From d76cf94b18e3b74527b2b5082f0e1dd92ecaf8db Mon Sep 17 00:00:00 2001
From: "thibault.dewailly"
Date: Fri, 1 Apr 2016 09:52:39 +0200
Subject: [PATCH] hardening : building basic configuration
---
 bin/hardening/1.1_Install_Updates.sh | 61 ++++++++++++++++++++++++++--
 etc/conf.d/.gitignore | 1 +
 etc/hardening.cfg | 5 ++-
 lib/common.sh | 4 +-
 src/skel.sh | 44 ++++++++++++++++----
 5 files changed, 101 insertions(+), 14 deletions(-)
diff --git a/bin/hardening/1.1_Install_Updates.sh b/bin/hardening/1.1_Install_Updates.sh
index b79db85..7f0daf9 100644
--- a/bin/hardening/1.1_Install_Updates.sh
+++ b/bin/hardening/1.1_Install_Updates.sh
@@ -5,17 +5,70 @@
 #
 #
-# 1.1 Install Updates, Patches and Additional Security Software (Not Scored)
+# Hardening script skeleton replace this line with proper point treated
 #
-# This function will be called if the script status is ont enabled / audit mode
-audit () {
+set -e # One error, it's over
+set -u # One variable unset, it's over
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ :
 }
 # This function will be called if the script status is on enabled mode
 apply () {
-
+ :
 }
+# Environment Sanitizing
+export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
+# Source Root Dir Parameter
+
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+LONG_SCRIPT_NAME=$(basename $0)
+SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
+# Variable initialization, to avoid crash
+status=""
+params=""
+
+[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
+[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
+[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
+
+# Source general configuration file and Specific configuration file if exist
+
+[ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
+
+logger "Working on $SCRIPT_NAME"
+
+if [ -z $status ]; then
+ logger "Could not find status variable for $SCRIPT_NAME, considered as disabled"
+ exit 0
+fi
+
+case $status in
+ enabled | true )
+ audit $params # Perform audit
+ apply $params # Perform hardening
+ ;;
+ audit )
+ audit $params # Perform audit
+ ;;
+ disabled | false )
+ logger "$SCRIPT_NAME is disabled, ignoring"
+ ;;
+ *)
+ logger "Wrong value for status : $status. Must be [ enabled | true | audit | disabled | false ]"
+ ;;
+esac
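Review bot: The empty-CIS_ROOT_DIR branch after sourcing /etc/default/cis-hardenning prints "No CIS_ROOT_DIR variable, aborting" but never exits, so execution continues and the later `. $CIS_ROOT_DIR/lib/constants.sh` and `. $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg` lines resolve to `/lib/constants.sh`, `/etc/conf.d/<name>.cfg` and similar paths outside the project tree, which a root-run hardening script should never source. Add `exit 128` after that echo, and because `set -u` is now active write the test as `if [ -z "${CIS_ROOT_DIR:-}" ]; then` so an unset variable yields this message rather than bash's unbound-variable error. Unlike the skeleton in src/skel.sh, this hunk no longer sources `$CIS_ROOT_DIR/etc/hardening.cfg`, so the LOGLEVEL added to that file in this same commit never reaches this script. The header line now reads "Hardening script skeleton replace this line with proper point treated" where the 1.1 control title used to be, which looks like a verbatim copy of the skeleton rather than an intended edit.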
diff --git a/etc/conf.d/.gitignore b/etc/conf.d/.gitignore
index e69de29..7103328 100644
--- a/etc/conf.d/.gitignore
+++ b/etc/conf.d/.gitignore
@@ -0,0 +1 @@
+*.cfg
diff --git a/etc/hardening.cfg b/etc/hardening.cfg
index 7038654..e23f0a7 100644
--- a/etc/hardening.cfg
+++ b/etc/hardening.cfg
@@ -1,2 +1,5 @@
 # CIS Debian 7 Hardening
-# Main Configuration File
+# Main Configuration File, put here global variables
+
+# Valid values are verbose info warning error
+LOGLEVEL=verbose
diff --git a/lib/common.sh b/lib/common.sh
index e7d869a..96294c4 100644
--- a/lib/common.sh
+++ b/lib/common.sh
@@ -2,6 +2,6 @@ logger() {
 test -z "$SCRIPT_NAME" && SCRIPT_NAME=$(basename $0)
- logger -i -t "$SCRIPT_NAME" -p "user.info" "$(date +%Y.%m.%d-%H:%M:%S) $*"
- test -t 1 && echo "$(date +%Z-%Y.%m.%d-%H:%M:%S) $*"
+ /usr/bin/logger -i -t "$SCRIPT_NAME" -p "user.info" "$*"
+ test -t 1 && echo "$*"
 }
diff --git a/src/skel.sh b/src/skel.sh
index 0d5b59b..d1802aa 100644
--- a/src/skel.sh
+++ b/src/skel.sh
@@ -4,19 +4,21 @@
 # CIS Debian 7 Hardening
 # - # # Hardening script skeleton replace this line with proper point treated
 #
-# This function will be called if the script status is ont enabled / audit mode
-audit () {
+set -e # One error, it's over
+set -u # One variable unset, it's over
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ :
 }
 # This function will be called if the script status is on enabled mode
 apply () {
-
+ :
 }
 # Environment Sanitizing
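Review bot: `test -t 1 && echo "$*"` is the last command in logger(), so whenever stdout is not a terminal the function returns 1, and every caller that now runs under `set -e` (src/skel.sh and bin/hardening/1.1_Install_Updates.sh in this same commit) will die at its very first `logger "Working on …"` call when run from cron, a pipe or an ssh session without a tty. Turn the echo into a statement that cannot fail the function, e.g. `if test -t 1; then echo "$*"; fi` followed by `return 0`. While there, `echo "$*"` will swallow a message that happens to start with `-n` or `-e` as an option; `printf '%s\n' "$*"` prints it verbatim. Switching to the absolute `/usr/bin/logger` to escape the shell function of the same name is right, but a one-line comment saying so (`# absolute path: avoid recursing into this function`) would stop someone from "simplifying" it later.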
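Review bot: `set -u` is switched on here, but the CIS_ROOT_DIR test that sits between this hunk and the next (seen in the copied `if [ -z $CIS_ROOT_DIR ]; then` of bin/hardening/1.1_Install_Updates.sh) dereferences the variable bare, so a /etc/default/cis-hardenning that does not define it now terminates with bash's unbound-variable error instead of the script's own "No CIS_ROOT_DIR variable" message; use `if [ -z "${CIS_ROOT_DIR:-}" ]; then` there. The `set -e # One error, it's over` line also deserves a warning for whoever fills in audit()/apply(), because a probe that legitimately returns non-zero (a `grep -q` that finds nothing, a `dpkg -s` on an absent package) will end the script before apply() runs; I would add next to it `# NOTE: any command in audit()/apply() that may return non-zero must be wrapped in if/|| or the script stops here`. The `set -e`/`set -u` lines are placed after the function definitions rather than at the top of the file, which works but is easy to miss when reading; consider moving them directly under the shebang.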
@@ -34,11 +36,39 @@ else
 fi
 fi
-SCRIPT_NAME=$(basename $0)
+LONG_SCRIPT_NAME=$(basename $0)
+SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
+# Variable initialization, to avoid crash
+status=""
+params=""
+[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
+[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
+[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
+[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
 # Source general configuration file and Specific configuration file if exist
-[ -r $ROOT_DIR/etc/hardening.cfg ] && . $ROOT_DIR/etc/hardening.cfg
-[ -r $ROOT_DIR/etc/hardening/$SCRIPT_NAME ] && . $ROOT_DIR/etc/hardening/$SCRIPT_NAME
+[ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
+logger "Working on $SCRIPT_NAME"
+if [ -z $status ]; then
+ logger "Could not find status variable for $SCRIPT_NAME, considered as disabled"
+ exit 0
+fi
+
+case $status in
+ enabled | true )
+ audit $params # Perform audit
+ apply $params # Perform hardening
+ ;;
+ audit )
+ audit $params # Perform audit
+ ;;
+ disabled | false )
+ logger "$SCRIPT_NAME is disabled, ignoring"
+ ;;
+ *)
+ logger "Wrong value for status : $status. Must be [ enabled | true | audit | disabled | false ]"
+ ;;
+esac
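Review bot: The `. $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg` line (and the `etc/hardening.cfg` and lib sourcing just above it) executes those files as shell code with the privileges of whoever runs the hardening script, presumably root, and the new `.gitignore` makes the conf.d files local, unreviewed artefacts; the only gate is `-r`, so a config that is writable by an unprivileged user or group becomes a root code-execution path. Check ownership and mode before sourcing, refusing anything not owned by root or group/world writable, as sketched below. Separately, the `*)` arm logs "Wrong value for status" but the script still exits 0, so a typo in a config is indistinguishable from success to whatever drives these scripts; add `exit 1` after that logger call. `audit $params` / `apply $params` are deliberately unquoted if `params` is meant to carry several arguments, but that also exposes it to glob expansion; a comment stating the intent would help the next reader.

```shell
# … unchanged: lib sourcing, hardening.cfg …
# Source general configuration file and Specific configuration file if exist
cfg="$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg"
if [ -r "$cfg" ]; then
    # Refuse to execute a config that root does not own or that others can write
    if [ "$(stat -c '%u' "$cfg")" != "0" ] || [ -n "$(find "$cfg" -perm /022)" ]; then
        logger "Refusing to source $cfg: must be owned by root and not group/world writable"
        exit 128
    fi
    . "$cfg"
fi
# … unchanged: status check and case dispatch …
```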