hardening : building basic configuration

This commit is contained in:
thibault.dewailly 2016-04-01 09:52:39 +02:00
parent 9a5e962cd4
commit d76cf94b18
5 changed files with 101 additions and 14 deletions

View File

@ -5,17 +5,70 @@
#
#
# 1.1 Install Updates, Patches and Additional Security Software (Not Scored)
# Hardening script skeleton replace this line with proper point treated
#
# This function will be called if the script status is ont enabled / audit mode
audit () {
set -e # One error, it's over
set -u # One variable unset, it's over
# This function will be called if the script status is on enabled / audit mode
audit () {
:
}
# This function will be called if the script status is on enabled mode
apply () {
:
}
# Environment Sanitizing
export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
LONG_SCRIPT_NAME=$(basename $0)
SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
# Variable initialization, to avoid crash
status=""
params=""
[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
# Source general configuration file and Specific configuration file if exist
[ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
logger "Working on $SCRIPT_NAME"
if [ -z $status ]; then
logger "Could not find status variable for $SCRIPT_NAME, considered as disabled"
exit 0
fi
case $status in
enabled | true )
audit $params # Perform audit
apply $params # Perform hardening
;;
audit )
audit $params # Perform audit
;;
disabled | false )
logger "$SCRIPT_NAME is disabled, ignoring"
;;
*)
logger "Wrong value for status : $status. Must be [ enabled | true | audit | disabled | false ]"
;;
esac

View File

@ -0,0 +1 @@
*.cfg

View File

@ -1,2 +1,5 @@
# CIS Debian 7 Hardening
# Main Configuration File
# Main Configuration File, put here global variables
# Valid values are verbose info warning error
LOGLEVEL=verbose

View File

@ -2,6 +2,6 @@
logger() {
test -z "$SCRIPT_NAME" && SCRIPT_NAME=$(basename $0)
logger -i -t "$SCRIPT_NAME" -p "user.info" "$(date +%Y.%m.%d-%H:%M:%S) $*"
test -t 1 && echo "$(date +%Z-%Y.%m.%d-%H:%M:%S) $*"
/usr/bin/logger -i -t "$SCRIPT_NAME" -p "user.info" "$*"
test -t 1 && echo "$*"
}

View File

@ -4,19 +4,21 @@
# CIS Debian 7 Hardening
#
#
# Hardening script skeleton replace this line with proper point treated
#
# This function will be called if the script status is ont enabled / audit mode
audit () {
set -e # One error, it's over
set -u # One variable unset, it's over
# This function will be called if the script status is on enabled / audit mode
audit () {
:
}
# This function will be called if the script status is on enabled mode
apply () {
:
}
# Environment Sanitizing
@ -34,11 +36,39 @@ else
fi
fi
SCRIPT_NAME=$(basename $0)
LONG_SCRIPT_NAME=$(basename $0)
SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
# Variable initialization, to avoid crash
status=""
params=""
[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
# Source general configuration file and Specific configuration file if exist
[ -r $ROOT_DIR/etc/hardening.cfg ] && . $ROOT_DIR/etc/hardening.cfg
[ -r $ROOT_DIR/etc/hardening/$SCRIPT_NAME ] && . $ROOT_DIR/etc/hardening/$SCRIPT_NAME
[ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
logger "Working on $SCRIPT_NAME"
if [ -z $status ]; then
logger "Could not find status variable for $SCRIPT_NAME, considered as disabled"
exit 0
fi
case $status in
enabled | true )
audit $params # Perform audit
apply $params # Perform hardening
;;
audit )
audit $params # Perform audit
;;
disabled | false )
logger "$SCRIPT_NAME is disabled, ignoring"
;;
*)
logger "Wrong value for status : $status. Must be [ enabled | true | audit | disabled | false ]"
;;
esac