10.5_lock_inactive_user_account.sh 11.1_warning_banners.sh 11.2_remove_os_info_warning_banners.sh 11.3_graphical_warning_banners.sh

This commit is contained in:
thibault.dewailly 2016-04-15 23:38:48 +02:00
parent dd9fac10d9
commit da30fa0b48
11 changed files with 254 additions and 4 deletions

View File

@ -13,7 +13,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
USER='root'
PATTERN='umask 077'
PATTERN='umask 644'
FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d/*'
FILE='/etc/profile.d/CIS_10.4_umask.sh'

View File

@ -0,0 +1,46 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
#
#
# 10.4 Set Default umask for Users (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Looking at the manual of useradd, it seems that this recommendation does not fill the title"
info "The number of days after a password expires until the account is permanently disabled."
info "Which is not inactive users per se"
}
# This function will be called if the script status is on enabled mode
apply () {
info "Looking at the manual of useradd, it seems that this recommendation does not fill the title"
info "The number of days after a password expires until the account is permanently disabled."
info "Which is not inactive users per se"
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

View File

@ -0,0 +1,80 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
#
#
# 11.1 Set Warning Banner for Standard Login Services (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
PERMISSIONS='644'
USER='root'
GROUP='root'
FILES='/etc/motd /etc/issue /etc/issue.net'
# This function will be called if the script status is on enabled / audit mode
audit () {
for FILE in $FILES; do
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE is not $USER:$GROUP ownership set"
fi
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE has not $PERMISSIONS permissions set"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for FILE in $FILES; do
does_file_exist $FILE
if [ $FNRET != 0 ]; then
info "$FILE does not exist"
touch $FILE
fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
warn "$FILE is not $USER:$GROUP ownership set"
chown $USER:$GROUP $FILE
fi
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0$PERMISSIONS $FILE
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

View File

@ -0,0 +1,60 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
#
#
# 11.2 Remove OS Information from Login Warning Banners (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
FILES='/etc/motd /etc/issue /etc/issue.net'
PATTERN='(\\v|\\r|\\m|\\s)'
# This function will be called if the script status is on enabled / audit mode
audit () {
for FILE in $FILES; do
does_pattern_exists_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
crit "$PATTERN is present in $FILE"
else
ok "$PATTERN is not present in $FILE"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for FILE in $FILES; do
does_pattern_exists_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE"
delete_line_in_file $FILE $PATTERN
else
ok "$PATTERN is not present in $FILE"
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

View File

@ -0,0 +1,42 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
#
#
# 11.3 Set Graphical Warning Banner (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Not implemented yet"
}
# This function will be called if the script status is on enabled mode
apply () {
info "Not implemented yet"
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

View File

@ -6,7 +6,7 @@
#
#
# 9.2.1 Set Password Creation Requirement Parameters Using pam_cracklib (Scored)
# 9.5 Restrict Access to the su Command (Scored)
#
set -e # One error, it's over

View File

@ -0,0 +1,2 @@
# Configuration for script of same name
status=enabled

View File

@ -0,0 +1,2 @@
# Configuration for script of same name
status=enabled

View File

@ -0,0 +1,2 @@
# Configuration for script of same name
status=enabled

View File

@ -0,0 +1,2 @@
# Configuration for script of same name
status=enabled

View File

@ -123,8 +123,9 @@ add_line_file_before_pattern() {
local LINE=$2
local PATTERN=$3
backup_file "$1"
backup_file "$FILE"
debug "Inserting $LINE before $PATTERN in $FILE"
PATTERN=$(sed 's@/@\/@g' <<< $PATTERN)
debug "sed -i '/$PATTERN/i $LINE' $FILE"
sed -i "/$PATTERN/i $LINE" $FILE
FNRET=0
@ -135,13 +136,26 @@ replace_in_file() {
local SOURCE=$2
local DESTINATION=$3
backup_file "$1"
backup_file "$FILE"
debug "Replacing $SOURCE to $DESTINATION in $FILE"
SOURCE=$(sed 's@/@\/@g' <<< $SOURCE)
debug "sed -i 's/$SOURCE/$DESTINATION/g' $FILE"
sed -i "s/$SOURCE/$DESTINATION/g" $FILE
FNRET=0
}
delete_line_in_file() {
local FILE=$1
local PATTERN=$2
backup_file "$FILE"
debug "Deleting lines from $FILE containing $PATTERN"
PATTERN=$(sed 's@/@\/@g' <<< $PATTERN)
debug "sed -i '/$PATTERN/d' $FILE"
sed -i "/$PATTERN/d" $FILE
FNRET=0
}
#
# Users and groups
#