From da30fa0b48894cf3630216165e76002b06ce0c88 Mon Sep 17 00:00:00 2001 From: "thibault.dewailly" Date: Fri, 15 Apr 2016 23:38:48 +0200 Subject: [PATCH] 10.5_lock_inactive_user_account.sh 11.1_warning_banners.sh 11.2_remove_os_info_warning_banners.sh 11.3_graphical_warning_banners.sh --- bin/hardening/10.4_default_umask.sh | 2 +- .../10.5_lock_inactive_user_account.sh | 46 +++++++++++ bin/hardening/11.1_warning_banners.sh | 80 +++++++++++++++++++ .../11.2_remove_os_info_warning_banners.sh | 60 ++++++++++++++ .../11.3_graphical_warning_banners.sh | 42 ++++++++++ bin/hardening/9.5_restrict_su.sh | 2 +- .../10.5_lock_inactive_user_account.cfg | 2 + etc/conf.d/11.1_warning_banners.cfg | 2 + .../11.2_remove_os_info_warning_banners.cfg | 2 + etc/conf.d/11.3_graphical_warning_banners.cfg | 2 + lib/utils.sh | 18 ++++- 11 files changed, 254 insertions(+), 4 deletions(-) create mode 100755 bin/hardening/10.5_lock_inactive_user_account.sh create mode 100755 bin/hardening/11.1_warning_banners.sh create mode 100755 bin/hardening/11.2_remove_os_info_warning_banners.sh create mode 100755 bin/hardening/11.3_graphical_warning_banners.sh create mode 100644 etc/conf.d/10.5_lock_inactive_user_account.cfg create mode 100644 etc/conf.d/11.1_warning_banners.cfg create mode 100644 etc/conf.d/11.2_remove_os_info_warning_banners.cfg create mode 100644 etc/conf.d/11.3_graphical_warning_banners.cfg
diff --git a/bin/hardening/10.4_default_umask.sh b/bin/hardening/10.4_default_umask.sh
index 577a62e..5e09853 100755
--- a/bin/hardening/10.4_default_umask.sh
+++ b/bin/hardening/10.4_default_umask.sh
@@ -13,7 +13,7 @@ set -e # One error, it's over set -u # One variable unset, it's over USER='root' -PATTERN='umask 077' +PATTERN='umask 644' FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d/*' FILE='/etc/profile.d/CIS_10.4_umask.sh'
diff --git a/bin/hardening/10.5_lock_inactive_user_account.sh b/bin/hardening/10.5_lock_inactive_user_account.sh
new file mode 100755
index 0000000..6d82eff
--- /dev/null
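Review bot: `PATTERN='umask 644'` inverts the control rather than tuning it: a umask is the set of permission bits to clear, so 644 makes new files come out as mode 022 (no access for the owner, write for group and world), whereas CIS 10.4 expects owner-only 077 (027 if group-readable files are intended). The audit/apply functions that consume PATTERN are outside this hunk, but from FILE and FILES_TO_SEARCH they presumably grep for and write this exact string, so hosts already at 077 would now be reported as failing and `apply` would install the unsafe value into /etc/profile.d/CIS_10.4_umask.sh. Revert to `PATTERN='umask 077'`.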
+++ b/bin/hardening/10.5_lock_inactive_user_account.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 10.4 Set Default umask for Users (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Looking at the manual of useradd, it seems that this recommendation does not fill the title"
+ info "The number of days after a password expires until the account is permanently disabled."
+ info "Which is not inactive users per se"
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "Looking at the manual of useradd, it seems that this recommendation does not fill the title"
+ info "The number of days after a password expires until the account is permanently disabled."
+ info "Which is not inactive users per se"
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/11.1_warning_banners.sh b/bin/hardening/11.1_warning_banners.sh
new file mode 100755
index 0000000..b4620ce
--- /dev/null
+++ b/bin/hardening/11.1_warning_banners.sh
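Review bot: The title block was copied from the umask script and still reads `# 10.4 Set Default umask for Users (Scored)` in a file that is 10.5; change it to `# 10.5 Lock Inactive User Accounts (Scored)`. Beyond that, audit() and apply() only print info lines while the companion cfg in this commit sets `status=enabled`, so every run executes this control and emits neither a pass nor a finding, which a report reader cannot distinguish from "checked and fine"; the useradd text the comments quote is the `INACTIVE` default that, if I recall the benchmark correctly, its remediation sets via `useradd -D -f <days>`, so auditing that value from /etc/default/useradd would be more useful than the explanatory messages, or else the script should ship `status=disabled` until it does something. Also `if [ -z $CIS_ROOT_DIR ]; then echo ...; fi` prints "aborting" but does not abort; add `exit 128` after the echo as the first branch does (the other three new scripts repeat the same template).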
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 11.1 Set Warning Banner for Standard Login Services (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PERMISSIONS='644'
+USER='root'
+GROUP='root'
+FILES='/etc/motd /etc/issue /etc/issue.net'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for FILE in $FILES; do
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ crit "$FILE is not $USER:$GROUP ownership set"
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ crit "$FILE has not $PERMISSIONS permissions set"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for FILE in $FILES; do
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ info "$FILE does not exist"
+ touch $FILE
+ fi
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ warn "$FILE is not $USER:$GROUP ownership set"
+ chown $USER:$GROUP $FILE
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ info "fixing $FILE permissions to $PERMISSIONS"
+ chmod 0$PERMISSIONS $FILE
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
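Review bot: audit() verifies only ownership and mode of the three files and apply() creates missing ones with `touch`, so an empty /etc/issue or /etc/issue.net passes a control whose point is that a warning banner is actually shown at login. Add a content check to the audit loop, e.g. `[ -s $FILE ] || crit "$FILE is empty, no warning banner set"`, and in apply() either install a banner text from configuration or at least `warn` that the file was created empty instead of logging it as info. Separately, audit() calls `has_file_correct_ownership` on a file that may not exist (audit never touches it); that helper is not visible here, and if it exits non-zero under `set -e` the whole audit dies on a host lacking /etc/issue.net rather than reporting a finding, so a `does_file_exist` guard with a `crit` would be safer.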
diff --git a/bin/hardening/11.2_remove_os_info_warning_banners.sh b/bin/hardening/11.2_remove_os_info_warning_banners.sh
new file mode 100755
index 0000000..9ed0bc9
--- /dev/null
+++ b/bin/hardening/11.2_remove_os_info_warning_banners.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 11.2 Remove OS Information from Login Warning Banners (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILES='/etc/motd /etc/issue /etc/issue.net'
+PATTERN='(\\v|\\r|\\m|\\s)'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for FILE in $FILES; do
+ does_pattern_exists_in_file $FILE "$PATTERN"
+ if [ $FNRET = 0 ]; then
+ crit "$PATTERN is present in $FILE"
+ else
+ ok "$PATTERN is not present in $FILE"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for FILE in $FILES; do
+ does_pattern_exists_in_file $FILE "$PATTERN"
+ if [ $FNRET = 0 ]; then
+ warn "$PATTERN is present in $FILE"
+ delete_line_in_file $FILE $PATTERN
+ else
+ ok "$PATTERN is not present in $FILE"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/11.3_graphical_warning_banners.sh b/bin/hardening/11.3_graphical_warning_banners.sh
new file mode 100755
index 0000000..7126b93
--- /dev/null
+++ b/bin/hardening/11.3_graphical_warning_banners.sh
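Review bot: `delete_line_in_file $FILE $PATTERN` feeds the ERE-style pattern `(\\v|\\r|\\m|\\s)` into a `sed -i "/$PATTERN/d"` address, and in sed's basic regex `(` and `|` are ordinary characters, so the only line that address matches is one containing the literal text `(\v|\r|\m|\s)`; a real `\m` or `\s` escape in /etc/issue survives while apply() has already logged the file as handled. audit() presumably catches these because `does_pattern_exists_in_file` (not visible here) uses an ERE-capable grep, which would make the two modes disagree on the same file. Rather than deleting the whole line (which drops the surrounding banner text too), strip just the escapes with `sed -E -i "s/$PATTERN//g" $FILE`, or pass a BRE form such as `\(\\v\|\\r\|\\m\|\\s\)` if delete_line_in_file must be kept; and quote the argument as audit() does, `delete_line_in_file $FILE "$PATTERN"`.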
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 11.3 Set Graphical Warning Banner (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Not implemented yet"
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "Not implemented yet"
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/9.5_restrict_su.sh b/bin/hardening/9.5_restrict_su.sh
index 70d6922..90737da 100755
--- a/bin/hardening/9.5_restrict_su.sh
+++ b/bin/hardening/9.5_restrict_su.sh
@@ -6,7 +6,7 @@ # # -# 9.2.1 Set Password Creation Requirement Parameters Using pam_cracklib (Scored) +# 9.5 Restrict Access to the su Command (Scored) # set -e # One error, it's over
diff --git a/etc/conf.d/10.5_lock_inactive_user_account.cfg b/etc/conf.d/10.5_lock_inactive_user_account.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/10.5_lock_inactive_user_account.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/11.1_warning_banners.cfg b/etc/conf.d/11.1_warning_banners.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/11.1_warning_banners.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
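Review bot: audit() and apply() are stubs that print `Not implemented yet` at info level, while the matching `etc/conf.d/11.3_graphical_warning_banners.cfg` added in this commit sets `status=enabled`, so the control runs on every host and yields neither a pass nor a finding and a report reader cannot tell it was never checked. Ship the stub with `status=disabled`, or have audit() use `warn "Not implemented yet"` so it stands out, until it inspects the installed display manager's banner setting. A header note such as `# TODO: graphical banner check not implemented; audit/apply are placeholders` would also stop the file being mistaken for a finished control.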
diff --git a/etc/conf.d/11.2_remove_os_info_warning_banners.cfg b/etc/conf.d/11.2_remove_os_info_warning_banners.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/11.2_remove_os_info_warning_banners.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/11.3_graphical_warning_banners.cfg b/etc/conf.d/11.3_graphical_warning_banners.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/11.3_graphical_warning_banners.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/lib/utils.sh b/lib/utils.sh
index f382475..adc3e30 100644
--- a/lib/utils.sh
+++ b/lib/utils.sh
@@ -123,8 +123,9 @@ add_line_file_before_pattern() { local LINE=$2 local PATTERN=$3 - backup_file "$1" + backup_file "$FILE" debug "Inserting $LINE before $PATTERN in $FILE" + PATTERN=$(sed 's@/@\/@g' <<< $PATTERN) debug "sed -i '/$PATTERN/i $LINE' $FILE" sed -i "/$PATTERN/i $LINE" $FILE FNRET=0
@@ -135,13 +136,26 @@ replace_in_file() { local SOURCE=$2 local DESTINATION=$3 - backup_file "$1" + backup_file "$FILE" debug "Replacing $SOURCE to $DESTINATION in $FILE" + SOURCE=$(sed 's@/@\/@g' <<< $SOURCE) debug "sed -i 's/$SOURCE/$DESTINATION/g' $FILE" sed -i "s/$SOURCE/$DESTINATION/g" $FILE FNRET=0 } +delete_line_in_file() { + local FILE=$1 + local PATTERN=$2 + + backup_file "$FILE" + debug "Deleting lines from $FILE containing $PATTERN" + PATTERN=$(sed 's@/@\/@g' <<< $PATTERN) + debug "sed -i '/$PATTERN/d' $FILE" + sed -i "/$PATTERN/d" $FILE + FNRET=0 +} + # # Users and groups #
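Review bot: The new escaping line `PATTERN=$(sed 's@/@\/@g' <<< $PATTERN)` in add_line_file_before_pattern is a no-op: in the replacement part of a GNU sed `s` command `\/` is simply `/`, so a slash in PATTERN is not escaped and still terminates the `/$PATTERN/` address on the `sed -i` line that follows (the `backup_file "$FILE"` correction above it is right). Double the backslash so sed receives `\\/`: `PATTERN=$(sed 's@/@\\/@g' <<< $PATTERN)`. The same ineffective escape is pasted into replace_in_file and delete_line_in_file in the next hunk, so an `escape_for_sed()` helper would keep the three in step. Note also that `$LINE` goes into the `i` command unescaped, so a backslash or leading whitespace in it is interpreted by sed rather than inserted verbatim; callers are not visible here, so this may be acceptable.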
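Review bot: delete_line_in_file interprets PATTERN as a sed basic regular expression, but neither the function nor a comment says so, and the only caller this commit adds (11.2_remove_os_info_warning_banners.sh) passes the ERE-style group `(\\v|\\r|\\m|\\s)`, which under BRE matches only that literal text and therefore deletes nothing. Document the contract above the function, e.g. `# delete_line_in_file FILE PATTERN: drop every line matching PATTERN (sed BRE; only '/' is escaped for you)`, and consider a `-E` variant or a `sed -E` flag if callers need alternation. The `SOURCE=$(sed 's@/@\/@g' <<< $SOURCE)` line in replace_in_file shares the `\/` no-op, and `$DESTINATION` is interpolated into the `s` replacement unescaped, so an `&` or backslash in it is interpreted by sed instead of inserted literally.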