mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-25 06:54:29 +01:00
4.2_enable_nx_support.sh 4.3_enable_randomized_vm_placement.sh 4.4_disable_prelink.sh 4.5_enable_apparmor.sh 5.1.1_disable_nis.sh
This commit is contained in:
parent
1bacb6c2ff
commit
db7b85ceed
53
bin/hardening/4.2_enable_nx_support.sh
Executable file
53
bin/hardening/4.2_enable_nx_support.sh
Executable file
@ -0,0 +1,53 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# Hardening script skeleton replace this line with proper point treated
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
PATTERN='NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:space:]]active'
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
does_pattern_exists_in_dmesg $PATTERN
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
crit "$PATTERN not present in dmesg"
|
||||||
|
else
|
||||||
|
ok "$PATTERN present in dmesg"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
does_pattern_exists_in_dmesg $PATTERN
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
crit "$PATTERN not present in dmesg, please go to the bios to activate this option or change for CPU compatible"
|
||||||
|
else
|
||||||
|
ok "$PATTERN present in dmesg"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||||
|
exit 128
|
||||||
|
else
|
||||||
|
. /etc/default/cis-hardenning
|
||||||
|
if [ -z $CIS_ROOT_DIR ]; then
|
||||||
|
echo "No CIS_ROOT_DIR variable, aborting"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
59
bin/hardening/4.3_enable_randomized_vm_placement.sh
Executable file
59
bin/hardening/4.3_enable_randomized_vm_placement.sh
Executable file
@ -0,0 +1,59 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# Hardening script skeleton replace this line with proper point treated
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
SYSCTL_PARAM='kernel.randomize_va_space'
|
||||||
|
SYSCTL_EXP_RESULT=2
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !"
|
||||||
|
elif [ $FNRET = 255 ]; then
|
||||||
|
warn "$SYSCTL_PARAM does not exist, typo ?"
|
||||||
|
else
|
||||||
|
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it"
|
||||||
|
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||||
|
elif [ $FNRET = 255 ]; then
|
||||||
|
warn "$SYSCTL_PARAM does not exist, typo ?"
|
||||||
|
else
|
||||||
|
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||||
|
exit 128
|
||||||
|
else
|
||||||
|
. /etc/default/cis-hardenning
|
||||||
|
if [ -z $CIS_ROOT_DIR ]; then
|
||||||
|
echo "No CIS_ROOT_DIR variable, aborting"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
57
bin/hardening/4.4_disable_prelink.sh
Executable file
57
bin/hardening/4.4_disable_prelink.sh
Executable file
@ -0,0 +1,57 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 4.4 Disable Prelink (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
PACKAGE='prelink'
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
is_pkg_installed $PACKAGE
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
crit "$PACKAGE is installed !"
|
||||||
|
else
|
||||||
|
ok "$PACKAGE is absent"
|
||||||
|
fi
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
is_pkg_installed $PACKAGE
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
crit "$PACKAGE is installed, purging it"
|
||||||
|
/usr/sbin/prelink -ua
|
||||||
|
apt-get purge $PACKAGE -y
|
||||||
|
else
|
||||||
|
ok "$PACKAGE is absent"
|
||||||
|
fi
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||||
|
exit 128
|
||||||
|
else
|
||||||
|
. /etc/default/cis-hardenning
|
||||||
|
if [ -z $CIS_ROOT_DIR ]; then
|
||||||
|
echo "No CIS_ROOT_DIR variable, aborting"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
55
bin/hardening/4.5_enable_apparmor.sh
Executable file
55
bin/hardening/4.5_enable_apparmor.sh
Executable file
@ -0,0 +1,55 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 4.5 Activate AppArmor (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
PACKAGE='apparmor'
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
is_pkg_installed $PACKAGE
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
crit "$PACKAGE is absent !"
|
||||||
|
else
|
||||||
|
ok "$PACKAGE is installed"
|
||||||
|
fi
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
is_pkg_installed $PACKAGE
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
crit "$PACKAGE is not installed, please install $PACKAGE and configure it"
|
||||||
|
else
|
||||||
|
ok "$PACKAGE is installed"
|
||||||
|
fi
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||||
|
exit 128
|
||||||
|
else
|
||||||
|
. /etc/default/cis-hardenning
|
||||||
|
if [ -z $CIS_ROOT_DIR ]; then
|
||||||
|
echo "No CIS_ROOT_DIR variable, aborting"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
55
bin/hardening/5.1.1_disable_nis.sh
Executable file
55
bin/hardening/5.1.1_disable_nis.sh
Executable file
@ -0,0 +1,55 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 5.1.1 Ensure NIS is not installed (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
PACKAGE='nis'
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
is_pkg_installed $PACKAGE
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
crit "$PACKAGE is installed !"
|
||||||
|
else
|
||||||
|
ok "$PACKAGE is absent"
|
||||||
|
fi
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
is_pkg_installed $PACKAGE
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
crit "$PACKAGE is installed, purging it"
|
||||||
|
apt-get purge $PACKAGE -y
|
||||||
|
else
|
||||||
|
ok "$PACKAGE is absent"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||||
|
exit 128
|
||||||
|
else
|
||||||
|
. /etc/default/cis-hardenning
|
||||||
|
if [ -z $CIS_ROOT_DIR ]; then
|
||||||
|
echo "No CIS_ROOT_DIR variable, aborting"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
2
etc/conf.d/4.2_enable_nx_support.cfg
Normal file
2
etc/conf.d/4.2_enable_nx_support.cfg
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
# Configuration for script of same name
|
||||||
|
status=enabled
|
2
etc/conf.d/4.3_enable_randomized_vm_placement.cfg
Normal file
2
etc/conf.d/4.3_enable_randomized_vm_placement.cfg
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
# Configuration for script of same name
|
||||||
|
status=enabled
|
2
etc/conf.d/4.4_disable_prelink.cfg
Normal file
2
etc/conf.d/4.4_disable_prelink.cfg
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
# Configuration for script of same name
|
||||||
|
status=enabled
|
2
etc/conf.d/4.5_enable_apparmor.cfg
Normal file
2
etc/conf.d/4.5_enable_apparmor.cfg
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
# Configuration for script of same name
|
||||||
|
status=enabled
|
2
etc/conf.d/5.1.1_disable_nis.cfg
Normal file
2
etc/conf.d/5.1.1_disable_nis.cfg
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
# Configuration for script of same name
|
||||||
|
status=enabled
|
18
lib/utils.sh
18
lib/utils.sh
@ -10,7 +10,7 @@ has_sysctl_param_expected_result() {
|
|||||||
|
|
||||||
if [ "$(sysctl $SYSCTL_PARAM 2>/dev/null)" = "$SYSCTL_PARAM = $EXP_RESULT" ]; then
|
if [ "$(sysctl $SYSCTL_PARAM 2>/dev/null)" = "$SYSCTL_PARAM = $EXP_RESULT" ]; then
|
||||||
FNRET=0
|
FNRET=0
|
||||||
elif [ $? != 0 ]; then
|
elif [ $? = 255 ]; then
|
||||||
debug "$SYSCTL_PARAM does not exist"
|
debug "$SYSCTL_PARAM does not exist"
|
||||||
FNRET=255
|
FNRET=255
|
||||||
else
|
else
|
||||||
@ -23,7 +23,7 @@ set_sysctl_param() {
|
|||||||
local SYSCTL_PARAM=$1
|
local SYSCTL_PARAM=$1
|
||||||
local VALUE=$2
|
local VALUE=$2
|
||||||
debug "Setting $SYSCTL_PARAM to $VALUE"
|
debug "Setting $SYSCTL_PARAM to $VALUE"
|
||||||
if [ "$(sysctl -w $SYSCTL_PARAM 2>/dev/null)" = "$SYSCTL_PARAM = $VALUE" ]; then
|
if [ "$(sysctl -w $SYSCTL_PARAM=$VALUE 2>/dev/null)" = "$SYSCTL_PARAM = $VALUE" ]; then
|
||||||
FNRET=0
|
FNRET=0
|
||||||
elif [ $? != 0 ]; then
|
elif [ $? != 0 ]; then
|
||||||
debug "$SYSCTL_PARAM does not exist"
|
debug "$SYSCTL_PARAM does not exist"
|
||||||
@ -34,6 +34,18 @@ set_sysctl_param() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Dmesg Manipulation
|
||||||
|
#
|
||||||
|
|
||||||
|
does_pattern_exists_in_dmesg() {
|
||||||
|
local PATTERN=$1
|
||||||
|
if $(dmesg | grep -qE "$PATTERN"); then
|
||||||
|
FNRET=0
|
||||||
|
else
|
||||||
|
FNRET=1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# File manipulation
|
# File manipulation
|
||||||
@ -275,8 +287,10 @@ is_pkg_installed()
|
|||||||
{
|
{
|
||||||
PKG_NAME=$1
|
PKG_NAME=$1
|
||||||
if $(dpkg -s $PKG_NAME 2> /dev/null | grep -q '^Status: install ') ; then
|
if $(dpkg -s $PKG_NAME 2> /dev/null | grep -q '^Status: install ') ; then
|
||||||
|
debug "$PKG_NAME is installed"
|
||||||
FNRET=0
|
FNRET=0
|
||||||
else
|
else
|
||||||
|
debug "$PKG_NAME is not installed"
|
||||||
FNRET=1
|
FNRET=1
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user