4.2_enable_nx_support.sh 4.3_enable_randomized_vm_placement.sh 4.4_disable_prelink.sh 4.5_enable_apparmor.sh 5.1.1_disable_nis.sh

This commit is contained in:
thibault.dewailly 2016-04-11 16:53:57 +02:00
parent 1bacb6c2ff
commit db7b85ceed
11 changed files with 305 additions and 2 deletions

View File

@ -0,0 +1,53 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# Hardening script skeleton replace this line with proper point treated
#
set -e # One error, it's over
set -u # One variable unset, it's over
PATTERN='NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:space:]]active'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_pattern_exists_in_dmesg $PATTERN
if [ $FNRET != 0 ]; then
crit "$PATTERN not present in dmesg"
else
ok "$PATTERN present in dmesg"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_pattern_exists_in_dmesg $PATTERN
if [ $FNRET != 0 ]; then
crit "$PATTERN not present in dmesg, please go to the bios to activate this option or change for CPU compatible"
else
ok "$PATTERN present in dmesg"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

View File

@ -0,0 +1,59 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# Hardening script skeleton replace this line with proper point treated
#
set -e # One error, it's over
set -u # One variable unset, it's over
SYSCTL_PARAM='kernel.randomize_va_space'
SYSCTL_EXP_RESULT=2
# This function will be called if the script status is on enabled / audit mode
audit () {
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !"
elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist, typo ?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist, typo ?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

View File

@ -0,0 +1,57 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 4.4 Disable Prelink (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
PACKAGE='prelink'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed !"
else
ok "$PACKAGE is absent"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
/usr/sbin/prelink -ua
apt-get purge $PACKAGE -y
else
ok "$PACKAGE is absent"
fi
:
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

View File

@ -0,0 +1,55 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 4.5 Activate AppArmor (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
PACKAGE='apparmor'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is absent !"
else
ok "$PACKAGE is installed"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed, please install $PACKAGE and configure it"
else
ok "$PACKAGE is installed"
fi
:
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

View File

@ -0,0 +1,55 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 5.1.1 Ensure NIS is not installed (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
PACKAGE='nis'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed !"
else
ok "$PACKAGE is absent"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
else
ok "$PACKAGE is absent"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

View File

@ -0,0 +1,2 @@
# Configuration for script of same name
status=enabled

View File

@ -0,0 +1,2 @@
# Configuration for script of same name
status=enabled

View File

@ -0,0 +1,2 @@
# Configuration for script of same name
status=enabled

View File

@ -0,0 +1,2 @@
# Configuration for script of same name
status=enabled

View File

@ -0,0 +1,2 @@
# Configuration for script of same name
status=enabled

View File

@ -10,7 +10,7 @@ has_sysctl_param_expected_result() {
if [ "$(sysctl $SYSCTL_PARAM 2>/dev/null)" = "$SYSCTL_PARAM = $EXP_RESULT" ]; then if [ "$(sysctl $SYSCTL_PARAM 2>/dev/null)" = "$SYSCTL_PARAM = $EXP_RESULT" ]; then
FNRET=0 FNRET=0
elif [ $? != 0 ]; then elif [ $? = 255 ]; then
debug "$SYSCTL_PARAM does not exist" debug "$SYSCTL_PARAM does not exist"
FNRET=255 FNRET=255
else else
@ -23,7 +23,7 @@ set_sysctl_param() {
local SYSCTL_PARAM=$1 local SYSCTL_PARAM=$1
local VALUE=$2 local VALUE=$2
debug "Setting $SYSCTL_PARAM to $VALUE" debug "Setting $SYSCTL_PARAM to $VALUE"
if [ "$(sysctl -w $SYSCTL_PARAM 2>/dev/null)" = "$SYSCTL_PARAM = $VALUE" ]; then if [ "$(sysctl -w $SYSCTL_PARAM=$VALUE 2>/dev/null)" = "$SYSCTL_PARAM = $VALUE" ]; then
FNRET=0 FNRET=0
elif [ $? != 0 ]; then elif [ $? != 0 ]; then
debug "$SYSCTL_PARAM does not exist" debug "$SYSCTL_PARAM does not exist"
@ -34,6 +34,18 @@ set_sysctl_param() {
fi fi
} }
#
# Dmesg Manipulation
#
does_pattern_exists_in_dmesg() {
local PATTERN=$1
if $(dmesg | grep -qE "$PATTERN"); then
FNRET=0
else
FNRET=1
fi
}
# #
# File manipulation # File manipulation
@ -275,8 +287,10 @@ is_pkg_installed()
{ {
PKG_NAME=$1 PKG_NAME=$1
if $(dpkg -s $PKG_NAME 2> /dev/null | grep -q '^Status: install ') ; then if $(dpkg -s $PKG_NAME 2> /dev/null | grep -q '^Status: install ') ; then
debug "$PKG_NAME is installed"
FNRET=0 FNRET=0
else else
debug "$PKG_NAME is not installed"
FNRET=1 FNRET=1
fi fi
} }