diff --git a/bin/hardening/10.1.1_set_password_exp_days.sh b/bin/hardening/10.1.1_set_password_exp_days.sh
new file mode 100755
index 0000000..3e0a60d
--- /dev/null
+++ b/bin/hardening/10.1.1_set_password_exp_days.sh
@@ -0,0 +1,86 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 10.1.1 Set Password Expiration Days (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='login' +OPTIONS='PASS_MAX_DAYS=90' +FILE='/etc/login.defs' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + fi + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! 
-r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/10.1.2_set_password_min_days_change.sh b/bin/hardening/10.1.2_set_password_min_days_change.sh new file mode 100755 index 0000000..136b0e2 --- /dev/null +++ b/bin/hardening/10.1.2_set_password_min_days_change.sh 
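Review bot: The audit regex `^$SSH_PARAM[[:space:]]*$SSH_VALUE` has no end anchor and accepts zero whitespace, so a line such as `PASS_MAX_DAYS 900` (or `PASS_MAX_DAYS90`) is reported as compliant although it violates the 90-day control; the same pattern is reused in apply and in the 10.1.2 and 10.1.3 scripts. Assuming does_pattern_exists_in_file hands the pattern to grep as a basic regex, `PATTERN="^$SSH_PARAM[[:space:]][[:space:]]*$SSH_VALUE[[:space:]]*$"` pins the value. The sourcing block at the bottom prints "No CIS_ROOT_DIR variable, aborting" but does not abort, so the script then silently falls through the `[ -r $CIS_ROOT_DIR/lib/main.sh ] && …` guard and runs nothing; an `exit 128` after that echo is needed, and the identical block is duplicated in every script of this commit (10.1.2, 10.1.3, 10.2, 10.3, 10.4, 9.4, 9.5). As a matter of style, the loop variables are named SSH_OPTION/SSH_PARAM/SSH_VALUE although the file being edited is /etc/login.defs; a neutral OPTION/PARAM/VALUE would not mislead the next reader.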
@@ -0,0 +1,86 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 10.1.2 Set Password Change Minimum Number of Days (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='login' +OPTIONS='PASS_MIN_DAYS=7' +FILE='/etc/login.defs' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + fi + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! 
-r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/10.1.3_set_password_exp_warning_days.sh b/bin/hardening/10.1.3_set_password_exp_warning_days.sh new file mode 100755 index 0000000..ce7b164 --- /dev/null +++ b/bin/hardening/10.1.3_set_password_exp_warning_days.sh 
@@ -0,0 +1,86 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 10.1.3 Set Password Expiring Warning Days (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='login' +OPTIONS='PASS_MIN_DAYS=7' +FILE='/etc/login.defs' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + fi + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! 
-r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/10.2_disable_system_accounts.sh b/bin/hardening/10.2_disable_system_accounts.sh new file mode 100755 index 0000000..1aa9421 --- /dev/null +++ b/bin/hardening/10.2_disable_system_accounts.sh 
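Review bot: `OPTIONS='PASS_MIN_DAYS=7'` is carried over from 10.1.2, so this script re-applies the minimum-days setting and never touches the warning period its own title (10.1.3 Set Password Expiring Warning Days) is about; the login.defs key for the warning period is `PASS_WARN_AGE`, so the line should read `OPTIONS='PASS_WARN_AGE=7'`. As written, 10.1.2 and 10.1.3 report the same setting twice, which would hide a regression of the warning-age control from an audit run. The regex-anchor and missing-exit issues raised on 10.1.1 apply here unchanged.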
@@ -0,0 +1,65 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 10.2 Disable System Accounts (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +SHELL='/bin/false' +FILE='/etc/passwd' +RESULT='' + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Checking if admin accounts have login different from $SHELL" + eval $(RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}' | grep -v "$EXCEPTIONS")) + if [ ! -z "$RESULT" ]; then + crit "Some admin accounts have not $SHELL as shell" + crit "$RESULT" + else + ok "All admin accounts deactivated" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + eval $(RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}' | grep -v "$EXCEPTIONS")) + if [ ! -z "$RESULT" ]; then + warn "Some admin accounts have not $SHELL as shell" + warn "$RESULT" + for USER in $( echo "$RESULT" | cut -d: -f 1 ); do + info "Setting $SHELL to $USER" + usermod -s $SHELL $USER + done + else + ok "All admin accounts deactivated, nothing to apply" + fi +} + +# This function will check config parameters required +check_config() { + if [ -z $EXCEPTIONS ]; then + EXCEPTIONS="@" + fi +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh 
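Review bot: `eval $(RESULT=$(…))` in both audit and apply never assigns RESULT: the assignment runs inside the command substitution's subshell, the substitution expands to nothing, and eval receives an empty string, so RESULT keeps its initial '' and the audit always reports "All admin accounts deactivated" while apply never reaches usermod. A plain assignment does the job, and because grep -v exits 1 when it filters out every line it needs `|| true` under `set -e`: `RESULT=$(egrep -v "^\+" $FILE | awk -F: '…' | grep -v "$EXCEPTIONS" || true)`. check_config relies on the unquoted `[ -z $EXCEPTIONS ]` collapsing to a one-argument test when the value is empty; `[ -z "$EXCEPTIONS" ]` states the intent. SHELL is also the shell's own environment variable, so a dedicated name such as NOLOGIN_SHELL avoids surprising anything invoked later in the run.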
diff --git a/bin/hardening/10.3_default_root_group.sh b/bin/hardening/10.3_default_root_group.sh
new file mode 100755
index 0000000..a01fa34
--- /dev/null
+++ b/bin/hardening/10.3_default_root_group.sh
@@ -0,0 +1,54 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 10.1.3 Set Password Expiring Warning Days (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+USER='root'
+EXPECTED_GID='0'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ if [ $(grep "^root:" /etc/passwd | cut -f4 -d:) = 0 ]; then
+ ok "Root group has GID $EXPECTED_GID"
+ else
+ crit "Root group has not GID $EXPECTED_GID"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ if [ $(grep "^root:" /etc/passwd | cut -f4 -d:) = 0 ]; then
+ ok "Root group has GID $EXPECTED_GID"
+ else
+ warn "Root group has not GID $EXPECTED_GID"
+ usermod -g $EXPECTED_GID $USER
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/10.4_default_umask.sh b/bin/hardening/10.4_default_umask.sh
new file mode 100755
index 0000000..577a62e
--- /dev/null
+++ b/bin/hardening/10.4_default_umask.sh
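Review bot: The audit and apply tests `[ $(grep "^root:" /etc/passwd | cut -f4 -d:) = 0 ]` leave the substitution unquoted, so when grep matches nothing the test degenerates to `[ = 0 ]` and the script dies with a test syntax error instead of reporting crit; they also compare against a literal 0 although EXPECTED_GID exists for exactly that. `if [ "$(grep "^root:" /etc/passwd | cut -f4 -d:)" = "$EXPECTED_GID" ]; then` fixes both. The header comment still reads `10.1.3 Set Password Expiring Warning Days (Scored)`, copied from the previous script, and should name the 10.3 default-root-group control instead. USER='root' shadows the login shell's own USER variable for the rest of the run; a less generic name such as ROOT_USER is safer.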
@@ -0,0 +1,60 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 10.4 Set Default umask for Users (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +USER='root' +PATTERN='umask 077' +FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d/*' +FILE='/etc/profile.d/CIS_10.4_umask.sh' + +# This function will be called if the script status is on enabled / audit mode +audit () { + does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN" + if [ $FNRET != 0 ]; then + crit "$PATTERN not present in $FILES_TO_SEARCH" + else + ok "$PATTERN present in $FILES_TO_SEARCH" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN" + if [ $FNRET != 0 ]; then + warn "$PATTERN not present in $FILES_TO_SEARCH" + touch $FILE + chmod 700 $FILE + add_end_of_file $FILE "$PATTERN" + else + ok "$PATTERN present in $FILES_TO_SEARCH" + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.4_secure_tty.sh b/bin/hardening/9.4_secure_tty.sh new file mode 100755 index 0000000..ddeb0d9 --- /dev/null +++ b/bin/hardening/9.4_secure_tty.sh 
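Review bot: apply creates /etc/profile.d/CIS_10.4_umask.sh with `chmod 700 $FILE`, which makes the snippet unreadable to every non-root user; Debian's /etc/profile typically sources profile.d fragments only when they are readable, so the umask would apply to root alone and the control (a default umask for users) would stay unmet while the audit keeps passing. A world-readable mode such as `chmod 644 $FILE` is what this fragment needs. In audit and apply, FILES_TO_SEARCH is passed as one quoted argument `"$FILES_TO_SEARCH"`, so whether the space-separated list and the `/etc/profile.d/*` glob are expanded depends entirely on does_pattern_exists_in_file — worth confirming against the helper, or passing the list unquoted on purpose with a comment. USER='root' is unused in this script and can be dropped.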
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 9.4 Restrict root Login to System Console (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/securetty'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Remove terminal entries in $FILE for any consoles that are not in a physically secure location."
+ info "No measure here, please review the file by yourself"
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "Remove terminal entries in $FILE for any consoles that are not in a physically secure location."
+ info "No measure here, please review the file by yourself"
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/9.5_restrict_su.sh b/bin/hardening/9.5_restrict_su.sh
new file mode 100755
index 0000000..70d6922
--- /dev/null
+++ b/bin/hardening/9.5_restrict_su.sh
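Review bot: audit prints two info lines and never emits ok or crit, so a report consumer cannot tell whether $FILE was even looked at; showing its current content at least gives the reviewer something to act on, e.g. `if [ -r "$FILE" ]; then info "Current entries in $FILE: $(tr '\n' ' ' < "$FILE")"; else warn "$FILE is absent"; fi`. apply duplicates the audit body verbatim and could simply call audit.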
@@ -0,0 +1,70 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 9.2.1 Set Password Creation Requirement Parameters Using pam_cracklib (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='login' +PATTERN='^auth[[:space:]]*required[[:space:]]*pam_wheel.so' +FILE='/etc/pam.d/su' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + add_line_file_before_pattern $FILE "auth required pam_wheel.so" "# Uncomment this if you want wheel members to be able to" + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh 
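Review bot: The header comment says `9.2.1 Set Password Creation Requirement Parameters Using pam_cracklib (Scored)`, copied from another script, and should describe this control (9.5, restricting su through pam_wheel). `does_pattern_exists_in_file $FILE $PATTERN` leaves PATTERN unquoted although it contains `*` and `[...]`, so the shell may glob it against the current directory before the helper sees it; the 10.x scripts quote their pattern and this one should too: `does_pattern_exists_in_file $FILE "$PATTERN"`. In apply, the remediation branch logs `crit` before fixing the file where the sibling scripts use `warn`, which inflates the critical count of an enabled run. The inserted line also depends on the stock comment "# Uncomment this if you want wheel members to be able to" being present and, once `auth required pam_wheel.so` is active, on a wheel group that actually contains the administrators — a missing comment leaves the file unchanged and a missing or empty group would refuse su to everyone, so both are worth a check_config guard such as `getent group wheel`.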
diff --git a/etc/conf.d/10.1.1_set_password_exp_days.cfg b/etc/conf.d/10.1.1_set_password_exp_days.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/10.1.1_set_password_exp_days.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/10.1.2_set_password_min_days_change.cfg b/etc/conf.d/10.1.2_set_password_min_days_change.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/10.1.2_set_password_min_days_change.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/10.1.3_set_password_exp_warning_days.cfg b/etc/conf.d/10.1.3_set_password_exp_warning_days.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/10.1.3_set_password_exp_warning_days.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/10.2_disable_system_accounts.cfg b/etc/conf.d/10.2_disable_system_accounts.cfg
new file mode 100644
index 0000000..4f45edf
--- /dev/null
+++ b/etc/conf.d/10.2_disable_system_accounts.cfg
@@ -0,0 +1,4 @@
+# Configuration for script of same name
+status=enabled
+# Put here your exceptions concerning admin shells
+EXCEPTIONS=""
diff --git a/etc/conf.d/10.3_default_root_group.cfg b/etc/conf.d/10.3_default_root_group.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/10.3_default_root_group.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/10.4_default_umask.cfg b/etc/conf.d/10.4_default_umask.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/10.4_default_umask.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/9.4_secure_tty.cfg b/etc/conf.d/9.4_secure_tty.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/9.4_secure_tty.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/9.5_restrict_su.cfg b/etc/conf.d/9.5_restrict_su.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/9.5_restrict_su.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled