From a7f418d8a2d5b90a7257542b1dd16fd4238721ca Mon Sep 17 00:00:00 2001 From: "thibault.dewailly" Date: Tue, 19 Apr 2016 09:31:01 +0200 Subject: [PATCH] Corrected script names, added License, Completed README and corrected bug with too long logger messages --- LICENSE | 25 +++++++++++++++++++ README | 16 +++++++++--- bin/hardening/12.8_find_unowned_files.sh | 4 +-- ...tp_proxy.sh => 6.13_disable_http_proxy.sh} | 0 ...6.6_diable_ldap.sh => 6.6_disable_ldap.sh} | 0 ..._proxy.cfg => 6.13_disable_http_proxy.cfg} | 0 ...6_diable_ldap.cfg => 6.6_disable_ldap.cfg} | 0 lib/common.sh | 4 +-- 8 files changed, 41 insertions(+), 8 deletions(-) create mode 100644 LICENSE rename bin/hardening/{6.13_diable_http_proxy.sh => 6.13_disable_http_proxy.sh} (100%) rename bin/hardening/{6.6_diable_ldap.sh => 6.6_disable_ldap.sh} (100%) rename etc/conf.d/{6.13_diable_http_proxy.cfg => 6.13_disable_http_proxy.cfg} (100%) rename etc/conf.d/{6.6_diable_ldap.cfg => 6.6_disable_ldap.cfg} (100%) diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..fb3feff --- /dev/null +++ b/LICENSE @@ -0,0 +1,25 @@ +Copyright (c) 2016, OVH SAS. +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of OVH SAS nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY +EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL OVH SAS AND CONTRIBUTORS BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/README b/README index 70d130e..ccd6925 100644 --- a/README +++ b/README @@ -5,9 +5,17 @@ # Hardening scripts : # bin/hardening : Every script has a .cfg associated, status must be defined here -# Main script : -# bin/hardening.sh : Will execute hardening according to configuration - # Configuration # etc/hardening.cfg : Global variables defined such as backup directory, or log level -# etc/conf.d : Folder with all .cfg associated to hardenign scripts +# etc/conf.d : Folder with all .cfg associated to hardening scripts + +# Status parameter will define on each script if it has to be disabled (do nothing), audit (RO), enabled (RW) +# Enabled will perform audit and most of the time correct your system accordingly. +# There is exceptions as it is difficult to know how you want to correct that. + +# Main script : +# bin/hardening.sh : Will execute hardening according to configuration +# Options are : +# --apply : Will apply hardening when scripts have status enabled (RW), and audit points where status is audit (RO) +# --audit : Will audit hardening when scripts have status enabled or audit (RO) +# --audit-all : Apply audit (RO) on all scripts diff --git a/bin/hardening/12.8_find_unowned_files.sh b/bin/hardening/12.8_find_unowned_files.sh index fb081d9..eb8f2ef 100755 --- a/bin/hardening/12.8_find_unowned_files.sh +++ b/bin/hardening/12.8_find_unowned_files.sh @@ -22,7 +22,7 @@ audit () { FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ') crit "$FORMATTED_RESULT" else - ok "No world writable files found" + ok "No unowned files found" fi } @@ -33,7 +33,7 @@ apply () { warn "chmowing all unowned files in the system" df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER else - ok "No world writable files found, nothing to apply" + ok "No unowned files found, nothing to apply" fi } diff --git a/bin/hardening/6.13_diable_http_proxy.sh b/bin/hardening/6.13_disable_http_proxy.sh similarity index 100% rename from bin/hardening/6.13_diable_http_proxy.sh rename to bin/hardening/6.13_disable_http_proxy.sh diff --git a/bin/hardening/6.6_diable_ldap.sh b/bin/hardening/6.6_disable_ldap.sh similarity index 100% rename from bin/hardening/6.6_diable_ldap.sh rename to bin/hardening/6.6_disable_ldap.sh diff --git a/etc/conf.d/6.13_diable_http_proxy.cfg b/etc/conf.d/6.13_disable_http_proxy.cfg similarity index 100% rename from etc/conf.d/6.13_diable_http_proxy.cfg rename to etc/conf.d/6.13_disable_http_proxy.cfg diff --git a/etc/conf.d/6.6_diable_ldap.cfg b/etc/conf.d/6.6_disable_ldap.cfg similarity index 100% rename from etc/conf.d/6.6_diable_ldap.cfg rename to etc/conf.d/6.6_disable_ldap.cfg diff --git a/lib/common.sh b/lib/common.sh index d846ab9..48e5d2a 100644 --- a/lib/common.sh +++ b/lib/common.sh @@ -46,14 +46,14 @@ _logger() { COLOR=$1 shift test -z "$SCRIPT_NAME" && SCRIPT_NAME=$(basename $0) - /usr/bin/logger -t "[CIS_Hardening] $SCRIPT_NAME" -p "user.info" "$*" + builtin echo "$*" | /usr/bin/logger -t "[CIS_Hardening] $SCRIPT_NAME" -p "user.info" test -t 1 && cecho $COLOR "$SCRIPT_NAME $*" } cecho () { COLOR=$1 shift - echo -e "${COLOR}$*${NC}" + builtin echo -e "${COLOR}$*${NC}" } crit () {