mirror of
https://github.com/ovh/debian-cis.git
synced 2024-12-23 22:45:23 +01:00
Merge pull request #2 in IAAS/cis-hardening from dev/thibault.dewailly/base_harden to master
Release Alpha 0.1 * commit '091eec57ee7f706c2dd16150c75b4d93a183b724': (64 commits) All configuration defaults to disabled README updated 99.1_timeout_tty.sh 99.2_disable_usb_devices.sh Fixed disabled features, headers and preparing main script Added argument parsing and test checks 13.16_check_duplicate_username.sh 13.17_check_duplicate_groupname.sh 13.18_find_user_netrc_files.sh 13.19_find_user_forward_files.sh 13.20_shadow_group_empty.sh 13.14_check_duplicate_uid.sh 13.15_check_duplicate_gid.sh^C 13.12_users_valid_homedir.sh 13.11_find_passwd_group_inconsistencies.sh 13.13_check_user_homedir_ownership.sh 13.10_find_user_rhosts_files.sh 13.8_check_user_dot_file_perm.sh 13.9_set_perm_on_user_netrc.sh 13.7_check_user_dir_perm.sh 13.1_remove_empty_password_field.sh 13.2_remove_legacy_passwd_entries.sh 13.3_remove_legacy_shadow_entries.sh 13.4_remove_legacy_group_entries.sh 13.5_find_0_uid_non_root_account.sh 13.6_sanitize_root_path.sh 13.1_remove_empry_password_field.sh 12.11_find_sgid_files.sh 12.10_find_suid_files.sh 12.1_etc_passwd_permissions.sh 12.2_etc_shadow_permissions.sh 12.3_etc_group_permissions.sh 12.4_etc_passwd_ownership.sh 12.5_etc_shadow_ownership.sh 12.6_etc_group_ownership.sh 12.7_find_world_writable_file.sh 12.8_find_unowned_files.sh 12.9_find_ungrouped_files.sh 10.5_lock_inactive_user_account.sh 11.1_warning_banners.sh 11.2_remove_os_info_warning_banners.sh 11.3_graphical_warning_banners.sh 10.1.1_set_password_exp_days.sh 10.1.2_set_password_min_days_change.sh 10.1.3_set_password_exp_warning_days.sh 10.2_disable_system_accounts.sh 10.3_default_root_group.sh 10.4_default_umask.sh 9.4_secure_tty.sh 9.5_restrict_su.sh 9.2.1_enable_cracklib.sh 9.2.2_enable_lockout_failed_password.sh 9.2.3_limit_password_reuse.sh 9.3.10_disable_sshd_setenv.sh 9.3.11_sshd_ciphers.sh 9.3.12_sshd_idle_timeout.sh 9.3.13_sshd_limit_access.sh 9.3.14_ssh_banner.sh 9.3.2_sshd_loglevel.sh 9.3.1_sshd_protocol.sh 9.3.3_sshd_conf_perm_ownership.sh 9.3.4_disable_x11_forwarding.sh 9.3.5_sshd_maxauthtries.sh 9.3.6_enable_sshd_ignorerhosts.sh 9.3.7_disable_sshd_hostbasedauthentication.sh 9.3.8_disable_root_login.sh 9.3.9_disable_sshd_permitemptypasswords.sh 9.1.3_cron_hourly_perm_ownership.sh 9.1.4_cron_daily_perm_ownership.sh 9.1.5_cron_weekly_perm_ownership.sh 9.1.6_cron_monthly_perm_ownership.sh 9.1.7_cron_d_perm_ownership.sh 9.1.8_cron_users.sh 9.1.1_enable_cron.sh 9.1.2_crontab_perm_ownership.sh 8.4_configure_logrotate.sh ...
This commit is contained in:
commit
df6d513929
11
README
11
README
@ -1,2 +1,13 @@
|
||||
# CIS Debian 7 Hardening git repository
|
||||
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||
# This is the code base which will be used to fill CIS hardening requirements
|
||||
|
||||
# Hardening scripts :
|
||||
# bin/hardening : Every script has a .cfg associated, status must be defined here
|
||||
|
||||
# Main script :
|
||||
# bin/hardening.sh : Will execute hardening according to configuration
|
||||
|
||||
# Configuration
|
||||
# etc/hardening.cfg : Global variables defined such as backup directory, or log level
|
||||
# etc/conf.d : Folder with all .cfg associated to hardenign scripts
|
||||
|
118
bin/hardening.sh
Executable file
118
bin/hardening.sh
Executable file
@ -0,0 +1,118 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||
#
|
||||
|
||||
#
|
||||
# Main script : Execute hardening considering configuration
|
||||
#
|
||||
|
||||
LONG_SCRIPT_NAME=$(basename $0)
|
||||
SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
|
||||
DISABLED_CHECKS=0
|
||||
PASSED_CHECKS=0
|
||||
FAILED_CHECKS=0
|
||||
TOTAL_CHECKS=0
|
||||
TOTAL_TREATED_CHECKS=0
|
||||
AUDIT=0
|
||||
APPLY=0
|
||||
|
||||
usage() {
|
||||
cat << EOF
|
||||
$LONG_SCRIPT_NAME ( --apply | -- audit ) < -h | --help >
|
||||
--apply : Apply hardening if told in configuration
|
||||
--audit : If script not disabled, audit configuration only
|
||||
-h|--help : This help
|
||||
EOF
|
||||
exit 0
|
||||
}
|
||||
|
||||
if [ $# = 0 ]; then
|
||||
usage
|
||||
fi
|
||||
|
||||
# Arguments parsing
|
||||
while [[ $# > 0 ]]; do
|
||||
ARG="$1"
|
||||
case $ARG in
|
||||
--audit)
|
||||
AUDIT=1
|
||||
;;
|
||||
--apply)
|
||||
APPLY=1
|
||||
;;
|
||||
-h|--help)
|
||||
usage
|
||||
;;
|
||||
*)
|
||||
usage
|
||||
;;
|
||||
esac
|
||||
shift
|
||||
done
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
|
||||
[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
|
||||
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
|
||||
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
|
||||
|
||||
# Parse every scripts and execute them in the required mode
|
||||
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening | sort -V); do
|
||||
info "Treating $SCRIPT"
|
||||
|
||||
if [ $AUDIT = 1 ]; then
|
||||
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit"
|
||||
$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit
|
||||
elif [ $APPLY = 1 ]; then
|
||||
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
|
||||
$CIS_ROOT_DIR/bin/hardening/$SCRIPT
|
||||
fi
|
||||
|
||||
SCRIPT_EXITCODE=$?
|
||||
|
||||
debug "Script $SCRIPT finished with exit code $SCRIPT_EXITCODE"
|
||||
case $SCRIPT_EXITCODE in
|
||||
0)
|
||||
debug "$SCRIPT passed"
|
||||
PASSED_CHECKS=$((PASSED_CHECKS+1))
|
||||
;;
|
||||
1)
|
||||
debug "$SCRIPT failed"
|
||||
FAILED_CHECKS=$((FAILED_CHECKS+1))
|
||||
;;
|
||||
2)
|
||||
debug "$SCRIPT is disabled"
|
||||
DISABLED_CHECKS=$((DISABLED_CHECKS+1))
|
||||
;;
|
||||
esac
|
||||
|
||||
TOTAL_CHECKS=$((TOTAL_CHECKS+1))
|
||||
|
||||
done
|
||||
|
||||
TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS-DISABLED_CHECKS))
|
||||
|
||||
printf "%40s\n" "################### SUMMARY ###################"
|
||||
printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
|
||||
printf "%30s %s\n" "Total Runned Checks :" "$TOTAL_TREATED_CHECKS"
|
||||
printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
|
||||
printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
|
||||
printf "%30s %.2f %%\n" "Enabled Checks Percentage :" "$( echo "($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100" | bc -l)"
|
||||
if [ $TOTAL_TREATED_CHECKS != 0 ]; then
|
||||
printf "%30s %.2f %%\n" "Conformity Percentage :" "$( echo "($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100" | bc -l)"
|
||||
else
|
||||
printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No check runned, avoid division by 0
|
||||
fi
|
57
bin/hardening/1.1_install_updates.sh
Executable file
57
bin/hardening/1.1_install_updates.sh
Executable file
@ -0,0 +1,57 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 1.1 Install Updates, Patches and Additional Security Software (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Checking if apt needs an update"
|
||||
apt_update_if_needed
|
||||
info "Fetching upgrades ..."
|
||||
apt_check_updates "CIS_APT"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
crit "$RESULT"
|
||||
FNRET=1
|
||||
else
|
||||
ok "No upgrades available"
|
||||
FNRET=0
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
info "Applying Upgrades..."
|
||||
DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y
|
||||
else
|
||||
ok "No Upgrades to apply"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
# No parameters for this function
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
85
bin/hardening/10.1.1_set_password_exp_days.sh
Executable file
85
bin/hardening/10.1.1_set_password_exp_days.sh
Executable file
@ -0,0 +1,85 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 10.1.1 Set Password Expiration Days (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
PACKAGE='login'
|
||||
OPTIONS='PASS_MAX_DAYS=90'
|
||||
FILE='/etc/login.defs'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$PACKAGE is not installed !"
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
for SSH_OPTION in $OPTIONS; do
|
||||
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
|
||||
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
|
||||
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
|
||||
does_pattern_exists_in_file $FILE "$PATTERN"
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PATTERN is present in $FILE"
|
||||
else
|
||||
crit "$PATTERN is not present in $FILE"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PACKAGE is installed"
|
||||
else
|
||||
crit "$PACKAGE is absent, installing it"
|
||||
apt_install $PACKAGE
|
||||
fi
|
||||
for SSH_OPTION in $OPTIONS; do
|
||||
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
|
||||
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
|
||||
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
|
||||
does_pattern_exists_in_file $FILE "$PATTERN"
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PATTERN is present in $FILE"
|
||||
else
|
||||
warn "$PATTERN not present in $FILE, adding it"
|
||||
does_pattern_exists_in_file $FILE "^$SSH_PARAM"
|
||||
if [ $FNRET != 0 ]; then
|
||||
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
|
||||
else
|
||||
info "Parameter $SSH_PARAM is present but with the wrong value, correcting"
|
||||
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
85
bin/hardening/10.1.2_set_password_min_days_change.sh
Executable file
85
bin/hardening/10.1.2_set_password_min_days_change.sh
Executable file
@ -0,0 +1,85 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 10.1.2 Set Password Change Minimum Number of Days (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
PACKAGE='login'
|
||||
OPTIONS='PASS_MIN_DAYS=7'
|
||||
FILE='/etc/login.defs'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$PACKAGE is not installed !"
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
for SSH_OPTION in $OPTIONS; do
|
||||
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
|
||||
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
|
||||
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
|
||||
does_pattern_exists_in_file $FILE "$PATTERN"
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PATTERN is present in $FILE"
|
||||
else
|
||||
crit "$PATTERN is not present in $FILE"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PACKAGE is installed"
|
||||
else
|
||||
crit "$PACKAGE is absent, installing it"
|
||||
apt_install $PACKAGE
|
||||
fi
|
||||
for SSH_OPTION in $OPTIONS; do
|
||||
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
|
||||
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
|
||||
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
|
||||
does_pattern_exists_in_file $FILE "$PATTERN"
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PATTERN is present in $FILE"
|
||||
else
|
||||
warn "$PATTERN not present in $FILE, adding it"
|
||||
does_pattern_exists_in_file $FILE "^$SSH_PARAM"
|
||||
if [ $FNRET != 0 ]; then
|
||||
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
|
||||
else
|
||||
info "Parameter $SSH_PARAM is present but with the wrong value, correcting"
|
||||
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
85
bin/hardening/10.1.3_set_password_exp_warning_days.sh
Executable file
85
bin/hardening/10.1.3_set_password_exp_warning_days.sh
Executable file
@ -0,0 +1,85 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 10.1.3 Set Password Expiring Warning Days (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
PACKAGE='login'
|
||||
OPTIONS='PASS_MIN_DAYS=7'
|
||||
FILE='/etc/login.defs'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$PACKAGE is not installed !"
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
for SSH_OPTION in $OPTIONS; do
|
||||
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
|
||||
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
|
||||
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
|
||||
does_pattern_exists_in_file $FILE "$PATTERN"
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PATTERN is present in $FILE"
|
||||
else
|
||||
crit "$PATTERN is not present in $FILE"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PACKAGE is installed"
|
||||
else
|
||||
crit "$PACKAGE is absent, installing it"
|
||||
apt_install $PACKAGE
|
||||
fi
|
||||
for SSH_OPTION in $OPTIONS; do
|
||||
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
|
||||
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
|
||||
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
|
||||
does_pattern_exists_in_file $FILE "$PATTERN"
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PATTERN is present in $FILE"
|
||||
else
|
||||
warn "$PATTERN not present in $FILE, adding it"
|
||||
does_pattern_exists_in_file $FILE "^$SSH_PARAM"
|
||||
if [ $FNRET != 0 ]; then
|
||||
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
|
||||
else
|
||||
info "Parameter $SSH_PARAM is present but with the wrong value, correcting"
|
||||
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
90
bin/hardening/10.2_disable_system_accounts.sh
Executable file
90
bin/hardening/10.2_disable_system_accounts.sh
Executable file
@ -0,0 +1,90 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 10.2 Disable System Accounts (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
SHELL='/bin/false'
|
||||
FILE='/etc/passwd'
|
||||
RESULT=''
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Checking if admin accounts have login different from $SHELL"
|
||||
RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}')
|
||||
for LINE in $RESULT; do
|
||||
debug "line : $LINE"
|
||||
ACCOUNT=$( echo $LINE | cut -d: -f 1 )
|
||||
debug "Account : $ACCOUNT"
|
||||
debug "Exceptions : $EXCEPTIONS"
|
||||
debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
|
||||
if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then
|
||||
debug "$ACCOUNT is confirmed as an exception"
|
||||
RESULT=$(sed "s!$LINE!!" <<< "$RESULT")
|
||||
else
|
||||
debug "$ACCOUNT not found in exceptions"
|
||||
fi
|
||||
done
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
crit "Some admin accounts have not $SHELL as shell"
|
||||
crit "$RESULT"
|
||||
else
|
||||
ok "All admin accounts deactivated"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}')
|
||||
for LINE in $RESULT; do
|
||||
debug "line : $LINE"
|
||||
ACCOUNT=$( echo $LINE | cut -d: -f 1 )
|
||||
debug "Account : $ACCOUNT"
|
||||
debug "Exceptions : $EXCEPTIONS"
|
||||
debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
|
||||
if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then
|
||||
debug "$ACCOUNT is confirmed as an exception"
|
||||
RESULT=$(sed "s!$LINE!!" <<< "$RESULT")
|
||||
else
|
||||
debug "$ACCOUNT not found in exceptions"
|
||||
fi
|
||||
done
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
warn "Some admin accounts have not $SHELL as shell"
|
||||
warn "$RESULT"
|
||||
for USER in $( echo "$RESULT" | cut -d: -f 1 ); do
|
||||
info "Setting $SHELL to $USER"
|
||||
usermod -s $SHELL $USER
|
||||
done
|
||||
else
|
||||
ok "All admin accounts deactivated, nothing to apply"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
if [ -z "$EXCEPTIONS" ]; then
|
||||
EXCEPTIONS="@"
|
||||
fi
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
53
bin/hardening/10.3_default_root_group.sh
Executable file
53
bin/hardening/10.3_default_root_group.sh
Executable file
@ -0,0 +1,53 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 10.3 Set Default Group for root Account (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
USER='root'
|
||||
EXPECTED_GID='0'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
if [ $(grep "^root:" /etc/passwd | cut -f4 -d:) = 0 ]; then
|
||||
ok "Root group has GID $EXPECTED_GID"
|
||||
else
|
||||
crit "Root group has not GID $EXPECTED_GID"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $(grep "^root:" /etc/passwd | cut -f4 -d:) = 0 ]; then
|
||||
ok "Root group has GID $EXPECTED_GID"
|
||||
else
|
||||
warn "Root group has not GID $EXPECTED_GID"
|
||||
usermod -g $EXPECTED_GID $USER
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
59
bin/hardening/10.4_default_umask.sh
Executable file
59
bin/hardening/10.4_default_umask.sh
Executable file
@ -0,0 +1,59 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 10.4 Set Default umask for Users (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
USER='root'
|
||||
PATTERN='umask 077'
|
||||
FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d/* /etc/profile'
|
||||
FILE='/etc/profile.d/CIS_10.4_umask.sh'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN"
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$PATTERN not present in $FILES_TO_SEARCH"
|
||||
else
|
||||
ok "$PATTERN present in $FILES_TO_SEARCH"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN"
|
||||
if [ $FNRET != 0 ]; then
|
||||
warn "$PATTERN not present in $FILES_TO_SEARCH"
|
||||
touch $FILE
|
||||
chmod 644 $FILE
|
||||
add_end_of_file $FILE "$PATTERN"
|
||||
else
|
||||
ok "$PATTERN present in $FILES_TO_SEARCH"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
45
bin/hardening/10.5_lock_inactive_user_account.sh
Executable file
45
bin/hardening/10.5_lock_inactive_user_account.sh
Executable file
@ -0,0 +1,45 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 10.5 Lock Inactive User Accounts (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Looking at the manual of useradd, it seems that this recommendation does not fill the title"
|
||||
info "The number of days after a password expires until the account is permanently disabled."
|
||||
info "Which is not inactive users per se"
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
info "Looking at the manual of useradd, it seems that this recommendation does not fill the title"
|
||||
info "The number of days after a password expires until the account is permanently disabled."
|
||||
info "Which is not inactive users per se"
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
79
bin/hardening/11.1_warning_banners.sh
Executable file
79
bin/hardening/11.1_warning_banners.sh
Executable file
@ -0,0 +1,79 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 11.1 Set Warning Banner for Standard Login Services (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
PERMISSIONS='644'
|
||||
USER='root'
|
||||
GROUP='root'
|
||||
FILES='/etc/motd /etc/issue /etc/issue.net'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
for FILE in $FILES; do
|
||||
has_file_correct_ownership $FILE $USER $GROUP
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
crit "$FILE is not $USER:$GROUP ownership set"
|
||||
fi
|
||||
has_file_correct_permissions $FILE $PERMISSIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
crit "$FILE has not $PERMISSIONS permissions set"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
for FILE in $FILES; do
|
||||
does_file_exist $FILE
|
||||
if [ $FNRET != 0 ]; then
|
||||
info "$FILE does not exist"
|
||||
touch $FILE
|
||||
fi
|
||||
has_file_correct_ownership $FILE $USER $GROUP
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
warn "$FILE is not $USER:$GROUP ownership set"
|
||||
chown $USER:$GROUP $FILE
|
||||
fi
|
||||
has_file_correct_permissions $FILE $PERMISSIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0$PERMISSIONS $FILE
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
59
bin/hardening/11.2_remove_os_info_warning_banners.sh
Executable file
59
bin/hardening/11.2_remove_os_info_warning_banners.sh
Executable file
@ -0,0 +1,59 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 11.2 Remove OS Information from Login Warning Banners (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
FILES='/etc/motd /etc/issue /etc/issue.net'
|
||||
PATTERN='(\\v|\\r|\\m|\\s)'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
for FILE in $FILES; do
|
||||
does_pattern_exists_in_file $FILE "$PATTERN"
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PATTERN is present in $FILE"
|
||||
else
|
||||
ok "$PATTERN is not present in $FILE"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
for FILE in $FILES; do
|
||||
does_pattern_exists_in_file $FILE "$PATTERN"
|
||||
if [ $FNRET = 0 ]; then
|
||||
warn "$PATTERN is present in $FILE"
|
||||
delete_line_in_file $FILE $PATTERN
|
||||
else
|
||||
ok "$PATTERN is not present in $FILE"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
41
bin/hardening/11.3_graphical_warning_banners.sh
Executable file
41
bin/hardening/11.3_graphical_warning_banners.sh
Executable file
@ -0,0 +1,41 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 11.3 Set Graphical Warning Banner (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Not implemented yet"
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
info "Not implemented yet"
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
56
bin/hardening/12.10_find_suid_files.sh
Executable file
56
bin/hardening/12.10_find_suid_files.sh
Executable file
@ -0,0 +1,56 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 12.10 Find SUID System Executables (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Checking if there is suid files"
|
||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000 -print)
|
||||
for BINARY in $RESULT; do
|
||||
if grep -q $BINARY <<< "$EXCEPTIONS"; then
|
||||
debug "$BINARY is confirmed as an exception"
|
||||
RESULT=$(sed "s!$BINARY!!" <<< $RESULT)
|
||||
fi
|
||||
done
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
crit "Some suid files are present"
|
||||
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
|
||||
crit "$FORMATTED_RESULT"
|
||||
else
|
||||
ok "No unknown suid files found"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
info "Removing suid on valid binary may seriously harm your system, report only here"
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
# No param for this function
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
57
bin/hardening/12.11_find_sgid_files.sh
Executable file
57
bin/hardening/12.11_find_sgid_files.sh
Executable file
@ -0,0 +1,57 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 12.11 Find SGID System Executables (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Checking if there is sgid files"
|
||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000 -print)
|
||||
for BINARY in $RESULT; do
|
||||
if grep -q $BINARY <<< "$EXCEPTIONS"; then
|
||||
debug "$BINARY is confirmed as an exception"
|
||||
RESULT=$(sed "s!$BINARY!!" <<< $RESULT)
|
||||
fi
|
||||
done
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
crit "Some sgid files are present"
|
||||
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
|
||||
crit "$FORMATTED_RESULT"
|
||||
else
|
||||
ok "No unknown sgid files found"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
info "Removing sgid on valid binary may seriously harm your system, report only here"
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
if [ -z "$EXCEPTIONS" ]; then
|
||||
EXCEPTIONS="@"
|
||||
fi
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
55
bin/hardening/12.1_etc_passwd_permissions.sh
Executable file
55
bin/hardening/12.1_etc_passwd_permissions.sh
Executable file
@ -0,0 +1,55 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 12.1 Verify Permissions on /etc/passwd (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
FILE='/etc/passwd'
|
||||
PERMISSIONS='644'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
has_file_correct_permissions $FILE $PERMISSIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
crit "$FILE has not $PERMISSIONS permissions set"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
has_file_correct_permissions $FILE $PERMISSIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0$PERMISSIONS $FILE
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
55
bin/hardening/12.2_etc_shadow_permissions.sh
Executable file
55
bin/hardening/12.2_etc_shadow_permissions.sh
Executable file
@ -0,0 +1,55 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 12.2 Verify Permissions on /etc/shadow (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
FILE='/etc/shadow'
|
||||
PERMISSIONS='640'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
has_file_correct_permissions $FILE $PERMISSIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
crit "$FILE has not $PERMISSIONS permissions set"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
has_file_correct_permissions $FILE $PERMISSIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0$PERMISSIONS $FILE
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
55
bin/hardening/12.3_etc_group_permissions.sh
Executable file
55
bin/hardening/12.3_etc_group_permissions.sh
Executable file
@ -0,0 +1,55 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 12.3 Verify Permissions on /etc/group (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
FILE='/etc/group'
|
||||
PERMISSIONS='644'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
has_file_correct_permissions $FILE $PERMISSIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
crit "$FILE has not $PERMISSIONS permissions set"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
has_file_correct_permissions $FILE $PERMISSIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0$PERMISSIONS $FILE
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
70
bin/hardening/12.4_etc_passwd_ownership.sh
Executable file
70
bin/hardening/12.4_etc_passwd_ownership.sh
Executable file
@ -0,0 +1,70 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 12.4 Verify User/Group Ownership on /etc/passwd (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
FILE='/etc/passwd'
|
||||
USER='root'
|
||||
GROUP='root'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
has_file_correct_ownership $FILE $USER $GROUP
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
crit "$FILE is not $USER:$GROUP ownership set"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
has_file_correct_ownership $FILE $USER $GROUP
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
info "fixing $FILE ownership to $USER:$GROUP"
|
||||
chown $USER:$GROUP $FILE
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
does_user_exist $USER
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$USER does not exist"
|
||||
exit 128
|
||||
fi
|
||||
does_group_exist $GROUP
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$GROUP does not exist"
|
||||
exit 128
|
||||
fi
|
||||
does_file_exist $FILE
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
exit 128
|
||||
fi
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
70
bin/hardening/12.5_etc_shadow_ownership.sh
Executable file
70
bin/hardening/12.5_etc_shadow_ownership.sh
Executable file
@ -0,0 +1,70 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 12.5 Verify User/Group Ownership on /etc/shadow (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
FILE='/etc/shadow'
|
||||
USER='root'
|
||||
GROUP='shadow'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
has_file_correct_ownership $FILE $USER $GROUP
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
crit "$FILE is not $USER:$GROUP ownership set"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
has_file_correct_ownership $FILE $USER $GROUP
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
info "fixing $FILE ownership to $USER:$GROUP"
|
||||
chown $USER:$GROUP $FILE
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
does_user_exist $USER
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$USER does not exist"
|
||||
exit 128
|
||||
fi
|
||||
does_group_exist $GROUP
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$GROUP does not exist"
|
||||
exit 128
|
||||
fi
|
||||
does_file_exist $FILE
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
exit 128
|
||||
fi
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
70
bin/hardening/12.6_etc_group_ownership.sh
Executable file
70
bin/hardening/12.6_etc_group_ownership.sh
Executable file
@ -0,0 +1,70 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 12.6 Verify User/Group Ownership on /etc/group (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
FILE='/etc/group'
|
||||
USER='root'
|
||||
GROUP='root'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
has_file_correct_ownership $FILE $USER $GROUP
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
crit "$FILE is not $USER:$GROUP ownership set"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
has_file_correct_ownership $FILE $USER $GROUP
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
info "fixing $FILE ownership to $USER:$GROUP"
|
||||
chown $USER:$GROUP $FILE
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
does_user_exist $USER
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$USER does not exist"
|
||||
exit 128
|
||||
fi
|
||||
does_group_exist $GROUP
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$GROUP does not exist"
|
||||
exit 128
|
||||
fi
|
||||
does_file_exist $FILE
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
exit 128
|
||||
fi
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
56
bin/hardening/12.7_find_world_writable_file.sh
Executable file
56
bin/hardening/12.7_find_world_writable_file.sh
Executable file
@ -0,0 +1,56 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 12.7 Find World Writable Files (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Checking if there is world writable files"
|
||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
crit "Some world writable file are present"
|
||||
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
|
||||
crit "$FORMATTED_RESULT"
|
||||
else
|
||||
ok "No world writable files found"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
warn "chmoding o-w all files in the system"
|
||||
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null| xargs chmod o-w
|
||||
else
|
||||
ok "No world writable files found, nothing to apply"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
# No param for this function
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
58
bin/hardening/12.8_find_unowned_files.sh
Executable file
58
bin/hardening/12.8_find_unowned_files.sh
Executable file
@ -0,0 +1,58 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 12.8 Find Un-owned Files and Directories (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
USER='root'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Checking if there is unowned files"
|
||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null)
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
crit "Some world writable file are present"
|
||||
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
|
||||
crit "$FORMATTED_RESULT"
|
||||
else
|
||||
ok "No world writable files found"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
warn "chmowing all unowned files in the system"
|
||||
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER
|
||||
else
|
||||
ok "No world writable files found, nothing to apply"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
# No param for this function
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
58
bin/hardening/12.9_find_ungrouped_files.sh
Executable file
58
bin/hardening/12.9_find_ungrouped_files.sh
Executable file
@ -0,0 +1,58 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 12.9 Find Un-grouped Files and Directories (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
GROUP='root'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Checking if there is unowned files"
|
||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null)
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
crit "Some world writable file are present"
|
||||
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
|
||||
crit "$FORMATTED_RESULT"
|
||||
else
|
||||
ok "No world writable files found"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
warn "chmowing all ungrouped files in the system"
|
||||
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP
|
||||
else
|
||||
ok "No world writable files found, nothing to apply"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
# No param for this function
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
56
bin/hardening/13.10_find_user_rhosts_files.sh
Executable file
56
bin/hardening/13.10_find_user_rhosts_files.sh
Executable file
@ -0,0 +1,56 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 13.10 Check for Presence of User .rhosts Files (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
ERRORS=0
|
||||
FILENAME=".rhosts"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
|
||||
debug "Working on $DIR"
|
||||
for FILE in $DIR/$FILENAME; do
|
||||
if [ ! -h "$FILE" -a -f "$FILE" ]; then
|
||||
crit "$FILE present"
|
||||
ERRORS=$((ERRORS+1))
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
if [ $ERRORS = 0 ]; then
|
||||
ok "No $FILENAME present in users files"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
info "If the audit returns something, please check with the user why he has this file"
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
54
bin/hardening/13.11_find_passwd_group_inconsistencies.sh
Executable file
54
bin/hardening/13.11_find_passwd_group_inconsistencies.sh
Executable file
@ -0,0 +1,54 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 13.11 Check Groups in /etc/passwd (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
ERRORS=0
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
|
||||
for GROUP in $(cut -s -d: -f4 /etc/passwd | sort -u ); do
|
||||
debug "Working on group $GROUP"
|
||||
if ! grep -q -P "^.*?:[^:]*:$GROUP:" /etc/group; then
|
||||
crit "Group $GROUP is referenced by /etc/passwd but does not exist in /etc/group"
|
||||
ERRORS=$((ERRORS+1))
|
||||
fi
|
||||
done
|
||||
|
||||
if [ $ERRORS = 0 ]; then
|
||||
ok "passwd and group Groups are consistent"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
info "Solving passwd and group consistency automatically may seriously harm your system, report only here"
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
57
bin/hardening/13.12_users_valid_homedir.sh
Executable file
57
bin/hardening/13.12_users_valid_homedir.sh
Executable file
@ -0,0 +1,57 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 13.12 Check That Users Are Assigned Valid Home Directories (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
ERRORS=0
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
RESULT=$(cat /etc/passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
|
||||
for LINE in $RESULT; do
|
||||
debug "Working on $LINE"
|
||||
USER=$(awk -F: {'print $1'} <<< $LINE)
|
||||
USERID=$(awk -F: {'print $2'} <<< $LINE)
|
||||
DIR=$(awk -F: {'print $3'} <<< $LINE)
|
||||
if [ $USERID -ge 1000 -a ! -d "$DIR" -a $USER != "nfsnobody" -a $USER != "nobody" ]; then
|
||||
crit "The home directory ($DIR) of user $USER does not exist."
|
||||
ERRORS=$((ERRORS+1))
|
||||
fi
|
||||
done
|
||||
|
||||
if [ $ERRORS = 0 ]; then
|
||||
ok "All home directories exists"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
info "Modifying home directories may seriously harm your system, report only here"
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
68
bin/hardening/13.13_check_user_homedir_ownership.sh
Executable file
68
bin/hardening/13.13_check_user_homedir_ownership.sh
Executable file
@ -0,0 +1,68 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 13.13 Check User Home Directory Ownership (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
ERRORS=0
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
RESULT=$(cat /etc/passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
|
||||
for LINE in $RESULT; do
|
||||
debug "Working on $LINE"
|
||||
USER=$(awk -F: {'print $1'} <<< $LINE)
|
||||
USERID=$(awk -F: {'print $2'} <<< $LINE)
|
||||
DIR=$(awk -F: {'print $3'} <<< $LINE)
|
||||
if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" ]; then
|
||||
OWNER=$(stat -L -c "%U" "$DIR")
|
||||
if [ "$OWNER" != "$USER" ]; then
|
||||
crit "The home directory ($DIR) of user $USER is owned by $OWNER."
|
||||
ERRORS=$((ERRORS+1))
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
if [ $ERRORS = 0 ]; then
|
||||
ok "All home directories have correct ownership"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
cat /etc/passwd | awk -F: '{ print $1 " " $3 " " $6 }' | while read USER USERID DIR; do
|
||||
if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" ]; then
|
||||
OWNER=$(stat -L -c "%U" "$DIR")
|
||||
if [ "$OWNER" != "$USER" ]; then
|
||||
warn "The home directory ($DIR) of user $USER is owned by $OWNER."
|
||||
chown $USER $DIR
|
||||
fi
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
57
bin/hardening/13.14_check_duplicate_uid.sh
Executable file
57
bin/hardening/13.14_check_duplicate_uid.sh
Executable file
@ -0,0 +1,57 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 13.14 Check for Duplicate UIDs (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
ERRORS=0
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
RESULT=$(cat /etc/passwd | cut -f3 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
|
||||
for LINE in $RESULT; do
|
||||
debug "Working on line $LINE"
|
||||
OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
|
||||
USERID=$(awk -F: {'print $2'} <<< $LINE)
|
||||
if [ $OCC_NUMBER -gt 1 ]; then
|
||||
USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERID /etc/passwd | xargs)
|
||||
ERRORS=$((ERRORS+1))
|
||||
crit "Duplicate UID ($USERID): ${USERS}"
|
||||
fi
|
||||
done
|
||||
|
||||
if [ $ERRORS = 0 ]; then
|
||||
ok "No duplicate UIDs"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
info "Editing automatically uids may seriously harm your system, report only here"
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
57
bin/hardening/13.15_check_duplicate_gid.sh
Executable file
57
bin/hardening/13.15_check_duplicate_gid.sh
Executable file
@ -0,0 +1,57 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 13.15 Check for Duplicate GIDs (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
ERRORS=0
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
RESULT=$(cat /etc/group | cut -f3 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
|
||||
for LINE in $RESULT; do
|
||||
debug "Working on line $LINE"
|
||||
OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
|
||||
GROUPID=$(awk -F: {'print $2'} <<< $LINE)
|
||||
if [ $OCC_NUMBER -gt 1 ]; then
|
||||
USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPID /etc/passwd | xargs)
|
||||
ERRORS=$((ERRORS+1))
|
||||
crit "Duplicate GID ($GROUPID): ${USERS}"
|
||||
fi
|
||||
done
|
||||
|
||||
if [ $ERRORS = 0 ]; then
|
||||
ok "No duplicate GIDs"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
info "Editing automatically gids may seriously harm your system, report only here"
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
57
bin/hardening/13.16_check_duplicate_username.sh
Executable file
57
bin/hardening/13.16_check_duplicate_username.sh
Executable file
@ -0,0 +1,57 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 13.16 Check for Duplicate User Names (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
ERRORS=0
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
RESULT=$(cat /etc/passwd | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
|
||||
for LINE in $RESULT; do
|
||||
debug "Working on line $LINE"
|
||||
OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
|
||||
USERNAME=$(awk -F: {'print $2'} <<< $LINE)
|
||||
if [ $OCC_NUMBER -gt 1 ]; then
|
||||
USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERNAME /etc/passwd | xargs)
|
||||
ERRORS=$((ERRORS+1))
|
||||
crit "Duplicate username $USERNAME"
|
||||
fi
|
||||
done
|
||||
|
||||
if [ $ERRORS = 0 ]; then
|
||||
ok "No duplicate usernames"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
info "Editing automatically username may seriously harm your system, report only here"
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
57
bin/hardening/13.17_check_duplicate_groupname.sh
Executable file
57
bin/hardening/13.17_check_duplicate_groupname.sh
Executable file
@ -0,0 +1,57 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 13.17 Check for Duplicate Group Names (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
ERRORS=0
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
RESULT=$(cat /etc/group | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
|
||||
for LINE in $RESULT; do
|
||||
debug "Working on line $LINE"
|
||||
OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
|
||||
GROUPNAME=$(awk -F: {'print $2'} <<< $LINE)
|
||||
if [ $OCC_NUMBER -gt 1 ]; then
|
||||
USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPNAME /etc/passwd | xargs)
|
||||
ERRORS=$((ERRORS+1))
|
||||
crit "Duplicate groupname $GROUPNAME"
|
||||
fi
|
||||
done
|
||||
|
||||
if [ $ERRORS = 0 ]; then
|
||||
ok "No duplicate groupnames"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
info "Editing automatically groupname may seriously harm your system, report only here"
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
56
bin/hardening/13.18_find_user_netrc_files.sh
Executable file
56
bin/hardening/13.18_find_user_netrc_files.sh
Executable file
@ -0,0 +1,56 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 13.18 Check for Presence of User .netrc Files (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
ERRORS=0
|
||||
FILENAME='.netrc'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
|
||||
debug "Working on $DIR"
|
||||
for FILE in $DIR/$FILENAME; do
|
||||
if [ ! -h "$FILE" -a -f "$FILE" ]; then
|
||||
crit "$FILE present"
|
||||
ERRORS=$((ERRORS+1))
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
if [ $ERRORS = 0 ]; then
|
||||
ok "No $FILENAME present in users files"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
info "If the audit returns something, please check with the user why he has this file"
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
56
bin/hardening/13.19_find_user_forward_files.sh
Executable file
56
bin/hardening/13.19_find_user_forward_files.sh
Executable file
@ -0,0 +1,56 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 13.19 Check for Presence of User .forward Files (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
ERRORS=0
|
||||
FILENAME='.forward'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
|
||||
debug "Working on $DIR"
|
||||
for FILE in $DIR/$FILENAME; do
|
||||
if [ ! -h "$FILE" -a -f "$FILE" ]; then
|
||||
crit "$FILE present"
|
||||
ERRORS=$((ERRORS+1))
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
if [ $ERRORS = 0 ]; then
|
||||
ok "No $FILENAME present in users files"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
info "If the audit returns something, please check with the user why he has this file"
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
59
bin/hardening/13.1_remove_empty_password_field.sh
Executable file
59
bin/hardening/13.1_remove_empty_password_field.sh
Executable file
@ -0,0 +1,59 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 13.1 Ensure Password Fields are Not Empty (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
FILE='/etc/shadow'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Checking if accounts have empty passwords"
|
||||
RESULT=$(cat $FILE | awk -F: '($2 == "" ) { print $1 }')
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
crit "Some accounts have empty passwords"
|
||||
crit $RESULT
|
||||
else
|
||||
ok "All accounts have a password"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
RESULT=$(cat $FILE | awk -F: '($2 == "" ) { print $1 }')
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
warn "Some accounts have empty passwords"
|
||||
for ACCOUNT in $RESULT; do
|
||||
info "Locking $ACCOUNT"
|
||||
passwd -l $ACCOUNT >/dev/null 2>&1
|
||||
done
|
||||
else
|
||||
ok "All accounts have a password"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
66
bin/hardening/13.20_shadow_group_empty.sh
Executable file
66
bin/hardening/13.20_shadow_group_empty.sh
Executable file
@ -0,0 +1,66 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 13.20 Ensure shadow group is empty (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
ERRORS=0
|
||||
FILEGROUP='/etc/group'
|
||||
PATTERN='^shadow:x:[[:digit:]]+:'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
does_pattern_exists_in_file $FILEGROUP $PATTERN
|
||||
if [ $FNRET = 0 ]; then
|
||||
info "shadow group exists"
|
||||
RESULT=$(grep -E "$PATTERN" $FILEGROUP | cut -d: -f4)
|
||||
GROUPID=$(getent group shadow | cut -d: -f3)
|
||||
debug "$RESULT $GROUPID"
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
crit "Some user belong to shadow group : $RESULT"
|
||||
else
|
||||
ok "No one belongs to shadow group"
|
||||
fi
|
||||
|
||||
info "Checking if a user has $GROUPID as primary group"
|
||||
RESULT=$(awk -F: '($4 == shadowid) { print $1 }' shadowid=$GROUPID /etc/passwd)
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
crit "Some user have shadow id to their primary group : $RESULT"
|
||||
else
|
||||
ok "No one have shadow id to their primary group"
|
||||
fi
|
||||
else
|
||||
crit "shadow group doesn't exist"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
info "If the audit returns something, please check with the user why he has this file"
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
60
bin/hardening/13.2_remove_legacy_passwd_entries.sh
Executable file
60
bin/hardening/13.2_remove_legacy_passwd_entries.sh
Executable file
@ -0,0 +1,60 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 13.2 Verify No Legacy "+" Entries Exist in /etc/passwd File (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
FILE='/etc/passwd'
|
||||
RESULT=''
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Checking if accounts have empty passwords"
|
||||
if grep '^+:' $FILE -q; then
|
||||
RESULT=$(grep '^+:' $FILE)
|
||||
crit "Some accounts have legacy password entry"
|
||||
crit $RESULT
|
||||
else
|
||||
ok "All accounts have a valid password entry format"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if grep '^+:' $FILE -q; then
|
||||
RESULT=$(grep '^+:' $FILE)
|
||||
warn "Some accounts have legacy password entry"
|
||||
for LINE in $RESULT; do
|
||||
info "Removing $LINE from $FILE"
|
||||
delete_line_in_file $FILE $LINE
|
||||
done
|
||||
else
|
||||
ok "All accounts have a valid password entry format"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
60
bin/hardening/13.3_remove_legacy_shadow_entries.sh
Executable file
60
bin/hardening/13.3_remove_legacy_shadow_entries.sh
Executable file
@ -0,0 +1,60 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 13.3 Verify No Legacy "+" Entries Exist in /etc/shadow File (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
FILE='/etc/shadow'
|
||||
RESULT=''
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Checking if accounts have empty passwords"
|
||||
if grep '^+:' $FILE -q; then
|
||||
RESULT=$(grep '^+:' $FILE)
|
||||
crit "Some accounts have legacy password entry"
|
||||
crit $RESULT
|
||||
else
|
||||
ok "All accounts have a valid password entry format"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if grep '^+:' $FILE -q; then
|
||||
RESULT=$(grep '^+:' $FILE)
|
||||
warn "Some accounts have legacy password entry"
|
||||
for LINE in $RESULT; do
|
||||
info "Removing $LINE from $FILE"
|
||||
delete_line_in_file $FILE $LINE
|
||||
done
|
||||
else
|
||||
ok "All accounts have a valid password entry format"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
60
bin/hardening/13.4_remove_legacy_group_entries.sh
Executable file
60
bin/hardening/13.4_remove_legacy_group_entries.sh
Executable file
@ -0,0 +1,60 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 13.4 Verify No Legacy "+" Entries Exist in /etc/group File (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
FILE='/etc/group'
|
||||
RESULT=''
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Checking if accounts have empty passwords"
|
||||
if grep '^+:' $FILE -q; then
|
||||
RESULT=$(grep '^+:' $FILE)
|
||||
crit "Some accounts have legacy password entry"
|
||||
crit $RESULT
|
||||
else
|
||||
ok "All accounts have a valid password entry format"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if grep '^+:' $FILE -q; then
|
||||
RESULT=$(grep '^+:' $FILE)
|
||||
warn "Some accounts have legacy password entry"
|
||||
for LINE in $RESULT; do
|
||||
info "Removing $LINE from $FILE"
|
||||
delete_line_in_file $FILE $LINE
|
||||
done
|
||||
else
|
||||
ok "All accounts have a valid password entry format"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
64
bin/hardening/13.5_find_0_uid_non_root_account.sh
Executable file
64
bin/hardening/13.5_find_0_uid_non_root_account.sh
Executable file
@ -0,0 +1,64 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 13.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
FILE='/etc/passwd'
|
||||
RESULT=''
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Checking if accounts have uid 0"
|
||||
RESULT=$(cat $FILE | awk -F: '($3 == 0 && $1!="root" ) { print $1 }')
|
||||
for ACCOUNT in $RESULT; do
|
||||
debug "Account : $ACCOUNT"
|
||||
debug "Exceptions : $EXCEPTIONS"
|
||||
debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
|
||||
if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then
|
||||
debug "$ACCOUNT is confirmed as an exception"
|
||||
RESULT=$(sed "s!$ACCOUNT!!" <<< "$RESULT")
|
||||
else
|
||||
debug "$ACCOUNT not found in exceptions"
|
||||
fi
|
||||
done
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
crit "Some accounts have uid 0"
|
||||
crit $RESULT
|
||||
else
|
||||
ok "No account with suid 0 apart root"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
info "Removing accounts with uid 0 may seriously harm your system, report only here"
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
if [ -z "$EXCEPTIONS" ]; then
|
||||
EXCEPTIONS="@"
|
||||
fi
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
83
bin/hardening/13.6_sanitize_root_path.sh
Executable file
83
bin/hardening/13.6_sanitize_root_path.sh
Executable file
@ -0,0 +1,83 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 13.6 Ensure root PATH Integrity (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
ERRORS=0
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
if [ "`echo $PATH | grep :: `" != "" ]; then
|
||||
crit "Empty Directory in PATH (::)"
|
||||
ERRORS=$((ERRORS+1))
|
||||
fi
|
||||
if [ "`echo $PATH | grep :$`" != "" ]; then
|
||||
crit "Trailing : in PATH $PATH"
|
||||
ERRORS=$((ERRORS+1))
|
||||
fi
|
||||
FORMATTED_PATH=$(echo $PATH | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g')
|
||||
set -- $FORMATTED_PATH
|
||||
while [ "${1:-}" != "" ]; do
|
||||
if [ "$1" = "." ]; then
|
||||
crit "PATH contains ."
|
||||
ERRORS=$((ERRORS+1))
|
||||
else
|
||||
if [ -d $1 ]; then
|
||||
dirperm=$(ls -ldH $1 | cut -f1 -d" ")
|
||||
if [ $(echo $dirperm | cut -c6 ) != "-" ]; then
|
||||
crit "Group Write permission set on directory $1"
|
||||
ERRORS=$((ERRORS+1))
|
||||
fi
|
||||
if [ $(echo $dirperm | cut -c9 ) != "-" ]; then
|
||||
crit "Other Write permission set on directory $1"
|
||||
ERRORS=$((ERRORS+1))
|
||||
fi
|
||||
dirown=$(ls -ldH $1 | awk '{print $3}')
|
||||
if [ "$dirown" != "root" ] ; then
|
||||
crit "$1 is not owned by root"
|
||||
ERRORS=$((ERRORS+1))
|
||||
fi
|
||||
else
|
||||
crit "$1 is not a directory"
|
||||
ERRORS=$((ERRORS+1))
|
||||
fi
|
||||
fi
|
||||
shift
|
||||
done
|
||||
|
||||
if [ $ERRORS = 0 ]; then
|
||||
ok "root PATH is secure"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
info "Editing items from PATH may seriously harm your system, report only here"
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
108
bin/hardening/13.7_check_user_dir_perm.sh
Executable file
108
bin/hardening/13.7_check_user_dir_perm.sh
Executable file
@ -0,0 +1,108 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 13.7 Check Permissions on User Home Directories (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
ERRORS=0
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
for dir in $(cat /etc/passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
|
||||
debug "Working on $dir"
|
||||
debug "Exceptions : $EXCEPTIONS"
|
||||
debug "echo \"$EXCEPTIONS\" | grep -q $dir"
|
||||
if echo "$EXCEPTIONS" | grep -q $dir; then
|
||||
debug "$dir is confirmed as an exception"
|
||||
RESULT=$(sed "s!$dir!!" <<< "$RESULT")
|
||||
else
|
||||
debug "$dir not found in exceptions"
|
||||
fi
|
||||
if [ -d $dir ]; then
|
||||
dirperm=$(/bin/ls -ld $dir | cut -f1 -d" ")
|
||||
if [ $(echo $dirperm | cut -c6 ) != "-" ]; then
|
||||
crit "Group Write permission set on directory $dir"
|
||||
ERRORS=$((ERRORS+1))
|
||||
fi
|
||||
if [ $(echo $dirperm | cut -c8 ) != "-" ]; then
|
||||
crit "Other Read permission set on directory $dir"
|
||||
ERRORS=$((ERRORS+1))
|
||||
fi
|
||||
if [ $(echo $dirperm | cut -c9 ) != "-" ]; then
|
||||
crit "Other Write permission set on directory $dir"
|
||||
ERRORS=$((ERRORS+1))
|
||||
fi
|
||||
if [ $(echo $dirperm | cut -c10 ) != "-" ]; then
|
||||
crit "Other Execute permission set on directory $dir"
|
||||
ERRORS=$((ERRORS+1))
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
if [ $ERRORS = 0 ]; then
|
||||
ok "No incorrect permissions on home directories"
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
for dir in $(cat /etc/passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
|
||||
debug "Working on $dir"
|
||||
debug "Exceptions : $EXCEPTIONS"
|
||||
debug "echo \"$EXCEPTIONS\" | grep -q $dir"
|
||||
if echo "$EXCEPTIONS" | grep -q $dir; then
|
||||
debug "$dir is confirmed as an exception"
|
||||
RESULT=$(sed "s!$dir!!" <<< "$RESULT")
|
||||
else
|
||||
debug "$dir not found in exceptions"
|
||||
fi
|
||||
if [ -d $dir ]; then
|
||||
dirperm=$(/bin/ls -ld $dir | cut -f1 -d" ")
|
||||
if [ $(echo $dirperm | cut -c6 ) != "-" ]; then
|
||||
warn "Group Write permission set on directory $dir"
|
||||
chmod g-w $dir
|
||||
fi
|
||||
if [ $(echo $dirperm | cut -c8 ) != "-" ]; then
|
||||
warn "Other Read permission set on directory $dir"
|
||||
chmod o-r $dir
|
||||
fi
|
||||
if [ $(echo $dirperm | cut -c9 ) != "-" ]; then
|
||||
warn "Other Write permission set on directory $dir"
|
||||
chmod o-w $dir
|
||||
fi
|
||||
if [ $(echo $dirperm | cut -c10 ) != "-" ]; then
|
||||
warn "Other Execute permission set on directory $dir"
|
||||
chmod o-x $dir
|
||||
fi
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
if [ -z "$EXCEPTIONS" ]; then
|
||||
EXCEPTIONS="@"
|
||||
fi
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
76
bin/hardening/13.8_check_user_dot_file_perm.sh
Executable file
76
bin/hardening/13.8_check_user_dot_file_perm.sh
Executable file
@ -0,0 +1,76 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 13.8 Check User Dot File Permissions (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
ERRORS=0
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
|
||||
debug "Working on $DIR"
|
||||
for FILE in $DIR/.[A-Za-z0-9]*; do
|
||||
if [ ! -h "$FILE" -a -f "$FILE" ]; then
|
||||
FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")
|
||||
if [ $(echo $FILEPERM | cut -c6) != "-" ]; then
|
||||
crit "Group Write permission set on FILE $FILE"
|
||||
ERRORS=$((ERRORS+1))
|
||||
fi
|
||||
if [ $(echo $FILEPERM | cut -c9) != "-" ]; then
|
||||
crit "Other Write permission set on FILE $FILE"
|
||||
ERRORS=$((ERRORS+1))
|
||||
fi
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
if [ $ERRORS = 0 ]; then
|
||||
ok "Dot file permission in users directories are correct"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
|
||||
for FILE in $DIR/.[A-Za-z0-9]*; do
|
||||
if [ ! -h "$FILE" -a -f "$FILE" ]; then
|
||||
FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")
|
||||
if [ $(echo $FILEPERM | cut -c6) != "-" ]; then
|
||||
warn "Group Write permission set on FILE $FILE"
|
||||
chmod g-w $FILE
|
||||
fi
|
||||
if [ $(echo $FILEPERM | cut -c9) != "-" ]; then
|
||||
warn "Other Write permission set on FILE $FILE"
|
||||
chmod o-w $FILE
|
||||
fi
|
||||
fi
|
||||
done
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
75
bin/hardening/13.9_set_perm_on_user_netrc.sh
Executable file
75
bin/hardening/13.9_set_perm_on_user_netrc.sh
Executable file
@ -0,0 +1,75 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 13.9 Check Permissions on User .netrc Files (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
PERMISSIONS="600"
|
||||
ERRORS=0
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
|
||||
debug "Working on $DIR"
|
||||
for FILE in $DIR/.netrc; do
|
||||
if [ ! -h "$FILE" -a -f "$FILE" ]; then
|
||||
has_file_correct_permissions $FILE $PERMISSIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
crit "$FILE has not $PERMISSIONS permissions set"
|
||||
ERRORS=$((ERRORS+1))
|
||||
fi
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
if [ $ERRORS = 0 ]; then
|
||||
ok "permission $PERMISSIONS set on .netrc users files"
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
|
||||
debug "Working on $DIR"
|
||||
for FILE in $DIR/.netrc; do
|
||||
if [ ! -h "$FILE" -a -f "$FILE" ]; then
|
||||
has_file_correct_permissions $FILE $PERMISSIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
warn "$FILE has not $PERMISSIONS permissions set"
|
||||
chmod 600 $FILE
|
||||
fi
|
||||
fi
|
||||
done
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
80
bin/hardening/2.10_home_nodev.sh
Executable file
80
bin/hardening/2.10_home_nodev.sh
Executable file
@ -0,0 +1,80 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.10 Add nodev Option to /home (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
PARTITION="/home"
|
||||
OPTION="nodev"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
crit "$PARTITION is not a partition"
|
||||
FNRET=2
|
||||
else
|
||||
ok "$PARTITION is a partition"
|
||||
has_mount_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
crit "$PARTITION have no option $OPTION in fstab !"
|
||||
FNRET=1
|
||||
else
|
||||
ok "$PARTITION have $OPTION in fstab"
|
||||
has_mounted_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||
FNRET=3
|
||||
else
|
||||
ok "$PARTITION mounted with $OPTION"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
info "Adding $OPTION to fstab"
|
||||
add_option_to_fstab $PARTITION $OPTION
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
elif [ $FNRET = 3 ]; then
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
# No param for this script
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
68
bin/hardening/2.11_removable_device_nodev.sh
Executable file
68
bin/hardening/2.11_removable_device_nodev.sh
Executable file
@ -0,0 +1,68 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.11 Add nodev Option to Removable Media Partitions (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
PARTITION="/media\S*"
|
||||
OPTION="nodev"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Verifying if there is $PARTITION like partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
ok "There is no partition like $PARTITION"
|
||||
FNRET=0
|
||||
else
|
||||
info "detected $PARTITION like"
|
||||
has_mount_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
crit "$PARTITION have no option $OPTION in fstab !"
|
||||
FNRET=1
|
||||
else
|
||||
ok "$PARTITION have $OPTION in fstab"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
info "Adding $OPTION to fstab"
|
||||
add_option_to_fstab $PARTITION $OPTION
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
# No param for this script
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
68
bin/hardening/2.12_removable_device_noexec.sh
Executable file
68
bin/hardening/2.12_removable_device_noexec.sh
Executable file
@ -0,0 +1,68 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.12 Add noexec Option to Removable Media Partitions (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
PARTITION="/media\S*"
|
||||
OPTION="noexec"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Verifying if there is $PARTITION like partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
ok "There is no partition like $PARTITION"
|
||||
FNRET=0
|
||||
else
|
||||
info "detected $PARTITION like"
|
||||
has_mount_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
crit "$PARTITION have no option $OPTION in fstab !"
|
||||
FNRET=1
|
||||
else
|
||||
ok "$PARTITION have $OPTION in fstab"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
info "Adding $OPTION to fstab"
|
||||
add_option_to_fstab $PARTITION $OPTION
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
# No param for this script
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
68
bin/hardening/2.13_removable_device_nosuid.sh
Executable file
68
bin/hardening/2.13_removable_device_nosuid.sh
Executable file
@ -0,0 +1,68 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.13 Add nosuid Option to Removable Media Partitions (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
PARTITION="/media\S*"
|
||||
OPTION="nosuid"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Verifying if there is $PARTITION like partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
ok "There is no partition like $PARTITION"
|
||||
FNRET=0
|
||||
else
|
||||
info "detected $PARTITION like"
|
||||
has_mount_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
crit "$PARTITION have no option $OPTION in fstab !"
|
||||
FNRET=1
|
||||
else
|
||||
ok "$PARTITION have $OPTION in fstab"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
info "Adding $OPTION to fstab"
|
||||
add_option_to_fstab $PARTITION $OPTION
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
# No param for this script
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
80
bin/hardening/2.14_run_shm_nodev.sh
Executable file
80
bin/hardening/2.14_run_shm_nodev.sh
Executable file
@ -0,0 +1,80 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.14 Add nodev Option to /run/shm Partition (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
PARTITION="/run/shm"
|
||||
OPTION="nodev"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
crit "$PARTITION is not a partition"
|
||||
FNRET=2
|
||||
else
|
||||
ok "$PARTITION is a partition"
|
||||
has_mount_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
crit "$PARTITION have no option $OPTION in fstab !"
|
||||
FNRET=1
|
||||
else
|
||||
ok "$PARTITION have $OPTION in fstab"
|
||||
has_mounted_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||
FNRET=3
|
||||
else
|
||||
ok "$PARTITION mounted with $OPTION"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
info "Adding $OPTION to fstab"
|
||||
add_option_to_fstab $PARTITION $OPTION
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
elif [ $FNRET = 3 ]; then
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
# No param for this script
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
80
bin/hardening/2.15_run_shm_nosuid.sh
Executable file
80
bin/hardening/2.15_run_shm_nosuid.sh
Executable file
@ -0,0 +1,80 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.15 Add nosuid Option to /run/shm Partition (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
PARTITION="/run/shm"
|
||||
OPTION="nosuid"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
crit "$PARTITION is not a partition"
|
||||
FNRET=2
|
||||
else
|
||||
ok "$PARTITION is a partition"
|
||||
has_mount_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
crit "$PARTITION have no option $OPTION in fstab !"
|
||||
FNRET=1
|
||||
else
|
||||
ok "$PARTITION have $OPTION in fstab"
|
||||
has_mounted_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||
FNRET=3
|
||||
else
|
||||
ok "$PARTITION mounted with $OPTION"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
info "Adding $OPTION to fstab"
|
||||
add_option_to_fstab $PARTITION $OPTION
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
elif [ $FNRET = 3 ]; then
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
# No param for this script
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
80
bin/hardening/2.16_run_shm_noexec.sh
Executable file
80
bin/hardening/2.16_run_shm_noexec.sh
Executable file
@ -0,0 +1,80 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.16 Add noexec Option to /run/shm Partition (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
PARTITION="/run/shm"
|
||||
OPTION="noexec"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
crit "$PARTITION is not a partition"
|
||||
FNRET=2
|
||||
else
|
||||
ok "$PARTITION is a partition"
|
||||
has_mount_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
crit "$PARTITION have no option $OPTION in fstab !"
|
||||
FNRET=1
|
||||
else
|
||||
ok "$PARTITION have $OPTION in fstab"
|
||||
has_mounted_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||
FNRET=3
|
||||
else
|
||||
ok "$PARTITION mounted with $OPTION"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
info "Adding $OPTION to fstab"
|
||||
add_option_to_fstab $PARTITION $OPTION
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
elif [ $FNRET = 3 ]; then
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
# No param for this script
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
55
bin/hardening/2.17_sticky_bit_world_writable_folder.sh
Executable file
55
bin/hardening/2.17_sticky_bit_world_writable_folder.sh
Executable file
@ -0,0 +1,55 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.17 Set Sticky Bit on All World-Writable Directories (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Checking if setuid is set on world writable Directories"
|
||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
crit "Some world writable directories are not on sticky bit mode !"
|
||||
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
|
||||
crit "$FORMATTED_RESULT"
|
||||
else
|
||||
ok "All world writable directories have a sticky bit"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
|
||||
else
|
||||
ok "All world writable directories have a sticky bit, nothing to apply"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
# No param for this function
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
57
bin/hardening/2.18_disable_cramfs.sh
Executable file
57
bin/hardening/2.18_disable_cramfs.sh
Executable file
@ -0,0 +1,57 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.18 Disable Mounting of cramfs Filesystems (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
|
||||
KERNEL_OPTION="cramfs"
|
||||
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
is_kernel_option_enabled $KERNEL_OPTION
|
||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$KERNEL_OPTION is enabled !"
|
||||
else
|
||||
ok "$KERNEL_OPTION is disabled"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
is_kernel_option_enabled $KERNEL_OPTION
|
||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
||||
else
|
||||
ok "$KERNEL_OPTION is disabled, nothing to do"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
57
bin/hardening/2.19_disable_freevxfs.sh
Executable file
57
bin/hardening/2.19_disable_freevxfs.sh
Executable file
@ -0,0 +1,57 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.19 Disable Mounting of freevxfs Filesystems (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
|
||||
KERNEL_OPTION="freevxfs"
|
||||
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
is_kernel_option_enabled $KERNEL_OPTION
|
||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$KERNEL_OPTION is enabled !"
|
||||
else
|
||||
ok "$KERNEL_OPTION is disabled"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
is_kernel_option_enabled $KERNEL_OPTION
|
||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
||||
else
|
||||
ok "$KERNEL_OPTION is disabled, nothing to do"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
69
bin/hardening/2.1_tmp_partition.sh
Executable file
69
bin/hardening/2.1_tmp_partition.sh
Executable file
@ -0,0 +1,69 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.1 Create Separate Partition for /tmp (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
PARTITION="/tmp"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
crit "$PARTITION is not a partition"
|
||||
FNRET=2
|
||||
else
|
||||
ok "$PARTITION is a partition"
|
||||
is_mounted "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
warn "$PARTITION is not mounted"
|
||||
FNRET=1
|
||||
else
|
||||
ok "$PARTITION is mounted"
|
||||
fi
|
||||
fi
|
||||
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||
else
|
||||
info "mounting $PARTITION"
|
||||
mount $PARTITION
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
# No parameter for this script
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
57
bin/hardening/2.20_disable_jffs2.sh
Executable file
57
bin/hardening/2.20_disable_jffs2.sh
Executable file
@ -0,0 +1,57 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.20 Disable Mounting of jffs2 Filesystems (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
|
||||
KERNEL_OPTION="jffs2"
|
||||
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
is_kernel_option_enabled $KERNEL_OPTION
|
||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$KERNEL_OPTION is enabled !"
|
||||
else
|
||||
ok "$KERNEL_OPTION is disabled"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
is_kernel_option_enabled $KERNEL_OPTION
|
||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
||||
else
|
||||
ok "$KERNEL_OPTION is disabled, nothing to do"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
57
bin/hardening/2.21_disable_hfs.sh
Executable file
57
bin/hardening/2.21_disable_hfs.sh
Executable file
@ -0,0 +1,57 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.21 Disable Mounting of hfs Filesystems (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
|
||||
KERNEL_OPTION="hfs"
|
||||
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
is_kernel_option_enabled $KERNEL_OPTION
|
||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$KERNEL_OPTION is enabled !"
|
||||
else
|
||||
ok "$KERNEL_OPTION is disabled"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
is_kernel_option_enabled $KERNEL_OPTION
|
||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
||||
else
|
||||
ok "$KERNEL_OPTION is disabled, nothing to do"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
57
bin/hardening/2.22_disable_hfsplus.sh
Executable file
57
bin/hardening/2.22_disable_hfsplus.sh
Executable file
@ -0,0 +1,57 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.22 Disable Mounting of hfsplus Filesystems (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
|
||||
KERNEL_OPTION="hfsplus"
|
||||
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
is_kernel_option_enabled $KERNEL_OPTION
|
||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$KERNEL_OPTION is enabled !"
|
||||
else
|
||||
ok "$KERNEL_OPTION is disabled"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
is_kernel_option_enabled $KERNEL_OPTION
|
||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
||||
else
|
||||
ok "$KERNEL_OPTION is disabled, nothing to do"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
57
bin/hardening/2.23_disable_squashfs.sh
Executable file
57
bin/hardening/2.23_disable_squashfs.sh
Executable file
@ -0,0 +1,57 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.23 Disable Mounting of squashfs Filesystems (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
|
||||
KERNEL_OPTION="squashfs"
|
||||
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
is_kernel_option_enabled $KERNEL_OPTION
|
||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$KERNEL_OPTION is enabled !"
|
||||
else
|
||||
ok "$KERNEL_OPTION is disabled"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
is_kernel_option_enabled $KERNEL_OPTION
|
||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
||||
else
|
||||
ok "$KERNEL_OPTION is disabled, nothing to do"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
57
bin/hardening/2.24_disable_udf.sh
Executable file
57
bin/hardening/2.24_disable_udf.sh
Executable file
@ -0,0 +1,57 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.24 Disable Mounting of udf Filesystems (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
|
||||
KERNEL_OPTION="udf"
|
||||
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
is_kernel_option_enabled $KERNEL_OPTION
|
||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$KERNEL_OPTION is enabled !"
|
||||
else
|
||||
ok "$KERNEL_OPTION is disabled"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
is_kernel_option_enabled $KERNEL_OPTION
|
||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
||||
else
|
||||
ok "$KERNEL_OPTION is disabled, nothing to do"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
56
bin/hardening/2.25_disable_automounting.sh
Executable file
56
bin/hardening/2.25_disable_automounting.sh
Executable file
@ -0,0 +1,56 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.25 Disable Automounting (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
SERVICE_NAME="autofs"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Checking if $SERVICE_NAME is enabled"
|
||||
is_service_enabled $SERVICE_NAME
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$SERVICE_NAME is enabled"
|
||||
else
|
||||
ok "$SERVICE_NAME is disabled"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
info "Checking if $SERVICE_NAME is enabled"
|
||||
is_service_enabled $SERVICE_NAME
|
||||
if [ $FNRET = 0 ]; then
|
||||
info "Disabling $SERVICE_NAME"
|
||||
update-rc.d $SERVICE_NAME remove > /dev/null 2>&1
|
||||
else
|
||||
ok "$SERVICE_NAME is disabled"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
80
bin/hardening/2.2_tmp_nodev.sh
Executable file
80
bin/hardening/2.2_tmp_nodev.sh
Executable file
@ -0,0 +1,80 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.2 Set nodev option for /tmp Partition (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
PARTITION="/tmp"
|
||||
OPTION="nodev"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
crit "$PARTITION is not a partition"
|
||||
FNRET=2
|
||||
else
|
||||
ok "$PARTITION is a partition"
|
||||
has_mount_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
crit "$PARTITION have no option $OPTION in fstab !"
|
||||
FNRET=1
|
||||
else
|
||||
ok "$PARTITION have $OPTION in fstab"
|
||||
has_mounted_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||
FNRET=3
|
||||
else
|
||||
ok "$PARTITION mounted with $OPTION"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
info "Adding $OPTION to fstab"
|
||||
add_option_to_fstab $PARTITION $OPTION
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
elif [ $FNRET = 3 ]; then
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
# No param for this script
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
80
bin/hardening/2.3_tmp_nosuid.sh
Executable file
80
bin/hardening/2.3_tmp_nosuid.sh
Executable file
@ -0,0 +1,80 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.3 Set nosuid option for /tmp Partition (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
PARTITION="/tmp"
|
||||
OPTION="nosuid"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
crit "$PARTITION is not a partition"
|
||||
FNRET=2
|
||||
else
|
||||
ok "$PARTITION is a partition"
|
||||
has_mount_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
crit "$PARTITION have no option $OPTION in fstab !"
|
||||
FNRET=1
|
||||
else
|
||||
ok "$PARTITION have $OPTION in fstab"
|
||||
has_mounted_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||
FNRET=3
|
||||
else
|
||||
ok "$PARTITION mounted with $OPTION"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
info "Adding $OPTION to fstab"
|
||||
add_option_to_fstab $PARTITION $OPTION
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
elif [ $FNRET = 3 ]; then
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
# No param for this script
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
80
bin/hardening/2.4_tmp_noexec.sh
Executable file
80
bin/hardening/2.4_tmp_noexec.sh
Executable file
@ -0,0 +1,80 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.4 Set noexec option for /tmp Partition (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
PARTITION="/tmp"
|
||||
OPTION="noexec"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
crit "$PARTITION is not a partition"
|
||||
FNRET=2
|
||||
else
|
||||
ok "$PARTITION is a partition"
|
||||
has_mount_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
crit "$PARTITION have no option $OPTION in fstab !"
|
||||
FNRET=1
|
||||
else
|
||||
ok "$PARTITION have $OPTION in fstab"
|
||||
has_mounted_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||
FNRET=3
|
||||
else
|
||||
ok "$PARTITION mounted with $OPTION"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
info "Adding $OPTION to fstab"
|
||||
add_option_to_fstab $PARTITION $OPTION
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
elif [ $FNRET = 3 ]; then
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
# No param for this script
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
69
bin/hardening/2.5_var_partition.sh
Executable file
69
bin/hardening/2.5_var_partition.sh
Executable file
@ -0,0 +1,69 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.5 Create Separate Partition for /var (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
PARTITION="/var"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
crit "$PARTITION is not a partition"
|
||||
FNRET=2
|
||||
else
|
||||
ok "$PARTITION is a partition"
|
||||
is_mounted "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
warn "$PARTITION is not mounted"
|
||||
FNRET=1
|
||||
else
|
||||
ok "$PARTITION is mounted"
|
||||
fi
|
||||
fi
|
||||
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||
else
|
||||
info "mounting $PARTITION"
|
||||
mount $PARTITION
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
# No parameter for this script
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
69
bin/hardening/2.6.1_var_tmp_partition.sh
Executable file
69
bin/hardening/2.6.1_var_tmp_partition.sh
Executable file
@ -0,0 +1,69 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.6.1 Create Separate Partition for /var/tmp (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
PARTITION="/var/tmp"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
crit "$PARTITION is not a partition"
|
||||
FNRET=2
|
||||
else
|
||||
ok "$PARTITION is a partition"
|
||||
is_mounted "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
warn "$PARTITION is not mounted"
|
||||
FNRET=1
|
||||
else
|
||||
ok "$PARTITION is mounted"
|
||||
fi
|
||||
fi
|
||||
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||
else
|
||||
info "mounting $PARTITION"
|
||||
mount $PARTITION
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
# No parameter for this script
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
80
bin/hardening/2.6.2_var_tmp_nodev.sh
Executable file
80
bin/hardening/2.6.2_var_tmp_nodev.sh
Executable file
@ -0,0 +1,80 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.6.2 Set nodev option for /var/tmp Partition (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
PARTITION="/var/tmp"
|
||||
OPTION="nodev"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
crit "$PARTITION is not a partition"
|
||||
FNRET=2
|
||||
else
|
||||
ok "$PARTITION is a partition"
|
||||
has_mount_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
crit "$PARTITION have no option $OPTION in fstab !"
|
||||
FNRET=1
|
||||
else
|
||||
ok "$PARTITION have $OPTION in fstab"
|
||||
has_mounted_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||
FNRET=3
|
||||
else
|
||||
ok "$PARTITION mounted with $OPTION"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
info "Adding $OPTION to fstab"
|
||||
add_option_to_fstab $PARTITION $OPTION
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
elif [ $FNRET = 3 ]; then
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
# No param for this script
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
80
bin/hardening/2.6.3_var_tmp_nosuid.sh
Executable file
80
bin/hardening/2.6.3_var_tmp_nosuid.sh
Executable file
@ -0,0 +1,80 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.6.3 Set nosuid option for /var/tmp Partition (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
PARTITION="/var/tmp"
|
||||
OPTION="nosuid"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
crit "$PARTITION is not a partition"
|
||||
FNRET=2
|
||||
else
|
||||
ok "$PARTITION is a partition"
|
||||
has_mount_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
crit "$PARTITION have no option $OPTION in fstab !"
|
||||
FNRET=1
|
||||
else
|
||||
ok "$PARTITION have $OPTION in fstab"
|
||||
has_mounted_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||
FNRET=3
|
||||
else
|
||||
ok "$PARTITION mounted with $OPTION"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
info "Adding $OPTION to fstab"
|
||||
add_option_to_fstab $PARTITION $OPTION
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
elif [ $FNRET = 3 ]; then
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
# No param for this script
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
80
bin/hardening/2.6.4_var_tmp_noexec.sh
Executable file
80
bin/hardening/2.6.4_var_tmp_noexec.sh
Executable file
@ -0,0 +1,80 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.6.4 Set noexec option for /var/tmp Partition (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
PARTITION="/var/tmp"
|
||||
OPTION="noexec"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
crit "$PARTITION is not a partition"
|
||||
FNRET=2
|
||||
else
|
||||
ok "$PARTITION is a partition"
|
||||
has_mount_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
crit "$PARTITION have no option $OPTION in fstab !"
|
||||
FNRET=1
|
||||
else
|
||||
ok "$PARTITION have $OPTION in fstab"
|
||||
has_mounted_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||
FNRET=3
|
||||
else
|
||||
ok "$PARTITION mounted with $OPTION"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
info "Adding $OPTION to fstab"
|
||||
add_option_to_fstab $PARTITION $OPTION
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
elif [ $FNRET = 3 ]; then
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
# No param for this script
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
69
bin/hardening/2.7_var_log_partition.sh
Executable file
69
bin/hardening/2.7_var_log_partition.sh
Executable file
@ -0,0 +1,69 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.7 Create Separate Partition for /var/log (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
PARTITION="/var/log"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
crit "$PARTITION is not a partition"
|
||||
FNRET=2
|
||||
else
|
||||
ok "$PARTITION is a partition"
|
||||
is_mounted "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
warn "$PARTITION is not mounted"
|
||||
FNRET=1
|
||||
else
|
||||
ok "$PARTITION is mounted"
|
||||
fi
|
||||
fi
|
||||
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||
else
|
||||
info "mounting $PARTITION"
|
||||
mount $PARTITION
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
# No parameter for this script
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
69
bin/hardening/2.8_var_log_audit_partition.sh
Executable file
69
bin/hardening/2.8_var_log_audit_partition.sh
Executable file
@ -0,0 +1,69 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.8 Create Separate Partition for /var/log/audit (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
PARTITION="/var/log/audit"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
crit "$PARTITION is not a partition"
|
||||
FNRET=2
|
||||
else
|
||||
ok "$PARTITION is a partition"
|
||||
is_mounted "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
warn "$PARTITION is not mounted"
|
||||
FNRET=1
|
||||
else
|
||||
ok "$PARTITION is mounted"
|
||||
fi
|
||||
fi
|
||||
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||
else
|
||||
info "mounting $PARTITION"
|
||||
mount $PARTITION
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
# No parameter for this script
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
69
bin/hardening/2.9_home_partition.sh
Executable file
69
bin/hardening/2.9_home_partition.sh
Executable file
@ -0,0 +1,69 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.9 Create Separate Partition for /home (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
PARTITION="/home"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
crit "$PARTITION is not a partition"
|
||||
FNRET=2
|
||||
else
|
||||
ok "$PARTITION is a partition"
|
||||
is_mounted "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
warn "$PARTITION is not mounted"
|
||||
FNRET=1
|
||||
else
|
||||
ok "$PARTITION is mounted"
|
||||
fi
|
||||
fi
|
||||
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||
else
|
||||
info "mounting $PARTITION"
|
||||
mount $PARTITION
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
# No parameter for this script
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
78
bin/hardening/3.1_bootloader_ownership.sh
Executable file
78
bin/hardening/3.1_bootloader_ownership.sh
Executable file
@ -0,0 +1,78 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 3.1 Set User/Group Owner on bootloader config (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Assertion : Grub Based.
|
||||
|
||||
FILE='/boot/grub/grub.cfg'
|
||||
USER='root'
|
||||
GROUP='root'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
has_file_correct_ownership $FILE $USER $GROUP
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
crit "$FILE is not $USER:$GROUP ownership set"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
has_file_correct_ownership $FILE $USER $GROUP
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
info "fixing $FILE ownership to $USER:$GROUP"
|
||||
chown $USER:$GROUP $FILE
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
|
||||
is_pkg_installed "grub-pc"
|
||||
if [ $FNRET != 0 ]; then
|
||||
warn "Grub is not installed, not handling configuration"
|
||||
exit 128
|
||||
fi
|
||||
does_user_exist $USER
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$USER does not exist"
|
||||
exit 128
|
||||
fi
|
||||
does_group_exist $GROUP
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$GROUP does not exist"
|
||||
exit 128
|
||||
fi
|
||||
does_file_exist $FILE
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
exit 128
|
||||
fi
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
65
bin/hardening/3.2_bootloader_permissions.sh
Executable file
65
bin/hardening/3.2_bootloader_permissions.sh
Executable file
@ -0,0 +1,65 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 3.2 Set Permissions on bootloader config (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Assertion : Grub Based.
|
||||
|
||||
FILE='/boot/grub/grub.cfg'
|
||||
PERMISSIONS='400'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
has_file_correct_permissions $FILE $PERMISSIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
crit "$FILE has not $PERMISSIONS permissions set"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
has_file_correct_permissions $FILE $PERMISSIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0$PERMISSIONS $FILE
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
is_pkg_installed "grub-pc"
|
||||
if [ $FNRET != 0 ]; then
|
||||
warn "grub-pc is not installed, not handling configuration"
|
||||
exit 128
|
||||
fi
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
exit 128
|
||||
fi
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
76
bin/hardening/3.3_bootloader_password.sh
Executable file
76
bin/hardening/3.3_bootloader_password.sh
Executable file
@ -0,0 +1,76 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 3.3 Set Boot Loader Password (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
FILE='/boot/grub/grub.cfg'
|
||||
USER_PATTERN="^set superusers"
|
||||
PWD_PATTERN="^password_pbkdf2"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
does_pattern_exists_in_file $FILE "$USER_PATTERN"
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$USER_PATTERN not present in $FILE"
|
||||
else
|
||||
ok "$USER_PATTERN is present in $FILE"
|
||||
fi
|
||||
does_pattern_exists_in_file $FILE "$PWD_PATTERN"
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$PWD_PATTERN not present in $FILE"
|
||||
else
|
||||
ok "$PWD_PATTERN is present in $FILE"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
does_pattern_exists_in_file $FILE "$USER_PATTERN"
|
||||
if [ $FNRET != 0 ]; then
|
||||
warn "$USER_PATTERN not present in $FILE, please configure password for grub"
|
||||
else
|
||||
ok "$USER_PATTERN is present in $FILE"
|
||||
fi
|
||||
does_pattern_exists_in_file $FILE "$PWD_PATTERN"
|
||||
if [ $FNRET != 0 ]; then
|
||||
warn "$PWD_PATTERN not present in $FILE, please configure password for grub"
|
||||
else
|
||||
ok "$PWD_PATTERN is present in $FILE"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
is_pkg_installed "grub-pc"
|
||||
if [ $FNRET != 0 ]; then
|
||||
warn "grub-pc is not installed, not handling configuration"
|
||||
exit 128
|
||||
fi
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
exit 128
|
||||
fi
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
55
bin/hardening/3.4_root_password.sh
Executable file
55
bin/hardening/3.4_root_password.sh
Executable file
@ -0,0 +1,55 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 3.4 Require Authentication for Single-User Mode (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
FILE="/etc/shadow"
|
||||
PATTERN="^root:[*\!]:"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
does_pattern_exists_in_file $FILE $PATTERN
|
||||
if [ $FNRET != 1 ]; then
|
||||
crit "$PATTERN present in $FILE"
|
||||
else
|
||||
ok "$PATTERN not present in $FILE"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
does_pattern_exists_in_file $FILE $PATTERN
|
||||
if [ $FNRET != 1 ]; then
|
||||
warn "$PATTERN present in $FILE, please put a root password"
|
||||
else
|
||||
ok "$PATTERN not present in $FILE"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
75
bin/hardening/4.1_restrict_core_dumps.sh
Executable file
75
bin/hardening/4.1_restrict_core_dumps.sh
Executable file
@ -0,0 +1,75 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 4.1 Restrict Core Dumps (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
LIMIT_FILE='/etc/security/limits.conf'
|
||||
LIMIT_PATTERN='^\*[[:space:]]*hard[[:space:]]*core[[:space:]]*0$'
|
||||
SYSCTL_PARAM='fs.suid_dumpable'
|
||||
SYSCTL_EXP_RESULT=0
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
does_pattern_exists_in_file $LIMIT_FILE $LIMIT_PATTERN
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$LIMIT_PATTERN not present in $LIMIT_FILE"
|
||||
else
|
||||
ok "$LIMIT_PATTERN present in $LIMIT_FILE"
|
||||
fi
|
||||
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !"
|
||||
elif [ $FNRET = 255 ]; then
|
||||
warn "$SYSCTL_PARAM does not exist, typo ?"
|
||||
else
|
||||
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
does_pattern_exists_in_file $LIMIT_FILE $LIMIT_PATTERN
|
||||
if [ $FNRET != 0 ]; then
|
||||
warn "$LIMIT_PATTERN not present in $LIMIT_FILE, addning at the end of $LIMIT_FILE"
|
||||
add_end_of_file $LIMIT_FILE "* hard core 0"
|
||||
else
|
||||
ok "$LIMIT_PATTERN present in $LIMIT_FILE"
|
||||
fi
|
||||
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
|
||||
if [ $FNRET != 0 ]; then
|
||||
warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it"
|
||||
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
elif [ $FNRET = 255 ]; then
|
||||
warn "$SYSCTL_PARAM does not exist, typo ?"
|
||||
else
|
||||
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
53
bin/hardening/4.2_enable_nx_support.sh
Executable file
53
bin/hardening/4.2_enable_nx_support.sh
Executable file
@ -0,0 +1,53 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 4.2 Enable XD/NX Support on 32-bit x86 Systems (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
PATTERN='NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:space:]]active'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
does_pattern_exists_in_dmesg $PATTERN
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$PATTERN not present in dmesg"
|
||||
else
|
||||
ok "$PATTERN present in dmesg"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
does_pattern_exists_in_dmesg $PATTERN
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$PATTERN not present in dmesg, please go to the bios to activate this option or change for CPU compatible"
|
||||
else
|
||||
ok "$PATTERN present in dmesg"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
59
bin/hardening/4.3_enable_randomized_vm_placement.sh
Executable file
59
bin/hardening/4.3_enable_randomized_vm_placement.sh
Executable file
@ -0,0 +1,59 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 4.3 Enable Randomized Virtual Memory Region Placement (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
SYSCTL_PARAM='kernel.randomize_va_space'
|
||||
SYSCTL_EXP_RESULT=2
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !"
|
||||
elif [ $FNRET = 255 ]; then
|
||||
warn "$SYSCTL_PARAM does not exist, typo ?"
|
||||
else
|
||||
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
if [ $FNRET != 0 ]; then
|
||||
warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it"
|
||||
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
elif [ $FNRET = 255 ]; then
|
||||
warn "$SYSCTL_PARAM does not exist, typo ?"
|
||||
else
|
||||
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
58
bin/hardening/4.4_disable_prelink.sh
Executable file
58
bin/hardening/4.4_disable_prelink.sh
Executable file
@ -0,0 +1,58 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 4.4 Disable Prelink (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
PACKAGE='prelink'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PACKAGE is installed !"
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PACKAGE is installed, purging it"
|
||||
/usr/sbin/prelink -ua
|
||||
apt-get purge $PACKAGE -y
|
||||
apt-get autoremove
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
55
bin/hardening/4.5_enable_apparmor.sh
Executable file
55
bin/hardening/4.5_enable_apparmor.sh
Executable file
@ -0,0 +1,55 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 4.5 Activate AppArmor (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
PACKAGE='apparmor'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$PACKAGE is absent !"
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$PACKAGE is not installed, please install $PACKAGE and configure it"
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
56
bin/hardening/5.1.1_disable_nis.sh
Executable file
56
bin/hardening/5.1.1_disable_nis.sh
Executable file
@ -0,0 +1,56 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 5.1.1 Ensure NIS is not installed (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
PACKAGE='nis'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PACKAGE is installed !"
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PACKAGE is installed, purging it"
|
||||
apt-get purge $PACKAGE -y
|
||||
apt-get autoremove
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
88
bin/hardening/5.1.2_disable_rsh.sh
Executable file
88
bin/hardening/5.1.2_disable_rsh.sh
Executable file
@ -0,0 +1,88 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 5.1.2 Ensure rsh server is not enabled (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Based on aptitude search '~Prsh-server'
|
||||
PACKAGES='rsh-server rsh-redone-server heimdal-servers'
|
||||
FILE='/etc/inetd.conf'
|
||||
PATTERN='^(shell|login|exec)'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
warn "$PACKAGE is installed, checking configuration"
|
||||
does_file_exist $FILE
|
||||
if [ $FNRET != 0 ]; then
|
||||
ok "$FILE does not exist"
|
||||
else
|
||||
does_pattern_exists_in_file $FILE $PATTERN
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PATTERN exists, $PACKAGE services are enabled !"
|
||||
else
|
||||
ok "$PATTERN not present in $FILE"
|
||||
fi
|
||||
fi
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PACKAGE is installed, purging it"
|
||||
apt-get purge $PACKAGE -y
|
||||
apt-get autoremove
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
does_file_exist $FILE
|
||||
if [ $FNRET != 0 ]; then
|
||||
ok "$FILE does not exist"
|
||||
else
|
||||
info "$FILE exists, checking patterns"
|
||||
does_pattern_exists_in_file $FILE $PATTERN
|
||||
if [ $FNRET = 0 ]; then
|
||||
warn "$PATTERN present in $FILE, purging it"
|
||||
backup_file $FILE
|
||||
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
|
||||
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
|
||||
else
|
||||
ok "$PATTERN not present in $FILE"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
60
bin/hardening/5.1.3_disable_rsh_client.sh
Executable file
60
bin/hardening/5.1.3_disable_rsh_client.sh
Executable file
@ -0,0 +1,60 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 5.1.3 Ensure rsh client is not installed (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Based on aptitude search '~Prsh-client', exluding ssh-client OFC
|
||||
PACKAGES='rsh-client rsh-redone-client heimdal-clients'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PACKAGE is installed"
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
warn "$PACKAGE is installed, purging"
|
||||
apt-get purge $PACKAGE -y
|
||||
apt-get autoremove
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
87
bin/hardening/5.1.4_disable_talk.sh
Executable file
87
bin/hardening/5.1.4_disable_talk.sh
Executable file
@ -0,0 +1,87 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 5.1.4 Ensure talk server is not enabled (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
PACKAGES='inetutils-talkd talkd'
|
||||
FILE='/etc/inetd.conf'
|
||||
PATTERN='^(talk|ntalk)'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
warn "$PACKAGE is installed, checking configuration"
|
||||
does_file_exist $FILE
|
||||
if [ $FNRET != 0 ]; then
|
||||
ok "$FILE does not exist"
|
||||
else
|
||||
does_pattern_exists_in_file $FILE $PATTERN
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PATTERN exists, $PACKAGE services are enabled !"
|
||||
else
|
||||
ok "$PATTERN not present in $FILE"
|
||||
fi
|
||||
fi
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PACKAGE is installed, purging it"
|
||||
apt-get purge $PACKAGE -y
|
||||
apt-get autoremove
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
does_file_exist $FILE
|
||||
if [ $FNRET != 0 ]; then
|
||||
ok "$FILE does not exist"
|
||||
else
|
||||
info "$FILE exists, checking patterns"
|
||||
does_pattern_exists_in_file $FILE $PATTERN
|
||||
if [ $FNRET = 0 ]; then
|
||||
warn "$PATTERN present in $FILE, purging it"
|
||||
backup_file $FILE
|
||||
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
|
||||
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
|
||||
else
|
||||
ok "$PATTERN not present in $FILE"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
59
bin/hardening/5.1.5_disable_talk_client.sh
Executable file
59
bin/hardening/5.1.5_disable_talk_client.sh
Executable file
@ -0,0 +1,59 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 5.1.5 Ensure talk client is not installed (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
PACKAGES='talk inetutils-talk'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PACKAGE is installed"
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
warn "$PACKAGE is installed, purging"
|
||||
apt-get purge $PACKAGE -y
|
||||
apt-get autoremove
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
88
bin/hardening/5.1.6_disable_telnet_server.sh
Executable file
88
bin/hardening/5.1.6_disable_telnet_server.sh
Executable file
@ -0,0 +1,88 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 5.1.6 Ensure telnet server is not enabled (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Based on aptitude search '~Ptelnet-server'
|
||||
PACKAGES='telnetd inetutils-telnetd telnetd-ssl krb5-telnetd heimdal-servers'
|
||||
FILE='/etc/inetd.conf'
|
||||
PATTERN='^telnet'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
warn "$PACKAGE is installed, checking configuration"
|
||||
does_file_exist $FILE
|
||||
if [ $FNRET != 0 ]; then
|
||||
ok "$FILE does not exist"
|
||||
else
|
||||
does_pattern_exists_in_file $FILE $PATTERN
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PATTERN exists, $PACKAGE services are enabled !"
|
||||
else
|
||||
ok "$PATTERN not present in $FILE"
|
||||
fi
|
||||
fi
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PACKAGE is installed, purging it"
|
||||
apt-get purge $PACKAGE -y
|
||||
apt-get autoremove
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
does_file_exist $FILE
|
||||
if [ $FNRET != 0 ]; then
|
||||
ok "$FILE does not exist"
|
||||
else
|
||||
info "$FILE exists, checking patterns"
|
||||
does_pattern_exists_in_file $FILE $PATTERN
|
||||
if [ $FNRET = 0 ]; then
|
||||
warn "$PATTERN present in $FILE, purging it"
|
||||
backup_file $FILE
|
||||
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
|
||||
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
|
||||
else
|
||||
ok "$PATTERN not present in $FILE"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
88
bin/hardening/5.1.7_disable_tftp_server.sh
Executable file
88
bin/hardening/5.1.7_disable_tftp_server.sh
Executable file
@ -0,0 +1,88 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 5.1.7 Ensure tftp-server is not enabled (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
PACKAGES='tftpd tftpd-hpa atftpd'
|
||||
FILE='/etc/inetd.conf'
|
||||
PATTERN='^tftp'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
warn "$PACKAGE is installed, checking configuration"
|
||||
does_file_exist $FILE
|
||||
if [ $FNRET != 0 ]; then
|
||||
ok "$FILE does not exist"
|
||||
else
|
||||
does_pattern_exists_in_file $FILE $PATTERN
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PATTERN exists, $PACKAGE services are enabled !"
|
||||
else
|
||||
ok "$PATTERN not present in $FILE"
|
||||
fi
|
||||
fi
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PACKAGE is installed, purging it"
|
||||
apt-get purge $PACKAGE -y
|
||||
apt-get autoremove
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
does_file_exist $FILE
|
||||
if [ $FNRET != 0 ]; then
|
||||
ok "$FILE does not exist"
|
||||
else
|
||||
info "$FILE exists, checking patterns"
|
||||
does_pattern_exists_in_file $FILE $PATTERN
|
||||
if [ $FNRET = 0 ]; then
|
||||
warn "$PATTERN present in $FILE, purging it"
|
||||
backup_file $FILE
|
||||
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
|
||||
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
|
||||
echo "coucou"
|
||||
else
|
||||
ok "$PATTERN not present in $FILE"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
59
bin/hardening/5.1.8_disable_inetd.sh
Executable file
59
bin/hardening/5.1.8_disable_inetd.sh
Executable file
@ -0,0 +1,59 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 5.1.8 Ensure xinetd is not enabled (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
PACKAGES='openbsd-inetd xinetd rlinetd'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PACKAGE is installed"
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
warn "$PACKAGE is installed, purging"
|
||||
apt-get purge $PACKAGE -y
|
||||
apt-get autoremove
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
68
bin/hardening/5.2_disable_chargen.sh
Executable file
68
bin/hardening/5.2_disable_chargen.sh
Executable file
@ -0,0 +1,68 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 5.2 Ensure chargen is not enabled (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
FILE='/etc/inetd.conf'
|
||||
PATTERN='^chargen'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
does_file_exist $FILE
|
||||
if [ $FNRET != 0 ]; then
|
||||
ok "$FILE does not exist"
|
||||
else
|
||||
does_pattern_exists_in_file $FILE $PATTERN
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PATTERN exists, chargen services are enabled !"
|
||||
else
|
||||
ok "$PATTERN not present in $FILE"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
does_file_exist $FILE
|
||||
if [ $FNRET != 0 ]; then
|
||||
ok "$FILE does not exist"
|
||||
else
|
||||
info "$FILE exists, checking patterns"
|
||||
does_pattern_exists_in_file $FILE $PATTERN
|
||||
if [ $FNRET = 0 ]; then
|
||||
warn "$PATTERN present in $FILE, purging it"
|
||||
backup_file $FILE
|
||||
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
|
||||
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
|
||||
else
|
||||
ok "$PATTERN not present in $FILE"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
68
bin/hardening/5.3_disable_daytime.sh
Executable file
68
bin/hardening/5.3_disable_daytime.sh
Executable file
@ -0,0 +1,68 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 5.3 Ensure daytime is not enabled (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
FILE='/etc/inetd.conf'
|
||||
PATTERN='^daytime'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
does_file_exist $FILE
|
||||
if [ $FNRET != 0 ]; then
|
||||
ok "$FILE does not exist"
|
||||
else
|
||||
does_pattern_exists_in_file $FILE $PATTERN
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PATTERN exists, chargen services are enabled !"
|
||||
else
|
||||
ok "$PATTERN not present in $FILE"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
does_file_exist $FILE
|
||||
if [ $FNRET != 0 ]; then
|
||||
ok "$FILE does not exist"
|
||||
else
|
||||
info "$FILE exists, checking patterns"
|
||||
does_pattern_exists_in_file $FILE $PATTERN
|
||||
if [ $FNRET = 0 ]; then
|
||||
warn "$PATTERN present in $FILE, purging it"
|
||||
backup_file $FILE
|
||||
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
|
||||
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
|
||||
else
|
||||
ok "$PATTERN not present in $FILE"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
68
bin/hardening/5.4_disable_echo.sh
Executable file
68
bin/hardening/5.4_disable_echo.sh
Executable file
@ -0,0 +1,68 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 5.4 Ensure echo is not enabled (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
FILE='/etc/inetd.conf'
|
||||
PATTERN='^echo'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
does_file_exist $FILE
|
||||
if [ $FNRET != 0 ]; then
|
||||
ok "$FILE does not exist"
|
||||
else
|
||||
does_pattern_exists_in_file $FILE $PATTERN
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PATTERN exists, chargen services are enabled !"
|
||||
else
|
||||
ok "$PATTERN not present in $FILE"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
does_file_exist $FILE
|
||||
if [ $FNRET != 0 ]; then
|
||||
ok "$FILE does not exist"
|
||||
else
|
||||
info "$FILE exists, checking patterns"
|
||||
does_pattern_exists_in_file $FILE $PATTERN
|
||||
if [ $FNRET = 0 ]; then
|
||||
warn "$PATTERN present in $FILE, purging it"
|
||||
backup_file $FILE
|
||||
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
|
||||
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
|
||||
else
|
||||
ok "$PATTERN not present in $FILE"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
68
bin/hardening/5.5_disable_discard.sh
Executable file
68
bin/hardening/5.5_disable_discard.sh
Executable file
@ -0,0 +1,68 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 5.5 Ensure discard is not enabled (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
FILE='/etc/inetd.conf'
|
||||
PATTERN='^discard'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
does_file_exist $FILE
|
||||
if [ $FNRET != 0 ]; then
|
||||
ok "$FILE does not exist"
|
||||
else
|
||||
does_pattern_exists_in_file $FILE $PATTERN
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PATTERN exists, chargen services are enabled !"
|
||||
else
|
||||
ok "$PATTERN not present in $FILE"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
does_file_exist $FILE
|
||||
if [ $FNRET != 0 ]; then
|
||||
ok "$FILE does not exist"
|
||||
else
|
||||
info "$FILE exists, checking patterns"
|
||||
does_pattern_exists_in_file $FILE $PATTERN
|
||||
if [ $FNRET = 0 ]; then
|
||||
warn "$PATTERN present in $FILE, purging it"
|
||||
backup_file $FILE
|
||||
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
|
||||
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
|
||||
else
|
||||
ok "$PATTERN not present in $FILE"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
68
bin/hardening/5.6_disable_time.sh
Executable file
68
bin/hardening/5.6_disable_time.sh
Executable file
@ -0,0 +1,68 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 5.6 Ensure time is not enabled (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
FILE='/etc/inetd.conf'
|
||||
PATTERN='^time'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
does_file_exist $FILE
|
||||
if [ $FNRET != 0 ]; then
|
||||
ok "$FILE does not exist"
|
||||
else
|
||||
does_pattern_exists_in_file $FILE $PATTERN
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PATTERN exists, chargen services are enabled !"
|
||||
else
|
||||
ok "$PATTERN not present in $FILE"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
does_file_exist $FILE
|
||||
if [ $FNRET != 0 ]; then
|
||||
ok "$FILE does not exist"
|
||||
else
|
||||
info "$FILE exists, checking patterns"
|
||||
does_pattern_exists_in_file $FILE $PATTERN
|
||||
if [ $FNRET = 0 ]; then
|
||||
warn "$PATTERN present in $FILE, purging it"
|
||||
backup_file $FILE
|
||||
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
|
||||
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
|
||||
else
|
||||
ok "$PATTERN not present in $FILE"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
60
bin/hardening/6.10_disable_http_server.sh
Executable file
60
bin/hardening/6.10_disable_http_server.sh
Executable file
@ -0,0 +1,60 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 6.10 Ensure HTTP Server is not enabled (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Based on aptitude search '~Phttpd'
|
||||
PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PACKAGE is installed !"
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PACKAGE is installed, purging it"
|
||||
apt-get purge $PACKAGE -y
|
||||
apt-get autoremove
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
60
bin/hardening/6.11_disable_imap_pop.sh
Executable file
60
bin/hardening/6.11_disable_imap_pop.sh
Executable file
@ -0,0 +1,60 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 6.11 Ensure IMAP and POP server is not enabled (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Based on aptitude search '~Pimap-server' and aptitude search '~Ppop3-server'
|
||||
PACKAGES='citadel-server courier-imap cyrus-imapd-2.4 dovecot-imapd mailutils-imap4d courier-pop cyrus-pop3d-2.4 dovecot-pop3d heimdal-servers mailutils-pop3d popa3d solid-pop3d xmail'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PACKAGE is installed !"
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PACKAGE is installed, purging it"
|
||||
apt-get purge $PACKAGE -y
|
||||
apt-get autoremove
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
59
bin/hardening/6.12_disable_samba.sh
Executable file
59
bin/hardening/6.12_disable_samba.sh
Executable file
@ -0,0 +1,59 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 6.12 Ensure Samba is not enabled (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
PACKAGES='samba'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PACKAGE is installed !"
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PACKAGE is installed, purging it"
|
||||
apt-get purge $PACKAGE -y
|
||||
apt-get autoremove
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
59
bin/hardening/6.13_diable_http_proxy.sh
Executable file
59
bin/hardening/6.13_diable_http_proxy.sh
Executable file
@ -0,0 +1,59 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 6.13 Ensure HTTP Proxy Server is not enabled (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
PACKAGES='squid3 squid'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PACKAGE is installed !"
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PACKAGE is installed, purging it"
|
||||
apt-get purge $PACKAGE -y
|
||||
apt-get autoremove
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
59
bin/hardening/6.14_disable_snmp_server.sh
Executable file
59
bin/hardening/6.14_disable_snmp_server.sh
Executable file
@ -0,0 +1,59 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 6.14 Ensure SNMP Server is not enabled (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
PACKAGES='snmpd'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PACKAGE is installed !"
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PACKAGE is installed, purging it"
|
||||
apt-get purge $PACKAGE -y
|
||||
apt-get autoremove
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
66
bin/hardening/6.15_mta_localhost.sh
Executable file
66
bin/hardening/6.15_mta_localhost.sh
Executable file
@ -0,0 +1,66 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 6.15 Configure Mail Transfer Agent for Local-Only Mode (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Checking netport ports opened"
|
||||
eval 'RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]")'
|
||||
debug "Result is $RESULT"
|
||||
if [ -z "$RESULT" ]; then
|
||||
ok "Nothing listens on 25 port, probably unix socket configured"
|
||||
else
|
||||
info "Checking $RESULT"
|
||||
if $(grep -q "127.0.0.1" <<< $RESULT); then
|
||||
ok "MTA is configured to localhost only"
|
||||
else
|
||||
crit "MTA listens worldwide"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
info "Checking netport ports opened"
|
||||
eval 'RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]")'
|
||||
debug "Result is $RESULT"
|
||||
if [ -z "$RESULT" ]; then
|
||||
ok "Nothing listens on 25 port, probably unix socket configured"
|
||||
else
|
||||
info "Checking $RESULT"
|
||||
if $(grep -q "127.0.0.1" <<< $RESULT); then
|
||||
ok "MTA is configured to localhost only"
|
||||
else
|
||||
warn "MTA listens worldwide, correct this considering your MTA"
|
||||
fi
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user