mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-22 21:47:02 +01:00
add hardening templating and several enhancements
This commit is contained in:
Stéphane Lesimple
Stéphane Lesimple
parent
78569b5583
commit
dfaf4c2093
1
AUTHORS
1
AUTHORS
@ -2,6 +2,7 @@ Contributors of this project :
|
|||||||
|
|
||||||
Developers :
|
Developers :
|
||||||
Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||||
|
Stéphane Lesimple, OVH <stephane.lesimple@corp.ovh.com>
|
||||||
|
|
||||||
Debian package maintainers :
|
Debian package maintainers :
|
||||||
Kevin Tanguy, OVH <kevin.tanguy@corp.ovh.com>
|
Kevin Tanguy, OVH <kevin.tanguy@corp.ovh.com>
|
||||||
|
|||||||
@ -20,11 +20,13 @@ AUDIT=0
|
|||||||
APPLY=0
|
APPLY=0
|
||||||
AUDIT_ALL=0
|
AUDIT_ALL=0
|
||||||
AUDIT_ALL_ENABLE_PASSED=0
|
AUDIT_ALL_ENABLE_PASSED=0
|
||||||
|
ALLOW_SERVICE_LIST=0
|
||||||
|
SET_HARDENING_LEVEL=0
|
||||||
CIS_ROOT_DIR=''
|
CIS_ROOT_DIR=''
|
||||||
|
|
||||||
usage() {
|
usage() {
|
||||||
cat << EOF
|
cat << EOF
|
||||||
$LONG_SCRIPT_NAME RUN_MODE, where RUN_MODE is one of:
|
$LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
|
||||||
|
|
||||||
--help -h
|
--help -h
|
||||||
Show this help
|
Show this help
|
||||||
@ -53,6 +55,35 @@ $LONG_SCRIPT_NAME RUN_MODE, where RUN_MODE is one of:
|
|||||||
Don't run this if you have already customized the scripts enable/disable
|
Don't run this if you have already customized the scripts enable/disable
|
||||||
configurations, obviously.
|
configurations, obviously.
|
||||||
|
|
||||||
|
--set-hardening-level <level>
|
||||||
|
Modifies the configuration to enable/disable tests given an hardening level,
|
||||||
|
between 1 to 5. Don't run this if you have already customized the scripts
|
||||||
|
enable/disable configurations.
|
||||||
|
1: very basic policy, failure to pass tests at this level indicates severe
|
||||||
|
misconfiguration of the machine that can have a huge security impact
|
||||||
|
2: basic policy, some good practice rules that, once applied, shouldn't
|
||||||
|
break anything on most systems
|
||||||
|
3: best practices policy, passing all tests might need some configuration
|
||||||
|
modifications (such as specific partitioning, etc.)
|
||||||
|
4: high security policy, passing all tests might be time-consuming and
|
||||||
|
require high adaptation of your workflow
|
||||||
|
5: placebo, policy rules that might be very difficult to apply and maintain,
|
||||||
|
with questionable security benefits
|
||||||
|
|
||||||
|
--allow-service <service>
|
||||||
|
Use with --set-hardening-level.
|
||||||
|
Modifies the policy to allow a certain kind of services on the machine, such
|
||||||
|
as http, mail, etc. Can be specified multiple times to allow multiple services.
|
||||||
|
Use --allow-service-list to get a list of supported services.
|
||||||
|
|
||||||
|
OPTIONS:
|
||||||
|
|
||||||
|
--only <test_number>
|
||||||
|
Modifies the RUN_MODE to only work on the test_number script.
|
||||||
|
Can be specified multiple times to work only on several scripts.
|
||||||
|
The test number is the numbered prefix of the script,
|
||||||
|
i.e. the test number of 1.2_script_name.sh is 1.2.
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
exit 0
|
exit 0
|
||||||
}
|
}
|
||||||
@ -61,6 +92,8 @@ if [ $# = 0 ]; then
|
|||||||
usage
|
usage
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
declare -a TEST_LIST ALLOWED_SERVICES_LIST
|
||||||
|
|
||||||
# Arguments parsing
|
# Arguments parsing
|
||||||
while [[ $# > 0 ]]; do
|
while [[ $# > 0 ]]; do
|
||||||
ARG="$1"
|
ARG="$1"
|
||||||
@ -77,6 +110,21 @@ while [[ $# > 0 ]]; do
|
|||||||
--apply)
|
--apply)
|
||||||
APPLY=1
|
APPLY=1
|
||||||
;;
|
;;
|
||||||
|
--allow-service-list)
|
||||||
|
ALLOW_SERVICE_LIST=1
|
||||||
|
;;
|
||||||
|
--allow-service)
|
||||||
|
ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
--set-hardening-level)
|
||||||
|
SET_HARDENING_LEVEL="$2"
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
--only)
|
||||||
|
TEST_LIST[${#TEST_LIST[@]}]="$2"
|
||||||
|
shift
|
||||||
|
;;
|
||||||
-h|--help)
|
-h|--help)
|
||||||
usage
|
usage
|
||||||
;;
|
;;
|
||||||
@ -104,8 +152,51 @@ fi
|
|||||||
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
|
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
|
||||||
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
|
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
|
||||||
|
|
||||||
|
# If --allow-service-list is specified, don't run anything, just list the supported services
|
||||||
|
if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then
|
||||||
|
declare -a HARDENING_EXCEPTIONS_LIST
|
||||||
|
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
|
||||||
|
template=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2)
|
||||||
|
[ -n "$template" ] && HARDENING_EXCEPTIONS_LIST[${#HARDENING_EXCEPTIONS_LIST[@]}]="$template"
|
||||||
|
done
|
||||||
|
echo "Supported services are: "$(echo "${HARDENING_EXCEPTIONS_LIST[@]}" | tr " " "\n" | sort -u | tr "\n" " ")
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
# If --set-hardening-level is specified, don't run anything, just apply config for each script
|
||||||
|
if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then
|
||||||
|
if ! grep -q "^[12345]$" <<< "$SET_HARDENING_LEVEL" ; then
|
||||||
|
echo "Bad --set-hardening-level specified ('$SET_HARDENING_LEVEL'), expected 1 to 5"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
|
||||||
|
SCRIPT_BASENAME=$(basename $SCRIPT .sh)
|
||||||
|
script_level=$(grep "^HARDENING_LEVEL=" "$SCRIPT" | cut -d= -f2)
|
||||||
|
if [ -z "$script_level" ] ; then
|
||||||
|
echo "The script $SCRIPT_BASENAME doesn't have a hardening level, configuration untouched for it"
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
wantedstatus=disabled
|
||||||
|
[ "$script_level" -le "$SET_HARDENING_LEVEL" ] && wantedstatus=enabled
|
||||||
|
sed -i -re "s/^status=.+/status=$wantedstatus/" $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
|
||||||
|
done
|
||||||
|
echo "Configuration modified to enable scripts for hardening level at or below $SET_HARDENING_LEVEL"
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
# Parse every scripts and execute them in the required mode
|
# Parse every scripts and execute them in the required mode
|
||||||
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
|
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
|
||||||
|
if [ ${#TEST_LIST[@]} -gt 0 ] ; then
|
||||||
|
# --only X has been specified at least once, is this script in my list ?
|
||||||
|
SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<< "$(basename $SCRIPT)")
|
||||||
|
SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<< "$SCRIPT_PREFIX")
|
||||||
|
if ! grep -qEw "$SCRIPT_PREFIX_RE" <<< "${TEST_LIST[@]}"; then
|
||||||
|
# not in the list
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
info "Treating $SCRIPT"
|
info "Treating $SCRIPT"
|
||||||
|
|
||||||
if [ $AUDIT = 1 ]; then
|
if [ $AUDIT = 1 ]; then
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit () {
|
||||||
info "Checking if apt needs an update"
|
info "Checking if apt needs an update"
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
PACKAGE='login'
|
PACKAGE='login'
|
||||||
OPTIONS='PASS_MAX_DAYS=90'
|
OPTIONS='PASS_MAX_DAYS=90'
|
||||||
FILE='/etc/login.defs'
|
FILE='/etc/login.defs'
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
PACKAGE='login'
|
PACKAGE='login'
|
||||||
OPTIONS='PASS_MIN_DAYS=7'
|
OPTIONS='PASS_MIN_DAYS=7'
|
||||||
FILE='/etc/login.defs'
|
FILE='/etc/login.defs'
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
PACKAGE='login'
|
PACKAGE='login'
|
||||||
OPTIONS='PASS_WARN_AGE=7'
|
OPTIONS='PASS_WARN_AGE=7'
|
||||||
FILE='/etc/login.defs'
|
FILE='/etc/login.defs'
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
SHELL='/bin/false'
|
SHELL='/bin/false'
|
||||||
FILE='/etc/passwd'
|
FILE='/etc/passwd'
|
||||||
RESULT=''
|
RESULT=''
|
||||||
@ -70,6 +72,15 @@ apply () {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# This function will create the config file for this check with default values
|
||||||
|
create_config() {
|
||||||
|
cat <<EOF
|
||||||
|
status=disabled
|
||||||
|
# Put here your exceptions concerning admin accounts shells separated by spaces
|
||||||
|
EXCEPTIONS=""
|
||||||
|
EOF
|
||||||
|
}
|
||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
||||||
check_config() {
|
check_config() {
|
||||||
if [ -z "$EXCEPTIONS" ]; then
|
if [ -z "$EXCEPTIONS" ]; then
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
USER='root'
|
USER='root'
|
||||||
EXPECTED_GID='0'
|
EXPECTED_GID='0'
|
||||||
|
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
USER='root'
|
USER='root'
|
||||||
PATTERN='umask 077'
|
PATTERN='umask 077'
|
||||||
FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d/* /etc/profile'
|
FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d/* /etc/profile'
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit () {
|
||||||
info "Looking at the manual of useradd, it seems that this recommendation does not fill the title"
|
info "Looking at the manual of useradd, it seems that this recommendation does not fill the title"
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
PERMISSIONS='644'
|
PERMISSIONS='644'
|
||||||
USER='root'
|
USER='root'
|
||||||
GROUP='root'
|
GROUP='root'
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
FILES='/etc/motd /etc/issue /etc/issue.net'
|
FILES='/etc/motd /etc/issue /etc/issue.net'
|
||||||
PATTERN='(\\v|\\r|\\m|\\s)'
|
PATTERN='(\\v|\\r|\\m|\\s)'
|
||||||
|
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit () {
|
||||||
info "Not implemented yet"
|
info "Not implemented yet"
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit () {
|
||||||
info "Checking if there are suid files"
|
info "Checking if there are suid files"
|
||||||
@ -35,6 +37,15 @@ apply () {
|
|||||||
info "Removing suid on valid binary may seriously harm your system, report only here"
|
info "Removing suid on valid binary may seriously harm your system, report only here"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# This function will create the config file for this check with default values
|
||||||
|
create_config() {
|
||||||
|
cat <<EOF
|
||||||
|
status=disabled
|
||||||
|
# Put Here your valid suid binaries so that they do not appear during the audit
|
||||||
|
EXCEPTIONS="/bin/mount /bin/ping /bin/ping6 /bin/su /bin/umount /usr/bin/chfn /usr/bin/chsh /usr/bin/fping /usr/bin/fping6 /usr/bin/gpasswd /usr/bin/mtr /usr/bin/newgrp /usr/bin/passwd /usr/bin/sudo /usr/bin/sudoedit /usr/lib/openssh/ssh-keysign /usr/lib/pt_chown /usr/bin/at"
|
||||||
|
EOF
|
||||||
|
}
|
||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
||||||
check_config() {
|
check_config() {
|
||||||
# No param for this function
|
# No param for this function
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit () {
|
||||||
info "Checking if there are sgid files"
|
info "Checking if there are sgid files"
|
||||||
@ -35,6 +37,15 @@ apply () {
|
|||||||
info "Removing sgid on valid binary may seriously harm your system, report only here"
|
info "Removing sgid on valid binary may seriously harm your system, report only here"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# This function will create the config file for this check with default values
|
||||||
|
create_config() {
|
||||||
|
cat <<EOF
|
||||||
|
status=disabled
|
||||||
|
# Put here valid binaries with sgid enabled separated by spaces
|
||||||
|
EXCEPTIONS="/sbin/unix_chkpwd /usr/bin/bsd-write /usr/bin/chage /usr/bin/crontab /usr/bin/expiry /usr/bin/mutt_dotlock /usr/bin/screen /usr/bin/ssh-agent /usr/bin/wall /usr/sbin/postdrop /usr/sbin/postqueue /usr/bin/at /usr/bin/dotlockfile /usr/bin/mail-lock /usr/bin/mail-touchlock /usr/bin/mail-unlock"
|
||||||
|
EOF
|
||||||
|
}
|
||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
||||||
check_config() {
|
check_config() {
|
||||||
if [ -z "$EXCEPTIONS" ]; then
|
if [ -z "$EXCEPTIONS" ]; then
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=1
|
||||||
|
|
||||||
FILE='/etc/passwd'
|
FILE='/etc/passwd'
|
||||||
PERMISSIONS='644'
|
PERMISSIONS='644'
|
||||||
|
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=1
|
||||||
|
|
||||||
FILE='/etc/shadow'
|
FILE='/etc/shadow'
|
||||||
PERMISSIONS='640'
|
PERMISSIONS='640'
|
||||||
|
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=1
|
||||||
|
|
||||||
FILE='/etc/group'
|
FILE='/etc/group'
|
||||||
PERMISSIONS='644'
|
PERMISSIONS='644'
|
||||||
|
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=1
|
||||||
|
|
||||||
FILE='/etc/passwd'
|
FILE='/etc/passwd'
|
||||||
USER='root'
|
USER='root'
|
||||||
GROUP='root'
|
GROUP='root'
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=1
|
||||||
|
|
||||||
FILE='/etc/shadow'
|
FILE='/etc/shadow'
|
||||||
USER='root'
|
USER='root'
|
||||||
GROUP='shadow'
|
GROUP='shadow'
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=1
|
||||||
|
|
||||||
FILE='/etc/group'
|
FILE='/etc/group'
|
||||||
USER='root'
|
USER='root'
|
||||||
GROUP='root'
|
GROUP='root'
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit () {
|
||||||
info "Checking if there are world writable files"
|
info "Checking if there are world writable files"
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
USER='root'
|
USER='root'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
GROUP='root'
|
GROUP='root'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
ERRORS=0
|
ERRORS=0
|
||||||
FILENAME=".rhosts"
|
FILENAME=".rhosts"
|
||||||
|
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
ERRORS=0
|
ERRORS=0
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
ERRORS=0
|
ERRORS=0
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
ERRORS=0
|
ERRORS=0
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
ERRORS=0
|
ERRORS=0
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
ERRORS=0
|
ERRORS=0
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=1
|
||||||
|
|
||||||
ERRORS=0
|
ERRORS=0
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=1
|
||||||
|
|
||||||
ERRORS=0
|
ERRORS=0
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
ERRORS=0
|
ERRORS=0
|
||||||
FILENAME='.netrc'
|
FILENAME='.netrc'
|
||||||
|
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
ERRORS=0
|
ERRORS=0
|
||||||
FILENAME='.forward'
|
FILENAME='.forward'
|
||||||
|
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=1
|
||||||
|
|
||||||
FILE='/etc/shadow'
|
FILE='/etc/shadow'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=1
|
||||||
|
|
||||||
ERRORS=0
|
ERRORS=0
|
||||||
FILEGROUP='/etc/group'
|
FILEGROUP='/etc/group'
|
||||||
PATTERN='^shadow:x:[[:digit:]]+:'
|
PATTERN='^shadow:x:[[:digit:]]+:'
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=1
|
||||||
|
|
||||||
FILE='/etc/passwd'
|
FILE='/etc/passwd'
|
||||||
RESULT=''
|
RESULT=''
|
||||||
|
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=1
|
||||||
|
|
||||||
FILE='/etc/shadow'
|
FILE='/etc/shadow'
|
||||||
RESULT=''
|
RESULT=''
|
||||||
|
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=1
|
||||||
|
|
||||||
FILE='/etc/group'
|
FILE='/etc/group'
|
||||||
RESULT=''
|
RESULT=''
|
||||||
|
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
FILE='/etc/passwd'
|
FILE='/etc/passwd'
|
||||||
RESULT=''
|
RESULT=''
|
||||||
|
|
||||||
@ -33,7 +35,7 @@ audit () {
|
|||||||
crit "Some accounts have uid 0"
|
crit "Some accounts have uid 0"
|
||||||
crit $RESULT
|
crit $RESULT
|
||||||
else
|
else
|
||||||
ok "No account with uid 0 apart root"
|
ok "No account with uid 0 appart from root and potential configured exceptions"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -42,6 +44,15 @@ apply () {
|
|||||||
info "Removing accounts with uid 0 may seriously harm your system, report only here"
|
info "Removing accounts with uid 0 may seriously harm your system, report only here"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# This function will create the config file for this check with default values
|
||||||
|
create_config() {
|
||||||
|
cat <<EOF
|
||||||
|
status=disabled
|
||||||
|
# Put here valid accounts with uid 0 separated by spaces
|
||||||
|
EXCEPTIONS=""
|
||||||
|
EOF
|
||||||
|
}
|
||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
||||||
check_config() {
|
check_config() {
|
||||||
if [ -z "$EXCEPTIONS" ]; then
|
if [ -z "$EXCEPTIONS" ]; then
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
ERRORS=0
|
ERRORS=0
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
ERRORS=0
|
ERRORS=0
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
@ -86,6 +88,15 @@ apply () {
|
|||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# This function will create the config file for this check with default values
|
||||||
|
create_config() {
|
||||||
|
cat <<EOF
|
||||||
|
status=disabled
|
||||||
|
# Put here user home directories exceptions, separated by spaces
|
||||||
|
EXCEPTIONS=""
|
||||||
|
EOF
|
||||||
|
}
|
||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
||||||
check_config() {
|
check_config() {
|
||||||
if [ -z "$EXCEPTIONS" ]; then
|
if [ -z "$EXCEPTIONS" ]; then
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
ERRORS=0
|
ERRORS=0
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
PERMISSIONS="600"
|
PERMISSIONS="600"
|
||||||
ERRORS=0
|
ERRORS=0
|
||||||
|
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
# Quick factoring as many script use the same logic
|
# Quick factoring as many script use the same logic
|
||||||
PARTITION="/home"
|
PARTITION="/home"
|
||||||
OPTION="nodev"
|
OPTION="nodev"
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
|
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
|
||||||
|
|
||||||
# Quick factoring as many script use the same logic
|
# Quick factoring as many script use the same logic
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
|
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
|
||||||
|
|
||||||
# Quick factoring as many script use the same logic
|
# Quick factoring as many script use the same logic
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
|
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
|
||||||
|
|
||||||
# Quick factoring as many script use the same logic
|
# Quick factoring as many script use the same logic
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
# Quick factoring as many script use the same logic
|
# Quick factoring as many script use the same logic
|
||||||
PARTITION="/run/shm"
|
PARTITION="/run/shm"
|
||||||
OPTION="nodev"
|
OPTION="nodev"
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
# Quick factoring as many script use the same logic
|
# Quick factoring as many script use the same logic
|
||||||
PARTITION="/run/shm"
|
PARTITION="/run/shm"
|
||||||
OPTION="nosuid"
|
OPTION="nosuid"
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
# Quick factoring as many script use the same logic
|
# Quick factoring as many script use the same logic
|
||||||
PARTITION="/run/shm"
|
PARTITION="/run/shm"
|
||||||
OPTION="noexec"
|
OPTION="noexec"
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit () {
|
||||||
info "Checking if setuid is set on world writable Directories"
|
info "Checking if setuid is set on world writable Directories"
|
||||||
|
|||||||
@ -11,13 +11,15 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
|
HARDENING_LEVEL=2
|
||||||
KERNEL_OPTION="cramfs"
|
|
||||||
|
KERNEL_OPTION="CONFIG_CRAMFS"
|
||||||
|
MODULE_NAME="cramfs"
|
||||||
|
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit () {
|
||||||
is_kernel_option_enabled $KERNEL_OPTION
|
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
|
||||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
crit "$KERNEL_OPTION is enabled!"
|
crit "$KERNEL_OPTION is enabled!"
|
||||||
else
|
else
|
||||||
|
|||||||
@ -11,13 +11,15 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
|
HARDENING_LEVEL=2
|
||||||
KERNEL_OPTION="freevxfs"
|
|
||||||
|
KERNEL_OPTION="CONFIG_VXFS_FS"
|
||||||
|
MODULE_NAME="freevxfs"
|
||||||
|
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit () {
|
||||||
is_kernel_option_enabled $KERNEL_OPTION
|
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
|
||||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
crit "$KERNEL_OPTION is enabled!"
|
crit "$KERNEL_OPTION is enabled!"
|
||||||
else
|
else
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
# Quick factoring as many script use the same logic
|
# Quick factoring as many script use the same logic
|
||||||
PARTITION="/tmp"
|
PARTITION="/tmp"
|
||||||
|
|
||||||
|
|||||||
@ -11,13 +11,15 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
|
HARDENING_LEVEL=2
|
||||||
KERNEL_OPTION="jffs2"
|
|
||||||
|
KERNEL_OPTION="CONFIG_JFFS2_FS"
|
||||||
|
MODULE_NAME="jffs2"
|
||||||
|
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit () {
|
||||||
is_kernel_option_enabled $KERNEL_OPTION
|
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
|
||||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
crit "$KERNEL_OPTION is enabled!"
|
crit "$KERNEL_OPTION is enabled!"
|
||||||
else
|
else
|
||||||
|
|||||||
@ -11,13 +11,15 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
|
HARDENING_LEVEL=2
|
||||||
KERNEL_OPTION="hfs"
|
|
||||||
|
KERNEL_OPTION="CONFIG_HFS_FS"
|
||||||
|
MODULE_FILE="hfs"
|
||||||
|
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit () {
|
||||||
is_kernel_option_enabled $KERNEL_OPTION
|
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
|
||||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
crit "$KERNEL_OPTION is enabled!"
|
crit "$KERNEL_OPTION is enabled!"
|
||||||
else
|
else
|
||||||
|
|||||||
@ -11,13 +11,15 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
|
HARDENING_LEVEL=2
|
||||||
KERNEL_OPTION="hfsplus"
|
|
||||||
|
KERNEL_OPTION="CONFIG_HFSPLUS_FS"
|
||||||
|
MODULE_FILE="hfsplus"
|
||||||
|
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit () {
|
||||||
is_kernel_option_enabled $KERNEL_OPTION
|
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
|
||||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
crit "$KERNEL_OPTION is enabled!"
|
crit "$KERNEL_OPTION is enabled!"
|
||||||
else
|
else
|
||||||
|
|||||||
@ -11,13 +11,15 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
|
HARDENING_LEVEL=2
|
||||||
KERNEL_OPTION="squashfs"
|
|
||||||
|
KERNEL_OPTION="CONFIG_SQUASHFS"
|
||||||
|
MODULE_FILE="squashfs"
|
||||||
|
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit () {
|
||||||
is_kernel_option_enabled $KERNEL_OPTION
|
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
|
||||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
crit "$KERNEL_OPTION is enabled!"
|
crit "$KERNEL_OPTION is enabled!"
|
||||||
else
|
else
|
||||||
|
|||||||
@ -11,13 +11,15 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
|
HARDENING_LEVEL=2
|
||||||
KERNEL_OPTION="udf"
|
|
||||||
|
KERNEL_OPTION="CONFIG_UDF_FS"
|
||||||
|
MODULE_FILE="udf"
|
||||||
|
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit () {
|
||||||
is_kernel_option_enabled $KERNEL_OPTION
|
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
|
||||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
crit "$KERNEL_OPTION is enabled!"
|
crit "$KERNEL_OPTION is enabled!"
|
||||||
else
|
else
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
SERVICE_NAME="autofs"
|
SERVICE_NAME="autofs"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
# Quick factoring as many script use the same logic
|
# Quick factoring as many script use the same logic
|
||||||
PARTITION="/tmp"
|
PARTITION="/tmp"
|
||||||
OPTION="nodev"
|
OPTION="nodev"
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
# Quick factoring as many script use the same logic
|
# Quick factoring as many script use the same logic
|
||||||
PARTITION="/tmp"
|
PARTITION="/tmp"
|
||||||
OPTION="nosuid"
|
OPTION="nosuid"
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
# Quick factoring as many script use the same logic
|
# Quick factoring as many script use the same logic
|
||||||
PARTITION="/tmp"
|
PARTITION="/tmp"
|
||||||
OPTION="noexec"
|
OPTION="noexec"
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
# Quick factoring as many script use the same logic
|
# Quick factoring as many script use the same logic
|
||||||
PARTITION="/var"
|
PARTITION="/var"
|
||||||
|
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
# Quick factoring as many script use the same logic
|
# Quick factoring as many script use the same logic
|
||||||
PARTITION="/var/tmp"
|
PARTITION="/var/tmp"
|
||||||
|
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
# Quick factoring as many script use the same logic
|
# Quick factoring as many script use the same logic
|
||||||
PARTITION="/var/tmp"
|
PARTITION="/var/tmp"
|
||||||
OPTION="nodev"
|
OPTION="nodev"
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
# Quick factoring as many script use the same logic
|
# Quick factoring as many script use the same logic
|
||||||
PARTITION="/var/tmp"
|
PARTITION="/var/tmp"
|
||||||
OPTION="nosuid"
|
OPTION="nosuid"
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
# Quick factoring as many script use the same logic
|
# Quick factoring as many script use the same logic
|
||||||
PARTITION="/var/tmp"
|
PARTITION="/var/tmp"
|
||||||
OPTION="noexec"
|
OPTION="noexec"
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
# Quick factoring as many script use the same logic
|
# Quick factoring as many script use the same logic
|
||||||
PARTITION="/var/log"
|
PARTITION="/var/log"
|
||||||
|
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=4
|
||||||
|
|
||||||
# Quick factoring as many script use the same logic
|
# Quick factoring as many script use the same logic
|
||||||
PARTITION="/var/log/audit"
|
PARTITION="/var/log/audit"
|
||||||
|
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
# Quick factoring as many script use the same logic
|
# Quick factoring as many script use the same logic
|
||||||
PARTITION="/home"
|
PARTITION="/home"
|
||||||
|
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=1
|
||||||
|
|
||||||
# Assertion : Grub Based.
|
# Assertion : Grub Based.
|
||||||
|
|
||||||
FILE='/boot/grub/grub.cfg'
|
FILE='/boot/grub/grub.cfg'
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=1
|
||||||
|
|
||||||
# Assertion : Grub Based.
|
# Assertion : Grub Based.
|
||||||
|
|
||||||
FILE='/boot/grub/grub.cfg'
|
FILE='/boot/grub/grub.cfg'
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
FILE='/boot/grub/grub.cfg'
|
FILE='/boot/grub/grub.cfg'
|
||||||
USER_PATTERN="^set superusers"
|
USER_PATTERN="^set superusers"
|
||||||
PWD_PATTERN="^password_pbkdf2"
|
PWD_PATTERN="^password_pbkdf2"
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
FILE="/etc/shadow"
|
FILE="/etc/shadow"
|
||||||
PATTERN="^root:[*\!]:"
|
PATTERN="^root:[*\!]:"
|
||||||
|
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
LIMIT_FILE='/etc/security/limits.conf'
|
LIMIT_FILE='/etc/security/limits.conf'
|
||||||
LIMIT_PATTERN='^\*[[:space:]]*hard[[:space:]]*core[[:space:]]*0$'
|
LIMIT_PATTERN='^\*[[:space:]]*hard[[:space:]]*core[[:space:]]*0$'
|
||||||
SYSCTL_PARAM='fs.suid_dumpable'
|
SYSCTL_PARAM='fs.suid_dumpable'
|
||||||
|
|||||||
@ -11,13 +11,34 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
PATTERN='NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:space:]]active'
|
PATTERN='NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:space:]]active'
|
||||||
|
|
||||||
|
# Check if the NX bit is supported and noexec=off hasn't been asked
|
||||||
|
nx_supported_and_enabled() {
|
||||||
|
if grep -q ' nx ' /proc/cpuinfo; then
|
||||||
|
# NX supported, but if noexec=off specified, it's not enabled
|
||||||
|
if grep -qi 'noexec=off' /proc/cmdline; then
|
||||||
|
FNRET=1 # supported but disabled
|
||||||
|
else
|
||||||
|
FNRET=0 # supported and enabled
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
FNRET=1 # not supported
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit () {
|
||||||
does_pattern_exist_in_dmesg $PATTERN
|
does_pattern_exist_in_dmesg $PATTERN
|
||||||
if [ $FNRET != 0 ]; then
|
if [ $FNRET != 0 ]; then
|
||||||
crit "$PATTERN is not present in dmesg"
|
nx_supported_and_enabled
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
|
||||||
|
else
|
||||||
|
ok "NX is supported and enabled"
|
||||||
|
fi
|
||||||
else
|
else
|
||||||
ok "$PATTERN is present in dmesg"
|
ok "$PATTERN is present in dmesg"
|
||||||
fi
|
fi
|
||||||
@ -27,7 +48,12 @@ audit () {
|
|||||||
apply () {
|
apply () {
|
||||||
does_pattern_exist_in_dmesg $PATTERN
|
does_pattern_exist_in_dmesg $PATTERN
|
||||||
if [ $FNRET != 0 ]; then
|
if [ $FNRET != 0 ]; then
|
||||||
crit "$PATTERN is not present in dmesg, please go to the bios to activate this option or change for CPU compatible"
|
nx_supported_and_enabled
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
|
||||||
|
else
|
||||||
|
ok "NX is supported and enabled"
|
||||||
|
fi
|
||||||
else
|
else
|
||||||
ok "$PATTERN is present in dmesg"
|
ok "$PATTERN is present in dmesg"
|
||||||
fi
|
fi
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
SYSCTL_PARAM='kernel.randomize_va_space'
|
SYSCTL_PARAM='kernel.randomize_va_space'
|
||||||
SYSCTL_EXP_RESULT=2
|
SYSCTL_EXP_RESULT=2
|
||||||
|
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
PACKAGE='prelink'
|
PACKAGE='prelink'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
PACKAGE='apparmor'
|
PACKAGE='apparmor'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
PACKAGE='nis'
|
PACKAGE='nis'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
# Based on aptitude search '~Prsh-server'
|
# Based on aptitude search '~Prsh-server'
|
||||||
PACKAGES='rsh-server rsh-redone-server heimdal-servers'
|
PACKAGES='rsh-server rsh-redone-server heimdal-servers'
|
||||||
FILE='/etc/inetd.conf'
|
FILE='/etc/inetd.conf'
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
# Based on aptitude search '~Prsh-client', exluding ssh-client OFC
|
# Based on aptitude search '~Prsh-client', exluding ssh-client OFC
|
||||||
PACKAGES='rsh-client rsh-redone-client heimdal-clients'
|
PACKAGES='rsh-client rsh-redone-client heimdal-clients'
|
||||||
|
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
PACKAGES='inetutils-talkd talkd'
|
PACKAGES='inetutils-talkd talkd'
|
||||||
FILE='/etc/inetd.conf'
|
FILE='/etc/inetd.conf'
|
||||||
PATTERN='^(talk|ntalk)'
|
PATTERN='^(talk|ntalk)'
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
PACKAGES='talk inetutils-talk'
|
PACKAGES='talk inetutils-talk'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
# Based on aptitude search '~Ptelnet-server'
|
# Based on aptitude search '~Ptelnet-server'
|
||||||
PACKAGES='telnetd inetutils-telnetd telnetd-ssl krb5-telnetd heimdal-servers'
|
PACKAGES='telnetd inetutils-telnetd telnetd-ssl krb5-telnetd heimdal-servers'
|
||||||
FILE='/etc/inetd.conf'
|
FILE='/etc/inetd.conf'
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
PACKAGES='tftpd tftpd-hpa atftpd'
|
PACKAGES='tftpd tftpd-hpa atftpd'
|
||||||
FILE='/etc/inetd.conf'
|
FILE='/etc/inetd.conf'
|
||||||
PATTERN='^tftp'
|
PATTERN='^tftp'
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
PACKAGES='openbsd-inetd xinetd rlinetd'
|
PACKAGES='openbsd-inetd xinetd rlinetd'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
FILE='/etc/inetd.conf'
|
FILE='/etc/inetd.conf'
|
||||||
PATTERN='^chargen'
|
PATTERN='^chargen'
|
||||||
|
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
FILE='/etc/inetd.conf'
|
FILE='/etc/inetd.conf'
|
||||||
PATTERN='^daytime'
|
PATTERN='^daytime'
|
||||||
|
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
FILE='/etc/inetd.conf'
|
FILE='/etc/inetd.conf'
|
||||||
PATTERN='^echo'
|
PATTERN='^echo'
|
||||||
|
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
FILE='/etc/inetd.conf'
|
FILE='/etc/inetd.conf'
|
||||||
PATTERN='^discard'
|
PATTERN='^discard'
|
||||||
|
|
||||||
|
|||||||
@ -11,6 +11,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
FILE='/etc/inetd.conf'
|
FILE='/etc/inetd.conf'
|
||||||
PATTERN='^time'
|
PATTERN='^time'
|
||||||
|
|
||||||
|
|||||||
@ -11,6 +11,9 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
HARDENING_EXCEPTION=http
|
||||||
|
|
||||||
# Based on aptitude search '~Phttpd'
|
# Based on aptitude search '~Phttpd'
|
||||||
PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd'
|
PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd'
|
||||||
|
|
||||||
|
|||||||
@ -11,6 +11,9 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
HARDENING_EXCEPTION=mail
|
||||||
|
|
||||||
# Based on aptitude search '~Pimap-server' and aptitude search '~Ppop3-server'
|
# Based on aptitude search '~Pimap-server' and aptitude search '~Ppop3-server'
|
||||||
PACKAGES='citadel-server courier-imap cyrus-imapd-2.4 dovecot-imapd mailutils-imap4d courier-pop cyrus-pop3d-2.4 dovecot-pop3d heimdal-servers mailutils-pop3d popa3d solid-pop3d xmail'
|
PACKAGES='citadel-server courier-imap cyrus-imapd-2.4 dovecot-imapd mailutils-imap4d courier-pop cyrus-pop3d-2.4 dovecot-pop3d heimdal-servers mailutils-pop3d popa3d solid-pop3d xmail'
|
||||||
|
|
||||||
|
|||||||
@ -11,6 +11,9 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
HARDENING_EXCEPTION=samba
|
||||||
|
|
||||||
PACKAGES='samba'
|
PACKAGES='samba'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
|||||||
@ -11,6 +11,9 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
HARDENING_EXCEPTION=http
|
||||||
|
|
||||||
PACKAGES='squid3 squid'
|
PACKAGES='squid3 squid'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
|||||||
@ -11,6 +11,9 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
HARDENING_EXCEPTION=snmp
|
||||||
|
|
||||||
PACKAGES='snmpd'
|
PACKAGES='snmpd'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
|||||||
@ -11,6 +11,9 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
HARDENING_EXCEPTION=mail
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit () {
|
||||||
info "Checking netport ports opened"
|
info "Checking netport ports opened"
|
||||||
|
|||||||
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user