add hardening templating and several enhancements

This commit is contained in:
Stéphane Lesimple 2017-05-18 18:40:09 +02:00 committed by Stéphane Lesimple
parent 78569b5583
commit dfaf4c2093
386 changed files with 701 additions and 449 deletions

View File

@ -2,6 +2,7 @@ Contributors of this project :
Developers :
Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
Stéphane Lesimple, OVH <stephane.lesimple@corp.ovh.com>
Debian package maintainers :
Kevin Tanguy, OVH <kevin.tanguy@corp.ovh.com>

View File

@ -20,11 +20,13 @@ AUDIT=0
APPLY=0
AUDIT_ALL=0
AUDIT_ALL_ENABLE_PASSED=0
ALLOW_SERVICE_LIST=0
SET_HARDENING_LEVEL=0
CIS_ROOT_DIR=''
usage() {
cat << EOF
$LONG_SCRIPT_NAME RUN_MODE, where RUN_MODE is one of:
$LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
--help -h
Show this help
@ -53,6 +55,35 @@ $LONG_SCRIPT_NAME RUN_MODE, where RUN_MODE is one of:
Don't run this if you have already customized the scripts enable/disable
configurations, obviously.
--set-hardening-level <level>
Modifies the configuration to enable/disable tests given an hardening level,
between 1 to 5. Don't run this if you have already customized the scripts
enable/disable configurations.
1: very basic policy, failure to pass tests at this level indicates severe
misconfiguration of the machine that can have a huge security impact
2: basic policy, some good practice rules that, once applied, shouldn't
break anything on most systems
3: best practices policy, passing all tests might need some configuration
modifications (such as specific partitioning, etc.)
4: high security policy, passing all tests might be time-consuming and
require high adaptation of your workflow
5: placebo, policy rules that might be very difficult to apply and maintain,
with questionable security benefits
--allow-service <service>
Use with --set-hardening-level.
Modifies the policy to allow a certain kind of services on the machine, such
as http, mail, etc. Can be specified multiple times to allow multiple services.
Use --allow-service-list to get a list of supported services.
OPTIONS:
--only <test_number>
Modifies the RUN_MODE to only work on the test_number script.
Can be specified multiple times to work only on several scripts.
The test number is the numbered prefix of the script,
i.e. the test number of 1.2_script_name.sh is 1.2.
EOF
exit 0
}
@ -61,6 +92,8 @@ if [ $# = 0 ]; then
usage
fi
declare -a TEST_LIST ALLOWED_SERVICES_LIST
# Arguments parsing
while [[ $# > 0 ]]; do
ARG="$1"
@ -77,6 +110,21 @@ while [[ $# > 0 ]]; do
--apply)
APPLY=1
;;
--allow-service-list)
ALLOW_SERVICE_LIST=1
;;
--allow-service)
ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
shift
;;
--set-hardening-level)
SET_HARDENING_LEVEL="$2"
shift
;;
--only)
TEST_LIST[${#TEST_LIST[@]}]="$2"
shift
;;
-h|--help)
usage
;;
@ -104,8 +152,51 @@ fi
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
# If --allow-service-list is specified, don't run anything, just list the supported services
if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then
declare -a HARDENING_EXCEPTIONS_LIST
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
template=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2)
[ -n "$template" ] && HARDENING_EXCEPTIONS_LIST[${#HARDENING_EXCEPTIONS_LIST[@]}]="$template"
done
echo "Supported services are: "$(echo "${HARDENING_EXCEPTIONS_LIST[@]}" | tr " " "\n" | sort -u | tr "\n" " ")
exit 0
fi
# If --set-hardening-level is specified, don't run anything, just apply config for each script
if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then
if ! grep -q "^[12345]$" <<< "$SET_HARDENING_LEVEL" ; then
echo "Bad --set-hardening-level specified ('$SET_HARDENING_LEVEL'), expected 1 to 5"
exit 1
fi
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
SCRIPT_BASENAME=$(basename $SCRIPT .sh)
script_level=$(grep "^HARDENING_LEVEL=" "$SCRIPT" | cut -d= -f2)
if [ -z "$script_level" ] ; then
echo "The script $SCRIPT_BASENAME doesn't have a hardening level, configuration untouched for it"
continue
fi
wantedstatus=disabled
[ "$script_level" -le "$SET_HARDENING_LEVEL" ] && wantedstatus=enabled
sed -i -re "s/^status=.+/status=$wantedstatus/" $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
done
echo "Configuration modified to enable scripts for hardening level at or below $SET_HARDENING_LEVEL"
exit 0
fi
# Parse every scripts and execute them in the required mode
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
if [ ${#TEST_LIST[@]} -gt 0 ] ; then
# --only X has been specified at least once, is this script in my list ?
SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<< "$(basename $SCRIPT)")
SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<< "$SCRIPT_PREFIX")
if ! grep -qEw "$SCRIPT_PREFIX_RE" <<< "${TEST_LIST[@]}"; then
# not in the list
continue
fi
fi
info "Treating $SCRIPT"
if [ $AUDIT = 1 ]; then

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if apt needs an update"

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
PACKAGE='login'
OPTIONS='PASS_MAX_DAYS=90'
FILE='/etc/login.defs'

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
PACKAGE='login'
OPTIONS='PASS_MIN_DAYS=7'
FILE='/etc/login.defs'

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
PACKAGE='login'
OPTIONS='PASS_WARN_AGE=7'
FILE='/etc/login.defs'

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
SHELL='/bin/false'
FILE='/etc/passwd'
RESULT=''
@ -70,6 +72,15 @@ apply () {
fi
}
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=disabled
# Put here your exceptions concerning admin accounts shells separated by spaces
EXCEPTIONS=""
EOF
}
# This function will check config parameters required
check_config() {
if [ -z "$EXCEPTIONS" ]; then

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
USER='root'
EXPECTED_GID='0'

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
USER='root'
PATTERN='umask 077'
FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d/* /etc/profile'

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Looking at the manual of useradd, it seems that this recommendation does not fill the title"

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
PERMISSIONS='644'
USER='root'
GROUP='root'

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
FILES='/etc/motd /etc/issue /etc/issue.net'
PATTERN='(\\v|\\r|\\m|\\s)'

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Not implemented yet"

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if there are suid files"
@ -35,6 +37,15 @@ apply () {
info "Removing suid on valid binary may seriously harm your system, report only here"
}
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=disabled
# Put Here your valid suid binaries so that they do not appear during the audit
EXCEPTIONS="/bin/mount /bin/ping /bin/ping6 /bin/su /bin/umount /usr/bin/chfn /usr/bin/chsh /usr/bin/fping /usr/bin/fping6 /usr/bin/gpasswd /usr/bin/mtr /usr/bin/newgrp /usr/bin/passwd /usr/bin/sudo /usr/bin/sudoedit /usr/lib/openssh/ssh-keysign /usr/lib/pt_chown /usr/bin/at"
EOF
}
# This function will check config parameters required
check_config() {
# No param for this function

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if there are sgid files"
@ -35,6 +37,15 @@ apply () {
info "Removing sgid on valid binary may seriously harm your system, report only here"
}
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=disabled
# Put here valid binaries with sgid enabled separated by spaces
EXCEPTIONS="/sbin/unix_chkpwd /usr/bin/bsd-write /usr/bin/chage /usr/bin/crontab /usr/bin/expiry /usr/bin/mutt_dotlock /usr/bin/screen /usr/bin/ssh-agent /usr/bin/wall /usr/sbin/postdrop /usr/sbin/postqueue /usr/bin/at /usr/bin/dotlockfile /usr/bin/mail-lock /usr/bin/mail-touchlock /usr/bin/mail-unlock"
EOF
}
# This function will check config parameters required
check_config() {
if [ -z "$EXCEPTIONS" ]; then

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/passwd'
PERMISSIONS='644'

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/shadow'
PERMISSIONS='640'

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/group'
PERMISSIONS='644'

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/passwd'
USER='root'
GROUP='root'

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/shadow'
USER='root'
GROUP='shadow'

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/group'
USER='root'
GROUP='root'

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if there are world writable files"

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
USER='root'
# This function will be called if the script status is on enabled / audit mode

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
GROUP='root'
# This function will be called if the script status is on enabled / audit mode

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
ERRORS=0
FILENAME=".rhosts"

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
ERRORS=0
# This function will be called if the script status is on enabled / audit mode

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
ERRORS=0
# This function will be called if the script status is on enabled / audit mode

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
ERRORS=0
# This function will be called if the script status is on enabled / audit mode

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
ERRORS=0
# This function will be called if the script status is on enabled / audit mode

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
ERRORS=0
# This function will be called if the script status is on enabled / audit mode

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
ERRORS=0
# This function will be called if the script status is on enabled / audit mode

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
ERRORS=0
# This function will be called if the script status is on enabled / audit mode

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
ERRORS=0
FILENAME='.netrc'

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
ERRORS=0
FILENAME='.forward'

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/shadow'
# This function will be called if the script status is on enabled / audit mode

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
ERRORS=0
FILEGROUP='/etc/group'
PATTERN='^shadow:x:[[:digit:]]+:'

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/passwd'
RESULT=''

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/shadow'
RESULT=''

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/group'
RESULT=''

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
FILE='/etc/passwd'
RESULT=''
@ -33,7 +35,7 @@ audit () {
crit "Some accounts have uid 0"
crit $RESULT
else
ok "No account with uid 0 apart root"
ok "No account with uid 0 appart from root and potential configured exceptions"
fi
}
@ -42,6 +44,15 @@ apply () {
info "Removing accounts with uid 0 may seriously harm your system, report only here"
}
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=disabled
# Put here valid accounts with uid 0 separated by spaces
EXCEPTIONS=""
EOF
}
# This function will check config parameters required
check_config() {
if [ -z "$EXCEPTIONS" ]; then

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
ERRORS=0
# This function will be called if the script status is on enabled / audit mode

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
ERRORS=0
# This function will be called if the script status is on enabled / audit mode
@ -86,6 +88,15 @@ apply () {
done
}
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=disabled
# Put here user home directories exceptions, separated by spaces
EXCEPTIONS=""
EOF
}
# This function will check config parameters required
check_config() {
if [ -z "$EXCEPTIONS" ]; then

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
ERRORS=0
# This function will be called if the script status is on enabled / audit mode

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
PERMISSIONS="600"
ERRORS=0

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Quick factoring as many script use the same logic
PARTITION="/home"
OPTION="nodev"

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
# Quick factoring as many script use the same logic

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
# Quick factoring as many script use the same logic

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
# Quick factoring as many script use the same logic

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Quick factoring as many script use the same logic
PARTITION="/run/shm"
OPTION="nodev"

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Quick factoring as many script use the same logic
PARTITION="/run/shm"
OPTION="nosuid"

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
# Quick factoring as many script use the same logic
PARTITION="/run/shm"
OPTION="noexec"

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if setuid is set on world writable Directories"

View File

@ -11,13 +11,15 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
KERNEL_OPTION="cramfs"
HARDENING_LEVEL=2
KERNEL_OPTION="CONFIG_CRAMFS"
MODULE_NAME="cramfs"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
else

View File

@ -11,13 +11,15 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
KERNEL_OPTION="freevxfs"
HARDENING_LEVEL=2
KERNEL_OPTION="CONFIG_VXFS_FS"
MODULE_NAME="freevxfs"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
else

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
# Quick factoring as many script use the same logic
PARTITION="/tmp"

View File

@ -11,13 +11,15 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
KERNEL_OPTION="jffs2"
HARDENING_LEVEL=2
KERNEL_OPTION="CONFIG_JFFS2_FS"
MODULE_NAME="jffs2"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
else

View File

@ -11,13 +11,15 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
KERNEL_OPTION="hfs"
HARDENING_LEVEL=2
KERNEL_OPTION="CONFIG_HFS_FS"
MODULE_FILE="hfs"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
else

View File

@ -11,13 +11,15 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
KERNEL_OPTION="hfsplus"
HARDENING_LEVEL=2
KERNEL_OPTION="CONFIG_HFSPLUS_FS"
MODULE_FILE="hfsplus"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
else

View File

@ -11,13 +11,15 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
KERNEL_OPTION="squashfs"
HARDENING_LEVEL=2
KERNEL_OPTION="CONFIG_SQUASHFS"
MODULE_FILE="squashfs"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
else

View File

@ -11,13 +11,15 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
KERNEL_OPTION="udf"
HARDENING_LEVEL=2
KERNEL_OPTION="CONFIG_UDF_FS"
MODULE_FILE="udf"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
else

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
SERVICE_NAME="autofs"
# This function will be called if the script status is on enabled / audit mode

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Quick factoring as many script use the same logic
PARTITION="/tmp"
OPTION="nodev"

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Quick factoring as many script use the same logic
PARTITION="/tmp"
OPTION="nosuid"

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
# Quick factoring as many script use the same logic
PARTITION="/tmp"
OPTION="noexec"

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
# Quick factoring as many script use the same logic
PARTITION="/var"

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
# Quick factoring as many script use the same logic
PARTITION="/var/tmp"

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Quick factoring as many script use the same logic
PARTITION="/var/tmp"
OPTION="nodev"

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Quick factoring as many script use the same logic
PARTITION="/var/tmp"
OPTION="nosuid"

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
# Quick factoring as many script use the same logic
PARTITION="/var/tmp"
OPTION="noexec"

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
# Quick factoring as many script use the same logic
PARTITION="/var/log"

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=4
# Quick factoring as many script use the same logic
PARTITION="/var/log/audit"

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
# Quick factoring as many script use the same logic
PARTITION="/home"

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
# Assertion : Grub Based.
FILE='/boot/grub/grub.cfg'

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
# Assertion : Grub Based.
FILE='/boot/grub/grub.cfg'

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
FILE='/boot/grub/grub.cfg'
USER_PATTERN="^set superusers"
PWD_PATTERN="^password_pbkdf2"

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
FILE="/etc/shadow"
PATTERN="^root:[*\!]:"

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
LIMIT_FILE='/etc/security/limits.conf'
LIMIT_PATTERN='^\*[[:space:]]*hard[[:space:]]*core[[:space:]]*0$'
SYSCTL_PARAM='fs.suid_dumpable'

View File

@ -11,13 +11,34 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
PATTERN='NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:space:]]active'
# Check if the NX bit is supported and noexec=off hasn't been asked
nx_supported_and_enabled() {
if grep -q ' nx ' /proc/cpuinfo; then
# NX supported, but if noexec=off specified, it's not enabled
if grep -qi 'noexec=off' /proc/cmdline; then
FNRET=1 # supported but disabled
else
FNRET=0 # supported and enabled
fi
else
FNRET=1 # not supported
fi
}
# This function will be called if the script status is on enabled / audit mode
audit () {
does_pattern_exist_in_dmesg $PATTERN
if [ $FNRET != 0 ]; then
crit "$PATTERN is not present in dmesg"
nx_supported_and_enabled
if [ $FNRET != 0 ]; then
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
else
ok "NX is supported and enabled"
fi
else
ok "$PATTERN is present in dmesg"
fi
@ -27,7 +48,12 @@ audit () {
apply () {
does_pattern_exist_in_dmesg $PATTERN
if [ $FNRET != 0 ]; then
crit "$PATTERN is not present in dmesg, please go to the bios to activate this option or change for CPU compatible"
nx_supported_and_enabled
if [ $FNRET != 0 ]; then
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
else
ok "NX is supported and enabled"
fi
else
ok "$PATTERN is present in dmesg"
fi

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
SYSCTL_PARAM='kernel.randomize_va_space'
SYSCTL_EXP_RESULT=2

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
PACKAGE='prelink'
# This function will be called if the script status is on enabled / audit mode

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
PACKAGE='apparmor'
# This function will be called if the script status is on enabled / audit mode

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
PACKAGE='nis'
# This function will be called if the script status is on enabled / audit mode

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Based on aptitude search '~Prsh-server'
PACKAGES='rsh-server rsh-redone-server heimdal-servers'
FILE='/etc/inetd.conf'

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Based on aptitude search '~Prsh-client', exluding ssh-client OFC
PACKAGES='rsh-client rsh-redone-client heimdal-clients'

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
PACKAGES='inetutils-talkd talkd'
FILE='/etc/inetd.conf'
PATTERN='^(talk|ntalk)'

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
PACKAGES='talk inetutils-talk'
# This function will be called if the script status is on enabled / audit mode

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Based on aptitude search '~Ptelnet-server'
PACKAGES='telnetd inetutils-telnetd telnetd-ssl krb5-telnetd heimdal-servers'
FILE='/etc/inetd.conf'

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
PACKAGES='tftpd tftpd-hpa atftpd'
FILE='/etc/inetd.conf'
PATTERN='^tftp'

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
PACKAGES='openbsd-inetd xinetd rlinetd'
# This function will be called if the script status is on enabled / audit mode

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
FILE='/etc/inetd.conf'
PATTERN='^chargen'

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
FILE='/etc/inetd.conf'
PATTERN='^daytime'

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
FILE='/etc/inetd.conf'
PATTERN='^echo'

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
FILE='/etc/inetd.conf'
PATTERN='^discard'

View File

@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
FILE='/etc/inetd.conf'
PATTERN='^time'

View File

@ -11,6 +11,9 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
HARDENING_EXCEPTION=http
# Based on aptitude search '~Phttpd'
PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd'

View File

@ -11,6 +11,9 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
HARDENING_EXCEPTION=mail
# Based on aptitude search '~Pimap-server' and aptitude search '~Ppop3-server'
PACKAGES='citadel-server courier-imap cyrus-imapd-2.4 dovecot-imapd mailutils-imap4d courier-pop cyrus-pop3d-2.4 dovecot-pop3d heimdal-servers mailutils-pop3d popa3d solid-pop3d xmail'

View File

@ -11,6 +11,9 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
HARDENING_EXCEPTION=samba
PACKAGES='samba'
# This function will be called if the script status is on enabled / audit mode

View File

@ -11,6 +11,9 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
HARDENING_EXCEPTION=http
PACKAGES='squid3 squid'
# This function will be called if the script status is on enabled / audit mode

View File

@ -11,6 +11,9 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
HARDENING_EXCEPTION=snmp
PACKAGES='snmpd'
# This function will be called if the script status is on enabled / audit mode

View File

@ -11,6 +11,9 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
HARDENING_EXCEPTION=mail
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking netport ports opened"

Some files were not shown because too many files have changed in this diff Show More