diff --git a/bin/hardening/2.2.1.1_use_time_sync.sh b/bin/hardening/2.2.1.1_use_time_sync.sh
new file mode 100755
index 0000000..9c29af7
--- /dev/null
+++ b/bin/hardening/2.2.1.1_use_time_sync.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+#
+# CIS Debian Hardening
+#
+
+#
+# 2.2.1.1 Ensure time synchronization is in use (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+DESCRIPTION="Ensure time synchronization is in use"
+
+PACKAGES="ntp chrony"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ FOUND=false
+ for PACKAGE in $PACKAGES; do
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ ok "Time synchronization is available through $PACKAGE"
+ FOUND=true
+ fi
+ done
+ if [ "$FOUND" = false ]; then
+ crit "None of the following time sync packages are installed: $PACKAGES"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ :
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r "$CIS_ROOT_DIR"/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
+
diff --git a/bin/hardening/6.5_configure_ntp.sh b/bin/hardening/2.2.1.2_configure_ntp.sh
similarity index 98%
rename from bin/hardening/6.5_configure_ntp.sh
rename to bin/hardening/2.2.1.2_configure_ntp.sh
index b1e58fc..4932b6d 100755
--- a/bin/hardening/6.5_configure_ntp.sh
+++ b/bin/hardening/2.2.1.2_configure_ntp.sh
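Review bot: The last line of the new file, `[ -r "$CIS_ROOT_DIR"/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh`, lets a missing or unreadable main.sh pass silently: the failing test is not the final command of the `&&` list, so `set -e` does not fire and the script exits 0 without having audited anything, which a caller would read as compliant. The sibling 2.2.1.3 script in this commit guards the same spot with `if … else … exit 128`; the same can be done here in two lines, `[ -r "$CIS_ROOT_DIR"/lib/main.sh ] || { echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" >&2; exit 128; }` followed by `. "$CIS_ROOT_DIR"/lib/main.sh`. Separately, audit() only asks is_pkg_installed for each of `ntp chrony`, so an installed-but-disabled daemon satisfies "in use"; a comment such as `# Package presence is taken as proof of use; the service state is not checked here` would make that scope explicit to whoever relies on the result.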
@@ -5,7 +5,7 @@ # # -# 6.5 Configure Network Time Protocol (NTP) (Scored) +# 2.2.1.2 Ensure ntp is configured (Scored) # set -e # One error, it's over diff --git a/bin/hardening/2.2.1.3_configure_chrony.sh b/bin/hardening/2.2.1.3_configure_chrony.sh new file mode 100755 index 0000000..1ba8114 --- /dev/null +++ b/bin/hardening/2.2.1.3_configure_chrony.sh 
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+#
+# CIS Debian Hardening
+#
+
+#
+# 2.2.1.3 Ensure chrony is configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters and ntp daemon runs ad unprivileged user."
+HARDENING_EXCEPTION=ntp
+
+PACKAGE=chrony
+CONF_DEFAULT_PATTERN='^(server|pool)'
+CONF_FILE='/etc/chrony/chrony.conf'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET != 0 ]; then
+ crit "$PACKAGE is not installed!"
+ else
+ ok "$PACKAGE is installed, checking configuration"
+ does_pattern_exist_in_file $CONF_FILE $CONF_DEFAULT_PATTERN
+ if [ $FNRET != 0 ]; then
+ crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE"
+ else
+ ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE"
+ fi
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ :
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+ . $CIS_ROOT_DIR/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/6.10_disable_http_server.sh b/bin/hardening/2.2.10_disable_http_server.sh
similarity index 96%
rename from bin/hardening/6.10_disable_http_server.sh
rename to bin/hardening/2.2.10_disable_http_server.sh
index e3608b5..db02370 100755
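Review bot: `DESCRIPTION` and `HARDENING_EXCEPTION` in the new chrony script are carried over from the ntp script and do not describe this check: the text promises restrict-parameter and unprivileged-user checks, while audit() only verifies that a line matching `^(server|pool)` exists in /etc/chrony/chrony.conf, and `HARDENING_EXCEPTION=ntp` files a chrony finding under the ntp exception. Suggest `DESCRIPTION="Ensure chrony is configured with at least one server or pool directive"` and, if the exception keyword is meant to be per service, `HARDENING_EXCEPTION=chrony`. If an unprivileged-user check is wanted for chrony as well, it has to be implemented rather than only described, and the arguments to does_pattern_exist_in_file should be quoted (`"$CONF_FILE" "$CONF_DEFAULT_PATTERN"`) for consistency with the rest of the script. Note also that tests/hardening/2.2.1.3_configure_chrony.sh arrives in this commit as a 100%-similarity rename of tests/hardening/6.11_disable_imap_pop.sh, so presumably nothing exercises this audit yet.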
--- a/bin/hardening/6.10_disable_http_server.sh +++ b/bin/hardening/2.2.10_disable_http_server.sh @@ -5,7 +5,7 @@ # # -# 6.10 Ensure HTTP Server is not enabled (Not Scored) +# 2.2.10 Ensure HTTP Server is not enabled (Scored) # set -e # One error, it's over diff --git a/bin/hardening/6.11_disable_imap_pop.sh b/bin/hardening/2.2.11_disable_imap_pop.sh similarity index 93% rename from bin/hardening/6.11_disable_imap_pop.sh rename to bin/hardening/2.2.11_disable_imap_pop.sh index e0e6142..228757e 100755 --- a/bin/hardening/6.11_disable_imap_pop.sh +++ b/bin/hardening/2.2.11_disable_imap_pop.sh @@ -5,14 +5,14 @@ # # -# 6.11 Ensure IMAP and POP server is not enabled (Not Scored) +# 2.2.11 Ensure IMAP and POP server is not installed (Scored) # set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=3 -DESCRIPTION="Ensure IMAP and POP servers are not enabled." +DESCRIPTION="Ensure IMAP and POP servers are not installed" HARDENING_EXCEPTION=mail # Based on aptitude search '~Pimap-server' and aptitude search '~Ppop3-server' diff --git a/bin/hardening/6.12_disable_samba.sh b/bin/hardening/2.2.12_disable_samba.sh similarity index 95% rename from bin/hardening/6.12_disable_samba.sh rename to bin/hardening/2.2.12_disable_samba.sh index 7da7ce5..2a5dd31 100755 --- a/bin/hardening/6.12_disable_samba.sh +++ b/bin/hardening/2.2.12_disable_samba.sh @@ -5,7 +5,7 @@ # # -# 6.12 Ensure Samba is not enabled (Not Scored) +# 2.2.12 Ensure Samba is not enabled (Scored) # set -e # One error, it's over @@ -15,7 +15,7 @@ HARDENING_LEVEL=3 DESCRIPTION="Ensure Samba is not enabled." HARDENING_EXCEPTION=samba -PACKAGES='samba' +PACKAGES='samba smbd' # This function will be called if the script status is on enabled / audit mode audit () { 
diff --git a/bin/hardening/6.13_disable_http_proxy.sh b/bin/hardening/2.2.13_disable_http_proxy.sh similarity index 96% rename from bin/hardening/6.13_disable_http_proxy.sh rename to bin/hardening/2.2.13_disable_http_proxy.sh index 0830667..860be40 100755 --- a/bin/hardening/6.13_disable_http_proxy.sh +++ b/bin/hardening/2.2.13_disable_http_proxy.sh @@ -5,7 +5,7 @@ # # -# 6.13 Ensure HTTP Proxy Server is not enabled (Not Scored) +# 2.2.13 Ensure HTTP Proxy Server is not enabled (Scored) # set -e # One error, it's over diff --git a/bin/hardening/6.14_disable_snmp_server.sh b/bin/hardening/2.2.14_disable_snmp_server.sh similarity index 96% rename from bin/hardening/6.14_disable_snmp_server.sh rename to bin/hardening/2.2.14_disable_snmp_server.sh index c1897d4..890e1b2 100755 --- a/bin/hardening/6.14_disable_snmp_server.sh +++ b/bin/hardening/2.2.14_disable_snmp_server.sh @@ -5,7 +5,7 @@ # # -# 6.14 Ensure SNMP Server is not enabled (Not Scored) +# 2.2.14 Ensure SNMP Server is not enabled (Scored) # set -e # One error, it's over diff --git a/bin/hardening/6.15_mta_localhost.sh b/bin/hardening/2.2.15_mta_localhost.sh similarity index 96% rename from bin/hardening/6.15_mta_localhost.sh rename to bin/hardening/2.2.15_mta_localhost.sh index 8bda839..b03d49b 100755 --- a/bin/hardening/6.15_mta_localhost.sh +++ b/bin/hardening/2.2.15_mta_localhost.sh @@ -5,7 +5,7 @@ # # -# 6.15 Configure Mail Transfer Agent for Local-Only Mode (Scored) +# 2.2.15 Ensure Mail Transfer Agent is configured for Local-Only Mode (Scored) # set -e # One error, it's over diff --git a/bin/hardening/6.16_disable_rsync.sh b/bin/hardening/2.2.16_disable_rsync.sh similarity index 97% rename from bin/hardening/6.16_disable_rsync.sh rename to bin/hardening/2.2.16_disable_rsync.sh index 9c1852d..1df5884 100755 --- a/bin/hardening/6.16_disable_rsync.sh +++ b/bin/hardening/2.2.16_disable_rsync.sh 
@@ -5,7 +5,7 @@ # # -# 6.16 Ensure rsync service is not enabled (Scored) +# 2.2.16 Ensure rsync service is not enabled (Scored) # set -e # One error, it's over diff --git a/bin/hardening/6.1_disable_xwindow_system.sh b/bin/hardening/2.2.2_disable_xwindow_system.sh similarity index 96% rename from bin/hardening/6.1_disable_xwindow_system.sh rename to bin/hardening/2.2.2_disable_xwindow_system.sh index d1fd5d2..8f18efd 100755 --- a/bin/hardening/6.1_disable_xwindow_system.sh +++ b/bin/hardening/2.2.2_disable_xwindow_system.sh @@ -5,7 +5,7 @@ # # -# 6.1 Ensure the X Window system is not installed (Scored) +# 2.2.2 Ensure the X Window system is not installed (Scored) # set -e # One error, it's over diff --git a/bin/hardening/6.2_disable_avahi_server.sh b/bin/hardening/2.2.3_disable_avahi_server.sh similarity index 96% rename from bin/hardening/6.2_disable_avahi_server.sh rename to bin/hardening/2.2.3_disable_avahi_server.sh index b7ce290..f2d6c96 100755 --- a/bin/hardening/6.2_disable_avahi_server.sh +++ b/bin/hardening/2.2.3_disable_avahi_server.sh @@ -5,7 +5,7 @@ # # -# 6.2 Ensure Avahi Server is not enabled (Scored) +# 2.2.3 Ensure Avahi Server is not enabled (Scored) # set -e # One error, it's over diff --git a/bin/hardening/6.4_disable_dhcp.sh b/bin/hardening/2.2.5_disable_dhcp.sh similarity index 97% rename from bin/hardening/6.4_disable_dhcp.sh rename to bin/hardening/2.2.5_disable_dhcp.sh index c9284b6..ec3a8d9 100755 --- a/bin/hardening/6.4_disable_dhcp.sh +++ b/bin/hardening/2.2.5_disable_dhcp.sh @@ -5,7 +5,7 @@ # # -# 6.4 Ensure DHCP Server is not enabled (Scored) +# 2.2.5 Ensure DHCP Server is not enabled (Scored) # set -e # One error, it's over diff --git a/bin/hardening/6.6_disable_ldap.sh b/bin/hardening/2.2.6_disable_ldap.sh similarity index 96% rename from bin/hardening/6.6_disable_ldap.sh rename to bin/hardening/2.2.6_disable_ldap.sh index 3efcd25..0aa58b0 100755 --- a/bin/hardening/6.6_disable_ldap.sh +++ b/bin/hardening/2.2.6_disable_ldap.sh 
@@ -5,7 +5,7 @@ # # -# 6.6 Ensure LDAP is not enabled (Not Scored) +# 2.2.6 Ensure LDAP server is not enabled (Scored) # set -e # One error, it's over diff --git a/bin/hardening/6.7_disable_nfs_rpc.sh b/bin/hardening/2.2.7_disable_nfs_rpc.sh similarity index 96% rename from bin/hardening/6.7_disable_nfs_rpc.sh rename to bin/hardening/2.2.7_disable_nfs_rpc.sh index b345fd2..d023eb7 100755 --- a/bin/hardening/6.7_disable_nfs_rpc.sh +++ b/bin/hardening/2.2.7_disable_nfs_rpc.sh @@ -5,7 +5,7 @@ # # -# 6.7 Ensure NFS and RPC are not enabled (Not Scored) +# 2.2.7 Ensure NFS and RPC are not enabled (Scored) # set -e # One error, it's over diff --git a/bin/hardening/6.8_disable_dns_server.sh b/bin/hardening/2.2.8_disable_dns_server.sh similarity index 96% rename from bin/hardening/6.8_disable_dns_server.sh rename to bin/hardening/2.2.8_disable_dns_server.sh index 5069406..c7ddfe0 100755 --- a/bin/hardening/6.8_disable_dns_server.sh +++ b/bin/hardening/2.2.8_disable_dns_server.sh @@ -5,7 +5,7 @@ # # -# 6.8 Ensure DNS Server is not enabled (Not Scored) +# 2.2.8 Ensure DNS Server is not enabled (Scored) # set -e # One error, it's over diff --git a/bin/hardening/6.9_disable_ftp.sh b/bin/hardening/2.2.9_disable_ftp.sh similarity index 97% rename from bin/hardening/6.9_disable_ftp.sh rename to bin/hardening/2.2.9_disable_ftp.sh index 53509bb..5209d91 100755 --- a/bin/hardening/6.9_disable_ftp.sh +++ b/bin/hardening/2.2.9_disable_ftp.sh @@ -5,7 +5,7 @@ # # -# 6.9 Ensure FTP Server is not enabled (Not Scored) +# 2.2.9 Ensure FTP Server is not enabled (Scored) # set -e # One error, it's over diff --git a/bin/hardening/6.3_disable_print_server.sh b/bin/hardening/6.3_disable_print_server.sh deleted file mode 100755 index 713eeb2..0000000 --- a/bin/hardening/6.3_disable_print_server.sh +++ /dev/null 
@@ -1,67 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian Hardening
-#
-
-#
-# 6.3 Ensure print server is not enabled (Not Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=3
-DESCRIPTION="Ensure print server (Common Unix Print System) is not enabled."
-HARDENING_EXCEPTION=cups
-
-PACKAGES='libcups2 libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1 cups-common cups-client cups-ppdc libcupsfilters1 cups-filters cups'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
- for PACKAGE in $PACKAGES; do
- is_pkg_installed $PACKAGE
- if [ $FNRET = 0 ]; then
- crit "$PACKAGE is installed!"
- else
- ok "$PACKAGE is absent"
- fi
- done
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
- for PACKAGE in $PACKAGES; do
- is_pkg_installed $PACKAGE
- if [ $FNRET = 0 ]; then
- crit "$PACKAGE is installed, purging it"
- apt-get purge $PACKAGE -y
- apt-get autoremove
- else
- ok "$PACKAGE is absent"
- fi
- done
-}
-
-# This function will check config parameters required
-check_config() {
- :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
- . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
- exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
- . $CIS_ROOT_DIR/lib/main.sh
-else
- echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
- exit 128
-fi
diff --git a/tests/hardening/2.2.1.1_use_time_sync.sh b/tests/hardening/2.2.1.1_use_time_sync.sh
new file mode 100644
index 0000000..4526501
--- /dev/null
+++ b/tests/hardening/2.2.1.1_use_time_sync.sh
@@ -0,0 +1,20 @@
+# run-shellcheck
+test_audit() {
+ # Make all variable local to the function by using `local`
+
+ describe Running on blank host
+ register_test retvalshouldbe 1
+ register_test contain "None of the following time sync packages are installed"
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ describe Correcting situation
+ apt update
+ apt install -y ntp
+
+ # Finally assess that your corrective actions end up with a compliant system
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ register_test contain "Time synchronization is available through"
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+}
+
diff --git a/tests/hardening/6.10_disable_http_server.sh b/tests/hardening/2.2.1.2_configure_ntp.sh
similarity index 100%
rename from tests/hardening/6.10_disable_http_server.sh
rename to tests/hardening/2.2.1.2_configure_ntp.sh
diff --git a/tests/hardening/6.11_disable_imap_pop.sh b/tests/hardening/2.2.1.3_configure_chrony.sh
similarity index 100%
rename from tests/hardening/6.11_disable_imap_pop.sh
rename to tests/hardening/2.2.1.3_configure_chrony.sh
diff --git a/tests/hardening/6.12_disable_samba.sh b/tests/hardening/2.2.10_disable_http_server.sh
similarity index 100%
rename from tests/hardening/6.12_disable_samba.sh
rename to tests/hardening/2.2.10_disable_http_server.sh
diff --git a/tests/hardening/6.13_disable_http_proxy.sh b/tests/hardening/2.2.11_disable_imap_pop.sh
similarity index 100%
rename from tests/hardening/6.13_disable_http_proxy.sh
rename to tests/hardening/2.2.11_disable_imap_pop.sh
diff --git a/tests/hardening/6.14_disable_snmp_server.sh b/tests/hardening/2.2.12_disable_samba.sh
similarity index 100%
rename from tests/hardening/6.14_disable_snmp_server.sh
rename to tests/hardening/2.2.12_disable_samba.sh
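Review bot: The "Correcting situation" step installs only ntp, so the chrony entry of the script's `PACKAGES` list and the resolved state of a chrony-only host are never exercised, and a regression in that branch would not be caught by this test. Either a second resolved run after `apt install -y chrony` with ntp removed, or a comment making the gap explicit, e.g. `# Only the ntp branch is exercised here; chrony-only hosts are not covered`, would keep the coverage honest. The leading `# Make all variable local to the function by using \`local\`` line is template text with no variables to apply to and can be dropped.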
diff --git a/tests/hardening/6.15_mta_localhost.sh b/tests/hardening/2.2.13_disable_http_proxy.sh
similarity index 100%
rename from tests/hardening/6.15_mta_localhost.sh
rename to tests/hardening/2.2.13_disable_http_proxy.sh
diff --git a/tests/hardening/6.16_disable_rsync.sh b/tests/hardening/2.2.14_disable_snmp_server.sh
similarity index 100%
rename from tests/hardening/6.16_disable_rsync.sh
rename to tests/hardening/2.2.14_disable_snmp_server.sh
diff --git a/tests/hardening/6.1_disable_xwindow_system.sh b/tests/hardening/2.2.15_mta_localhost.sh
similarity index 100%
rename from tests/hardening/6.1_disable_xwindow_system.sh
rename to tests/hardening/2.2.15_mta_localhost.sh
diff --git a/tests/hardening/6.2_disable_avahi_server.sh b/tests/hardening/2.2.16_disable_rsync.sh
similarity index 100%
rename from tests/hardening/6.2_disable_avahi_server.sh
rename to tests/hardening/2.2.16_disable_rsync.sh
diff --git a/tests/hardening/6.3_disable_print_server.sh b/tests/hardening/2.2.2_disable_xwindow_system.sh
similarity index 100%
rename from tests/hardening/6.3_disable_print_server.sh
rename to tests/hardening/2.2.2_disable_xwindow_system.sh
diff --git a/tests/hardening/6.4_disable_dhcp.sh b/tests/hardening/2.2.3_disable_avahi_server.sh
similarity index 100%
rename from tests/hardening/6.4_disable_dhcp.sh
rename to tests/hardening/2.2.3_disable_avahi_server.sh
diff --git a/tests/hardening/6.5_configure_ntp.sh b/tests/hardening/2.2.5_disable_dhcp.sh
similarity index 100%
rename from tests/hardening/6.5_configure_ntp.sh
rename to tests/hardening/2.2.5_disable_dhcp.sh
diff --git a/tests/hardening/6.6_disable_ldap.sh b/tests/hardening/2.2.6_disable_ldap.sh
similarity index 100%
rename from tests/hardening/6.6_disable_ldap.sh
rename to tests/hardening/2.2.6_disable_ldap.sh
diff --git a/tests/hardening/6.7_disable_nfs_rpc.sh b/tests/hardening/2.2.7_disable_nfs_rpc.sh
similarity index 100%
rename from tests/hardening/6.7_disable_nfs_rpc.sh
rename to tests/hardening/2.2.7_disable_nfs_rpc.sh
diff --git a/tests/hardening/6.8_disable_dns_server.sh b/tests/hardening/2.2.8_disable_dns_server.sh
similarity index 100%
rename from tests/hardening/6.8_disable_dns_server.sh
rename to tests/hardening/2.2.8_disable_dns_server.sh
diff --git a/tests/hardening/6.9_disable_ftp.sh b/tests/hardening/2.2.9_disable_ftp.sh
similarity index 100%
rename from tests/hardening/6.9_disable_ftp.sh
rename to tests/hardening/2.2.9_disable_ftp.sh