From ea6361ddb514474756ee0d6a0c3d4aaa76b6b21a Mon Sep 17 00:00:00 2001
From: "thibault.dewailly"
Date: Thu, 14 Apr 2016 10:40:31 +0200
Subject: [PATCH] 8.0_enable_auditd_kernel.sh 8.1.1.2_halt_when_audit_log_full.sh 8.1.2_enable_auditd.sh
---
 bin/hardening/2.25_disable_automounting.sh | 2 +-
 bin/hardening/7.5.3_disable_rds.sh | 2 +-
 bin/hardening/7.5.4_disable_tipc.sh | 2 +-
 bin/hardening/7.7_enable_firewall.sh | 2 +-
 bin/hardening/8.0_enable_auditd_kernel.sh | 59 +++++++++++++
 bin/hardening/8.1.1.1_audit_log_storage.sh | 2 +-
 .../8.1.1.2_halt_when_audit_log_full.sh | 88 +++++++++++++++++++
 ...stall_auditd.sh => 8.1.2_enable_auditd.sh} | 21 ++++-
 ...uditd.cfg => 8.0_enable_auditd_kernel.cfg} | 0
 .../8.1.1.2_halt_when_audit_log_full.cfg | 2 +
 etc/conf.d/8.1.2_enable_auditd.cfg | 2 +
 11 files changed, 173 insertions(+), 9 deletions(-)
 create mode 100755 bin/hardening/8.0_enable_auditd_kernel.sh
 create mode 100755 bin/hardening/8.1.1.2_halt_when_audit_log_full.sh
 rename bin/hardening/{8.0_install_auditd.sh => 8.1.2_enable_auditd.sh} (66%)
 rename etc/conf.d/{8.0_install_auditd.cfg => 8.0_enable_auditd_kernel.cfg} (100%)
 create mode 100644 etc/conf.d/8.1.1.2_halt_when_audit_log_full.cfg
 create mode 100644 etc/conf.d/8.1.2_enable_auditd.cfg
diff --git a/bin/hardening/2.25_disable_automounting.sh b/bin/hardening/2.25_disable_automounting.sh
index 2abd21f..7094597 100755
--- a/bin/hardening/2.25_disable_automounting.sh
+++ b/bin/hardening/2.25_disable_automounting.sh
@@ -31,7 +31,7 @@ apply () {
 is_service_enabled $SERVICE_NAME
 if [ $FNRET = 0 ]; then
 info "Disabling $SERVICE_NAME"
- update-rc.d $SERVICE_NAME disable
+ update-rc.d $SERVICE_NAME disable > /dev/null 2>&1
 else
 ok "$SERVICE_NAME is disabled"
 fi
diff --git a/bin/hardening/7.5.3_disable_rds.sh b/bin/hardening/7.5.3_disable_rds.sh
index d521282..061a653 100755
--- a/bin/hardening/7.5.3_disable_rds.sh
+++ b/bin/hardening/7.5.3_disable_rds.sh
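Review bot: The `2>&1` on the new `update-rc.d $SERVICE_NAME disable > /dev/null 2>&1` line also hides the tool's error message, so when update-rc.d fails the script aborts under `set -e` with nothing in the output explaining why. Silencing stdout alone, `update-rc.d "$SERVICE_NAME" disable > /dev/null`, keeps the diagnostic and quotes the name while the line is being touched; if the noise was the concern, capture stderr and hand it to `warn` on failure rather than dropping it. The enclosing `apply` starts before this hunk.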
@@ -6,7 +6,7 @@
 #
 #
-# 7.5.2 Disable SCTP (Not Scored)
+# 7.5.3 Disable RDS (Not Scored)
 #
 set -e # One error, it's over
diff --git a/bin/hardening/7.5.4_disable_tipc.sh b/bin/hardening/7.5.4_disable_tipc.sh
index d521282..db8dc27 100755
--- a/bin/hardening/7.5.4_disable_tipc.sh
+++ b/bin/hardening/7.5.4_disable_tipc.sh
@@ -6,7 +6,7 @@
 #
 #
-# 7.5.2 Disable SCTP (Not Scored)
+# 7.5.4 Disable TIPC (Not Scored)
 #
 set -e # One error, it's over
diff --git a/bin/hardening/7.7_enable_firewall.sh b/bin/hardening/7.7_enable_firewall.sh
index 22ce33c..999fb2e 100755
--- a/bin/hardening/7.7_enable_firewall.sh
+++ b/bin/hardening/7.7_enable_firewall.sh
@@ -6,7 +6,7 @@
 #
 #
-# 7.4.1 Install TCP Wrappers (Scored)
+# 7.7 Ensure Firewall is active (Scored)
 #
 set -e # One error, it's over
diff --git a/bin/hardening/8.0_enable_auditd_kernel.sh b/bin/hardening/8.0_enable_auditd_kernel.sh
new file mode 100755
index 0000000..03229c6
--- /dev/null
+++ b/bin/hardening/8.0_enable_auditd_kernel.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 8.0 Ensure CONFIG_AUDIT is enabled in your running kernel
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# Note : Not part of the CIS guide, but what's the point configuring a software not compatible with your kernel ? :)
+
+KERNEL_OPTION="CONFIG_AUDIT"
+
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ is_kernel_option_enabled "^$KERNEL_OPTION="
+ if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+ ok "$KERNEL_OPTION is enabled"
+ else
+ crit "$KERNEL_OPTION is disabled, auditd will not work"
+ fi
+ :
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ is_kernel_option_enabled "^$KERNEL_OPTION="
+ if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+ ok "$KERNEL_OPTION is enabled"
+ else
+ warn "I cannot fix $KERNEL_OPTION disabled, to make auditd work, recompile your kernel please"
+ fi
+ :
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/8.1.1.1_audit_log_storage.sh b/bin/hardening/8.1.1.1_audit_log_storage.sh
index 85cfc3c..369c4c7 100755
--- a/bin/hardening/8.1.1.1_audit_log_storage.sh
+++ b/bin/hardening/8.1.1.1_audit_log_storage.sh
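Review bot: The `CIS_ROOT_DIR` guard near the end of the new file prints "No CIS_ROOT_DIR variable, aborting" but never exits, so execution falls through to `[ -r $CIS_ROOT_DIR/lib/main.sh ]` with an empty prefix and the script ends without running its audit at all, reporting nothing. Add `exit 128` after the echo, matching the missing-file branch just above it, and quote the test, `if [ -z "$CIS_ROOT_DIR" ]; then`, since the unquoted form expands to `[ -z ]` (always true) when the variable is empty. Note `set -u` only catches the variable being unset, not an empty assignment in the sourced file, so the explicit exit is what enforces the check.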
@@ -25,7 +25,7 @@ audit () {
 ok "$FILE exist, checking configuration"
 does_pattern_exists_in_file $FILE "^$PATTERN[[:space:]]"
 if [ $FNRET != 0 ]; then
- crit "$PATTERN not present in $FILE, we have to deny everything"
+ crit "$PATTERN not present in $FILE"
 else
 ok "$PATTERN present in $FILE"
 fi
diff --git a/bin/hardening/8.1.1.2_halt_when_audit_log_full.sh b/bin/hardening/8.1.1.2_halt_when_audit_log_full.sh
new file mode 100755
index 0000000..899fd92
--- /dev/null
+++ b/bin/hardening/8.1.1.2_halt_when_audit_log_full.sh
@@ -0,0 +1,88 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 8.1.1.2 Disable System on Audit Log Full (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/audit/auditd.conf'
+OPTIONS='space_left_action=email action_mail_acct=root admin_space_left_action=halt'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ crit "$FILE does not exist"
+ else
+ ok "$FILE exist, checking configuration"
+ for AUDIT_OPTION in $OPTIONS; do
+ AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
+ AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
+ PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
+ debug "$AUDIT_PARAM must have value $AUDIT_VALUE"
+ does_pattern_exists_in_file $FILE "$PATTERN"
+ if [ $FNRET != 0 ]; then
+ crit "$PATTERN not present in $FILE"
+ else
+ ok "$PATTERN present in $FILE"
+ fi
+ done
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ warn "$FILE does not exist, creating it"
+ touch $FILE
+ else
+ ok "$FILE exist"
+ fi
+ for AUDIT_OPTION in $OPTIONS; do
+ AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
+ AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
+ debug "$AUDIT_PARAM must have value $AUDIT_VALUE"
+ PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
+ does_pattern_exists_in_file $FILE "$PATTERN"
+ if [ $FNRET != 0 ]; then
+ warn "$PATTERN not present in $FILE, adding it"
+ does_pattern_exists_in_file $FILE "^$AUDIT_PARAM"
+ if [ $FNRET != 0 ]; then
+ info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end"
+ add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE"
+ else
+ info "Parameter $AUDIT_PARAM is present but with the wrong value, correcting"
+ replace_in_file $FILE "^$AUDIT_PARAM[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE"
+ fi
+ else
+ ok "$PATTERN present in $FILE"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/8.0_install_auditd.sh b/bin/hardening/8.1.2_enable_auditd.sh
similarity index 66%
rename from bin/hardening/8.0_install_auditd.sh
rename to bin/hardening/8.1.2_enable_auditd.sh
index 83af3bd..02962e9 100755
--- a/bin/hardening/8.0_install_auditd.sh
+++ b/bin/hardening/8.1.2_enable_auditd.sh
@@ -6,15 +6,14 @@
 #
 #
-# 8.0 Install auditd
+# 8.1.2 Install and Enable auditd Service (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
-# Note : Not port of the CIS guide, but what's the point configuring a software not installed ? :)
-
 PACKAGE='auditd'
+SERVICE_NAME='auditd'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
@@ -23,6 +22,12 @@ audit () {
 crit "$PACKAGE is not installed !"
 else
 ok "$PACKAGE is installed"
+ is_service_enabled $SERVICE_NAME
+ if [ $FNRET = 0 ]; then
+ ok "$SERVICE_NAME is enabled"
+ else
+ crit "$SERVICE_NAME is not enabled"
+ fi
 fi
 }
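Review bot: `apply` in 8.1.1.2 rewrites `/etc/audit/auditd.conf` but never signals auditd, so on a host where the daemon is already running the previous `space_left_action` / `admin_space_left_action` stay in effect until the next restart, while the audit mode of this same script reads the file and reports the rule as compliant. After the `done` loop, restart the daemon when anything was changed, e.g. `service auditd restart > /dev/null 2>&1 || warn "auditd restart failed"` (Debian 7 is sysvinit, so the init script is the right hook). The value match `PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"` has no end anchor, so `action_mail_acct = rootless` or `admin_space_left_action = halting` would pass the check; append `[[:space:]]*$` to the pattern in both `audit` and `apply`. Note that `admin_space_left_action=halt` is the CIS-prescribed value but a deliberate availability trade-off, since a full audit partition then takes the host down, which is why the separate partition from 8.1.1.1 matters.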
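Review bot: The new check in `audit ()` of 8.1.2 only asks `is_service_enabled`, which from its name and its use in 2.25 next to `update-rc.d` looks like a boot-time rc-link check (the helper's source is not in this diff), so it says nothing about whether auditd is running right now, which is what every later 8.x rule depends on. Consider a second check on the live state, reported as crit when it fails, e.g. `service $SERVICE_NAME status > /dev/null 2>&1`. The enclosing `audit` starts before this hunk.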
@@ -32,9 +37,17 @@ apply () {
 if [ $FNRET = 0 ]; then
 ok "$PACKAGE is installed"
 else
- crit "$PACKAGE is absent, installing it"
+ warn "$PACKAGE is absent, installing it"
 apt_install $PACKAGE
 fi
+ is_service_enabled $SERVICE_NAME
+ if [ $FNRET = 0 ]; then
+ ok "$SERVICE_NAME is enabled"
+ else
+ warn "$SERVICE_NAME is not enabled, enabling it"
+ update-rc.d $SERVICE_NAME remove > /dev/null 2>&1
+ update-rc.d $SERVICE_NAME defaults > /dev/null 2>&1
+ fi
 }
 # This function will check config parameters required
diff --git a/etc/conf.d/8.0_install_auditd.cfg b/etc/conf.d/8.0_enable_auditd_kernel.cfg
similarity index 100%
rename from etc/conf.d/8.0_install_auditd.cfg
rename to etc/conf.d/8.0_enable_auditd_kernel.cfg
diff --git a/etc/conf.d/8.1.1.2_halt_when_audit_log_full.cfg b/etc/conf.d/8.1.1.2_halt_when_audit_log_full.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/8.1.1.2_halt_when_audit_log_full.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/8.1.2_enable_auditd.cfg b/etc/conf.d/8.1.2_enable_auditd.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/8.1.2_enable_auditd.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
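Review bot: `update-rc.d $SERVICE_NAME remove` refuses to run while `/etc/init.d/auditd` still exists (it needs `-f` to force), and since the package was just installed the init script is there, so with stderr sent to /dev/null and `set -e` active the script dies on that line with no message before `defaults` is ever reached. Use the verb 2.25 already uses for the opposite case, `update-rc.d $SERVICE_NAME enable > /dev/null 2>&1`, or pass `-f` to the remove. Enabling the rc links does not start the daemon, so if this rule is meant to leave auditd running a `service $SERVICE_NAME start` is also needed here. The enclosing `apply` starts before this hunk.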