elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2024-11-22 13:37:02 +01:00
Code Issues Packages Projects Releases Wiki Activity

Rephrase confusing messages

Browse Source
This commit is contained in:
Frank Denis 2016-04-21 18:32:36 +02:00
parent 85bae89dc3
commit ed410747df
112 changed files with 221 additions and 221 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
bin/hardening/10.1.1_set_password_exp_days.sh
View File

@ -58,7 +58,7 @@ apply () {
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else else
info "Parameter $SSH_PARAM is present but with the wrong value, correcting" info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi fi
fi fi

2
bin/hardening/10.1.2_set_password_min_days_change.sh
View File

@ -58,7 +58,7 @@ apply () {
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else else
info "Parameter $SSH_PARAM is present but with the wrong value, correcting" info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi fi
fi fi

2
bin/hardening/10.1.3_set_password_exp_warning_days.sh
View File

@ -58,7 +58,7 @@ apply () {
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else else
info "Parameter $SSH_PARAM is present but with the wrong value, correcting" info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi fi
fi fi

4
bin/hardening/10.2_disable_system_accounts.sh
View File

@ -33,7 +33,7 @@ audit () {
fi fi
done done
if [ ! -z "$RESULT" ]; then if [ ! -z "$RESULT" ]; then
crit "Some admin accounts have not $SHELL as shell" crit "Some admin accounts don't have $SHELL as shell"
crit "$RESULT" crit "$RESULT"
else else
ok "All admin accounts deactivated" ok "All admin accounts deactivated"
@ -57,7 +57,7 @@ apply () {
fi fi
done done
if [ ! -z "$RESULT" ]; then if [ ! -z "$RESULT" ]; then
warn "Some admin accounts have not $SHELL as shell" warn "Some admin accounts don't have $SHELL as shell"
warn "$RESULT" warn "$RESULT"
for USER in $( echo "$RESULT" | cut -d: -f 1 ); do for USER in $( echo "$RESULT" | cut -d: -f 1 ); do
info "Setting $SHELL to $USER" info "Setting $SHELL to $USER"

6
bin/hardening/10.3_default_root_group.sh
View File

@ -19,16 +19,16 @@ audit () {
if [ $(grep "^root:" /etc/passwd | cut -f4 -d:) = 0 ]; then if [ $(grep "^root:" /etc/passwd | cut -f4 -d:) = 0 ]; then
ok "Root group has GID $EXPECTED_GID" ok "Root group has GID $EXPECTED_GID"
else else
crit "Root group has not GID $EXPECTED_GID" crit "Root group GID should be $EXPECTED_GID"
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $(grep "^root:" /etc/passwd | cut -f4 -d:) = 0 ]; then if [ $(grep "^root:" /etc/passwd | cut -f4 -d:) = 0 ]; then
ok "Root group has GID $EXPECTED_GID" ok "Root group GID is $EXPECTED_GID"
else else
warn "Root group has not GID $EXPECTED_GID" warn "Root group GID is not $EXPECTED_GID"
usermod -g $EXPECTED_GID $USER usermod -g $EXPECTED_GID $USER
fi fi
} }

2
bin/hardening/11.1_warning_banners.sh
View File

@ -29,7 +29,7 @@ audit () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
crit "$FILE has not $PERMISSIONS permissions set" crit "$FILE permissions were not set to $PERMISSIONS"
fi fi
done done
} }

2
bin/hardening/12.1_etc_passwd_permissions.sh
View File

@ -20,7 +20,7 @@ audit () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
crit "$FILE has not $PERMISSIONS permissions set" crit "$FILE permissions were not set to $PERMISSIONS"
fi fi
} }

2
bin/hardening/12.2_etc_shadow_permissions.sh
View File

@ -20,7 +20,7 @@ audit () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
crit "$FILE has not $PERMISSIONS permissions set" crit "$FILE permissions were not set to $PERMISSIONS"
fi fi
} }

2
bin/hardening/12.3_etc_group_permissions.sh
View File

@ -20,7 +20,7 @@ audit () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
crit "$FILE has not $PERMISSIONS permissions set" crit "$FILE permissions were not set to $PERMISSIONS"
fi fi
} }

4
bin/hardening/13.9_set_perm_on_user_netrc.sh
View File

@ -24,7 +24,7 @@ audit () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
crit "$FILE has not $PERMISSIONS permissions set" crit "$FILE permissions were not set to $PERMISSIONS"
ERRORS=$((ERRORS+1)) ERRORS=$((ERRORS+1))
fi fi
fi fi
@ -47,7 +47,7 @@ apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
warn "$FILE has not $PERMISSIONS permissions set" warn "$FILE permissions were not set to $PERMISSIONS"
chmod 600 $FILE chmod 600 $FILE
fi fi
fi fi

4
bin/hardening/2.10_home_nodev.sh
View File

@ -27,10 +27,10 @@ audit () {
ok "$PARTITION is a partition" ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
crit "$PARTITION have no option $OPTION in fstab !" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
ok "$PARTITION have $OPTION in fstab" ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime" warn "$PARTITION is not mounted with $OPTION at runtime"

4
bin/hardening/2.11_removable_device_nodev.sh
View File

@ -29,10 +29,10 @@ audit () {
info "detected $PARTITION like" info "detected $PARTITION like"
has_mount_option $PARTITION $OPTION has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
crit "$PARTITION have no option $OPTION in fstab !" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
ok "$PARTITION have $OPTION in fstab" ok "$PARTITION has $OPTION in fstab"
fi fi
fi fi
} }

4
bin/hardening/2.12_removable_device_noexec.sh
View File

@ -29,10 +29,10 @@ audit () {
info "detected $PARTITION like" info "detected $PARTITION like"
has_mount_option $PARTITION $OPTION has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
crit "$PARTITION have no option $OPTION in fstab !" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
ok "$PARTITION have $OPTION in fstab" ok "$PARTITION has $OPTION in fstab"
fi fi
fi fi
} }

4
bin/hardening/2.13_removable_device_nosuid.sh
View File

@ -29,10 +29,10 @@ audit () {
info "detected $PARTITION like" info "detected $PARTITION like"
has_mount_option $PARTITION $OPTION has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
crit "$PARTITION have no option $OPTION in fstab !" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
ok "$PARTITION have $OPTION in fstab" ok "$PARTITION has $OPTION in fstab"
fi fi
fi fi
} }

4
bin/hardening/2.14_run_shm_nodev.sh
View File

@ -27,10 +27,10 @@ audit () {
ok "$PARTITION is a partition" ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
crit "$PARTITION have no option $OPTION in fstab !" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
ok "$PARTITION have $OPTION in fstab" ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime" warn "$PARTITION is not mounted with $OPTION at runtime"

4
bin/hardening/2.15_run_shm_nosuid.sh
View File

@ -27,10 +27,10 @@ audit () {
ok "$PARTITION is a partition" ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
crit "$PARTITION have no option $OPTION in fstab !" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
ok "$PARTITION have $OPTION in fstab" ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime" warn "$PARTITION is not mounted with $OPTION at runtime"

4
bin/hardening/2.16_run_shm_noexec.sh
View File

@ -27,10 +27,10 @@ audit () {
ok "$PARTITION is a partition" ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
crit "$PARTITION have no option $OPTION in fstab !" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
ok "$PARTITION have $OPTION in fstab" ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime" warn "$PARTITION is not mounted with $OPTION at runtime"

4
bin/hardening/2.2_tmp_nodev.sh
View File

@ -27,10 +27,10 @@ audit () {
ok "$PARTITION is a partition" ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
crit "$PARTITION have no option $OPTION in fstab !" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
ok "$PARTITION have $OPTION in fstab" ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime" warn "$PARTITION is not mounted with $OPTION at runtime"

4
bin/hardening/2.3_tmp_nosuid.sh
View File

@ -27,10 +27,10 @@ audit () {
ok "$PARTITION is a partition" ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
crit "$PARTITION have no option $OPTION in fstab !" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
ok "$PARTITION have $OPTION in fstab" ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime" warn "$PARTITION is not mounted with $OPTION at runtime"

4
bin/hardening/2.4_tmp_noexec.sh
View File

@ -27,10 +27,10 @@ audit () {
ok "$PARTITION is a partition" ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
crit "$PARTITION have no option $OPTION in fstab !" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
ok "$PARTITION have $OPTION in fstab" ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime" warn "$PARTITION is not mounted with $OPTION at runtime"

4
bin/hardening/2.6.2_var_tmp_nodev.sh
View File

@ -27,10 +27,10 @@ audit () {
ok "$PARTITION is a partition" ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
crit "$PARTITION have no option $OPTION in fstab !" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
ok "$PARTITION have $OPTION in fstab" ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime" warn "$PARTITION is not mounted with $OPTION at runtime"

4
bin/hardening/2.6.3_var_tmp_nosuid.sh
View File

@ -27,10 +27,10 @@ audit () {
ok "$PARTITION is a partition" ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
crit "$PARTITION have no option $OPTION in fstab !" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
ok "$PARTITION have $OPTION in fstab" ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime" warn "$PARTITION is not mounted with $OPTION at runtime"

4
bin/hardening/2.6.4_var_tmp_noexec.sh
View File

@ -27,10 +27,10 @@ audit () {
ok "$PARTITION is a partition" ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
crit "$PARTITION have no option $OPTION in fstab !" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
ok "$PARTITION have $OPTION in fstab" ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime" warn "$PARTITION is not mounted with $OPTION at runtime"

2
bin/hardening/3.2_bootloader_permissions.sh
View File

@ -22,7 +22,7 @@ audit () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
crit "$FILE has not $PERMISSIONS permissions set" crit "$FILE permissions were not set to $PERMISSIONS"
fi fi
} }

8
bin/hardening/4.1_restrict_core_dumps.sh
View File

@ -26,9 +26,9 @@ audit () {
fi fi
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !" crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist, typo ?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi fi
@ -45,10 +45,10 @@ apply () {
fi fi
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
elif [ $FNRET = 255 ]; then elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist, typo ?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi fi

8
bin/hardening/4.3_enable_randomized_vm_placement.sh
View File

@ -18,9 +18,9 @@ SYSCTL_EXP_RESULT=2
audit () { audit () {
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !" crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist, typo ?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi fi
@ -30,10 +30,10 @@ audit () {
apply () { apply () {
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
elif [ $FNRET = 255 ]; then elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist, typo ?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi fi

8
bin/hardening/7.1.1_disable_ip_forwarding.sh
View File

@ -18,9 +18,9 @@ SYSCTL_EXP_RESULT=0
audit () { audit () {
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !" crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist, typo ?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi fi
@ -30,11 +30,11 @@ audit () {
apply () { apply () {
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null sysctl -w net.ipv4.route.flush=1 > /dev/null
elif [ $FNRET = 255 ]; then elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist, typo ?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi fi

12
bin/hardening/7.1.2_disable_send_packet_redirects.sh
View File

@ -19,12 +19,12 @@ audit () {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !" crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist, typo ?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi fi
@ -36,14 +36,14 @@ apply () {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null sysctl -w net.ipv4.route.flush=1 > /dev/null
elif [ $FNRET = 255 ]; then elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist, typo ?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi fi

12
bin/hardening/7.2.1_disable_source_routed_packets.sh
View File

@ -18,12 +18,12 @@ audit () {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !" crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist, typo ?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi fi
@ -35,14 +35,14 @@ apply () {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null sysctl -w net.ipv4.route.flush=1 > /dev/null
elif [ $FNRET = 255 ]; then elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist, typo ?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi fi

12
bin/hardening/7.2.2_disable_icmp_redirect.sh
View File

@ -18,12 +18,12 @@ audit () {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !" crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist, typo ?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi fi
@ -35,14 +35,14 @@ apply () {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null sysctl -w net.ipv4.route.flush=1 > /dev/null
elif [ $FNRET = 255 ]; then elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist, typo ?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi fi

12
bin/hardening/7.2.3_disable_secure_icmp_redirect.sh
View File

@ -18,12 +18,12 @@ audit () {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !" crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist, typo ?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi fi
@ -35,14 +35,14 @@ apply () {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null sysctl -w net.ipv4.route.flush=1 > /dev/null
elif [ $FNRET = 255 ]; then elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist, typo ?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi fi

12
bin/hardening/7.2.4_log_martian_packets.sh
View File

@ -18,12 +18,12 @@ audit () {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !" crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist, typo ?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi fi
@ -35,14 +35,14 @@ apply () {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null sysctl -w net.ipv4.route.flush=1 > /dev/null
elif [ $FNRET = 255 ]; then elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist, typo ?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi fi

12
bin/hardening/7.2.5_ignore_broadcast_requests.sh
View File

@ -18,12 +18,12 @@ audit () {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !" crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist, typo ?" warn "$SYSCTL_PARAM does not exist --Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi fi
@ -35,14 +35,14 @@ apply () {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null sysctl -w net.ipv4.route.flush=1 > /dev/null
elif [ $FNRET = 255 ]; then elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist, typo ?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi fi

12
bin/hardening/7.2.6_enable_bad_error_message_protection.sh
View File

@ -18,12 +18,12 @@ audit () {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !" crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist, typo ?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi fi
@ -35,14 +35,14 @@ apply () {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null sysctl -w net.ipv4.route.flush=1 > /dev/null
elif [ $FNRET = 255 ]; then elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist, typo ?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi fi

12
bin/hardening/7.2.7_enable_source_route_validation.sh
View File

@ -18,12 +18,12 @@ audit () {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !" crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist, typo ?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi fi
@ -35,14 +35,14 @@ apply () {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null sysctl -w net.ipv4.route.flush=1 > /dev/null
elif [ $FNRET = 255 ]; then elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist, typo ?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi fi

12
bin/hardening/7.2.8_enable_tcp_syn_cookies.sh
View File

@ -18,12 +18,12 @@ audit () {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !" crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist, typo ?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi fi
@ -35,14 +35,14 @@ apply () {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null sysctl -w net.ipv4.route.flush=1 > /dev/null
elif [ $FNRET = 255 ]; then elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist, typo ?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi fi

12
bin/hardening/7.3.1_disable_ipv6_router_advertisement.sh
View File

@ -22,12 +22,12 @@ audit () {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !" crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist, typo ?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi fi
@ -44,14 +44,14 @@ apply () {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT, fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null sysctl -w net.ipv4.route.flush=1 > /dev/null
elif [ $FNRET = 255 ]; then elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist, typo ?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi fi

12
bin/hardening/7.3.2_disable_ipv6_redirect.sh
View File

@ -22,12 +22,12 @@ audit () {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !" crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist, typo ?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi fi
@ -44,14 +44,14 @@ apply () {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT, fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null sysctl -w net.ipv4.route.flush=1 > /dev/null
elif [ $FNRET = 255 ]; then elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist, typo ?" warn "$SYSCTL_PARAM does not exist -- typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi fi

12
bin/hardening/7.3.3_disable_ipv6.sh
View File

@ -22,12 +22,12 @@ audit () {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !" crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist, typo ?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi fi
@ -44,14 +44,14 @@ apply () {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value, fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
warn "you may want to reboot or sysctl -p a file including $SYSCTL_PARAMS" warn "you may want to reboot or sysctl -p a file including $SYSCTL_PARAMS"
elif [ $FNRET = 255 ]; then elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist, typo ?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi fi

2
bin/hardening/7.4.3_hosts_allow_permissions.sh
View File

@ -20,7 +20,7 @@ audit () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
crit "$FILE has not $PERMISSIONS permissions set" crit "$FILE permissions were not set to $PERMISSIONS"
fi fi
} }

2
bin/hardening/7.4.5_hosts_deny_permissions.sh
View File

@ -20,7 +20,7 @@ audit () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
crit "$FILE has not $PERMISSIONS permissions set" crit "$FILE permissions were not set to $PERMISSIONS"
fi fi
} }

2
bin/hardening/8.0_enable_auditd_kernel.sh
View File

@ -11,7 +11,7 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# Note : Not part of the CIS guide, but what's the point configuring a software not compatible with your kernel ? :) # Note : Not part of the CIS guide, but what's the point of configuring software not compatible with your kernel? :)
KERNEL_OPTION="CONFIG_AUDIT" KERNEL_OPTION="CONFIG_AUDIT"

6
bin/hardening/8.1.1.2_halt_when_audit_log_full.sh
View File

@ -25,7 +25,7 @@ audit () {
AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1) AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2) AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE" PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
debug "$AUDIT_PARAM must have value $AUDIT_VALUE" debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exists_in_file $FILE "$PATTERN"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$PATTERN not present in $FILE" crit "$PATTERN not present in $FILE"
@ -48,7 +48,7 @@ apply () {
for AUDIT_OPTION in $OPTIONS; do for AUDIT_OPTION in $OPTIONS; do
AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1) AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2) AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
debug "$AUDIT_PARAM must have value $AUDIT_VALUE" debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE" PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exists_in_file $FILE "$PATTERN"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
@ -58,7 +58,7 @@ apply () {
info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end" info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end"
add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE" add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE"
else else
info "Parameter $AUDIT_PARAM is present but with the wrong value, correcting" info "Parameter $AUDIT_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$AUDIT_PARAM[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE" replace_in_file $FILE "^$AUDIT_PARAM[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE"
fi fi
else else

6
bin/hardening/8.1.1.3_keep_all_audit_logs.sh
View File

@ -25,7 +25,7 @@ audit () {
AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1) AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2) AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE" PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
debug "$AUDIT_PARAM must have value $AUDIT_VALUE" debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exists_in_file $FILE "$PATTERN"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$PATTERN not present in $FILE" crit "$PATTERN not present in $FILE"
@ -48,7 +48,7 @@ apply () {
for AUDIT_OPTION in $OPTIONS; do for AUDIT_OPTION in $OPTIONS; do
AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1) AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2) AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
debug "$AUDIT_PARAM must have value $AUDIT_VALUE" debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE" PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exists_in_file $FILE "$PATTERN"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
@ -58,7 +58,7 @@ apply () {
info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end" info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end"
add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE" add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE"
else else
info "Parameter $AUDIT_PARAM is present but with the wrong value, correcting" info "Parameter $AUDIT_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$AUDIT_PARAM[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE" replace_in_file $FILE "^$AUDIT_PARAM[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE"
fi fi
else else

6
bin/hardening/8.1.3_audit_bootloader.sh
View File

@ -25,7 +25,7 @@ audit () {
GRUB_PARAM=$(echo $GRUB_OPTION | cut -d= -f 1) GRUB_PARAM=$(echo $GRUB_OPTION | cut -d= -f 1)
GRUB_VALUE=$(echo $GRUB_OPTION | cut -d= -f 2,3) GRUB_VALUE=$(echo $GRUB_OPTION | cut -d= -f 2,3)
PATTERN="^$GRUB_PARAM=$GRUB_VALUE" PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
debug "$GRUB_PARAM must have value $GRUB_VALUE" debug "$GRUB_PARAM should be set to $GRUB_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exists_in_file $FILE "$PATTERN"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$PATTERN not present in $FILE" crit "$PATTERN not present in $FILE"
@ -48,7 +48,7 @@ apply () {
for GRUB_OPTION in $OPTIONS; do for GRUB_OPTION in $OPTIONS; do
GRUB_PARAM=$(echo $GRUB_OPTION | cut -d= -f 1) GRUB_PARAM=$(echo $GRUB_OPTION | cut -d= -f 1)
GRUB_VALUE=$(echo $GRUB_OPTION | cut -d= -f 2,3) GRUB_VALUE=$(echo $GRUB_OPTION | cut -d= -f 2,3)
debug "$GRUB_PARAM must have value $GRUB_VALUE" debug "$GRUB_PARAM should be set to $GRUB_VALUE"
PATTERN="^$GRUB_PARAM=$GRUB_VALUE" PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exists_in_file $FILE "$PATTERN"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
@ -58,7 +58,7 @@ apply () {
info "Parameter $GRUB_PARAM seems absent from $FILE, adding at the end" info "Parameter $GRUB_PARAM seems absent from $FILE, adding at the end"
add_end_of_file $FILE "$GRUB_PARAM = $GRUB_VALUE" add_end_of_file $FILE "$GRUB_PARAM = $GRUB_VALUE"
else else
info "Parameter $GRUB_PARAM is present but with the wrong value, correcting" info "Parameter $GRUB_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$GRUB_PARAM=.*" "$GRUB_PARAM=$GRUB_VALUE" replace_in_file $FILE "^$GRUB_PARAM=.*" "$GRUB_PARAM=$GRUB_VALUE"
fi fi
else else

2
bin/hardening/8.2.4_set_logfile_perm.sh
View File

@ -33,7 +33,7 @@ audit () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
crit "$FILE has not $PERMISSIONS permissions set" crit "$FILE permissions were not set to $PERMISSIONS"
fi fi
fi fi
done done

2
bin/hardening/9.1.2_crontab_perm_ownership.sh
View File

@ -28,7 +28,7 @@ audit () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
crit "$FILE has not $PERMISSIONS permissions set" crit "$FILE permissions were not set to $PERMISSIONS"
fi fi
} }

2
bin/hardening/9.1.3_cron_hourly_perm_ownership.sh
View File

@ -28,7 +28,7 @@ audit () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
crit "$FILE has not $PERMISSIONS permissions set" crit "$FILE permissions were not set to $PERMISSIONS"
fi fi
} }

2
bin/hardening/9.1.4_cron_daily_perm_ownership.sh
View File

@ -28,7 +28,7 @@ audit () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
crit "$FILE has not $PERMISSIONS permissions set" crit "$FILE permissions were not set to $PERMISSIONS"
fi fi
} }

2
bin/hardening/9.1.5_cron_weekly_perm_ownership.sh
View File

@ -28,7 +28,7 @@ audit () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
crit "$FILE has not $PERMISSIONS permissions set" crit "$FILE permissions were not set to $PERMISSIONS"
fi fi
} }

2
bin/hardening/9.1.6_cron_monthly_perm_ownership.sh
View File

@ -28,7 +28,7 @@ audit () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
crit "$FILE has not $PERMISSIONS permissions set" crit "$FILE permissions were not set to $PERMISSIONS"
fi fi
} }

2
bin/hardening/9.1.7_cron_d_perm_ownership.sh
View File

@ -28,7 +28,7 @@ audit () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
crit "$FILE has not $PERMISSIONS permissions set" crit "$FILE permissions were not set to $PERMISSIONS"
fi fi
} }

4
bin/hardening/9.1.8_cron_users.sh
View File

@ -42,7 +42,7 @@ audit () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
crit "$FILE has not $PERMISSIONS permissions set" crit "$FILE permissions were not set to $PERMISSIONS"
fi fi
fi fi
done done
@ -76,7 +76,7 @@ apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
warn "$FILE has not $PERMISSIONS permissions set" warn "$FILE permissions were not set to $PERMISSIONS"
chmod 0$PERMISSIONS $FILE chmod 0$PERMISSIONS $FILE
fi fi
done done

2
bin/hardening/9.3.10_disable_sshd_setenv.sh
View File

@ -58,7 +58,7 @@ apply () {
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else else
info "Parameter $SSH_PARAM is present but with the wrong value, correcting" info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi fi
/etc/init.d/ssh reload /etc/init.d/ssh reload

2
bin/hardening/9.3.11_sshd_ciphers.sh
View File

@ -58,7 +58,7 @@ apply () {
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else else
info "Parameter $SSH_PARAM is present but with the wrong value, correcting" info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi fi
/etc/init.d/ssh reload /etc/init.d/ssh reload

2
bin/hardening/9.3.12_sshd_idle_timeout.sh
View File

@ -58,7 +58,7 @@ apply () {
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else else
info "Parameter $SSH_PARAM is present but with the wrong value, correcting" info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi fi
/etc/init.d/ssh reload /etc/init.d/ssh reload

2
bin/hardening/9.3.13_sshd_limit_access.sh
View File

@ -60,7 +60,7 @@ apply () {
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else else
info "Parameter $SSH_PARAM is present but with the wrong value, correcting" info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi fi
/etc/init.d/ssh reload /etc/init.d/ssh reload

2
bin/hardening/9.3.1_sshd_protocol.sh
View File

@ -58,7 +58,7 @@ apply () {
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else else
info "Parameter $SSH_PARAM is present but with the wrong value, correcting" info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi fi
/etc/init.d/ssh reload > /dev/null 2>&1 /etc/init.d/ssh reload > /dev/null 2>&1

2
bin/hardening/9.3.2_sshd_loglevel.sh
View File

@ -58,7 +58,7 @@ apply () {
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else else
info "Parameter $SSH_PARAM is present but with the wrong value, correcting" info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi fi
/etc/init.d/ssh reload > /dev/null 2>&1 /etc/init.d/ssh reload > /dev/null 2>&1

2
bin/hardening/9.3.3_sshd_conf_perm_ownership.sh
View File

@ -28,7 +28,7 @@ audit () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
crit "$FILE has not $PERMISSIONS permissions set" crit "$FILE permissions were not set to $PERMISSIONS"
fi fi
} }

2
bin/hardening/9.3.4_disable_x11_forwarding.sh
View File

@ -58,7 +58,7 @@ apply () {
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else else
info "Parameter $SSH_PARAM is present but with the wrong value, correcting" info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi fi
/etc/init.d/ssh reload > /dev/null 2>&1 /etc/init.d/ssh reload > /dev/null 2>&1

2
bin/hardening/9.3.5_sshd_maxauthtries.sh
View File

@ -58,7 +58,7 @@ apply () {
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else else
info "Parameter $SSH_PARAM is present but with the wrong value, correcting" info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi fi
/etc/init.d/ssh reload /etc/init.d/ssh reload

2
bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh
View File

@ -58,7 +58,7 @@ apply () {
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else else
info "Parameter $SSH_PARAM is present but with the wrong value, correcting" info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi fi
/etc/init.d/ssh reload /etc/init.d/ssh reload

2
bin/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh
View File

@ -58,7 +58,7 @@ apply () {
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else else
info "Parameter $SSH_PARAM is present but with the wrong value, correcting" info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi fi
/etc/init.d/ssh reload /etc/init.d/ssh reload

2
bin/hardening/9.3.8_disable_root_login.sh
View File

@ -58,7 +58,7 @@ apply () {
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else else
info "Parameter $SSH_PARAM is present but with the wrong value, correcting" info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi fi
/etc/init.d/ssh reload /etc/init.d/ssh reload

2
bin/hardening/9.3.9_disable_sshd_permitemptypasswords.sh
View File

@ -58,7 +58,7 @@ apply () {
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else else
info "Parameter $SSH_PARAM is present but with the wrong value, correcting" info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi fi
/etc/init.d/ssh reload /etc/init.d/ssh reload

4
lib/utils.sh
View File

@ -14,7 +14,7 @@ has_sysctl_param_expected_result() {
debug "$SYSCTL_PARAM does not exist" debug "$SYSCTL_PARAM does not exist"
FNRET=255 FNRET=255
else else
debug "$SYSCTL_PARAM has not a value of $EXP_RESULT" debug "$SYSCTL_PARAM should be set to $EXP_RESULT"
FNRET=1 FNRET=1
fi fi
} }
@ -39,7 +39,7 @@ set_sysctl_param() {
debug "$SYSCTL_PARAM does not exist" debug "$SYSCTL_PARAM does not exist"
FNRET=255 FNRET=255
else else
warn "$SYSCTL_PARAM Failed !" warn "$SYSCTL_PARAM failed!"
FNRET=1 FNRET=1
fi fi
} }