mirror of
https://github.com/ovh/debian-cis.git
synced 2024-12-22 22:15:24 +01:00
3.2_bootloader_permissions.sh 3.3_bootloader_password.sh
This commit is contained in:
parent
d44a8eb440
commit
f2a979e24c
66
bin/hardening/3.2_bootloader_permissions.sh
Executable file
66
bin/hardening/3.2_bootloader_permissions.sh
Executable file
@ -0,0 +1,66 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 3.2 Set Permissions on bootloader config (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Assertion : Grub Based.
|
||||
|
||||
FILE='/boot/grub/grub.cfg'
|
||||
PERMISSIONS='400'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
has_file_correct_permissions $FILE $PERMISSIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
crit "$FILE has not $PERMISSIONS permissions set"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
has_file_correct_permissions $FILE $PERMISSIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0$PERMISSIONS $FILE
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
|
||||
is_pkg_installed "grub-pc"
|
||||
if [ $FNRET != 0 ]; then
|
||||
warn "grub-pc is not installed, not handling configuration"
|
||||
exit 128
|
||||
fi
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
exit 128
|
||||
fi
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
76
bin/hardening/3.3_bootloader_password.sh
Executable file
76
bin/hardening/3.3_bootloader_password.sh
Executable file
@ -0,0 +1,76 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 3.3 Set Boot Loader Password (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
FILE='/boot/grub/grub.cfg'
|
||||
USER_PATTERN="^set superusers"
|
||||
PWD_PATTERN="^password_pbkdf2"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
does_pattern_exists_in_file $FILE "$USER_PATTERN"
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$USER_PATTERN not present in $FILE"
|
||||
else
|
||||
ok "$USER_PATTERN is present in $FILE"
|
||||
fi
|
||||
does_pattern_exists_in_file $FILE "$PWD_PATTERN"
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$PWD_PATTERN not present in $FILE"
|
||||
else
|
||||
ok "$PWD_PATTERN is present in $FILE"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
does_pattern_exists_in_file $FILE "$USER_PATTERN"
|
||||
if [ $FNRET != 0 ]; then
|
||||
warn "$USER_PATTERN not present in $FILE, please configure password for grub"
|
||||
else
|
||||
ok "$USER_PATTERN is present in $FILE"
|
||||
fi
|
||||
does_pattern_exists_in_file $FILE "$PWD_PATTERN"
|
||||
if [ $FNRET != 0 ]; then
|
||||
warn "$PWD_PATTERN not present in $FILE, please configure password for grub"
|
||||
else
|
||||
ok "$PWD_PATTERN is present in $FILE"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
is_pkg_installed "grub-pc"
|
||||
if [ $FNRET != 0 ]; then
|
||||
warn "grub-pc is not installed, not handling configuration"
|
||||
exit 128
|
||||
fi
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
exit 128
|
||||
fi
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
@ -1,2 +1,2 @@
|
||||
# Configuration for script of same name
|
||||
status=enabled
|
||||
status=disabled
|
||||
|
2
etc/conf.d/3.2_bootloader_permissions.cfg
Normal file
2
etc/conf.d/3.2_bootloader_permissions.cfg
Normal file
@ -0,0 +1,2 @@
|
||||
# Configuration for script of same name
|
||||
status=disabled
|
19
etc/conf.d/3.3_bootloader_password.cfg
Normal file
19
etc/conf.d/3.3_bootloader_password.cfg
Normal file
@ -0,0 +1,19 @@
|
||||
# Configuration for script of same name
|
||||
status=enabled
|
||||
|
||||
###### Grub configuration example :
|
||||
#~ # id
|
||||
#uid=0(root) gid=0(root) groups=0(root)
|
||||
#~ # ls /etc/grub.d/01_users -l
|
||||
#-rwxr-xr-x 1 root root 390 Apr 11 11:04 /etc/grub.d/01_users
|
||||
#
|
||||
# ~ # cat /etc/grub.d/01_users
|
||||
##!/bin/sh
|
||||
#
|
||||
## Grub password file
|
||||
#
|
||||
#cat << EOF
|
||||
#set superusers="osp"
|
||||
#password FOR_GRUB # this is a drity hack for chmod 400 by grub-mkconfig
|
||||
#password_pbkdf2 osp grub.pbkdf2.sha512.10000.28AC55867740A5F1820853347EEFE3CCC67D19540BE8ACCE5E354A18DDD8D4A48AACC5F9FCAE08593B05D0E131568456F02A44F1D01C7E194635CE664410F885.07A8B0B957098D4A13B6CE77A62431945A98DCF20313AFAC86346957E6F67827B252F3BF395D82E8C25036AA89AE6BA13F946523FB02F6C3A605B3B312658D6E
|
||||
#EOF
|
26
lib/utils.sh
26
lib/utils.sh
@ -20,13 +20,37 @@ has_file_correct_ownership() {
|
||||
local USERID=$(id -u $USER)
|
||||
local GROUPID=$(id -u $GROUP)
|
||||
|
||||
if [ "$(stat -c "%u %g" /boot/grub/grub.cfg)" = "$USERID $GROUPID" ]; then
|
||||
if [ "$(stat -c "%u %g" $1)" = "$USERID $GROUPID" ]; then
|
||||
FNRET=0
|
||||
else
|
||||
FNRET=1
|
||||
fi
|
||||
}
|
||||
|
||||
has_file_correct_permissions() {
|
||||
local FILE=$1
|
||||
local PERMISSIONS=$2
|
||||
|
||||
if [ $(stat -L -c "%a" $1) = "$PERMISSIONS" ]; then
|
||||
FNRET=0
|
||||
else
|
||||
FNRET=1
|
||||
fi
|
||||
}
|
||||
|
||||
does_pattern_exists_in_file() {
|
||||
local FILE=$1
|
||||
local PATTERN=$2
|
||||
|
||||
debug "Checking if $PATTERN is present in $FILE"
|
||||
if $(grep -qE "$PATTERN" $FILE); then
|
||||
FNRET=0
|
||||
else
|
||||
FNRET=1
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# User manipulation
|
||||
#
|
||||
|
Loading…
Reference in New Issue
Block a user