3.2_bootloader_permissions.sh 3.3_bootloader_password.sh

bin/hardening/3.2_bootloader_permissions.sh

@@ -0,0 +1,66 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 3.2 Set Permissions on bootloader config (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# Assertion : Grub Based.
+
+FILE='/boot/grub/grub.cfg'
+PERMISSIONS='400'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    has_file_correct_permissions $FILE $PERMISSIONS
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        crit "$FILE has not $PERMISSIONS permissions set"
+    fi 
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    has_file_correct_permissions $FILE $PERMISSIONS
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        info "fixing $FILE permissions to $PERMISSIONS"
+        chmod 0$PERMISSIONS $FILE
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+
+    is_pkg_installed "grub-pc"
+    if [ $FNRET != 0 ]; then
+        warn "grub-pc is not installed, not handling configuration"
+        exit 128
+    fi
+    if [ $FNRET != 0 ]; then
+        crit "$FILE does not exist"
+        exit 128
+    fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+    echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+    exit 128
+else
+    . /etc/default/cis-hardenning
+    if [ -z $CIS_ROOT_DIR ]; then
+        echo "No CIS_ROOT_DIR variable, aborting"
+    fi
+fi 
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

bin/hardening/3.3_bootloader_password.sh

@@ -0,0 +1,76 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 3.3 Set Boot Loader Password (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/boot/grub/grub.cfg'
+USER_PATTERN="^set superusers"
+PWD_PATTERN="^password_pbkdf2"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    does_pattern_exists_in_file $FILE "$USER_PATTERN"
+    if [ $FNRET != 0 ]; then
+        crit "$USER_PATTERN not present in $FILE"
+    else
+        ok "$USER_PATTERN is present in $FILE"
+    fi
+    does_pattern_exists_in_file $FILE "$PWD_PATTERN"
+    if [ $FNRET != 0 ]; then
+        crit "$PWD_PATTERN not present in $FILE"
+    else
+        ok "$PWD_PATTERN is present in $FILE"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    does_pattern_exists_in_file $FILE "$USER_PATTERN"
+    if [ $FNRET != 0 ]; then
+        warn "$USER_PATTERN not present in $FILE, please configure password for grub"
+    else
+        ok "$USER_PATTERN is present in $FILE"
+    fi
+    does_pattern_exists_in_file $FILE "$PWD_PATTERN"
+    if [ $FNRET != 0 ]; then
+        warn "$PWD_PATTERN not present in $FILE, please configure password for grub"
+    else
+        ok "$PWD_PATTERN is present in $FILE"
+    fi
+    :
+}
+
+# This function will check config parameters required
+check_config() {
+    is_pkg_installed "grub-pc"
+    if [ $FNRET != 0 ]; then
+        warn "grub-pc is not installed, not handling configuration"
+        exit 128
+    fi
+    if [ $FNRET != 0 ]; then
+        crit "$FILE does not exist"
+        exit 128
+    fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+    echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+    exit 128
+else
+    . /etc/default/cis-hardenning
+    if [ -z $CIS_ROOT_DIR ]; then
+        echo "No CIS_ROOT_DIR variable, aborting"
+    fi
+fi 
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

etc/conf.d/3.1_bootloader_ownership.cfg

@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled

etc/conf.d/3.2_bootloader_permissions.cfg

@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled

etc/conf.d/3.3_bootloader_password.cfg

@@ -0,0 +1,19 @@
+# Configuration for script of same name
+status=enabled
+
+###### Grub configuration example :
+#~ # id
+#uid=0(root) gid=0(root) groups=0(root)
+#~ # ls /etc/grub.d/01_users -l
+#-rwxr-xr-x 1 root root 390 Apr 11 11:04 /etc/grub.d/01_users
+#
+# ~ # cat /etc/grub.d/01_users
+##!/bin/sh
+#
+## Grub password file
+#
+#cat << EOF
+#set superusers="osp"
+#password FOR_GRUB # this is a drity hack for chmod 400 by grub-mkconfig
+#password_pbkdf2 osp grub.pbkdf2.sha512.10000.28AC55867740A5F1820853347EEFE3CCC67D19540BE8ACCE5E354A18DDD8D4A48AACC5F9FCAE08593B05D0E131568456F02A44F1D01C7E194635CE664410F885.07A8B0B957098D4A13B6CE77A62431945A98DCF20313AFAC86346957E6F67827B252F3BF395D82E8C25036AA89AE6BA13F946523FB02F6C3A605B3B312658D6E
+#EOF

lib/utils.sh

@@ -20,13 +20,37 @@ has_file_correct_ownership() {
     local USERID=$(id -u $USER)
     local GROUPID=$(id -u $GROUP)
 
-    if [ "$(stat -c "%u %g" /boot/grub/grub.cfg)" = "$USERID $GROUPID" ]; then
+    if [ "$(stat -c "%u %g" $1)" = "$USERID $GROUPID" ]; then
         FNRET=0
     else
         FNRET=1
     fi
 }
 
+has_file_correct_permissions() {
+    local FILE=$1
+    local PERMISSIONS=$2
+    
+    if [ $(stat -L -c "%a" $1) = "$PERMISSIONS" ]; then
+        FNRET=0
+    else
+        FNRET=1
+    fi 
+}
+
+does_pattern_exists_in_file() {
+    local FILE=$1
+    local PATTERN=$2
+
+    debug "Checking if $PATTERN is present in $FILE"
+    if $(grep -qE "$PATTERN" $FILE); then
+        FNRET=0
+    else
+        FNRET=1
+    fi
+
+}
+
 #
 # User manipulation
 #