Renumbering OS services checks and removing obsolete ones

new file:   bin/hardening/2.1.1_disable_xinetd.sh
	renamed:    bin/hardening/5.1.8_disable_inetd.sh -> bin/hardening/2.1.2_disable_bsd_inetd.sh
	renamed:    bin/hardening/5.1.1_disable_nis.sh -> bin/hardening/2.3.1_disable_nis.sh
	renamed:    bin/hardening/5.1.3_disable_rsh_client.sh -> bin/hardening/2.3.2_disable_rsh_client.sh
	renamed:    bin/hardening/5.1.5_disable_talk_client.sh -> bin/hardening/2.3.3_disable_talk_client.sh
	deleted:    bin/hardening/5.1.2_disable_rsh.sh
	deleted:    bin/hardening/5.1.4_disable_talk.sh
	deleted:    bin/hardening/5.1.6_disable_telnet_server.sh
	deleted:    bin/hardening/5.1.7_disable_tftp_server.sh
	deleted:    bin/hardening/5.2_disable_chargen.sh
	deleted:    bin/hardening/5.3_disable_daytime.sh
	deleted:    bin/hardening/5.4_disable_echo.sh
	deleted:    bin/hardening/5.5_disable_discard.sh
	deleted:    bin/hardening/5.6_disable_time.sh
	renamed:    tests/hardening/5.6_disable_time.sh -> tests/hardening/2.1.1_disable_xinetd.sh
	renamed:    tests/hardening/5.5_disable_discard.sh -> tests/hardening/2.3.1_disable_nis.sh
	renamed:    tests/hardening/5.4_disable_echo.sh -> tests/hardening/2.3.2_disable_rsh_client.sh
	renamed:    tests/hardening/5.3_disable_daytime.sh -> tests/hardening/2.3.3_disable_talk_client.sh
	deleted:    tests/hardening/5.1.1_disable_nis.sh
	deleted:    tests/hardening/5.1.2_disable_rsh.sh
	deleted:    tests/hardening/5.1.3_disable_rsh_client.sh
	deleted:    tests/hardening/5.1.4_disable_talk.sh
	deleted:    tests/hardening/5.1.5_disable_talk_client.sh
	deleted:    tests/hardening/5.1.6_disable_telnet_server.sh
	deleted:    tests/hardening/5.1.7_disable_tftp_server.sh
	deleted:    tests/hardening/5.1.8_disable_inetd.sh
	deleted:    tests/hardening/5.2_disable_chargen.sh
This commit is contained in:
Charles Herlin 2019-08-29 10:33:23 +02:00 committed by Thibault Ayanides
parent 6365f58b4c
commit fbdf3b72ed
27 changed files with 70 additions and 851 deletions

View File

@ -0,0 +1,62 @@
#!/bin/bash
#
# CIS Debian Hardening
#
#
# 2.1.1 Ensure xinetd is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="Ensure xinetd is not enabled."
PACKAGE='xinetd'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed"
else
ok "$PACKAGE is absent"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, purging"
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

View File

@ -5,20 +5,20 @@
#
#
# 5.1.8 Ensure xinetd is not enabled (Scored)
# 2.1.1 Ensure bsd-inetd is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="Ensure xinetd is not enabled."
DESCRIPTION="Ensure bsd-inetd is not enabled."
PACKAGES='openbsd-inetd xinetd rlinetd'
PACKAGES='openbsd-inetd inetutils-inetd'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed"
@ -30,7 +30,7 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, purging"

View File

@ -5,7 +5,7 @@
#
#
# 5.1.1 Ensure NIS is not installed (Scored)
# 2.3.1 Ensure NIS client is not installed (Scored)
#
set -e # One error, it's over

View File

@ -5,7 +5,7 @@
#
#
# 5.1.3 Ensure rsh client is not installed (Scored)
# 2.3.2 Ensure rsh client is not installed (Scored)
#
set -e # One error, it's over

View File

@ -5,7 +5,7 @@
#
#
# 5.1.5 Ensure talk client is not installed (Scored)
# 2.3.3 Ensure talk client is not installed (Scored)
#
set -e # One error, it's over

View File

@ -1,95 +0,0 @@
#!/bin/bash
#
# CIS Debian Hardening
#
#
# 5.1.2 Ensure rsh server is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Ensure rsh server is not enabled. Recommended alternative : sshd (openssh-server)."
# Based on aptitude search '~Prsh-server'
PACKAGES='rsh-server rsh-redone-server heimdal-servers'
FILE='/etc/inetd.conf'
PATTERN='^(shell|login|exec)'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, checking configuration"
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, $PACKAGE services are enabled!"
else
ok "$PATTERN is not present in $FILE"
fi
fi
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN is not present in $FILE"
fi
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

View File

@ -1,94 +0,0 @@
#!/bin/bash
#
# CIS Debian Hardening
#
#
# 5.1.4 Ensure talk server is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Ensure talk server is not enabled."
PACKAGES='inetutils-talkd talkd'
FILE='/etc/inetd.conf'
PATTERN='^(talk|ntalk)'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, checking configuration"
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, $PACKAGE services are enabled!"
else
ok "$PATTERN is not present in $FILE"
fi
fi
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN is not present in $FILE"
fi
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

View File

@ -1,95 +0,0 @@
#!/bin/bash
#
# CIS Debian Hardening
#
#
# 5.1.6 Ensure telnet server is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Ensure telnet server is not enabled. Recommended alternative : sshd (OpenSSH-server)."
# Based on aptitude search '~Ptelnet-server'
PACKAGES='telnetd inetutils-telnetd telnetd-ssl krb5-telnetd heimdal-servers'
FILE='/etc/inetd.conf'
PATTERN='^telnet'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, checking configuration"
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, $PACKAGE services are enabled!"
else
ok "$PATTERN is not present in $FILE"
fi
fi
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN is not present in $FILE"
fi
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

View File

@ -1,94 +0,0 @@
#!/bin/bash
#
# CIS Debian Hardening
#
#
# 5.1.7 Ensure tftp-server is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Ensure tftp-server is not enabled."
PACKAGES='tftpd tftpd-hpa atftpd'
FILE='/etc/inetd.conf'
PATTERN='^tftp'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, checking configuration"
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, $PACKAGE services are enabled!"
else
ok "$PATTERN is not present in $FILE"
fi
fi
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN is not present in $FILE"
fi
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

View File

@ -1,75 +0,0 @@
#!/bin/bash
#
# CIS Debian Hardening
#
#
# 5.2 Ensure chargen is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Ensure chargen debugging network service is not enabled."
FILE='/etc/inetd.conf'
PATTERN='^chargen'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, chargen service is enabled!"
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

View File

@ -1,75 +0,0 @@
#!/bin/bash
#
# CIS Debian Hardening
#
#
# 5.3 Ensure daytime is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Ensure daytime debugging network service is not enabled."
FILE='/etc/inetd.conf'
PATTERN='^daytime'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, daytime service is enabled!"
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

View File

@ -1,75 +0,0 @@
#!/bin/bash
#
# CIS Debian Hardening
#
#
# 5.4 Ensure echo is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Ensure echo debugging network service is not enabled."
FILE='/etc/inetd.conf'
PATTERN='^echo'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, echo service is enabled!"
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

View File

@ -1,75 +0,0 @@
#!/bin/bash
#
# CIS Debian Hardening
#
#
# 5.5 Ensure discard is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Ensure discard debugging network service is not enabled."
FILE='/etc/inetd.conf'
PATTERN='^discard'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, discard service is enabled!"
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

View File

@ -1,75 +0,0 @@
#!/bin/bash
#
# CIS Debian Hardening
#
#
# 5.6 Ensure time is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Ensure time debugging network service is not enabled."
FILE='/etc/inetd.conf'
PATTERN='^time'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, time service is enabled!"
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

View File

@ -1,10 +0,0 @@
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests
}

View File

@ -1,10 +0,0 @@
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests
}

View File

@ -1,10 +0,0 @@
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests
}

View File

@ -1,10 +0,0 @@
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests
}

View File

@ -1,10 +0,0 @@
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests
}

View File

@ -1,10 +0,0 @@
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests
}

View File

@ -1,10 +0,0 @@
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests
}

View File

@ -1,10 +0,0 @@
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests
}

View File

@ -1,10 +0,0 @@
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests
}