From fbdf3b72edba3e081b140c3b1d0cce2c2c96441d Mon Sep 17 00:00:00 2001 
From: Charles Herlin Date: Thu, 29 Aug 2019 10:33:23 +0200 Subject: [PATCH] Renumbering OS services checks and removing obsolete ones new file: bin/hardening/2.1.1_disable_xinetd.sh renamed: bin/hardening/5.1.8_disable_inetd.sh -> bin/hardening/2.1.2_disable_bsd_inetd.sh renamed: bin/hardening/5.1.1_disable_nis.sh -> bin/hardening/2.3.1_disable_nis.sh renamed: bin/hardening/5.1.3_disable_rsh_client.sh -> bin/hardening/2.3.2_disable_rsh_client.sh renamed: bin/hardening/5.1.5_disable_talk_client.sh -> bin/hardening/2.3.3_disable_talk_client.sh deleted: bin/hardening/5.1.2_disable_rsh.sh deleted: bin/hardening/5.1.4_disable_talk.sh deleted: bin/hardening/5.1.6_disable_telnet_server.sh deleted: bin/hardening/5.1.7_disable_tftp_server.sh deleted: bin/hardening/5.2_disable_chargen.sh deleted: bin/hardening/5.3_disable_daytime.sh deleted: bin/hardening/5.4_disable_echo.sh deleted: bin/hardening/5.5_disable_discard.sh deleted: bin/hardening/5.6_disable_time.sh renamed: tests/hardening/5.6_disable_time.sh -> tests/hardening/2.1.1_disable_xinetd.sh renamed: tests/hardening/5.5_disable_discard.sh -> tests/hardening/2.3.1_disable_nis.sh renamed: tests/hardening/5.4_disable_echo.sh -> tests/hardening/2.3.2_disable_rsh_client.sh renamed: tests/hardening/5.3_disable_daytime.sh -> tests/hardening/2.3.3_disable_talk_client.sh deleted: tests/hardening/5.1.1_disable_nis.sh deleted: tests/hardening/5.1.2_disable_rsh.sh deleted: tests/hardening/5.1.3_disable_rsh_client.sh deleted: tests/hardening/5.1.4_disable_talk.sh deleted: tests/hardening/5.1.5_disable_talk_client.sh deleted: tests/hardening/5.1.6_disable_telnet_server.sh deleted: tests/hardening/5.1.7_disable_tftp_server.sh deleted: tests/hardening/5.1.8_disable_inetd.sh deleted: tests/hardening/5.2_disable_chargen.sh --- bin/hardening/2.1.1_disable_xinetd.sh | 62 ++++++++++++ ...le_inetd.sh => 2.1.2_disable_bsd_inetd.sh} | 10 +- ....1_disable_nis.sh => 2.3.1_disable_nis.sh} | 2 +- ..._client.sh => 2.3.2_disable_rsh_client.sh} | 2 
+- ...client.sh => 2.3.3_disable_talk_client.sh} | 2 +- bin/hardening/5.1.2_disable_rsh.sh | 95 ------------------- bin/hardening/5.1.4_disable_talk.sh | 94 ------------------ bin/hardening/5.1.6_disable_telnet_server.sh | 95 ------------------- bin/hardening/5.1.7_disable_tftp_server.sh | 94 ------------------ bin/hardening/5.2_disable_chargen.sh | 75 --------------- bin/hardening/5.3_disable_daytime.sh | 75 --------------- bin/hardening/5.4_disable_echo.sh | 75 --------------- bin/hardening/5.5_disable_discard.sh | 75 --------------- bin/hardening/5.6_disable_time.sh | 75 --------------- ...disable_nis.sh => 2.1.1_disable_xinetd.sh} | 0 ....2_disable_rsh.sh => 2.3.1_disable_nis.sh} | 0 ..._client.sh => 2.3.2_disable_rsh_client.sh} | 0 ...e_talk.sh => 2.3.3_disable_talk_client.sh} | 0 tests/hardening/5.1.5_disable_talk_client.sh | 10 -- .../hardening/5.1.6_disable_telnet_server.sh | 10 -- tests/hardening/5.1.7_disable_tftp_server.sh | 10 -- tests/hardening/5.1.8_disable_inetd.sh | 10 -- tests/hardening/5.2_disable_chargen.sh | 10 -- tests/hardening/5.3_disable_daytime.sh | 10 -- tests/hardening/5.4_disable_echo.sh | 10 -- tests/hardening/5.5_disable_discard.sh | 10 -- tests/hardening/5.6_disable_time.sh | 10 -- 27 files changed, 70 insertions(+), 851 deletions(-) create mode 100755 bin/hardening/2.1.1_disable_xinetd.sh rename bin/hardening/{5.1.8_disable_inetd.sh => 2.1.2_disable_bsd_inetd.sh} (87%) rename bin/hardening/{5.1.1_disable_nis.sh => 2.3.1_disable_nis.sh} (96%) rename bin/hardening/{5.1.3_disable_rsh_client.sh => 2.3.2_disable_rsh_client.sh} (97%) rename bin/hardening/{5.1.5_disable_talk_client.sh => 2.3.3_disable_talk_client.sh} (96%) delete mode 100755 bin/hardening/5.1.2_disable_rsh.sh delete mode 100755 bin/hardening/5.1.4_disable_talk.sh delete mode 100755 bin/hardening/5.1.6_disable_telnet_server.sh delete mode 100755 bin/hardening/5.1.7_disable_tftp_server.sh delete mode 100755 bin/hardening/5.2_disable_chargen.sh delete mode 100755 
bin/hardening/5.3_disable_daytime.sh delete mode 100755 bin/hardening/5.4_disable_echo.sh delete mode 100755 bin/hardening/5.5_disable_discard.sh delete mode 100755 bin/hardening/5.6_disable_time.sh rename tests/hardening/{5.1.1_disable_nis.sh => 2.1.1_disable_xinetd.sh} (100%) rename tests/hardening/{5.1.2_disable_rsh.sh => 2.3.1_disable_nis.sh} (100%) rename tests/hardening/{5.1.3_disable_rsh_client.sh => 2.3.2_disable_rsh_client.sh} (100%) rename tests/hardening/{5.1.4_disable_talk.sh => 2.3.3_disable_talk_client.sh} (100%) delete mode 100644 tests/hardening/5.1.5_disable_talk_client.sh delete mode 100644 tests/hardening/5.1.6_disable_telnet_server.sh delete mode 100644 tests/hardening/5.1.7_disable_tftp_server.sh delete mode 100644 tests/hardening/5.1.8_disable_inetd.sh delete mode 100644 tests/hardening/5.2_disable_chargen.sh delete mode 100644 tests/hardening/5.3_disable_daytime.sh delete mode 100644 tests/hardening/5.4_disable_echo.sh delete mode 100644 tests/hardening/5.5_disable_discard.sh delete mode 100644 tests/hardening/5.6_disable_time.sh diff --git a/bin/hardening/2.1.1_disable_xinetd.sh b/bin/hardening/2.1.1_disable_xinetd.sh new file mode 100755 index 0000000..5965f5c --- /dev/null +++ b/bin/hardening/2.1.1_disable_xinetd.sh 
@@ -0,0 +1,62 @@
+#!/bin/bash
+
+#
+# CIS Debian Hardening
+#
+
+#
+# 2.1.1 Ensure xinetd is not enabled (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+DESCRIPTION="Ensure xinetd is not enabled."
+
+PACKAGE='xinetd'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ crit "$PACKAGE is installed"
+ else
+ ok "$PACKAGE is absent"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ warn "$PACKAGE is installed, purging"
+ apt-get purge $PACKAGE -y
+ apt-get autoremove
+ else
+ ok "$PACKAGE is absent"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+ . $CIS_ROOT_DIR/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/5.1.8_disable_inetd.sh b/bin/hardening/2.1.2_disable_bsd_inetd.sh
similarity index 87%
rename from bin/hardening/5.1.8_disable_inetd.sh
rename to bin/hardening/2.1.2_disable_bsd_inetd.sh
index 241a15f..00d08fe 100755
--- a/bin/hardening/5.1.8_disable_inetd.sh
+++ b/bin/hardening/2.1.2_disable_bsd_inetd.sh
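Review bot: `apt-get autoremove` in apply() runs without `-y` although the `apt-get purge` line just above passes it; when apply is run non-interactively the confirmation prompt cannot be answered and, with `set -e` in effect, the script stops at that line, so it should read `apt-get autoremove -y`. A second problem sits in the root-dir sourcing at the bottom: with `set -u` active, a missing or unreadable /etc/default/cis-hardening makes `[ -z "$CIS_ROOT_DIR" ]` abort with bash's unbound-variable error before the intended diagnostic is printed; `if [ -z "${CIS_ROOT_DIR:-}" ]; then` keeps the message reachable. Both patterns appear to be inherited from the other scripts in this series, so a fix here should be mirrored there. The audit() contract also deserves a comment, since the check is titled "not enabled" but only package presence is tested, e.g. `# Package presence is treated as "enabled"; an installed-but-disabled xinetd is still reported crit`.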
@@ -5,20 +5,20 @@
 #
 
 #
-# 5.1.8 Ensure xinetd is not enabled (Scored)
+# 2.1.1 Ensure bsd-inetd is not enabled (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
-DESCRIPTION="Ensure xinetd is not enabled."
+DESCRIPTION="Ensure bsd-inetd is not enabled."
 
-PACKAGES='openbsd-inetd xinetd rlinetd'
+PACKAGES='openbsd-inetd inetutils-inetd'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
- for PACKAGE in $PACKAGES; do
+ for PACKAGE in $PACKAGES; do
 is_pkg_installed $PACKAGE
 if [ $FNRET = 0 ]; then
 crit "$PACKAGE is installed"
@@ -30,7 +30,7 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
- for PACKAGE in $PACKAGES; do
+ for PACKAGE in $PACKAGES; do
 is_pkg_installed $PACKAGE
 if [ $FNRET = 0 ]; then
 warn "$PACKAGE is installed, purging"
diff --git a/bin/hardening/5.1.1_disable_nis.sh b/bin/hardening/2.3.1_disable_nis.sh
similarity index 96%
rename from bin/hardening/5.1.1_disable_nis.sh
rename to bin/hardening/2.3.1_disable_nis.sh
index 7967b33..4425ac4 100755
--- a/bin/hardening/5.1.1_disable_nis.sh
+++ b/bin/hardening/2.3.1_disable_nis.sh
@@ -5,7 +5,7 @@
 #
 
 #
-# 5.1.1 Ensure NIS is not installed (Scored)
+# 2.3.1 Ensure NIS client is not installed (Scored)
 #
 
 set -e # One error, it's over
diff --git a/bin/hardening/5.1.3_disable_rsh_client.sh b/bin/hardening/2.3.2_disable_rsh_client.sh
similarity index 97%
rename from bin/hardening/5.1.3_disable_rsh_client.sh
rename to bin/hardening/2.3.2_disable_rsh_client.sh
index c04eeda..a6fb834 100755
--- a/bin/hardening/5.1.3_disable_rsh_client.sh
+++ b/bin/hardening/2.3.2_disable_rsh_client.sh
@@ -5,7 +5,7 @@
 #
 
 #
-# 5.1.3 Ensure rsh client is not installed (Scored)
+# 2.3.2 Ensure rsh client is not installed (Scored)
 #
 
 set -e # One error, it's over
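Review bot: The renumbered header comment in the first hunk of 2.1.2_disable_bsd_inetd.sh still reads `# 2.1.1 Ensure bsd-inetd is not enabled (Scored)` although the file is now 2.1.2 and 2.1.1 is the new xinetd script; it should read `# 2.1.2 Ensure bsd-inetd is not enabled (Scored)` so the header agrees with the filename. The new PACKAGES line also drops `rlinetd`, which the old list covered and which neither this script nor the new 2.1.1 script tests, so a host with that package installed presumably passes both checks after this commit; if the narrowing is intended, record it with a comment on the PACKAGES line such as `# rlinetd no longer covered here: <reason>`, otherwise keep it in the list. The `for PACKAGE` lines in both hunks change only whitespace, so there is nothing further to raise on them.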
diff --git a/bin/hardening/5.1.5_disable_talk_client.sh b/bin/hardening/2.3.3_disable_talk_client.sh
similarity index 96%
rename from bin/hardening/5.1.5_disable_talk_client.sh
rename to bin/hardening/2.3.3_disable_talk_client.sh
index 5c7aa07..0513347 100755
--- a/bin/hardening/5.1.5_disable_talk_client.sh
+++ b/bin/hardening/2.3.3_disable_talk_client.sh
@@ -5,7 +5,7 @@
 #
 
 #
-# 5.1.5 Ensure talk client is not installed (Scored)
+# 2.3.3 Ensure talk client is not installed (Scored)
 #
 
 set -e # One error, it's over
diff --git a/bin/hardening/5.1.2_disable_rsh.sh b/bin/hardening/5.1.2_disable_rsh.sh
deleted file mode 100755
index c641c6f..0000000
--- a/bin/hardening/5.1.2_disable_rsh.sh
+++ /dev/null
@@ -1,95 +0,0 @@ -#!/bin/bash - -# -# CIS Debian Hardening -# - -# -# 5.1.2 Ensure rsh server is not enabled (Scored) -# - -set -e # One error, it's over -set -u # One variable unset, it's over - -HARDENING_LEVEL=2 -DESCRIPTION="Ensure rsh server is not enabled. Recommended alternative : sshd (openssh-server)." - -# Based on aptitude search '~Prsh-server' -PACKAGES='rsh-server rsh-redone-server heimdal-servers' -FILE='/etc/inetd.conf' -PATTERN='^(shell|login|exec)' - -# This function will be called if the script status is on enabled / audit mode -audit () { - for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - warn "$PACKAGE is installed, checking configuration" - does_file_exist $FILE - if [ $FNRET != 0 ]; then - ok "$FILE does not exist" - else - does_pattern_exist_in_file $FILE $PATTERN - if [ $FNRET = 0 ]; then - crit "$PATTERN exists, $PACKAGE services are enabled!" - else - ok "$PATTERN is not present in $FILE" - fi - fi - else - ok "$PACKAGE is absent" - fi - done -} - -# This function will be called if the script status is on enabled mode -apply () { - for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - crit "$PACKAGE is installed, purging it" - apt-get purge $PACKAGE -y - apt-get autoremove - else - ok "$PACKAGE is absent" - fi - does_file_exist $FILE - if [ $FNRET != 0 ]; then - ok "$FILE does not exist" - else - info "$FILE exists, checking patterns" - does_pattern_exist_in_file $FILE $PATTERN - if [ $FNRET = 0 ]; then - warn "$PATTERN is present in $FILE, purging it" - backup_file $FILE - ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) - sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE - else - ok "$PATTERN is not present in $FILE" - fi - fi - done -} - -# This function will check config parameters required -check_config() { - : -} - -# Source Root Dir Parameter -if [ -r /etc/default/cis-hardening ]; then - . 
/etc/default/cis-hardening -fi -if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." - exit 128 -fi - -# Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then - . $CIS_ROOT_DIR/lib/main.sh -else - echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" - exit 128 -fi diff --git a/bin/hardening/5.1.4_disable_talk.sh b/bin/hardening/5.1.4_disable_talk.sh deleted file mode 100755 index 4df2705..0000000 --- a/bin/hardening/5.1.4_disable_talk.sh +++ /dev/null 
@@ -1,94 +0,0 @@ -#!/bin/bash - -# -# CIS Debian Hardening -# - -# -# 5.1.4 Ensure talk server is not enabled (Scored) -# - -set -e # One error, it's over -set -u # One variable unset, it's over - -HARDENING_LEVEL=2 -DESCRIPTION="Ensure talk server is not enabled." - -PACKAGES='inetutils-talkd talkd' -FILE='/etc/inetd.conf' -PATTERN='^(talk|ntalk)' - -# This function will be called if the script status is on enabled / audit mode -audit () { - for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - warn "$PACKAGE is installed, checking configuration" - does_file_exist $FILE - if [ $FNRET != 0 ]; then - ok "$FILE does not exist" - else - does_pattern_exist_in_file $FILE $PATTERN - if [ $FNRET = 0 ]; then - crit "$PATTERN exists, $PACKAGE services are enabled!" - else - ok "$PATTERN is not present in $FILE" - fi - fi - else - ok "$PACKAGE is absent" - fi - done -} - -# This function will be called if the script status is on enabled mode -apply () { - for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - crit "$PACKAGE is installed, purging it" - apt-get purge $PACKAGE -y - apt-get autoremove - else - ok "$PACKAGE is absent" - fi - does_file_exist $FILE - if [ $FNRET != 0 ]; then - ok "$FILE does not exist" - else - info "$FILE exists, checking patterns" - does_pattern_exist_in_file $FILE $PATTERN - if [ $FNRET = 0 ]; then - warn "$PATTERN is present in $FILE, purging it" - backup_file $FILE - ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) - sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE - else - ok "$PATTERN is not present in $FILE" - fi - fi - done -} - -# This function will check config parameters required -check_config() { - : -} - -# Source Root Dir Parameter -if [ -r /etc/default/cis-hardening ]; then - . /etc/default/cis-hardening -fi -if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." 
- echo "Cannot source CIS_ROOT_DIR variable, aborting." - exit 128 -fi - -# Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then - . $CIS_ROOT_DIR/lib/main.sh -else - echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" - exit 128 -fi diff --git a/bin/hardening/5.1.6_disable_telnet_server.sh b/bin/hardening/5.1.6_disable_telnet_server.sh deleted file mode 100755 index fb2b8c9..0000000 --- a/bin/hardening/5.1.6_disable_telnet_server.sh +++ /dev/null 
@@ -1,95 +0,0 @@ -#!/bin/bash - -# -# CIS Debian Hardening -# - -# -# 5.1.6 Ensure telnet server is not enabled (Scored) -# - -set -e # One error, it's over -set -u # One variable unset, it's over - -HARDENING_LEVEL=2 -DESCRIPTION="Ensure telnet server is not enabled. Recommended alternative : sshd (OpenSSH-server)." - -# Based on aptitude search '~Ptelnet-server' -PACKAGES='telnetd inetutils-telnetd telnetd-ssl krb5-telnetd heimdal-servers' -FILE='/etc/inetd.conf' -PATTERN='^telnet' - -# This function will be called if the script status is on enabled / audit mode -audit () { - for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - warn "$PACKAGE is installed, checking configuration" - does_file_exist $FILE - if [ $FNRET != 0 ]; then - ok "$FILE does not exist" - else - does_pattern_exist_in_file $FILE $PATTERN - if [ $FNRET = 0 ]; then - crit "$PATTERN exists, $PACKAGE services are enabled!" - else - ok "$PATTERN is not present in $FILE" - fi - fi - else - ok "$PACKAGE is absent" - fi - done -} - -# This function will be called if the script status is on enabled mode -apply () { - for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - crit "$PACKAGE is installed, purging it" - apt-get purge $PACKAGE -y - apt-get autoremove - else - ok "$PACKAGE is absent" - fi - does_file_exist $FILE - if [ $FNRET != 0 ]; then - ok "$FILE does not exist" - else - info "$FILE exists, checking patterns" - does_pattern_exist_in_file $FILE $PATTERN - if [ $FNRET = 0 ]; then - warn "$PATTERN is present in $FILE, purging it" - backup_file $FILE - ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) - sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE - else - ok "$PATTERN is not present in $FILE" - fi - fi - done -} - -# This function will check config parameters required -check_config() { - : -} - -# Source Root Dir Parameter -if [ -r /etc/default/cis-hardening ]; then - . 
/etc/default/cis-hardening -fi -if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." - exit 128 -fi - -# Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then - . $CIS_ROOT_DIR/lib/main.sh -else - echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" - exit 128 -fi diff --git a/bin/hardening/5.1.7_disable_tftp_server.sh b/bin/hardening/5.1.7_disable_tftp_server.sh deleted file mode 100755 index b0c7e34..0000000 --- a/bin/hardening/5.1.7_disable_tftp_server.sh +++ /dev/null 
@@ -1,94 +0,0 @@ -#!/bin/bash - -# -# CIS Debian Hardening -# - -# -# 5.1.7 Ensure tftp-server is not enabled (Scored) -# - -set -e # One error, it's over -set -u # One variable unset, it's over - -HARDENING_LEVEL=2 -DESCRIPTION="Ensure tftp-server is not enabled." - -PACKAGES='tftpd tftpd-hpa atftpd' -FILE='/etc/inetd.conf' -PATTERN='^tftp' - -# This function will be called if the script status is on enabled / audit mode -audit () { - for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - warn "$PACKAGE is installed, checking configuration" - does_file_exist $FILE - if [ $FNRET != 0 ]; then - ok "$FILE does not exist" - else - does_pattern_exist_in_file $FILE $PATTERN - if [ $FNRET = 0 ]; then - crit "$PATTERN exists, $PACKAGE services are enabled!" - else - ok "$PATTERN is not present in $FILE" - fi - fi - else - ok "$PACKAGE is absent" - fi - done -} - -# This function will be called if the script status is on enabled mode -apply () { - for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - crit "$PACKAGE is installed, purging it" - apt-get purge $PACKAGE -y - apt-get autoremove - else - ok "$PACKAGE is absent" - fi - does_file_exist $FILE - if [ $FNRET != 0 ]; then - ok "$FILE does not exist" - else - info "$FILE exists, checking patterns" - does_pattern_exist_in_file $FILE $PATTERN - if [ $FNRET = 0 ]; then - warn "$PATTERN is present in $FILE, purging it" - backup_file $FILE - ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) - sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE - else - ok "$PATTERN is not present in $FILE" - fi - fi - done -} - -# This function will check config parameters required -check_config() { - : -} - -# Source Root Dir Parameter -if [ -r /etc/default/cis-hardening ]; then - . /etc/default/cis-hardening -fi -if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." 
- echo "Cannot source CIS_ROOT_DIR variable, aborting." - exit 128 -fi - -# Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then - . $CIS_ROOT_DIR/lib/main.sh -else - echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" - exit 128 -fi diff --git a/bin/hardening/5.2_disable_chargen.sh b/bin/hardening/5.2_disable_chargen.sh deleted file mode 100755 index 689e7ab..0000000 --- a/bin/hardening/5.2_disable_chargen.sh +++ /dev/null 
@@ -1,75 +0,0 @@ -#!/bin/bash - -# -# CIS Debian Hardening -# - -# -# 5.2 Ensure chargen is not enabled (Scored) -# - -set -e # One error, it's over -set -u # One variable unset, it's over - -HARDENING_LEVEL=2 -DESCRIPTION="Ensure chargen debugging network service is not enabled." - -FILE='/etc/inetd.conf' -PATTERN='^chargen' - -# This function will be called if the script status is on enabled / audit mode -audit () { - does_file_exist $FILE - if [ $FNRET != 0 ]; then - ok "$FILE does not exist" - else - does_pattern_exist_in_file $FILE $PATTERN - if [ $FNRET = 0 ]; then - crit "$PATTERN exists, chargen service is enabled!" - else - ok "$PATTERN is not present in $FILE" - fi - fi -} - -# This function will be called if the script status is on enabled mode -apply () { - does_file_exist $FILE - if [ $FNRET != 0 ]; then - ok "$FILE does not exist" - else - info "$FILE exists, checking patterns" - does_pattern_exist_in_file $FILE $PATTERN - if [ $FNRET = 0 ]; then - warn "$PATTERN is present in $FILE, purging it" - backup_file $FILE - ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) - sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE - else - ok "$PATTERN is not present in $FILE" - fi - fi -} - -# This function will check config parameters required -check_config() { - : -} - -# Source Root Dir Parameter -if [ -r /etc/default/cis-hardening ]; then - . /etc/default/cis-hardening -fi -if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." - exit 128 -fi - -# Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then - . $CIS_ROOT_DIR/lib/main.sh -else - echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" - exit 128 -fi 
diff --git a/bin/hardening/5.3_disable_daytime.sh b/bin/hardening/5.3_disable_daytime.sh deleted file mode 100755 index b525b51..0000000 --- a/bin/hardening/5.3_disable_daytime.sh +++ /dev/null 
@@ -1,75 +0,0 @@ -#!/bin/bash - -# -# CIS Debian Hardening -# - -# -# 5.3 Ensure daytime is not enabled (Scored) -# - -set -e # One error, it's over -set -u # One variable unset, it's over - -HARDENING_LEVEL=2 -DESCRIPTION="Ensure daytime debugging network service is not enabled." - -FILE='/etc/inetd.conf' -PATTERN='^daytime' - -# This function will be called if the script status is on enabled / audit mode -audit () { - does_file_exist $FILE - if [ $FNRET != 0 ]; then - ok "$FILE does not exist" - else - does_pattern_exist_in_file $FILE $PATTERN - if [ $FNRET = 0 ]; then - crit "$PATTERN exists, daytime service is enabled!" - else - ok "$PATTERN is not present in $FILE" - fi - fi -} - -# This function will be called if the script status is on enabled mode -apply () { - does_file_exist $FILE - if [ $FNRET != 0 ]; then - ok "$FILE does not exist" - else - info "$FILE exists, checking patterns" - does_pattern_exist_in_file $FILE $PATTERN - if [ $FNRET = 0 ]; then - warn "$PATTERN is present in $FILE, purging it" - backup_file $FILE - ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) - sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE - else - ok "$PATTERN is not present in $FILE" - fi - fi -} - -# This function will check config parameters required -check_config() { - : -} - -# Source Root Dir Parameter -if [ -r /etc/default/cis-hardening ]; then - . /etc/default/cis-hardening -fi -if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." - exit 128 -fi - -# Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then - . $CIS_ROOT_DIR/lib/main.sh -else - echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" - exit 128 -fi 
diff --git a/bin/hardening/5.4_disable_echo.sh b/bin/hardening/5.4_disable_echo.sh deleted file mode 100755 index 984b0b2..0000000 --- a/bin/hardening/5.4_disable_echo.sh +++ /dev/null 
@@ -1,75 +0,0 @@ -#!/bin/bash - -# -# CIS Debian Hardening -# - -# -# 5.4 Ensure echo is not enabled (Scored) -# - -set -e # One error, it's over -set -u # One variable unset, it's over - -HARDENING_LEVEL=2 -DESCRIPTION="Ensure echo debugging network service is not enabled." - -FILE='/etc/inetd.conf' -PATTERN='^echo' - -# This function will be called if the script status is on enabled / audit mode -audit () { - does_file_exist $FILE - if [ $FNRET != 0 ]; then - ok "$FILE does not exist" - else - does_pattern_exist_in_file $FILE $PATTERN - if [ $FNRET = 0 ]; then - crit "$PATTERN exists, echo service is enabled!" - else - ok "$PATTERN is not present in $FILE" - fi - fi -} - -# This function will be called if the script status is on enabled mode -apply () { - does_file_exist $FILE - if [ $FNRET != 0 ]; then - ok "$FILE does not exist" - else - info "$FILE exists, checking patterns" - does_pattern_exist_in_file $FILE $PATTERN - if [ $FNRET = 0 ]; then - warn "$PATTERN is present in $FILE, purging it" - backup_file $FILE - ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) - sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE - else - ok "$PATTERN is not present in $FILE" - fi - fi -} - -# This function will check config parameters required -check_config() { - : -} - -# Source Root Dir Parameter -if [ -r /etc/default/cis-hardening ]; then - . /etc/default/cis-hardening -fi -if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." - exit 128 -fi - -# Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then - . $CIS_ROOT_DIR/lib/main.sh -else - echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" - exit 128 -fi 
diff --git a/bin/hardening/5.5_disable_discard.sh b/bin/hardening/5.5_disable_discard.sh deleted file mode 100755 index 181be4a..0000000 --- a/bin/hardening/5.5_disable_discard.sh +++ /dev/null 
@@ -1,75 +0,0 @@ -#!/bin/bash - -# -# CIS Debian Hardening -# - -# -# 5.5 Ensure discard is not enabled (Scored) -# - -set -e # One error, it's over -set -u # One variable unset, it's over - -HARDENING_LEVEL=2 -DESCRIPTION="Ensure discard debugging network service is not enabled." - -FILE='/etc/inetd.conf' -PATTERN='^discard' - -# This function will be called if the script status is on enabled / audit mode -audit () { - does_file_exist $FILE - if [ $FNRET != 0 ]; then - ok "$FILE does not exist" - else - does_pattern_exist_in_file $FILE $PATTERN - if [ $FNRET = 0 ]; then - crit "$PATTERN exists, discard service is enabled!" - else - ok "$PATTERN is not present in $FILE" - fi - fi -} - -# This function will be called if the script status is on enabled mode -apply () { - does_file_exist $FILE - if [ $FNRET != 0 ]; then - ok "$FILE does not exist" - else - info "$FILE exists, checking patterns" - does_pattern_exist_in_file $FILE $PATTERN - if [ $FNRET = 0 ]; then - warn "$PATTERN is present in $FILE, purging it" - backup_file $FILE - ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) - sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE - else - ok "$PATTERN is not present in $FILE" - fi - fi -} - -# This function will check config parameters required -check_config() { - : -} - -# Source Root Dir Parameter -if [ -r /etc/default/cis-hardening ]; then - . /etc/default/cis-hardening -fi -if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." - exit 128 -fi - -# Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then - . $CIS_ROOT_DIR/lib/main.sh -else - echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" - exit 128 -fi 
diff --git a/bin/hardening/5.6_disable_time.sh b/bin/hardening/5.6_disable_time.sh deleted file mode 100755 index 9f3f6ed..0000000 --- a/bin/hardening/5.6_disable_time.sh +++ /dev/null 
@@ -1,75 +0,0 @@ -#!/bin/bash - -# -# CIS Debian Hardening -# - -# -# 5.6 Ensure time is not enabled (Scored) -# - -set -e # One error, it's over -set -u # One variable unset, it's over - -HARDENING_LEVEL=2 -DESCRIPTION="Ensure time debugging network service is not enabled." - -FILE='/etc/inetd.conf' -PATTERN='^time' - -# This function will be called if the script status is on enabled / audit mode -audit () { - does_file_exist $FILE - if [ $FNRET != 0 ]; then - ok "$FILE does not exist" - else - does_pattern_exist_in_file $FILE $PATTERN - if [ $FNRET = 0 ]; then - crit "$PATTERN exists, time service is enabled!" - else - ok "$PATTERN is not present in $FILE" - fi - fi -} - -# This function will be called if the script status is on enabled mode -apply () { - does_file_exist $FILE - if [ $FNRET != 0 ]; then - ok "$FILE does not exist" - else - info "$FILE exists, checking patterns" - does_pattern_exist_in_file $FILE $PATTERN - if [ $FNRET = 0 ]; then - warn "$PATTERN is present in $FILE, purging it" - backup_file $FILE - ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) - sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE - else - ok "$PATTERN is not present in $FILE" - fi - fi -} - -# This function will check config parameters required -check_config() { - : -} - -# Source Root Dir Parameter -if [ -r /etc/default/cis-hardening ]; then - . /etc/default/cis-hardening -fi -if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." - exit 128 -fi - -# Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then - . $CIS_ROOT_DIR/lib/main.sh -else - echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" - exit 128 -fi 
diff --git a/tests/hardening/5.1.1_disable_nis.sh b/tests/hardening/2.1.1_disable_xinetd.sh similarity index 100% rename from tests/hardening/5.1.1_disable_nis.sh rename to tests/hardening/2.1.1_disable_xinetd.sh diff --git a/tests/hardening/5.1.2_disable_rsh.sh b/tests/hardening/2.3.1_disable_nis.sh similarity index 100% rename from tests/hardening/5.1.2_disable_rsh.sh rename to tests/hardening/2.3.1_disable_nis.sh diff --git a/tests/hardening/5.1.3_disable_rsh_client.sh b/tests/hardening/2.3.2_disable_rsh_client.sh similarity index 100% rename from tests/hardening/5.1.3_disable_rsh_client.sh rename to tests/hardening/2.3.2_disable_rsh_client.sh diff --git a/tests/hardening/5.1.4_disable_talk.sh b/tests/hardening/2.3.3_disable_talk_client.sh similarity index 100% rename from tests/hardening/5.1.4_disable_talk.sh rename to tests/hardening/2.3.3_disable_talk_client.sh diff --git a/tests/hardening/5.1.5_disable_talk_client.sh b/tests/hardening/5.1.5_disable_talk_client.sh deleted file mode 100644 index b333419..0000000 --- a/tests/hardening/5.1.5_disable_talk_client.sh +++ /dev/null @@ -1,10 +0,0 @@ -# run-shellcheck -test_audit() { - describe Running on blank host - register_test retvalshouldbe 0 - dismiss_count_for_test - # shellcheck disable=2154 - run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - - # TODO fill comprehensive tests -} diff --git a/tests/hardening/5.1.6_disable_telnet_server.sh b/tests/hardening/5.1.6_disable_telnet_server.sh deleted file mode 100644 index b333419..0000000 --- a/tests/hardening/5.1.6_disable_telnet_server.sh +++ /dev/null @@ -1,10 +0,0 @@ -# run-shellcheck -test_audit() { - describe Running on blank host - register_test retvalshouldbe 0 - dismiss_count_for_test - # shellcheck disable=2154 - run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - - # TODO fill comprehensive tests -} 
diff --git a/tests/hardening/5.1.7_disable_tftp_server.sh b/tests/hardening/5.1.7_disable_tftp_server.sh deleted file mode 100644 index b333419..0000000 --- a/tests/hardening/5.1.7_disable_tftp_server.sh +++ /dev/null @@ -1,10 +0,0 @@ -# run-shellcheck -test_audit() { - describe Running on blank host - register_test retvalshouldbe 0 - dismiss_count_for_test - # shellcheck disable=2154 - run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - - # TODO fill comprehensive tests -} diff --git a/tests/hardening/5.1.8_disable_inetd.sh b/tests/hardening/5.1.8_disable_inetd.sh deleted file mode 100644 index b333419..0000000 --- a/tests/hardening/5.1.8_disable_inetd.sh +++ /dev/null @@ -1,10 +0,0 @@ -# run-shellcheck -test_audit() { - describe Running on blank host - register_test retvalshouldbe 0 - dismiss_count_for_test - # shellcheck disable=2154 - run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - - # TODO fill comprehensive tests -} diff --git a/tests/hardening/5.2_disable_chargen.sh b/tests/hardening/5.2_disable_chargen.sh deleted file mode 100644 index b333419..0000000 --- a/tests/hardening/5.2_disable_chargen.sh +++ /dev/null @@ -1,10 +0,0 @@ -# run-shellcheck -test_audit() { - describe Running on blank host - register_test retvalshouldbe 0 - dismiss_count_for_test - # shellcheck disable=2154 - run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - - # TODO fill comprehensive tests -} diff --git a/tests/hardening/5.3_disable_daytime.sh b/tests/hardening/5.3_disable_daytime.sh deleted file mode 100644 index b333419..0000000 --- a/tests/hardening/5.3_disable_daytime.sh +++ /dev/null @@ -1,10 +0,0 @@ -# run-shellcheck -test_audit() { - describe Running on blank host - register_test retvalshouldbe 0 - dismiss_count_for_test - # shellcheck disable=2154 - run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - - # TODO fill comprehensive tests -} 
diff --git a/tests/hardening/5.4_disable_echo.sh b/tests/hardening/5.4_disable_echo.sh deleted file mode 100644 index b333419..0000000 --- a/tests/hardening/5.4_disable_echo.sh +++ /dev/null @@ -1,10 +0,0 @@ -# run-shellcheck -test_audit() { - describe Running on blank host - register_test retvalshouldbe 0 - dismiss_count_for_test - # shellcheck disable=2154 - run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - - # TODO fill comprehensive tests -} diff --git a/tests/hardening/5.5_disable_discard.sh b/tests/hardening/5.5_disable_discard.sh deleted file mode 100644 index b333419..0000000 --- a/tests/hardening/5.5_disable_discard.sh +++ /dev/null @@ -1,10 +0,0 @@ -# run-shellcheck -test_audit() { - describe Running on blank host - register_test retvalshouldbe 0 - dismiss_count_for_test - # shellcheck disable=2154 - run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - - # TODO fill comprehensive tests -} diff --git a/tests/hardening/5.6_disable_time.sh b/tests/hardening/5.6_disable_time.sh deleted file mode 100644 index b333419..0000000 --- a/tests/hardening/5.6_disable_time.sh +++ /dev/null @@ -1,10 +0,0 @@ -# run-shellcheck -test_audit() { - describe Running on blank host - register_test retvalshouldbe 0 - dismiss_count_for_test - # shellcheck disable=2154 - run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - - # TODO fill comprehensive tests -}