Renumbering of bootloader checks

renamed: 3.1_bootloader_ownership.sh -> 1.4.1_bootloader_ownership.sh renamed: 3.3_bootloader_password.sh -> 1.4.2_bootloader_password.sh renamed: 3.4_root_password.sh -> 1.4.3_root_password.sh deleted: 3.2_bootloader_permissions.sh renamed: ../../tests/hardening/3.4_root_password.sh -> ../../tests/hardening/1.4.1_bootloader_ownership.sh renamed: ../../tests/hardening/3.3_bootloader_password.sh -> ../../tests/hardening/1.4.2_bootloader_password.sh renamed: ../../tests/hardening/3.1_bootloader_ownership.sh -> ../../tests/hardening/1.4.3_root_password.sh
2024-11-22 05:27:01 +01:00 · 2019-08-28 17:19:59 +02:00 · 2019-08-28 17:19:59 +02:00 · fe25b1ba38
commit fe25b1ba38
parent 0b85d16c16
7 changed files with 19 additions and 75 deletions
--- a/bin/hardening/1.4.1_bootloader_ownership.sh
+++ b/bin/hardening/1.4.1_bootloader_ownership.sh
@ -5,7 +5,7 @@
 #

 #
-# 3.1 Set User/Group Owner on bootloader config (Scored)
+# 1.4.1 Ensure permissions on bootloader config are configured (Scored)
 #

 set -e # One error, it's over
@ -19,6 +19,7 @@ DESCRIPTION="User and group root owner of grub bootloader config."
 FILE='/boot/grub/grub.cfg'
 USER='root'
 GROUP='root'
+PERMISSIONS='400'

 # This function will be called if the script status is on enabled / audit mode
 audit () {
@ -28,6 +29,13 @@ audit () {
    else
        crit "$FILE ownership was not set to $USER:$GROUP"
    fi 
+
+    has_file_correct_permissions $FILE $PERMISSIONS
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        crit "$FILE permissions were not set to $PERMISSIONS"
+    fi 
 }

 # This function will be called if the script status is on enabled mode
@ -39,6 +47,14 @@ apply () {
        info "fixing $FILE ownership to $USER:$GROUP"
        chown $USER:$GROUP $FILE
    fi
+
+    has_file_correct_permissions $FILE $PERMISSIONS
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        info "fixing $FILE permissions to $PERMISSIONS"
+        chmod 0$PERMISSIONS $FILE
+    fi
 }

 # This function will check config parameters required
--- a/bin/hardening/1.4.2_bootloader_password.sh
+++ b/bin/hardening/1.4.2_bootloader_password.sh
@ -5,7 +5,7 @@
 #

 #
-# 3.3 Set Boot Loader Password (Scored)
+# 1.4.2 Ensure bootloader password is set (Scored)
 #

 set -e # One error, it's over
--- a/bin/hardening/1.4.3_root_password.sh
+++ b/bin/hardening/1.4.3_root_password.sh
@ -5,7 +5,7 @@
 #

 #
-# 3.4 Require Authentication for Single-User Mode (Scored)
+# 1.4.3 Ensure authentication required for single user mode (Scored)
 #

 set -e # One error, it's over
--- a/bin/hardening/3.2_bootloader_permissions.sh
+++ b/bin/hardening/3.2_bootloader_permissions.sh
@ -1,72 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian Hardening
-#
-
-#
-# 3.2 Set Permissions on bootloader config (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=1
-DESCRIPTION="Permissions for root only on grub bootloader config."
-
-# Assertion : Grub Based.
-
-FILE='/boot/grub/grub.cfg'
-PERMISSIONS='400'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    has_file_correct_permissions $FILE $PERMISSIONS
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    has_file_correct_permissions $FILE $PERMISSIONS
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0$PERMISSIONS $FILE
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    is_pkg_installed "grub-pc"
-    if [ $FNRET != 0 ]; then
-        warn "grub-pc is not installed, not handling configuration"
-        exit 128
-    fi
-    if [ $FNRET != 0 ]; then
-        crit "$FILE does not exist"
-        exit 128
-    fi
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/tests/hardening/1.4.1_bootloader_ownership.sh
+++ b/tests/hardening/1.4.1_bootloader_ownership.sh
--- a/tests/hardening/1.4.2_bootloader_password.sh
+++ b/tests/hardening/1.4.2_bootloader_password.sh
--- a/tests/hardening/1.4.3_root_password.sh
+++ b/tests/hardening/1.4.3_root_password.sh