diff --git a/bin/hardening/3.1_bootloader_ownership.sh b/bin/hardening/1.4.1_bootloader_ownership.sh similarity index 80% rename from bin/hardening/3.1_bootloader_ownership.sh rename to bin/hardening/1.4.1_bootloader_ownership.sh index ba25f21..d0135d5 100755 --- a/bin/hardening/3.1_bootloader_ownership.sh +++ b/bin/hardening/1.4.1_bootloader_ownership.sh @@ -5,7 +5,7 @@ # # -# 3.1 Set User/Group Owner on bootloader config (Scored) +# 1.4.1 Ensure permissions on bootloader config are configured (Scored) # set -e # One error, it's over @@ -19,6 +19,7 @@ DESCRIPTION="User and group root owner of grub bootloader config." FILE='/boot/grub/grub.cfg' USER='root' GROUP='root' +PERMISSIONS='400' # This function will be called if the script status is on enabled / audit mode audit () { @@ -28,6 +29,13 @@ audit () { else crit "$FILE ownership was not set to $USER:$GROUP" fi + + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + crit "$FILE permissions were not set to $PERMISSIONS" + fi } # This function will be called if the script status is on enabled mode @@ -39,6 +47,14 @@ apply () { info "fixing $FILE ownership to $USER:$GROUP" chown $USER:$GROUP $FILE fi + + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + info "fixing $FILE permissions to $PERMISSIONS" + chmod 0$PERMISSIONS $FILE + fi } # This function will check config parameters required diff --git a/bin/hardening/3.3_bootloader_password.sh b/bin/hardening/1.4.2_bootloader_password.sh similarity index 97% rename from bin/hardening/3.3_bootloader_password.sh rename to bin/hardening/1.4.2_bootloader_password.sh index ac450d4..60d72ec 100755 --- a/bin/hardening/3.3_bootloader_password.sh +++ b/bin/hardening/1.4.2_bootloader_password.sh @@ -5,7 +5,7 @@ # # -# 3.3 Set Boot Loader Password (Scored) +# 1.4.2 Ensure bootloader password is set (Scored) # set -e # One error, it's over 
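Review bot: The context line `DESCRIPTION="User and group root owner of grub bootloader config."` just above the new `PERMISSIONS='400'` is now stale, since after this change the script audits and enforces the file mode as well as ownership, and DESCRIPTION is presumably what the run report prints for control 1.4.1. Suggest `DESCRIPTION="Root-only ownership (root:root) and 0400 permissions on grub bootloader config."`, which also carries over the wording of the deleted 3.2 script so nothing is lost in the merge.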
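Review bot: The permission check added to audit() reports `crit` whenever `has_file_correct_permissions $FILE $PERMISSIONS` fails, and if that helper compares the mode for exact equality with 400, as its name suggests (the helper is not in this diff), a grub.cfg that is already more restrictive, e.g. 0000, is flagged as non-compliant even though CIS 1.4.1 only requires that group and other have no access (`chmod og-rwx`). If equality is indeed what the helper does, a mask test expresses "no bits other than owner-read": `mode=$(stat -c '%a' "$FILE")` followed by `if [ $(( 8#$mode & 8#377 )) -eq 0 ]; then`, with the same `ok`/`crit` branches. The opening of audit(), with the ownership check, is above this hunk.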
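Review bot: `chmod 0$PERMISSIONS $FILE` in apply() fires whenever the helper says the mode is not 400, so on the assumption that `has_file_correct_permissions` is an equality check (it is not shown here) a file an administrator had already locked down to 0000 is widened to 0400 by a hardening run, which is the opposite of what the control intends. Removing unwanted bits instead of assigning an absolute mode avoids that: `chmod u-wx,go-rwx "$FILE"` reaches 0400 from 0644 or 0700 and leaves 0000 untouched. While the line is new it is also worth quoting both arguments (`chmod "0$PERMISSIONS" "$FILE"`) rather than inheriting the unquoted style of the surrounding code. The start of apply(), with the ownership branch, is above this hunk.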
diff --git a/bin/hardening/3.4_root_password.sh b/bin/hardening/1.4.3_root_password.sh similarity index 95% rename from bin/hardening/3.4_root_password.sh rename to bin/hardening/1.4.3_root_password.sh index 553aa42..6220703 100755 --- a/bin/hardening/3.4_root_password.sh +++ b/bin/hardening/1.4.3_root_password.sh @@ -5,7 +5,7 @@ # # -# 3.4 Require Authentication for Single-User Mode (Scored) +# 1.4.3 Ensure authentication required for single user mode (Scored) # set -e # One error, it's over diff --git a/bin/hardening/3.2_bootloader_permissions.sh b/bin/hardening/3.2_bootloader_permissions.sh deleted file mode 100755 index d86f7db..0000000 --- a/bin/hardening/3.2_bootloader_permissions.sh +++ /dev/null 
@@ -1,72 +0,0 @@ -#!/bin/bash - -# -# CIS Debian Hardening -# - -# -# 3.2 Set Permissions on bootloader config (Scored) -# - -set -e # One error, it's over -set -u # One variable unset, it's over - -HARDENING_LEVEL=1 -DESCRIPTION="Permissions for root only on grub bootloader config." - -# Assertion : Grub Based. - -FILE='/boot/grub/grub.cfg' -PERMISSIONS='400' - -# This function will be called if the script status is on enabled / audit mode -audit () { - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then - ok "$FILE has correct permissions" - else - crit "$FILE permissions were not set to $PERMISSIONS" - fi -} - -# This function will be called if the script status is on enabled mode -apply () { - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then - ok "$FILE has correct permissions" - else - info "fixing $FILE permissions to $PERMISSIONS" - chmod 0$PERMISSIONS $FILE - fi -} - -# This function will check config parameters required -check_config() { - is_pkg_installed "grub-pc" - if [ $FNRET != 0 ]; then - warn "grub-pc is not installed, not handling configuration" - exit 128 - fi - if [ $FNRET != 0 ]; then - crit "$FILE does not exist" - exit 128 - fi -} - -# Source Root Dir Parameter -if [ -r /etc/default/cis-hardening ]; then - . /etc/default/cis-hardening -fi -if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." - exit 128 -fi - -# Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then - . $CIS_ROOT_DIR/lib/main.sh -else - echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" - exit 128 -fi 
diff --git a/tests/hardening/3.1_bootloader_ownership.sh b/tests/hardening/1.4.1_bootloader_ownership.sh similarity index 100% rename from tests/hardening/3.1_bootloader_ownership.sh rename to tests/hardening/1.4.1_bootloader_ownership.sh diff --git a/tests/hardening/3.3_bootloader_password.sh b/tests/hardening/1.4.2_bootloader_password.sh similarity index 100% rename from tests/hardening/3.3_bootloader_password.sh rename to tests/hardening/1.4.2_bootloader_password.sh diff --git a/tests/hardening/3.4_root_password.sh b/tests/hardening/1.4.3_root_password.sh similarity index 100% rename from tests/hardening/3.4_root_password.sh rename to tests/hardening/1.4.3_root_password.sh