3753a72723 refactor: is_kernel_option_enabled
Current "is_kernel_option_enabled" function is doing many things, like checking for a kernel option AND checking a kernel module state AND checking if it is disabled
We split it in different functions:
        - is_kernel_monolithic
        - is_kernel_option_enabled -> check for a kernel configuration in the running kernel
        - is_kernel_module_loaded -> check if a module is currently loaded
        - is_kernel_module_available -> check if a module is configured in all available kernel configs
        - is_kernel_module_disabled   -> check if a kernel module is disabled in the modprobe configuration

Also:

- update its behaviour to debian 12 CIS recommendation, to check if a module is "available in ANY installed kernel"
- fix "disable_usb_storage" to look for correct module name once loaded : issue #249
- the associated checks now check separately if the module is loaded, and if it is configured
- for checks about kernel module presence, the "apply" function now disables the module in the modprobe configuration (if the kernel is not monolithic), but still won't unload it
2025-07-11 09:16:27 +02:00
43 changed files with 26 additions and 1737 deletions


@ -1,105 +0,0 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# Ensure GPG keys are configured (Manual)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure GPG keys are configured"
APT_KEY_PATH="/etc/apt/trusted.gpg.d"
APT_KEY_FILE="/etc/apt/trusted.gpg"
# from "man apt-secure"
SOURCES_UNSECURE_OPTION='allow-insecure=yes'
APT_UNSECURE_OPTION='Acquire::AllowInsecureRepositories=true'
# This function will be called if the script status is on enabled / audit mode
audit() {
key_files=0
info "Verifying that apt keys are present"
# apt-key list requires that gnupg2 is installed
# we are not going to install it for the sake of a test, so we only check the presence of key files
is_file_empty "$APT_KEY_FILE"
if [ "$FNRET" -eq 1 ]; then
info "$APT_KEY_FILE present and not empty"
key_files=$((key_files + 1))
fi
does_file_exist "$APT_KEY_PATH"
if [ "$FNRET" -ne 0 ]; then
info "$APT_KEY_PATH is missing"
else
asc_files=$(find "$APT_KEY_PATH" -name '*.asc' | wc -l)
key_files=$((key_files + asc_files))
gpg_files=$(find "$APT_KEY_PATH" -name '*.gpg' | wc -l)
key_files=$((key_files + gpg_files))
if [ "$asc_files" -eq 0 ] && [ "$gpg_files" -eq 0 ]; then
info "No key found in $APT_KEY_PATH"
fi
fi
if [ "$key_files" -eq 0 ]; then
crit "No GPG file found"
else
# we do not test the GPG keys validity, but we ensure we don't bypass them
info "Ensure an unsecure option is not set in some sources list"
unsecure_sources=$(find /etc/apt/ -name '*.list' -exec grep -l "$SOURCES_UNSECURE_OPTION" {} \;)
if [ -n "$unsecure_sources" ]; then
crit "Some source files use $SOURCES_UNSECURE_OPTION : $unsecure_sources"
fi
info "Ensure an unsecure option is not set in some apt configuration"
unsecure_option=$(grep -R "$APT_UNSECURE_OPTION" /etc/apt | wc -l)
if [ "$unsecure_option" -gt 0 ]; then
crit "$APT_UNSECURE_OPTION is set in apt configuration"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
audit
if [ "$FNRET" -gt 0 ]; then
crit "Your configuraiton does not match the recommendation. Please fix it manually"
else
info "Nothing to apply"
fi
}
# This function will check config parameters required
check_config() {
# No parameter for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "${CIS_LIB_DIR}"/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128
fi


@ -1,91 +0,0 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# Ensure chrony is enabled and running (Automated)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure chrony is enabled and running."
PACKAGE="chrony"
SERVICE="chrony"
# This function will be called if the script status is on enabled / audit mode
audit() {
CHRONY_INSTALLED=0
CHRONY_ENABLED=0
CHRONY_RUNNING=0
is_pkg_installed "$PACKAGE"
if [ "$FNRET" -ne 0 ]; then
CHRONY_INSTALLED=1
crit "chrony is not installed"
fi
# no package, no need to check further
return
is_service_enabled "$SERVICE"
if [ "$FNRET" -ne 0 ]; then
CHRONY_INSTALLED=1
crit "chrony is not enabled"
fi
is_service_active "$SERVICE"
if [ "$FNRET" -ne 0 ]; then
CHRONY_RUNNING=1
crit "chrony is not running"
fi
}
# This function will be called if the script status is on enabled mode
apply() {
audit
if [ "$CHRONY_INSTALLED" -eq 1 ]; then
warn "Please install chrony manually to ensure only one time synchronization system is installed"
fi
if [ "$CHRONY_ENABLED" -eq 1 ]; then
info "Enablign chrony service"
manage_service "enable" "$SERVICE"
fi
if [ "$CHRONY_RUNNING" -eq 1 ]; then
info "Starting chrony service"
manage_service "start" "$SERVICE"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "${CIS_LIB_DIR}"/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128
fi


@ -21,8 +21,8 @@ SERVICE_NAME="systemd-timesyncd"
# This function will be called if the script status is on enabled / audit mode
audit() {
is_service_enabled "$SERVICE_NAME"
if [ "$FNRET" -eq 0 ]; then
status=$(systemctl is-enabled "$SERVICE_NAME")
if [ "$status" = "enabled" ]; then
ok "$SERVICE_NAME is enabled"
else
crit "$SERVICE_NAME is disabled"
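Review bot: `status=$(systemctl is-enabled "$SERVICE_NAME")` can never reach the `crit "$SERVICE_NAME is disabled"` branch, because `systemctl is-enabled` exits non-zero for a disabled or masked unit and these check scripts run under `set -e` (visible at the top of the other files in this commit), so the whole script aborts at the assignment instead of reporting the finding. The old/new side of each line is not marked on this rendering, so this applies if that assignment is on the new side. Capture the output without letting the exit status propagate: `status=$(systemctl is-enabled "$SERVICE_NAME" 2>/dev/null || true)`. audit() starts in this hunk but its body continues past the end of it.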


@ -1,80 +0,0 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# Ensure /dev/shm is a separate partition (Automated)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure /dev/shm is a separate partition"
# Quick factoring as many script use the same logic
PARTITION="/dev/shm"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
is_mounted "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted"
FNRET=1
else
ok "$PARTITION is mounted"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
audit
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
else
info "mounting $PARTITION"
mount "$PARTITION"
fi
}
# This function will check config parameters required
check_config() {
# No parameter for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "${CIS_LIB_DIR}"/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128
fi


@ -36,7 +36,7 @@ apply() {
is_service_enabled "$SERVICE_NAME"
if [ "$FNRET" = 0 ]; then
info "Disabling $SERVICE_NAME"
manage_service disable "$SERVICE_NAME"
update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
else
ok "$SERVICE_NAME is disabled"
fi
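Review bot: `update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1` fails on Debian whenever `/etc/init.d/$SERVICE_NAME` still exists, because `remove` without `-f` refuses to drop the rc.d links, and under the scripts' `set -e` that aborts apply() with the only diagnostic thrown away by the redirection. The old/new side of each line is not marked on this rendering, so this applies if the `update-rc.d` lines are the new side; the same pattern appears in the hunks ending at L309, L322 and L396, where `remove` is immediately followed by `defaults`. If the sysv links must be managed here, write `update-rc.d -f "$SERVICE_NAME" remove` and keep stderr visible so the operator can see why a run stopped; note also that on systemd hosts update-rc.d presumably only touches the sysv symlinks, so the native unit's enablement would be left as-is (worth confirming). apply() starts and ends outside this hunk.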


@ -50,7 +50,8 @@ apply() {
ok "$SERVICE_NAME is enabled"
else
warn "$SERVICE_NAME is not enabled, enabling it"
manage_service enable "$SERVICE_NAME"
update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1
fi
}


@ -47,7 +47,8 @@ apply() {
is_service_enabled "$SERVICE_NAME"
if [ "$FNRET" != 0 ]; then
info "Enabling $SERVICE_NAME"
manage_service enable "$SERVICE_NAME"
update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1
else
ok "$SERVICE_NAME is enabled"
fi


@ -1,67 +0,0 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# Ensure pam_pwquality module is enabled (Automated)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Ensure pam_pwquality module is enabled."
PATTERN_COMMON='pam_pwquality.so'
FILE_COMMON='/etc/pam.d/common-password'
# This function will be called if the script status is on enabled / audit mode
audit() {
does_pattern_exist_in_file "$FILE_COMMON" "$PATTERN_COMMON"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN_COMMON is present in $FILE_COMMON"
else
crit "$PATTERN_COMMON is not present in $FILE_COMMON"
fi
}
# This function will be called if the script status is on enabled mode
apply() {
does_pattern_exist_in_file $FILE_COMMON $PATTERN_COMMON
if [ "$FNRET" = 0 ]; then
ok "$PATTERN_COMMON is present in $FILE_COMMON"
else
warn "$PATTERN_COMMON is not present in $FILE_COMMON"
add_line_file_before_pattern "$FILE_COMMON" "password requisite pam_pwquality.so retry=3" "# pam-auth-update(8) for details."
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "${CIS_LIB_DIR}"/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128
fi


@ -46,7 +46,8 @@ apply() {
is_service_enabled "$SERVICE_NAME"
if [ "$FNRET" != 0 ]; then
info "Enabling $SERVICE_NAME"
manage_service enable "$SERVICE_NAME" >/dev/null 2>&1
update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1
else
ok "$SERVICE_NAME is enabled"
fi


@ -1,78 +0,0 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# Ensure iptables packages are installed (Automated)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Ensure iptables firewall is installed, does not check for its configuration."
# Note: CIS recommends your iptables rules to be persistent.
# Do as you want, but this script does not handle this
PACKAGES='iptables iptables-persistent'
# This function will be called if the script status is on enabled / audit mode
audit() {
FOUND=false
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
ok "$PACKAGE provides firewalling feature"
FOUND=true
fi
done
if [ "$FOUND" = false ]; then
crit "None of the following firewall packages are installed: $PACKAGES"
fi
}
# This function will be called if the script status is on enabled mode
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
ok "$PACKAGE provides firewalling feature"
FOUND=true
fi
done
if [ "$FOUND" = false ]; then
crit "None of the following firewall packages are installed: $PACKAGES, installing them"
apt_install "$PACKAGES"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "${CIS_LIB_DIR}"/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128
fi


@ -1,66 +0,0 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# Ensure libpam-pwquality is installed (Automated)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Ensure libpam-pwquality is installed "
PACKAGE='libpam-pwquality'
# This function will be called if the script status is on enabled / audit mode
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
fi
}
# This function will be called if the script status is on enabled mode
apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
apt_install "$PACKAGE"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "${CIS_LIB_DIR}"/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128
fi


@ -1,78 +0,0 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# Ensure nftables is installed (Automated)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Ensure nftables firewall is installed, does not check for its configuration."
# Note: CIS recommends your iptables rules to be persistent.
# Do as you want, but this script does not handle this
PACKAGES='nftables'
# This function will be called if the script status is on enabled / audit mode
audit() {
FOUND=false
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
ok "$PACKAGE provides firewalling feature"
FOUND=true
fi
done
if [ "$FOUND" = false ]; then
crit "None of the following firewall packages are installed: $PACKAGES"
fi
}
# This function will be called if the script status is on enabled mode
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
ok "$PACKAGE provides firewalling feature"
FOUND=true
fi
done
if [ "$FOUND" = false ]; then
crit "None of the following firewall packages are installed: $PACKAGES, installing them"
apt_install "$PACKAGES"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "${CIS_LIB_DIR}"/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128
fi


@ -1,61 +0,0 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# Ensure only approved services are listening on a network interface (Manual)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure only approved services are listening on a network interface"
# This function will be called if the script status is on enabled / audit mode
audit() {
ss -plntuH | while read i ;
do socket=$(echo "$i" | awk '{print $5}') ;
proc=$(echo "$i" | awk '{print $7}' | awk -F ',' '{print $1}' | sed 's/users:((//') ;
info -e "$proc listening on \t$socket" ;
done
# output example :
# "ntpd" listening on 127.0.0.1:123
# "ntpd" listening on 0.0.0.0:123
}
# This function will be called if the script status is on enabled mode
apply() {
info "This recommendation has to be reviewed and applied manually"
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "${CIS_LIB_DIR}"/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128
fi


@ -1,77 +0,0 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# Ensure password complexity is configured (Manual)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Ensure password minimum length is configured "
OPTIONS=''
FILE_QUALITY='/etc/security/pwquality.conf'
# This function will be called if the script status is on enabled / audit mode
audit() {
for PW_OPT in $OPTIONS; do
PW_PARAM=$(echo "$PW_OPT" | cut -d= -f1)
PW_VALUE=$(echo "$PW_OPT" | cut -d= -f2)
# note : dont backslash regex characters, as 'does_pattern_exist_in_file' use "grep -E" which don't need it
PATTERN="${PW_PARAM}[[:space:]]?+=[[:space:]]?+$PW_VALUE"
does_pattern_exist_in_file "$FILE_QUALITY" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE_QUALITY"
else
crit "$PATTERN is not present in $FILE_QUALITY"
fi
done
}
# This function will be called if the script status is on enabled mode
apply() {
info "The values defined here should be adapted to one needs before applying."
}
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=audit
# Put your custom configuration here
OPTIONS="minclass=3 dcredit=-1 ucredit=-2 ocredit=-1 lcredit=-1"
EOF
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "${CIS_LIB_DIR}"/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128
fi


@ -1,94 +0,0 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# Ensure password same consecutive characters is configured (Automated)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Ensure password same consecutive characters is configured"
OPTIONS=''
FILE_QUALITY='/etc/security/pwquality.conf'
# This function will be called if the script status is on enabled / audit mode
audit() {
for PW_OPT in $OPTIONS; do
PW_PARAM=$(echo "$PW_OPT" | cut -d= -f1)
PW_VALUE=$(echo "$PW_OPT" | cut -d= -f2)
PATTERN="^${PW_PARAM}[[:space:]]?+=[[:space:]]?+$PW_VALUE"
does_pattern_exist_in_file "$FILE_QUALITY" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE_QUALITY"
else
crit "$PATTERN is not present in $FILE_QUALITY"
fi
done
}
# This function will be called if the script status is on enabled mode
apply() {
for PW_OPT in $OPTIONS; do
PW_PARAM=$(echo "$PW_OPT" | cut -d= -f1)
PW_VALUE=$(echo "$PW_OPT" | cut -d= -f2)
# note : dont backslash regex characters, as 'does_pattern_exist_in_file' use "grep -E" which don't need it
PATTERN="^${PW_PARAM}[[:space:]]?+=[[:space:]]?+$PW_VALUE"
does_pattern_exist_in_file "$FILE_QUALITY" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE_QUALITY"
else
warn "$PATTERN is not present in $FILE_QUALITY, adding it"
does_pattern_exist_in_file "$FILE_QUALITY" "^${PW_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE_QUALITY" "$PW_PARAM = $PW_VALUE"
else
info "Parameter $PW_PARAM is present but with the wrong value -- Fixing"
replace_in_file "$FILE_QUALITY" "^${PW_PARAM}*.*" "$PW_PARAM = $PW_VALUE"
fi
fi
done
}
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=audit
# Put your custom configuration here
OPTIONS="maxrepeat=3"
EOF
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "${CIS_LIB_DIR}"/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128
fi


@ -1,94 +0,0 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# Ensure password maximum sequential characters is configured (Automated)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Ensure password maximum sequential characters is configured"
OPTIONS=''
FILE_QUALITY='/etc/security/pwquality.conf'
# This function will be called if the script status is on enabled / audit mode
audit() {
for PW_OPT in $OPTIONS; do
PW_PARAM=$(echo "$PW_OPT" | cut -d= -f1)
PW_VALUE=$(echo "$PW_OPT" | cut -d= -f2)
# note : dont backslash regex characters, as 'does_pattern_exist_in_file' use "grep -E" which don't need it
PATTERN="^${PW_PARAM}[[:space:]]?+=[[:space:]]?+$PW_VALUE"
does_pattern_exist_in_file "$FILE_QUALITY" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE_QUALITY"
else
crit "$PATTERN is not present in $FILE_QUALITY"
fi
done
}
# This function will be called if the script status is on enabled mode
apply() {
for PW_OPT in $OPTIONS; do
PW_PARAM=$(echo "$PW_OPT" | cut -d= -f1)
PW_VALUE=$(echo "$PW_OPT" | cut -d= -f2)
PATTERN="^${PW_PARAM}[[:space:]]?+=[[:space:]]?+$PW_VALUE"
does_pattern_exist_in_file "$FILE_QUALITY" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE_QUALITY"
else
warn "$PATTERN is not present in $FILE_QUALITY, adding it"
does_pattern_exist_in_file "$FILE_QUALITY" "^${PW_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE_QUALITY" "$PW_PARAM = $PW_VALUE"
else
info "Parameter $PW_PARAM is present but with the wrong value -- Fixing"
replace_in_file "$FILE_QUALITY" "^${PW_PARAM}*.*" "$PW_PARAM = $PW_VALUE"
fi
fi
done
}
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=audit
# Put your custom configuration here
OPTIONS="maxsequence=3"
EOF
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "${CIS_LIB_DIR}"/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128
fi


@ -1,94 +0,0 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# Ensure minimum password length is configured (Automated)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Ensure password minimum length is configured "
OPTIONS=''
FILE_QUALITY='/etc/security/pwquality.conf'
# This function will be called if the script status is on enabled / audit mode
audit() {
for PW_OPT in $OPTIONS; do
PW_PARAM=$(echo "$PW_OPT" | cut -d= -f1)
PW_VALUE=$(echo "$PW_OPT" | cut -d= -f2)
# note : dont backslash regex characters, as 'does_pattern_exist_in_file' use "grep -E" which don't need it
PATTERN="^${PW_PARAM}[[:space:]]?+=[[:space:]]?+$PW_VALUE"
does_pattern_exist_in_file "$FILE_QUALITY" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE_QUALITY"
else
crit "$PATTERN is not present in $FILE_QUALITY"
fi
done
}
# This function will be called if the script status is on enabled mode
apply() {
for PW_OPT in $OPTIONS; do
PW_PARAM=$(echo "$PW_OPT" | cut -d= -f1)
PW_VALUE=$(echo "$PW_OPT" | cut -d= -f2)
PATTERN="^${PW_PARAM}[[:space:]]?+=[[:space:]]?+$PW_VALUE"
does_pattern_exist_in_file "$FILE_QUALITY" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE_QUALITY"
else
warn "$PATTERN is not present in $FILE_QUALITY, adding it"
does_pattern_exist_in_file "$FILE_QUALITY" "^${PW_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE_QUALITY" "$PW_PARAM = $PW_VALUE"
else
info "Parameter $PW_PARAM is present but with the wrong value -- Fixing"
replace_in_file "$FILE_QUALITY" "^${PW_PARAM}*.*" "$PW_PARAM = $PW_VALUE"
fi
fi
done
}
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=audit
# Put your custom configuration here
OPTIONS="minlen=14"
EOF
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "${CIS_LIB_DIR}"/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128
fi


@ -1,91 +0,0 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# Ensure tftp services are not in use (Automated)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure tftp services are not in use."
PACKAGE='tftpd-hpa'
SERVICE="tftpd-hpa.service"
# 2 scenario here:
# - tftp is a dependency for another package -> disable the service
# - tftp is not a dependency for another package -> remove the package
# This function will be called if the script status is on enabled / audit mode
audit() {
# 0 means true in bash
PACKAGE_INSTALLED=1
PACKAGE_IS_DEPENDENCY=1
SERVICE_ENABLED=1
is_pkg_installed "$PACKAGE"
[ "$FNRET" = 0 ] && PACKAGE_INSTALLED=0 # 0 means true in bash
is_pkg_a_dependency "$PACKAGE"
# dnsmasq is installed with dnsmasq-base, which
[ "$FNRET" = 0 ] && PACKAGE_IS_DEPENDENCY=0
is_service_enabled "$SERVICE"
[ "$FNRET" = 0 ] && SERVICE_ENABLED=0
if [ "$PACKAGE_INSTALLED" -eq 0 ] && [ "$PACKAGE_IS_DEPENDENCY" -eq 1 ]; then
crit "$PACKAGE is installed and not a dependency"
elif [ "$PACKAGE_INSTALLED" -eq 0 ] && [ "$PACKAGE_IS_DEPENDENCY" -eq 0 ] && [ "$SERVICE_ENABLED" -eq 0 ]; then
crit "$SERVICE is enabled"
else
ok "$PACKAGE is not in use"
fi
}
# This function will be called if the script status is on enabled mode
apply() {
audit
if [ "$PACKAGE_INSTALLED" -eq 0 ] && [ "$PACKAGE_IS_DEPENDENCY" -eq 1 ]; then
crit "$PACKAGE is installed and not a dependency, removing it"
apt-get purge "$PACKAGE" -y
apt-get autoremove -y
elif [ "$PACKAGE_INSTALLED" -eq 0 ] && [ "$PACKAGE_IS_DEPENDENCY" -eq 0 ] && [ "$SERVICE_ENABLED" -eq 0 ] && [ "$IS_CONTAINER" -eq 1 ]; then
crit "$SERVICE is enabled, i'm going to stop and mask it"
systemctl stop "$SERVICE"
systemctl mask "$SERVICE"
else
ok "$PACKAGE is not in use"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "${CIS_LIB_DIR}"/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128
fi


@ -6,7 +6,7 @@
#
#
# Ensure a single time synchronization daemon is in use (Automated)
# Ensure time synchronization is in use (Not Scored)
#
set -e # One error, it's over
@ -15,31 +15,28 @@ set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure a single time synchronization is in use"
DESCRIPTION="Ensure time synchronization is in use"
PACKAGES="systemd-timesyncd ntp chrony"
# This function will be called if the script status is on enabled / audit mode
audit() {
local count=0
FOUND=false
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" -eq 0 ]; then
let count=$((count+1))
if [ "$FNRET" = 0 ]; then
ok "Time synchronization is available through $PACKAGE"
FOUND=true
fi
done
if [ "$count" -eq 0 ]; then
if [ "$FOUND" = false ]; then
crit "None of the following time sync packages are installed: $PACKAGES"
elif [ "$count" -gt 1 ]; then
crit "Multiple time sync packages are installed, from $PACKAGES. Pick one and remove the others"
else
info "A single time sync package from $PACKAGES is installed"
fi
}
# This function will be called if the script status is on enabled mode
apply() {
info "This recommendation has to be reviewed and applied manually"
:
}
# This function will check config parameters required
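Review bot: In the `audit()` of the second hunk, the variant built on `FOUND=false` (the new side, if the 31-to-28 line count is read as dropping the `count` bookkeeping) assigns `FOUND` as a global while the function's siblings declare their working variables with `local`; `local FOUND=false` keeps it out of the caller's namespace. That variant also reports compliance as soon as any one of `$PACKAGES` is installed, so two competing daemons are never flagged; if that is the intended contract, a comment such as `# any one installed package satisfies this check; multiple daemons are not reported here` would make the loosening explicit for whoever maps this to the CIS "single daemon" wording. The `[ "$FNRET" = 0 ]` test on the same side mixes a string comparison into a file that otherwise uses `-eq` for `FNRET`.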


@ -1,161 +0,0 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# Ensure local interactive user home directories are configured (Automated)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Users are assigned valid home directories"
# a home is purposefully owned by another user
# format: <dir>:<user_name>:<owner_name>
# ex: HOME_OWNER_EXCEPTIONS="/usr/sbin:daemon:root"
HOME_OWNER_EXCEPTIONS=""
# space separated list of path, where permissions are different than 0750
HOME_PERM_EXCEPTIONS=""
ERRORS=0
check_home_owner() {
# user owns home
local user=$1
local home=$2
FNRET=0
owner=$(stat -L -c "%U" "$home")
if [ "$owner" != "$user" ]; then
EXCEP_FOUND=0
for excep in $HOME_OWNER_EXCEPTIONS; do
if [ "$home:$user:$owner" = "$excep" ]; then
ok "The home directory ($home) of user $user is owned by $owner but is part of exceptions ($home:$user:$owner)."
EXCEP_FOUND=1
break
fi
done
if [ "$EXCEP_FOUND" -eq 0 ]; then
crit "The home directory ($home) of user $user is owned by $owner."
FNRET=1
fi
fi
}
check_home_perm() {
# 750 or more restrictive
local home=$1
HOME_PERM_ERRORS=0
debug "Exceptions : $HOME_PERM_EXCEPTIONS"
debug "echo \"$HOME_PERM_EXCEPTIONS\" | grep -q $home"
if echo "$HOME_PERM_EXCEPTIONS" | grep -q "$home"; then
debug "$home is confirmed as an exception"
# shellcheck disable=SC2001
RESULT=$(sed "s!$home!!" <<<"$RESULT")
else
debug "$home not found in exceptions"
fi
if [ -d "$home" ]; then
dirperm=$(/bin/ls -ld "$home" | cut -f1 -d" ")
if [ "$(echo "$dirperm" | cut -c6)" != "-" ]; then
crit "Group Write permission set on directory $home"
HOME_PERM_ERRORS=$((HOME_PERM_ERRORS + 1))
fi
if [ "$(echo "$dirperm" | cut -c8)" != "-" ]; then
crit "Other Read permission set on directory $home"
HOME_PERM_ERRORS=$((HOME_PERM_ERRORS + 1))
fi
if [ "$(echo "$dirperm" | cut -c9)" != "-" ]; then
crit "Other Write permission set on directory $home"
HOME_PERM_ERRORS=$((HOME_PERM_ERRORS + 1))
fi
if [ "$(echo "$dirperm" | cut -c10)" != "-" ]; then
crit "Other Execute permission set on directory $home"
HOME_PERM_ERRORS=$((HOME_PERM_ERRORS + 1))
fi
fi
}
# This function will be called if the script status is on enabled / audit mode
audit() {
RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
for LINE in $RESULT; do
debug "Working on $LINE"
USER=$(awk -F: '{print $1}' <<<"$LINE")
USERID=$(awk -F: '{print $2}' <<<"$LINE")
DIR=$(awk -F: '{print $3}' <<<"$LINE")
if [ "$USERID" -ge 1000 ]; then
if [ ! -d "$DIR" ] && [ "$USER" != "nfsnobody" ] && [ "$USER" != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then
crit "The home directory ($DIR) of user $USER does not exist."
ERRORS=$((ERRORS + 1))
fi
if [ -d "$DIR" ] && [ "$USER" != "nfsnobody" ]; then
check_home_owner "$USER" "$DIR"
[ $FNRET -ne 0 ] && ERRORS=$((ERRORS + 1))
fi
fi
done
for DIR in $(get_db passwd | grep -Ev '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
check_home_perm "$DIR"
ERRORS=$((ERRORS + HOME_PERM_ERRORS))
done
if [ "$ERRORS" -eq 0 ]; then
ok "All home directories are correctly configured"
fi
}
# This function will be called if the script status is on enabled mode
apply() {
info "Modifying home directories may seriously harm your system, report only here"
}
create_config() {
cat <<EOF
status=audit
# Put here user home directories exceptions
# format: <dir>:<user_name>:<owner_name>
HOME_OWNER_EXCEPTIONS=""
# space separated list of path, where permissions are different than 0750
HOME_PERM_EXCEPTIONS=""
EOF
}
# This function will check config parameters required
check_config() {
if [ -z "$HOME_PERM_EXCEPTIONS" ]; then
HOME_PERM_EXCEPTIONS="@"
fi
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "${CIS_LIB_DIR}"/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128
fi


@ -100,15 +100,6 @@ does_file_exist() {
fi
}
is_file_empty() {
local FILE=$1
if $SUDO_CMD [ -s "$FILE" ]; then
FNRET=1
else
FNRET=0
fi
}
has_file_correct_ownership() {
local FILE=$1
local USER=$2
@ -316,17 +307,7 @@ does_group_exist() {
is_service_enabled() {
local SERVICE=$1
# if running in a container, it does not make much sense to test for systemd / service
# the var "IS_CONTAINER" defined in lib/constant may not be enough, in case we are using systemd slices
# currently, did not find a unified way to manage all cases, so we check this only for systemctl usage
is_using_sbin_init
if [ "$FNRET" -eq 1 ]; then
debug "host was not started using '/sbin/init', systemd should not be available"
FNRET=1
return
fi
if $SUDO_CMD systemctl -t service is-enabled "$SERVICE" >/dev/null; then
if [ "$($SUDO_CMD find /etc/rc?.d/ -name "S*$SERVICE" -print | wc -l)" -gt 0 ]; then
debug "Service $SERVICE is enabled"
FNRET=0
else
@ -335,27 +316,6 @@ is_service_enabled() {
fi
}
is_service_active() {
local SERVICE=$1
# if running in a container, it does not make much sense to test for systemd / service
# the var "IS_CONTAINER" defined in lib/constant may not be enough, in case we are using systemd slices
# currently, did not find a unified way to manage all cases, so we check this only for systemctl usage
is_using_sbin_init
if [ "$FNRET" -eq 1 ]; then
debug "host was not started using '/sbin/init', systemd should not be available"
FNRET=1
return
fi
if $SUDO_CMD systemctl -t service is-active "$SERVICE" >/dev/null; then
debug "Service $SERVICE is active"
FNRET=0
else
debug "Service $SERVICE is active"
FNRET=1
fi
}
#
# Kernel Options checks
#
@ -620,20 +580,6 @@ is_pkg_installed() {
fi
}
is_pkg_a_dependency() {
# check if package is needed by another installed package
local PKG_NAME=$1
local dependencies=0
dependencies=$(grep -w "${PKG_NAME}$" /var/lib/dpkg/status | grep -cEi "depends|recommends")
if [ "$dependencies" -gt 0 ]; then
debug "$PKG_NAME is a dependency for another installed package"
FNRET=0
else
FNRET=1
debug "$PKG_NAME is not a dependency for another installed package"
fi
}
# Returns Debian major version
get_debian_major_version() {
@ -666,26 +612,3 @@ get_distribution() {
is_running_in_container() {
awk -F/ '$2 == "'"$1"'"' /proc/self/cgroup
}
is_using_sbin_init() {
FNRET=0
# remove '\0' to avoid 'command substitution: ignored null byte in input'
if [[ $($SUDO_CMD cat /proc/1/cmdline | tr -d '\0') != "/sbin/init" ]]; then
debug "init process is not '/sbin/init'"
FNRET=1
fi
}
manage_service() {
local action="$1"
local service="$2"
is_using_sbin_init
if [ "$FNRET" -ne 0 ]; then
debug "/sbin/init not used, systemctl wont manage service $service"
return
fi
systemctl "$action" "$service" >/dev/null 2>&1
}
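Review bot: On the new side of the `is_service_enabled` hunk (the 7-line side, which the 17-to-7 count pins to the `find /etc/rc?.d/` probe), `-name "S*$SERVICE"` only sees SysV start links, so a service shipped as a native systemd unit with no `/etc/rc?.d` symlink is reported as disabled, and any link whose name merely ends in `$SERVICE` counts as a match for it. If the rc-link probe is intended, `-name "S[0-9][0-9]$SERVICE"` removes the suffix collision, and a comment such as `# SysV rc links only; services enabled purely as systemd units are not detected here` would make the limitation visible to the package-removal checks that branch on this result. The later hunks also drop `is_file_empty`, `is_service_active`, `is_pkg_a_dependency`, `is_using_sbin_init` and `manage_service`; any check script that still calls one of them will abort under `set -e` with a command-not-found, so it is worth confirming no remaining caller references them.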


@ -1,40 +0,0 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
local APT_KEY_FILE="/etc/apt/trusted.gpg"
local APT_KEY_PATH="/etc/apt/trusted.gpg.d"
local unsecure_source="/etc/apt/sources.list.d/unsecure.list"
local unsecure_conf_file="/etc/apt/apt.conf.d/unsecure"
# make sure we don't have any key
[ -f "$APT_KEY_FILE" ] && mv "$APT_KEY_FILE" /tmp
[ -d "$APT_KEY_PATH" ] && mv "$APT_KEY_PATH" /tmp
describe Running non compliant missing keys
register_test retvalshouldbe 1
# shellcheck disable=2154
run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# fix the situation
[ -d /tmp/trusted.gpg.d ] && mv /tmp/trusted.gpg.d /etc/apt/
[ -f /tmp/trusted.gpg ] && mv /tmp/trusted.gpg /etc/apt/
describe Checking resolved state
register_test retvalshouldbe 0
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
echo 'deb [allow-insecure=yes] http://deb.debian.org/debian bookworm main' >"$unsecure_source"
describe Running non compliant unsecure option in sources list
register_test retvalshouldbe 1
run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
rm -f "$unsecure_source"
echo 'Acquire::AllowInsecureRepositories=true' >"$unsecure_conf_file"
describe Running non compliant unsecure option in apt conf
register_test retvalshouldbe 1
run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
rm -f "$unsecure_conf_file"
}


@ -1,18 +0,0 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Ensure package is installed
# install dependencies
apt update
apt install -y chrony
# not much to test here, we are running in a container, we wont check service state
describe Checking blank host
register_test retvalshouldbe 0
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
apt remove -y chrony
}


@ -1,16 +0,0 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
}


@ -1,11 +1,9 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Prepare failing test
apt remove -y auditd
describe Running on blank host
register_test retvalshouldbe 1
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
@ -14,8 +12,7 @@ test_audit() {
"${CIS_CHECKS_DIR}/${script}.sh" || true
describe Checking resolved state
# service still wont be enabled due to tests running inside a docker container
register_test retvalshouldbe 1
register_test contain "[ OK ] auditd is installed"
register_test retvalshouldbe 0
register_test contain "[ OK ] auditd is enabled"
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
}


@ -1,21 +0,0 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
PATTERN_COMMON='pam_pwquality.so'
FILE_COMMON='/etc/pam.d/common-password'
# create issue
sed -i '/'$PATTERN_COMMON'/d' "$FILE_COMMON"
describe Running non compliant
register_test retvalshouldbe 1
# shellcheck disable=2154
run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
"${CIS_CHECKS_DIR}/${script}.sh" || true
describe Checking resolved state
register_test retvalshouldbe 0
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
}


@ -1,16 +0,0 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
}


@ -1,16 +0,0 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
}


@ -1,16 +0,0 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
}


@ -1,10 +0,0 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
}


@ -1,28 +0,0 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
local OPTIONS="minclass=3 dcredit=-1 ucredit=-2 ocredit=-1 lcredit=-1"
local FILE_QUALITY='/etc/security/pwquality.conf'
# install dependencies
apt-get update
apt-get install -y libpam-pwquality
# prepare to fail
describe Prepare on purpose failed test
sed -i '/minclass/d' $FILE_QUALITY
describe Running on purpose failed test
register_test retvalshouldbe 1
# shellcheck disable=2154
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe Correcting situation
echo "$OPTIONS" >>"$FILE_QUALITY"
describe Checking resolved state
register_test retvalshouldbe 0
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
}


@ -1,28 +0,0 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
local OPTIONS="maxrepeat=3"
local FILE_QUALITY='/etc/security/pwquality.conf'
# install dependencies
apt-get update
apt-get install -y libpam-pwquality
# prepare to fail
describe Prepare on purpose failed test
sed -i '/maxrepeat/d' $FILE_QUALITY
describe Running on purpose failed test
register_test retvalshouldbe 1
# shellcheck disable=2154
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe Correcting situation
echo "$OPTIONS" >>"$FILE_QUALITY"
describe Checking resolved state
register_test retvalshouldbe 0
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
}


@ -1,28 +0,0 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
local OPTIONS="maxsequence=3"
local FILE_QUALITY='/etc/security/pwquality.conf'
# install dependencies
apt-get update
apt-get install -y libpam-pwquality
# prepare to fail
describe Prepare on purpose failed test
sed -i '/maxsequence/d' $FILE_QUALITY
describe Running on purpose failed test
register_test retvalshouldbe 1
# shellcheck disable=2154
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe Correcting situation
echo "$OPTIONS" >>"$FILE_QUALITY"
describe Checking resolved state
register_test retvalshouldbe 0
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
}


@ -1,27 +0,0 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
local OPTIONS="minlen=14"
local FILE_QUALITY='/etc/security/pwquality.conf'
# install dependencies
apt-get update
apt-get install -y libpam-pwquality
# prepare to fail
describe Prepare on purpose failed test
sed -i '/minlen/d' $FILE_QUALITY
describe Running on purpose failed test
register_test retvalshouldbe 1
# shellcheck disable=2154
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe Correcting situation
echo "$OPTIONS" >>"$FILE_QUALITY"
describe Checking resolved state
register_test retvalshouldbe 0
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
}


@ -1,36 +0,0 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Prepare on purpose failed test
apt install -y tftp
# running on a container, will can only test the package installation, not the service management
describe Running on purpose failed test
register_test retvalshouldbe 1
# shellcheck disable=2154
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe correcting situation
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
"${CIS_CHECKS_DIR}/${script}.sh" --apply || true
describe Checking resolved state
register_test retvalshouldbe 0
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe Prepare test package dependencies
# try to install a package that depends on 'tftp-hpa'
apt install -y tfpt-hpa-dbg
# running on a container, we can only test the package installation, not the service management
describe Running successfull test
register_test retvalshouldbe 0
# shellcheck disable=2154
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe clean installation
apt remove -y tfpt-hpa-dbg
apt autoremove -y
}


@ -3,6 +3,7 @@
test_audit() {
describe Running on blank host
register_test retvalshouldbe 1
dismiss_count_for_test
# shellcheck disable=2154
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
@ -13,13 +14,6 @@ test_audit() {
# Finally assess that your corrective actions end up with a compliant system
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "Time synchronization is available through"
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe Break things
apt-get update
apt-get install -y chrony
describe Checking broken state
register_test retvalshouldbe 1
run broken "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
}
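Review bot: On the new side of the second hunk (the 6-line side fixed by the 13-to-6 count) the resolved-state block asserts only `register_test retvalshouldbe 0`, so the test no longer pins which branch of the check produced the pass; a message assertion on the expected `ok` output would make the resolved state meaningful rather than exit-code-only. The first hunk adds `dismiss_count_for_test` to the blank-host run while still expecting `retvalshouldbe 1`; a one-line comment stating why the count is dismissed for that run, e.g. `# blank container has no time sync package, expected failure but the count is not meaningful here`, would save the next reader from guessing.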


@ -1,88 +0,0 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
local no_home_test_user="userwithouthome"
local owner_test_user="testhomeuser"
local perm_test_user="testhomepermuser"
describe Running on blank host
register_test retvalshouldbe 0
# shellcheck disable=2154
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
home_dir_missing "$no_home_test_user"
home_dir_ownership "$owner_test_user"
home_dir_perm "$perm_test_user"
fix_home "$no_home_test_user" "$owner_test_user" "$perm_test_user"
describe Checking resolved state
register_test retvalshouldbe 0
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
cleanup "$no_home_test_user" "$owner_test_user" "$perm_test_user"
}
home_dir_missing() {
local test_user="$1"
useradd -d /home/"$test_user" "$test_user"
describe Tests purposely failing that a homdedir does not exists
register_test retvalshouldbe 1
register_test contain "does not exist."
run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
}
home_dir_ownership() {
local test_user="$1"
describe Test purposely failing that a user does not own its home
useradd -d /home/"$test_user" -m "$test_user"
chown root:root /home/"$test_user"
chmod 0750 /home/"$test_user"
register_test retvalshouldbe 1
register_test contain "[ KO ] The home directory (/home/$test_user) of user $test_user is owned by root"
run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
}
home_dir_perm() {
local test_user="$1"
describe Tests purposely failing for wrong permissions on home
useradd -d /home/"$test_user" --create-home "$test_user"
chmod 777 /home/"$test_user"
register_test retvalshouldbe 1
register_test contain "Group Write permission set on directory"
register_test contain "Other Read permission set on directory"
register_test contain "Other Write permission set on directory"
register_test contain "Other Execute permission set on directory"
run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
}
fix_home() {
local missing_home_test_user="$1"
local owner_test_user="$2"
local perm_test_user="$3"
describe correcting situation for missing home
install -d -m 0750 -o "$missing_home_test_user" /home/"$missing_home_test_user"
describe correcting situation for ownership
# we don't want to erase default configurations, or others checks could fail
# shellcheck disable=2086
sed -i '/^HOME_OWNER_EXCEPTIONS/s|HOME_OWNER_EXCEPTIONS=\"|HOME_OWNER_EXCEPTIONS=\"/home/'$owner_test_user':'$owner_test_user':root |' ${CIS_CONF_DIR}/conf.d/${script}.cfg
describe correcting situation for permissions
chmod 0750 /home/"$perm_test_user"
}
cleanup() {
local users="$*"
for user in $users; do
# owner_test_user del will fail as its home is owned by another user
userdel -r "$user" || true
rm -rf /home/"${user:?}" || true
done
}


@ -1 +1 @@
../../bin/hardening/password_history_remember.sh
../../bin/hardening/limit_password_reuse.sh


@ -1 +1 @@
../../bin/hardening/password_last_change_past.sh
../../bin/hardening/last_password_change_past.sh