Compare commits

..

8 Commits

Author SHA1 Message Date
51bc5825d6 refactor: is_kernel_option_enabled (#267)
Current "is_kernel_option_enabled" function is doing many things, like checking for a kernel option AND checking a kernel module state AND checking if it is disabled
We split it in different functions:
        - is_kernel_monolithic
        - is_kernel_option_enabled -> check for a kernel configuration in the running kernel
        - is_kernel_module_loaded -> check if a module is currently loaded
        - is_kernel_module_available -> check if a module is configured in all available kernel configs
        - is_kernel_module_disabled   -> check if a kernel module is disabled in the modprobe configuration

Also:

- update its behaviour to debian 12 CIS recommendation, to check if a module is "available in ANY installed kernel"
- fix "disable_usb_storage" to look for correct module name once loaded : issue #249
- the associated checks now check separately if the module is loaded, and if it is configured
- for checks about kernel module presence, the "apply" function now manages to disable the module in the modprobe configuration (if kernel not monolithic) (but still wont unload it)

Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
2025-07-11 11:20:59 +02:00
ab0dba9f95 chore: drop debian 10 and below support (#264)
Currently, the only LTS Debian are 11 and 12
We only support CIS for LTS debian

Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
2025-07-04 14:18:56 +02:00
f2c6f36b94 fix: ipv6_is_enabled related checks (#263)
fix issue #251 : https://github.com/ovh/debian-cis/issues/251

the 'is_ipv6_enabled' function was doing some 'crit' actions, which is not the expected behaviour: we don't want to fail if ipv6 is enabled, it is just an infor that checks are going to use.

Also, it was overriding the SYSCTL_PARAMS that could have been defined in the checks.

Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
2025-07-04 09:08:50 +02:00
6123a56653 fix: update record_mac_edit.sh to use apparmor instead of selinux (#262)
Update record_mac_edit.sh to be compliant with debian11 and debian12 CIS recommendations.

fix issue #195

Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
2025-07-03 09:27:09 +02:00
99e6694261 fix: "--only" option in "hardening.sh" (#261)
"--only" was broken, it did not match correctly a script passed in only

Previously we were checking the numerotation number, we now are using the full script name.

Ex: 1.1.1.1_disable_freevxfs.sh

Previously: (broken) look up for 1\.1\.1\.1, which could also match 1.1.1.1.1.1.1.1_foo.sh
Now: look up for 1.1.1.1_disable_freevxfs.sh

Usage example:
previously:
```
bin/hardening.sh --audit --only 1.1.10_var_tmp_noexec.sh --only 1.1.11.1_var_log_noexec.sh
      Total Available Checks : 0
         Total Runned Checks : 0
         Total Passed Checks : [     0/0 ]
         Total Failed Checks : [     0/0 ]
   Enabled Checks Percentage : 0 %
       Conformity Percentage : N.A %
```

now:
```
bin/hardening.sh --audit --only 1.1.10_var_tmp_noexec.sh --only 1.1.11.1_var_log_noexec.sh
hardening                 [INFO] Treating /opt/debian-cis/versions/default/1.1.10_var_tmp_noexec.sh
1.1.10_var_tmp_noexec     [INFO] Working on 1.1.10_var_tmp_noexec
1.1.10_var_tmp_noexec     [INFO] [DESCRIPTION] /var/tmp partition with noexec option.
1.1.10_var_tmp_noexec     [INFO] Checking Configuration
1.1.10_var_tmp_noexec     [INFO] Performing audit
1.1.10_var_tmp_noexec     [INFO] Verifying that /var/tmp is a partition
1.1.10_var_tmp_noexec     [ OK ] /var/tmp is a partition
1.1.10_var_tmp_noexec     [ OK ] /var/tmp has noexec in fstab
1.1.10_var_tmp_noexec     [ OK ] /var/tmp mounted with noexec
1.1.10_var_tmp_noexec     [ OK ] Check Passed
hardening                 [INFO] Treating /opt/debian-cis/versions/default/1.1.11.1_var_log_noexec.sh
1.1.11.1_var_log_noexec   [INFO] Working on 1.1.11.1_var_log_noexec
1.1.11.1_var_log_noexec   [INFO] [DESCRIPTION] /var/log partition with noexec option.
1.1.11.1_var_log_noexec   [INFO] Checking Configuration
1.1.11.1_var_log_noexec   [INFO] Performing audit
1.1.11.1_var_log_noexec   [INFO] Verifying that /var/log is a partition
1.1.11.1_var_log_noexec   [ OK ] /var/log is a partition
1.1.11.1_var_log_noexec   [ KO ] /var/log has no option noexec in fstab!
1.1.11.1_var_log_noexec   [ KO ] Check Failed
      Total Available Checks : 2
         Total Runned Checks : 2
         Total Passed Checks : [     1/2 ]
         Total Failed Checks : [     1/2 ]
   Enabled Checks Percentage : 100.00 %
       Conformity Percentage : 50.00 %
```

Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
2025-07-02 14:22:20 +02:00
231db2bf93 fix: debian package does not include "versions" (#260)
Related to #259: https://github.com/ovh/debian-cis/issues/259

Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
2025-07-01 13:55:26 +02:00
be33848d81 Damcava35/set version (#257)
* feat: add "--set-version" option

This feature will allow to chose a specific cis version to run, like debian 11 or debian 12

* chore: configure current repository as a version

And use it as default version.

To this end, the scripts in bin/hardening have been made generic by removing the associated recommendation number.
Only impact is if you are used to execute scripts directly from bin/hardening.
In this case, please use the "bin/hardening.sh" wrapper as intended.

I had to rename 2.3.1_disable_nis.sh to uninstall_nis.sh, as it was conflicting with 2.3.1_disable_nis.sh

Also, there was a doublon between 1.1.1.8_disable_cramfs.sh and 99.1.1.1_disable_cramfs.sh ; the former was kept

* chore: remove CIS recommendation numbers from bin/hardening scripts

* fix: some tests are failing

find_ungrouped_files.sh and find_unowned_files.sh tests can not be executed multiple times:
- test repository is not cleaned
- configuration is updated multiple times

Those tests are also failing, because:
- the sed to change the status in the configuration was also changing the test folder path.
- missing /proc in EXCLUDED paths
- the EXCLUDED configuration doesn't have the correct format for egrep

---------

Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
2025-07-01 08:41:55 +02:00
99bc575714 Damcava35/test pre commit (#256)
* chore: make linter happy for existing code

* fix: add missing test 2.1.2_disable_bsd_intetd.sh

* feat: add basic pre commit

Ensure a check has a corresponding test

---------

Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
2025-06-23 10:23:43 +02:00
752 changed files with 1312 additions and 914 deletions

View File

@ -4,13 +4,6 @@ on:
- pull_request
- push
jobs:
functionnal-tests-docker-debian10:
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@v4
- name: Run the tests debian10
run: ./tests/docker_build_and_run_tests.sh debian10
functionnal-tests-docker-debian11:
runs-on: ubuntu-latest
steps:

View File

@ -10,7 +10,7 @@ jobs:
- name: Checkout repo
uses: actions/checkout@v4
- name: Run the sh-checker
uses: luizm/action-sh-checker@v0.9.0
uses: luizm/action-sh-checker@v0.8.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Optional if sh_checker_comment is false.
SHFMT_OPTS: -l -i 4 -w # Optional: pass arguments to shfmt.

10
.pre-commit-config.yaml Normal file
View File

@ -0,0 +1,10 @@
repos:
- repo: local
hooks:
- id: check_has_test
name: check_has_test.sh
description: Ensure a check has a corresponding test
entry: hooks/check_has_test.sh
language: script
pass_filenames: true
files: "^bin/hardening/"

View File

@ -4,7 +4,7 @@
# NAME
cis-hardening - CIS Debian 10/11/12 Hardening
cis-hardening - CIS Debian 11/12 Hardening
# SYNOPSIS
@ -12,7 +12,7 @@ cis-hardening - CIS Debian 10/11/12 Hardening
# DESCRIPTION
Modular Debian 10/11/12 security hardening scripts based on the CIS (https://www.cisecurity.org) recommendations.
Modular Debian 11/12 security hardening scripts based on the CIS (https://www.cisecurity.org) recommendations.
We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.

View File

@ -1,4 +1,4 @@
# :lock: CIS Debian 10/11/12 Hardening
# :lock: CIS Debian 11/12 Hardening
<p align="center">
@ -13,7 +13,7 @@
![License](https://img.shields.io/github/license/ovh/debian-cis)
---
Modular Debian 10/11/12 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
Modular Debian 11/12 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
recommendations. We use it at [OVHcloud](https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
NB : Although Debian 12 CIS Hardening guide is still in development, we do use this set of scripts
@ -174,7 +174,7 @@ Functional tests are available. They are to be run in a Docker environment.
$ ./tests/docker_build_and_run_tests.sh <target> [name of test script...]
```
With `target` being like `debian10` or `debian11`.
With `target` being like `debian11` or `debian12`.
Running without script arguments will run all tests in `./tests/hardening/` directory.
Or you can specify one or several test script to be run.

View File

@ -29,6 +29,7 @@ BATCH_MODE=''
SUMMARY_JSON=''
ASK_LOGLEVEL=''
ALLOW_UNSUPPORTED_DISTRIBUTION=0
USED_VERSION="default"
usage() {
cat <<EOF
@ -105,6 +106,13 @@ OPTIONS:
This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug or silent.
Default value is : info
--set-version <version>
This option allows to run the scripts as defined for a specific CIS debian version.
Supported version are the folders listed in the "versions" folder.
examples:
--set-version debian_11
--set-version ovh_legacy
--summary-json
While performing system audit, this option sets LOGLEVEL to silent and
only output a json summary at the end
@ -163,6 +171,10 @@ while [[ $# -gt 0 ]]; do
ASK_LOGLEVEL=$2
shift
;;
--set-version)
USED_VERSION=$2
shift
;;
--only)
TEST_LIST[${#TEST_LIST[@]}]="$2"
shift
@ -217,9 +229,20 @@ if [ "$ASK_LOGLEVEL" ]; then LOGLEVEL=$ASK_LOGLEVEL; fi
# shellcheck source=../lib/constants.sh
[ -r "${CIS_LIB_DIR}"/constants.sh ] && . "${CIS_LIB_DIR}"/constants.sh
# ensure the CIS version exists
does_file_exist "$CIS_VERSIONS_DIR/$USED_VERSION"
if [ "$FNRET" -ne 0 ]; then
echo "$USED_VERSION is not a valid version"
echo "Please use '--set-version' with one of $(ls "$CIS_VERSIONS_DIR" --hide=default -m)"
exit 1
fi
# If we're on a unsupported platform and there is no flag --allow-unsupported-distribution
# print warning, otherwise quit
# update path for the remaining of the script
CIS_CHECKS_DIR="$CIS_VERSIONS_DIR/$USED_VERSION"
if [ "$DISTRIBUTION" != "debian" ]; then
echo "Your distribution has been identified as $DISTRIBUTION which is not debian"
if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
@ -231,7 +254,7 @@ if [ "$DISTRIBUTION" != "debian" ]; then
echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
fi
else
if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
if [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
echo "Your debian version is too recent and is not supported yet because there is no official CIS PDF for this version yet."
if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
@ -296,10 +319,7 @@ fi
for SCRIPT in $(find "${CIS_CHECKS_DIR}"/ -name "*.sh" | sort -V); do
if [ "${#TEST_LIST[@]}" -gt 0 ]; then
# --only X has been specified at least once, is this script in my list ?
SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename "$SCRIPT")")
# shellcheck disable=SC2001
SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX")
if ! grep -qE "(^|[[:space:]])$SCRIPT_PREFIX_RE([[:space:]]|$)" <<<"${TEST_LIST[@]}"; then
if ! grep -qE "$(basename "$SCRIPT")" <<<"${TEST_LIST[@]}"; then
# not in the list
continue
fi

View File

@ -1,103 +0,0 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 4.1.6 Ensure that events that modify the system's Mandatory Access Controls are collected (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=4
# shellcheck disable=2034
DESCRIPTION="Record events that modify the system's mandatory access controls (MAC)."
AUDIT_PARAMS='-w /etc/selinux/ -p wa -k MAC-policy'
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit() {
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi
done
IFS=$d_IFS
}
# This function will be called if the script status is on enabled mode
apply() {
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "${CIS_LIB_DIR}"/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128
fi

View File

@ -1,115 +0,0 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 5.2.15 Ensure only strong Key Exchange algorithms are used (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Checking key exchange ciphers."
PACKAGE='openssh-server'
OPTIONS=''
FILE='/etc/ssh/sshd_config'
# This function will be called if the script status is on enabled / audit mode
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
ok "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
fi
done
fi
}
# This function will be called if the script status is on enabled mode
apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
apt_install "$PACKAGE"
fi
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi
/etc/init.d/ssh reload >/dev/null 2>&1
fi
done
}
create_config() {
set +u
debug "Debian version : $DEB_MAJ_VER "
if [[ "$DEB_MAJ_VER" -le 7 ]]; then
KEX='diffie-hellman-group-exchange-sha256'
else
KEX='curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256'
fi
set -u
cat <<EOF
status=audit
# Put your KexAlgorithms
OPTIONS="KexAlgorithms=$KEX"
EOF
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "${CIS_LIB_DIR}"/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128
fi

View File

@ -1,68 +0,0 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening Bonus Check
#
#
# 99.1.1.1 Ensure mounting of cramfs filesystems is disabled (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable mounting of cramfs filesystems."
KERNEL_OPTION="CONFIG_CRAMFS"
MODULE_NAME="cramfs"
# This function will be called if the script status is on enabled / audit mode
audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
else
ok "$KERNEL_OPTION is disabled"
fi
:
}
# This function will be called if the script status is on enabled mode
apply() {
is_kernel_option_enabled "$KERNEL_OPTION"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
else
ok "$KERNEL_OPTION is disabled, nothing to do"
fi
:
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "${CIS_LIB_DIR}"/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128
fi

View File

@ -6,7 +6,7 @@
#
#
# 99.5.4.5.1 Check that any password that will be created will use sha512crypt (or yescrypt for Debian 11+)
# Check that any password that will be created will use sha512crypt (or yescrypt for Debian 11+)
#
set -e # One error, it's over
@ -59,17 +59,9 @@ check_config() {
:
}
# As we use DEB_MAJ_VER, which is set by constants.sh, itself sourced by main.sh below,
# We need to call this in the subs called by main.sh when it is sourced, otherwise it would
# either be too soon (DEB_MAJ_VER not defined) or too late (test has already been run)
_set_vars_jit() {
if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -ge "11" ]; then
CONF_LINE_REGEX="ENCRYPT_METHOD (SHA512|yescrypt|YESCRYPT)"
CONF_LINE="ENCRYPT_METHOD YESCRYPT"
else
CONF_LINE_REGEX="ENCRYPT_METHOD SHA512"
CONF_LINE="ENCRYPT_METHOD SHA512"
fi
CONF_LINE_REGEX="ENCRYPT_METHOD (SHA512|yescrypt|YESCRYPT)"
CONF_LINE="ENCRYPT_METHOD YESCRYPT"
}
# Source Root Dir Parameter

View File

@ -6,7 +6,7 @@
#
#
# 5.3.4 Ensure password hashing algorithm is SHA-512 (Scored)
# Ensure password hashing algorithm is SHA-512 (Scored)
#
set -e # One error, it's over
@ -49,11 +49,7 @@ apply() {
ok "$CONF_LINE is present in $CONF_FILE"
else
warn "$CONF_LINE is not present in $CONF_FILE"
if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -ge "11" ]; then
add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so yescrypt" "# pam-auth-update(8) for details."
else
add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so sha512" "# pam-auth-update(8) for details."
fi
add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so yescrypt" "# pam-auth-update(8) for details."
fi
fi
}
@ -67,11 +63,7 @@ check_config() {
# We need to call this in the subs called by main.sh when it is sourced, otherwise it would
# either be too soon (DEB_MAJ_VER not defined) or too late (test has already been run)
_set_vars_jit() {
if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -ge "11" ]; then
CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*(sha512|yescrypt)" # https://github.com/ovh/debian-cis/issues/158
else
CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*sha512"
fi
CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*(sha512|yescrypt)" # https://github.com/ovh/debian-cis/issues/158
}
# Source Root Dir Parameter

View File

@ -6,7 +6,7 @@
#
#
# 99.5.4.5.2 Check that passwords in /etc/shadow are sha512crypt (or yescrypt for Debian 11+) hashed and salted
# Check that passwords in /etc/shadow are sha512crypt (or yescrypt for Debian 11+) hashed and salted
#
set -e # One error, it's over
@ -37,7 +37,7 @@ audit() {
pw_found+="$user "
ok "User $user has a disabled password."
# yescrypt: Check password against $y$<salt>$<base64>
elif [ "$DEB_MAJ_VER" -ge "11" ] && [[ $passwd =~ ^\$y\$[./A-Za-z0-9]+\$[./A-Za-z0-9]{,86}\$[./A-Za-z0-9]{43} ]]; then
elif [[ $passwd =~ ^\$y\$[./A-Za-z0-9]+\$[./A-Za-z0-9]{,86}\$[./A-Za-z0-9]{43} ]]; then
pw_found+="$user "
ok "User $user has suitable yescrypt hashed password."
# sha512: Check password against $6$<salt>$<base64>, see `man 3 crypt`
@ -46,11 +46,7 @@ audit() {
ok "User $user has suitable sha512crypt hashed password."
else
pw_found+="$user "
if [ "$DEB_MAJ_VER" -ge "11" ]; then
crit "User $user has a password that is not sha512crypt nor yescrypt hashed."
else
crit "User $user has a password that is not sha512crypt hashed."
fi
crit "User $user has a password that is not sha512crypt nor yescrypt hashed."
fi
done
if [[ -z "$users_reviewed" ]]; then

View File

@ -6,7 +6,7 @@
#
#
# 99.1.3 Check there are no carte-blanche authorization in sudoers file(s).
# Check there are no carte-blanche authorization in sudoers file(s).
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 4.1.1.4 Ensure audit_backlog_limit is sufficient (Scored)
# Ensure audit_backlog_limit is sufficient (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled (Scored)
# Ensure auditing for processes that start prior to auditd is enabled (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 4.1.2.1 Ensure audit log storage size is configured (Scored)
# Ensure audit log storage size is configured (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 1.5.1 Ensure permissions on bootloader config are configured (Scored)
# Ensure permissions on bootloader config are configured (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 1.5.2 Ensure bootloader password is set (Scored)
# Ensure bootloader password is set (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 99.99 Ensure that the distribution version is debian and that the version is 9 or 10
# Ensure that the distribution version is debian and supported
#
set -e # One error, it's over
@ -22,7 +22,7 @@ audit() {
if [ "$DISTRIBUTION" != "debian" ]; then
crit "Your distribution has been identified as $DISTRIBUTION which is not debian"
else
if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
if [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
crit "Your distribution is too recent and is not yet supported."
elif [ "$DEB_MAJ_VER" -lt "$SMALLEST_SUPPORTED_DEBIAN_VERSION" ]; then
crit "Your distribution is debian but is deprecated. Consider upgrading to a supported version."

View File

@ -6,7 +6,7 @@
#
#
# 6.2.17 Ensure no duplicate GIDs exist (Scored)
# Ensure no duplicate GIDs exist (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 6.2.19 Ensure no duplicate group names exist (Scored)
# Ensure no duplicate group names exist (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 6.2.16 Ensure no duplicate UIDs exist (Scored)
# Ensure no duplicate UIDs exist (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 6.2.18 Ensure no duplicate user names exist (Scored)
# Ensure no duplicate user names exist (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 6.2.8 Ensure users' home directories permissions are 750 or more restrictive (Scored
# Ensure users' home directories permissions are 750 or more restrictive (Scored
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 6.2.10 Ensure users' dot files are not group or world writable (Scored)
# Ensure users' dot files are not group or world writable (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 2.2.1.3 Ensure chrony is configured (Scored)
# Ensure chrony is configured (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 4.3 Ensure logrotate is configured (Not Scored)
# Ensure logrotate is configured (Not Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 2.2.1.2 Ensure ntp is configured (Scored)
# Ensure ntp is configured (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 5.2.22 Ensure SSH MaxStartups is configured (Scored)
# Ensure SSH MaxStartups is configured (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 4.2.1.3 Configure /etc/syslog-ng/syslog-ng.conf (Not Scored)
# Configure /etc/syslog-ng/syslog-ng.conf (Not Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 2.2.1.2 Ensure systemd-timesyncd is configured (Not Scored)
# Ensure systemd-timesyncd is configured (Not Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 5.1.7 Ensure permissions on /etc/cron.d are configured (Scored)
# Ensure permissions on /etc/cron.d are configured (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored)
# Ensure permissions on /etc/cron.daily are configured (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored)
# Ensure permissions on /etc/cron.hourly are configured (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored)
# Ensure permissions on /etc/cron.monthly are configured (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 5.1.8 Ensure at/cron is restricted to authorized users (Scored)
# Ensure at/cron is restricted to authorized users (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored)
# Ensure permissions on /etc/cron.weekly are configured (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 5.1.2 Ensure permissions on /etc/crontab are configured (Scored)
# Ensure permissions on /etc/crontab are configured (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 5.4.3 Ensure default group for the root account is GID 0 (Scored)
# Ensure default group for the root account is GID 0 (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 5.4.4 Ensure default usershell timeout is 900 seconds or less
# Ensure default usershell timeout is 900 seconds or less
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 5.4.4 Ensure default user umask is 027 or more restrictive (Scored)
# Ensure default user umask is 027 or more restrictive (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 1.6.3.1 Ensure apport is disabled (Scored)
# Ensure apport is disabled (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 1.1.22 Disable Automounting (Scored)
# Disable Automounting (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 2.2.3 Ensure Avahi Server is not enabled (Scored)
# Ensure Avahi Server is not enabled (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 2.1.2 Ensure bsd-inetd is not enabled (Scored)
# Ensure bsd-inetd is not enabled (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 1.1.1.1 Ensure Mounting of cramfs filesystems is disabled (Scored)
# Ensure Mounting of cramfs filesystems is disabled (Scored)
#
set -e # One error, it's over
@ -26,11 +26,25 @@ audit() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is loaded!"
else
ok "$MODULE_NAME is disabled"
ok "$MODULE_NAME is not loaded"
fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then
ok "$MODULE_NAME is disabled in the modprobe configuration"
else
is_kernel_module_available "$KERNEL_OPTION"
if [ "$FNRET" -eq 0 ]; then
crit "$MODULE_NAME is available in some kernel config, but not disabled"
else
ok "$MODULE_NAME is not available in any kernel config"
fi
fi
fi
fi
}
@ -41,11 +55,18 @@ apply() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
crit "$LOADED_MODULE_NAME is loaded!"
warn "I wont unload the module, unload it manually or recompile the kernel if needed"
fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 1 ]; then
echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
info "$MODULE_NAME has been disabled in the modprobe configuration"
fi
fi
fi
}

View File

@ -6,7 +6,7 @@
#
#
# 3.4.1 Ensure DCCP is disabled (Not Scored)
# Ensure DCCP is disabled (Not Scored)
#
set -e # One error, it's over
@ -28,11 +28,25 @@ audit() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is loaded!"
else
ok "$MODULE_NAME is disabled"
ok "$MODULE_NAME is not loaded"
fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then
ok "$MODULE_NAME is disabled in the modprobe configuration"
else
is_kernel_module_available "$KERNEL_OPTION"
if [ "$FNRET" -eq 0 ]; then
crit "$MODULE_NAME is available in some kernel config, but not disabled"
else
ok "$MODULE_NAME is not available in any kernel config"
fi
fi
fi
fi
}
@ -43,11 +57,18 @@ apply() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
crit "$LOADED_MODULE_NAME is loaded!"
warn "I wont unload the module, unload it manually or recompile the kernel if needed"
fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 1 ]; then
echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
info "$MODULE_NAME has been disabled in the modprobe configuration"
fi
fi
fi
}

View File

@ -6,7 +6,7 @@
#
#
# 2.2.5 Ensure DHCP Server is not enabled (Scored)
# Ensure DHCP Server is not enabled (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 2.2.8 Ensure DNS Server is not enabled (Scored)
# Ensure DNS Server is not enabled (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 1.1.1.1 Ensure Mounting of freevxfs filesystems is disabled (Scored)
# Ensure Mounting of freevxfs filesystems is disabled (Scored)
#
set -e # One error, it's over
@ -26,11 +26,25 @@ audit() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is loaded!"
else
ok "$MODULE_NAME is disabled"
ok "$MODULE_NAME is not loaded"
fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then
ok "$MODULE_NAME is disabled in the modprobe configuration"
else
is_kernel_module_available "$KERNEL_OPTION"
if [ "$FNRET" -eq 0 ]; then
crit "$MODULE_NAME is available in some kernel config, but not disabled"
else
ok "$MODULE_NAME is not available in any kernel config"
fi
fi
fi
fi
}
@ -41,11 +55,18 @@ apply() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
crit "$LOADED_MODULE_NAME is loaded!"
warn "I wont unload the module, unload it manually or recompile the kernel if needed"
fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 1 ]; then
echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
info "$MODULE_NAME has been disabled in the modprobe configuration"
fi
fi
fi
}

View File

@ -6,7 +6,7 @@
#
#
# 2.2.9 Ensure FTP Server is not enabled (Scored)
# Ensure FTP Server is not enabled (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 1.1.1.3 Ensure mounting of hfs filesystems is disabled (Scored)
# Ensure mounting of hfs filesystems is disabled (Scored)
#
set -e # One error, it's over
@ -26,11 +26,25 @@ audit() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is loaded!"
else
ok "$MODULE_NAME is disabled"
ok "$MODULE_NAME is not loaded"
fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then
ok "$MODULE_NAME is disabled in the modprobe configuration"
else
is_kernel_module_available "$KERNEL_OPTION"
if [ "$FNRET" -eq 0 ]; then
crit "$MODULE_NAME is available in some kernel config, but not disabled"
else
ok "$MODULE_NAME is not available in any kernel config"
fi
fi
fi
fi
}
@ -41,11 +55,18 @@ apply() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
crit "$LOADED_MODULE_NAME is loaded!"
warn "I wont unload the module, unload it manually or recompile the kernel if needed"
fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 1 ]; then
echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
info "$MODULE_NAME has been disabled in the modprobe configuration"
fi
fi
fi
}

View File

@ -6,7 +6,7 @@
#
#
# 1.1.1.4 Ensure mounting of hfsplus filesystems is disabled (Scored)
# Ensure mounting of hfsplus filesystems is disabled (Scored)
#
set -e # One error, it's over
@ -26,11 +26,25 @@ audit() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is loaded!"
else
ok "$MODULE_NAME is disabled"
ok "$MODULE_NAME is not loaded"
fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then
ok "$MODULE_NAME is disabled in the modprobe configuration"
else
is_kernel_module_available "$KERNEL_OPTION"
if [ "$FNRET" -eq 0 ]; then
crit "$MODULE_NAME is available in some kernel config, but not disabled"
else
ok "$MODULE_NAME is not available in any kernel config"
fi
fi
fi
fi
}
@ -41,11 +55,18 @@ apply() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
crit "$LOADED_MODULE_NAME is loaded!"
warn "I wont unload the module, unload it manually or recompile the kernel if needed"
fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 1 ]; then
echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
info "$MODULE_NAME has been disabled in the modprobe configuration"
fi
fi
fi
}

View File

@ -6,7 +6,7 @@
#
#
# 2.2.13 Ensure HTTP Proxy Server is not enabled (Scored)
# Ensure HTTP Proxy Server is not enabled (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 2.2.10 Ensure HTTP Server is not enabled (Scored)
# Ensure HTTP Server is not enabled (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 3.3.2 Ensure ICMP redirects are not accepted (Scored)
# Ensure ICMP redirects are not accepted (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 2.2.11 Ensure IMAP and POP server is not installed (Scored)
# Ensure IMAP and POP server is not installed (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 3.2.2 Ensure IP forwarding is disabled (Scored)
# Ensure IP forwarding is disabled (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 3.1.1 Disable IPv6 (Not Scored)
# Disable IPv6 (Not Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 3.3.9 Ensure IPv6 router advertisements are not accepted (Scored)
# Ensure IPv6 router advertisements are not accepted (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 1.1.1.2 Esnure mounting of jffs2 filesystems is disabled (Scored)
# Esnure mounting of jffs2 filesystems is disabled (Scored)
#
set -e # One error, it's over
@ -26,11 +26,25 @@ audit() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is loaded!"
else
ok "$MODULE_NAME is disabled"
ok "$MODULE_NAME is not loaded"
fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then
ok "$MODULE_NAME is disabled in the modprobe configuration"
else
is_kernel_module_available "$KERNEL_OPTION"
if [ "$FNRET" -eq 0 ]; then
crit "$MODULE_NAME is available in some kernel config, but not disabled"
else
ok "$MODULE_NAME is not available in any kernel config"
fi
fi
fi
fi
}
@ -41,11 +55,18 @@ apply() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
crit "$LOADED_MODULE_NAME is loaded!"
warn "I wont unload the module, unload it manually or recompile the kernel if needed"
fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 1 ]; then
echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
info "$MODULE_NAME has been disabled in the modprobe configuration"
fi
fi
fi
}

View File

@ -6,7 +6,7 @@
#
#
# 2.2.6 Ensure LDAP server is not enabled (Scored)
# Ensure LDAP server is not enabled (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 2.3.5 Ensure LDAP client is not installed (Scored)
# Ensure LDAP client is not installed (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 2.2.7 Ensure NFS and RPC are not enabled (Scored)
# Ensure NFS and RPC are not enabled (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 2.2.17 Ensure NIS Server is not enabled (Scored)
# Ensure NIS Server is not enabled (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 1.6.3 Ensure prelink is disabled (Scored)
# Ensure prelink is disabled (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 2.2.4 Ensure CUPS is not enabled (Scored)
# Ensure CUPS is not enabled (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 3.4.3 Ensure SCTP is disabled (Not Scored)
# Ensure SCTP is disabled (Not Scored)
#
set -e # One error, it's over
@ -28,11 +28,25 @@ audit() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is loaded!"
else
ok "$MODULE_NAME is disabled"
ok "$MODULE_NAME is not loaded"
fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then
ok "$MODULE_NAME is disabled in the modprobe configuration"
else
is_kernel_module_available "$KERNEL_OPTION"
if [ "$FNRET" -eq 0 ]; then
crit "$MODULE_NAME is available in some kernel config, but not disabled"
else
ok "$MODULE_NAME is not available in any kernel config"
fi
fi
fi
fi
}
@ -43,11 +57,18 @@ apply() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
crit "$LOADED_MODULE_NAME is loaded!"
warn "I wont unload the module, unload it manually or recompile the kernel if needed"
fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 1 ]; then
echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
info "$MODULE_NAME has been disabled in the modprobe configuration"
fi
fi
fi
}

View File

@ -6,7 +6,7 @@
#
#
# 5.2.10 Ensure SSH root login is disabled (Scored)
# Ensure SSH root login is disabled (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 2.3.2 Ensure rsh client is not installed (Scored)
# Ensure rsh client is not installed (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 2.2.16 Ensure rsync service is not enabled (Scored)
# Ensure rsync service is not enabled (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 2.2.12 Ensure Samba is not enabled (Scored)
# Ensure Samba is not enabled (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 3.4.2 Ensure SCTP is disabled (Not Scored)
# Ensure SCTP is disabled (Not Scored)
#
set -e # One error, it's over
@ -28,11 +28,25 @@ audit() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is loaded!"
else
ok "$MODULE_NAME is disabled"
ok "$MODULE_NAME is not loaded"
fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then
ok "$MODULE_NAME is disabled in the modprobe configuration"
else
is_kernel_module_available "$KERNEL_OPTION"
if [ "$FNRET" -eq 0 ]; then
crit "$MODULE_NAME is available in some kernel config, but not disabled"
else
ok "$MODULE_NAME is not available in any kernel config"
fi
fi
fi
fi
}
@ -43,11 +57,18 @@ apply() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
crit "$LOADED_MODULE_NAME is loaded!"
warn "I wont unload the module, unload it manually or recompile the kernel if needed"
fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 1 ]; then
echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
info "$MODULE_NAME has been disabled in the modprobe configuration"
fi
fi
fi
}

View File

@ -6,7 +6,7 @@
#
#
# 3.3.3 Ensure secure ICMP redirects are not accepted (Scored)
# Ensure secure ICMP redirects are not accepted (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 3.2.1 Ensure packet redirect sending is disabled (Scored)
# Ensure packet redirect sending is disabled (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 2.2.14 Ensure SNMP Server is not enabled (Scored)
# Ensure SNMP Server is not enabled (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 3.3.1 Ensure source routed packets are not accepted (Scored)
# Ensure source routed packets are not accepted (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 1.1.1.5 Ensure mounting of squashfs filesystems is disabled (Scored)
# Ensure mounting of squashfs filesystems is disabled (Scored)
#
set -e # One error, it's over
@ -26,11 +26,25 @@ audit() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is loaded!"
else
ok "$MODULE_NAME is disabled"
ok "$MODULE_NAME is not loaded"
fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then
ok "$MODULE_NAME is disabled in the modprobe configuration"
else
is_kernel_module_available "$KERNEL_OPTION"
if [ "$FNRET" -eq 0 ]; then
crit "$MODULE_NAME is available in some kernel config, but not disabled"
else
ok "$MODULE_NAME is not available in any kernel config"
fi
fi
fi
fi
}
@ -41,11 +55,18 @@ apply() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
crit "$LOADED_MODULE_NAME is loaded!"
warn "I wont unload the module, unload it manually or recompile the kernel if needed"
fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 1 ]; then
echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
info "$MODULE_NAME has been disabled in the modprobe configuration"
fi
fi
fi
}

View File

@ -6,7 +6,7 @@
#
#
# 5.2.21 Ensure SSH AllowTCPForwarding is disabled (Scored)
# Ensure SSH AllowTCPForwarding is disabled (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 5.2.9 Ensure SSH HostbasedAuthentication is disabled (Scored)
# Ensure SSH HostbasedAuthentication is disabled (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 5.2.11 Ensure SSH PermitEmptyPasswords is disabled (Scored)
# Ensure SSH PermitEmptyPasswords is disabled (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 5.2.12 Ensure SSH PermitUserEnvironment is disabled (Scored)
# Ensure SSH PermitUserEnvironment is disabled (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 5.4.2 Ensure system accounts are non-login (Scored)
# Ensure system accounts are non-login (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 2.3.3 Ensure talk client is not installed (Scored)
# Ensure talk client is not installed (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 2.3.4 Ensure telnet client is not installed (Scored)
# Ensure telnet client is not installed (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 99.2.2 Ensure telnet server is not enabled (Scored)
# Ensure telnet server is not enabled (Scored)
#
# Note: this check is not anymore in CIS hardening but we decided to keep it anyway

View File

@ -6,7 +6,7 @@
#
#
# 3.4.4 Ensure TIPC is disabled (Not Scored)
# Ensure TIPC is disabled (Not Scored)
#
set -e # One error, it's over
@ -28,11 +28,25 @@ audit() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is loaded!"
else
ok "$MODULE_NAME is disabled"
ok "$MODULE_NAME is not loaded"
fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then
ok "$MODULE_NAME is disabled in the modprobe configuration"
else
is_kernel_module_available "$KERNEL_OPTION"
if [ "$FNRET" -eq 0 ]; then
crit "$MODULE_NAME is available in some kernel config, but not disabled"
else
ok "$MODULE_NAME is not available in any kernel config"
fi
fi
fi
fi
}
@ -43,11 +57,18 @@ apply() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
crit "$LOADED_MODULE_NAME is loaded!"
warn "I wont unload the module, unload it manually or recompile the kernel if needed"
fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 1 ]; then
echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
info "$MODULE_NAME has been disabled in the modprobe configuration"
fi
fi
fi
}

View File

@ -6,7 +6,7 @@
#
#
# 1.1.1.6 Ensure mounting of udf filesystems is disabled (Scored)
# Ensure mounting of udf filesystems is disabled (Scored)
#
set -e # One error, it's over
@ -26,11 +26,25 @@ audit() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is loaded!"
else
ok "$MODULE_NAME is disabled"
ok "$MODULE_NAME is not loaded"
fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then
ok "$MODULE_NAME is disabled in the modprobe configuration"
else
is_kernel_module_available "$KERNEL_OPTION"
if [ "$FNRET" -eq 0 ]; then
crit "$MODULE_NAME is available in some kernel config, but not disabled"
else
ok "$MODULE_NAME is not available in any kernel config"
fi
fi
fi
fi
}
@ -41,11 +55,18 @@ apply() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
crit "$LOADED_MODULE_NAME is loaded!"
warn "I wont unload the module, unload it manually or recompile the kernel if needed"
fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 1 ]; then
echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
info "$MODULE_NAME has been disabled in the modprobe configuration"
fi
fi
fi
}

View File

@ -6,7 +6,7 @@
#
#
# 99.1.1.23 Disable USB Devices
# Disable USB Devices
#
set -e # One error, it's over
@ -26,6 +26,8 @@ FILE='/etc/udev/rules.d/10-CIS_99.2_usb_devices.sh'
# This function will be called if the script status is on enabled / audit mode
audit() {
SEARCH_RES=0
# if SC2086 is fixed (double quotes) instead of skipped, then shellcheck will complain that double quotes will prevent the loop (SC2066)
# shellcheck disable=SC2086
for FILE_SEARCHED in $FILES_TO_SEARCH; do
if [ "$SEARCH_RES" = 1 ]; then break; fi
if $SUDO_CMD test -d "$FILE_SEARCHED"; then

View File

@ -6,7 +6,7 @@
#
#
# 1.1.23 Disable USB storage (Scored)
# Disable USB storage (Scored)
#
set -e # One error, it's over
@ -20,7 +20,10 @@ DESCRIPTION="Disable USB storage."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_USB_STORAGE"
# name as used for "modprobe"
MODULE_NAME="usb-storage"
# name as returned by "modinfo -F name <module_file.ko>"
LOADED_MODULE_NAME="usb_storage"
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -28,11 +31,25 @@ audit() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
crit "$LOADED_MODULE_NAME is loaded!"
else
ok "$MODULE_NAME is disabled"
ok "$LOADED_MODULE_NAME is not loaded"
fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then
ok "$MODULE_NAME is disabled in the modprobe configuration"
else
is_kernel_module_available "$KERNEL_OPTION"
if [ "$FNRET" -eq 0 ]; then
crit "$MODULE_NAME is available in some kernel config, but not disabled"
else
ok "$MODULE_NAME is not available in any kernel config"
fi
fi
fi
fi
}
@ -43,11 +60,18 @@ apply() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
crit "$LOADED_MODULE_NAME is loaded!"
warn "I wont unload the module, unload it manually or recompile the kernel if needed"
fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 1 ]; then
echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
info "$MODULE_NAME has been disabled in the modprobe configuration"
fi
fi
fi
}

View File

@ -6,7 +6,7 @@
#
#
# 3.1.2 Ensure wireless interfaces are disabled (Not Scored)
# Ensure wireless interfaces are disabled (Not Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 5.2.6 Ensure SSH X11 forwarding is disabled (Scored)
# Ensure SSH X11 forwarding is disabled (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 2.1.1 Ensure xinetd is not enabled (Scored)
# Ensure xinetd is not enabled (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 2.2.2 Ensure the X Window system is not installed (Scored)
# Ensure the X Window system is not installed (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 1.7.2.2 Ensure AppArmor is enabled in the bootloader configuration (Scored)
# Ensure AppArmor is enabled in the bootloader configuration (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 4.1.1.2 Ensure auditd service is enabled (Scored)
# Ensure auditd service is enabled (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 99.4.0 Ensure CONFIG_AUDIT is enabled in your running kernel
# Ensure CONFIG_AUDIT is enabled in your running kernel
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 3.3.6 Ensure bogus ICMP responses are ignored (Scored)
# Ensure bogus ICMP responses are ignored (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 5.1.1 Ensure cron daemon is enabled (Scored)
# Ensure cron daemon is enabled (Scored)
#
set -e # One error, it's over

View File

@ -6,7 +6,7 @@
#
#
# 3.5.1.1 Ensure Firewall is active (Scored)
# Ensure Firewall is active (Scored)
#
set -e # One error, it's over

Some files were not shown because too many files have changed in this diff Show More