mirror of
https://github.com/ovh/debian-cis.git
synced 2025-07-16 13:52:17 +02:00
Compare commits
180 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 624aba950d | |||
| 0ca73899d3 | |||
| a5e1cb90cd | |||
| b6fff5b8b6 | |||
| e0c6692ff2 | |||
| 7c69305b44 | |||
| e2ad0a5dcc | |||
| d0ab72dd26 | |||
| 520ab63b29 | |||
| f626201fdd | |||
| 8da1107532 | |||
| 936b84c0f2 | |||
| 9cbc3f85a9 | |||
| 87e242a42d | |||
| 7f990b5e53 | |||
| 38ca43c125 | |||
| 7d87619744 | |||
| c9e19b51e6 | |||
| 7ce8ec8b89 | |||
| 2034aa7b8a | |||
| 87bf29b5fe | |||
| 0204bb0942 | |||
| 6e0b47ab8f | |||
| 5c40d48f85 | |||
| a2adf0f15c | |||
| 233f75023a | |||
| 3560f67e3f | |||
| f4ba90352b | |||
| cdaee7786a | |||
| 13a070319b | |||
| 65bdb42eb3 | |||
| 0c16e500f5 | |||
| fad8e8c1f1 | |||
| 2ab1bd50dc | |||
| db27cfc39c | |||
| dee0ebc821 | |||
| 16cc2bef71 | |||
| b9e129d8fe | |||
| 36528b55e0 | |||
| 1c56bd9930 | |||
| 99ac9339f4 | |||
| b09b75a51e | |||
| 6826f377e6 | |||
| e2f7426664 | |||
| ac66cdacd0 | |||
| 8012234096 | |||
| 63835dd10c | |||
| ef800954f4 | |||
| addd48c4dd | |||
| 72bb3e2b84 | |||
| d371b8d057 | |||
| eaf56ca25e | |||
| 106fa5fc8a | |||
| 3a342b784a | |||
| bc1aa65b91 | |||
| dba1dae963 | |||
| 4add6ddc33 | |||
| c17d04ecc2 | |||
| cccc0881e9 | |||
| 9c3aa51982 | |||
| b994ca11a7 | |||
| f4e0aafacc | |||
| d40a85085d | |||
| 467e5f178c | |||
| d244a2e810 | |||
| 84bff4ac88 | |||
| d640a467e2 | |||
| 9bfb7efca1 | |||
| 7b8cca20d6 | |||
| a6de243808 | |||
| 7e8c976722 | |||
| ffd5b28840 | |||
| ce1e87b1a3 | |||
| b5865947ba | |||
| ee4b2417c2 | |||
| 5568065c35 | |||
| 91a2824246 | |||
| 47f8b7b677 | |||
| 728011f846 | |||
| 17e43753b9 | |||
| 9aac4c3504 | |||
| 8af91dd6a8 | |||
| feefee28e4 | |||
| 774af39a34 | |||
| e288835381 | |||
| fbd26ceefa | |||
| 501ce8c651 | |||
| 829ee8631f | |||
| 6620a82f34 | |||
| 3c7a03445c | |||
| 03c8e25ff3 | |||
| 7b73eac6d6 | |||
| 67649ec407 | |||
| a7afb1099a | |||
| fe568561bf | |||
| 4dc8701132 | |||
| 6aae84f4b2 | |||
| 668dc80bb8 | |||
| c2090b74b3 | |||
| 26c119c4a1 | |||
| aff5d708e8 | |||
| b266982a3c | |||
| a0b025deac | |||
| ccef85ebe3 | |||
| 258da6b4a1 | |||
| 9eb6bac993 | |||
| df802b4882 | |||
| f71d34a31b | |||
| ab712b4a6c | |||
| 2559dd82cb | |||
| b33ab3d9bf | |||
| 67badc0ed1 | |||
| 7a09e0fb9a | |||
| 5d16ee5c98 | |||
| 4680465095 | |||
| 027552f364 | |||
| a0df6837ea | |||
| 20f432765d | |||
| 97bb1927c3 | |||
| fec0ac159c | |||
| f89a864b33 | |||
| 5ea053a502 | |||
| 58277716c7 | |||
| 912718a014 | |||
| 01d02b5d5c | |||
| bb266ebe4a | |||
| 1e64a14299 | |||
| 7ab41f7b88 | |||
| a0796af547 | |||
| 990f191111 | |||
| f82712203d | |||
| e2616b024d | |||
| 36d55a6f79 | |||
| e1846ebd4c | |||
| bb9f60a939 | |||
| c0e9b96ffc | |||
| de3da21a38 | |||
| c81cf79fea | |||
| d4bbc786a6 | |||
| 625a6206c7 | |||
| 5074c5a8bd | |||
| 0fa10240cd | |||
| d91fdbf84b | |||
| 2b60594a06 | |||
| d6dae89966 | |||
| 80b97940fa | |||
| 609444a47f | |||
| 440aeaf45f | |||
| a085785321 | |||
| fbb73d1953 | |||
| 47a9ffdc9c | |||
| 8a4a28a35b | |||
| 9e61ca8367 | |||
| c863a01305 | |||
| 124dde8254 | |||
| 65f92a7556 | |||
| 00dd3ef591 | |||
| 032aaa7c79 | |||
| 68f9f56192 | |||
| c5674c3627 | |||
| e205dc7481 | |||
| fbdf3b72ed | |||
| 6365f58b4c | |||
| fe25b1ba38 | |||
| 0b85d16c16 | |||
| 88e3a515ef | |||
| 55c1cdbdde | |||
| 6f5d714b55 | |||
| a37c5bdc4e | |||
| d6e5803252 | |||
| 922f28c200 | |||
| 70be679567 | |||
| 413277d7eb | |||
| e62648d6a4 | |||
| ef5c00fef5 | |||
| 20dacdf6c7 | |||
| 19ee1cabf8 | |||
| 5a1a70bbd3 | |||
| a4969e6ba6 | |||
| 96f3b74334 |
1
.gitignore
vendored
1
.gitignore
vendored
@ -0,0 +1 @@
|
||||
tmp/shfmt
|
||||
101
bin/hardening.sh
101
bin/hardening.sh
@ -1,5 +1,6 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||
@ -9,7 +10,7 @@
|
||||
# Main script : Execute hardening considering configuration
|
||||
#
|
||||
|
||||
LONG_SCRIPT_NAME=$(basename $0)
|
||||
LONG_SCRIPT_NAME=$(basename "$0")
|
||||
SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
|
||||
DISABLED_CHECKS=0
|
||||
PASSED_CHECKS=0
|
||||
@ -20,6 +21,7 @@ AUDIT=0
|
||||
APPLY=0
|
||||
AUDIT_ALL=0
|
||||
AUDIT_ALL_ENABLE_PASSED=0
|
||||
CREATE_CONFIG=0
|
||||
ALLOW_SERVICE_LIST=0
|
||||
SET_HARDENING_LEVEL=0
|
||||
SUDO_MODE=''
|
||||
@ -77,6 +79,10 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
|
||||
as http, mail, etc. Can be specified multiple times to allow multiple services.
|
||||
Use --allow-service-list to get a list of supported services.
|
||||
|
||||
--create-config-files-only
|
||||
Create the config files in etc/conf.d
|
||||
Must be run as root, before running the audit with user secaudit
|
||||
|
||||
OPTIONS:
|
||||
|
||||
--only <test_number>
|
||||
@ -108,7 +114,7 @@ fi
|
||||
declare -a TEST_LIST ALLOWED_SERVICES_LIST
|
||||
|
||||
# Arguments parsing
|
||||
while [[ $# > 0 ]]; do
|
||||
while [[ $# -gt 0 ]]; do
|
||||
ARG="$1"
|
||||
case $ARG in
|
||||
--audit)
|
||||
@ -126,6 +132,9 @@ while [[ $# > 0 ]]; do
|
||||
--allow-service-list)
|
||||
ALLOW_SERVICE_LIST=1
|
||||
;;
|
||||
--create-config-files-only)
|
||||
CREATE_CONFIG=1
|
||||
;;
|
||||
--allow-service)
|
||||
ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
|
||||
shift
|
||||
@ -156,12 +165,13 @@ while [[ $# > 0 ]]; do
|
||||
done
|
||||
|
||||
# if no RUN_MODE was passed, usage and quit
|
||||
if [ "$AUDIT" -eq 0 -a "$AUDIT_ALL" -eq 0 -a "$AUDIT_ALL_ENABLE_PASSED" -eq 0 -a "$APPLY" -eq 0 ]; then
|
||||
if [ "$AUDIT" -eq 0 ] && [ "$AUDIT_ALL" -eq 0 ] && [ "$AUDIT_ALL_ENABLE_PASSED" -eq 0 ] && [ "$APPLY" -eq 0 ] && [ "$CREATE_CONFIG" -eq 0 ]; then
|
||||
usage
|
||||
fi
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -169,34 +179,37 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
# shellcheck source=../lib/constants.sh
|
||||
[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
|
||||
# shellcheck source=../etc/hardening.cfg
|
||||
[ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
|
||||
# shellcheck source=../lib/common.sh
|
||||
[ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
|
||||
# shellcheck source=../lib/utils.sh
|
||||
[ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh
|
||||
|
||||
[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
|
||||
[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
|
||||
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
|
||||
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
|
||||
|
||||
if [ $BATCH_MODE ]; then MACHINE_LOG_LEVEL=3; fi
|
||||
if [ "$BATCH_MODE" ]; then MACHINE_LOG_LEVEL=3; fi
|
||||
|
||||
# If --allow-service-list is specified, don't run anything, just list the supported services
|
||||
if [ "$ALLOW_SERVICE_LIST" = 1 ]; then
|
||||
declare -a HARDENING_EXCEPTIONS_LIST
|
||||
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
|
||||
for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
|
||||
template=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2)
|
||||
[ -n "$template" ] && HARDENING_EXCEPTIONS_LIST[${#HARDENING_EXCEPTIONS_LIST[@]}]="$template"
|
||||
done
|
||||
echo "Supported services are: "$(echo "${HARDENING_EXCEPTIONS_LIST[@]}" | tr " " "\n" | sort -u | tr "\n" " ")
|
||||
echo "Supported services are:" "$(echo "${HARDENING_EXCEPTIONS_LIST[@]}" | tr " " "\n" | sort -u | tr "\n" " ")"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# If --set-hardening-level is specified, don't run anything, just apply config for each script
|
||||
if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then
|
||||
if [ -n "$SET_HARDENING_LEVEL" ] && [ "$SET_HARDENING_LEVEL" != 0 ]; then
|
||||
if ! grep -q "^[12345]$" <<<"$SET_HARDENING_LEVEL"; then
|
||||
echo "Bad --set-hardening-level specified ('$SET_HARDENING_LEVEL'), expected 1 to 5"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
|
||||
SCRIPT_BASENAME=$(basename $SCRIPT .sh)
|
||||
for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
|
||||
SCRIPT_BASENAME=$(basename "$SCRIPT" .sh)
|
||||
script_level=$(grep "^HARDENING_LEVEL=" "$SCRIPT" | cut -d= -f2)
|
||||
if [ -z "$script_level" ]; then
|
||||
echo "The script $SCRIPT_BASENAME doesn't have a hardening level, configuration untouched for it"
|
||||
@ -204,17 +217,23 @@ if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then
|
||||
fi
|
||||
wantedstatus=disabled
|
||||
[ "$script_level" -le "$SET_HARDENING_LEVEL" ] && wantedstatus=enabled
|
||||
sed -i -re "s/^status=.+/status=$wantedstatus/" $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
|
||||
sed -i -re "s/^status=.+/status=$wantedstatus/" "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
|
||||
done
|
||||
echo "Configuration modified to enable scripts for hardening level at or below $SET_HARDENING_LEVEL"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ "$CREATE_CONFIG" = 1 ] && [ "$EUID" -ne 0 ]; then
|
||||
echo "For --create-config-files-only, please run as root"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Parse every scripts and execute them in the required mode
|
||||
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
|
||||
if [ ${#TEST_LIST[@]} -gt 0 ] ; then
|
||||
for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
|
||||
if [ "${#TEST_LIST[@]}" -gt 0 ]; then
|
||||
# --only X has been specified at least once, is this script in my list ?
|
||||
SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<< "$(basename $SCRIPT)")
|
||||
SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename "$SCRIPT")")
|
||||
# shellcheck disable=SC2001
|
||||
SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX")
|
||||
if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<<"${TEST_LIST[@]}"; then
|
||||
# not in the list
|
||||
@ -223,19 +242,21 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
|
||||
fi
|
||||
|
||||
info "Treating $SCRIPT"
|
||||
|
||||
if [ $AUDIT = 1 ]; then
|
||||
if [ "$CREATE_CONFIG" = 1 ]; then
|
||||
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only"
|
||||
"$SCRIPT" --create-config-files-only "$BATCH_MODE"
|
||||
elif [ "$AUDIT" = 1 ]; then
|
||||
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
|
||||
$SCRIPT --audit $SUDO_MODE $BATCH_MODE
|
||||
elif [ $AUDIT_ALL = 1 ]; then
|
||||
"$SCRIPT" --audit "$SUDO_MODE" "$BATCH_MODE"
|
||||
elif [ "$AUDIT_ALL" = 1 ]; then
|
||||
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
|
||||
$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE
|
||||
elif [ $AUDIT_ALL_ENABLE_PASSED = 1 ]; then
|
||||
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE" $BATCH_MODE
|
||||
$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE
|
||||
elif [ $APPLY = 1 ]; then
|
||||
"$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
|
||||
elif [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
|
||||
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
|
||||
"$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
|
||||
elif [ "$APPLY" = 1 ]; then
|
||||
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
|
||||
$SCRIPT
|
||||
"$SCRIPT"
|
||||
fi
|
||||
|
||||
SCRIPT_EXITCODE=$?
|
||||
@ -245,9 +266,9 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
|
||||
0)
|
||||
debug "$SCRIPT passed"
|
||||
PASSED_CHECKS=$((PASSED_CHECKS + 1))
|
||||
if [ $AUDIT_ALL_ENABLE_PASSED = 1 ] ; then
|
||||
SCRIPT_BASENAME=$(basename $SCRIPT .sh)
|
||||
sed -i -re 's/^status=.+/status=enabled/' $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
|
||||
if [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
|
||||
SCRIPT_BASENAME=$(basename "$SCRIPT" .sh)
|
||||
sed -i -re 's/^status=.+/status=enabled/' "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
|
||||
info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
|
||||
fi
|
||||
;;
|
||||
@ -267,26 +288,30 @@ done
|
||||
|
||||
TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS - DISABLED_CHECKS))
|
||||
|
||||
if [ $BATCH_MODE ]; then
|
||||
if [ "$BATCH_MODE" ]; then
|
||||
BATCH_SUMMARY="AUDIT_SUMMARY "
|
||||
BATCH_SUMMARY+="PASSED_CHECKS:${PASSED_CHECKS:-0} "
|
||||
BATCH_SUMMARY+="RUN_CHECKS:${TOTAL_TREATED_CHECKS:-0} "
|
||||
BATCH_SUMMARY+="TOTAL_CHECKS_AVAIL:${TOTAL_CHECKS:-0}"
|
||||
if [ $TOTAL_TREATED_CHECKS != 0 ]; then
|
||||
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%.2f" $( echo "($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100" | bc -l))"
|
||||
if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
|
||||
CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
|
||||
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%s" "$CONFORMITY_PERCENTAGE")"
|
||||
else
|
||||
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
|
||||
fi
|
||||
becho $BATCH_SUMMARY
|
||||
becho "$BATCH_SUMMARY"
|
||||
else
|
||||
printf "%40s\n" "################### SUMMARY ###################"
|
||||
printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
|
||||
printf "%30s %s\n" "Total Runned Checks :" "$TOTAL_TREATED_CHECKS"
|
||||
printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
|
||||
printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
|
||||
printf "%30s %.2f %%\n" "Enabled Checks Percentage :" "$( echo "($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100" | bc -l)"
|
||||
if [ $TOTAL_TREATED_CHECKS != 0 ]; then
|
||||
printf "%30s %.2f %%\n" "Conformity Percentage :" "$( echo "($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100" | bc -l)"
|
||||
|
||||
ENABLED_CHECKS_PERCENTAGE=$(bc -l <<<"scale=2; ($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100")
|
||||
CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
|
||||
printf "%30s %s %%\n" "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE"
|
||||
if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
|
||||
printf "%30s %s %%\n" "Conformity Percentage :" "$CONFORMITY_PERCENTAGE"
|
||||
else
|
||||
printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No check runned, avoid division by 0
|
||||
fi
|
||||
|
||||
@ -1,43 +1,45 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.19 Disable Mounting of freevxfs Filesystems (Not Scored)
|
||||
# 1.1.1.1 Ensure Mounting of freevxfs filesystems is disabled (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Disable mounting of freevxfs filesystems."
|
||||
|
||||
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
|
||||
|
||||
KERNEL_OPTION="CONFIG_VXFS_FS"
|
||||
MODULE_NAME="freevxfs"
|
||||
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
|
||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$KERNEL_OPTION is enabled!"
|
||||
else
|
||||
ok "$KERNEL_OPTION is disabled"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
is_kernel_option_enabled $KERNEL_OPTION
|
||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
is_kernel_option_enabled "$KERNEL_OPTION"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
||||
else
|
||||
ok "$KERNEL_OPTION is disabled, nothing to do"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
@ -47,6 +49,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -56,8 +59,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,43 +1,45 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.20 Disable Mounting of jffs2 Filesystems (Not Scored)
|
||||
# 1.1.1.2 Esnure mounting of jffs2 filesystems is disabled (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Disable mounting of jffs2 filesystems."
|
||||
|
||||
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
|
||||
|
||||
KERNEL_OPTION="CONFIG_JFFS2_FS"
|
||||
MODULE_NAME="jffs2"
|
||||
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
|
||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$KERNEL_OPTION is enabled!"
|
||||
else
|
||||
ok "$KERNEL_OPTION is disabled"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
is_kernel_option_enabled $KERNEL_OPTION
|
||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
is_kernel_option_enabled "$KERNEL_OPTION"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
||||
else
|
||||
ok "$KERNEL_OPTION is disabled, nothing to do"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
@ -47,6 +49,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -56,8 +59,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,43 +1,45 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.21 Disable Mounting of hfs Filesystems (Not Scored)
|
||||
# 1.1.1.3 Ensure mounting of hfs filesystems is disabled (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Disable mounting of hfs filesystems."
|
||||
|
||||
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
|
||||
|
||||
KERNEL_OPTION="CONFIG_HFS_FS"
|
||||
MODULE_FILE="hfs"
|
||||
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
|
||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$KERNEL_OPTION is enabled!"
|
||||
else
|
||||
ok "$KERNEL_OPTION is disabled"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
is_kernel_option_enabled $KERNEL_OPTION
|
||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
is_kernel_option_enabled "$KERNEL_OPTION"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
||||
else
|
||||
ok "$KERNEL_OPTION is disabled, nothing to do"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
@ -47,6 +49,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -56,8 +59,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,43 +1,45 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.22 Disable Mounting of hfsplus Filesystems (Not Scored)
|
||||
# 1.1.1.4 Ensure mounting of hfsplus filesystems is disabled (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Disable mounting of hfsplus filesystems."
|
||||
|
||||
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
|
||||
|
||||
KERNEL_OPTION="CONFIG_HFSPLUS_FS"
|
||||
MODULE_FILE="hfsplus"
|
||||
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
|
||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$KERNEL_OPTION is enabled!"
|
||||
else
|
||||
ok "$KERNEL_OPTION is disabled"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
is_kernel_option_enabled $KERNEL_OPTION
|
||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
is_kernel_option_enabled "$KERNEL_OPTION"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
||||
else
|
||||
ok "$KERNEL_OPTION is disabled, nothing to do"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
@ -47,6 +49,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -56,8 +59,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,27 +1,31 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.23 Disable Mounting of squashfs Filesystems (Not Scored)
|
||||
# 1.1.1.5 Ensure mounting of squashfs filesystems is disabled (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Disable mounting of squashfs filesytems."
|
||||
|
||||
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
|
||||
|
||||
KERNEL_OPTION="CONFIG_SQUASHFS"
|
||||
MODULE_FILE="squashfs"
|
||||
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
|
||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$KERNEL_OPTION is enabled!"
|
||||
else
|
||||
ok "$KERNEL_OPTION is disabled"
|
||||
@ -31,8 +35,8 @@ audit () {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
is_kernel_option_enabled $KERNEL_OPTION
|
||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
is_kernel_option_enabled "$KERNEL_OPTION"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
||||
else
|
||||
ok "$KERNEL_OPTION is disabled, nothing to do"
|
||||
@ -47,6 +51,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -56,8 +61,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,43 +1,45 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.24 Disable Mounting of udf Filesystems (Not Scored)
|
||||
# 1.1.1.6 Ensure mounting of udf filesystems is disabled (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Disable mounting of udf filesystems."
|
||||
|
||||
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
|
||||
|
||||
KERNEL_OPTION="CONFIG_UDF_FS"
|
||||
MODULE_FILE="udf"
|
||||
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
|
||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$KERNEL_OPTION is enabled!"
|
||||
else
|
||||
ok "$KERNEL_OPTION is disabled"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
is_kernel_option_enabled $KERNEL_OPTION
|
||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
is_kernel_option_enabled "$KERNEL_OPTION"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
||||
else
|
||||
ok "$KERNEL_OPTION is disabled, nothing to do"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
@ -47,6 +49,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -56,8 +59,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
68
bin/hardening/1.1.1.7_restrict_fat.sh
Executable file
68
bin/hardening/1.1.1.7_restrict_fat.sh
Executable file
@ -0,0 +1,68 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 1.1.1.7 Ensure mounting of FAT filesystems is limited (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=5
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Limit mounting of FAT filesystems."
|
||||
|
||||
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
|
||||
|
||||
KERNEL_OPTION="CONFIG_VFAT_FS"
|
||||
MODULE_FILE="vfat"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$KERNEL_OPTION is enabled!"
|
||||
else
|
||||
ok "$KERNEL_OPTION is disabled"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
is_kernel_option_enabled "$KERNEL_OPTION"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
||||
else
|
||||
ok "$KERNEL_OPTION is disabled, nothing to do"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
@ -1,17 +1,20 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.6.4 Set noexec option for /var/tmp Partition (Scored)
|
||||
# 1.1.10 Ensure noexec option set on /var/tmp partition (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="/var/tmp partition with noexec option."
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
@ -23,19 +26,19 @@ audit () {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
crit "$PARTITION is not a partition"
|
||||
FNRET=2
|
||||
else
|
||||
ok "$PARTITION is a partition"
|
||||
has_mount_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
has_mount_option "$PARTITION" "$OPTION"
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
crit "$PARTITION has no option $OPTION in fstab!"
|
||||
FNRET=1
|
||||
else
|
||||
ok "$PARTITION has $OPTION in fstab"
|
||||
has_mounted_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
has_mounted_option "$PARTITION" "$OPTION"
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||
FNRET=3
|
||||
else
|
||||
@ -47,18 +50,18 @@ audit () {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
if [ $FNRET = 0 ]; then
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
elif [ "$FNRET" = 2 ]; then
|
||||
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
elif [ "$FNRET" = 1 ]; then
|
||||
info "Adding $OPTION to fstab"
|
||||
add_option_to_fstab $PARTITION $OPTION
|
||||
add_option_to_fstab "$PARTITION" "$OPTION"
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
elif [ $FNRET = 3 ]; then
|
||||
remount_partition "$PARTITION"
|
||||
elif [ "$FNRET" = 3 ]; then
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
remount_partition "$PARTITION"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -70,6 +73,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -79,8 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,17 +1,20 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.7 Create Separate Partition for /var/log (Scored)
|
||||
# 1.1.11 Ensure separate partition exists for /var/log (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="/var/log on separate partition."
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
@ -22,32 +25,30 @@ audit () {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
crit "$PARTITION is not a partition"
|
||||
FNRET=2
|
||||
else
|
||||
ok "$PARTITION is a partition"
|
||||
is_mounted "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
warn "$PARTITION is not mounted"
|
||||
FNRET=1
|
||||
else
|
||||
ok "$PARTITION is mounted"
|
||||
fi
|
||||
fi
|
||||
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
if [ $FNRET = 0 ]; then
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
elif [ "$FNRET" = 2 ]; then
|
||||
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||
else
|
||||
info "mounting $PARTITION"
|
||||
mount $PARTITION
|
||||
mount "$PARTITION"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -59,6 +60,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -68,8 +70,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,17 +1,20 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.8 Create Separate Partition for /var/log/audit (Scored)
|
||||
# 1.1.12 Ensure separate partition exists for /var/log/audit (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=4
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="/var/log/audit on a separate partition."
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
@ -22,32 +25,30 @@ audit () {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
crit "$PARTITION is not a partition"
|
||||
FNRET=2
|
||||
else
|
||||
ok "$PARTITION is a partition"
|
||||
is_mounted "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
warn "$PARTITION is not mounted"
|
||||
FNRET=1
|
||||
else
|
||||
ok "$PARTITION is mounted"
|
||||
fi
|
||||
fi
|
||||
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
if [ $FNRET = 0 ]; then
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
elif [ "$FNRET" = 2 ]; then
|
||||
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||
else
|
||||
info "mounting $PARTITION"
|
||||
mount $PARTITION
|
||||
mount "$PARTITION"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -59,6 +60,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -68,8 +70,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,17 +1,20 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.9 Create Separate Partition for /home (Scored)
|
||||
# 1.1.13 Ensure separate partition exists for /home (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="/home on a separate partition."
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
@ -22,32 +25,30 @@ audit () {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
crit "$PARTITION is not a partition"
|
||||
FNRET=2
|
||||
else
|
||||
ok "$PARTITION is a partition"
|
||||
is_mounted "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
warn "$PARTITION is not mounted"
|
||||
FNRET=1
|
||||
else
|
||||
ok "$PARTITION is mounted"
|
||||
fi
|
||||
fi
|
||||
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
if [ $FNRET = 0 ]; then
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
elif [ "$FNRET" = 2 ]; then
|
||||
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||
else
|
||||
info "mounting $PARTITION"
|
||||
mount $PARTITION
|
||||
mount "$PARTITION"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -59,6 +60,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -68,8 +70,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,17 +1,20 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.10 Add nodev Option to /home (Scored)
|
||||
# 1.1.14 Ensure nodev Option set on /home (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="/home partition with nodev option."
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
@ -23,19 +26,19 @@ audit () {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
crit "$PARTITION is not a partition"
|
||||
FNRET=2
|
||||
else
|
||||
ok "$PARTITION is a partition"
|
||||
has_mount_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
has_mount_option "$PARTITION" "$OPTION"
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
crit "$PARTITION has no option $OPTION in fstab!"
|
||||
FNRET=1
|
||||
else
|
||||
ok "$PARTITION has $OPTION in fstab"
|
||||
has_mounted_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
has_mounted_option "$PARTITION" "$OPTION"
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||
FNRET=3
|
||||
else
|
||||
@ -47,18 +50,18 @@ audit () {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
if [ $FNRET = 0 ]; then
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
elif [ "$FNRET" = 2 ]; then
|
||||
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
elif [ "$FNRET" = 1 ]; then
|
||||
info "Adding $OPTION to fstab"
|
||||
add_option_to_fstab $PARTITION $OPTION
|
||||
add_option_to_fstab "$PARTITION" "$OPTION"
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
elif [ $FNRET = 3 ]; then
|
||||
remount_partition "$PARTITION"
|
||||
elif [ "$FNRET" = 3 ]; then
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
remount_partition "$PARTITION"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -70,6 +73,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -79,8 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -6,7 +6,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 2.14 Add nodev Option to /run/shm Partition (Scored)
|
||||
# 1.1.15 Ensure nodev option set on /dev/shm partition (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
@ -27,19 +27,19 @@ audit () {
|
||||
PARTITION=$(readlink -e "$PARTITION")
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
crit "$PARTITION is not a partition"
|
||||
FNRET=2
|
||||
else
|
||||
ok "$PARTITION is a partition"
|
||||
has_mount_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
has_mount_option "$PARTITION" "$OPTION"
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
crit "$PARTITION has no option $OPTION in fstab!"
|
||||
FNRET=1
|
||||
else
|
||||
ok "$PARTITION has $OPTION in fstab"
|
||||
has_mounted_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
has_mounted_option "$PARTITION" "$OPTION"
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||
FNRET=3
|
||||
else
|
||||
@ -51,18 +51,18 @@ audit () {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
if [ $FNRET = 0 ]; then
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
elif [ "$FNRET" = 2 ]; then
|
||||
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
elif [ "$FNRET" = 1 ]; then
|
||||
info "Adding $OPTION to fstab"
|
||||
add_option_to_fstab $PARTITION $OPTION
|
||||
add_option_to_fstab "$PARTITION" "$OPTION"
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
elif [ $FNRET = 3 ]; then
|
||||
remount_partition "$PARTITION"
|
||||
elif [ "$FNRET" = 3 ]; then
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
remount_partition "$PARTITION"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -74,6 +74,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -84,7 +85,7 @@ fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=/opt/debian-cis/lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
@ -6,7 +6,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 2.15 Add nosuid Option to /run/shm Partition (Scored)
|
||||
# 1.1.16 Ensure nosuid option set on /run/shm partition (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
@ -27,19 +27,19 @@ audit () {
|
||||
PARTITION=$(readlink -e "$PARTITION")
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
crit "$PARTITION is not a partition"
|
||||
FNRET=2
|
||||
else
|
||||
ok "$PARTITION is a partition"
|
||||
has_mount_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
has_mount_option "$PARTITION" "$OPTION"
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
crit "$PARTITION has no option $OPTION in fstab!"
|
||||
FNRET=1
|
||||
else
|
||||
ok "$PARTITION has $OPTION in fstab"
|
||||
has_mounted_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
has_mounted_option "$PARTITION" "$OPTION"
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||
FNRET=3
|
||||
else
|
||||
@ -51,18 +51,18 @@ audit () {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
if [ $FNRET = 0 ]; then
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
elif [ "$FNRET" = 2 ]; then
|
||||
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
elif [ "$FNRET" = 1 ]; then
|
||||
info "Adding $OPTION to fstab"
|
||||
add_option_to_fstab $PARTITION $OPTION
|
||||
add_option_to_fstab "$PARTITION" "$OPTION"
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
elif [ $FNRET = 3 ]; then
|
||||
remount_partition "$PARTITION"
|
||||
elif [ "$FNRET" = 3 ]; then
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
remount_partition "$PARTITION"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -74,6 +74,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -84,7 +85,7 @@ fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=/opt/debian-cis/lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
@ -6,7 +6,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 2.16 Add noexec Option to /run/shm Partition (Scored)
|
||||
# 1.1.17 Ensure noexec option set on /run/shm partition (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
@ -27,19 +27,19 @@ audit () {
|
||||
PARTITION=$(readlink -e "$PARTITION")
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
crit "$PARTITION is not a partition"
|
||||
FNRET=2
|
||||
else
|
||||
ok "$PARTITION is a partition"
|
||||
has_mount_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
has_mount_option "$PARTITION" "$OPTION"
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
crit "$PARTITION has no option $OPTION in fstab!"
|
||||
FNRET=1
|
||||
else
|
||||
ok "$PARTITION has $OPTION in fstab"
|
||||
has_mounted_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
has_mounted_option "$PARTITION" "$OPTION"
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||
FNRET=3
|
||||
else
|
||||
@ -51,18 +51,18 @@ audit () {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
if [ $FNRET = 0 ]; then
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
elif [ "$FNRET" = 2 ]; then
|
||||
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
elif [ "$FNRET" = 1 ]; then
|
||||
info "Adding $OPTION to fstab"
|
||||
add_option_to_fstab $PARTITION $OPTION
|
||||
add_option_to_fstab "$PARTITION" "$OPTION"
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
elif [ $FNRET = 3 ]; then
|
||||
remount_partition "$PARTITION"
|
||||
elif [ "$FNRET" = 3 ]; then
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
remount_partition "$PARTITION"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -74,6 +74,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -84,7 +85,7 @@ fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=/opt/debian-cis/lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
@ -1,17 +1,20 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.11 Add nodev Option to Removable Media Partitions (Not Scored)
|
||||
# 1.1.18 Ensure nodev option set on removable media partition (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="nodev option for removable media partitions."
|
||||
|
||||
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
|
||||
@ -25,13 +28,13 @@ audit () {
|
||||
info "Verifying if there is $PARTITION like partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
ok "There is no partition like $PARTITION"
|
||||
FNRET=0
|
||||
else
|
||||
info "detected $PARTITION like"
|
||||
has_mount_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
has_mount_option "$PARTITION" "$OPTION"
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
crit "$PARTITION has no option $OPTION in fstab!"
|
||||
FNRET=1
|
||||
else
|
||||
@ -42,11 +45,11 @@ audit () {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
if [ $FNRET = 0 ]; then
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
elif [ "$FNRET" = 1 ]; then
|
||||
info "Adding $OPTION to fstab"
|
||||
add_option_to_fstab $PARTITION $OPTION
|
||||
add_option_to_fstab "$PARTITION" "$OPTION"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -58,6 +61,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -67,8 +71,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,17 +1,20 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.13 Add nosuid Option to Removable Media Partitions (Not Scored)
|
||||
# 1.1.19 Ensure nosuid option set on removable media partitions (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="nosuid option for removable media partitions."
|
||||
|
||||
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
|
||||
@ -25,13 +28,13 @@ audit () {
|
||||
info "Verifying if there is $PARTITION like partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
ok "There is no partition like $PARTITION"
|
||||
FNRET=0
|
||||
else
|
||||
info "detected $PARTITION like"
|
||||
has_mount_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
has_mount_option "$PARTITION" "$OPTION"
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
crit "$PARTITION has no option $OPTION in fstab!"
|
||||
FNRET=1
|
||||
else
|
||||
@ -42,11 +45,11 @@ audit () {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
if [ $FNRET = 0 ]; then
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
elif [ "$FNRET" = 1 ]; then
|
||||
info "Adding $OPTION to fstab"
|
||||
add_option_to_fstab $PARTITION $OPTION
|
||||
add_option_to_fstab "$PARTITION" "$OPTION"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -58,6 +61,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -67,8 +71,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,17 +1,20 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.12 Add noexec Option to Removable Media Partitions (Not Scored)
|
||||
# 1.1.20 Ensure noexec option set on removable media partition (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="noexec option for removable media partitions."
|
||||
|
||||
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
|
||||
@ -25,13 +28,13 @@ audit () {
|
||||
info "Verifying if there is $PARTITION like partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
ok "There is no partition like $PARTITION"
|
||||
FNRET=0
|
||||
else
|
||||
info "detected $PARTITION like"
|
||||
has_mount_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
has_mount_option "$PARTITION" "$OPTION"
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
crit "$PARTITION has no option $OPTION in fstab!"
|
||||
FNRET=1
|
||||
else
|
||||
@ -42,11 +45,11 @@ audit () {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
if [ $FNRET = 0 ]; then
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
elif [ "$FNRET" = 1 ]; then
|
||||
info "Adding $OPTION to fstab"
|
||||
add_option_to_fstab $PARTITION $OPTION
|
||||
add_option_to_fstab "$PARTITION" "$OPTION"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -58,6 +61,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -67,8 +71,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,27 +1,32 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.17 Set Sticky Bit on All World-Writable Directories (Scored)
|
||||
# 1.1.21 Ensure sticky bit is set on all world-writable directories (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them."
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
info "Checking if setuid is set on world writable Directories"
|
||||
FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
|
||||
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
|
||||
# shellcheck disable=SC2086
|
||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
if [ -n "$RESULT" ]; then
|
||||
crit "Some world writable directories are not on sticky bit mode!"
|
||||
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
|
||||
# shellcheck disable=SC2001
|
||||
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$RESULT" | sort | uniq | tr '\n' ' ')
|
||||
crit "$FORMATTED_RESULT"
|
||||
else
|
||||
ok "All world writable directories have a sticky bit"
|
||||
@ -30,9 +35,9 @@ audit () {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
|
||||
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
|
||||
if [ -n "$RESULT" ]; then
|
||||
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
|
||||
else
|
||||
ok "All world writable directories have a sticky bit, nothing to apply"
|
||||
fi
|
||||
@ -46,6 +51,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -55,8 +61,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,17 +1,20 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.25 Disable Automounting (Scored)
|
||||
# 1.1.22 Disable Automounting (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Disable automounting of devices."
|
||||
|
||||
SERVICE_NAME="autofs"
|
||||
@ -19,8 +22,8 @@ SERVICE_NAME="autofs"
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
info "Checking if $SERVICE_NAME is enabled"
|
||||
is_service_enabled $SERVICE_NAME
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_service_enabled "$SERVICE_NAME"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$SERVICE_NAME is enabled"
|
||||
else
|
||||
ok "$SERVICE_NAME is disabled"
|
||||
@ -30,10 +33,10 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
info "Checking if $SERVICE_NAME is enabled"
|
||||
is_service_enabled $SERVICE_NAME
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_service_enabled "$SERVICE_NAME"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
info "Disabling $SERVICE_NAME"
|
||||
update-rc.d $SERVICE_NAME remove > /dev/null 2>&1
|
||||
update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
|
||||
else
|
||||
ok "$SERVICE_NAME is disabled"
|
||||
fi
|
||||
@ -46,6 +49,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -55,8 +59,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
68
bin/hardening/1.1.23_disable_usb_storage.sh
Executable file
68
bin/hardening/1.1.23_disable_usb_storage.sh
Executable file
@ -0,0 +1,68 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 1.1.23 Disable USB storage (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Disable USB storage."
|
||||
|
||||
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
|
||||
|
||||
KERNEL_OPTION="CONFIG_USB_STORAGE"
|
||||
MODULE_FILE="usb-storage"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$KERNEL_OPTION is enabled!"
|
||||
else
|
||||
ok "$KERNEL_OPTION is disabled"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
is_kernel_option_enabled "$KERNEL_OPTION"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
||||
else
|
||||
ok "$KERNEL_OPTION is disabled, nothing to do"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
@ -1,18 +1,21 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.1 Create Separate Partition for /tmp (Scored)
|
||||
# 1.1.2 Ensure /tmp is configured (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
DESCRIPTION="/tmp on a separate partition."
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Ensure /tmp is configured (Scored)"
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
PARTITION="/tmp"
|
||||
@ -22,32 +25,30 @@ audit () {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
crit "$PARTITION is not a partition"
|
||||
FNRET=2
|
||||
else
|
||||
ok "$PARTITION is a partition"
|
||||
is_mounted "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
warn "$PARTITION is not mounted"
|
||||
FNRET=1
|
||||
else
|
||||
ok "$PARTITION is mounted"
|
||||
fi
|
||||
fi
|
||||
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
if [ $FNRET = 0 ]; then
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
elif [ "$FNRET" = 2 ]; then
|
||||
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||
else
|
||||
info "mounting $PARTITION"
|
||||
mount $PARTITION
|
||||
mount "$PARTITION"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -59,6 +60,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -68,8 +70,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,17 +1,20 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.2 Set nodev option for /tmp Partition (Scored)
|
||||
# 1.1.3 Ensure nodev option set for /tmp Partition (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="/tmp partition with nodev option."
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
@ -23,19 +26,19 @@ audit () {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
crit "$PARTITION is not a partition"
|
||||
FNRET=2
|
||||
else
|
||||
ok "$PARTITION is a partition"
|
||||
has_mount_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
has_mount_option "$PARTITION" "$OPTION"
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
crit "$PARTITION has no option $OPTION in fstab!"
|
||||
FNRET=1
|
||||
else
|
||||
ok "$PARTITION has $OPTION in fstab"
|
||||
has_mounted_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
has_mounted_option "$PARTITION" "$OPTION"
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||
FNRET=3
|
||||
else
|
||||
@ -47,18 +50,18 @@ audit () {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
if [ $FNRET = 0 ]; then
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
elif [ "$FNRET" = 2 ]; then
|
||||
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
elif [ "$FNRET" = 1 ]; then
|
||||
info "Adding $OPTION to fstab"
|
||||
add_option_to_fstab $PARTITION $OPTION
|
||||
add_option_to_fstab "$PARTITION" "$OPTION"
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
elif [ $FNRET = 3 ]; then
|
||||
remount_partition "$PARTITION"
|
||||
elif [ "$FNRET" = 3 ]; then
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
remount_partition "$PARTITION"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -70,6 +73,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -79,8 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,17 +1,20 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.3 Set nosuid option for /tmp Partition (Scored)
|
||||
# 1.1.4 Ensure nosuid option set for /tmp Partition (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="/tmp partition with nosuid option."
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
@ -23,19 +26,19 @@ audit () {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
crit "$PARTITION is not a partition"
|
||||
FNRET=2
|
||||
else
|
||||
ok "$PARTITION is a partition"
|
||||
has_mount_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
has_mount_option "$PARTITION" "$OPTION"
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
crit "$PARTITION has no option $OPTION in fstab!"
|
||||
FNRET=1
|
||||
else
|
||||
ok "$PARTITION has $OPTION in fstab"
|
||||
has_mounted_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
has_mounted_option "$PARTITION" "$OPTION"
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||
FNRET=3
|
||||
else
|
||||
@ -47,18 +50,18 @@ audit () {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
if [ $FNRET = 0 ]; then
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
elif [ "$FNRET" = 2 ]; then
|
||||
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
elif [ "$FNRET" = 1 ]; then
|
||||
info "Adding $OPTION to fstab"
|
||||
add_option_to_fstab $PARTITION $OPTION
|
||||
add_option_to_fstab "$PARTITION" "$OPTION"
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
elif [ $FNRET = 3 ]; then
|
||||
remount_partition "$PARTITION"
|
||||
elif [ "$FNRET" = 3 ]; then
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
remount_partition "$PARTITION"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -70,6 +73,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -79,8 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,17 +1,20 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.4 Set noexec option for /tmp Partition (Scored)
|
||||
# 1.1.5 Ensure noexec option set for /tmp Partition (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="/tmp partition with noexec option."
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
@ -23,19 +26,19 @@ audit () {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
crit "$PARTITION is not a partition"
|
||||
FNRET=2
|
||||
else
|
||||
ok "$PARTITION is a partition"
|
||||
has_mount_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
has_mount_option "$PARTITION" "$OPTION"
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
crit "$PARTITION has no option $OPTION in fstab!"
|
||||
FNRET=1
|
||||
else
|
||||
ok "$PARTITION has $OPTION in fstab"
|
||||
has_mounted_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
has_mounted_option "$PARTITION" "$OPTION"
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||
FNRET=3
|
||||
else
|
||||
@ -47,18 +50,18 @@ audit () {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
if [ $FNRET = 0 ]; then
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
elif [ "$FNRET" = 2 ]; then
|
||||
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
elif [ "$FNRET" = 1 ]; then
|
||||
info "Adding $OPTION to fstab"
|
||||
add_option_to_fstab $PARTITION $OPTION
|
||||
add_option_to_fstab "$PARTITION" "$OPTION"
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
elif [ $FNRET = 3 ]; then
|
||||
remount_partition "$PARTITION"
|
||||
elif [ "$FNRET" = 3 ]; then
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
remount_partition "$PARTITION"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -70,6 +73,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -79,8 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,17 +1,20 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.5 Create Separate Partition for /var (Scored)
|
||||
# 1.1.6 Ensure separate partition exists for /var (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="/var on a separate partition."
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
@ -22,13 +25,13 @@ audit () {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
crit "$PARTITION is not a partition"
|
||||
FNRET=2
|
||||
else
|
||||
ok "$PARTITION is a partition"
|
||||
is_mounted "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
warn "$PARTITION is not mounted"
|
||||
FNRET=1
|
||||
else
|
||||
@ -41,13 +44,13 @@ audit () {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
if [ $FNRET = 0 ]; then
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
elif [ "$FNRET" = 2 ]; then
|
||||
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||
else
|
||||
info "mounting $PARTITION"
|
||||
mount $PARTITION
|
||||
mount "$PARTITION"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -59,6 +62,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -68,8 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,17 +1,20 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.6.1 Create Separate Partition for /var/tmp (Scored)
|
||||
# 1.1.7 Ensure separate partition exists for /var/tmp (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="/var/tmp on a separate partition."
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
@ -22,13 +25,13 @@ audit () {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
crit "$PARTITION is not a partition"
|
||||
FNRET=2
|
||||
else
|
||||
ok "$PARTITION is a partition"
|
||||
is_mounted "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
warn "$PARTITION is not mounted"
|
||||
FNRET=1
|
||||
else
|
||||
@ -41,13 +44,13 @@ audit () {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
if [ $FNRET = 0 ]; then
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
elif [ "$FNRET" = 2 ]; then
|
||||
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||
else
|
||||
info "mounting $PARTITION"
|
||||
mount $PARTITION
|
||||
mount "$PARTITION"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -59,6 +62,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -68,8 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,17 +1,20 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.6.2 Set nodev option for /var/tmp Partition (Scored)
|
||||
# 1.1.8 Ensure nodev option set on /var/tmp partition (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="/var/tmp partition with nodev option."
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
@ -23,19 +26,19 @@ audit () {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
crit "$PARTITION is not a partition"
|
||||
FNRET=2
|
||||
else
|
||||
ok "$PARTITION is a partition"
|
||||
has_mount_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
has_mount_option "$PARTITION" "$OPTION"
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
crit "$PARTITION has no option $OPTION in fstab!"
|
||||
FNRET=1
|
||||
else
|
||||
ok "$PARTITION has $OPTION in fstab"
|
||||
has_mounted_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
has_mounted_option "$PARTITION" "$OPTION"
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||
FNRET=3
|
||||
else
|
||||
@ -47,18 +50,18 @@ audit () {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
if [ $FNRET = 0 ]; then
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
elif [ "$FNRET" = 2 ]; then
|
||||
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
elif [ "$FNRET" = 1 ]; then
|
||||
info "Adding $OPTION to fstab"
|
||||
add_option_to_fstab $PARTITION $OPTION
|
||||
add_option_to_fstab "$PARTITION" "$OPTION"
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
elif [ $FNRET = 3 ]; then
|
||||
remount_partition "$PARTITION"
|
||||
elif [ "$FNRET" = 3 ]; then
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
remount_partition "$PARTITION"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -70,6 +73,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -79,8 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,17 +1,20 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.6.3 Set nosuid option for /var/tmp Partition (Scored)
|
||||
# 1.1.9 Ensure nosuid option set on /var/tmp partition (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="/var/tmp partition with nosuid option."
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
@ -23,19 +26,19 @@ audit () {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
crit "$PARTITION is not a partition"
|
||||
FNRET=2
|
||||
else
|
||||
ok "$PARTITION is a partition"
|
||||
has_mount_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
has_mount_option "$PARTITION" "$OPTION"
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
crit "$PARTITION has no option $OPTION in fstab!"
|
||||
FNRET=1
|
||||
else
|
||||
ok "$PARTITION has $OPTION in fstab"
|
||||
has_mounted_option $PARTITION $OPTION
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
has_mounted_option "$PARTITION" "$OPTION"
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||
FNRET=3
|
||||
else
|
||||
@ -47,18 +50,18 @@ audit () {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
if [ $FNRET = 0 ]; then
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
elif [ "$FNRET" = 2 ]; then
|
||||
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
elif [ "$FNRET" = 1 ]; then
|
||||
info "Adding $OPTION to fstab"
|
||||
add_option_to_fstab $PARTITION $OPTION
|
||||
add_option_to_fstab "$PARTITION" "$OPTION"
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
elif [ $FNRET = 3 ]; then
|
||||
remount_partition "$PARTITION"
|
||||
elif [ "$FNRET" = 3 ]; then
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition $PARTITION
|
||||
remount_partition "$PARTITION"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -70,6 +73,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -79,8 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
66
bin/hardening/1.3.1_install_sudo.sh
Executable file
66
bin/hardening/1.3.1_install_sudo.sh
Executable file
@ -0,0 +1,66 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 1.3.1 Ensure sudo is installed (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Install sudo to permit users to execute command as superuser or as another user."
|
||||
|
||||
PACKAGE='sudo'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is not installed!"
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PACKAGE is installed"
|
||||
else
|
||||
crit "$PACKAGE is absent, installing it"
|
||||
apt_install "$PACKAGE"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
80
bin/hardening/1.3.2_pty_sudo.sh
Executable file
80
bin/hardening/1.3.2_pty_sudo.sh
Executable file
@ -0,0 +1,80 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 1.3.2 Ensure sudo commands use pty (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Ensure sudo can only be run from a pseudo pty."
|
||||
|
||||
PATTERN='^\s*Defaults\s+([^#]+,\s*)?use_pty(,\s+\S+\s*)*(\s+#.*)?$'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
FOUND=0
|
||||
for f in /etc/{sudoers,sudoers.d/*}; do
|
||||
does_pattern_exist_in_file_nocase "$f" "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
FOUND=1
|
||||
fi
|
||||
done
|
||||
|
||||
if [[ "$FOUND" = 1 ]]; then
|
||||
ok "Defaults use_pty found in sudoers file"
|
||||
else
|
||||
crit "Defaults use_pty not found in sudoers files"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
FOUND=0
|
||||
for f in /etc/{sudoers,sudoers.d/*}; do
|
||||
does_pattern_exist_in_file_nocase "$f" "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
FOUND=1
|
||||
fi
|
||||
done
|
||||
|
||||
if [[ "$FOUND" = 1 ]]; then
|
||||
ok "Defaults use_pty found in sudoers file"
|
||||
else
|
||||
warn "Defaults use_pty not found in sudoers files, fixing"
|
||||
add_line_file_before_pattern /etc/sudoers "Defaults use_pty" "# Host alias specification"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
80
bin/hardening/1.3.3_logfile_sudo.sh
Executable file
80
bin/hardening/1.3.3_logfile_sudo.sh
Executable file
@ -0,0 +1,80 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 1.3.3 Ensure sudo log file exists (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Ensure sudo log files exists."
|
||||
|
||||
PATTERN="^\s*Defaults\s+logfile=\S+"
|
||||
LOGFILE="/var/log/sudo.log"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
FOUND=0
|
||||
for f in /etc/{sudoers,sudoers.d/*}; do
|
||||
does_pattern_exist_in_file_nocase "$f" "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
FOUND=1
|
||||
fi
|
||||
done
|
||||
|
||||
if [[ "$FOUND" = 1 ]]; then
|
||||
ok "Defaults log file found in sudoers file"
|
||||
else
|
||||
crit "Defaults log file not found in sudoers files"
|
||||
fi
|
||||
}
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
FOUND=0
|
||||
for f in /etc/{sudoers,sudoers.d/*}; do
|
||||
does_pattern_exist_in_file_nocase "$f" "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
FOUND=1
|
||||
fi
|
||||
done
|
||||
|
||||
if [[ "$FOUND" = 1 ]]; then
|
||||
ok "Defaults log file found in sudoers file"
|
||||
else
|
||||
warn "Defaults log file not found in sudoers files, fixing"
|
||||
add_line_file_before_pattern /etc/sudoers "Defaults logfile=\"$LOGFILE\"" "# Host alias specification"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
@ -1,26 +1,30 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 8.3.1 Install tripwire package (Scored)
|
||||
# 1.4.1 Ensure tripwire is installed (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=4
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Ensure tripwire package is installed."
|
||||
|
||||
# NB : in CIS, AIDE has been chosen, however we chose tripwire
|
||||
# Note : in CIS, AIDE has been chosen, however we chose tripwire
|
||||
|
||||
PACKAGE='tripwire'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET != 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is not installed!"
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
@ -29,12 +33,12 @@ audit () {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PACKAGE is installed"
|
||||
else
|
||||
crit "$PACKAGE is absent, installing it"
|
||||
apt_install $PACKAGE
|
||||
apt_install "$PACKAGE"
|
||||
info "Tripwire is now installed but not fully functionnal, please see readme to go further"
|
||||
fi
|
||||
}
|
||||
@ -46,6 +50,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -55,8 +60,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -6,7 +6,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 8.3.2 Implement Periodic Execution of File Integrity (Scored)
|
||||
# 1.4.2 Ensure filesysteme integrity is regularly checked (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
@ -17,6 +17,8 @@ HARDENING_LEVEL=4
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Implemet periodic execution of file integrity."
|
||||
|
||||
# Note : in CIS, AIDE has been chosen, however we chose tripwire
|
||||
|
||||
FILES="/etc/crontab"
|
||||
DIRECTORY="/etc/cron.d"
|
||||
PATTERN='tripwire --check'
|
||||
@ -63,6 +65,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -73,7 +76,7 @@ fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=/opt/debian-cis/lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
@ -1,17 +1,20 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 3.1 Set User/Group Owner on bootloader config (Scored)
|
||||
# 1.5.1 Ensure permissions on bootloader config are configured (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=1
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="User and group root owner of grub bootloader config."
|
||||
|
||||
# Assertion : Grub Based.
|
||||
@ -19,25 +22,41 @@ DESCRIPTION="User and group root owner of grub bootloader config."
|
||||
FILE='/boot/grub/grub.cfg'
|
||||
USER='root'
|
||||
GROUP='root'
|
||||
PERMISSIONS='400'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
has_file_correct_ownership $FILE $USER $GROUP
|
||||
if [ $FNRET = 0 ]; then
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||
fi
|
||||
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
has_file_correct_ownership $FILE $USER $GROUP
|
||||
if [ $FNRET = 0 ]; then
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
info "fixing $FILE ownership to $USER:$GROUP"
|
||||
chown $USER:$GROUP $FILE
|
||||
chown "$USER":"$GROUP" "$FILE"
|
||||
fi
|
||||
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0"$PERMISSIONS" "$FILE"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -45,22 +64,22 @@ apply () {
|
||||
check_config() {
|
||||
|
||||
is_pkg_installed "grub-pc"
|
||||
if [ $FNRET != 0 ]; then
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "Grub is not installed, not handling configuration"
|
||||
exit 128
|
||||
fi
|
||||
does_user_exist $USER
|
||||
if [ $FNRET != 0 ]; then
|
||||
does_user_exist "$USER"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$USER does not exist"
|
||||
exit 128
|
||||
fi
|
||||
does_group_exist $GROUP
|
||||
if [ $FNRET != 0 ]; then
|
||||
does_group_exist "$GROUP"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$GROUP does not exist"
|
||||
exit 128
|
||||
fi
|
||||
does_file_exist $FILE
|
||||
if [ $FNRET != 0 ]; then
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
exit 128
|
||||
fi
|
||||
@ -68,6 +87,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -77,8 +97,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,17 +1,20 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 3.3 Set Boot Loader Password (Scored)
|
||||
# 1.5.2 Ensure bootloader password is set (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Setting bootloader password to secure boot parameters."
|
||||
|
||||
FILE='/boot/grub/grub.cfg'
|
||||
@ -20,14 +23,14 @@ PWD_PATTERN="^password_pbkdf2"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
does_pattern_exist_in_file $FILE "$USER_PATTERN"
|
||||
if [ $FNRET != 0 ]; then
|
||||
does_pattern_exist_in_file "$FILE" "$USER_PATTERN"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$USER_PATTERN not present in $FILE"
|
||||
else
|
||||
ok "$USER_PATTERN is present in $FILE"
|
||||
fi
|
||||
does_pattern_exist_in_file $FILE "$PWD_PATTERN"
|
||||
if [ $FNRET != 0 ]; then
|
||||
does_pattern_exist_in_file "$FILE" "$PWD_PATTERN"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PWD_PATTERN not present in $FILE"
|
||||
else
|
||||
ok "$PWD_PATTERN is present in $FILE"
|
||||
@ -36,14 +39,14 @@ audit () {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
does_pattern_exist_in_file $FILE "$USER_PATTERN"
|
||||
if [ $FNRET != 0 ]; then
|
||||
does_pattern_exist_in_file "$FILE" "$USER_PATTERN"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$USER_PATTERN not present in $FILE, please configure password for grub"
|
||||
else
|
||||
ok "$USER_PATTERN is present in $FILE"
|
||||
fi
|
||||
does_pattern_exist_in_file $FILE "$PWD_PATTERN"
|
||||
if [ $FNRET != 0 ]; then
|
||||
does_pattern_exist_in_file "$FILE" "$PWD_PATTERN"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$PWD_PATTERN not present in $FILE, please configure password for grub"
|
||||
else
|
||||
ok "$PWD_PATTERN is present in $FILE"
|
||||
@ -54,11 +57,11 @@ apply () {
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
is_pkg_installed "grub-pc"
|
||||
if [ $FNRET != 0 ]; then
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "grub-pc is not installed, not handling configuration"
|
||||
exit 128
|
||||
fi
|
||||
if [ $FNRET != 0 ]; then
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
exit 128
|
||||
fi
|
||||
@ -66,6 +69,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -75,8 +79,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,17 +1,20 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 3.4 Require Authentication for Single-User Mode (Scored)
|
||||
# 1.5.3 Ensure authentication required for single user mode (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Root password for single user mode."
|
||||
|
||||
FILE="/etc/shadow"
|
||||
@ -19,8 +22,8 @@ PATTERN="^root:[*\!]:"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
does_pattern_exist_in_file $FILE $PATTERN
|
||||
if [ $FNRET != 1 ]; then
|
||||
does_pattern_exist_in_file "$FILE" "$PATTERN"
|
||||
if [ "$FNRET" != 1 ]; then
|
||||
crit "$PATTERN is present in $FILE"
|
||||
else
|
||||
ok "$PATTERN is not present in $FILE"
|
||||
@ -29,8 +32,8 @@ audit () {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
does_pattern_exist_in_file $FILE $PATTERN
|
||||
if [ $FNRET != 1 ]; then
|
||||
does_pattern_exist_in_file "$FILE" "$PATTERN"
|
||||
if [ "$FNRET" != 1 ]; then
|
||||
warn "$PATTERN is present in $FILE, please put a root password"
|
||||
else
|
||||
ok "$PATTERN is not present in $FILE"
|
||||
@ -45,6 +48,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -54,8 +58,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,17 +1,20 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 4.2 Enable XD/NX Support on 32-bit x86 Systems (Not Scored)
|
||||
# 1.6.1 Ensure XD/NX support is enabled (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Enable NoExecute/ExecuteDisable to prevent buffer overflow attacks."
|
||||
|
||||
PATTERN='NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:space:]]active'
|
||||
@ -32,10 +35,10 @@ nx_supported_and_enabled() {
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
does_pattern_exist_in_dmesg $PATTERN
|
||||
if [ $FNRET != 0 ]; then
|
||||
does_pattern_exist_in_dmesg "$PATTERN"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
nx_supported_and_enabled
|
||||
if [ $FNRET != 0 ]; then
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
|
||||
else
|
||||
ok "NX is supported and enabled"
|
||||
@ -47,10 +50,10 @@ audit () {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
does_pattern_exist_in_dmesg $PATTERN
|
||||
if [ $FNRET != 0 ]; then
|
||||
does_pattern_exist_in_dmesg "$PATTERN"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
nx_supported_and_enabled
|
||||
if [ $FNRET != 0 ]; then
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
|
||||
else
|
||||
ok "NX is supported and enabled"
|
||||
@ -67,6 +70,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -76,8 +80,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,17 +1,20 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 4.3 Enable Randomized Virtual Memory Region Placement (Scored)
|
||||
# 1.6.2 Ensure address space layout randomization (ASLR) is enabled (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Enable Randomized Virtual Memory Region Placement to prevent memory page exploits."
|
||||
|
||||
SYSCTL_PARAM='kernel.randomize_va_space'
|
||||
@ -19,10 +22,10 @@ SYSCTL_EXP_RESULT=2
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
if [ $FNRET != 0 ]; then
|
||||
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
|
||||
elif [ $FNRET = 255 ]; then
|
||||
elif [ "$FNRET" = 255 ]; then
|
||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||
else
|
||||
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
||||
@ -31,11 +34,11 @@ audit () {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
if [ $FNRET != 0 ]; then
|
||||
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
||||
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
elif [ $FNRET = 255 ]; then
|
||||
set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
|
||||
elif [ "$FNRET" = 255 ]; then
|
||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||
else
|
||||
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
||||
@ -49,6 +52,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -58,8 +62,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,25 +1,28 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 4.4 Disable Prelink (Scored)
|
||||
# 1.6.3 Ensure prelink is disabled (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Disable prelink to prevent libraries compromission."
|
||||
|
||||
PACKAGE='prelink'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed!"
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
@ -29,11 +32,11 @@ audit () {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed, purging it"
|
||||
/usr/sbin/prelink -ua
|
||||
apt-get purge $PACKAGE -y
|
||||
apt-get purge "$PACKAGE" -y
|
||||
apt-get autoremove
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
@ -48,6 +51,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -57,8 +61,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,17 +1,20 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 4.1 Restrict Core Dumps (Scored)
|
||||
# 1.6.4 Ensure core dumps are restricted (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Restrict core dumps."
|
||||
|
||||
LIMIT_FILE='/etc/security/limits.conf'
|
||||
@ -24,15 +27,15 @@ SYSCTL_EXP_RESULT=0
|
||||
audit() {
|
||||
SEARCH_RES=0
|
||||
LIMIT_FILES=""
|
||||
if $SUDO_CMD [ -d $LIMIT_DIR ]; then
|
||||
for file in $($SUDO_CMD ls $LIMIT_DIR/*.conf 2>/dev/null); do
|
||||
if $SUDO_CMD [ -d "$LIMIT_DIR" ]; then
|
||||
for file in $($SUDO_CMD ls "$LIMIT_DIR"/*.conf 2>/dev/null); do
|
||||
LIMIT_FILES="$LIMIT_FILES $LIMIT_DIR/$file"
|
||||
done
|
||||
fi
|
||||
debug "Files to search $LIMIT_FILE $LIMIT_FILES"
|
||||
for file in $LIMIT_FILE $LIMIT_FILES; do
|
||||
does_pattern_exist_in_file $file $LIMIT_PATTERN
|
||||
if [ $FNRET != 0 ]; then
|
||||
does_pattern_exist_in_file "$file" "$LIMIT_PATTERN"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
debug "$LIMIT_PATTERN not present in $file"
|
||||
else
|
||||
ok "$LIMIT_PATTERN present in $file"
|
||||
@ -40,13 +43,13 @@ audit () {
|
||||
break
|
||||
fi
|
||||
done
|
||||
if [ $SEARCH_RES = 0 ]; then
|
||||
if [ "$SEARCH_RES" = 0 ]; then
|
||||
crit "$LIMIT_PATTERN is not present in $LIMIT_FILE $LIMIT_FILES"
|
||||
fi
|
||||
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
|
||||
if [ $FNRET != 0 ]; then
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
|
||||
elif [ $FNRET = 255 ]; then
|
||||
elif [ "$FNRET" = 255 ]; then
|
||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||
else
|
||||
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
||||
@ -55,18 +58,18 @@ audit () {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN
|
||||
if [ $FNRET != 0 ]; then
|
||||
does_pattern_exist_in_file "$LIMIT_FILE" "$LIMIT_PATTERN"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$LIMIT_PATTERN not present in $LIMIT_FILE, adding at the end of $LIMIT_FILE"
|
||||
add_end_of_file $LIMIT_FILE "* hard core 0"
|
||||
else
|
||||
ok "$LIMIT_PATTERN present in $LIMIT_FILE"
|
||||
fi
|
||||
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
|
||||
if [ $FNRET != 0 ]; then
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
||||
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
elif [ $FNRET = 255 ]; then
|
||||
set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
|
||||
elif [ "$FNRET" = 255 ]; then
|
||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||
else
|
||||
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
||||
@ -81,6 +84,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -90,8 +94,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
70
bin/hardening/1.7.1.1_install_apparmor.sh
Executable file
70
bin/hardening/1.7.1.1_install_apparmor.sh
Executable file
@ -0,0 +1,70 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 1.7.1.1 Ensure AppArmor is installed (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Install AppArmor."
|
||||
|
||||
PACKAGES='apparmor apparmor-utils'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is absent!"
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PACKAGE is installed"
|
||||
else
|
||||
crit "$PACKAGE is absent, installing it"
|
||||
apt_install "$PACKAGE"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
111
bin/hardening/1.7.1.2_enable_apparmor.sh
Executable file
111
bin/hardening/1.7.1.2_enable_apparmor.sh
Executable file
@ -0,0 +1,111 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 1.7.2.2 Ensure AppArmor is enabled in the bootloader configuration (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Activate AppArmor to enforce permissions control."
|
||||
|
||||
PACKAGES='apparmor apparmor-utils'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is absent!"
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
fi
|
||||
done
|
||||
|
||||
ERROR=0
|
||||
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
|
||||
|
||||
# define custom IFS and save default one
|
||||
d_IFS=$IFS
|
||||
c_IFS=$'\n'
|
||||
IFS=$c_IFS
|
||||
for line in $RESULT; do
|
||||
if [[ ! "$line" =~ "apparmor=1" ]] || [[ ! "$line" =~ "security=apparmor" ]]; then
|
||||
crit "$line is not configured"
|
||||
ERROR=1
|
||||
fi
|
||||
done
|
||||
IFS=$d_IFS
|
||||
if [ "$ERROR" = 0 ]; then
|
||||
ok "$PACKAGES are configured"
|
||||
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PACKAGE is installed"
|
||||
else
|
||||
crit "$PACKAGE is absent, installing it"
|
||||
apt_install "$PACKAGE"
|
||||
fi
|
||||
done
|
||||
|
||||
ERROR=0
|
||||
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
|
||||
|
||||
# define custom IFS and save default one
|
||||
d_IFS=$IFS
|
||||
c_IFS=$'\n'
|
||||
IFS=$c_IFS
|
||||
for line in $RESULT; do
|
||||
if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
|
||||
crit "$line is not configured"
|
||||
ERROR=1
|
||||
fi
|
||||
done
|
||||
IFS=$d_IFS
|
||||
|
||||
if [ $ERROR = 1 ]; then
|
||||
$SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor/" /etc/default/grub
|
||||
$SUDO_CMD update-grub
|
||||
else
|
||||
ok "$PACKAGES are configured"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
87
bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
Executable file
87
bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
Executable file
@ -0,0 +1,87 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 1.7.1.3 Ensure all AppArmor profiles are in enforce or complain mode (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Enforce or complain AppArmor profiles."
|
||||
|
||||
PACKAGES='apparmor apparmor-utils'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is absent!"
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
fi
|
||||
done
|
||||
|
||||
RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
|
||||
|
||||
if [ -n "$RESULT_UNCONFINED" ]; then
|
||||
ok "No profiles are unconfined"
|
||||
|
||||
else
|
||||
crit "Some processes are unconfined while they have defined profile"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGES is absent!"
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
fi
|
||||
done
|
||||
|
||||
RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined")
|
||||
|
||||
if [ -n "$RESULT_UNCONFINED" ]; then
|
||||
ok "No profiles are unconfined"
|
||||
else
|
||||
warn "Some processes are unconfined while they have defined profile, setting profiles to complain mode"
|
||||
aa-complain /etc/apparmor.d/*
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
101
bin/hardening/1.7.1.4_enforcing_apparmor.sh
Executable file
101
bin/hardening/1.7.1.4_enforcing_apparmor.sh
Executable file
@ -0,0 +1,101 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 1.7.1.4 Ensure all AppArmor profiles are enforcing (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Enforce Apparmor profiles."
|
||||
|
||||
PACKAGES='apparmor apparmor-utils'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is absent!"
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
fi
|
||||
done
|
||||
|
||||
RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
|
||||
RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode.")
|
||||
|
||||
if [ -n "$RESULT_UNCONFINED" ]; then
|
||||
ok "No profiles are unconfined"
|
||||
else
|
||||
crit "Some processes are unconfined while they have defined profile"
|
||||
fi
|
||||
|
||||
if [ -n "$RESULT_COMPLAIN" ]; then
|
||||
ok "No profiles are in complain mode"
|
||||
else
|
||||
crit "Some processes are in complain mode"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is absent!"
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
fi
|
||||
done
|
||||
|
||||
RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined")
|
||||
RESULT_COMPLAIN=$(apparmor_status | grep "^0 profiles are in complain mode.")
|
||||
|
||||
if [ -n "$RESULT_UNCONFINED" ]; then
|
||||
ok "No profiles are unconfined"
|
||||
else
|
||||
warn "Some processes are unconfined while they have defined profile, setting profiles to enforce mode"
|
||||
aa-enforce /etc/apparmor.d/*
|
||||
fi
|
||||
|
||||
if [ -n "$RESULT_COMPLAIN" ]; then
|
||||
ok "No profiles are in complain mode"
|
||||
else
|
||||
warn "Some processes are in complain mode, setting profiles to enforce mode"
|
||||
aa-enforce /etc/apparmor.d/*
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
67
bin/hardening/1.8.1.1_remove_os_info_motd.sh
Executable file
67
bin/hardening/1.8.1.1_remove_os_info_motd.sh
Executable file
@ -0,0 +1,67 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 1.8.1.1 Ensure message of the day is configured properly (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Remove OS information from motd"
|
||||
|
||||
FILE='/etc/motd'
|
||||
PATTERN='(\\v|\\r|\\m|\\s)'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
does_pattern_exist_in_file "$FILE" "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PATTERN is present in $FILE"
|
||||
else
|
||||
ok "$PATTERN is not present in $FILE"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
does_pattern_exist_in_file "$FILE" "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
warn "$PATTERN is present in $FILE"
|
||||
delete_line_in_file "$FILE" "$PATTERN"
|
||||
else
|
||||
ok "$PATTERN is not present in $FILE"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
67
bin/hardening/1.8.1.2_remove_os_info_issue.sh
Executable file
67
bin/hardening/1.8.1.2_remove_os_info_issue.sh
Executable file
@ -0,0 +1,67 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 1.8.1.2 Ensure local login warning banner is configured properly (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Remove OS information from Login Warning Banners."
|
||||
|
||||
FILE='/etc/issue'
|
||||
PATTERN='(\\v|\\r|\\m|\\s)'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
does_pattern_exist_in_file "$FILE" "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PATTERN is present in $FILE"
|
||||
else
|
||||
ok "$PATTERN is not present in $FILE"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
warn "$PATTERN is present in $FILE"
|
||||
delete_line_in_file "$FILE" "$PATTERN"
|
||||
else
|
||||
ok "$PATTERN is not present in $FILE"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
67
bin/hardening/1.8.1.3_remove_os_info_issue_net.sh
Executable file
67
bin/hardening/1.8.1.3_remove_os_info_issue_net.sh
Executable file
@ -0,0 +1,67 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 1.8.1.3 Ensure remote login warning banner is configured properly (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Remove OS information from remote Login Warning Banners."
|
||||
|
||||
FILE='/etc/issue.net'
|
||||
PATTERN='(\\v|\\r|\\m|\\s)'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
does_pattern_exist_in_file "$FILE" "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PATTERN is present in $FILE"
|
||||
else
|
||||
ok "$PATTERN is not present in $FILE"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
does_pattern_exist_in_file "$FILE" "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
warn "$PATTERN is present in $FILE"
|
||||
delete_line_in_file "$FILE" "$PATTERN"
|
||||
else
|
||||
ok "$PATTERN is not present in $FILE"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
92
bin/hardening/1.8.1.4_motd_perms.sh
Executable file
92
bin/hardening/1.8.1.4_motd_perms.sh
Executable file
@ -0,0 +1,92 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 1.8.1.4 Ensure permissions on /etc/motd are configured (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Checking root ownership and 644 permissions on banner files: /etc/motd|issue|issue.net ."
|
||||
|
||||
PERMISSIONS='644'
|
||||
USER='root'
|
||||
GROUP='root'
|
||||
FILE='/etc/motd'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
else
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||
fi
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
info "$FILE does not exist"
|
||||
touch "$FILE"
|
||||
fi
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
warn "fixing $FILE ownership to $USER:$GROUP"
|
||||
chown "$USER":"$GROUP" "$FILE"
|
||||
fi
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0"$PERMISSIONS" "$FILE"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
92
bin/hardening/1.8.1.5_etc_issue_perms.sh
Executable file
92
bin/hardening/1.8.1.5_etc_issue_perms.sh
Executable file
@ -0,0 +1,92 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 1.8.1.5 Ensure permissions on /etc/issue are configured (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Checking root ownership and 644 permissions on banner files: /etc/motd|issue|issue.net ."
|
||||
|
||||
PERMISSIONS='644'
|
||||
USER='root'
|
||||
GROUP='root'
|
||||
FILE='/etc/issue'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
else
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||
fi
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
info "$FILE does not exist"
|
||||
touch "$FILE"
|
||||
fi
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
warn "fixing $FILE ownership to $USER:$GROUP"
|
||||
chown "$USER":"$GROUP" "$FILE"
|
||||
fi
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0"$PERMISSIONS" "$FILE"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
92
bin/hardening/1.8.1.6_etc_issue_net_perms.sh
Executable file
92
bin/hardening/1.8.1.6_etc_issue_net_perms.sh
Executable file
@ -0,0 +1,92 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 1.8.1.6 Ensure permissions on /etc/issue.net are configured (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Checking root ownership and 644 permissions on banner files: /etc/motd|issue|issue.net ."
|
||||
|
||||
PERMISSIONS='644'
|
||||
USER='root'
|
||||
GROUP='root'
|
||||
FILE='/etc/issue.net'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
else
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||
fi
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
info "$FILE does not exist"
|
||||
touch "$FILE"
|
||||
fi
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
warn "fixing $FILE ownership to $USER:$GROUP"
|
||||
chown "$USER":"$GROUP" "$FILE"
|
||||
fi
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0"$PERMISSIONS" "$FILE"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
@ -1,17 +1,20 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 11.3 Set Graphical Warning Banner (Not Scored)
|
||||
# 1.8.2 Ensure GDM login banner is configured (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Set graphical warning banner."
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
@ -31,6 +34,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -40,8 +44,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,18 +1,21 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 1.1 Install Updates, Patches and Additional Security Software (Not Scored)
|
||||
# 1.9 Ensure updates, patches and additional security software are installed (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
DESCRIPTION="Install updates, patches and additional secutiry software."
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Ensure updates, patches, and additional security software are installed (Not Scored)"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
@ -20,7 +23,7 @@ audit () {
|
||||
apt_update_if_needed
|
||||
info "Fetching upgrades ..."
|
||||
apt_check_updates "CIS_APT"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
crit "$RESULT"
|
||||
FNRET=1
|
||||
else
|
||||
@ -31,7 +34,7 @@ audit () {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
info "Applying Upgrades..."
|
||||
DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y
|
||||
else
|
||||
@ -47,6 +50,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -56,8 +60,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,92 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 10.1.1 Set Password Expiration Days (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=3
|
||||
DESCRIPTION="Set password expiration days."
|
||||
|
||||
PACKAGE='login'
|
||||
OPTIONS='PASS_MAX_DAYS=90'
|
||||
FILE='/etc/login.defs'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$PACKAGE is not installed!"
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
for SSH_OPTION in $OPTIONS; do
|
||||
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
|
||||
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
|
||||
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
|
||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PATTERN is present in $FILE"
|
||||
else
|
||||
crit "$PATTERN is not present in $FILE"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PACKAGE is installed"
|
||||
else
|
||||
crit "$PACKAGE is absent, installing it"
|
||||
apt_install $PACKAGE
|
||||
fi
|
||||
for SSH_OPTION in $OPTIONS; do
|
||||
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
|
||||
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
|
||||
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
|
||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PATTERN is present in $FILE"
|
||||
else
|
||||
warn "$PATTERN is not present in $FILE, adding it"
|
||||
does_pattern_exist_in_file $FILE "^$SSH_PARAM"
|
||||
if [ $FNRET != 0 ]; then
|
||||
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
|
||||
else
|
||||
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
|
||||
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
@ -1,92 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 10.1.2 Set Password Change Minimum Number of Days (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=3
|
||||
DESCRIPTION="Set password change minimum number of days."
|
||||
|
||||
PACKAGE='login'
|
||||
OPTIONS='PASS_MIN_DAYS=7'
|
||||
FILE='/etc/login.defs'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$PACKAGE is not installed!"
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
for SSH_OPTION in $OPTIONS; do
|
||||
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
|
||||
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
|
||||
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
|
||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PATTERN is present in $FILE"
|
||||
else
|
||||
crit "$PATTERN is not present in $FILE"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PACKAGE is installed"
|
||||
else
|
||||
crit "$PACKAGE is absent, installing it"
|
||||
apt_install $PACKAGE
|
||||
fi
|
||||
for SSH_OPTION in $OPTIONS; do
|
||||
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
|
||||
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
|
||||
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
|
||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PATTERN is present in $FILE"
|
||||
else
|
||||
warn "$PATTERN is not present in $FILE, adding it"
|
||||
does_pattern_exist_in_file $FILE "^$SSH_PARAM"
|
||||
if [ $FNRET != 0 ]; then
|
||||
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
|
||||
else
|
||||
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
|
||||
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
@ -1,92 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 10.1.3 Set Password Expiring Warning Days (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=3
|
||||
DESCRIPTION="Set password expiration warning days."
|
||||
|
||||
PACKAGE='login'
|
||||
OPTIONS='PASS_WARN_AGE=7'
|
||||
FILE='/etc/login.defs'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$PACKAGE is not installed!"
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
for SSH_OPTION in $OPTIONS; do
|
||||
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
|
||||
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
|
||||
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
|
||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PATTERN is present in $FILE"
|
||||
else
|
||||
crit "$PATTERN is not present in $FILE"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PACKAGE is installed"
|
||||
else
|
||||
crit "$PACKAGE is absent, installing it"
|
||||
apt_install $PACKAGE
|
||||
fi
|
||||
for SSH_OPTION in $OPTIONS; do
|
||||
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
|
||||
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
|
||||
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
|
||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PATTERN is present in $FILE"
|
||||
else
|
||||
warn "$PATTERN is not present in $FILE, adding it"
|
||||
does_pattern_exist_in_file $FILE "^$SSH_PARAM"
|
||||
if [ $FNRET != 0 ]; then
|
||||
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
|
||||
else
|
||||
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
|
||||
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
@ -1,91 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 11.1 Set Warning Banner for Standard Login Services (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=3
|
||||
DESCRIPTION="Checking root ownership and 644 permissions on banner files : /etc/motd|issue|issue.net ."
|
||||
|
||||
PERMISSIONS='644'
|
||||
USER='root'
|
||||
GROUP='root'
|
||||
FILES='/etc/motd /etc/issue /etc/issue.net'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
for FILE in $FILES; do
|
||||
does_file_exist $FILE
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
continue
|
||||
fi
|
||||
has_file_correct_ownership $FILE $USER $GROUP
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||
fi
|
||||
has_file_correct_permissions $FILE $PERMISSIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
for FILE in $FILES; do
|
||||
does_file_exist $FILE
|
||||
if [ $FNRET != 0 ]; then
|
||||
info "$FILE does not exist"
|
||||
touch $FILE
|
||||
fi
|
||||
has_file_correct_ownership $FILE $USER $GROUP
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
warn "fixing $FILE ownership to $USER:$GROUP"
|
||||
chown $USER:$GROUP $FILE
|
||||
fi
|
||||
has_file_correct_permissions $FILE $PERMISSIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0$PERMISSIONS $FILE
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
@ -1,66 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 11.2 Remove OS Information from Login Warning Banners (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=3
|
||||
DESCRIPTION="Remove OS information from Login Warning Banners."
|
||||
|
||||
FILES='/etc/motd /etc/issue /etc/issue.net'
|
||||
PATTERN='(\\v|\\r|\\m|\\s)'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
for FILE in $FILES; do
|
||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PATTERN is present in $FILE"
|
||||
else
|
||||
ok "$PATTERN is not present in $FILE"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
for FILE in $FILES; do
|
||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||
if [ $FNRET = 0 ]; then
|
||||
warn "$PATTERN is present in $FILE"
|
||||
delete_line_in_file $FILE $PATTERN
|
||||
else
|
||||
ok "$PATTERN is not present in $FILE"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
@ -1,62 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 12.1 Verify Permissions on /etc/passwd (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=1
|
||||
DESCRIPTION="Check permissions on /etc/passwd to 644."
|
||||
|
||||
FILE='/etc/passwd'
|
||||
PERMISSIONS='644'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
has_file_correct_permissions $FILE $PERMISSIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
has_file_correct_permissions $FILE $PERMISSIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0$PERMISSIONS $FILE
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
@ -1,62 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 12.2 Verify Permissions on /etc/shadow (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=1
|
||||
DESCRIPTION="Check permissions on /etc/shadow to 640."
|
||||
|
||||
FILE='/etc/shadow'
|
||||
PERMISSIONS='640'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
has_file_correct_permissions $FILE $PERMISSIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
has_file_correct_permissions $FILE $PERMISSIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0$PERMISSIONS $FILE
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
@ -1,62 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 12.3 Verify Permissions on /etc/group (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=1
|
||||
DESCRIPTION="Check permissions on /etc/group to 644."
|
||||
|
||||
FILE='/etc/group'
|
||||
PERMISSIONS='644'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
has_file_correct_permissions $FILE $PERMISSIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
has_file_correct_permissions $FILE $PERMISSIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0$PERMISSIONS $FILE
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
@ -1,77 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 12.4 Verify User/Group Ownership on /etc/passwd (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=1
|
||||
DESCRIPTION="Check user/group to root on /etc/passwd."
|
||||
|
||||
FILE='/etc/passwd'
|
||||
USER='root'
|
||||
GROUP='root'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
has_file_correct_ownership $FILE $USER $GROUP
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
has_file_correct_ownership $FILE $USER $GROUP
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
info "fixing $FILE ownership to $USER:$GROUP"
|
||||
chown $USER:$GROUP $FILE
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
does_user_exist $USER
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$USER does not exist"
|
||||
exit 128
|
||||
fi
|
||||
does_group_exist $GROUP
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$GROUP does not exist"
|
||||
exit 128
|
||||
fi
|
||||
does_file_exist $FILE
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
exit 128
|
||||
fi
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
@ -1,77 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 12.5 Verify User/Group Ownership on /etc/shadow (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=1
|
||||
DESCRIPTION="Check user/group to root on etc/shadow."
|
||||
|
||||
FILE='/etc/shadow'
|
||||
USER='root'
|
||||
GROUP='shadow'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
has_file_correct_ownership $FILE $USER $GROUP
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
has_file_correct_ownership $FILE $USER $GROUP
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
info "fixing $FILE ownership to $USER:$GROUP"
|
||||
chown $USER:$GROUP $FILE
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
does_user_exist $USER
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$USER does not exist"
|
||||
exit 128
|
||||
fi
|
||||
does_group_exist $GROUP
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$GROUP does not exist"
|
||||
exit 128
|
||||
fi
|
||||
does_file_exist $FILE
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
exit 128
|
||||
fi
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
@ -1,77 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 12.6 Verify User/Group Ownership on /etc/group (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=1
|
||||
DESCRIPTION="Check user/group to root on /etc/group."
|
||||
|
||||
FILE='/etc/group'
|
||||
USER='root'
|
||||
GROUP='root'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
has_file_correct_ownership $FILE $USER $GROUP
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
has_file_correct_ownership $FILE $USER $GROUP
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
info "fixing $FILE ownership to $USER:$GROUP"
|
||||
chown $USER:$GROUP $FILE
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
does_user_exist $USER
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$USER does not exist"
|
||||
exit 128
|
||||
fi
|
||||
does_group_exist $GROUP
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$GROUP does not exist"
|
||||
exit 128
|
||||
fi
|
||||
does_file_exist $FILE
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
exit 128
|
||||
fi
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
@ -1,66 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 12.8 Find Un-owned Files and Directories (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
DESCRIPTION="Find un-owned files and directories."
|
||||
|
||||
USER='root'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Checking if there are unowned files"
|
||||
FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
|
||||
RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nouser -print 2>/dev/null)
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
crit "Some unowned files are present"
|
||||
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
|
||||
crit "$FORMATTED_RESULT"
|
||||
else
|
||||
ok "No unowned files found"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
warn "Applying chown on all unowned files in the system"
|
||||
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER
|
||||
else
|
||||
ok "No unowned files found, nothing to apply"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
# No param for this function
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
@ -1,66 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 12.9 Find Un-grouped Files and Directories (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
DESCRIPTION="Find un-grouped files and directories."
|
||||
|
||||
GROUP='root'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Checking if there are ungrouped files"
|
||||
FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
|
||||
RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null)
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
crit "Some ungrouped files are present"
|
||||
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
|
||||
crit "$FORMATTED_RESULT"
|
||||
else
|
||||
ok "No ungrouped files found"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
warn "Applying chgrp on all ungrouped files in the system"
|
||||
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP
|
||||
else
|
||||
ok "No ungrouped files found, nothing to apply"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
# No param for this function
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
@ -1,83 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 13.8 Check User Dot File Permissions (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
DESCRIPTION="Check user dot file permissions."
|
||||
|
||||
ERRORS=0
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
|
||||
debug "Working on $DIR"
|
||||
for FILE in $DIR/.[A-Za-z0-9]*; do
|
||||
if [ ! -h "$FILE" -a -f "$FILE" ]; then
|
||||
FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")
|
||||
if [ $(echo $FILEPERM | cut -c6) != "-" ]; then
|
||||
crit "Group Write permission set on FILE $FILE"
|
||||
ERRORS=$((ERRORS+1))
|
||||
fi
|
||||
if [ $(echo $FILEPERM | cut -c9) != "-" ]; then
|
||||
crit "Other Write permission set on FILE $FILE"
|
||||
ERRORS=$((ERRORS+1))
|
||||
fi
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
if [ $ERRORS = 0 ]; then
|
||||
ok "Dot file permission in users directories are correct"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
|
||||
for FILE in $DIR/.[A-Za-z0-9]*; do
|
||||
if [ ! -h "$FILE" -a -f "$FILE" ]; then
|
||||
FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")
|
||||
if [ $(echo $FILEPERM | cut -c6) != "-" ]; then
|
||||
warn "Group Write permission set on FILE $FILE"
|
||||
chmod g-w $FILE
|
||||
fi
|
||||
if [ $(echo $FILEPERM | cut -c9) != "-" ]; then
|
||||
warn "Other Write permission set on FILE $FILE"
|
||||
chmod o-w $FILE
|
||||
fi
|
||||
fi
|
||||
done
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
@ -1,82 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 13.9 Check Permissions on User .netrc Files (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
DESCRIPTION="Check user permissions on .netrc file."
|
||||
|
||||
PERMISSIONS="600"
|
||||
ERRORS=0
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
|
||||
debug "Working on $DIR"
|
||||
for FILE in $DIR/.netrc; do
|
||||
if [ ! -h "$FILE" -a -f "$FILE" ]; then
|
||||
has_file_correct_permissions $FILE $PERMISSIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
ERRORS=$((ERRORS+1))
|
||||
fi
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
if [ $ERRORS = 0 ]; then
|
||||
ok "permission $PERMISSIONS set on .netrc users files"
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
|
||||
debug "Working on $DIR"
|
||||
for FILE in $DIR/.netrc; do
|
||||
if [ ! -h "$FILE" -a -f "$FILE" ]; then
|
||||
has_file_correct_permissions $FILE $PERMISSIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
warn "$FILE permissions were not set to $PERMISSIONS"
|
||||
chmod 600 $FILE
|
||||
fi
|
||||
fi
|
||||
done
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
67
bin/hardening/2.1.1_disable_xinetd.sh
Executable file
67
bin/hardening/2.1.1_disable_xinetd.sh
Executable file
@ -0,0 +1,67 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.1.1 Ensure xinetd is not enabled (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Ensure xinetd is not enabled."
|
||||
|
||||
PACKAGE='xinetd'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed"
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
warn "$PACKAGE is installed, purging"
|
||||
apt-get purge "$PACKAGE" -y
|
||||
apt-get autoremove
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
@ -1,26 +1,29 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 5.1.8 Ensure xinetd is not enabled (Scored)
|
||||
# 2.1.2 Ensure bsd-inetd is not enabled (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
DESCRIPTION="Ensure xinetd is not enabled."
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Ensure bsd-inetd is not enabled."
|
||||
|
||||
PACKAGES='openbsd-inetd xinetd rlinetd'
|
||||
PACKAGES='openbsd-inetd inetutils-inetd'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed"
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
@ -31,10 +34,10 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
warn "$PACKAGE is installed, purging"
|
||||
apt-get purge $PACKAGE -y
|
||||
apt-get purge "$PACKAGE" -y
|
||||
apt-get autoremove
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
@ -49,6 +52,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -58,8 +62,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
65
bin/hardening/2.2.1.1_use_time_sync.sh
Executable file
65
bin/hardening/2.2.1.1_use_time_sync.sh
Executable file
@ -0,0 +1,65 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.2.1.1 Ensure time synchronization is in use (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Ensure time synchronization is in use"
|
||||
|
||||
PACKAGES="ntp chrony"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
FOUND=false
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "Time synchronization is available through $PACKAGE"
|
||||
FOUND=true
|
||||
fi
|
||||
done
|
||||
if [ "$FOUND" = false ]; then
|
||||
crit "None of the following time sync packages are installed: $PACKAGES"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
:
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
60
bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh
Executable file
60
bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh
Executable file
@ -0,0 +1,60 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.2.1.2 Ensure systemd-timesyncd is configured (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=4
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Configure systemd-timesyncd."
|
||||
|
||||
SERVICE_NAME="systemd-timesyncd"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
is_service_enabled "$SERVICE_NAME"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$SERVICE_NAME is enabled"
|
||||
else
|
||||
crit "$SERVICE_NAME is disabled"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
:
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
70
bin/hardening/2.2.1.3_configure_chrony.sh
Executable file
70
bin/hardening/2.2.1.3_configure_chrony.sh
Executable file
@ -0,0 +1,70 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.2.1.3 Ensure chrony is configured (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters and ntp daemon runs ad unprivileged user."
|
||||
# shellcheck disable=2034
|
||||
HARDENING_EXCEPTION=ntp
|
||||
|
||||
PACKAGE=chrony
|
||||
CONF_DEFAULT_PATTERN='^(server|pool)'
|
||||
CONF_FILE='/etc/chrony/chrony.conf'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is not installed!"
|
||||
else
|
||||
ok "$PACKAGE is installed, checking configuration"
|
||||
does_pattern_exist_in_file "$CONF_FILE" "$CONF_DEFAULT_PATTERN"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE"
|
||||
else
|
||||
ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
:
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
101
bin/hardening/2.2.1.4_configure_ntp.sh
Executable file
101
bin/hardening/2.2.1.4_configure_ntp.sh
Executable file
@ -0,0 +1,101 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.2.1.2 Ensure ntp is configured (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters and ntp daemon runs ad unprivileged user."
|
||||
# shellcheck disable=2034
|
||||
HARDENING_EXCEPTION=ntp
|
||||
|
||||
PACKAGE='ntp'
|
||||
NTP_CONF_DEFAULT_PATTERN='^restrict -4 default (kod nomodify notrap nopeer noquery|ignore)'
|
||||
NTP_CONF_FILE='/etc/ntp.conf'
|
||||
NTP_INIT_PATTERN='RUNASUSER=ntp'
|
||||
NTP_INIT_FILE='/etc/init.d/ntp'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is not installed!"
|
||||
else
|
||||
ok "$PACKAGE is installed, checking configuration"
|
||||
does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
|
||||
else
|
||||
ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
|
||||
fi
|
||||
does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE"
|
||||
else
|
||||
ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PACKAGE is installed"
|
||||
else
|
||||
crit "$PACKAGE is absent, installing it"
|
||||
apt_install "$PACKAGE"
|
||||
info "Checking $PACKAGE configuration"
|
||||
fi
|
||||
does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE, adding it"
|
||||
backup_file "$NTP_CONF_FILE"
|
||||
add_end_of_file "$NTP_CONF_FILE" "restrict -4 default kod notrap nomodify nopeer noquery"
|
||||
else
|
||||
ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
|
||||
fi
|
||||
does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE, adding it"
|
||||
backup_file "$NTP_INIT_FILE"
|
||||
add_line_file_before_pattern "$NTP_INIT_FILE" "$NTP_INIT_PATTERN" "^UGID"
|
||||
else
|
||||
ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
@ -1,18 +1,22 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 6.10 Ensure HTTP Server is not enabled (Not Scored)
|
||||
# 2.2.10 Ensure HTTP Server is not enabled (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Ensure HTTP server is not enabled."
|
||||
# shellcheck disable=2034
|
||||
HARDENING_EXCEPTION=http
|
||||
|
||||
# Based on aptitude search '~Phttpd'
|
||||
@ -21,8 +25,8 @@ PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd'
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed!"
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
@ -33,11 +37,11 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed, purging it"
|
||||
apt-get purge $PACKAGE -y
|
||||
apt-get autoremove
|
||||
apt-get purge "$PACKAGE" -y
|
||||
apt-get autoremove -y
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
@ -51,6 +55,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -60,8 +65,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,18 +1,22 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 6.11 Ensure IMAP and POP server is not enabled (Not Scored)
|
||||
# 2.2.11 Ensure IMAP and POP server is not installed (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
DESCRIPTION="Ensure IMAP and POP servers are not enabled."
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Ensure IMAP and POP servers are not installed"
|
||||
# shellcheck disable=2034
|
||||
HARDENING_EXCEPTION=mail
|
||||
|
||||
# Based on aptitude search '~Pimap-server' and aptitude search '~Ppop3-server'
|
||||
@ -21,8 +25,8 @@ PACKAGES='citadel-server courier-imap cyrus-imapd-2.4 dovecot-imapd mailutils-im
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed!"
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
@ -33,11 +37,11 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed, purging it"
|
||||
apt-get purge $PACKAGE -y
|
||||
apt-get autoremove
|
||||
apt-get purge "$PACKAGE" -y
|
||||
apt-get autoremove -y
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
@ -51,6 +55,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -60,8 +65,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,46 +1,64 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 6.12 Ensure Samba is not enabled (Not Scored)
|
||||
# 2.2.12 Ensure Samba is not enabled (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Ensure Samba is not enabled."
|
||||
# shellcheck disable=2034
|
||||
HARDENING_EXCEPTION=samba
|
||||
|
||||
PACKAGES='samba'
|
||||
SERVICE='smbd'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed!"
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
done
|
||||
is_service_enabled "$SERVICE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "Service $SERVICE is enabled!"
|
||||
else
|
||||
ok "Service $SERVICE is disabled"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed, purging it"
|
||||
apt-get purge $PACKAGE -y
|
||||
apt-get autoremove
|
||||
apt-get purge "$PACKAGE" -y
|
||||
apt-get autoremove -y
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
done
|
||||
is_service_enabled "$SERVICE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "Service $SERVICE is enabled!"
|
||||
systemctl disable "$SERVICE"
|
||||
else
|
||||
ok "Service $SERVICE is disabled"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
@ -50,6 +68,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -59,8 +78,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,18 +1,22 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 6.13 Ensure HTTP Proxy Server is not enabled (Not Scored)
|
||||
# 2.2.13 Ensure HTTP Proxy Server is not enabled (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Ensure HTTP-proxy is not enabled."
|
||||
# shellcheck disable=2034
|
||||
HARDENING_EXCEPTION=http
|
||||
|
||||
PACKAGES='squid3 squid'
|
||||
@ -20,8 +24,8 @@ PACKAGES='squid3 squid'
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed!"
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
@ -32,10 +36,10 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed, purging it"
|
||||
apt-get purge $PACKAGE -y
|
||||
apt-get purge "$PACKAGE" -y
|
||||
apt-get autoremove
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
@ -50,6 +54,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -59,8 +64,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,18 +1,22 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 6.14 Ensure SNMP Server is not enabled (Not Scored)
|
||||
# 2.2.14 Ensure SNMP Server is not enabled (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Enure SNMP server is not enabled."
|
||||
# shellcheck disable=2034
|
||||
HARDENING_EXCEPTION=snmp
|
||||
|
||||
PACKAGES='snmpd'
|
||||
@ -20,8 +24,8 @@ PACKAGES='snmpd'
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed!"
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
@ -32,11 +36,11 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed, purging it"
|
||||
apt-get purge $PACKAGE -y
|
||||
apt-get autoremove
|
||||
apt-get purge "$PACKAGE" -y
|
||||
apt-get autoremove -y
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
@ -50,6 +54,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -59,8 +64,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,18 +1,22 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 6.15 Configure Mail Transfer Agent for Local-Only Mode (Scored)
|
||||
# 2.2.15 Ensure Mail Transfer Agent is configured for Local-Only Mode (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Configure Mail Transfert Agent for Local-Only Mode."
|
||||
# shellcheck disable=2034
|
||||
HARDENING_EXCEPTION=mail
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
@ -25,7 +29,7 @@ audit () {
|
||||
ok "Nothing listens on 25 port, probably unix socket configured"
|
||||
else
|
||||
info "Checking $RESULT"
|
||||
if $(grep -q "127.0.0.1" <<< $RESULT); then
|
||||
if grep -q "127.0.0.1" <<<"$RESULT"; then
|
||||
ok "MTA is configured to localhost only"
|
||||
else
|
||||
crit "MTA listens worldwide"
|
||||
@ -43,7 +47,7 @@ apply () {
|
||||
ok "Nothing listens on 25 port, probably unix socket configured"
|
||||
else
|
||||
info "Checking $RESULT"
|
||||
if $(grep -q "127.0.0.1" <<< $RESULT); then
|
||||
if grep -q "127.0.0.1" <<<"$RESULT"; then
|
||||
ok "MTA is configured to localhost only"
|
||||
else
|
||||
warn "MTA listens worldwide, correct this considering your MTA"
|
||||
@ -59,6 +63,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -68,8 +73,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,18 +1,22 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 6.16 Ensure rsync service is not enabled (Scored)
|
||||
# 2.2.16 Ensure rsync service is not enabled (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Ensure rsync service is not enabled."
|
||||
# shellcheck disable=2034
|
||||
HARDENING_EXCEPTION=rsync
|
||||
|
||||
PACKAGE='rsync'
|
||||
@ -22,13 +26,13 @@ RSYNC_DEFAULT_PATTERN_TO_SEARCH='RSYNC_ENABLE=true'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET != 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
ok "$PACKAGE is not installed"
|
||||
else
|
||||
ok "$PACKAGE is installed, checking configuration"
|
||||
does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
|
||||
if [ $FNRET != 0 ]; then
|
||||
does_pattern_exist_in_file "$RSYNC_DEFAULT_FILE" "^$RSYNC_DEFAULT_PATTERN"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE"
|
||||
else
|
||||
ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE"
|
||||
@ -38,16 +42,16 @@ audit () {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET != 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
ok "$PACKAGE is not installed"
|
||||
else
|
||||
ok "$PACKAGE is installed, checking configuration"
|
||||
does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
|
||||
if [ $FNRET != 0 ]; then
|
||||
does_pattern_exist_in_file "$RSYNC_DEFAULT_FILE" "^$RSYNC_DEFAULT_PATTERN"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE, adding it"
|
||||
backup_file $RSYNC_DEFAULT_FILE
|
||||
replace_in_file $RSYNC_DEFAULT_FILE $RSYNC_DEFAULT_PATTERN_TO_SEARCH $RSYNC_DEFAULT_PATTERN
|
||||
backup_file "$RSYNC_DEFAULT_FILE"
|
||||
replace_in_file "$RSYNC_DEFAULT_FILE" "$RSYNC_DEFAULT_PATTERN_TO_SEARCH" "$RSYNC_DEFAULT_PATTERN"
|
||||
else
|
||||
ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE"
|
||||
fi
|
||||
@ -61,6 +65,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -70,8 +75,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,27 +1,30 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 8.2.6 Accept Remote rsyslog Messages Only on Designated Log Hosts (Not Scored)
|
||||
# 2.2.17 Ensure NIS Server is not enabled (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
DESCRIPTION="Configure syslog to accept remote syslog messages only on designated log hosts."
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Disable NIS Server."
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
info "Not implemented yet"
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
info "Not implemented yet"
|
||||
:
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
@ -31,6 +34,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -40,8 +44,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,18 +1,22 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 6.1 Ensure the X Window system is not installed (Scored)
|
||||
# 2.2.2 Ensure the X Window system is not installed (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Ensure the X Window system is not installed."
|
||||
# shellcheck disable=2034
|
||||
HARDENING_EXCEPTION=x11
|
||||
|
||||
# Based on aptitude search '~Pxserver'
|
||||
@ -21,8 +25,8 @@ PACKAGES='xserver-xorg-core xserver-xorg-core-dbg xserver-common xserver-xephyr
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed!"
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
@ -33,11 +37,11 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed, purging it"
|
||||
apt-get purge $PACKAGE -y
|
||||
apt-get autoremove
|
||||
apt-get purge "$PACKAGE" -y
|
||||
apt-get autoremove -y
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
@ -51,6 +55,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -60,8 +65,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,17 +1,20 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 6.2 Ensure Avahi Server is not enabled (Scored)
|
||||
# 2.2.3 Ensure Avahi Server is not enabled (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Ensure Avahi server is not enabled."
|
||||
|
||||
PACKAGES='avahi-daemon libavahi-common-data libavahi-common3 libavahi-core7'
|
||||
@ -19,8 +22,8 @@ PACKAGES='avahi-daemon libavahi-common-data libavahi-common3 libavahi-core7'
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed!"
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
@ -31,11 +34,11 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed, purging it"
|
||||
apt-get purge $PACKAGE -y
|
||||
apt-get autoremove
|
||||
apt-get purge "$PACKAGE" -y
|
||||
apt-get autoremove -y
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
@ -49,6 +52,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -58,8 +62,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,18 +1,22 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 6.3 Ensure print server is not enabled (Not Scored)
|
||||
# 2.2.4 Ensure CUPS is not enabled (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Ensure print server (Common Unix Print System) is not enabled."
|
||||
# shellcheck disable=2034
|
||||
HARDENING_EXCEPTION=cups
|
||||
|
||||
PACKAGES='libcups2 libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1 cups-common cups-client cups-ppdc libcupsfilters1 cups-filters cups'
|
||||
@ -20,8 +24,8 @@ PACKAGES='libcups2 libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1 cups-comm
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed!"
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
@ -32,11 +36,11 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed, purging it"
|
||||
apt-get purge $PACKAGE -y
|
||||
apt-get autoremove
|
||||
apt-get purge "$PACKAGE" -y
|
||||
apt-get autoremove -y
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
@ -50,6 +54,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -59,8 +64,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,18 +1,22 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 6.4 Ensure DHCP Server is not enabled (Scored)
|
||||
# 2.2.5 Ensure DHCP Server is not enabled (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Ensure DHCP server is not enabled."
|
||||
# shellcheck disable=2034
|
||||
HARDENING_EXCEPTION=dhcp
|
||||
|
||||
PACKAGES='udhcpd isc-dhcp-server'
|
||||
@ -20,8 +24,8 @@ PACKAGES='udhcpd isc-dhcp-server'
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed!"
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
@ -32,11 +36,11 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed, purging it"
|
||||
apt-get purge $PACKAGE -y
|
||||
apt-get autoremove
|
||||
apt-get purge "$PACKAGE" -y
|
||||
apt-get autoremove -y
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
@ -50,6 +54,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -59,8 +64,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,18 +1,22 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 6.6 Ensure LDAP is not enabled (Not Scored)
|
||||
# 2.2.6 Ensure LDAP server is not enabled (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Ensure LDAP is not enabled."
|
||||
# shellcheck disable=2034
|
||||
HARDENING_EXCEPTION=ldap
|
||||
|
||||
PACKAGES='slapd'
|
||||
@ -20,8 +24,8 @@ PACKAGES='slapd'
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed!"
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
@ -32,11 +36,11 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed, purging it"
|
||||
apt-get purge $PACKAGE -y
|
||||
apt-get autoremove
|
||||
apt-get purge "$PACKAGE" -y
|
||||
apt-get autoremove -y
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
@ -50,6 +54,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -59,8 +64,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,18 +1,22 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 6.7 Ensure NFS and RPC are not enabled (Not Scored)
|
||||
# 2.2.7 Ensure NFS and RPC are not enabled (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Ensure Network File System (nfs) and RPC are not enabled."
|
||||
# shellcheck disable=2034
|
||||
HARDENING_EXCEPTION=nfs
|
||||
|
||||
PACKAGES='rpcbind nfs-kernel-server'
|
||||
@ -20,8 +24,8 @@ PACKAGES='rpcbind nfs-kernel-server'
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed!"
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
@ -32,11 +36,11 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed, purging it"
|
||||
apt-get purge $PACKAGE -y
|
||||
apt-get autoremove
|
||||
apt-get purge "$PACKAGE" -y
|
||||
apt-get autoremove -y
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
@ -50,6 +54,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -59,8 +64,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,18 +1,22 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 6.8 Ensure DNS Server is not enabled (Not Scored)
|
||||
# 2.2.8 Ensure DNS Server is not enabled (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Ensure Domain Name System (dns) server is not enabled."
|
||||
# shellcheck disable=2034
|
||||
HARDENING_EXCEPTION=dns
|
||||
|
||||
PACKAGES='bind9 unbound'
|
||||
@ -20,8 +24,8 @@ PACKAGES='bind9 unbound'
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed!"
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
@ -32,11 +36,11 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed, purging it"
|
||||
apt-get purge $PACKAGE -y
|
||||
apt-get autoremove
|
||||
apt-get purge "$PACKAGE" -y
|
||||
apt-get autoremove -y
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
@ -50,6 +54,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -59,8 +64,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,18 +1,22 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 6.9 Ensure FTP Server is not enabled (Not Scored)
|
||||
# 2.2.9 Ensure FTP Server is not enabled (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Ensure File Transfer Protocol (ftp) is not enabled."
|
||||
# shellcheck disable=2034
|
||||
HARDENING_EXCEPTION=ftp
|
||||
|
||||
# Based on aptitude search '~Pftp-server'
|
||||
@ -21,8 +25,8 @@ PACKAGES='ftpd ftpd-ssl heimdal-servers inetutils-ftpd krb5-ftpd muddleftpd prof
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed!"
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
@ -33,11 +37,11 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed, purging it"
|
||||
apt-get purge $PACKAGE -y
|
||||
apt-get autoremove
|
||||
apt-get purge "$PACKAGE" -y
|
||||
apt-get autoremove -y
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
@ -51,6 +55,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -60,8 +65,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,25 +1,28 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 5.1.1 Ensure NIS is not installed (Scored)
|
||||
# 2.3.1 Ensure NIS client is not installed (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Ensure that Network Information Service is not installed. Recommended alternative : LDAP."
|
||||
|
||||
PACKAGE='nis'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed!"
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
@ -29,11 +32,11 @@ audit () {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed, purging it"
|
||||
apt-get purge $PACKAGE -y
|
||||
apt-get autoremove
|
||||
apt-get purge "$PACKAGE" -y
|
||||
apt-get autoremove -y
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
@ -46,6 +49,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -55,8 +59,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,17 +1,20 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 5.1.3 Ensure rsh client is not installed (Scored)
|
||||
# 2.3.2 Ensure rsh client is not installed (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Ensure rsh client is not installed, Recommended alternative : ssh."
|
||||
|
||||
# Based on aptitude search '~Prsh-client', exluding ssh-client OFC
|
||||
@ -20,8 +23,8 @@ PACKAGES='rsh-client rsh-redone-client heimdal-clients'
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed"
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
@ -32,11 +35,11 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
warn "$PACKAGE is installed, purging"
|
||||
apt-get purge $PACKAGE -y
|
||||
apt-get autoremove
|
||||
apt-get purge "$PACKAGE" -y
|
||||
apt-get autoremove -y
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
@ -50,6 +53,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -59,8 +63,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,17 +1,20 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 5.1.5 Ensure talk client is not installed (Scored)
|
||||
# 2.3.3 Ensure talk client is not installed (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Ensure talk client is not installed."
|
||||
|
||||
PACKAGES='talk inetutils-talk'
|
||||
@ -19,8 +22,8 @@ PACKAGES='talk inetutils-talk'
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed"
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
@ -31,11 +34,11 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
warn "$PACKAGE is installed, purging"
|
||||
apt-get purge $PACKAGE -y
|
||||
apt-get autoremove
|
||||
apt-get purge "$PACKAGE" -y
|
||||
apt-get autoremove -y
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
@ -49,6 +52,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -58,8 +62,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
71
bin/hardening/2.3.4_disable_telnet_client.sh
Executable file
71
bin/hardening/2.3.4_disable_telnet_client.sh
Executable file
@ -0,0 +1,71 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.3.4 Ensure telnet client is not installed (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Ensure telnet client is not installed."
|
||||
|
||||
PACKAGES='telnet'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed"
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
warn "$PACKAGE is installed, purging"
|
||||
apt-get purge "$PACKAGE" -y
|
||||
apt-get autoremove -y
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
71
bin/hardening/2.3.5_disable_ldap_client.sh
Executable file
71
bin/hardening/2.3.5_disable_ldap_client.sh
Executable file
@ -0,0 +1,71 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 2.3.5 Ensure LDAP client is not installed (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Ensure ldap client is not installed."
|
||||
|
||||
PACKAGES='ldap-utils'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed"
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
warn "$PACKAGE is installed, purging"
|
||||
apt-get purge "$PACKAGE" -y
|
||||
apt-get autoremove -y
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
@ -1,17 +1,20 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 7.3.3 Disable IPv6 (Not Scored)
|
||||
# 3.1.1 Disable IPv6 (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Disable IPv6."
|
||||
|
||||
SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1'
|
||||
@ -19,17 +22,17 @@ SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ip
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
does_sysctl_param_exists "net.ipv6"
|
||||
if [ $FNRET != 0 ]; then
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
ok "ipv6 is disabled"
|
||||
else
|
||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
|
||||
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
|
||||
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
|
||||
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
if [ $FNRET != 0 ]; then
|
||||
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
|
||||
elif [ $FNRET = 255 ]; then
|
||||
elif [ "$FNRET" = 255 ]; then
|
||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||
else
|
||||
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
||||
@ -41,19 +44,19 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
does_sysctl_param_exists "net.ipv6"
|
||||
if [ $FNRET != 0 ]; then
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
ok "ipv6 is disabled"
|
||||
else
|
||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
|
||||
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
|
||||
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
|
||||
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
if [ $FNRET != 0 ]; then
|
||||
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value, fixing"
|
||||
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
|
||||
warn "you may want to reboot or sysctl -p a file including $SYSCTL_PARAMS"
|
||||
elif [ $FNRET = 255 ]; then
|
||||
elif [ "$FNRET" = 255 ]; then
|
||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||
else
|
||||
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
||||
@ -69,6 +72,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -78,8 +82,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,17 +1,20 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 7.6 Deactivate Wireless Interfaces (Not Scored)
|
||||
# 3.1.2 Ensure wireless interfaces are disabled (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Deactivate wireless interfaces."
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
@ -31,6 +34,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -43,6 +47,7 @@ fi
|
||||
# echo "There is no /etc/default/cis-hardening file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
# exit 128
|
||||
#else
|
||||
# shellcheck source=../../debian/default
|
||||
# . /etc/default/cis-hardening
|
||||
# if [ -z ${CIS_ROOT_DIR:-} ]; then
|
||||
# echo "No CIS_ROOT_DIR variable, aborting"
|
||||
@ -51,8 +56,9 @@ fi
|
||||
#fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
@ -1,17 +1,20 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 7.1.2 Disable Send Packet Redirects (Scored)
|
||||
# 3.2.1 Ensure packet redirect sending is disabled (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Disable send packet redirects to prevent malicious ICMP corruption."
|
||||
|
||||
#net.ipv4.conf.all.send_redirects = 0
|
||||
@ -21,13 +24,13 @@ SYSCTL_PARAMS='net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_red
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
|
||||
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
|
||||
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
|
||||
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
if [ $FNRET != 0 ]; then
|
||||
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
|
||||
elif [ $FNRET = 255 ]; then
|
||||
elif [ "$FNRET" = 255 ]; then
|
||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||
else
|
||||
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
||||
@ -38,15 +41,15 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
|
||||
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
|
||||
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
|
||||
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
if [ $FNRET != 0 ]; then
|
||||
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
||||
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
|
||||
sysctl -w net.ipv4.route.flush=1 >/dev/null
|
||||
elif [ $FNRET = 255 ]; then
|
||||
elif [ "$FNRET" = 255 ]; then
|
||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||
else
|
||||
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
||||
@ -61,6 +64,7 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
@ -70,8 +74,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user