5.2.17_sshd_login_grace_time

I added two functions in utils that checks perms and ownership for file
resulting for a certain find. It takes parameters to filter the results
if needed.

bin/hardening/10.2_disable_system_accounts.sh

@@ -14,14 +14,18 @@ set -u # One variable unset, it's over
 HARDENING_LEVEL=3
 DESCRIPTION="Disable system accounts, preventing them from interactive login."
 
-SHELL='/bin/false'
+ACCEPTED_SHELLS='/bin/false /usr/sbin/nologin /sbin/nologin'
+SHELL_TO_APPLY='/bin/false'
 FILE='/etc/passwd'
 RESULT=''
 
+ACCEPTED_SHELLS_GREP=''
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    info "Checking if admin accounts have a login shell different than $SHELL"
+    shells_to_grep_helper
-    RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}')
+    info "Checking if admin accounts have a login shell different than $ACCEPTED_SHELLS"
+    RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 ) {print}' | grep -v $ACCEPTED_SHELLS_GREP || true )
+    IFS_BAK=$IFS
     IFS=$'\n'
     for LINE in $RESULT; do
         debug "line : $LINE"
@@ -36,8 +40,9 @@ audit () {
             debug "$ACCOUNT not found in exceptions"
         fi
     done
+    IFS=$IFS_BAK
     if [ ! -z "$RESULT" ]; then
-        crit "Some admin accounts don't have $SHELL as their login shell"
+        crit "Some admin accounts don't have any of $ACCEPTED_SHELLS as their login shell"
         crit "$RESULT"
     else
         ok "All admin accounts deactivated"
@@ -46,7 +51,8 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}')
+    RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 ) {print}' | grep -v $ACCEPTED_SHELLS_GREP || true )
+    IFS_BAK=$IFS
     IFS=$'\n'
     for LINE in $RESULT; do
         debug "line : $LINE"
@@ -61,18 +67,25 @@ apply () {
             debug "$ACCOUNT not found in exceptions"
         fi
     done
+    IFS=$IFS_BAK
     if [ ! -z "$RESULT" ]; then
-        warn "Some admin accounts don't have $SHELL as their login shell -- Fixing"
+        warn "Some admin accounts don't have any of $ACCEPTED_SHELLS as their login shell -- Fixing"
         warn "$RESULT"
         for USER in $( echo "$RESULT" | cut -d: -f 1 ); do
-            info "Setting $SHELL as $USER login shell"
+            info "Setting $SHELL_TO_APPLY as $USER login shell"
-            usermod -s $SHELL $USER
+            usermod -s "$SHELL_TO_APPLY" "$USER"
         done
     else
         ok "All admin accounts deactivated, nothing to apply"
     fi
 }
 
+shells_to_grep_helper(){
+    for shell in $ACCEPTED_SHELLS; do
+        ACCEPTED_SHELLS_GREP+=" -e $shell"
+    done
+}
+
 # This function will create the config file for this check with default values
 create_config() {
     cat <<EOF

bin/hardening/12.10_find_suid_files.sh

@@ -14,13 +14,18 @@ set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 DESCRIPTION="Find SUID system executables."
+IGNORED_PATH=''
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     info "Checking if there are suid files"
     FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' )
     # shellcheck disable=2086
-    FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print)
+    if [ ! -z $IGNORED_PATH ]; then
+        FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
+    else
+        FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print)
+    fi
     BAD_BINARIES=""
     for BINARY in $FOUND_BINARIES; do
         if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then

bin/hardening/12.11_find_sgid_files.sh

@@ -14,13 +14,18 @@ set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 DESCRIPTION="Find SGID system executables."
+IGNORED_PATH=''
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     info "Checking if there are sgid files"
     FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' )
     # shellcheck disable=2086
-    FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print)
+    if [ ! -z $IGNORED_PATH ]; then
+        FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
+    else
+        FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print)
+    fi
     BAD_BINARIES=""
     for BINARY in $FOUND_BINARIES; do
         if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then

bin/hardening/12.8_find_unowned_files.sh

@@ -15,12 +15,17 @@ HARDENING_LEVEL=2
 DESCRIPTION="Find un-owned files and directories."
 
 USER='root'
+EXCLUDED=''
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     info "Checking if there are unowned files"
     FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
-    RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nouser -print 2>/dev/null)
+    if [ ! -z $EXCLUDED ]; then
+        RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
+    else
+        RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nouser -print 2>/dev/null)
+    fi
     if [ ! -z "$RESULT" ]; then
         crit "Some unowned files are present"
         FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
@@ -32,7 +37,11 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
+    if [ ! -z $EXCLUDED ]; then
+        RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
+    else
+        RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
+    fi
     if [ ! -z "$RESULT" ]; then
         warn "Applying chown on all unowned files in the system"
         df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER

bin/hardening/12.9_find_ungrouped_files.sh

@@ -15,12 +15,17 @@ HARDENING_LEVEL=2
 DESCRIPTION="Find un-grouped files and directories."
 
 GROUP='root'
+EXCLUDED=''
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     info "Checking if there are ungrouped files"
     FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
-    RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null)
+    if [ ! -z $EXCLUDED ]; then
+        RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
+    else
+        RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null)
+    fi
     if [ ! -z "$RESULT" ]; then
         crit "Some ungrouped files are present"
         FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
@@ -32,7 +37,11 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
+    if [ ! -z $EXCLUDED ]; then
+        RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
+    else
+        RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
+    fi
     if [ ! -z "$RESULT" ]; then
         warn "Applying chgrp on all ungrouped files in the system"
         df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP

bin/hardening/13.12_users_valid_homedir.sh

@@ -24,7 +24,7 @@ audit () {
         USER=$(awk -F: {'print $1'} <<< $LINE)
         USERID=$(awk -F: {'print $2'} <<< $LINE)
         DIR=$(awk -F: {'print $3'} <<< $LINE)
-        if [ $USERID -ge 1000 -a ! -d "$DIR" -a $USER != "nfsnobody" -a $USER != "nobody" ]; then
+        if [ $USERID -ge 1000 -a ! -d "$DIR" -a $USER != "nfsnobody" -a $USER != "nobody" -a "$DIR" != "/nonexistent" ]; then
             crit "The home directory ($DIR) of user $USER does not exist."
             ERRORS=$((ERRORS+1))    
         fi

bin/hardening/4.2.3_install_syslog-ng.sh

@@ -0,0 +1,61 @@
+#!/bin/bash
+
+#
+# CIS Debian Hardening
+#
+
+#
+# 4.2.3 Ensure Syslog-ng is installed (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+DESCRIPTION="Install syslog-ng to manage logs"
+
+PACKAGE='syslog-ng'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    is_pkg_installed $PACKAGE
+    if [ $FNRET != 0 ]; then
+        crit "$PACKAGE is not installed!"
+    else
+        ok "$PACKAGE is installed"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+        is_pkg_installed $PACKAGE
+        if [ $FNRET = 0 ]; then
+            ok "$PACKAGE is installed"
+        else
+            crit "$PACKAGE is absent, installing it"
+            apt_install $PACKAGE
+        fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+    . $CIS_ROOT_DIR/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/4.2.4_logs_permissions.sh

@@ -0,0 +1,64 @@
+#!/bin/bash
+
+#
+# CIS Debian Hardening
+#
+
+#
+# 4.2.4 Ensure permissions on all logfiles are configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=2
+DESCRIPTION="Check permissions on logs (other has no permissions on any files and group does not have write or execute permissions on any file)"
+
+DIR='/var/log'
+PERMISSIONS='640'
+OPTIONS=(-type f)
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS
+
+    if [ $FNRET = 0 ]; then
+        ok "Logs in $DIR have correct permissions"
+    else
+        crit "Some logs in $DIR permissions were not set to $PERMISSIONS"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS
+    if [ $FNRET = 0 ]; then
+        ok "Logs in $DIR have correct permissions"
+    else
+        info "fixing $DIR logs permissions to $PERMISSIONS"
+        find $DIR -type f -exec chmod 0$PERMISSIONS {} \;
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+    . $CIS_ROOT_DIR/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/5.2.17_sshd_login_grace_time.sh

@@ -0,0 +1,106 @@
+#!/bin/bash
+
+#
+# CIS Debian Hardening
+#
+
+#
+# 5.2.17 Ensure SSH LoginGraceTime is set to one minute or less (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+DESCRIPTION="Set Login Grace Time for user login."
+
+PACKAGE='openssh-server'
+FILE='/etc/ssh/sshd_config'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    OPTIONS="LoginGraceTime=$SSHD_LOGIN_GRACE_TIME"
+    is_pkg_installed $PACKAGE
+    if [ $FNRET != 0 ]; then
+        crit "$PACKAGE is not installed!"
+    else
+        ok "$PACKAGE is installed"
+        for SSH_OPTION in $OPTIONS; do
+            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+            does_pattern_exist_in_file $FILE "$PATTERN"
+            if [ $FNRET = 0 ]; then
+                ok "$PATTERN is present in $FILE"
+            else
+                crit "$PATTERN is not present in $FILE"
+            fi
+        done
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    is_pkg_installed $PACKAGE
+    if [ $FNRET = 0 ]; then
+        ok "$PACKAGE is installed"
+    else
+        crit "$PACKAGE is absent, installing it"
+        apt_install $PACKAGE
+    fi
+    for SSH_OPTION in $OPTIONS; do
+            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+            does_pattern_exist_in_file $FILE "$PATTERN"
+            if [ $FNRET = 0 ]; then
+                ok "$PATTERN is present in $FILE"
+            else
+                warn "$PATTERN is not present in $FILE, adding it"
+                does_pattern_exist_in_file $FILE "^$SSH_PARAM"
+                if [ $FNRET != 0 ]; then
+                    add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+                else
+                    info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
+                    replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                fi
+                /etc/init.d/ssh reload
+            fi
+    done
+}
+
+# This function will create the config file for this check with default values
+create_config() {
+    cat <<EOF
+status=audit
+# In seconds, value of LoginGraceTime
+# Settles sshd login grace time
+SSHD_LOGIN_GRACE_TIME=60
+EOF
+}
+
+# This function will check config parameters required
+check_config() {
+    if [ -z $SSHD_LOGIN_GRACE_TIME ]; then
+        crit "SSHD_LOGIN_GRACE_TIME is not set, please edit configuration file"
+        exit 128
+    fi
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+    . $CIS_ROOT_DIR/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh

@@ -0,0 +1,88 @@
+#!/bin/bash
+
+#
+# CIS Debian Hardening
+#
+
+#
+# 5.2.2 Ensure permissions on SSH private host key files are configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=1
+DESCRIPTION="Checking permissions and ownership to root 600 for ssh private keys. "
+
+DIR='/etc/ssh'
+PERMISSIONS='600'
+USER='root'
+GROUP='root'
+OPTIONS=(-xdev -type f -name "ssh_host_*_key")
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    have_files_in_dir_correct_ownership $DIR $USER $GROUP OPTIONS
+    if [ $FNRET = 0 ]; then
+        ok "SSH public keys in $DIR have correct ownership"
+    else
+        crit "Some $DIR SSH public keys ownership were not set to $USER:$GROUP"
+    fi
+    have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS
+    if [ $FNRET = 0 ]; then
+        ok "SSH public keys in $DIR have correct permissions"
+    else
+        crit "Some $DIR SSH public keys permissions were not set to $PERMISSIONS"
+    fi 
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+
+    have_files_in_dir_correct_ownership $DIR $USER $GROUP OPTIONS
+    if [ $FNRET = 0 ]; then
+        ok "SSH public keys in $DIR have correct ownership"
+    else
+        warn "fixing $DIR SSH public keys ownership to $USER:$GROUP"
+        find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chown root:root {} \;
+    fi
+    have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS
+    if [ $FNRET = 0 ]; then
+        ok "SSH public keys in $DIR have correct permissions"
+    else
+        info "fixing $DIR SSH public keys permissions to $PERMISSIONS"
+        find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chmod 0600 {} \;
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    does_user_exist $USER
+    if [ $FNRET != 0 ]; then
+        crit "$USER does not exist"
+        exit 128
+    fi
+    does_group_exist $GROUP
+    if [ $FNRET != 0 ]; then
+        crit "$GROUP does not exist"
+        exit 128
+    fi
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+    . $CIS_ROOT_DIR/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh

@@ -0,0 +1,88 @@
+#!/bin/bash
+
+#
+# CIS Debian Hardening
+#
+
+#
+# 5.2.3 Ensure permissions on SSH public host key files are configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=1
+DESCRIPTION="Checking permissions and ownership to root 644 for ssh public keys. "
+
+DIR='/etc/ssh'
+PERMISSIONS='644'
+USER='root'
+GROUP='root'
+OPTIONS=(-xdev -type f -name "ssh_host_*_key.pub")
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    have_files_in_dir_correct_ownership $DIR $USER $GROUP OPTIONS
+    if [ $FNRET = 0 ]; then
+        ok "SSH public keys in $DIR have correct ownership"
+    else
+        crit "Some $DIR SSH public keys ownership were not set to $USER:$GROUP"
+    fi
+    have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS
+    if [ $FNRET = 0 ]; then
+        ok "SSH public keys in $DIR have correct permissions"
+    else
+        crit "Some $DIR SSH public keys permissions were not set to $PERMISSIONS"
+    fi 
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+
+    have_files_in_dir_correct_ownership $DIR $USER $GROUP OPTIONS
+    if [ $FNRET = 0 ]; then
+        ok "SSH public keys in $DIR have correct ownership"
+    else
+        warn "fixing $DIR SSH public keys ownership to $USER:$GROUP"
+        find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chown root:root {} \;
+    fi
+    have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS
+    if [ $FNRET = 0 ]; then
+        ok "SSH public keys in $DIR have correct permissions"
+    else
+        info "fixing $DIR SSH public keys permissions to $PERMISSIONS"
+        find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chmod 0644 {} \;
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    does_user_exist $USER
+    if [ $FNRET != 0 ]; then
+        crit "$USER does not exist"
+        exit 128
+    fi
+    does_group_exist $GROUP
+    if [ $FNRET != 0 ]; then
+        crit "$GROUP does not exist"
+        exit 128
+    fi
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+    . $CIS_ROOT_DIR/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/99.3.1_acc_shadow_sha512.sh

@@ -31,6 +31,9 @@ audit () {
         passwd=$(echo "$line" | cut -d ":" -f 2)
         if [[ $passwd = '!' || $passwd = '*' ]]; then
             continue
+        elif [[ $passwd =~ ^!.*$ ]]; then
+            pw_found+="$user "
+            ok "User $user has a disabled password."
         # Check password against $6$<salt>$<encrypted>, see `man 3 crypt`
         elif [[ $passwd =~ ^\$6\$[a-zA-Z0-9./]{2,16}\$[a-zA-Z0-9./]{86}$ ]]; then
             pw_found+="$user "

debian/changelog

@@ -1,3 +1,41 @@
+cis-hardening (1.3-4) unstable; urgency=medium
+
+  * ADD(1.3.1): Install Ossec
+  * ADD(4.2.3): Syslog-ng install
+  * ADD(4.2.4): Logs permissions
+  * ADD(5.2.2, 5.2.3): SSH host keys permissions and ownership
+  * ADD(5.2.17): SSHD login grace time
+
+
+ -- Thibault AYANIDES <tayanide@ovhcloud.com>  Mon, 19 Oct 2020 16:31:48 +0200
+
+cis-hardening (1.3-3) unstable; urgency=medium
+
+  * changelog: update changelog
+  * IMP(12.8,12.9,12.10,12.11): be able to exclude some paths
+
+ -- Benjamin MONTHOUËL <benjamin.monthouel@ovhcloud.com>  Mon, 30 Mar 2020 19:12:03 +0200
+
+cis-hardening (1.3-2) unstable; urgency=medium
+
+  * IMP(test/13.12): ignore the phony '/nonexistent' home folder
+
+ -- Stéphane Lesimple <stephane.lesimple@corp.ovh.com>  Tue, 22 Oct 2019 15:15:34 +0200
+
+cis-hardening (1.3-1) unstable; urgency=medium
+
+  * Change of version numbering
+
+ -- Charles Herlin <charles.herlin@corp.ovh.com>  Wed, 28 Aug 2019 14:57:33 +0200
+
+cis-hardening (1.2-6) unstable; urgency=medium
+
+  * FIX(test/10.2): backup and restore /etc/passwd after test
+  * IMP(99.3.1): improve check with disabled passwords
+  * FIX(10.2): improve test to check multiple login shells
+
+ -- Charles Herlin <charles.herlin@corp.ovh.com>  Wed, 28 Aug 2019 12:34:52 +0200
+
 cis-hardening (1.2-5) unstable; urgency=medium
 
   * fix(99.4): do not stderr iptables warning on buster

lib/utils.sh

@@ -84,17 +84,57 @@ has_file_correct_ownership() {
     fi
 }
 
+have_files_in_dir_correct_ownership(){
+    local DIR=$1
+    local USER=$2
+    local GROUP=$3
+    local name=$4[@]
+    local OPTIONS=("${!name}")
+
+    local USERID=$(id -u $USER)
+    local GROUPID=$(getent group $GROUP | cut -d: -f3)
+
+    FNRET=0
+    OIFS="$IFS"
+    IFS=$'\n' # prevents word splitting
+    for owner in $("$SUDO_CMD find $DIR" "${OPTIONS[@]}" "-exec stat -c '%u %g' {} \;");
+    do
+    if [ "$owner" != "$USERID $GROUPID" ]; then
+        FNRET=1
+        break
+    fi
+    done
+    IFS="$OIFS"
+}
+
 has_file_correct_permissions() {
     local FILE=$1
     local PERMISSIONS=$2
     
-    if [ $($SUDO_CMD stat -L -c "%a" $1) = "$PERMISSIONS" ]; then
+    if [ $($SUDO_CMD stat -L -c "%a" $FILE) = "$PERMISSIONS" ]; then
         FNRET=0
     else
         FNRET=1
     fi 
 }
 
+have_files_in_dir_correct_permissions(){
+    local DIR=$1
+    local PERMISSIONS=$2
+    local name=$3[@]
+    local OPTIONS=("${!name}")
+    
+    FNRET=0
+    for perm in $("$SUDO_CMD find $DIR" "${OPTIONS[@]}" "-exec stat -L -c '%a' {} \;");
+    do
+    echo "$perm  ttt $PERMISSIONS"
+    if [ "$perm" != "$PERMISSIONS" ]; then
+        FNRET=1
+        break
+    fi
+    done
+}
+
 does_pattern_exist_in_file_nocase() {
     _does_pattern_exist_in_file "-Ei" $*
 }

tests/hardening/10.2_disable_system_accounts.sh

@@ -1,10 +1,19 @@
 # run-shellcheck
 test_audit() {
+    cp -a /etc/passwd /tmp/passwd.bak
+
     describe Running on blank host
-    register_test retvalshouldbe 0
+    register_test retvalshouldbe 1
-    dismiss_count_for_test
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    describe correcting situation
+    sed  -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    mv /tmp/passwd.bak /etc/passwd
 }

tests/hardening/4.2.3_install_syslog-ng.sh

@@ -0,0 +1,10 @@
+# run-shellcheck
+test_audit() {
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    dismiss_count_for_test
+    # shellcheck disable=2154
+    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    # TODO fill comprehensive tests
+}

tests/hardening/4.2.4_logs_permissions.sh

@@ -0,0 +1,10 @@
+# run-shellcheck
+test_audit() {
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    dismiss_count_for_test
+    # shellcheck disable=2154
+    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    # TODO fill comprehensive tests
+}

tests/hardening/5.2.17_sshd_login_grace_time.sh

@@ -0,0 +1,10 @@
+# run-shellcheck
+test_audit() {
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    dismiss_count_for_test
+    # shellcheck disable=2154
+    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    # TODO fill comprehensive tests
+}

tests/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh

@@ -0,0 +1,10 @@
+# run-shellcheck
+test_audit() {
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    dismiss_count_for_test
+    # shellcheck disable=2154
+    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    # TODO fill comprehensive tests
+}

tests/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh

@@ -0,0 +1,10 @@
+# run-shellcheck
+test_audit() {
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    dismiss_count_for_test
+    # shellcheck disable=2154
+    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    # TODO fill comprehensive tests
+}

tests/hardening/99.3.1_acc_shadow_sha512.sh

@@ -13,6 +13,12 @@ test_audit() {
     register_test contain "User secaudit has a password that is not SHA512 hashed"
     run unsecpasswd /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
+    sed -i 's/secaudit:mypassword/secaudit:!!/' /etc/shadow
+    describe Fail: Found disabled password
+    register_test retvalshouldbe 0
+    register_test contain "User secaudit has a disabled password"
+    run lockedpasswd /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
     mv /tmp/shadow.bak /etc/shadow
     chpasswd << EOF
 secaudit:mypassword