5.2.17_sshd_login_grace_time

I added two functions in utils that checks perms and ownership for file
resulting for a certain find. It takes parameters to filter the results
if needed.

bin/hardening/4.2.3_install_syslog-ng.sh

@@ -0,0 +1,61 @@
+#!/bin/bash
+
+#
+# CIS Debian Hardening
+#
+
+#
+# 4.2.3 Ensure Syslog-ng is installed (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+DESCRIPTION="Install syslog-ng to manage logs"
+
+PACKAGE='syslog-ng'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    is_pkg_installed $PACKAGE
+    if [ $FNRET != 0 ]; then
+        crit "$PACKAGE is not installed!"
+    else
+        ok "$PACKAGE is installed"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+        is_pkg_installed $PACKAGE
+        if [ $FNRET = 0 ]; then
+            ok "$PACKAGE is installed"
+        else
+            crit "$PACKAGE is absent, installing it"
+            apt_install $PACKAGE
+        fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+    . $CIS_ROOT_DIR/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/4.2.4_logs_permissions.sh

@@ -0,0 +1,64 @@
+#!/bin/bash
+
+#
+# CIS Debian Hardening
+#
+
+#
+# 4.2.4 Ensure permissions on all logfiles are configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=2
+DESCRIPTION="Check permissions on logs (other has no permissions on any files and group does not have write or execute permissions on any file)"
+
+DIR='/var/log'
+PERMISSIONS='640'
+OPTIONS=(-type f)
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS
+
+    if [ $FNRET = 0 ]; then
+        ok "Logs in $DIR have correct permissions"
+    else
+        crit "Some logs in $DIR permissions were not set to $PERMISSIONS"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS
+    if [ $FNRET = 0 ]; then
+        ok "Logs in $DIR have correct permissions"
+    else
+        info "fixing $DIR logs permissions to $PERMISSIONS"
+        find $DIR -type f -exec chmod 0$PERMISSIONS {} \;
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+    . $CIS_ROOT_DIR/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/5.2.17_sshd_login_grace_time.sh

@@ -0,0 +1,106 @@
+#!/bin/bash
+
+#
+# CIS Debian Hardening
+#
+
+#
+# 5.2.17 Ensure SSH LoginGraceTime is set to one minute or less (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+DESCRIPTION="Set Login Grace Time for user login."
+
+PACKAGE='openssh-server'
+FILE='/etc/ssh/sshd_config'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    OPTIONS="LoginGraceTime=$SSHD_LOGIN_GRACE_TIME"
+    is_pkg_installed $PACKAGE
+    if [ $FNRET != 0 ]; then
+        crit "$PACKAGE is not installed!"
+    else
+        ok "$PACKAGE is installed"
+        for SSH_OPTION in $OPTIONS; do
+            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+            does_pattern_exist_in_file $FILE "$PATTERN"
+            if [ $FNRET = 0 ]; then
+                ok "$PATTERN is present in $FILE"
+            else
+                crit "$PATTERN is not present in $FILE"
+            fi
+        done
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    is_pkg_installed $PACKAGE
+    if [ $FNRET = 0 ]; then
+        ok "$PACKAGE is installed"
+    else
+        crit "$PACKAGE is absent, installing it"
+        apt_install $PACKAGE
+    fi
+    for SSH_OPTION in $OPTIONS; do
+            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+            does_pattern_exist_in_file $FILE "$PATTERN"
+            if [ $FNRET = 0 ]; then
+                ok "$PATTERN is present in $FILE"
+            else
+                warn "$PATTERN is not present in $FILE, adding it"
+                does_pattern_exist_in_file $FILE "^$SSH_PARAM"
+                if [ $FNRET != 0 ]; then
+                    add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+                else
+                    info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
+                    replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                fi
+                /etc/init.d/ssh reload
+            fi
+    done
+}
+
+# This function will create the config file for this check with default values
+create_config() {
+    cat <<EOF
+status=audit
+# In seconds, value of LoginGraceTime
+# Settles sshd login grace time
+SSHD_LOGIN_GRACE_TIME=60
+EOF
+}
+
+# This function will check config parameters required
+check_config() {
+    if [ -z $SSHD_LOGIN_GRACE_TIME ]; then
+        crit "SSHD_LOGIN_GRACE_TIME is not set, please edit configuration file"
+        exit 128
+    fi
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+    . $CIS_ROOT_DIR/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh

@@ -0,0 +1,88 @@
+#!/bin/bash
+
+#
+# CIS Debian Hardening
+#
+
+#
+# 5.2.2 Ensure permissions on SSH private host key files are configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=1
+DESCRIPTION="Checking permissions and ownership to root 600 for ssh private keys. "
+
+DIR='/etc/ssh'
+PERMISSIONS='600'
+USER='root'
+GROUP='root'
+OPTIONS=(-xdev -type f -name "ssh_host_*_key")
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    have_files_in_dir_correct_ownership $DIR $USER $GROUP OPTIONS
+    if [ $FNRET = 0 ]; then
+        ok "SSH public keys in $DIR have correct ownership"
+    else
+        crit "Some $DIR SSH public keys ownership were not set to $USER:$GROUP"
+    fi
+    have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS
+    if [ $FNRET = 0 ]; then
+        ok "SSH public keys in $DIR have correct permissions"
+    else
+        crit "Some $DIR SSH public keys permissions were not set to $PERMISSIONS"
+    fi 
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+
+    have_files_in_dir_correct_ownership $DIR $USER $GROUP OPTIONS
+    if [ $FNRET = 0 ]; then
+        ok "SSH public keys in $DIR have correct ownership"
+    else
+        warn "fixing $DIR SSH public keys ownership to $USER:$GROUP"
+        find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chown root:root {} \;
+    fi
+    have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS
+    if [ $FNRET = 0 ]; then
+        ok "SSH public keys in $DIR have correct permissions"
+    else
+        info "fixing $DIR SSH public keys permissions to $PERMISSIONS"
+        find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chmod 0600 {} \;
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    does_user_exist $USER
+    if [ $FNRET != 0 ]; then
+        crit "$USER does not exist"
+        exit 128
+    fi
+    does_group_exist $GROUP
+    if [ $FNRET != 0 ]; then
+        crit "$GROUP does not exist"
+        exit 128
+    fi
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+    . $CIS_ROOT_DIR/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh

@@ -0,0 +1,88 @@
+#!/bin/bash
+
+#
+# CIS Debian Hardening
+#
+
+#
+# 5.2.3 Ensure permissions on SSH public host key files are configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=1
+DESCRIPTION="Checking permissions and ownership to root 644 for ssh public keys. "
+
+DIR='/etc/ssh'
+PERMISSIONS='644'
+USER='root'
+GROUP='root'
+OPTIONS=(-xdev -type f -name "ssh_host_*_key.pub")
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    have_files_in_dir_correct_ownership $DIR $USER $GROUP OPTIONS
+    if [ $FNRET = 0 ]; then
+        ok "SSH public keys in $DIR have correct ownership"
+    else
+        crit "Some $DIR SSH public keys ownership were not set to $USER:$GROUP"
+    fi
+    have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS
+    if [ $FNRET = 0 ]; then
+        ok "SSH public keys in $DIR have correct permissions"
+    else
+        crit "Some $DIR SSH public keys permissions were not set to $PERMISSIONS"
+    fi 
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+
+    have_files_in_dir_correct_ownership $DIR $USER $GROUP OPTIONS
+    if [ $FNRET = 0 ]; then
+        ok "SSH public keys in $DIR have correct ownership"
+    else
+        warn "fixing $DIR SSH public keys ownership to $USER:$GROUP"
+        find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chown root:root {} \;
+    fi
+    have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS
+    if [ $FNRET = 0 ]; then
+        ok "SSH public keys in $DIR have correct permissions"
+    else
+        info "fixing $DIR SSH public keys permissions to $PERMISSIONS"
+        find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chmod 0644 {} \;
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    does_user_exist $USER
+    if [ $FNRET != 0 ]; then
+        crit "$USER does not exist"
+        exit 128
+    fi
+    does_group_exist $GROUP
+    if [ $FNRET != 0 ]; then
+        crit "$GROUP does not exist"
+        exit 128
+    fi
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+    . $CIS_ROOT_DIR/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

debian/changelog

@@ -1,3 +1,14 @@
+cis-hardening (1.3-4) unstable; urgency=medium
+
+  * ADD(1.3.1): Install Ossec
+  * ADD(4.2.3): Syslog-ng install
+  * ADD(4.2.4): Logs permissions
+  * ADD(5.2.2, 5.2.3): SSH host keys permissions and ownership
+  * ADD(5.2.17): SSHD login grace time
+
+
+ -- Thibault AYANIDES <tayanide@ovhcloud.com>  Mon, 19 Oct 2020 16:31:48 +0200
+
 cis-hardening (1.3-3) unstable; urgency=medium
 
   * changelog: update changelog

lib/utils.sh

@@ -84,17 +84,57 @@ has_file_correct_ownership() {
     fi
 }
 
+have_files_in_dir_correct_ownership(){
+    local DIR=$1
+    local USER=$2
+    local GROUP=$3
+    local name=$4[@]
+    local OPTIONS=("${!name}")
+
+    local USERID=$(id -u $USER)
+    local GROUPID=$(getent group $GROUP | cut -d: -f3)
+
+    FNRET=0
+    OIFS="$IFS"
+    IFS=$'\n' # prevents word splitting
+    for owner in $("$SUDO_CMD find $DIR" "${OPTIONS[@]}" "-exec stat -c '%u %g' {} \;");
+    do
+    if [ "$owner" != "$USERID $GROUPID" ]; then
+        FNRET=1
+        break
+    fi
+    done
+    IFS="$OIFS"
+}
+
 has_file_correct_permissions() {
     local FILE=$1
     local PERMISSIONS=$2
     
-    if [ $($SUDO_CMD stat -L -c "%a" $1) = "$PERMISSIONS" ]; then
+    if [ $($SUDO_CMD stat -L -c "%a" $FILE) = "$PERMISSIONS" ]; then
         FNRET=0
     else
         FNRET=1
     fi 
 }
 
+have_files_in_dir_correct_permissions(){
+    local DIR=$1
+    local PERMISSIONS=$2
+    local name=$3[@]
+    local OPTIONS=("${!name}")
+    
+    FNRET=0
+    for perm in $("$SUDO_CMD find $DIR" "${OPTIONS[@]}" "-exec stat -L -c '%a' {} \;");
+    do
+    echo "$perm  ttt $PERMISSIONS"
+    if [ "$perm" != "$PERMISSIONS" ]; then
+        FNRET=1
+        break
+    fi
+    done
+}
+
 does_pattern_exist_in_file_nocase() {
     _does_pattern_exist_in_file "-Ei" $*
 }

tests/hardening/4.2.3_install_syslog-ng.sh

@@ -0,0 +1,10 @@
+# run-shellcheck
+test_audit() {
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    dismiss_count_for_test
+    # shellcheck disable=2154
+    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    # TODO fill comprehensive tests
+}

tests/hardening/4.2.4_logs_permissions.sh

@@ -0,0 +1,10 @@
+# run-shellcheck
+test_audit() {
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    dismiss_count_for_test
+    # shellcheck disable=2154
+    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    # TODO fill comprehensive tests
+}

tests/hardening/5.2.17_sshd_login_grace_time.sh

@@ -0,0 +1,10 @@
+# run-shellcheck
+test_audit() {
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    dismiss_count_for_test
+    # shellcheck disable=2154
+    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    # TODO fill comprehensive tests
+}

tests/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh

@@ -0,0 +1,10 @@
+# run-shellcheck
+test_audit() {
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    dismiss_count_for_test
+    # shellcheck disable=2154
+    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    # TODO fill comprehensive tests
+}

tests/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh

@@ -0,0 +1,10 @@
+# run-shellcheck
+test_audit() {
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    dismiss_count_for_test
+    # shellcheck disable=2154
+    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    # TODO fill comprehensive tests
+}