elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2025-07-16 13:52:17 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: elie:v2.0-4
Branches Tags
elie:master elie:damcava35/deb12_scripts_2 elie:damcava35/update_lib elie:damcava35/new_scripts elie:damcava35/issue_249 elie:damcava35/drop_debian10 elie:damcava35/is_ip_v6_enabled elie:damcava35/issue_195 elie:damcava35/fix_only elie:damcava35/fix_packaging elie:damcava35/set_version elie:damcava35/test_pre_commit elie:dev/thibault.dewailly/deb12 elie:dependabot/github_actions/luizm/action-sh-checker-0.9.0 elie:dev/thibault.dewailly/set_hardening_level elie:dev/thibault.dewailly/syslogng_remotecheck
elie:latest elie:v4.1-5 elie:v4.1-4 elie:v4.1-3 elie:v4.1-2 elie:v4.1-1 elie:v4.0-1 elie:v3.8-1 elie:v3.7-1 elie:v3.6-1 elie:v3.5-1 elie:v3.4-1 elie:v3.3-1 elie:v3.2-2 elie:v3.2-1 elie:v3.2-0 elie:v3.1-6 elie:v3.1-5 elie:v3.1-4 elie:v3.1-3 elie:v3.1-2 elie:v3.1-1 elie:v3.1-0 elie:v3.0-1 elie:v3.0 elie:v2.1-6 elie:v2.1-5 elie:v2.1-4 elie:v2.1-3 elie:v2.1-2 elie:v2.1-1 elie:v2.0-6 elie:v2.0-5 elie:v2.0-4 elie:v1.3-4 elie:v1.3-3 elie:v1.3-2 elie:v1.3 elie:v1.2-1 elie:v1.1-1
...
compare: elie:v2.1-3
Branches Tags
elie:damcava35/deb12_scripts_2 elie:damcava35/update_lib elie:damcava35/new_scripts elie:master elie:damcava35/issue_249 elie:damcava35/drop_debian10 elie:damcava35/is_ip_v6_enabled elie:damcava35/issue_195 elie:damcava35/fix_only elie:damcava35/fix_packaging elie:damcava35/set_version elie:damcava35/test_pre_commit elie:dev/thibault.dewailly/deb12 elie:dependabot/github_actions/luizm/action-sh-checker-0.9.0 elie:dev/thibault.dewailly/set_hardening_level elie:dev/thibault.dewailly/syslogng_remotecheck
elie:latest elie:v4.1-5 elie:v4.1-4 elie:v4.1-3 elie:v4.1-2 elie:v4.1-1 elie:v4.0-1 elie:v3.8-1 elie:v3.7-1 elie:v3.6-1 elie:v3.5-1 elie:v3.4-1 elie:v3.3-1 elie:v3.2-2 elie:v3.2-1 elie:v3.2-0 elie:v3.1-6 elie:v3.1-5 elie:v3.1-4 elie:v3.1-3 elie:v3.1-2 elie:v3.1-1 elie:v3.1-0 elie:v3.0-1 elie:v3.0 elie:v2.1-6 elie:v2.1-5 elie:v2.1-4 elie:v2.1-3 elie:v2.1-2 elie:v2.1-1 elie:v2.0-6 elie:v2.0-5 elie:v2.0-4 elie:v1.3-4 elie:v1.3-3 elie:v1.3-2 elie:v1.3 elie:v1.2-1 elie:v1.1-1

31 Commits
v2.0-4 ... v2.1-3

Author SHA1 Message Date
Thibault Ayanides
9c3aa51982 Update changelog 2020-11-30 15:16:36 +01:00
Thibault Ayanides
b994ca11a7 FIX(main): fix small bug in main 
The bug (introduced in 2.1-2) leaded to an error in the test that evaluates forcedstatus
 2020-11-30 15:10:39 +01:00
Thibault Ayanides
f4e0aafacc IMP(5.2.3): fix possible permissions for 5.2.3 2020-11-30 14:27:20 +01:00
Thibault Ayanides
d40a85085d FIX: fix issue, we had to run audit twice 
First one as root to create conf files with good owner and permissions, and then with secaudit.
Now first run with --create-config-files-only and the normally with --audit.
 2020-11-20 10:05:14 +01:00
Thibault Ayanides
467e5f178c fixup! IMP(4.5): rename to 1.6.1.2 improve test 2020-11-17 13:02:02 +01:00
Thibault Ayanides
d244a2e810 fixup! IMP(4.5): rename to 1.6.1.2 improve test 2020-11-17 12:56:10 +01:00
Thibault Ayanides
84bff4ac88 fixup! Move to most recent docker image for buster 2020-11-16 17:07:08 +01:00
Thibault Ayanides
d640a467e2 fixup! IMP(4.1.x): add tests for each checks 2020-11-16 16:54:51 +01:00
Thibault Ayanides
9bfb7efca1 Update changelog 2020-11-16 16:39:47 +01:00
Thibault Ayanides
7b8cca20d6 FIX(4.1.1.2): fix auditd apply 2020-11-09 11:48:48 +01:00
Thibault Ayanides
a6de243808 Rename 6.1.2,6.1.3,6.1.4 to be CIS9 compliant 2020-11-09 09:00:34 +01:00
Thibault Ayanides
7e8c976722 Add disclaimer when checks don't require comprehensive checks 
modified:   tests/hardening/1.1.1.1_disable_freevxfs.sh
	modified:   tests/hardening/1.1.1.2_disable_jffs2.sh
	modified:   tests/hardening/1.1.1.3_disable_hfs.sh
	modified:   tests/hardening/1.1.1.4_disable_hfsplus.sh
	modified:   tests/hardening/1.1.1.5_disable_udf.sh
	modified:   tests/hardening/1.1.1.6_disable_cramfs.sh
	modified:   tests/hardening/1.1.1.7_disable_squashfs.sh
	modified:   tests/hardening/1.1.10_var_tmp_noexec.sh
	modified:   tests/hardening/1.1.11_var_log_partition.sh
	modified:   tests/hardening/1.1.12_var_log_audit_partition.sh
	modified:   tests/hardening/1.1.13_home_partition.sh
	modified:   tests/hardening/1.1.14_home_nodev.sh
	modified:   tests/hardening/1.1.18_removable_device_nodev.sh
	modified:   tests/hardening/1.1.19_removable_device_nosuid.sh
	modified:   tests/hardening/1.1.20_removable_device_noexec.sh
	modified:   tests/hardening/1.1.2_tmp_partition.sh
	modified:   tests/hardening/1.1.3_tmp_nodev.sh
	modified:   tests/hardening/1.1.4_tmp_nosuid.sh
	modified:   tests/hardening/1.1.5_tmp_noexec.sh
	modified:   tests/hardening/1.1.6_var_partition.sh
	modified:   tests/hardening/1.1.7_var_tmp_partition.sh
	modified:   tests/hardening/1.1.8_var_tmp_nodev.sh
	modified:   tests/hardening/1.1.9_var_tmp_nosuid.sh
	modified:   tests/hardening/1.8_install_updates.sh
	modified:   tests/hardening/2.2.10_disable_http_server.sh
	modified:   tests/hardening/2.2.11_disable_imap_pop.sh
	modified:   tests/hardening/2.2.12_disable_samba.sh
	modified:   tests/hardening/2.2.13_disable_http_proxy.sh
	modified:   tests/hardening/2.2.14_disable_snmp_server.sh
	modified:   tests/hardening/2.2.2_disable_xwindow_system.sh
	modified:   tests/hardening/2.2.3_disable_avahi_server.sh
	modified:   tests/hardening/2.2.4_disable_print_server.sh
	modified:   tests/hardening/2.2.5_disable_dhcp.sh
	modified:   tests/hardening/2.2.6_disable_ldap.sh
	modified:   tests/hardening/2.2.7_disable_nfs_rpc.sh
	modified:   tests/hardening/2.2.8_disable_dns_server.sh
	modified:   tests/hardening/2.2.9_disable_ftp.sh
	modified:   tests/hardening/2.3.1_disable_nis.sh
	modified:   tests/hardening/2.3.2_disable_rsh_client.sh
	modified:   tests/hardening/2.3.3_disable_talk_client.sh
	modified:   tests/hardening/2.3.4_telnet_client_not_installed.sh
	modified:   tests/hardening/2.3.5_ldap_client_not_installed.sh
 2020-11-06 16:20:10 +01:00
Thibault Ayanides
ffd5b28840 FIX: fix apt autoremove to be non interactive 
modified:   bin/hardening/2.2.10_disable_http_server.sh
	modified:   bin/hardening/2.2.11_disable_imap_pop.sh
	modified:   bin/hardening/2.2.12_disable_samba.sh
	modified:   bin/hardening/2.2.14_disable_snmp_server.sh
	modified:   bin/hardening/2.2.2_disable_xwindow_system.sh
	modified:   bin/hardening/2.2.3_disable_avahi_server.sh
	modified:   bin/hardening/2.2.4_disable_print_server.sh
	modified:   bin/hardening/2.2.5_disable_dhcp.sh
	modified:   bin/hardening/2.2.6_disable_ldap.sh
	modified:   bin/hardening/2.2.7_disable_nfs_rpc.sh
	modified:   bin/hardening/2.2.8_disable_dns_server.sh
	modified:   bin/hardening/2.2.9_disable_ftp.sh
	modified:   bin/hardening/2.3.1_disable_nis.sh
	modified:   bin/hardening/2.3.2_disable_rsh_client.sh
	modified:   bin/hardening/2.3.3_disable_talk_client.sh
	modified:   bin/hardening/2.3.4_telnet_client_not_installed.sh
	modified:   bin/hardening/2.3.5_ldap_client_not_installed.sh
 2020-11-06 14:51:26 +01:00
Thibault Ayanides
ce1e87b1a3 IMP(4.5): rename to 1.6.1.2 improve test 2020-11-06 11:09:22 +01:00
Thibault Ayanides
b5865947ba Move to most recent docker image for buster 2020-11-06 10:11:46 +01:00
Thibault Ayanides
ee4b2417c2 IMP(4.1.x): add tests for each checks 2020-11-02 15:47:27 +01:00
Thibault Ayanides
5568065c35 IMP(4.1.3): skip on docker (bootloader) 2020-11-02 15:46:45 +01:00
Thibault Ayanides
91a2824246 IMP(5.6): add test 2020-10-30 09:48:36 +01:00
Thibault Ayanides
47f8b7b677 IMP(5.4.4): add test 2020-10-30 09:48:27 +01:00
Thibault Ayanides
728011f846 IMP(5.4.3): add purposely failing test 2020-10-30 09:40:28 +01:00
Thibault Ayanides
17e43753b9 IMP(5.4.1.1-3): add tests and rename some variables 2020-10-30 09:39:42 +01:00
Thibault Ayanides
9aac4c3504 IMP(5.3.4): improve check 2020-10-29 16:47:34 +01:00
Thibault Ayanides
8af91dd6a8 IMP(5.3.1,5.3.2): add tests and upgrade PAM conf 2020-10-29 16:45:15 +01:00
Thibault Ayanides
feefee28e4 IMP(5.3.1): add test and config function for check 2020-10-29 15:35:56 +01:00
Thibault Ayanides
774af39a34 IMP(5.2.x): add tests and default_config 
I added tests from 5.2.4 to 5.2.19 and default_config files in the
checks. This checks concern sshd conf (ciphers, mac, rootlogin, ...)

	modifié :         bin/hardening/5.2.4_sshd_protocol.sh
	modifié :         bin/hardening/5.2.6_disable_x11_forwarding.sh
	modifié :         bin/hardening/5.2.7_sshd_maxauthtries.sh
	modifié :         bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh
	modifié :         bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh
	modifié :         bin/hardening/5.2.10_disable_root_login.sh
	modifié :         bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh
	modifié :         bin/hardening/5.2.12_disable_sshd_setenv.sh
	modifié :         bin/hardening/5.2.13_sshd_ciphers.sh
	modifié :         bin/hardening/5.2.16_sshd_idle_timeout.sh
	modifié :         bin/hardening/5.2.17_sshd_login_grace_time.sh
	modifié :         tests/hardening/5.2.4_sshd_protocol.sh
	modifié :         tests/hardening/5.2.5_sshd_loglevel.sh
	modifié :         tests/hardening/5.2.6_disable_x11_forwarding.sh
	modifié :         tests/hardening/5.2.7_sshd_maxauthtries.sh
	modifié :         tests/hardening/5.2.8_enable_sshd_ignorerhosts.sh
	modifié :         tests/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh
	modifié :         tests/hardening/5.2.10_disable_root_login.sh
	modifié :         tests/hardening/5.2.11_disable_sshd_permitemptypasswords.sh
	modifié :         tests/hardening/5.2.12_disable_sshd_setenv.sh
	modifié :         tests/hardening/5.2.13_sshd_ciphers.sh
	modifié :         tests/hardening/5.2.16_sshd_idle_timeout.sh
	modifié :         tests/hardening/5.2.17_sshd_login_grace_time.sh
	modifié :         tests/hardening/5.2.18_sshd_limit_access.sh
	modifié :         tests/hardening/5.2.19_ssh_banner.sh
 2020-10-29 11:18:31 +01:00
Thibault Ayanides
e288835381 Update changelog 2020-11-16 14:21:47 +01:00
Thibault Ayanides
fbd26ceefa Fix race condition on /etc/passwd, /etc/shadow and /etc/group 2020-11-16 14:09:12 +01:00
Thibault Ayanides
501ce8c651 IMP(5.2.3): 640 permission is now ok for the check 2020-11-16 14:08:42 +01:00
Thibault Ayanides
829ee8631f Revert to previous check (8.2.4 in old num) 2020-11-16 14:06:39 +01:00
Thibault Ayanides
6620a82f34 Update changelog 2020-11-12 10:17:32 +01:00
Thibault
3c7a03445c FIX(3.1.1): fix unbound variable issue 2020-11-12 10:15:41 +01:00
155 changed files with 1347 additions and 313 deletions
Expand all files Collapse all files

21
bin/hardening.sh
View File

@ -20,6 +20,7 @@ AUDIT=0
APPLY=0 APPLY=0
AUDIT_ALL=0 AUDIT_ALL=0
AUDIT_ALL_ENABLE_PASSED=0 AUDIT_ALL_ENABLE_PASSED=0
CREATE_CONFIG=0
ALLOW_SERVICE_LIST=0 ALLOW_SERVICE_LIST=0
SET_HARDENING_LEVEL=0 SET_HARDENING_LEVEL=0
SUDO_MODE='' SUDO_MODE=''
@ -76,6 +77,10 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
Modifies the policy to allow a certain kind of services on the machine, such Modifies the policy to allow a certain kind of services on the machine, such
as http, mail, etc. Can be specified multiple times to allow multiple services. as http, mail, etc. Can be specified multiple times to allow multiple services.
Use --allow-service-list to get a list of supported services. Use --allow-service-list to get a list of supported services.
--create-config-files-only
Create the config files in etc/conf.d
Must be run as root, before running the audit with user secaudit
OPTIONS: OPTIONS:
@ -126,6 +131,9 @@ while [[ $# > 0 ]]; do
--allow-service-list) --allow-service-list)
ALLOW_SERVICE_LIST=1 ALLOW_SERVICE_LIST=1
;; ;;
--create-config-files-only)
CREATE_CONFIG=1
;;
--allow-service) --allow-service)
ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2" ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
shift shift
@ -156,7 +164,7 @@ while [[ $# > 0 ]]; do
done done
# if no RUN_MODE was passed, usage and quit # if no RUN_MODE was passed, usage and quit
if [ "$AUDIT" -eq 0 -a "$AUDIT_ALL" -eq 0 -a "$AUDIT_ALL_ENABLE_PASSED" -eq 0 -a "$APPLY" -eq 0 ]; then if [ "$AUDIT" -eq 0 -a "$AUDIT_ALL" -eq 0 -a "$AUDIT_ALL_ENABLE_PASSED" -eq 0 -a "$APPLY" -eq 0 -a "$CREATE_CONFIG" -eq 0 ]; then
usage usage
fi fi
@ -210,6 +218,11 @@ if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then
exit 0 exit 0
fi fi
if [ $CREATE_CONFIG = 1 ] && [ "$EUID" -ne 0 ]; then
echo "For --create-config-files-only, please run as root"
exit 1
fi
# Parse every scripts and execute them in the required mode # Parse every scripts and execute them in the required mode
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
if [ ${#TEST_LIST[@]} -gt 0 ] ; then if [ ${#TEST_LIST[@]} -gt 0 ] ; then
@ -223,8 +236,10 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
fi fi
info "Treating $SCRIPT" info "Treating $SCRIPT"
if [ $CREATE_CONFIG = 1 ]; then
if [ $AUDIT = 1 ]; then debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only"
$SCRIPT --create-config-files-only $BATCH_MODE
elif [ $AUDIT = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE" debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
$SCRIPT --audit $SUDO_MODE $BATCH_MODE $SCRIPT --audit $SUDO_MODE $BATCH_MODE
elif [ $AUDIT_ALL = 1 ]; then elif [ $AUDIT_ALL = 1 ]; then

45
bin/hardening/4.5_enable_apparmor.sh → bin/hardening/1.6.2.1_enable_apparmor.sh
View File

@ -5,7 +5,7 @@
# #
# #
# 4.5 Activate AppArmor (Scored) # 1.6.2.1 Activate AppArmor (Scored)
# #
set -e # One error, it's over set -e # One error, it's over
@ -24,7 +24,25 @@ audit () {
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
fi fi
:
ERROR=0
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for line in $RESULT; do
if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
crit "$line is not configured"
ERROR=1
fi
done
IFS=$d_IFS
if [ $ERROR = 0 ]; then
ok "$PACKAGE is configured"
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
@ -35,7 +53,28 @@ apply () {
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
fi fi
:
ERROR=0
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for line in $RESULT; do
if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
crit "$line is not configured"
ERROR=1
fi
done
IFS=$d_IFS
if [ $ERROR = 1 ]; then
$SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor/" /etc/default/grub
$SUDO_CMD update-grub
else
ok "$PACKAGE is configured"
fi
} }
# This function will check config parameters required # This function will check config parameters required

2
bin/hardening/2.2.10_disable_http_server.sh
View File

@ -37,7 +37,7 @@ apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y apt-get purge $PACKAGE -y
apt-get autoremove apt-get autoremove -y
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi

2
bin/hardening/2.2.11_disable_imap_pop.sh
View File

@ -37,7 +37,7 @@ apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y apt-get purge $PACKAGE -y
apt-get autoremove apt-get autoremove -y
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi

2
bin/hardening/2.2.12_disable_samba.sh
View File

@ -43,7 +43,7 @@ apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y apt-get purge $PACKAGE -y
apt-get autoremove apt-get autoremove -y
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi

2
bin/hardening/2.2.14_disable_snmp_server.sh
View File

@ -36,7 +36,7 @@ apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y apt-get purge $PACKAGE -y
apt-get autoremove apt-get autoremove -y
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi

2
bin/hardening/2.2.2_disable_xwindow_system.sh
View File

@ -37,7 +37,7 @@ apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y apt-get purge $PACKAGE -y
apt-get autoremove apt-get autoremove -y
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi

2
bin/hardening/2.2.3_disable_avahi_server.sh
View File

@ -35,7 +35,7 @@ apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y apt-get purge $PACKAGE -y
apt-get autoremove apt-get autoremove -y
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi

2
bin/hardening/2.2.4_disable_print_server.sh
View File

@ -36,7 +36,7 @@ apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y apt-get purge $PACKAGE -y
apt-get autoremove apt-get autoremove -y
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi

2
bin/hardening/2.2.5_disable_dhcp.sh
View File

@ -36,7 +36,7 @@ apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y apt-get purge $PACKAGE -y
apt-get autoremove apt-get autoremove -y
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi

2
bin/hardening/2.2.6_disable_ldap.sh
View File

@ -36,7 +36,7 @@ apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y apt-get purge $PACKAGE -y
apt-get autoremove apt-get autoremove -y
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi

2
bin/hardening/2.2.7_disable_nfs_rpc.sh
View File

@ -36,7 +36,7 @@ apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y apt-get purge $PACKAGE -y
apt-get autoremove apt-get autoremove -y
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi

2
bin/hardening/2.2.8_disable_dns_server.sh
View File

@ -36,7 +36,7 @@ apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y apt-get purge $PACKAGE -y
apt-get autoremove apt-get autoremove -y
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi

2
bin/hardening/2.2.9_disable_ftp.sh
View File

@ -37,7 +37,7 @@ apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y apt-get purge $PACKAGE -y
apt-get autoremove apt-get autoremove -y
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi

2
bin/hardening/2.3.1_disable_nis.sh
View File

@ -33,7 +33,7 @@ apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y apt-get purge $PACKAGE -y
apt-get autoremove apt-get autoremove -y
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi

2
bin/hardening/2.3.2_disable_rsh_client.sh
View File

@ -36,7 +36,7 @@ apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, purging" warn "$PACKAGE is installed, purging"
apt-get purge $PACKAGE -y apt-get purge $PACKAGE -y
apt-get autoremove apt-get autoremove -y
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi

2
bin/hardening/2.3.3_disable_talk_client.sh
View File

@ -35,7 +35,7 @@ apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, purging" warn "$PACKAGE is installed, purging"
apt-get purge $PACKAGE -y apt-get purge $PACKAGE -y
apt-get autoremove apt-get autoremove -y
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi

2
bin/hardening/2.3.4_disable_telnet_client.sh
View File

@ -35,7 +35,7 @@ apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, purging" warn "$PACKAGE is installed, purging"
apt-get purge $PACKAGE -y apt-get purge $PACKAGE -y
apt-get autoremove apt-get autoremove -y
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi

2
bin/hardening/2.3.5_disable_ldap_client.sh
View File

@ -35,7 +35,7 @@ apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, purging" warn "$PACKAGE is installed, purging"
apt-get purge $PACKAGE -y apt-get purge $PACKAGE -y
apt-get autoremove apt-get autoremove -y
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi

28
bin/hardening/3.1.1_disable_ip_forwarding.sh
View File

@ -21,9 +21,9 @@ SYSCTL_EXP_RESULT=0
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
for SYSCTL_PARAM in $SYSCTL_PARAMS; do for SYSCTL_PARAM in $SYSCTL_PARAMS; do
does_sysctl_param_exists "net.ipv6" does_sysctl_param_exists "net.ipv6"
if [ $FNRET = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6 if [ $FNRET = 0 ] || [[ ! $SYSCTL_PARAM =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then elif [ $FNRET = 255 ]; then
@ -37,16 +37,18 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT for SYSCTL_PARAM in $SYSCTL_PARAMS; do
if [ $FNRET != 0 ]; then has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" if [ $FNRET != 0 ]; then
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
sysctl -w net.ipv4.route.flush=1 > /dev/null set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
elif [ $FNRET = 255 ]; then sysctl -w net.ipv4.route.flush=1 > /dev/null
warn "$SYSCTL_PARAM does not exist -- Typo?" elif [ $FNRET = 255 ]; then
else warn "$SYSCTL_PARAM does not exist -- Typo?"
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" else
fi ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
done
} }
# This function will check config parameters required # This function will check config parameters required

11
bin/hardening/4.1.1.2_halt_when_audit_log_full.sh
View File

@ -15,7 +15,7 @@ HARDENING_LEVEL=4
DESCRIPTION="Disable system on audit log full." DESCRIPTION="Disable system on audit log full."
FILE='/etc/audit/auditd.conf' FILE='/etc/audit/auditd.conf'
OPTIONS='space_left_action=email action_mail_acct=root admin_space_left_action=halt' OPTIONS=''
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
@ -75,6 +75,15 @@ check_config() {
: :
} }
create_config() {
cat << EOF
# shellcheck disable=2034
status=audit
# Put here the conf for auditd
OPTIONS='space_left_action=email action_mail_acct=root admin_space_left_action=halt'
EOF
}
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening . /etc/default/cis-hardening

2
bin/hardening/4.1.4_record_date_time_edit.sh
View File

@ -12,7 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
HARDENING_LEVEL=4 HARDENING_LEVEL=4
DESCRIPTION="Record events taht modify date and time information." DESCRIPTION="Record events that modify date and time information."
AUDIT_PARAMS='-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change AUDIT_PARAMS='-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change

135
bin/hardening/4.2.2.3_syslog_ng_logfiles_perm.sh
View File

@ -5,50 +5,113 @@
# #
# #
# 4.2.2.3 Ensure syslog-ng default file permissions configured (Scored) # 4.2.2.3 Create and Set Permissions on syslog-ng Log Files (Scored)
# #
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
HARDENING_LEVEL=3 # Note: this is not exacly the same check as the one described in CIS PDF
DESCRIPTION="Ensure logfile are created with root:640"
PATTERN='options[[:space:]]*{[[:alnum:] ()_;"\t]*perm\(0640\);' # shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Create and set permissions on syslog-ng logfiles."
PERMISSIONS=''
USER=''
GROUP=''
EXCEPTIONS=''
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
FOUND=0 FILES=$(grep "file(" "$SYSLOG_BASEDIR"/syslog-ng.conf | grep '"' | cut -d'"' -f 2)
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L $SYSLOG_BASEDIR/conf.d/ -type f)"
for FILE in $FILES; do for FILE in $FILES; do
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN" does_file_exist "$FILE"
if [ $FNRET = 0 ]; then if [ "$FNRET" != 0 ]; then
FOUND=1 warn "$FILE does not exist"
else
FOUND_EXC=0
if grep -q "$FILE" <(tr ' ' '\n' <<< "$EXCEPTIONS" | cut -d ":" -f 1); then
debug "$FILE is found in exceptions"
debug "Setting special user:group:perm"
FOUND_EXC=1
local user_bak="$USER"
local group_bak="$GROUP"
local perm_bak="$PERMISSIONS"
USER="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)"
GROUP="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)"
PERMISSIONS="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership ($USER:$GROUP)"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions ($PERMISSIONS)"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
if [ "$FOUND_EXC" = 1 ]; then
debug "Resetting user:group:perm"
USER="$user_bak"
GROUP="$group_bak"
PERMISSIONS="$perm_bak"
fi
fi fi
done done
if [ $FOUND = 1 ]; then
ok "$PATTERN is present in $FILES"
else
crit "$PATTERN is not present in $FILES"
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
FOUND=0
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L $SYSLOG_BASEDIR/conf.d/ -type f)"
for FILE in $FILES; do for FILE in $FILES; do
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN" does_file_exist "$FILE"
if [ $FNRET = 0 ]; then if [ "$FNRET" != 0 ]; then
FOUND=1 info "$FILE does not exist"
filedir=$(dirname "${FILE#/var/log/}")
if [ ! "$filedir" = "." ] && [ ! -d /var/log/"$filedir" ]; then
debug "Creating /var/log/$filedir for $FILE"
debug "mkdir -p /var/log/$filedir"
mkdir -p /var/log/"$filedir"
fi
touch "$FILE"
fi
FOUND_EXC=0
if grep "$FILE" <(tr ' ' '\n' <<< "$EXCEPTIONS" | cut -d ":" -f 1); then
debug "$FILE is found in exceptions"
debug "Setting special user:group:perm"
FOUND_EXC=1
local user_bak="$USER"
local group_bak="$GROUP"
local perm_bak="$PERMISSIONS"
USER="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)"
GROUP="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)"
PERMISSIONS="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
if [ "$FOUND_EXC" = 1 ]; then
debug "Resetting user:group:perm"
USER="$user_bak"
GROUP="$group_bak"
PERMISSIONS="$perm_bak"
fi fi
done done
if [ $FOUND = 1 ]; then
ok "$PATTERN is present in $FILES"
else
crit "$PATTERN is not present in $FILES, please set a remote host to send your logs"
fi
} }
# This function will create the config file for this check with default values # This function will create the config file for this check with default values
@ -56,12 +119,27 @@ create_config() {
cat <<EOF cat <<EOF
status=audit status=audit
SYSLOG_BASEDIR='/etc/syslog-ng' SYSLOG_BASEDIR='/etc/syslog-ng'
PERMISSIONS='640'
USER='root'
GROUP='adm'
# Put exceptions here with file:user:group:permissions
# example: /dev/null:root:root:666
EXCEPTIONS=''
EOF EOF
} }
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: does_user_exist "$USER"
if [ "$FNRET" != 0 ]; then
crit "$USER does not exist"
exit 128
fi
does_group_exist $GROUP
if [ "$FNRET" != 0 ]; then
crit "$GROUP does not exist"
exit 128
fi
} }
# Source Root Dir Parameter # Source Root Dir Parameter
@ -75,8 +153,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=/opt/debian-cis/lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

11
bin/hardening/5.2.10_disable_root_login.sh
View File

@ -15,7 +15,7 @@ HARDENING_LEVEL=3
DESCRIPTION="Disable SSH Root Login." DESCRIPTION="Disable SSH Root Login."
PACKAGE='openssh-server' PACKAGE='openssh-server'
OPTIONS='PermitRootLogin=no' OPTIONS=''
FILE='/etc/ssh/sshd_config' FILE='/etc/ssh/sshd_config'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,15 @@ check_config() {
: :
} }
create_config() {
cat << EOF
# shellcheck disable=2034
status=audit
# Put here the root login boolean for ssh
OPTIONS='PermitRootLogin=no'
EOF
}
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening . /etc/default/cis-hardening

11
bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh
View File

@ -15,7 +15,7 @@ HARDENING_LEVEL=2
DESCRIPTION="Set SSH PermitEmptyPasswords to No in order to disallow SSH login to accounts with empty password strigs." DESCRIPTION="Set SSH PermitEmptyPasswords to No in order to disallow SSH login to accounts with empty password strigs."
PACKAGE='openssh-server' PACKAGE='openssh-server'
OPTIONS='PermitEmptyPasswords=no' OPTIONS=''
FILE='/etc/ssh/sshd_config' FILE='/etc/ssh/sshd_config'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,15 @@ check_config() {
: :
} }
create_config() {
cat << EOF
# shellcheck disable=2034
status=audit
# Put here the empty password boolean for ssh
OPTIONS='PermitEmptyPasswords=no'
EOF
}
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening . /etc/default/cis-hardening

11
bin/hardening/5.2.12_disable_sshd_setenv.sh
View File

@ -15,7 +15,7 @@ HARDENING_LEVEL=2
DESCRIPTION="Do not allow users to set environment options." DESCRIPTION="Do not allow users to set environment options."
PACKAGE='openssh-server' PACKAGE='openssh-server'
OPTIONS='PermitUserEnvironment=no' OPTIONS=''
FILE='/etc/ssh/sshd_config' FILE='/etc/ssh/sshd_config'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,15 @@ check_config() {
: :
} }
create_config() {
cat << EOF
# shellcheck disable=2034
status=audit
# Put here the permit user env boolean for ssh
OPTIONS='PermitUserEnvironment=no'
EOF
}
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening . /etc/default/cis-hardening

12
bin/hardening/5.2.13_sshd_ciphers.sh
View File

@ -15,7 +15,7 @@ HARDENING_LEVEL=2
DESCRIPTION="Use only approved ciphers in counter mode (ctr) or Galois counter mode (gcm)." DESCRIPTION="Use only approved ciphers in counter mode (ctr) or Galois counter mode (gcm)."
PACKAGE='openssh-server' PACKAGE='openssh-server'
OPTIONS='Ciphers=chacha20-poly1305@openssh\.com,aes256-gcm@openssh\.com,aes128-gcm@openssh\.com,aes256-ctr,aes192-ctr,aes128-ctr' OPTIONS=''
FILE='/etc/ssh/sshd_config' FILE='/etc/ssh/sshd_config'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,16 @@ check_config() {
: :
} }
# This function will create the config file for this check with default values
create_config() {
cat << EOF
# shellcheck disable=2034
status=audit
# Put here the ciphers
OPTIONS='Ciphers=chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
EOF
}
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening . /etc/default/cis-hardening

9
bin/hardening/5.2.16_sshd_idle_timeout.sh
View File

@ -16,11 +16,11 @@ HARDENING_LEVEL=3
DESCRIPTION="Set Idle Timeout Interval for user login." DESCRIPTION="Set Idle Timeout Interval for user login."
PACKAGE='openssh-server' PACKAGE='openssh-server'
OPTIONS=''
FILE='/etc/ssh/sshd_config' FILE='/etc/ssh/sshd_config'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
OPTIONS="ClientAliveInterval=$SSHD_TIMEOUT ClientAliveCountMax=0"
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!" crit "$PACKAGE is not installed!"
@ -76,16 +76,13 @@ create_config() {
status=audit status=audit
# In seconds, value of ClientAliveInterval, ClientAliveCountMax bedoing set to 0 # In seconds, value of ClientAliveInterval, ClientAliveCountMax bedoing set to 0
# Settles sshd idle timeout # Settles sshd idle timeout
SSHD_TIMEOUT=300 OPTIONS="ClientAliveInterval=300 ClientAliveCountMax=0"
EOF EOF
} }
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
if [ -z $SSHD_TIMEOUT ]; then :
crit "SSHD_TIMEOUT is not set, please edit configuration file"
exit 128
fi
} }
# Source Root Dir Parameter # Source Root Dir Parameter

9
bin/hardening/5.2.17_sshd_login_grace_time.sh
View File

@ -15,11 +15,11 @@ HARDENING_LEVEL=3
DESCRIPTION="Set Login Grace Time for user login." DESCRIPTION="Set Login Grace Time for user login."
PACKAGE='openssh-server' PACKAGE='openssh-server'
OPTIONS=''
FILE='/etc/ssh/sshd_config' FILE='/etc/ssh/sshd_config'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
OPTIONS="LoginGraceTime=$SSHD_LOGIN_GRACE_TIME"
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!" crit "$PACKAGE is not installed!"
@ -75,16 +75,13 @@ create_config() {
status=audit status=audit
# In seconds, value of LoginGraceTime # In seconds, value of LoginGraceTime
# Settles sshd login grace time # Settles sshd login grace time
SSHD_LOGIN_GRACE_TIME=60 OPTIONS="LoginGraceTime=60"
EOF EOF
} }
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
if [ -z $SSHD_LOGIN_GRACE_TIME ]; then :
crit "SSHD_LOGIN_GRACE_TIME is not set, please edit configuration file"
exit 128
fi
} }
# Source Root Dir Parameter # Source Root Dir Parameter

28
bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh
View File

@ -28,8 +28,18 @@ audit () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE permissions were set to $PERMISSIONS" ok "$FILE permissions were set to $PERMISSIONS"
else else
ERRORS=$((ERRORS+1)) has_file_correct_permissions $FILE 640
crit "$FILE permissions were not set to $PERMISSIONS" if [ $FNRET = 0 ]; then
ok "$FILE permissions were set to $PERMISSIONS"
else
has_file_correct_permissions $FILE 600
if [ $FNRET = 0 ]; then
ok "$FILE permissions were set to $PERMISSIONS"
else
ERRORS=$((ERRORS+1))
crit "$FILE permissions were not set to $PERMISSIONS"
fi
fi
fi fi
done done
@ -64,8 +74,18 @@ apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE permissions were set to $PERMISSIONS" ok "$FILE permissions were set to $PERMISSIONS"
else else
warn "fixing $DIR SSH public keys permissions to $USER:$GROUP" has_file_correct_permissions $FILE 640
chmod 0$PERMISSIONS $FILE if [ $FNRET = 0 ]; then
ok "$FILE permissions were set to $PERMISSIONS"
else
has_file_correct_permissions $FILE 600
if [ $FNRET = 0 ]; then
ok "$FILE permissions were set to $PERMISSIONS"
else
warn "fixing $DIR SSH public keys permissions to $USER:$GROUP"
chmod 0$PERMISSIONS $FILE
fi
fi
fi fi
done done

11
bin/hardening/5.2.4_sshd_protocol.sh
View File

@ -15,7 +15,7 @@ HARDENING_LEVEL=2
DESCRIPTION="Set secure shell (SSH) protocol to 2." DESCRIPTION="Set secure shell (SSH) protocol to 2."
PACKAGE='openssh-server' PACKAGE='openssh-server'
OPTIONS='Protocol=2' OPTIONS=''
FILE='/etc/ssh/sshd_config' FILE='/etc/ssh/sshd_config'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,15 @@ check_config() {
: :
} }
create_config() {
cat << EOF
# shellcheck disable=2034
status=audit
# Put here your protocol for ssh
OPTIONS='Protocol=2'
EOF
}
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening . /etc/default/cis-hardening

12
bin/hardening/5.2.6_disable_x11_forwarding.sh
View File

@ -15,7 +15,7 @@ HARDENING_LEVEL=2
DESCRIPTION="Disable SSH X11 forwarding." DESCRIPTION="Disable SSH X11 forwarding."
PACKAGE='openssh-server' PACKAGE='openssh-server'
OPTIONS='X11Forwarding=no' OPTIONS=''
FILE='/etc/ssh/sshd_config' FILE='/etc/ssh/sshd_config'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,16 @@ check_config() {
: :
} }
# This function will create the config file for this check with default values
create_config() {
cat << EOF
# shellcheck disable=2034
status=audit
# Put here the forwarding boolean for ssh
OPTIONS='X11Forwarding=no'
EOF
}
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening . /etc/default/cis-hardening

11
bin/hardening/5.2.7_sshd_maxauthtries.sh
View File

@ -15,7 +15,7 @@ HARDENING_LEVEL=2
DESCRIPTION="Set SSH MaxAuthTries to 4." DESCRIPTION="Set SSH MaxAuthTries to 4."
PACKAGE='openssh-server' PACKAGE='openssh-server'
OPTIONS='MaxAuthTries=4' OPTIONS=''
FILE='/etc/ssh/sshd_config' FILE='/etc/ssh/sshd_config'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,15 @@ check_config() {
: :
} }
create_config() {
cat << EOF
# shellcheck disable=2034
status=audit
# Put here the max auth tries for ssh
OPTIONS='MaxAuthTries=4'
EOF
}
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening . /etc/default/cis-hardening

10
bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh
View File

@ -15,7 +15,7 @@ HARDENING_LEVEL=2
DESCRIPTION="Set SSH IgnoreRhosts to Yes." DESCRIPTION="Set SSH IgnoreRhosts to Yes."
PACKAGE='openssh-server' PACKAGE='openssh-server'
OPTIONS='IgnoreRhosts=yes' OPTIONS=''
FILE='/etc/ssh/sshd_config' FILE='/etc/ssh/sshd_config'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,14 @@ check_config() {
: :
} }
create_config() {
cat << EOF
# shellcheck disable=2034
status=audit
# Put here the rhosts boolean for ssh
OPTIONS='IgnoreRhosts=yes'
EOF
}
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening . /etc/default/cis-hardening

11
bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh
View File

@ -15,7 +15,7 @@ HARDENING_LEVEL=2
DESCRIPTION="Set SSH HostbasedAUthentication to No." DESCRIPTION="Set SSH HostbasedAUthentication to No."
PACKAGE='openssh-server' PACKAGE='openssh-server'
OPTIONS='HostbasedAuthentication=no' OPTIONS=''
FILE='/etc/ssh/sshd_config' FILE='/etc/ssh/sshd_config'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,15 @@ check_config() {
: :
} }
create_config() {
cat << EOF
# shellcheck disable=2034
status=audit
# Put here the hostbase boolean for ssh
OPTIONS='HostbasedAuthentication=no'
EOF
}
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening . /etc/default/cis-hardening

48
bin/hardening/5.3.1_enable_pwquality.sh
View File

@ -16,11 +16,11 @@ DESCRIPTION="Set password creation requirement parameters using pam.cracklib."
PACKAGE='libpam-pwquality' PACKAGE='libpam-pwquality'
PATTERN_COMMON="pam_pwquality.so" PATTERN_COMMON='pam_pwquality.so'
FILE_COMMON="/etc/pam.d/common-password" FILE_COMMON='/etc/pam.d/common-password'
PATTERNS_QUALITY="" OPTIONS=''
FILE_QUALITY="/etc/security/pwquality.conf" FILE_QUALITY='/etc/security/pwquality.conf'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
@ -35,11 +35,12 @@ audit () {
else else
crit "$PATTERN_COMMON is not present in $FILE_COMMON" crit "$PATTERN_COMMON is not present in $FILE_COMMON"
fi fi
for PATTERN in $PATTERNS_QUALITY; do for PW_OPT in $OPTIONS; do
OPTION=$(cut -d = -f 1 <<< $PATTERN) PW_PARAM=$(echo $PW_OPT | cut -d= -f1)
PARAM=$(cut -d = -f 2 <<< $PATTERN) PW_VALUE=$(echo $PW_OPT | cut -d= -f2)
PATTERN="$OPTION *= *$PARAM" PATTERN="^$PW_PARAM[[:space:]]+=[[:space:]]+$PW_VALUE"
does_pattern_exist_in_file $FILE_QUALITY $PATTERN does_pattern_exist_in_file $FILE_QUALITY "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE_QUALITY" ok "$PATTERN is present in $FILE_QUALITY"
else else
@ -58,13 +59,32 @@ apply () {
crit "$PACKAGE is absent, installing it" crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE apt_install $PACKAGE
fi fi
does_pattern_exist_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE_COMMON $PATTERN_COMMON
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN_COMMON is present in $FILE_COMMON"
else else
crit "$PATTERN is not present in $FILE" warn "$PATTERN_COMMON is not present in $FILE_COMMON"
add_line_file_before_pattern $FILE "password requisite pam_cracklib.so retry=3 minlen=8 difok=3" "# pam-auth-update(8) for details." add_line_file_before_pattern $FILE_COMMON "password requisite pam_pwquality.so retry=3" "# pam-auth-update(8) for details."
fi fi
for PW_OPT in $OPTIONS; do
PW_PARAM=$(echo $PW_OPT | cut -d= -f1)
PW_VALUE=$(echo $PW_OPT | cut -d= -f2)
PATTERN="^$PW_PARAM[[:space:]]+=[[:space:]]+$PW_VALUE"
does_pattern_exist_in_file $FILE_QUALITY $PATTERN
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE_QUALITY"
else
warn "$PATTERN is not present in $FILE_QUALITY, adding it"
does_pattern_exist_in_file $FILE_QUALITY "^$PW_PARAM"
if [ $FNRET != 0 ]; then
add_end_of_file $FILE_QUALITY "$PW_PARAM = $PW_VALUE"
else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE_QUALITY "^$PW_PARAM*.*" "$PW_PARAM = $PW_VALUE"
fi
fi
done
} }
# This function will create the config file for this check with default values # This function will create the config file for this check with default values
@ -72,7 +92,7 @@ create_config() {
cat <<EOF cat <<EOF
status=audit status=audit
# Put your custom configuration here # Put your custom configuration here
PATTERNS_QUALITY="^minlen=14 ^dcredit=-1 ^ucredit=-1 ^ocredit=-1 ^lcredit=-1" OPTIONS="minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1"
EOF EOF
} }

36
bin/hardening/5.3.2_enable_lockout_failed_password.sh
View File

@ -15,8 +15,10 @@ HARDENING_LEVEL=3
DESCRIPTION="Set lockout for failed password attemps." DESCRIPTION="Set lockout for failed password attemps."
PACKAGE='libpam-modules-bin' PACKAGE='libpam-modules-bin'
PATTERN='^auth[[:space:]]*required[[:space:]]*pam_tally[2]?.so' PATTERN_AUTH='^auth[[:space:]]*required[[:space:]]*pam_tally[2]?\.so'
FILE='/etc/pam.d/login' PATTERN_ACCOUNT='pam_tally[2]?\.so'
FILE_AUTH='/etc/pam.d/common-auth'
FILE_ACCOUNT='/etc/pam.d/common-account'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
@ -25,11 +27,17 @@ audit () {
crit "$PACKAGE is not installed!" crit "$PACKAGE is not installed!"
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
does_pattern_exist_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE_AUTH "$PATTERN_AUTH"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN_AUTH is present in $FILE_AUTH"
else else
crit "$PATTERN is not present in $FILE" crit "$PATTERN_AUTH is not present in $FILE_AUTH"
fi
does_pattern_exist_in_file $FILE_ACCOUNT "$PATTERN_ACCOUNT"
if [ $FNRET = 0 ]; then
ok "$PATTERN_ACCOUNT is present in $FILE_ACCOUNT"
else
crit "$PATTERN_ACCOUNT is not present in $FILE_ACCOUNT"
fi fi
fi fi
} }
@ -43,13 +51,21 @@ apply () {
crit "$PACKAGE is absent, installing it" crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE apt_install $PACKAGE
fi fi
does_pattern_exist_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE_AUTH "$PATTERN_AUTH"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN_AUTH is present in $FILE_AUTH"
else else
crit "$PATTERN is not present in $FILE" warn "$PATTERN_AUTH is not present in $FILE_AUTH, adding it"
add_line_file_before_pattern $FILE "auth required pam_tally.so onerr=fail deny=6 unlock_time=1800" "# Uncomment and edit \/etc\/security\/time.conf if you need to set" add_line_file_before_pattern $FILE_AUTH "auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details."
fi fi
does_pattern_exist_in_file $FILE_ACCOUNT "$PATTERN_ACCOUNT"
if [ $FNRET = 0 ]; then
ok "$PATTERN_ACCOUNT is present in $FILE_ACCOUNT"
else
warn "$PATTERN_ACCOUNT is not present in $FILE_ACCOUNT, adding it"
add_line_file_before_pattern $FILE_ACCOUNT "account required pam_tally.so" "# pam-auth-update(8) for details."
fi
} }
# This function will check config parameters required # This function will check config parameters required

6
bin/hardening/5.3.3_limit_password_reuse.sh
View File

@ -25,7 +25,7 @@ audit () {
crit "$PACKAGE is not installed!" crit "$PACKAGE is not installed!"
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
does_pattern_exist_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -43,11 +43,11 @@ apply () {
crit "$PACKAGE is absent, installing it" crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE apt_install $PACKAGE
fi fi
does_pattern_exist_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE" warn "$PATTERN is not present in $FILE, adding it"
add_line_file_before_pattern $FILE "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" "# pam-auth-update(8) for details." add_line_file_before_pattern $FILE "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" "# pam-auth-update(8) for details."
fi fi
} }

13
bin/hardening/5.3.4_acc_pam_sha512.sh
View File

@ -34,9 +34,20 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
: if $SUDO_CMD [ ! -r $CONF_FILE ]; then
crit "$CONF_FILE is not readable"
else
does_pattern_exist_in_file $CONF_FILE "$(sed 's/ /[[:space:]]+/g' <<< "$CONF_LINE")"
if [ "$FNRET" = 0 ]; then
ok "$CONF_LINE is present in $CONF_FILE"
else
warn "$CONF_LINE is not present in $CONF_FILE"
add_line_file_before_pattern $CONF_FILE "password [success=1 default=ignore] pam_unix.so sha512" "# pam-auth-update(8) for details."
fi
fi
} }
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: :

36
bin/hardening/5.4.1.1_set_password_exp_days.sh
View File

@ -15,7 +15,7 @@ HARDENING_LEVEL=3
DESCRIPTION="Set password expiration days." DESCRIPTION="Set password expiration days."
PACKAGE='login' PACKAGE='login'
OPTIONS='PASS_MAX_DAYS=90' OPTIONS=''
FILE='/etc/login.defs' FILE='/etc/login.defs'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
@ -25,10 +25,10 @@ audit () {
crit "$PACKAGE is not installed!" crit "$PACKAGE is not installed!"
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do for SHADOW_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
@ -48,26 +48,36 @@ apply () {
crit "$PACKAGE is absent, installing it" crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE apt_install $PACKAGE
fi fi
for SSH_OPTION in $OPTIONS; do for SHADOW_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$SSH_PARAM" does_pattern_exist_in_file $FILE "^$SHADOW_PARAM"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE"
else else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" replace_in_file $FILE "^$SHADOW_PARAM[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
fi fi
fi fi
done done
} }
# This function will create the config file for this check with default values
create_config() {
cat << EOF
# shellcheck disable=2034
status=audit
# Put here your protocol for shadow
OPTIONS='PASS_MAX_DAYS=90'
EOF
}
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: :

36
bin/hardening/5.4.1.2_set_password_min_days_change.sh
View File

@ -15,7 +15,7 @@ HARDENING_LEVEL=3
DESCRIPTION="Set password change minimum number of days." DESCRIPTION="Set password change minimum number of days."
PACKAGE='login' PACKAGE='login'
OPTIONS='PASS_MIN_DAYS=7' OPTIONS=''
FILE='/etc/login.defs' FILE='/etc/login.defs'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
@ -25,10 +25,10 @@ audit () {
crit "$PACKAGE is not installed!" crit "$PACKAGE is not installed!"
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do for SHADOW_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
@ -48,26 +48,36 @@ apply () {
crit "$PACKAGE is absent, installing it" crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE apt_install $PACKAGE
fi fi
for SSH_OPTION in $OPTIONS; do for SHADOW_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$SSH_PARAM" does_pattern_exist_in_file $FILE "^$SHADOW_PARAM"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE"
else else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" replace_in_file $FILE "^$SHADOW_PARAM[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
fi fi
fi fi
done done
} }
# This function will create the config file for this check with default values
create_config() {
cat << EOF
# shellcheck disable=2034
status=audit
# Put here your protocol for shadow
OPTIONS='PASS_MIN_DAYS=7'
EOF
}
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: :

36
bin/hardening/5.4.1.3_set_password_exp_warning_days.sh
View File

@ -15,7 +15,7 @@ HARDENING_LEVEL=3
DESCRIPTION="Set password expiration warning days." DESCRIPTION="Set password expiration warning days."
PACKAGE='login' PACKAGE='login'
OPTIONS='PASS_WARN_AGE=7' OPTIONS=''
FILE='/etc/login.defs' FILE='/etc/login.defs'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
@ -25,10 +25,10 @@ audit () {
crit "$PACKAGE is not installed!" crit "$PACKAGE is not installed!"
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do for SHADOW_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
@ -48,21 +48,21 @@ apply () {
crit "$PACKAGE is absent, installing it" crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE apt_install $PACKAGE
fi fi
for SSH_OPTION in $OPTIONS; do for SHADOW_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$SSH_PARAM" does_pattern_exist_in_file $FILE "^$SHADOW_PARAM"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE"
else else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" replace_in_file $FILE "^$SHADOW_PARAM[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
fi fi
fi fi
done done
@ -73,6 +73,16 @@ check_config() {
: :
} }
# This function will create the config file for this check with default values
create_config() {
cat << EOF
# shellcheck disable=2034
status=audit
# Put here your protocol for shadow
OPTIONS='PASS_WARN_AGE=7'
EOF
}
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening . /etc/default/cis-hardening

0
bin/hardening/6.1.2_etc_passwd_permissions.sh → bin/hardening/6.1.5_etc_passwd_permissions.sh
View File

0
bin/hardening/6.1.3_etc_shadow_permissions.sh → bin/hardening/6.1.6_etc_shadow_permissions.sh
View File

0
bin/hardening/6.1.4_etc_group_permissions.sh → bin/hardening/6.1.7_etc_group_permissions.sh
View File

4
bin/hardening/6.2.10_check_user_dot_file_perm.sh
View File

@ -18,7 +18,7 @@ ERRORS=0
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
debug "Working on $DIR" debug "Working on $DIR"
for FILE in $DIR/.[A-Za-z0-9]*; do for FILE in $DIR/.[A-Za-z0-9]*; do
if [ ! -h "$FILE" -a -f "$FILE" ]; then if [ ! -h "$FILE" -a -f "$FILE" ]; then
@ -42,7 +42,7 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
for FILE in $DIR/.[A-Za-z0-9]*; do for FILE in $DIR/.[A-Za-z0-9]*; do
if [ ! -h "$FILE" -a -f "$FILE" ]; then if [ ! -h "$FILE" -a -f "$FILE" ]; then
FILEPERM=$(ls -ld $FILE | cut -f1 -d" ") FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")

2
bin/hardening/6.2.11_find_user_forward_files.sh
View File

@ -19,7 +19,7 @@ FILENAME='.forward'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
debug "Working on $DIR" debug "Working on $DIR"
for FILE in $DIR/$FILENAME; do for FILE in $DIR/$FILENAME; do
if [ ! -h "$FILE" -a -f "$FILE" ]; then if [ ! -h "$FILE" -a -f "$FILE" ]; then

2
bin/hardening/6.2.12_find_user_netrc_files.sh
View File

@ -19,7 +19,7 @@ FILENAME='.netrc'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
debug "Working on $DIR" debug "Working on $DIR"
for FILE in $DIR/$FILENAME; do for FILE in $DIR/$FILENAME; do
if [ ! -h "$FILE" -a -f "$FILE" ]; then if [ ! -h "$FILE" -a -f "$FILE" ]; then

2
bin/hardening/6.2.13_set_perm_on_user_netrc.sh
View File

@ -19,7 +19,7 @@ ERRORS=0
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
debug "Working on $DIR" debug "Working on $DIR"
for FILE in $DIR/.netrc; do for FILE in $DIR/.netrc; do
if [ ! -h "$FILE" -a -f "$FILE" ]; then if [ ! -h "$FILE" -a -f "$FILE" ]; then

2
bin/hardening/6.2.14_find_user_rhosts_files.sh
View File

@ -19,7 +19,7 @@ FILENAME=".rhosts"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
debug "Working on $DIR" debug "Working on $DIR"
for FILE in $DIR/$FILENAME; do for FILE in $DIR/$FILENAME; do
if [ ! -h "$FILE" -a -f "$FILE" ]; then if [ ! -h "$FILE" -a -f "$FILE" ]; then

2
bin/hardening/6.2.16_check_duplicate_uid.sh
View File

@ -21,7 +21,7 @@ ERRORS=0
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
RESULT=$(cut -f3 -d":" < /etc/passwd | sort -n | uniq -c | awk '{print $1":"$2}' ) RESULT=$(get_db passwd | cut -f3 -d":" | sort -n | uniq -c | awk '{print $1":"$2}' )
FOUND_EXCEPTIONS="" FOUND_EXCEPTIONS=""
for LINE in $RESULT; do for LINE in $RESULT; do
debug "Working on line $LINE" debug "Working on line $LINE"

2
bin/hardening/6.2.17_check_duplicate_gid.sh
View File

@ -20,7 +20,7 @@ ERRORS=0
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
RESULT=$(cut -f3 -d":" /etc/group | sort -n | uniq -c | awk '{print $1":"$2}' ) RESULT=$(get_db group | cut -f3 -d":" | sort -n | uniq -c | awk '{print $1":"$2}' )
for LINE in $RESULT; do for LINE in $RESULT; do
debug "Working on line $LINE" debug "Working on line $LINE"
OCC_NUMBER=$(awk -F: '{print $1}' <<< "$LINE") OCC_NUMBER=$(awk -F: '{print $1}' <<< "$LINE")

2
bin/hardening/6.2.18_check_duplicate_username.sh
View File

@ -18,7 +18,7 @@ ERRORS=0
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
RESULT=$(cat /etc/passwd | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} ) RESULT=$(get_db passwd | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
for LINE in $RESULT; do for LINE in $RESULT; do
debug "Working on line $LINE" debug "Working on line $LINE"
OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE) OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)

2
bin/hardening/6.2.19_check_duplicate_groupname.sh
View File

@ -18,7 +18,7 @@ ERRORS=0
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
RESULT=$(cat /etc/group | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} ) RESULT=$(get_db group | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
for LINE in $RESULT; do for LINE in $RESULT; do
debug "Working on line $LINE" debug "Working on line $LINE"
OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE) OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)

5
bin/hardening/6.2.1_remove_empty_password_field.sh
View File

@ -14,12 +14,11 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=1 HARDENING_LEVEL=1
DESCRIPTION="Ensure password fields are not empty in /etc/shadow." DESCRIPTION="Ensure password fields are not empty in /etc/shadow."
FILE='/etc/shadow'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
info "Checking if accounts have an empty password" info "Checking if accounts have an empty password"
RESULT=$($SUDO_CMD cat $FILE | awk -F: '($2 == "" ) { print $1 }') RESULT=$(get_db shadow | awk -F: '($2 == "" ) { print $1 }')
if [ ! -z "$RESULT" ]; then if [ ! -z "$RESULT" ]; then
crit "Some accounts have an empty password" crit "Some accounts have an empty password"
crit $RESULT crit $RESULT
@ -30,7 +29,7 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
RESULT=$(cat $FILE | awk -F: '($2 == "" ) { print $1 }') RESULT=$(get_db shadow | awk -F: '($2 == "" ) { print $1 }')
if [ ! -z "$RESULT" ]; then if [ ! -z "$RESULT" ]; then
warn "Some accounts have an empty password" warn "Some accounts have an empty password"
for ACCOUNT in $RESULT; do for ACCOUNT in $RESULT; do

2
bin/hardening/6.2.7_users_valid_homedir.sh
View File

@ -18,7 +18,7 @@ ERRORS=0
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
RESULT=$(cat /etc/passwd | awk -F: '{ print $1 ":" $3 ":" $6 }') RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
for LINE in $RESULT; do for LINE in $RESULT; do
debug "Working on $LINE" debug "Working on $LINE"
USER=$(awk -F: {'print $1'} <<< $LINE) USER=$(awk -F: {'print $1'} <<< $LINE)

4
bin/hardening/6.2.8_check_user_dir_perm.sh
View File

@ -18,7 +18,7 @@ ERRORS=0
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
for dir in $(cat /etc/passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do for dir in $(get_db passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
debug "Working on $dir" debug "Working on $dir"
debug "Exceptions : $EXCEPTIONS" debug "Exceptions : $EXCEPTIONS"
debug "echo \"$EXCEPTIONS\" | grep -q $dir" debug "echo \"$EXCEPTIONS\" | grep -q $dir"
@ -57,7 +57,7 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
for dir in $(cat /etc/passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do for dir in $(get_db passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
debug "Working on $dir" debug "Working on $dir"
debug "Exceptions : $EXCEPTIONS" debug "Exceptions : $EXCEPTIONS"
debug "echo \"$EXCEPTIONS\" | grep -q $dir" debug "echo \"$EXCEPTIONS\" | grep -q $dir"

2
bin/hardening/6.2.9_users_valid_homedir.sh
View File

@ -21,7 +21,7 @@ ERRORS=0
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
debug "Checking homedir exists" debug "Checking homedir exists"
RESULT=$(cat /etc/passwd | awk -F: '{ print $1 ":" $3 ":" $6 }') RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
for LINE in $RESULT; do for LINE in $RESULT; do
debug "Working on $LINE" debug "Working on $LINE"
USER=$(awk -F: {'print $1'} <<< $LINE) USER=$(awk -F: {'print $1'} <<< $LINE)

43
debian/changelog vendored
View File

@ -1,3 +1,46 @@
cis-hardening (2.1-3) unstable; urgency=medium
* Fix permissions on 5.2.3 (authorize 600)
* Fix minor bug with --create-config-files-only
-- Thibault Ayanides <tayanide@ovhcloud.com> Mon, 30 Nov 2020 15:14:17 +0100
cis-hardening (2.1-2) unstable; urgency=medium
* Add --create-config-files-only mode that only create config files without running audit
-- Thibault Ayanides <tayanide@ovhcloud.com> Mon, 23 Nov 2020 13:40:14 +0100
cis-hardening (2.1-1) stable; urgency=medium
* Move to most recent docker image for buster
* Rename 6.1.2,6.1.3,6.1.4 to be CIS9 compliant
* Rename 4.5 to 1.6.1.2 to be CIS9 compliant
* Fix apt autoremove to be non interactive
* Add disclaimer when checks don't require comprehensive checks
* Add comprehensive tests for 4.1.x
* Add comprehensive tests for 5.2.x
* Add comprehensive test for 5.3.x, add config function for the checks, upgrade PAM conf
* Add comprehensive tests for 5.4.1.x
* Add comprehensive tests for 5.4.3, 5.4.4
* Add comprehensive test for 5.6
* Skip 4.1.3 on docker (bootloader)
-- Thibault Ayanides <tayanide@ovhcloud.com> Fri, 13 Nov 2020 13:32:50 +0100
cis-hardening (2.0-6) unstable; urgency=medium
* Fix race condition issue with cat /etc/passwd, /etc/shadow, /etc/group
* Fix permissions in 5.2.3
* Revert 4.2.2.3 to old check (8.2.4)
-- Thibault Ayanides <tayanide@owhcloud.com> Mon, 16 Nov 2020 14:19:35 +0100
cis-hardening (2.0-5) unstable; urgency=medium
* Hotfix for 3.1.1 wich resulted to a fail check if ipv6 is disabled
-- Thibault Ayanides <tayanide@ovhcloud.com> Thu, 12 Nov 2020 10:15:46 +0100
cis-hardening (2.0-4) unstable; urgency=medium cis-hardening (2.0-4) unstable; urgency=medium
* Add deleted checks during renaming which should be here (3.2.6, 3.2.7, 6.2.7) * Add deleted checks during renaming which should be here (3.2.6, 3.2.7, 6.2.7)
* Delete 4.2.2, duplicate with 4.2.3 * Delete 4.2.2, duplicate with 4.2.3

11
lib/main.sh
View File

@ -32,6 +32,10 @@ while [[ $# > 0 ]]; do
info "Audit argument passed but script is disabled" info "Audit argument passed but script is disabled"
fi fi
;; ;;
--create-config-files-only)
debug "Create config files"
forcedstatus=createconfig
;;
--sudo) --sudo)
SUDO_CMD="sudo_wrapper" SUDO_CMD="sudo_wrapper"
;; ;;
@ -62,7 +66,14 @@ if ! [ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] ; then
else else
echo "status=audit" >> $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg echo "status=audit" >> $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
fi fi
fi fi
if [ "$forcedstatus" = "createconfig" ] ; then
debug "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg has been created"
exit 0
fi
[ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg [ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
# Now check configured value for status, and potential cmdline parameter # Now check configured value for status, and potential cmdline parameter

5
lib/utils.sh
View File

@ -126,6 +126,11 @@ _does_pattern_exist_in_file() {
fi fi
} }
get_db() {
local DB="$1"
$SUDO_CMD getent --service files "$DB"
}
# Look for pattern in file that can spread over multiple lines # Look for pattern in file that can spread over multiple lines
# The func will remove commented lines (that begin with '#') # The func will remove commented lines (that begin with '#')
# and consider the file as one long line. # and consider the file as one long line.

11
tests/docker/Dockerfile.debian10_20181226 → tests/docker/Dockerfile.debian10
View File

@ -1,8 +1,13 @@
FROM debian:buster-20181226 FROM debian:buster
RUN groupadd -g 500 secaudit && useradd -u 500 -g 500 -s /bin/bash secaudit && mkdir -m 700 /home/secaudit && chown secaudit:secaudit /home/secaudit LABEL vendor="OVH"
LABEL project="debian-cis"
LABEL url="https://github.com/ovh/debian-cis"
LABEL description="This image is used to run tests"
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools RUN groupadd -g 500 secaudit && useradd -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools auditd
COPY --chown=500:500 . /opt/debian-cis/ COPY --chown=500:500 . /opt/debian-cis/

9
tests/docker/Dockerfile.debian8
View File

@ -1,8 +1,13 @@
FROM debian:jessie FROM debian:jessie
RUN groupadd -g 500 secaudit && useradd -u 500 -g 500 -s /bin/bash secaudit && mkdir -m 700 /home/secaudit && chown secaudit:secaudit /home/secaudit LABEL vendor="OVH"
LABEL project="debian-cis"
LABEL url="https://github.com/ovh/debian-cis"
LABEL description="This image is used to run tests"
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools RUN groupadd -g 500 secaudit && useradd -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools auditd
COPY --chown=500:500 . /opt/debian-cis/ COPY --chown=500:500 . /opt/debian-cis/

9
tests/docker/Dockerfile.debian9
View File

@ -1,8 +1,13 @@
FROM debian:stretch FROM debian:stretch
RUN groupadd -g 500 secaudit && useradd -u 500 -g 500 -s /bin/bash secaudit && mkdir -m 700 /home/secaudit && chown secaudit:secaudit /home/secaudit LABEL vendor="OVH"
LABEL project="debian-cis"
LABEL url="https://github.com/ovh/debian-cis"
LABEL description="This image is used to run tests"
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools RUN groupadd -g 500 secaudit && useradd -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools auditd
COPY --chown=500:500 . /opt/debian-cis/ COPY --chown=500:500 . /opt/debian-cis/

9
tests/hardening/1.1.1.1_disable_freevxfs.sh
View File

@ -8,7 +8,12 @@ test_audit() {
dismiss_count_for_test dismiss_count_for_test
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests
fi fi
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
} }

9
tests/hardening/1.1.1.2_disable_jffs2.sh
View File

@ -8,7 +8,12 @@ test_audit() {
dismiss_count_for_test dismiss_count_for_test
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests
fi fi
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
} }

9
tests/hardening/1.1.1.3_disable_hfs.sh
View File

@ -8,7 +8,12 @@ test_audit() {
dismiss_count_for_test dismiss_count_for_test
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests
fi fi
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
} }

9
tests/hardening/1.1.1.4_disable_hfsplus.sh
View File

@ -8,7 +8,12 @@ test_audit() {
dismiss_count_for_test dismiss_count_for_test
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests
fi fi
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
} }

10
tests/hardening/1.1.1.5_disable_udf.sh
View File

@ -8,7 +8,13 @@ test_audit() {
dismiss_count_for_test dismiss_count_for_test
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests
fi fi
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
} }

9
tests/hardening/1.1.1.6_disable_cramfs.sh
View File

@ -8,7 +8,12 @@ test_audit() {
dismiss_count_for_test dismiss_count_for_test
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests
fi fi
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
} }

10
tests/hardening/1.1.1.7_disable_squashfs.sh
View File

@ -8,7 +8,13 @@ test_audit() {
dismiss_count_for_test dismiss_count_for_test
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests
fi fi
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
} }

7
tests/hardening/1.1.10_var_tmp_noexec.sh
View File

@ -6,5 +6,10 @@ test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests ##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
} }

7
tests/hardening/1.1.11_var_log_partition.sh
View File

@ -6,5 +6,10 @@ test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests ##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
} }

7
tests/hardening/1.1.12_var_log_audit_partition.sh
View File

@ -6,5 +6,10 @@ test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests ##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
} }

7
tests/hardening/1.1.13_home_partition.sh
View File

@ -6,5 +6,10 @@ test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests ##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
} }

7
tests/hardening/1.1.14_home_nodev.sh
View File

@ -6,5 +6,10 @@ test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests ##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
} }

7
tests/hardening/1.1.18_removable_device_nodev.sh
View File

@ -6,5 +6,10 @@ test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests ##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
} }

7
tests/hardening/1.1.19_removable_device_nosuid.sh
View File

@ -6,5 +6,10 @@ test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests ##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
} }

7
tests/hardening/1.1.20_removable_device_noexec.sh
View File

@ -6,5 +6,10 @@ test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests ##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
} }

7
tests/hardening/1.1.22_disable_automounting.sh
View File

@ -6,5 +6,10 @@ test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests ##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
} }

7
tests/hardening/1.1.2_tmp_partition.sh
View File

@ -6,5 +6,10 @@ test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests ##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
} }

7
tests/hardening/1.1.3_tmp_nodev.sh
View File

@ -6,5 +6,10 @@ test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests ##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
} }

7
tests/hardening/1.1.4_tmp_nosuid.sh
View File

@ -6,5 +6,10 @@ test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests ##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
} }

7
tests/hardening/1.1.5_tmp_noexec.sh
View File

@ -6,5 +6,10 @@ test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests ##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
} }

7
tests/hardening/1.1.6_var_partition.sh
View File

@ -6,5 +6,10 @@ test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests ##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
} }

7
tests/hardening/1.1.7_var_tmp_partition.sh
View File

@ -6,5 +6,10 @@ test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests ##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
} }

7
tests/hardening/1.1.8_var_tmp_nodev.sh
View File

@ -6,5 +6,10 @@ test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests ##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
} }

7
tests/hardening/1.1.9_var_tmp_nosuid.sh
View File

@ -6,5 +6,10 @@ test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests ##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
} }

7
tests/hardening/1.5.3_enable_randomized_vm_placement.sh
View File

@ -6,5 +6,10 @@ test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests ##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
} }

21
tests/hardening/1.6.2.1_enable_apparmor.sh Normal file
View File

@ -0,0 +1,21 @@
# run-shellcheck
test_audit() {
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "is configured"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
}

7
tests/hardening/1.8_install_updates.sh
View File

@ -6,5 +6,10 @@ test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests ##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
} }

7
tests/hardening/2.2.10_disable_http_server.sh
View File

@ -6,5 +6,10 @@ test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests ##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
} }

7
tests/hardening/2.2.11_disable_imap_pop.sh
View File

@ -6,5 +6,10 @@ test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests ##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
} }

7
tests/hardening/2.2.12_disable_samba.sh
View File

@ -6,5 +6,10 @@ test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests ##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
} }

7
tests/hardening/2.2.13_disable_http_proxy.sh
View File

@ -6,5 +6,10 @@ test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests ##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
} }

7
tests/hardening/2.2.14_disable_snmp_server.sh
View File

@ -6,5 +6,10 @@ test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests ##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
} }

7
tests/hardening/2.2.2_disable_xwindow_system.sh
View File

@ -6,5 +6,10 @@ test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests ##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
} }

7
tests/hardening/2.2.3_disable_avahi_server.sh
View File

@ -6,5 +6,10 @@ test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests ##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
} }

7
tests/hardening/2.2.4_disable_print_server.sh
View File

@ -6,5 +6,10 @@ test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests ##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
} }

7
tests/hardening/2.2.5_disable_dhcp.sh
View File

@ -6,5 +6,10 @@ test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests ##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
} }

Some files were not shown because too many files have changed in this diff Show More