elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2025-07-15 21:32:17 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: elie:v2.0-4
Branches Tags
elie:master elie:damcava35/deb12_scripts_2 elie:damcava35/update_lib elie:damcava35/new_scripts elie:damcava35/issue_249 elie:damcava35/drop_debian10 elie:damcava35/is_ip_v6_enabled elie:damcava35/issue_195 elie:damcava35/fix_only elie:damcava35/fix_packaging elie:damcava35/set_version elie:damcava35/test_pre_commit elie:dev/thibault.dewailly/deb12 elie:dependabot/github_actions/luizm/action-sh-checker-0.9.0 elie:dev/thibault.dewailly/set_hardening_level elie:dev/thibault.dewailly/syslogng_remotecheck
elie:latest elie:v4.1-5 elie:v4.1-4 elie:v4.1-3 elie:v4.1-2 elie:v4.1-1 elie:v4.0-1 elie:v3.8-1 elie:v3.7-1 elie:v3.6-1 elie:v3.5-1 elie:v3.4-1 elie:v3.3-1 elie:v3.2-2 elie:v3.2-1 elie:v3.2-0 elie:v3.1-6 elie:v3.1-5 elie:v3.1-4 elie:v3.1-3 elie:v3.1-2 elie:v3.1-1 elie:v3.1-0 elie:v3.0-1 elie:v3.0 elie:v2.1-6 elie:v2.1-5 elie:v2.1-4 elie:v2.1-3 elie:v2.1-2 elie:v2.1-1 elie:v2.0-6 elie:v2.0-5 elie:v2.0-4 elie:v1.3-4 elie:v1.3-3 elie:v1.3-2 elie:v1.3 elie:v1.2-1 elie:v1.1-1
...
compare: elie:v2.1-5
Branches Tags
elie:damcava35/deb12_scripts_2 elie:damcava35/update_lib elie:damcava35/new_scripts elie:master elie:damcava35/issue_249 elie:damcava35/drop_debian10 elie:damcava35/is_ip_v6_enabled elie:damcava35/issue_195 elie:damcava35/fix_only elie:damcava35/fix_packaging elie:damcava35/set_version elie:damcava35/test_pre_commit elie:dev/thibault.dewailly/deb12 elie:dependabot/github_actions/luizm/action-sh-checker-0.9.0 elie:dev/thibault.dewailly/set_hardening_level elie:dev/thibault.dewailly/syslogng_remotecheck
elie:latest elie:v4.1-5 elie:v4.1-4 elie:v4.1-3 elie:v4.1-2 elie:v4.1-1 elie:v4.0-1 elie:v3.8-1 elie:v3.7-1 elie:v3.6-1 elie:v3.5-1 elie:v3.4-1 elie:v3.3-1 elie:v3.2-2 elie:v3.2-1 elie:v3.2-0 elie:v3.1-6 elie:v3.1-5 elie:v3.1-4 elie:v3.1-3 elie:v3.1-2 elie:v3.1-1 elie:v3.1-0 elie:v3.0-1 elie:v3.0 elie:v2.1-6 elie:v2.1-5 elie:v2.1-4 elie:v2.1-3 elie:v2.1-2 elie:v2.1-1 elie:v2.0-6 elie:v2.0-5 elie:v2.0-4 elie:v1.3-4 elie:v1.3-3 elie:v1.3-2 elie:v1.3 elie:v1.2-1 elie:v1.1-1

64 Commits
v2.0-4 ... v2.1-5

Author SHA1 Message Date
Thibault Ayanides
3560f67e3f Update changelog 2020-12-14 16:56:09 +01:00
Thibault Ayanides
f4ba90352b IMP(shellcheck): replace ls parsing by stat 2020-12-14 16:14:37 +01:00
Thibault Ayanides
cdaee7786a IMP(shellcheck) refactor new line (SC1004) 2020-12-14 16:09:14 +01:00
Thibault Ayanides
13a070319b IMP(6.2.13): fix race condition 2020-12-14 15:11:33 +01:00
Thibault Ayanides
65bdb42eb3 IMP(shellcheck): replace ls by find (SC2045) 2020-12-14 15:08:18 +01:00
Thibault Ayanides
0c16e500f5 IMP(shellcheck): replace ls in loop by glob (SC2045) 2020-12-14 14:45:38 +01:00
Thibault Ayanides
fad8e8c1f1 IMP(shellcheck): disable quoting warning for find 2020-12-14 14:28:27 +01:00
Thibault Ayanides
2ab1bd50dc IMP(shellcheck): use $@ insetad of $* (SC2048) 2020-12-14 13:58:50 +01:00
Thibault Ayanides
db27cfc39c FIX: move shfmt to project root 2020-12-10 10:00:07 +01:00
Thibault Ayanides
dee0ebc821 IMP(shellcheck): quote variables 2020-12-10 09:50:33 +01:00
Thibault Ayanides
16cc2bef71 IMP(shellcheck): fix harmless warnings (SC2155) 2020-12-10 08:40:36 +01:00
Thibault Ayanides
b9e129d8fe IMP(shellcheck): disable sed replacement (SC2001) 
Shellcheck recommands to replace sed by shell expansions in 'simple' cases.
However, the replacement here is likely to lead to erros, so we disable this rule.
Moreover, it does'nt really add readability.
 2020-12-10 08:34:57 +01:00
Thibault Ayanides
36528b55e0 IMP(shellcheck): replace deprecated egrep (SC2196) 2020-12-10 08:20:26 +01:00
Thibault Ayanides
1c56bd9930 IMP(shellcheck): remove $() in if condition (SC2091) 2020-12-10 08:16:23 +01:00
Thibault Ayanides
99ac9339f4 IMP: change apt in apt-get 2020-12-07 17:16:19 +01:00
Thibault Ayanides
b09b75a51e IMP(shellcheck): quote variables (SC2086) 2020-12-07 17:11:32 +01:00
Thibault Ayanides
6826f377e6 IMP(shellcheck): quote variables (SC2086) 2020-12-07 16:49:11 +01:00
Thibault Ayanides
e2f7426664 IMP(shellcheck): quoting variables 2020-12-07 15:53:14 +01:00
Thibault Ayanides
ac66cdacd0 IMP(shellcheck): fix quote placement in awk (SC1083) 2020-12-07 15:01:22 +01:00
Thibault Ayanides
8012234096 IMP(shellcheck): fix harmless warnings 2020-12-07 14:53:10 +01:00
Thibault Ayanides
63835dd10c IMP(shellcheck): add curly bracket to var (SC1087) 2020-12-07 13:54:57 +01:00
Thibault Ayanides
ef800954f4 IMP(shellcheck): refactor continue (SC2104) 2020-12-07 13:32:14 +01:00
Thibault Ayanides
addd48c4dd IMP(shellcheck): add prefix to follow scripts (SC1090) 2020-12-07 13:26:51 +01:00
Thibault Ayanides
72bb3e2b84 IMP(shellcheck): replace -a in condition by && (SC2166) 2020-12-04 15:29:19 +01:00
Thibault Ayanides
d371b8d057 IMP(shellcheck): replace ! -z by -n (SC2236) 2020-12-04 15:14:18 +01:00
Thibault Ayanides
eaf56ca25e IMP(shellcheck): quote variables (SC2086) 2020-12-04 15:04:22 +01:00
Thibault Ayanides
106fa5fc8a Update changelog 2020-12-04 14:24:34 +01:00
Thibault Ayanides
3a342b784a IMP(shfmt): add shell formatter 2020-12-04 14:08:01 +01:00
Thibault Ayanides
bc1aa65b91 IMP(shellcheck): quote variable in tests (SC2086) 2020-11-30 13:05:41 +01:00
Thibault Ayanides
dba1dae963 IMP(shellcheck): quoting harmless variables (SC2086) 2020-11-27 09:29:11 +01:00
Thibault Ayanides
4add6ddc33 IMP(shellcheck): add prefix to define shell (SC2148) 2020-11-27 09:22:47 +01:00
Thibault Ayanides
c17d04ecc2 IMP(shellcheck): comply with shellcheck rules 
I added shellcheck prefixes to fix:
 * SC1091 (following sourced files)
 * SC2034 (unused variables)
 2020-11-27 09:18:00 +01:00
Thibault Ayanides
cccc0881e9 IMP(shellcheck): add run-shellcheck prefix 2020-11-23 17:10:37 +01:00
Thibault Ayanides
9c3aa51982 Update changelog 2020-11-30 15:16:36 +01:00
Thibault Ayanides
b994ca11a7 FIX(main): fix small bug in main 
The bug (introduced in 2.1-2) leaded to an error in the test that evaluates forcedstatus
 2020-11-30 15:10:39 +01:00
Thibault Ayanides
f4e0aafacc IMP(5.2.3): fix possible permissions for 5.2.3 2020-11-30 14:27:20 +01:00
Thibault Ayanides
d40a85085d FIX: fix issue, we had to run audit twice 
First one as root to create conf files with good owner and permissions, and then with secaudit.
Now first run with --create-config-files-only and the normally with --audit.
 2020-11-20 10:05:14 +01:00
Thibault Ayanides
467e5f178c fixup! IMP(4.5): rename to 1.6.1.2 improve test 2020-11-17 13:02:02 +01:00
Thibault Ayanides
d244a2e810 fixup! IMP(4.5): rename to 1.6.1.2 improve test 2020-11-17 12:56:10 +01:00
Thibault Ayanides
84bff4ac88 fixup! Move to most recent docker image for buster 2020-11-16 17:07:08 +01:00
Thibault Ayanides
d640a467e2 fixup! IMP(4.1.x): add tests for each checks 2020-11-16 16:54:51 +01:00
Thibault Ayanides
9bfb7efca1 Update changelog 2020-11-16 16:39:47 +01:00
Thibault Ayanides
7b8cca20d6 FIX(4.1.1.2): fix auditd apply 2020-11-09 11:48:48 +01:00
Thibault Ayanides
a6de243808 Rename 6.1.2,6.1.3,6.1.4 to be CIS9 compliant 2020-11-09 09:00:34 +01:00
Thibault Ayanides
7e8c976722 Add disclaimer when checks don't require comprehensive checks 
modified:   tests/hardening/1.1.1.1_disable_freevxfs.sh
	modified:   tests/hardening/1.1.1.2_disable_jffs2.sh
	modified:   tests/hardening/1.1.1.3_disable_hfs.sh
	modified:   tests/hardening/1.1.1.4_disable_hfsplus.sh
	modified:   tests/hardening/1.1.1.5_disable_udf.sh
	modified:   tests/hardening/1.1.1.6_disable_cramfs.sh
	modified:   tests/hardening/1.1.1.7_disable_squashfs.sh
	modified:   tests/hardening/1.1.10_var_tmp_noexec.sh
	modified:   tests/hardening/1.1.11_var_log_partition.sh
	modified:   tests/hardening/1.1.12_var_log_audit_partition.sh
	modified:   tests/hardening/1.1.13_home_partition.sh
	modified:   tests/hardening/1.1.14_home_nodev.sh
	modified:   tests/hardening/1.1.18_removable_device_nodev.sh
	modified:   tests/hardening/1.1.19_removable_device_nosuid.sh
	modified:   tests/hardening/1.1.20_removable_device_noexec.sh
	modified:   tests/hardening/1.1.2_tmp_partition.sh
	modified:   tests/hardening/1.1.3_tmp_nodev.sh
	modified:   tests/hardening/1.1.4_tmp_nosuid.sh
	modified:   tests/hardening/1.1.5_tmp_noexec.sh
	modified:   tests/hardening/1.1.6_var_partition.sh
	modified:   tests/hardening/1.1.7_var_tmp_partition.sh
	modified:   tests/hardening/1.1.8_var_tmp_nodev.sh
	modified:   tests/hardening/1.1.9_var_tmp_nosuid.sh
	modified:   tests/hardening/1.8_install_updates.sh
	modified:   tests/hardening/2.2.10_disable_http_server.sh
	modified:   tests/hardening/2.2.11_disable_imap_pop.sh
	modified:   tests/hardening/2.2.12_disable_samba.sh
	modified:   tests/hardening/2.2.13_disable_http_proxy.sh
	modified:   tests/hardening/2.2.14_disable_snmp_server.sh
	modified:   tests/hardening/2.2.2_disable_xwindow_system.sh
	modified:   tests/hardening/2.2.3_disable_avahi_server.sh
	modified:   tests/hardening/2.2.4_disable_print_server.sh
	modified:   tests/hardening/2.2.5_disable_dhcp.sh
	modified:   tests/hardening/2.2.6_disable_ldap.sh
	modified:   tests/hardening/2.2.7_disable_nfs_rpc.sh
	modified:   tests/hardening/2.2.8_disable_dns_server.sh
	modified:   tests/hardening/2.2.9_disable_ftp.sh
	modified:   tests/hardening/2.3.1_disable_nis.sh
	modified:   tests/hardening/2.3.2_disable_rsh_client.sh
	modified:   tests/hardening/2.3.3_disable_talk_client.sh
	modified:   tests/hardening/2.3.4_telnet_client_not_installed.sh
	modified:   tests/hardening/2.3.5_ldap_client_not_installed.sh
 2020-11-06 16:20:10 +01:00
Thibault Ayanides
ffd5b28840 FIX: fix apt autoremove to be non interactive 
modified:   bin/hardening/2.2.10_disable_http_server.sh
	modified:   bin/hardening/2.2.11_disable_imap_pop.sh
	modified:   bin/hardening/2.2.12_disable_samba.sh
	modified:   bin/hardening/2.2.14_disable_snmp_server.sh
	modified:   bin/hardening/2.2.2_disable_xwindow_system.sh
	modified:   bin/hardening/2.2.3_disable_avahi_server.sh
	modified:   bin/hardening/2.2.4_disable_print_server.sh
	modified:   bin/hardening/2.2.5_disable_dhcp.sh
	modified:   bin/hardening/2.2.6_disable_ldap.sh
	modified:   bin/hardening/2.2.7_disable_nfs_rpc.sh
	modified:   bin/hardening/2.2.8_disable_dns_server.sh
	modified:   bin/hardening/2.2.9_disable_ftp.sh
	modified:   bin/hardening/2.3.1_disable_nis.sh
	modified:   bin/hardening/2.3.2_disable_rsh_client.sh
	modified:   bin/hardening/2.3.3_disable_talk_client.sh
	modified:   bin/hardening/2.3.4_telnet_client_not_installed.sh
	modified:   bin/hardening/2.3.5_ldap_client_not_installed.sh
 2020-11-06 14:51:26 +01:00
Thibault Ayanides
ce1e87b1a3 IMP(4.5): rename to 1.6.1.2 improve test 2020-11-06 11:09:22 +01:00
Thibault Ayanides
b5865947ba Move to most recent docker image for buster 2020-11-06 10:11:46 +01:00
Thibault Ayanides
ee4b2417c2 IMP(4.1.x): add tests for each checks 2020-11-02 15:47:27 +01:00
Thibault Ayanides
5568065c35 IMP(4.1.3): skip on docker (bootloader) 2020-11-02 15:46:45 +01:00
Thibault Ayanides
91a2824246 IMP(5.6): add test 2020-10-30 09:48:36 +01:00
Thibault Ayanides
47f8b7b677 IMP(5.4.4): add test 2020-10-30 09:48:27 +01:00
Thibault Ayanides
728011f846 IMP(5.4.3): add purposely failing test 2020-10-30 09:40:28 +01:00
Thibault Ayanides
17e43753b9 IMP(5.4.1.1-3): add tests and rename some variables 2020-10-30 09:39:42 +01:00
Thibault Ayanides
9aac4c3504 IMP(5.3.4): improve check 2020-10-29 16:47:34 +01:00
Thibault Ayanides
8af91dd6a8 IMP(5.3.1,5.3.2): add tests and upgrade PAM conf 2020-10-29 16:45:15 +01:00
Thibault Ayanides
feefee28e4 IMP(5.3.1): add test and config function for check 2020-10-29 15:35:56 +01:00
Thibault Ayanides
774af39a34 IMP(5.2.x): add tests and default_config 
I added tests from 5.2.4 to 5.2.19 and default_config files in the
checks. This checks concern sshd conf (ciphers, mac, rootlogin, ...)

	modifié :         bin/hardening/5.2.4_sshd_protocol.sh
	modifié :         bin/hardening/5.2.6_disable_x11_forwarding.sh
	modifié :         bin/hardening/5.2.7_sshd_maxauthtries.sh
	modifié :         bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh
	modifié :         bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh
	modifié :         bin/hardening/5.2.10_disable_root_login.sh
	modifié :         bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh
	modifié :         bin/hardening/5.2.12_disable_sshd_setenv.sh
	modifié :         bin/hardening/5.2.13_sshd_ciphers.sh
	modifié :         bin/hardening/5.2.16_sshd_idle_timeout.sh
	modifié :         bin/hardening/5.2.17_sshd_login_grace_time.sh
	modifié :         tests/hardening/5.2.4_sshd_protocol.sh
	modifié :         tests/hardening/5.2.5_sshd_loglevel.sh
	modifié :         tests/hardening/5.2.6_disable_x11_forwarding.sh
	modifié :         tests/hardening/5.2.7_sshd_maxauthtries.sh
	modifié :         tests/hardening/5.2.8_enable_sshd_ignorerhosts.sh
	modifié :         tests/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh
	modifié :         tests/hardening/5.2.10_disable_root_login.sh
	modifié :         tests/hardening/5.2.11_disable_sshd_permitemptypasswords.sh
	modifié :         tests/hardening/5.2.12_disable_sshd_setenv.sh
	modifié :         tests/hardening/5.2.13_sshd_ciphers.sh
	modifié :         tests/hardening/5.2.16_sshd_idle_timeout.sh
	modifié :         tests/hardening/5.2.17_sshd_login_grace_time.sh
	modifié :         tests/hardening/5.2.18_sshd_limit_access.sh
	modifié :         tests/hardening/5.2.19_ssh_banner.sh
 2020-10-29 11:18:31 +01:00
Thibault Ayanides
e288835381 Update changelog 2020-11-16 14:21:47 +01:00
Thibault Ayanides
fbd26ceefa Fix race condition on /etc/passwd, /etc/shadow and /etc/group 2020-11-16 14:09:12 +01:00
Thibault Ayanides
501ce8c651 IMP(5.2.3): 640 permission is now ok for the check 2020-11-16 14:08:42 +01:00
Thibault Ayanides
829ee8631f Revert to previous check (8.2.4 in old num) 2020-11-16 14:06:39 +01:00
Thibault Ayanides
6620a82f34 Update changelog 2020-11-12 10:17:32 +01:00
Thibault
3c7a03445c FIX(3.1.1): fix unbound variable issue 2020-11-12 10:15:41 +01:00
432 changed files with 6653 additions and 4407 deletions
Expand all files Collapse all files

1
.gitignore vendored
View File

@ -0,0 +1 @@
tmp/shfmt

211
bin/hardening.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
@ -9,7 +10,7 @@
# Main script : Execute hardening considering configuration
#
LONG_SCRIPT_NAME=$(basename $0)
LONG_SCRIPT_NAME=$(basename "$0")
SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
DISABLED_CHECKS=0
PASSED_CHECKS=0
@ -20,13 +21,14 @@ AUDIT=0
APPLY=0
AUDIT_ALL=0
AUDIT_ALL_ENABLE_PASSED=0
CREATE_CONFIG=0
ALLOW_SERVICE_LIST=0
SET_HARDENING_LEVEL=0
SUDO_MODE=''
BATCH_MODE=''
usage() {
cat << EOF
cat <<EOF
$LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
--help -h
@ -76,6 +78,10 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
Modifies the policy to allow a certain kind of services on the machine, such
as http, mail, etc. Can be specified multiple times to allow multiple services.
Use --allow-service-list to get a list of supported services.
--create-config-files-only
Create the config files in etc/conf.d
Must be run as root, before running the audit with user secaudit
OPTIONS:
@ -108,190 +114,205 @@ fi
declare -a TEST_LIST ALLOWED_SERVICES_LIST
# Arguments parsing
while [[ $# > 0 ]]; do
while [[ $# -gt 0 ]]; do
ARG="$1"
case $ARG in
--audit)
AUDIT=1
--audit)
AUDIT=1
;;
--audit-all)
AUDIT_ALL=1
--audit-all)
AUDIT_ALL=1
;;
--audit-all-enable-passed)
AUDIT_ALL_ENABLE_PASSED=1
--audit-all-enable-passed)
AUDIT_ALL_ENABLE_PASSED=1
;;
--apply)
APPLY=1
--apply)
APPLY=1
;;
--allow-service-list)
ALLOW_SERVICE_LIST=1
--allow-service-list)
ALLOW_SERVICE_LIST=1
;;
--allow-service)
ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
shift
--create-config-files-only)
CREATE_CONFIG=1
;;
--set-hardening-level)
SET_HARDENING_LEVEL="$2"
shift
--allow-service)
ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
shift
;;
--only)
TEST_LIST[${#TEST_LIST[@]}]="$2"
shift
--set-hardening-level)
SET_HARDENING_LEVEL="$2"
shift
;;
--sudo)
SUDO_MODE='--sudo'
--only)
TEST_LIST[${#TEST_LIST[@]}]="$2"
shift
;;
--batch)
BATCH_MODE='--batch'
LOGLEVEL=ok
--sudo)
SUDO_MODE='--sudo'
;;
-h|--help)
usage
--batch)
BATCH_MODE='--batch'
LOGLEVEL=ok
;;
*)
usage
-h | --help)
usage
;;
*)
usage
;;
esac
shift
done
# if no RUN_MODE was passed, usage and quit
if [ "$AUDIT" -eq 0 -a "$AUDIT_ALL" -eq 0 -a "$AUDIT_ALL_ENABLE_PASSED" -eq 0 -a "$APPLY" -eq 0 ]; then
if [ "$AUDIT" -eq 0 ] && [ "$AUDIT_ALL" -eq 0 ] && [ "$AUDIT_ALL_ENABLE_PASSED" -eq 0 ] && [ "$APPLY" -eq 0 ] && [ "$CREATE_CONFIG" -eq 0 ]; then
usage
fi
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# shellcheck source=../lib/constants.sh
[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
# shellcheck source=../etc/hardening.cfg
[ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
# shellcheck source=../lib/common.sh
[ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
# shellcheck source=../lib/utils.sh
[ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh
[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
if [ $BATCH_MODE ]; then MACHINE_LOG_LEVEL=3; fi
if [ "$BATCH_MODE" ]; then MACHINE_LOG_LEVEL=3; fi
# If --allow-service-list is specified, don't run anything, just list the supported services
if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then
if [ "$ALLOW_SERVICE_LIST" = 1 ]; then
declare -a HARDENING_EXCEPTIONS_LIST
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
template=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2)
[ -n "$template" ] && HARDENING_EXCEPTIONS_LIST[${#HARDENING_EXCEPTIONS_LIST[@]}]="$template"
done
echo "Supported services are: "$(echo "${HARDENING_EXCEPTIONS_LIST[@]}" | tr " " "\n" | sort -u | tr "\n" " ")
echo "Supported services are:" "$(echo "${HARDENING_EXCEPTIONS_LIST[@]}" | tr " " "\n" | sort -u | tr "\n" " ")"
exit 0
fi
# If --set-hardening-level is specified, don't run anything, just apply config for each script
if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then
if ! grep -q "^[12345]$" <<< "$SET_HARDENING_LEVEL" ; then
if [ -n "$SET_HARDENING_LEVEL" ] && [ "$SET_HARDENING_LEVEL" != 0 ]; then
if ! grep -q "^[12345]$" <<<"$SET_HARDENING_LEVEL"; then
echo "Bad --set-hardening-level specified ('$SET_HARDENING_LEVEL'), expected 1 to 5"
exit 1
fi
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
SCRIPT_BASENAME=$(basename $SCRIPT .sh)
for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
SCRIPT_BASENAME=$(basename "$SCRIPT" .sh)
script_level=$(grep "^HARDENING_LEVEL=" "$SCRIPT" | cut -d= -f2)
if [ -z "$script_level" ] ; then
if [ -z "$script_level" ]; then
echo "The script $SCRIPT_BASENAME doesn't have a hardening level, configuration untouched for it"
continue
fi
wantedstatus=disabled
[ "$script_level" -le "$SET_HARDENING_LEVEL" ] && wantedstatus=enabled
sed -i -re "s/^status=.+/status=$wantedstatus/" $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
sed -i -re "s/^status=.+/status=$wantedstatus/" "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
done
echo "Configuration modified to enable scripts for hardening level at or below $SET_HARDENING_LEVEL"
exit 0
fi
if [ "$CREATE_CONFIG" = 1 ] && [ "$EUID" -ne 0 ]; then
echo "For --create-config-files-only, please run as root"
exit 1
fi
# Parse every scripts and execute them in the required mode
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
if [ ${#TEST_LIST[@]} -gt 0 ] ; then
for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
if [ "${#TEST_LIST[@]}" -gt 0 ]; then
# --only X has been specified at least once, is this script in my list ?
SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<< "$(basename $SCRIPT)")
SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<< "$SCRIPT_PREFIX")
if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<< "${TEST_LIST[@]}"; then
SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename "$SCRIPT")")
# shellcheck disable=SC2001
SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX")
if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<<"${TEST_LIST[@]}"; then
# not in the list
continue
fi
fi
info "Treating $SCRIPT"
if [ $AUDIT = 1 ]; then
if [ "$CREATE_CONFIG" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only"
"$SCRIPT" --create-config-files-only "$BATCH_MODE"
elif [ "$AUDIT" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
$SCRIPT --audit $SUDO_MODE $BATCH_MODE
elif [ $AUDIT_ALL = 1 ]; then
"$SCRIPT" --audit "$SUDO_MODE" "$BATCH_MODE"
elif [ "$AUDIT_ALL" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE
elif [ $AUDIT_ALL_ENABLE_PASSED = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE" $BATCH_MODE
$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE
elif [ $APPLY = 1 ]; then
"$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
elif [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
"$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
elif [ "$APPLY" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
$SCRIPT
"$SCRIPT"
fi
SCRIPT_EXITCODE=$?
debug "Script $SCRIPT finished with exit code $SCRIPT_EXITCODE"
case $SCRIPT_EXITCODE in
0)
debug "$SCRIPT passed"
PASSED_CHECKS=$((PASSED_CHECKS+1))
if [ $AUDIT_ALL_ENABLE_PASSED = 1 ] ; then
SCRIPT_BASENAME=$(basename $SCRIPT .sh)
sed -i -re 's/^status=.+/status=enabled/' $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
fi
0)
debug "$SCRIPT passed"
PASSED_CHECKS=$((PASSED_CHECKS + 1))
if [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
SCRIPT_BASENAME=$(basename "$SCRIPT" .sh)
sed -i -re 's/^status=.+/status=enabled/' "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
fi
;;
1)
debug "$SCRIPT failed"
FAILED_CHECKS=$((FAILED_CHECKS+1))
1)
debug "$SCRIPT failed"
FAILED_CHECKS=$((FAILED_CHECKS + 1))
;;
2)
debug "$SCRIPT is disabled"
DISABLED_CHECKS=$((DISABLED_CHECKS+1))
2)
debug "$SCRIPT is disabled"
DISABLED_CHECKS=$((DISABLED_CHECKS + 1))
;;
esac
TOTAL_CHECKS=$((TOTAL_CHECKS+1))
TOTAL_CHECKS=$((TOTAL_CHECKS + 1))
done
TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS-DISABLED_CHECKS))
TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS - DISABLED_CHECKS))
if [ $BATCH_MODE ]; then
if [ "$BATCH_MODE" ]; then
BATCH_SUMMARY="AUDIT_SUMMARY "
BATCH_SUMMARY+="PASSED_CHECKS:${PASSED_CHECKS:-0} "
BATCH_SUMMARY+="RUN_CHECKS:${TOTAL_TREATED_CHECKS:-0} "
BATCH_SUMMARY+="TOTAL_CHECKS_AVAIL:${TOTAL_CHECKS:-0}"
if [ $TOTAL_TREATED_CHECKS != 0 ]; then
CONFORMITY_PERCENTAGE=$(bc -l <<< "scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%s" "$CONFORMITY_PERCENTAGE")"
else
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
fi
becho $BATCH_SUMMARY
becho "$BATCH_SUMMARY"
else
printf "%40s\n" "################### SUMMARY ###################"
printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
printf "%30s %s\n" "Total Runned Checks :" "$TOTAL_TREATED_CHECKS"
printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
ENABLED_CHECKS_PERCENTAGE=$(bc -l <<< "scale=2; ($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100")
CONFORMITY_PERCENTAGE=$(bc -l <<< "scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
printf "%30s %s %%\n" "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE"
if [ $TOTAL_TREATED_CHECKS != 0 ]; then
printf "%30s %s %%\n" "Conformity Percentage :" "$CONFORMITY_PERCENTAGE"
printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
printf "%30s %s\n" "Total Runned Checks :" "$TOTAL_TREATED_CHECKS"
printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
ENABLED_CHECKS_PERCENTAGE=$(bc -l <<<"scale=2; ($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100")
CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
printf "%30s %s %%\n" "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE"
if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
printf "%30s %s %%\n" "Conformity Percentage :" "$CONFORMITY_PERCENTAGE"
else
printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No check runned, avoid division by 0
printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No check runned, avoid division by 0
fi
fi

26
bin/hardening/1.1.1.1_disable_freevxfs.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,17 +12,18 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable mounting of freevxfs filesystems."
KERNEL_OPTION="CONFIG_VXFS_FS"
MODULE_NAME="freevxfs"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
else
ok "$KERNEL_OPTION is disabled"
@ -29,9 +31,9 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
is_kernel_option_enabled $KERNEL_OPTION
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
apply() {
is_kernel_option_enabled "$KERNEL_OPTION"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
else
ok "$KERNEL_OPTION is disabled, nothing to do"
@ -45,17 +47,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

26
bin/hardening/1.1.1.2_disable_jffs2.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,17 +12,18 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable mounting of jffs2 filesystems."
KERNEL_OPTION="CONFIG_JFFS2_FS"
MODULE_NAME="jffs2"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
else
ok "$KERNEL_OPTION is disabled"
@ -29,9 +31,9 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
is_kernel_option_enabled $KERNEL_OPTION
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
apply() {
is_kernel_option_enabled "$KERNEL_OPTION"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
else
ok "$KERNEL_OPTION is disabled, nothing to do"
@ -45,17 +47,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

26
bin/hardening/1.1.1.3_disable_hfs.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,17 +12,18 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable mounting of hfs filesystems."
KERNEL_OPTION="CONFIG_HFS_FS"
MODULE_FILE="hfs"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
else
ok "$KERNEL_OPTION is disabled"
@ -29,9 +31,9 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
is_kernel_option_enabled $KERNEL_OPTION
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
apply() {
is_kernel_option_enabled "$KERNEL_OPTION"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
else
ok "$KERNEL_OPTION is disabled, nothing to do"
@ -45,17 +47,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

26
bin/hardening/1.1.1.4_disable_hfsplus.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,17 +12,18 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable mounting of hfsplus filesystems."
KERNEL_OPTION="CONFIG_HFSPLUS_FS"
MODULE_FILE="hfsplus"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
else
ok "$KERNEL_OPTION is disabled"
@ -29,9 +31,9 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
is_kernel_option_enabled $KERNEL_OPTION
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
apply() {
is_kernel_option_enabled "$KERNEL_OPTION"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
else
ok "$KERNEL_OPTION is disabled, nothing to do"
@ -45,17 +47,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

26
bin/hardening/1.1.1.5_disable_udf.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,17 +12,18 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable mounting of udf filesystems."
KERNEL_OPTION="CONFIG_UDF_FS"
MODULE_FILE="udf"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
else
ok "$KERNEL_OPTION is disabled"
@ -29,9 +31,9 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
is_kernel_option_enabled $KERNEL_OPTION
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
apply() {
is_kernel_option_enabled "$KERNEL_OPTION"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
else
ok "$KERNEL_OPTION is disabled, nothing to do"
@ -45,17 +47,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

26
bin/hardening/1.1.1.6_disable_cramfs.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,17 +12,18 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable mounting of cramfs filesystems."
KERNEL_OPTION="CONFIG_CRAMFS"
MODULE_NAME="cramfs"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
else
ok "$KERNEL_OPTION is disabled"
@ -30,9 +32,9 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
is_kernel_option_enabled $KERNEL_OPTION
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
apply() {
is_kernel_option_enabled "$KERNEL_OPTION"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
else
ok "$KERNEL_OPTION is disabled, nothing to do"
@ -47,17 +49,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

26
bin/hardening/1.1.1.7_disable_squashfs.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,17 +12,18 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable mounting of squashfs filesytems."
KERNEL_OPTION="CONFIG_SQUASHFS"
MODULE_FILE="squashfs"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
else
ok "$KERNEL_OPTION is disabled"
@ -30,9 +32,9 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
is_kernel_option_enabled $KERNEL_OPTION
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
apply() {
is_kernel_option_enabled "$KERNEL_OPTION"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
else
ok "$KERNEL_OPTION is disabled, nothing to do"
@ -47,17 +49,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

47
bin/hardening/1.1.10_var_tmp_noexec.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,7 +12,9 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="/var/tmp partition with noexec option."
# Quick factoring as many script use the same logic
@ -19,47 +22,47 @@ PARTITION="/var/tmp"
OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
elif [ $FNRET = 3 ]; then
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
fi
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
@ -70,17 +73,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

27
bin/hardening/1.1.11_var_log_partition.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,24 +12,26 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="/var/log on separate partition."
# Quick factoring as many script use the same logic
PARTITION="/var/log"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
is_mounted "$PARTITION"
if [ $FNRET -gt 0 ]; then
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted"
FNRET=1
else
@ -38,14 +41,14 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
else
info "mounting $PARTITION"
mount $PARTITION
mount "$PARTITION"
fi
}
@ -57,17 +60,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

26
bin/hardening/1.1.12_var_log_audit_partition.sh
View File

@ -11,24 +11,26 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=4
# shellcheck disable=2034
DESCRIPTION="/var/log/audit on a separate partition."
# Quick factoring as many script use the same logic
PARTITION="/var/log/audit"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
is_mounted "$PARTITION"
if [ $FNRET -gt 0 ]; then
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted"
FNRET=1
else
@ -38,14 +40,14 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
else
info "mounting $PARTITION"
mount $PARTITION
mount "$PARTITION"
fi
}
@ -57,17 +59,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

27
bin/hardening/1.1.13_home_partition.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,24 +12,26 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="/home on a separate partition."
# Quick factoring as many script use the same logic
PARTITION="/home"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
is_mounted "$PARTITION"
if [ $FNRET -gt 0 ]; then
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted"
FNRET=1
else
@ -38,14 +41,14 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
else
info "mounting $PARTITION"
mount $PARTITION
mount "$PARTITION"
fi
}
@ -57,17 +60,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

41
bin/hardening/1.1.14_home_nodev.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,7 +12,9 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/home partition with nodev option."
# Quick factoring as many script use the same logic
@ -19,23 +22,23 @@ PARTITION="/home"
OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
@ -46,19 +49,19 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
elif [ $FNRET = 3 ]; then
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
remount_partition "$PARTITION"
fi
}
@ -70,17 +73,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

35
bin/hardening/1.1.15_run_shm_nodev.sh
View File

@ -22,24 +22,24 @@ PARTITION="/run/shm"
OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
PARTITION=$(readlink -e "$PARTITION")
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
@ -50,19 +50,19 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
elif [ $FNRET = 3 ]; then
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
remount_partition "$PARTITION"
fi
}
@ -74,17 +74,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=/opt/debian-cis/lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

35
bin/hardening/1.1.16_run_shm_nosuid.sh
View File

@ -22,24 +22,24 @@ PARTITION="/run/shm"
OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
PARTITION=$(readlink -e "$PARTITION")
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
@ -50,19 +50,19 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
elif [ $FNRET = 3 ]; then
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
remount_partition "$PARTITION"
fi
}
@ -74,17 +74,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=/opt/debian-cis/lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

35
bin/hardening/1.1.17_run_shm_noexec.sh
View File

@ -22,24 +22,24 @@ PARTITION="/run/shm"
OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
PARTITION=$(readlink -e "$PARTITION")
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
@ -50,19 +50,19 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
elif [ $FNRET = 3 ]; then
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
remount_partition "$PARTITION"
fi
}
@ -74,17 +74,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=/opt/debian-cis/lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

29
bin/hardening/1.1.18_removable_device_nodev.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,7 +12,9 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="nodev option for removable media partitions."
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
@ -21,17 +24,17 @@ PARTITION="/media\S*"
OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying if there is $PARTITION like partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
if [ "$FNRET" -gt 0 ]; then
ok "There is no partition like $PARTITION"
FNRET=0
else
info "detected $PARTITION like"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
@ -41,12 +44,12 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 1 ]; then
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
add_option_to_fstab "$PARTITION" "$OPTION"
fi
}
@ -58,17 +61,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

29
bin/hardening/1.1.19_removable_device_nosuid.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,7 +12,9 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="nosuid option for removable media partitions."
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
@ -21,17 +24,17 @@ PARTITION="/media\S*"
OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying if there is $PARTITION like partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
if [ "$FNRET" -gt 0 ]; then
ok "There is no partition like $PARTITION"
FNRET=0
else
info "detected $PARTITION like"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
@ -41,12 +44,12 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 1 ]; then
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
add_option_to_fstab "$PARTITION" "$OPTION"
fi
}
@ -58,17 +61,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

29
bin/hardening/1.1.20_removable_device_noexec.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,7 +12,9 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="noexec option for removable media partitions."
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
@ -21,17 +24,17 @@ PARTITION="/media\S*"
OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying if there is $PARTITION like partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
if [ "$FNRET" -gt 0 ]; then
ok "There is no partition like $PARTITION"
FNRET=0
else
info "detected $PARTITION like"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
@ -41,12 +44,12 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 1 ]; then
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
add_option_to_fstab "$PARTITION" "$OPTION"
fi
}
@ -58,17 +61,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

33
bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,17 +12,21 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them."
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Checking if setuid is set on world writable Directories"
FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
# shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
if [ -n "$RESULT" ]; then
crit "Some world writable directories are not on sticky bit mode!"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
# shellcheck disable=SC2001
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$RESULT" | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT"
else
ok "All world writable directories have a sticky bit"
@ -29,10 +34,10 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
apply() {
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
if [ -n "$RESULT" ]; then
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
else
ok "All world writable directories have a sticky bit, nothing to apply"
fi
@ -46,17 +51,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

27
bin/hardening/1.1.22_disable_automounting.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,16 +12,18 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable automounting of devices."
SERVICE_NAME="autofs"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Checking if $SERVICE_NAME is enabled"
is_service_enabled $SERVICE_NAME
if [ $FNRET = 0 ]; then
is_service_enabled "$SERVICE_NAME"
if [ "$FNRET" = 0 ]; then
crit "$SERVICE_NAME is enabled"
else
ok "$SERVICE_NAME is disabled"
@ -28,12 +31,12 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
info "Checking if $SERVICE_NAME is enabled"
is_service_enabled $SERVICE_NAME
if [ $FNRET = 0 ]; then
is_service_enabled "$SERVICE_NAME"
if [ "$FNRET" = 0 ]; then
info "Disabling $SERVICE_NAME"
update-rc.d $SERVICE_NAME remove > /dev/null 2>&1
update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
else
ok "$SERVICE_NAME is disabled"
fi
@ -46,17 +49,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

27
bin/hardening/1.1.2_tmp_partition.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,24 +12,26 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure /tmp is configured (Scored)"
# Quick factoring as many script use the same logic
PARTITION="/tmp"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
is_mounted "$PARTITION"
if [ $FNRET -gt 0 ]; then
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted"
FNRET=1
else
@ -38,14 +41,14 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
else
info "mounting $PARTITION"
mount $PARTITION
mount "$PARTITION"
fi
}
@ -57,17 +60,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

47
bin/hardening/1.1.3_tmp_nodev.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,7 +12,9 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/tmp partition with nodev option."
# Quick factoring as many script use the same logic
@ -19,47 +22,47 @@ PARTITION="/tmp"
OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
elif [ $FNRET = 3 ]; then
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
fi
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
@ -70,17 +73,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

41
bin/hardening/1.1.4_tmp_nosuid.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,7 +12,9 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/tmp partition with nosuid option."
# Quick factoring as many script use the same logic
@ -19,23 +22,23 @@ PARTITION="/tmp"
OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
@ -46,19 +49,19 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
elif [ $FNRET = 3 ]; then
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
remount_partition "$PARTITION"
fi
}
@ -70,17 +73,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

41
bin/hardening/1.1.5_tmp_noexec.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,7 +12,9 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="/tmp partition with noexec option."
# Quick factoring as many script use the same logic
@ -19,23 +22,23 @@ PARTITION="/tmp"
OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
@ -46,19 +49,19 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
elif [ $FNRET = 3 ]; then
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
remount_partition "$PARTITION"
fi
}
@ -70,17 +73,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

29
bin/hardening/1.1.6_var_partition.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,43 +12,45 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="/var on a separate partition."
# Quick factoring as many script use the same logic
PARTITION="/var"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
is_mounted "$PARTITION"
if [ $FNRET -gt 0 ]; then
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted"
FNRET=1
else
ok "$PARTITION is mounted"
fi
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
else
info "mounting $PARTITION"
mount $PARTITION
mount "$PARTITION"
fi
}
@ -59,17 +62,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

29
bin/hardening/1.1.7_var_tmp_partition.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,43 +12,45 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="/var/tmp on a separate partition."
# Quick factoring as many script use the same logic
PARTITION="/var/tmp"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
is_mounted "$PARTITION"
if [ $FNRET -gt 0 ]; then
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted"
FNRET=1
else
ok "$PARTITION is mounted"
fi
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
else
info "mounting $PARTITION"
mount $PARTITION
mount "$PARTITION"
fi
}
@ -59,17 +62,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

47
bin/hardening/1.1.8_var_tmp_nodev.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,7 +12,9 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/var/tmp partition with nodev option."
# Quick factoring as many script use the same logic
@ -19,47 +22,47 @@ PARTITION="/var/tmp"
OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
elif [ $FNRET = 3 ]; then
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
fi
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
@ -70,17 +73,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

47
bin/hardening/1.1.9_var_tmp_nosuid.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,7 +12,9 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/var/tmp partition with nosuid option."
# Quick factoring as many script use the same logic
@ -19,47 +22,47 @@ PARTITION="/var/tmp"
OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
elif [ $FNRET = 3 ]; then
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
fi
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
@ -70,17 +73,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

55
bin/hardening/1.4.1_bootloader_ownership.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,7 +12,9 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=1
# shellcheck disable=2034
DESCRIPTION="User and group root owner of grub bootloader config."
# Assertion : Grub Based.
@ -22,38 +25,38 @@ GROUP='root'
PERMISSIONS='400'
# This function will be called if the script status is on enabled / audit mode
audit () {
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
audit() {
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
fi
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
apply() {
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
info "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0$PERMISSIONS $FILE
chmod 0"$PERMISSIONS" "$FILE"
fi
}
@ -61,22 +64,22 @@ apply () {
check_config() {
is_pkg_installed "grub-pc"
if [ $FNRET != 0 ]; then
if [ "$FNRET" != 0 ]; then
warn "Grub is not installed, not handling configuration"
exit 128
fi
does_user_exist $USER
if [ $FNRET != 0 ]; then
does_user_exist "$USER"
if [ "$FNRET" != 0 ]; then
crit "$USER does not exist"
exit 128
fi
does_group_exist $GROUP
if [ $FNRET != 0 ]; then
does_group_exist "$GROUP"
if [ "$FNRET" != 0 ]; then
crit "$GROUP does not exist"
exit 128
fi
does_file_exist $FILE
if [ $FNRET != 0 ]; then
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
exit 128
fi
@ -84,17 +87,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

37
bin/hardening/1.4.2_bootloader_password.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,7 +12,9 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Setting bootloader password to secure boot parameters."
FILE='/boot/grub/grub.cfg'
@ -19,15 +22,15 @@ USER_PATTERN="^set superusers"
PWD_PATTERN="^password_pbkdf2"
# This function will be called if the script status is on enabled / audit mode
audit () {
does_pattern_exist_in_file $FILE "$USER_PATTERN"
if [ $FNRET != 0 ]; then
audit() {
does_pattern_exist_in_file "$FILE" "$USER_PATTERN"
if [ "$FNRET" != 0 ]; then
crit "$USER_PATTERN not present in $FILE"
else
ok "$USER_PATTERN is present in $FILE"
fi
does_pattern_exist_in_file $FILE "$PWD_PATTERN"
if [ $FNRET != 0 ]; then
does_pattern_exist_in_file "$FILE" "$PWD_PATTERN"
if [ "$FNRET" != 0 ]; then
crit "$PWD_PATTERN not present in $FILE"
else
ok "$PWD_PATTERN is present in $FILE"
@ -35,15 +38,15 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
does_pattern_exist_in_file $FILE "$USER_PATTERN"
if [ $FNRET != 0 ]; then
apply() {
does_pattern_exist_in_file "$FILE" "$USER_PATTERN"
if [ "$FNRET" != 0 ]; then
warn "$USER_PATTERN not present in $FILE, please configure password for grub"
else
ok "$USER_PATTERN is present in $FILE"
fi
does_pattern_exist_in_file $FILE "$PWD_PATTERN"
if [ $FNRET != 0 ]; then
does_pattern_exist_in_file "$FILE" "$PWD_PATTERN"
if [ "$FNRET" != 0 ]; then
warn "$PWD_PATTERN not present in $FILE, please configure password for grub"
else
ok "$PWD_PATTERN is present in $FILE"
@ -54,11 +57,11 @@ apply () {
# This function will check config parameters required
check_config() {
is_pkg_installed "grub-pc"
if [ $FNRET != 0 ]; then
if [ "$FNRET" != 0 ]; then
warn "grub-pc is not installed, not handling configuration"
exit 128
fi
if [ $FNRET != 0 ]; then
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
exit 128
fi
@ -66,17 +69,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

25
bin/hardening/1.4.3_root_password.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,16 +12,18 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Root password for single user mode."
FILE="/etc/shadow"
PATTERN="^root:[*\!]:"
# This function will be called if the script status is on enabled / audit mode
audit () {
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET != 1 ]; then
audit() {
does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 1 ]; then
crit "$PATTERN is present in $FILE"
else
ok "$PATTERN is not present in $FILE"
@ -28,9 +31,9 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET != 1 ]; then
apply() {
does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 1 ]; then
warn "$PATTERN is present in $FILE, please put a root password"
else
ok "$PATTERN is not present in $FILE"
@ -45,17 +48,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

43
bin/hardening/1.5.1_restrict_core_dumps.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,7 +12,9 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Restrict core dumps."
LIMIT_FILE='/etc/security/limits.conf'
@ -21,18 +24,18 @@ SYSCTL_PARAM='fs.suid_dumpable'
SYSCTL_EXP_RESULT=0
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
SEARCH_RES=0
LIMIT_FILES=""
if $SUDO_CMD [ -d $LIMIT_DIR ]; then
for file in $($SUDO_CMD ls $LIMIT_DIR/*.conf 2>/dev/null); do
if $SUDO_CMD [ -d "$LIMIT_DIR" ]; then
for file in $($SUDO_CMD ls "$LIMIT_DIR"/*.conf 2>/dev/null); do
LIMIT_FILES="$LIMIT_FILES $LIMIT_DIR/$file"
done
fi
debug "Files to search $LIMIT_FILE $LIMIT_FILES"
for file in $LIMIT_FILE $LIMIT_FILES; do
does_pattern_exist_in_file $file $LIMIT_PATTERN
if [ $FNRET != 0 ]; then
does_pattern_exist_in_file "$file" "$LIMIT_PATTERN"
if [ "$FNRET" != 0 ]; then
debug "$LIMIT_PATTERN not present in $file"
else
ok "$LIMIT_PATTERN present in $file"
@ -40,13 +43,13 @@ audit () {
break
fi
done
if [ $SEARCH_RES = 0 ]; then
if [ "$SEARCH_RES" = 0 ]; then
crit "$LIMIT_PATTERN is not present in $LIMIT_FILE $LIMIT_FILES"
fi
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ $FNRET != 0 ]; then
if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -54,23 +57,23 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN
if [ $FNRET != 0 ]; then
apply() {
does_pattern_exist_in_file "$LIMIT_FILE" "$LIMIT_PATTERN"
if [ "$FNRET" != 0 ]; then
warn "$LIMIT_PATTERN not present in $LIMIT_FILE, adding at the end of $LIMIT_FILE"
add_end_of_file $LIMIT_FILE "* hard core 0"
else
ok "$LIMIT_PATTERN present in $LIMIT_FILE"
fi
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ $FNRET != 0 ]; then
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
elif [ $FNRET = 255 ]; then
set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
fi
}
@ -81,17 +84,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

29
bin/hardening/1.5.2_enable_nx_support.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,7 +12,9 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Enable NoExecute/ExecuteDisable to prevent buffer overflow attacks."
PATTERN='NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:space:]]active'
@ -31,11 +34,11 @@ nx_supported_and_enabled() {
}
# This function will be called if the script status is on enabled / audit mode
audit () {
does_pattern_exist_in_dmesg $PATTERN
if [ $FNRET != 0 ]; then
audit() {
does_pattern_exist_in_dmesg "$PATTERN"
if [ "$FNRET" != 0 ]; then
nx_supported_and_enabled
if [ $FNRET != 0 ]; then
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
else
ok "NX is supported and enabled"
@ -46,11 +49,11 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
does_pattern_exist_in_dmesg $PATTERN
if [ $FNRET != 0 ]; then
apply() {
does_pattern_exist_in_dmesg "$PATTERN"
if [ "$FNRET" != 0 ]; then
nx_supported_and_enabled
if [ $FNRET != 0 ]; then
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
else
ok "NX is supported and enabled"
@ -67,17 +70,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

31
bin/hardening/1.5.3_enable_randomized_vm_placement.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,18 +12,20 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Enable Randomized Virtual Memory Region Placement to prevent memory page exploits."
SYSCTL_PARAM='kernel.randomize_va_space'
SYSCTL_EXP_RESULT=2
# This function will be called if the script status is on enabled / audit mode
audit () {
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
audit() {
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -30,12 +33,12 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
apply() {
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
elif [ $FNRET = 255 ]; then
set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -49,17 +52,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

27
bin/hardening/1.5.4_disable_prelink.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,15 +12,17 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable prelink to prevent libraries compromission."
PACKAGE='prelink'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!"
else
ok "$PACKAGE is absent"
@ -28,12 +31,12 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it"
/usr/sbin/prelink -ua
apt-get purge $PACKAGE -y
apt-get purge "$PACKAGE" -y
apt-get autoremove
else
ok "$PACKAGE is absent"
@ -48,17 +51,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

106
bin/hardening/1.6.2.1_enable_apparmor.sh Executable file
View File

@ -0,0 +1,106 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.6.2.1 Activate AppArmor (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Activate AppArmor to enforce permissions control."
PACKAGE='apparmor'
# This function will be called if the script status is on enabled / audit mode
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is absent!"
else
ok "$PACKAGE is installed"
fi
ERROR=0
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for line in $RESULT; do
if [[ ! "$line" =~ "apparmor=1" ]] || [[ ! "$line" =~ "security=apparmor" ]]; then
crit "$line is not configured"
ERROR=1
fi
done
IFS=$d_IFS
if [ "$ERROR" = 0 ]; then
ok "$PACKAGE is configured"
fi
}
# This function will be called if the script status is on enabled mode
apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed, please install $PACKAGE and configure it"
else
ok "$PACKAGE is installed"
fi
ERROR=0
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for line in $RESULT; do
if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
crit "$line is not configured"
ERROR=1
fi
done
IFS=$d_IFS
if [ $ERROR = 1 ]; then
$SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor/" /etc/default/grub
$SUDO_CMD update-grub
else
ok "$PACKAGE is configured"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

27
bin/hardening/1.7.1.1_remove_os_info_motd.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,16 +12,18 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Remove OS information from motd"
FILE='/etc/motd'
PATTERN='(\\v|\\r|\\m|\\s)'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
audit() {
does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
crit "$PATTERN is present in $FILE"
else
ok "$PATTERN is not present in $FILE"
@ -28,11 +31,11 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
apply() {
does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
warn "$PATTERN is present in $FILE"
delete_line_in_file $FILE $PATTERN
delete_line_in_file "$FILE" "$PATTERN"
else
ok "$PATTERN is not present in $FILE"
fi
@ -45,17 +48,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

25
bin/hardening/1.7.1.2_remove_os_info_issue.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,16 +12,18 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Remove OS information from Login Warning Banners."
FILE='/etc/issue'
PATTERN='(\\v|\\r|\\m|\\s)'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
audit() {
does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
crit "$PATTERN is present in $FILE"
else
ok "$PATTERN is not present in $FILE"
@ -28,11 +31,11 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
if [ "$FNRET" = 0 ]; then
warn "$PATTERN is present in $FILE"
delete_line_in_file $FILE $PATTERN
delete_line_in_file "$FILE" "$PATTERN"
else
ok "$PATTERN is not present in $FILE"
fi
@ -45,17 +48,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

27
bin/hardening/1.7.1.3_remove_os_info_issue_net.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,16 +12,18 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Remove OS information from remote Login Warning Banners."
FILE='/etc/issue.net'
PATTERN='(\\v|\\r|\\m|\\s)'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
audit() {
does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
crit "$PATTERN is present in $FILE"
else
ok "$PATTERN is not present in $FILE"
@ -28,11 +31,11 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
apply() {
does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
warn "$PATTERN is present in $FILE"
delete_line_in_file $FILE $PATTERN
delete_line_in_file "$FILE" "$PATTERN"
else
ok "$PATTERN is not present in $FILE"
fi
@ -45,17 +48,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

63
bin/hardening/1.7.1.4_motd_perms.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,7 +12,9 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Checking root ownership and 644 permissions on banner files: /etc/motd|issue|issue.net ."
PERMISSIONS='644'
@ -20,46 +23,46 @@ GROUP='root'
FILE='/etc/motd'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
audit() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
continue
fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
apply() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
touch $FILE
touch "$FILE"
fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0$PERMISSIONS $FILE
chmod 0"$PERMISSIONS" "$FILE"
fi
}
@ -70,17 +73,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

63
bin/hardening/1.7.1.5_etc_issue_perms.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,7 +12,9 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Checking root ownership and 644 permissions on banner files: /etc/motd|issue|issue.net ."
PERMISSIONS='644'
@ -20,46 +23,46 @@ GROUP='root'
FILE='/etc/issue'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
audit() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
continue
fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
apply() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
touch $FILE
touch "$FILE"
fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0$PERMISSIONS $FILE
chmod 0"$PERMISSIONS" "$FILE"
fi
}
@ -70,17 +73,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

63
bin/hardening/1.7.1.6_etc_issue_net_perms.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,7 +12,9 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Checking root ownership and 644 permissions on banner files: /etc/motd|issue|issue.net ."
PERMISSIONS='644'
@ -20,46 +23,46 @@ GROUP='root'
FILE='/etc/issue.net'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
audit() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
continue
fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
apply() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
touch $FILE
touch "$FILE"
fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0$PERMISSIONS $FILE
chmod 0"$PERMISSIONS" "$FILE"
fi
}
@ -70,17 +73,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

17
bin/hardening/1.7.2_graphical_warning_banners.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,16 +12,18 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Set graphical warning banner."
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Not implemented yet"
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
info "Not implemented yet"
}
@ -31,17 +34,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

23
bin/hardening/1.8_install_updates.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,16 +12,18 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure updates, patches, and additional security software are installed (Not Scored)"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Checking if apt needs an update"
apt_update_if_needed
apt_update_if_needed
info "Fetching upgrades ..."
apt_check_updates "CIS_APT"
if [ $FNRET -gt 0 ]; then
if [ "$FNRET" -gt 0 ]; then
crit "$RESULT"
FNRET=1
else
@ -30,8 +33,8 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET -gt 0 ]; then
apply() {
if [ "$FNRET" -gt 0 ]; then
info "Applying Upgrades..."
DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y
else
@ -47,17 +50,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

27
bin/hardening/2.1.1_disable_xinetd.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,15 +12,17 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure xinetd is not enabled."
PACKAGE='xinetd'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed"
else
ok "$PACKAGE is absent"
@ -27,11 +30,11 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
warn "$PACKAGE is installed, purging"
apt-get purge $PACKAGE -y
apt-get purge "$PACKAGE" -y
apt-get autoremove
else
ok "$PACKAGE is absent"
@ -45,17 +48,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

27
bin/hardening/2.1.2_disable_bsd_inetd.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,16 +12,18 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure bsd-inetd is not enabled."
PACKAGES='openbsd-inetd inetutils-inetd'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed"
else
ok "$PACKAGE is absent"
@ -29,12 +32,12 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
warn "$PACKAGE is installed, purging"
apt-get purge $PACKAGE -y
apt-get purge "$PACKAGE" -y
apt-get autoremove
else
ok "$PACKAGE is absent"
@ -49,17 +52,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

27
bin/hardening/2.2.1.1_use_time_sync.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,28 +12,30 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure time synchronization is in use"
PACKAGES="ntp chrony"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
FOUND=false
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
ok "Time synchronization is available through $PACKAGE"
FOUND=true
fi
done
if [ "$FOUND" = false ]; then
if [ "$FOUND" = false ]; then
crit "None of the following time sync packages are installed: $PACKAGES"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
:
}
@ -43,14 +46,20 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r "$CIS_ROOT_DIR"/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

78
bin/hardening/2.2.1.2_configure_ntp.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,8 +12,11 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters and ntp daemon runs ad unprivileged user."
# shellcheck disable=2034
HARDENING_EXCEPTION=ntp
PACKAGE='ntp'
@ -22,20 +26,20 @@ NTP_INIT_PATTERN='RUNASUSER=ntp'
NTP_INIT_FILE='/etc/init.d/ntp'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed, checking configuration"
does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN
if [ $FNRET != 0 ]; then
does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
if [ "$FNRET" != 0 ]; then
crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
else
ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
fi
does_pattern_exist_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN"
if [ $FNRET != 0 ]; then
does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
if [ "$FNRET" != 0 ]; then
crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE"
else
ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
@ -44,31 +48,31 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE
info "Checking $PACKAGE configuration"
fi
does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN
if [ $FNRET != 0 ]; then
warn "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE, adding it"
backup_file $NTP_CONF_FILE
add_end_of_file $NTP_CONF_FILE "restrict -4 default kod notrap nomodify nopeer noquery"
else
ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
fi
does_pattern_exist_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN"
if [ $FNRET != 0 ]; then
warn "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE, adding it"
backup_file $NTP_INIT_FILE
add_line_file_before_pattern $NTP_INIT_FILE $NTP_INIT_PATTERN "^UGID"
else
ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
fi
apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
apt_install "$PACKAGE"
info "Checking $PACKAGE configuration"
fi
does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
if [ "$FNRET" != 0 ]; then
warn "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE, adding it"
backup_file "$NTP_CONF_FILE"
add_end_of_file "$NTP_CONF_FILE" "restrict -4 default kod notrap nomodify nopeer noquery"
else
ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
fi
does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
if [ "$FNRET" != 0 ]; then
warn "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE, adding it"
backup_file "$NTP_INIT_FILE"
add_line_file_before_pattern "$NTP_INIT_FILE" "$NTP_INIT_PATTERN" "^UGID"
else
ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
fi
}
# This function will check config parameters required
@ -78,17 +82,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

26
bin/hardening/2.2.1.3_configure_chrony.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,8 +12,11 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters and ntp daemon runs ad unprivileged user."
# shellcheck disable=2034
HARDENING_EXCEPTION=ntp
PACKAGE=chrony
@ -20,14 +24,14 @@ CONF_DEFAULT_PATTERN='^(server|pool)'
CONF_FILE='/etc/chrony/chrony.conf'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed, checking configuration"
does_pattern_exist_in_file $CONF_FILE $CONF_DEFAULT_PATTERN
if [ $FNRET != 0 ]; then
does_pattern_exist_in_file "$CONF_FILE" "$CONF_DEFAULT_PATTERN"
if [ "$FNRET" != 0 ]; then
crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE"
else
ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE"
@ -36,7 +40,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
:
}
@ -47,17 +51,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

30
bin/hardening/2.2.10_disable_http_server.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,18 +12,21 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure HTTP server is not enabled."
# shellcheck disable=2034
HARDENING_EXCEPTION=http
# Based on aptitude search '~Phttpd'
PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!"
else
ok "$PACKAGE is absent"
@ -31,13 +35,13 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
apt-get purge "$PACKAGE" -y
apt-get autoremove -y
else
ok "$PACKAGE is absent"
fi
@ -51,17 +55,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

30
bin/hardening/2.2.11_disable_imap_pop.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,18 +12,21 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure IMAP and POP servers are not installed"
# shellcheck disable=2034
HARDENING_EXCEPTION=mail
# Based on aptitude search '~Pimap-server' and aptitude search '~Ppop3-server'
PACKAGES='citadel-server courier-imap cyrus-imapd-2.4 dovecot-imapd mailutils-imap4d courier-pop cyrus-pop3d-2.4 dovecot-pop3d heimdal-servers mailutils-pop3d popa3d solid-pop3d xmail'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!"
else
ok "$PACKAGE is absent"
@ -31,13 +35,13 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
apt-get purge "$PACKAGE" -y
apt-get autoremove -y
else
ok "$PACKAGE is absent"
fi
@ -51,17 +55,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

40
bin/hardening/2.2.12_disable_samba.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,25 +12,28 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure Samba is not enabled."
# shellcheck disable=2034
HARDENING_EXCEPTION=samba
PACKAGES='samba'
SERVICE='smbd'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!"
else
ok "$PACKAGE is absent"
fi
done
is_service_enabled $SERVICE
if [ $FNRET = 0 ]; then
is_service_enabled "$SERVICE"
if [ "$FNRET" = 0 ]; then
crit "Service $SERVICE is enabled!"
else
ok "Service $SERVICE is disabled"
@ -37,21 +41,21 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
apt-get purge "$PACKAGE" -y
apt-get autoremove -y
else
ok "$PACKAGE is absent"
fi
done
is_service_enabled $SERVICE
if [ $FNRET = 0 ]; then
is_service_enabled "$SERVICE"
if [ "$FNRET" = 0 ]; then
crit "Service $SERVICE is enabled!"
systemctl disable $SERVICE
systemctl disable "$SERVICE"
else
ok "Service $SERVICE is disabled"
fi
@ -64,17 +68,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

28
bin/hardening/2.2.13_disable_http_proxy.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,17 +12,20 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure HTTP-proxy is not enabled."
# shellcheck disable=2034
HARDENING_EXCEPTION=http
PACKAGES='squid3 squid'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!"
else
ok "$PACKAGE is absent"
@ -30,12 +34,12 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get purge "$PACKAGE" -y
apt-get autoremove
else
ok "$PACKAGE is absent"
@ -50,17 +54,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

30
bin/hardening/2.2.14_disable_snmp_server.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,17 +12,20 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Enure SNMP server is not enabled."
# shellcheck disable=2034
HARDENING_EXCEPTION=snmp
PACKAGES='snmpd'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!"
else
ok "$PACKAGE is absent"
@ -30,13 +34,13 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
apt-get purge "$PACKAGE" -y
apt-get autoremove -y
else
ok "$PACKAGE is absent"
fi
@ -50,17 +54,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

22
bin/hardening/2.2.15_mta_localhost.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,12 +12,15 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Configure Mail Transfert Agent for Local-Only Mode."
# shellcheck disable=2034
HARDENING_EXCEPTION=mail
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Checking netport ports opened"
RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
RESULT=${RESULT:-}
@ -25,7 +29,7 @@ audit () {
ok "Nothing listens on 25 port, probably unix socket configured"
else
info "Checking $RESULT"
if $(grep -q "127.0.0.1" <<< $RESULT); then
if grep -q "127.0.0.1" <<<"$RESULT"; then
ok "MTA is configured to localhost only"
else
crit "MTA listens worldwide"
@ -34,7 +38,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
info "Checking netport ports opened"
RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
RESULT=${RESULT:-}
@ -43,7 +47,7 @@ apply () {
ok "Nothing listens on 25 port, probably unix socket configured"
else
info "Checking $RESULT"
if $(grep -q "127.0.0.1" <<< $RESULT); then
if grep -q "127.0.0.1" <<<"$RESULT"; then
ok "MTA is configured to localhost only"
else
warn "MTA listens worldwide, correct this considering your MTA"
@ -59,17 +63,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

38
bin/hardening/2.2.16_disable_rsync.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,8 +12,11 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure rsync service is not enabled."
# shellcheck disable=2034
HARDENING_EXCEPTION=rsync
PACKAGE='rsync'
@ -21,14 +25,14 @@ RSYNC_DEFAULT_FILE='/etc/default/rsync'
RSYNC_DEFAULT_PATTERN_TO_SEARCH='RSYNC_ENABLE=true'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
ok "$PACKAGE is not installed"
else
ok "$PACKAGE is installed, checking configuration"
does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
if [ $FNRET != 0 ]; then
does_pattern_exist_in_file "$RSYNC_DEFAULT_FILE" "^$RSYNC_DEFAULT_PATTERN"
if [ "$FNRET" != 0 ]; then
crit "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE"
else
ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE"
@ -37,17 +41,17 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
ok "$PACKAGE is not installed"
else
ok "$PACKAGE is installed, checking configuration"
does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
if [ $FNRET != 0 ]; then
does_pattern_exist_in_file "$RSYNC_DEFAULT_FILE" "^$RSYNC_DEFAULT_PATTERN"
if [ "$FNRET" != 0 ]; then
warn "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE, adding it"
backup_file $RSYNC_DEFAULT_FILE
replace_in_file $RSYNC_DEFAULT_FILE $RSYNC_DEFAULT_PATTERN_TO_SEARCH $RSYNC_DEFAULT_PATTERN
backup_file "$RSYNC_DEFAULT_FILE"
replace_in_file "$RSYNC_DEFAULT_FILE" "$RSYNC_DEFAULT_PATTERN_TO_SEARCH" "$RSYNC_DEFAULT_PATTERN"
else
ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE"
fi
@ -61,17 +65,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

48
bin/hardening/2.2.18_disable_telnet_server.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# Legacy CIS Debian Hardening
#
@ -13,7 +14,9 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Ensure telnet server is not enabled. Recommended alternative : sshd (OpenSSH-server)."
# Based on aptitude search '~Ptelnet-server'
@ -22,17 +25,17 @@ FILE='/etc/inetd.conf'
PATTERN='^telnet'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
warn "$PACKAGE is installed, checking configuration"
does_file_exist $FILE
if [ $FNRET != 0 ]; then
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
crit "$PATTERN exists, $PACKAGE services are enabled!"
else
ok "$PATTERN is not present in $FILE"
@ -45,27 +48,28 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get purge "$PACKAGE" -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
does_file_exist $FILE
if [ $FNRET != 0 ]; then
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
# shellcheck disable=SC2001
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<<$PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" "$FILE"
else
ok "$PATTERN is not present in $FILE"
fi
@ -80,17 +84,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

30
bin/hardening/2.2.2_disable_xwindow_system.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,18 +12,21 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure the X Window system is not installed."
# shellcheck disable=2034
HARDENING_EXCEPTION=x11
# Based on aptitude search '~Pxserver'
PACKAGES='xserver-xorg-core xserver-xorg-core-dbg xserver-common xserver-xephyr xserver-xfbdev tightvncserver vnc4server fglrx-driver xvfb xserver-xorg-video-nvidia-legacy-173xx xserver-xorg-video-nvidia-legacy-96xx xnest'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!"
else
ok "$PACKAGE is absent"
@ -31,13 +35,13 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
apt-get purge "$PACKAGE" -y
apt-get autoremove -y
else
ok "$PACKAGE is absent"
fi
@ -51,17 +55,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

29
bin/hardening/2.2.3_disable_avahi_server.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,16 +12,18 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure Avahi server is not enabled."
PACKAGES='avahi-daemon libavahi-common-data libavahi-common3 libavahi-core7'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!"
else
ok "$PACKAGE is absent"
@ -29,13 +32,13 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
apt-get purge "$PACKAGE" -y
apt-get autoremove -y
else
ok "$PACKAGE is absent"
fi
@ -49,17 +52,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

30
bin/hardening/2.2.4_disable_print_server.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,17 +12,20 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure print server (Common Unix Print System) is not enabled."
# shellcheck disable=2034
HARDENING_EXCEPTION=cups
PACKAGES='libcups2 libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1 cups-common cups-client cups-ppdc libcupsfilters1 cups-filters cups'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!"
else
ok "$PACKAGE is absent"
@ -30,13 +34,13 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
apt-get purge "$PACKAGE" -y
apt-get autoremove -y
else
ok "$PACKAGE is absent"
fi
@ -50,17 +54,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

30
bin/hardening/2.2.5_disable_dhcp.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,17 +12,20 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure DHCP server is not enabled."
# shellcheck disable=2034
HARDENING_EXCEPTION=dhcp
PACKAGES='udhcpd isc-dhcp-server'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!"
else
ok "$PACKAGE is absent"
@ -30,13 +34,13 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
apt-get purge "$PACKAGE" -y
apt-get autoremove -y
else
ok "$PACKAGE is absent"
fi
@ -50,17 +54,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

30
bin/hardening/2.2.6_disable_ldap.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,17 +12,20 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure LDAP is not enabled."
# shellcheck disable=2034
HARDENING_EXCEPTION=ldap
PACKAGES='slapd'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!"
else
ok "$PACKAGE is absent"
@ -30,13 +34,13 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
apt-get purge "$PACKAGE" -y
apt-get autoremove -y
else
ok "$PACKAGE is absent"
fi
@ -50,17 +54,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

30
bin/hardening/2.2.7_disable_nfs_rpc.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,17 +12,20 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure Network File System (nfs) and RPC are not enabled."
# shellcheck disable=2034
HARDENING_EXCEPTION=nfs
PACKAGES='rpcbind nfs-kernel-server'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!"
else
ok "$PACKAGE is absent"
@ -30,13 +34,13 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
apt-get purge "$PACKAGE" -y
apt-get autoremove -y
else
ok "$PACKAGE is absent"
fi
@ -50,17 +54,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

30
bin/hardening/2.2.8_disable_dns_server.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,17 +12,20 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure Domain Name System (dns) server is not enabled."
# shellcheck disable=2034
HARDENING_EXCEPTION=dns
PACKAGES='bind9 unbound'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!"
else
ok "$PACKAGE is absent"
@ -30,13 +34,13 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
apt-get purge "$PACKAGE" -y
apt-get autoremove -y
else
ok "$PACKAGE is absent"
fi
@ -50,17 +54,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

30
bin/hardening/2.2.9_disable_ftp.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,18 +12,21 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure File Transfer Protocol (ftp) is not enabled."
# shellcheck disable=2034
HARDENING_EXCEPTION=ftp
# Based on aptitude search '~Pftp-server'
PACKAGES='ftpd ftpd-ssl heimdal-servers inetutils-ftpd krb5-ftpd muddleftpd proftpd-basic pure-ftpd pure-ftpd-ldap pure-ftpd-mysql pure-ftpd-postgresql twoftpd-run vsftpd wzdftpd'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!"
else
ok "$PACKAGE is absent"
@ -31,13 +35,13 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
apt-get purge "$PACKAGE" -y
apt-get autoremove -y
else
ok "$PACKAGE is absent"
fi
@ -51,17 +55,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

29
bin/hardening/2.3.1_disable_nis.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,15 +12,17 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure that Network Information Service is not installed. Recommended alternative : LDAP."
PACKAGE='nis'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!"
else
ok "$PACKAGE is absent"
@ -28,12 +31,12 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
apt-get purge "$PACKAGE" -y
apt-get autoremove -y
else
ok "$PACKAGE is absent"
fi
@ -46,17 +49,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

33
bin/hardening/2.3.2_disable_rsh_client.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,17 +12,19 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Ensure rsh client is not installed, Recommended alternative : ssh."
# Based on aptitude search '~Prsh-client', exluding ssh-client OFC
PACKAGES='rsh-client rsh-redone-client heimdal-clients'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed"
else
ok "$PACKAGE is absent"
@ -30,13 +33,13 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
warn "$PACKAGE is installed, purging"
apt-get purge $PACKAGE -y
apt-get autoremove
apt-get purge "$PACKAGE" -y
apt-get autoremove -y
else
ok "$PACKAGE is absent"
fi
@ -50,17 +53,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

29
bin/hardening/2.3.3_disable_talk_client.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,16 +12,18 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Ensure talk client is not installed."
PACKAGES='talk inetutils-talk'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed"
else
ok "$PACKAGE is absent"
@ -29,13 +32,13 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
warn "$PACKAGE is installed, purging"
apt-get purge $PACKAGE -y
apt-get autoremove
apt-get purge "$PACKAGE" -y
apt-get autoremove -y
else
ok "$PACKAGE is absent"
fi
@ -49,17 +52,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

29
bin/hardening/2.3.4_disable_telnet_client.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,16 +12,18 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Ensure telnet client is not installed."
PACKAGES='telnet'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed"
else
ok "$PACKAGE is absent"
@ -29,13 +32,13 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
warn "$PACKAGE is installed, purging"
apt-get purge $PACKAGE -y
apt-get autoremove
apt-get purge "$PACKAGE" -y
apt-get autoremove -y
else
ok "$PACKAGE is absent"
fi
@ -49,17 +52,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

29
bin/hardening/2.3.5_disable_ldap_client.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,16 +12,18 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Ensure ldap client is not installed."
PACKAGES='ldap-utils'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed"
else
ok "$PACKAGE is absent"
@ -29,13 +32,13 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
warn "$PACKAGE is installed, purging"
apt-get purge $PACKAGE -y
apt-get autoremove
apt-get purge "$PACKAGE" -y
apt-get autoremove -y
else
ok "$PACKAGE is absent"
fi
@ -49,17 +52,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

50
bin/hardening/3.1.1_disable_ip_forwarding.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,22 +12,25 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
HARDENING_EXCEPTION=gw
# shellcheck disable=2034
DESCRIPTION="Disable IP forwarding."
SYSCTL_PARAMS='net.ipv4.ip_forward net.ipv6.conf.all.forwarding'
SYSCTL_EXP_RESULT=0
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for SYSCTL_PARAM in $SYSCTL_PARAMS; do
does_sysctl_param_exists "net.ipv6"
if [ $FNRET = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
does_sysctl_param_exists "net.ipv6"
if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_PARAM =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -36,17 +40,19 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null
elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
apply() {
for SYSCTL_PARAM in $SYSCTL_PARAMS; do
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
done
}
# This function will check config parameters required
@ -56,17 +62,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

41
bin/hardening/3.1.2_disable_send_packet_redirects.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,7 +12,9 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable send packet redirects to prevent malicious ICMP corruption."
#net.ipv4.conf.all.send_redirects = 0
@ -19,15 +22,15 @@ DESCRIPTION="Disable send packet redirects to prevent malicious ICMP corruption.
SYSCTL_PARAMS='net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -36,17 +39,17 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null
elif [ $FNRET = 255 ]; then
set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -61,17 +64,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

43
bin/hardening/3.2.1_disable_source_routed_packets.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,23 +12,25 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable source routed packet acceptance."
# set in config file
SYSCTL_PARAMS=''
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
does_sysctl_param_exists "net.ipv6"
if [ $FNRET = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
if [ "$FNRET" = 0 ] || [[ ! "$SYSCTL_VALUES" =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -37,17 +40,17 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null
elif [ $FNRET = 255 ]; then
set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -70,17 +73,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

45
bin/hardening/3.2.2_disable_icmp_redirect.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,24 +12,26 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable ICMP redirect acceptance to prevent routing table corruption."
# set in config file
SYSCTL_PARAMS=''
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
does_sysctl_param_exists "net.ipv6"
if [ $FNRET = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
if [ "$FNRET" = 0 ] || [[ ! "$SYSCTL_VALUES" =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -38,17 +41,17 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null
elif [ $FNRET = 255 ]; then
set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -71,17 +74,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

41
bin/hardening/3.2.3_disable_secure_icmp_redirect.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,21 +12,23 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable secure ICMP redirect acceptance to prevent routing tables corruptions."
SYSCTL_PARAMS='net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -34,17 +37,17 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null
elif [ $FNRET = 255 ]; then
set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -59,17 +62,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

41
bin/hardening/3.2.4_log_martian_packets.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,21 +12,23 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Log suspicious packets, like spoofed packets."
SYSCTL_PARAMS='net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martians=1'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -34,17 +37,17 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null
elif [ $FNRET = 255 ]; then
set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -59,17 +62,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

41
bin/hardening/3.2.5_ignore_broadcast_requests.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,21 +12,23 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Ignore broadcast requests to prevent attacks such as Smurf attack."
SYSCTL_PARAMS='net.ipv4.icmp_echo_ignore_broadcasts=1'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist --Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -34,17 +37,17 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null
elif [ $FNRET = 255 ]; then
set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -59,17 +62,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

43
bin/hardening/3.2.6_enable_bad_error_message_protection.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,21 +12,23 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Enable bad error message protection to prevent logfiles fillup."
SYSCTL_PARAMS='net.ipv4.icmp_ignore_bogus_error_responses=1'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -34,17 +37,17 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null
elif [ $FNRET = 255 ]; then
set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -59,18 +62,20 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi
fi

41
bin/hardening/3.2.7_enable_source_route_validation.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,21 +12,23 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Enable RFC-recommended source route validation."
SYSCTL_PARAMS='net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -34,17 +37,17 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null
elif [ $FNRET = 255 ]; then
set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -59,17 +62,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

41
bin/hardening/3.2.8_enable_tcp_syn_cookies.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,21 +12,23 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Enable TCP-SYN cookie to prevent TCP-SYN flood attack."
SYSCTL_PARAMS='net.ipv4.tcp_syncookies=1'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -34,17 +37,17 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null
elif [ $FNRET = 255 ]; then
set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -59,17 +62,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

45
bin/hardening/3.2.9_disable_ipv6_router_advertisement.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,25 +12,27 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable IPv6 router advertisements."
SYSCTL_PARAMS='net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
does_sysctl_param_exists "net.ipv6"
if [ $FNRET != 0 ]; then
if [ "$FNRET" != 0 ]; then
ok "ipv6 is disabled"
else
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -39,21 +42,21 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
does_sysctl_param_exists "net.ipv6"
if [ $FNRET != 0 ]; then
if [ "$FNRET" != 0 ]; then
ok "ipv6 is disabled"
else
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT, fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null
elif [ $FNRET = 255 ]; then
set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -69,17 +72,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

35
bin/hardening/3.3.1_install_tcp_wrapper.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,15 +12,17 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Install TCP wrappers for simple access list management and standardized logging method for services."
PACKAGE='tcpd'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
@ -27,14 +30,14 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE
fi
apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
apt_install "$PACKAGE"
fi
}
# This function will check config parameters required
@ -44,17 +47,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

27
bin/hardening/3.3.2_hosts_allow.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,15 +12,17 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Create /etc/hosts.allow ."
FILE='/etc/hosts.allow'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
audit() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
else
ok "$FILE exist"
@ -27,11 +30,11 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
apply() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist, creating it"
touch $FILE
touch "$FILE"
warn "You may want to fill it with allowed networks"
else
ok "$FILE exist"
@ -45,17 +48,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

37
bin/hardening/3.3.3_hosts_deny.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,21 +12,23 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Create /etc/hosts.deny ."
FILE='/etc/hosts.deny'
PATTERN='ALL: ALL'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
audit() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
else
ok "$FILE exists, checking configuration"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET != 0 ]; then
does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in $FILE, we have to deny everything"
else
ok "$PATTERN is present in $FILE"
@ -34,18 +37,18 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
apply() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist, creating it"
touch $FILE
touch "$FILE"
else
ok "$FILE exists"
fi
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET != 0 ]; then
does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in $FILE, we have to deny everything"
add_end_of_file $FILE "$PATTERN"
add_end_of_file "$FILE" "$PATTERN"
warn "YOU MAY HAVE CUT YOUR ACCESS, CHECK BEFORE DISCONNECTING"
else
ok "$PATTERN is present in $FILE"
@ -59,17 +62,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

31
bin/hardening/3.3.4_hosts_allow_permissions.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,7 +12,9 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Check 644 permissions and root:root ownership on /hosts.allow ."
FILE='/etc/hosts.allow'
@ -20,15 +23,15 @@ USER='root'
GROUP='root'
# This function will be called if the script status is on enabled / audit mode
audit () {
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
audit() {
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
@ -36,13 +39,13 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
apply() {
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0$PERMISSIONS $FILE
chmod 0"$PERMISSIONS" "$FILE"
fi
}
@ -53,17 +56,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

31
bin/hardening/3.3.5_hosts_deny_permissions.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,7 +12,9 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Check 644 permissions and root:root ownership on /etc/hosts.deny ."
FILE='/etc/hosts.deny'
@ -20,15 +23,15 @@ USER='root'
GROUP='root'
# This function will be called if the script status is on enabled / audit mode
audit () {
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
audit() {
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
@ -36,13 +39,13 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
apply() {
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0$PERMISSIONS $FILE
chmod 0"$PERMISSIONS" "$FILE"
fi
}
@ -53,17 +56,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

17
bin/hardening/3.4.1_disable_dccp.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,16 +12,18 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable Datagram Congestion Control Protocol (DCCP)."
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Not implemented yet"
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
info "Not implemented yet"
}
@ -31,17 +34,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

17
bin/hardening/3.4.2_disable_sctp.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,16 +12,18 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable Stream Control Transmission Protocol (SCTP)."
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Not implemented yet"
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
info "Not implemented yet"
}
@ -31,17 +34,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

17
bin/hardening/3.4.3_disable_rds.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,16 +12,18 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable Reliable Datagram Sockets (RDS)."
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Not implemented yet"
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
info "Not implemented yet"
}
@ -31,17 +34,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

17
bin/hardening/3.4.4_disable_tipc.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,16 +12,18 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable Transperent Inter-Process Communication (TIPC)."
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Not implemented yet"
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
info "Not implemented yet"
}
@ -31,17 +34,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

22
bin/hardening/3.5.1.1_net_fw_default_policy_drop.sh
View File

@ -1,4 +1,5 @@
#!/bin/bash
# run-shellcheck
#
# OVH Security audit
@ -21,22 +22,22 @@ FW_CHAINS="INPUT FORWARD"
FW_POLICY="DROP"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
ipt=$($SUDO_CMD $PACKAGE -nL 2>/dev/null || true )
if [[ -z $ipt ]]; then
ipt=$($SUDO_CMD "$PACKAGE" -nL 2>/dev/null || true)
if [[ -z "$ipt" ]]; then
crit "Empty return from $PACKAGE command. Aborting..."
return
fi
for chain in $FW_CHAINS; do
regex="Chain $chain \(policy ([A-Z]+)\)"
# previous line will capture actual policy
if [[ $ipt =~ $regex ]]; then
if [[ "$ipt" =~ $regex ]]; then
actual_policy=${BASH_REMATCH[1]}
if [[ $actual_policy = "$FW_POLICY" ]]; then
if [[ "$actual_policy" = "$FW_POLICY" ]]; then
ok "Policy correctly set to $FW_POLICY for chain $chain"
else
crit "Policy set to $actual_policy for chain $chain, should be ${FW_POLICY}."
@ -49,7 +50,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
:
}
@ -60,17 +61,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=/opt/debian-cis/lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

37
bin/hardening/3.5_enable_firewall.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,18 +12,20 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Ensure firewall is active (iptables is installed, does not check for its configuration)."
# Quick note here : CIS recommends your iptables rules to be persistent.
# Quick note here : CIS recommends your iptables rules to be persistent.
# Do as you want, but this script does not handle this
PACKAGE='iptables'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
@ -30,14 +33,14 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE
fi
apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
apt_install "$PACKAGE"
fi
}
# This function will check config parameters required
@ -47,17 +50,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

24
bin/hardening/3.6_disable_wireless.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,16 +12,18 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Deactivate wireless interfaces."
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Not implemented yet"
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
info "Not implemented yet"
}
@ -31,28 +34,31 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
## Source Root Dir Parameter
#if [ ! -r /etc/default/cis-hardening ]; then
# echo "There is no /etc/default/cis-hardening file, cannot source CIS_ROOT_DIR variable, aborting"
# exit 128
#else
# shellcheck source=../../debian/default
# . /etc/default/cis-hardening
# if [ -z ${CIS_ROOT_DIR:-} ]; then
# echo "No CIS_ROOT_DIR variable, aborting"
# exit 128
# fi
#fi
#fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

43
bin/hardening/3.7_disable_ipv6.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,25 +12,27 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable IPv6."
SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
does_sysctl_param_exists "net.ipv6"
if [ $FNRET != 0 ]; then
if [ "$FNRET" != 0 ]; then
ok "ipv6 is disabled"
else
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -39,21 +42,21 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
does_sysctl_param_exists "net.ipv6"
if [ $FNRET != 0 ]; then
if [ "$FNRET" != 0 ]; then
ok "ipv6 is disabled"
else
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value, fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
warn "you may want to reboot or sysctl -p a file including $SYSCTL_PARAMS"
elif [ $FNRET = 255 ]; then
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -69,17 +72,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

35
bin/hardening/4.1.1.1_audit_log_storage.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,7 +12,9 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=4
# shellcheck disable=2034
DESCRIPTION="Configure audit log storage size."
FILE='/etc/audit/auditd.conf'
@ -19,14 +22,14 @@ PATTERN='max_log_file'
VALUE=5
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
audit() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
else
ok "$FILE exists, checking configuration"
does_pattern_exist_in_file $FILE "^$PATTERN[[:space:]]"
if [ $FNRET != 0 ]; then
does_pattern_exist_in_file "$FILE" "^${PATTERN}[[:space:]]"
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in $FILE"
else
ok "$PATTERN is present in $FILE"
@ -35,18 +38,18 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
apply() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist, creating it"
touch $FILE
else
ok "$FILE exists"
fi
does_pattern_exist_in_file $FILE "^$PATTERN[[:space:]]"
if [ $FNRET != 0 ]; then
does_pattern_exist_in_file "$FILE" "^${PATTERN}[[:space:]]"
if [ "$FNRET" != 0 ]; then
warn "$PATTERN is not present in $FILE, adding it"
add_end_of_file $FILE "$PATTERN = $VALUE"
add_end_of_file "$FILE" "$PATTERN = $VALUE"
else
ok "$PATTERN is present in $FILE"
fi
@ -59,17 +62,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

74
bin/hardening/4.1.1.2_halt_when_audit_log_full.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,58 +12,60 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=4
# shellcheck disable=2034
DESCRIPTION="Disable system on audit log full."
FILE='/etc/audit/auditd.conf'
OPTIONS='space_left_action=email action_mail_acct=root admin_space_left_action=halt'
OPTIONS=''
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
audit() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
else
ok "$FILE exists, checking configuration"
for AUDIT_OPTION in $OPTIONS; do
AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET != 0 ]; then
crit "$PATTERN is not present in $FILE"
else
ok "$PATTERN is present in $FILE"
fi
AUDIT_PARAM=$(echo "$AUDIT_OPTION" | cut -d= -f 1)
AUDIT_VALUE=$(echo "$AUDIT_OPTION" | cut -d= -f 2)
PATTERN="^${AUDIT_PARAM}[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in $FILE"
else
ok "$PATTERN is present in $FILE"
fi
done
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
apply() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist, creating it"
touch $FILE
else
ok "$FILE exists"
fi
for AUDIT_OPTION in $OPTIONS; do
AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
AUDIT_PARAM=$(echo "$AUDIT_OPTION" | cut -d= -f 1)
AUDIT_VALUE=$(echo "$AUDIT_OPTION" | cut -d= -f 2)
debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET != 0 ]; then
PATTERN="^${AUDIT_PARAM}[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 0 ]; then
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$AUDIT_PARAM"
if [ $FNRET != 0 ]; then
does_pattern_exist_in_file "$FILE" "^$AUDIT_PARAM"
if [ "$FNRET" != 0 ]; then
info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end"
add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE"
add_end_of_file "$FILE" "$AUDIT_PARAM = $AUDIT_VALUE"
else
info "Parameter $AUDIT_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$AUDIT_PARAM[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE"
replace_in_file "$FILE" "^${AUDIT_PARAM}[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE"
fi
else
ok "$PATTERN is present in $FILE"
@ -75,19 +78,30 @@ check_config() {
:
}
create_config() {
cat <<EOF
# shellcheck disable=2034
status=audit
# Put here the conf for auditd
OPTIONS='space_left_action=email action_mail_acct=root admin_space_left_action=halt'
EOF
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

63
bin/hardening/4.1.1.3_keep_all_audit_logs.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,58 +12,60 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=4
# shellcheck disable=2034
DESCRIPTION="Keep all auditing information."
FILE='/etc/audit/auditd.conf'
OPTIONS='max_log_file_action=keep_logs'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
audit() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
else
ok "$FILE exists, checking configuration"
for AUDIT_OPTION in $OPTIONS; do
AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET != 0 ]; then
crit "$PATTERN is not present in $FILE"
else
ok "$PATTERN is present in $FILE"
fi
AUDIT_PARAM=$(echo "$AUDIT_OPTION" | cut -d= -f 1)
AUDIT_VALUE=$(echo "$AUDIT_OPTION" | cut -d= -f 2)
PATTERN="^${AUDIT_PARAM}[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in $FILE"
else
ok "$PATTERN is present in $FILE"
fi
done
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
apply() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist, creating it"
touch $FILE
else
ok "$FILE exists"
fi
for AUDIT_OPTION in $OPTIONS; do
AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
AUDIT_PARAM=$(echo "$AUDIT_OPTION" | cut -d= -f 1)
AUDIT_VALUE=$(echo "$AUDIT_OPTION" | cut -d= -f 2)
debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
PATTERN="^${AUDIT_PARAM}[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET != 0 ]; then
if [ "$FNRET" != 0 ]; then
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$AUDIT_PARAM"
if [ $FNRET != 0 ]; then
info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end"
add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE"
does_pattern_exist_in_file "$FILE" "^$AUDIT_PARAM"
if [ "$FNRET" != 0 ]; then
info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end"
add_end_of_file "$FILE" "$AUDIT_PARAM = $AUDIT_VALUE"
else
info "Parameter $AUDIT_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$AUDIT_PARAM[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE"
replace_in_file "$FILE" "^${AUDIT_PARAM}[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE"
fi
else
ok "$PATTERN is present in $FILE"
@ -77,17 +80,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

29
bin/hardening/4.1.10_record_dac_edit.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,7 +12,9 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=4
# shellcheck disable=2034
DESCRIPTION="Collect discretionary access control (DAC) permission modification events."
AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
@ -23,7 +26,7 @@ AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>
FILE='/etc/audit/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
@ -31,9 +34,9 @@ audit () {
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS
if [ $FNRET != 0 ]; then
if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
@ -43,15 +46,15 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE $AUDIT_VALUE
if [ $FNRET != 0 ]; then
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
eval $(pkill -HUP -P 1 auditd)
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
@ -65,17 +68,19 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

Some files were not shown because too many files have changed in this diff Show More