elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2025-07-16 22:02:17 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: elie:v2.1-1
Branches Tags
elie:master elie:damcava35/deb12_scripts_2 elie:damcava35/update_lib elie:damcava35/new_scripts elie:damcava35/issue_249 elie:damcava35/drop_debian10 elie:damcava35/is_ip_v6_enabled elie:damcava35/issue_195 elie:damcava35/fix_only elie:damcava35/fix_packaging elie:damcava35/set_version elie:damcava35/test_pre_commit elie:dev/thibault.dewailly/deb12 elie:dependabot/github_actions/luizm/action-sh-checker-0.9.0 elie:dev/thibault.dewailly/set_hardening_level elie:dev/thibault.dewailly/syslogng_remotecheck
elie:latest elie:v4.1-5 elie:v4.1-4 elie:v4.1-3 elie:v4.1-2 elie:v4.1-1 elie:v4.0-1 elie:v3.8-1 elie:v3.7-1 elie:v3.6-1 elie:v3.5-1 elie:v3.4-1 elie:v3.3-1 elie:v3.2-2 elie:v3.2-1 elie:v3.2-0 elie:v3.1-6 elie:v3.1-5 elie:v3.1-4 elie:v3.1-3 elie:v3.1-2 elie:v3.1-1 elie:v3.1-0 elie:v3.0-1 elie:v3.0 elie:v2.1-6 elie:v2.1-5 elie:v2.1-4 elie:v2.1-3 elie:v2.1-2 elie:v2.1-1 elie:v2.0-6 elie:v2.0-5 elie:v2.0-4 elie:v1.3-4 elie:v1.3-3 elie:v1.3-2 elie:v1.3 elie:v1.2-1 elie:v1.1-1
..
compare: elie:v2.1-4
Branches Tags
elie:damcava35/deb12_scripts_2 elie:damcava35/update_lib elie:damcava35/new_scripts elie:master elie:damcava35/issue_249 elie:damcava35/drop_debian10 elie:damcava35/is_ip_v6_enabled elie:damcava35/issue_195 elie:damcava35/fix_only elie:damcava35/fix_packaging elie:damcava35/set_version elie:damcava35/test_pre_commit elie:dev/thibault.dewailly/deb12 elie:dependabot/github_actions/luizm/action-sh-checker-0.9.0 elie:dev/thibault.dewailly/set_hardening_level elie:dev/thibault.dewailly/syslogng_remotecheck
elie:latest elie:v4.1-5 elie:v4.1-4 elie:v4.1-3 elie:v4.1-2 elie:v4.1-1 elie:v4.0-1 elie:v3.8-1 elie:v3.7-1 elie:v3.6-1 elie:v3.5-1 elie:v3.4-1 elie:v3.3-1 elie:v3.2-2 elie:v3.2-1 elie:v3.2-0 elie:v3.1-6 elie:v3.1-5 elie:v3.1-4 elie:v3.1-3 elie:v3.1-2 elie:v3.1-1 elie:v3.1-0 elie:v3.0-1 elie:v3.0 elie:v2.1-6 elie:v2.1-5 elie:v2.1-4 elie:v2.1-3 elie:v2.1-2 elie:v2.1-1 elie:v2.0-6 elie:v2.0-5 elie:v2.0-4 elie:v1.3-4 elie:v1.3-3 elie:v1.3-2 elie:v1.3 elie:v1.2-1 elie:v1.1-1

11 Commits
v2.1-1 ... v2.1-4

Author SHA1 Message Date
Thibault Ayanides
106fa5fc8a Update changelog 2020-12-04 14:24:34 +01:00
Thibault Ayanides
3a342b784a IMP(shfmt): add shell formatter 2020-12-04 14:08:01 +01:00
Thibault Ayanides
bc1aa65b91 IMP(shellcheck): quote variable in tests (SC2086) 2020-11-30 13:05:41 +01:00
Thibault Ayanides
dba1dae963 IMP(shellcheck): quoting harmless variables (SC2086) 2020-11-27 09:29:11 +01:00
Thibault Ayanides
4add6ddc33 IMP(shellcheck): add prefix to define shell (SC2148) 2020-11-27 09:22:47 +01:00
Thibault Ayanides
c17d04ecc2 IMP(shellcheck): comply with shellcheck rules 
I added shellcheck prefixes to fix:
 * SC1091 (following sourced files)
 * SC2034 (unused variables)
 2020-11-27 09:18:00 +01:00
Thibault Ayanides
cccc0881e9 IMP(shellcheck): add run-shellcheck prefix 2020-11-23 17:10:37 +01:00
Thibault Ayanides
9c3aa51982 Update changelog 2020-11-30 15:16:36 +01:00
Thibault Ayanides
b994ca11a7 FIX(main): fix small bug in main 
The bug (introduced in 2.1-2) leaded to an error in the test that evaluates forcedstatus
 2020-11-30 15:10:39 +01:00
Thibault Ayanides
f4e0aafacc IMP(5.2.3): fix possible permissions for 5.2.3 2020-11-30 14:27:20 +01:00
Thibault Ayanides
d40a85085d FIX: fix issue, we had to run audit twice 
First one as root to create conf files with good owner and permissions, and then with secaudit.
Now first run with --create-config-files-only and the normally with --audit.
 2020-11-20 10:05:14 +01:00
426 changed files with 4565 additions and 3384 deletions
Expand all files Collapse all files

1
.gitignore vendored
View File

@ -0,0 +1 @@
tmp/shfmt

160
bin/hardening.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com> # Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
@ -20,13 +21,14 @@ AUDIT=0
APPLY=0 APPLY=0
AUDIT_ALL=0 AUDIT_ALL=0
AUDIT_ALL_ENABLE_PASSED=0 AUDIT_ALL_ENABLE_PASSED=0
CREATE_CONFIG=0
ALLOW_SERVICE_LIST=0 ALLOW_SERVICE_LIST=0
SET_HARDENING_LEVEL=0 SET_HARDENING_LEVEL=0
SUDO_MODE='' SUDO_MODE=''
BATCH_MODE='' BATCH_MODE=''
usage() { usage() {
cat << EOF cat <<EOF
$LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of: $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
--help -h --help -h
@ -76,6 +78,10 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
Modifies the policy to allow a certain kind of services on the machine, such Modifies the policy to allow a certain kind of services on the machine, such
as http, mail, etc. Can be specified multiple times to allow multiple services. as http, mail, etc. Can be specified multiple times to allow multiple services.
Use --allow-service-list to get a list of supported services. Use --allow-service-list to get a list of supported services.
--create-config-files-only
Create the config files in etc/conf.d
Must be run as root, before running the audit with user secaudit
OPTIONS: OPTIONS:
@ -111,52 +117,55 @@ declare -a TEST_LIST ALLOWED_SERVICES_LIST
while [[ $# > 0 ]]; do while [[ $# > 0 ]]; do
ARG="$1" ARG="$1"
case $ARG in case $ARG in
--audit) --audit)
AUDIT=1 AUDIT=1
;; ;;
--audit-all) --audit-all)
AUDIT_ALL=1 AUDIT_ALL=1
;; ;;
--audit-all-enable-passed) --audit-all-enable-passed)
AUDIT_ALL_ENABLE_PASSED=1 AUDIT_ALL_ENABLE_PASSED=1
;; ;;
--apply) --apply)
APPLY=1 APPLY=1
;; ;;
--allow-service-list) --allow-service-list)
ALLOW_SERVICE_LIST=1 ALLOW_SERVICE_LIST=1
;; ;;
--allow-service) --create-config-files-only)
ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2" CREATE_CONFIG=1
shift
;; ;;
--set-hardening-level) --allow-service)
SET_HARDENING_LEVEL="$2" ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
shift shift
;; ;;
--only) --set-hardening-level)
TEST_LIST[${#TEST_LIST[@]}]="$2" SET_HARDENING_LEVEL="$2"
shift shift
;; ;;
--sudo) --only)
SUDO_MODE='--sudo' TEST_LIST[${#TEST_LIST[@]}]="$2"
shift
;; ;;
--batch) --sudo)
BATCH_MODE='--batch' SUDO_MODE='--sudo'
LOGLEVEL=ok
;; ;;
-h|--help) --batch)
usage BATCH_MODE='--batch'
LOGLEVEL=ok
;; ;;
*) -h | --help)
usage usage
;;
*)
usage
;; ;;
esac esac
shift shift
done done
# if no RUN_MODE was passed, usage and quit # if no RUN_MODE was passed, usage and quit
if [ "$AUDIT" -eq 0 -a "$AUDIT_ALL" -eq 0 -a "$AUDIT_ALL_ENABLE_PASSED" -eq 0 -a "$APPLY" -eq 0 ]; then if [ "$AUDIT" -eq 0 -a "$AUDIT_ALL" -eq 0 -a "$AUDIT_ALL_ENABLE_PASSED" -eq 0 -a "$APPLY" -eq 0 -a "$CREATE_CONFIG" -eq 0 ]; then
usage usage
fi fi
@ -165,20 +174,20 @@ if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh [ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg [ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh [ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh [ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
if [ $BATCH_MODE ]; then MACHINE_LOG_LEVEL=3; fi if [ $BATCH_MODE ]; then MACHINE_LOG_LEVEL=3; fi
# If --allow-service-list is specified, don't run anything, just list the supported services # If --allow-service-list is specified, don't run anything, just list the supported services
if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then if [ "$ALLOW_SERVICE_LIST" = 1 ]; then
declare -a HARDENING_EXCEPTIONS_LIST declare -a HARDENING_EXCEPTIONS_LIST
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
template=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2) template=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2)
@ -189,8 +198,8 @@ if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then
fi fi
# If --set-hardening-level is specified, don't run anything, just apply config for each script # If --set-hardening-level is specified, don't run anything, just apply config for each script
if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ]; then
if ! grep -q "^[12345]$" <<< "$SET_HARDENING_LEVEL" ; then if ! grep -q "^[12345]$" <<<"$SET_HARDENING_LEVEL"; then
echo "Bad --set-hardening-level specified ('$SET_HARDENING_LEVEL'), expected 1 to 5" echo "Bad --set-hardening-level specified ('$SET_HARDENING_LEVEL'), expected 1 to 5"
exit 1 exit 1
fi fi
@ -198,7 +207,7 @@ if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
SCRIPT_BASENAME=$(basename $SCRIPT .sh) SCRIPT_BASENAME=$(basename $SCRIPT .sh)
script_level=$(grep "^HARDENING_LEVEL=" "$SCRIPT" | cut -d= -f2) script_level=$(grep "^HARDENING_LEVEL=" "$SCRIPT" | cut -d= -f2)
if [ -z "$script_level" ] ; then if [ -z "$script_level" ]; then
echo "The script $SCRIPT_BASENAME doesn't have a hardening level, configuration untouched for it" echo "The script $SCRIPT_BASENAME doesn't have a hardening level, configuration untouched for it"
continue continue
fi fi
@ -210,21 +219,28 @@ if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then
exit 0 exit 0
fi fi
if [ $CREATE_CONFIG = 1 ] && [ "$EUID" -ne 0 ]; then
echo "For --create-config-files-only, please run as root"
exit 1
fi
# Parse every scripts and execute them in the required mode # Parse every scripts and execute them in the required mode
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
if [ ${#TEST_LIST[@]} -gt 0 ] ; then if [ ${#TEST_LIST[@]} -gt 0 ]; then
# --only X has been specified at least once, is this script in my list ? # --only X has been specified at least once, is this script in my list ?
SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<< "$(basename $SCRIPT)") SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename $SCRIPT)")
SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<< "$SCRIPT_PREFIX") SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX")
if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<< "${TEST_LIST[@]}"; then if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<<"${TEST_LIST[@]}"; then
# not in the list # not in the list
continue continue
fi fi
fi fi
info "Treating $SCRIPT" info "Treating $SCRIPT"
if [ $CREATE_CONFIG = 1 ]; then
if [ $AUDIT = 1 ]; then debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only"
$SCRIPT --create-config-files-only $BATCH_MODE
elif [ $AUDIT = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE" debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
$SCRIPT --audit $SUDO_MODE $BATCH_MODE $SCRIPT --audit $SUDO_MODE $BATCH_MODE
elif [ $AUDIT_ALL = 1 ]; then elif [ $AUDIT_ALL = 1 ]; then
@ -242,30 +258,30 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
debug "Script $SCRIPT finished with exit code $SCRIPT_EXITCODE" debug "Script $SCRIPT finished with exit code $SCRIPT_EXITCODE"
case $SCRIPT_EXITCODE in case $SCRIPT_EXITCODE in
0) 0)
debug "$SCRIPT passed" debug "$SCRIPT passed"
PASSED_CHECKS=$((PASSED_CHECKS+1)) PASSED_CHECKS=$((PASSED_CHECKS + 1))
if [ $AUDIT_ALL_ENABLE_PASSED = 1 ] ; then if [ $AUDIT_ALL_ENABLE_PASSED = 1 ]; then
SCRIPT_BASENAME=$(basename $SCRIPT .sh) SCRIPT_BASENAME=$(basename $SCRIPT .sh)
sed -i -re 's/^status=.+/status=enabled/' $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg sed -i -re 's/^status=.+/status=enabled/' $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg" info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
fi fi
;; ;;
1) 1)
debug "$SCRIPT failed" debug "$SCRIPT failed"
FAILED_CHECKS=$((FAILED_CHECKS+1)) FAILED_CHECKS=$((FAILED_CHECKS + 1))
;; ;;
2) 2)
debug "$SCRIPT is disabled" debug "$SCRIPT is disabled"
DISABLED_CHECKS=$((DISABLED_CHECKS+1)) DISABLED_CHECKS=$((DISABLED_CHECKS + 1))
;; ;;
esac esac
TOTAL_CHECKS=$((TOTAL_CHECKS+1)) TOTAL_CHECKS=$((TOTAL_CHECKS + 1))
done done
TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS-DISABLED_CHECKS)) TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS - DISABLED_CHECKS))
if [ $BATCH_MODE ]; then if [ $BATCH_MODE ]; then
BATCH_SUMMARY="AUDIT_SUMMARY " BATCH_SUMMARY="AUDIT_SUMMARY "
@ -273,7 +289,7 @@ if [ $BATCH_MODE ]; then
BATCH_SUMMARY+="RUN_CHECKS:${TOTAL_TREATED_CHECKS:-0} " BATCH_SUMMARY+="RUN_CHECKS:${TOTAL_TREATED_CHECKS:-0} "
BATCH_SUMMARY+="TOTAL_CHECKS_AVAIL:${TOTAL_CHECKS:-0}" BATCH_SUMMARY+="TOTAL_CHECKS_AVAIL:${TOTAL_CHECKS:-0}"
if [ $TOTAL_TREATED_CHECKS != 0 ]; then if [ $TOTAL_TREATED_CHECKS != 0 ]; then
CONFORMITY_PERCENTAGE=$(bc -l <<< "scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100") CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%s" "$CONFORMITY_PERCENTAGE")" BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%s" "$CONFORMITY_PERCENTAGE")"
else else
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0 BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
@ -281,17 +297,17 @@ if [ $BATCH_MODE ]; then
becho $BATCH_SUMMARY becho $BATCH_SUMMARY
else else
printf "%40s\n" "################### SUMMARY ###################" printf "%40s\n" "################### SUMMARY ###################"
printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS" printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
printf "%30s %s\n" "Total Runned Checks :" "$TOTAL_TREATED_CHECKS" printf "%30s %s\n" "Total Runned Checks :" "$TOTAL_TREATED_CHECKS"
printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS" printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS" printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
ENABLED_CHECKS_PERCENTAGE=$(bc -l <<< "scale=2; ($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100") ENABLED_CHECKS_PERCENTAGE=$(bc -l <<<"scale=2; ($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100")
CONFORMITY_PERCENTAGE=$(bc -l <<< "scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100") CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
printf "%30s %s %%\n" "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE" printf "%30s %s %%\n" "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE"
if [ $TOTAL_TREATED_CHECKS != 0 ]; then if [ $TOTAL_TREATED_CHECKS != 0 ]; then
printf "%30s %s %%\n" "Conformity Percentage :" "$CONFORMITY_PERCENTAGE" printf "%30s %s %%\n" "Conformity Percentage :" "$CONFORMITY_PERCENTAGE"
else else
printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No check runned, avoid division by 0 printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No check runned, avoid division by 0
fi fi
fi fi

26
bin/hardening/1.1.1.1_disable_freevxfs.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,17 +12,18 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable mounting of freevxfs filesystems." DESCRIPTION="Disable mounting of freevxfs filesystems."
KERNEL_OPTION="CONFIG_VXFS_FS" KERNEL_OPTION="CONFIG_VXFS_FS"
MODULE_NAME="freevxfs" MODULE_NAME="freevxfs"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!" crit "$KERNEL_OPTION is enabled!"
else else
ok "$KERNEL_OPTION is disabled" ok "$KERNEL_OPTION is disabled"
@ -29,9 +31,9 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
is_kernel_option_enabled $KERNEL_OPTION is_kernel_option_enabled "$KERNEL_OPTION"
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
else else
ok "$KERNEL_OPTION is disabled, nothing to do" ok "$KERNEL_OPTION is disabled, nothing to do"
@ -45,17 +47,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

26
bin/hardening/1.1.1.2_disable_jffs2.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,17 +12,18 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable mounting of jffs2 filesystems." DESCRIPTION="Disable mounting of jffs2 filesystems."
KERNEL_OPTION="CONFIG_JFFS2_FS" KERNEL_OPTION="CONFIG_JFFS2_FS"
MODULE_NAME="jffs2" MODULE_NAME="jffs2"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!" crit "$KERNEL_OPTION is enabled!"
else else
ok "$KERNEL_OPTION is disabled" ok "$KERNEL_OPTION is disabled"
@ -29,9 +31,9 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
is_kernel_option_enabled $KERNEL_OPTION is_kernel_option_enabled "$KERNEL_OPTION"
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
else else
ok "$KERNEL_OPTION is disabled, nothing to do" ok "$KERNEL_OPTION is disabled, nothing to do"
@ -45,17 +47,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

26
bin/hardening/1.1.1.3_disable_hfs.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,17 +12,18 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable mounting of hfs filesystems." DESCRIPTION="Disable mounting of hfs filesystems."
KERNEL_OPTION="CONFIG_HFS_FS" KERNEL_OPTION="CONFIG_HFS_FS"
MODULE_FILE="hfs" MODULE_FILE="hfs"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!" crit "$KERNEL_OPTION is enabled!"
else else
ok "$KERNEL_OPTION is disabled" ok "$KERNEL_OPTION is disabled"
@ -29,9 +31,9 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
is_kernel_option_enabled $KERNEL_OPTION is_kernel_option_enabled "$KERNEL_OPTION"
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
else else
ok "$KERNEL_OPTION is disabled, nothing to do" ok "$KERNEL_OPTION is disabled, nothing to do"
@ -45,17 +47,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

26
bin/hardening/1.1.1.4_disable_hfsplus.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,17 +12,18 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable mounting of hfsplus filesystems." DESCRIPTION="Disable mounting of hfsplus filesystems."
KERNEL_OPTION="CONFIG_HFSPLUS_FS" KERNEL_OPTION="CONFIG_HFSPLUS_FS"
MODULE_FILE="hfsplus" MODULE_FILE="hfsplus"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!" crit "$KERNEL_OPTION is enabled!"
else else
ok "$KERNEL_OPTION is disabled" ok "$KERNEL_OPTION is disabled"
@ -29,9 +31,9 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
is_kernel_option_enabled $KERNEL_OPTION is_kernel_option_enabled "$KERNEL_OPTION"
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
else else
ok "$KERNEL_OPTION is disabled, nothing to do" ok "$KERNEL_OPTION is disabled, nothing to do"
@ -45,17 +47,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

26
bin/hardening/1.1.1.5_disable_udf.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,17 +12,18 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable mounting of udf filesystems." DESCRIPTION="Disable mounting of udf filesystems."
KERNEL_OPTION="CONFIG_UDF_FS" KERNEL_OPTION="CONFIG_UDF_FS"
MODULE_FILE="udf" MODULE_FILE="udf"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!" crit "$KERNEL_OPTION is enabled!"
else else
ok "$KERNEL_OPTION is disabled" ok "$KERNEL_OPTION is disabled"
@ -29,9 +31,9 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
is_kernel_option_enabled $KERNEL_OPTION is_kernel_option_enabled "$KERNEL_OPTION"
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
else else
ok "$KERNEL_OPTION is disabled, nothing to do" ok "$KERNEL_OPTION is disabled, nothing to do"
@ -45,17 +47,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

26
bin/hardening/1.1.1.6_disable_cramfs.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,17 +12,18 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable mounting of cramfs filesystems." DESCRIPTION="Disable mounting of cramfs filesystems."
KERNEL_OPTION="CONFIG_CRAMFS" KERNEL_OPTION="CONFIG_CRAMFS"
MODULE_NAME="cramfs" MODULE_NAME="cramfs"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!" crit "$KERNEL_OPTION is enabled!"
else else
ok "$KERNEL_OPTION is disabled" ok "$KERNEL_OPTION is disabled"
@ -30,9 +32,9 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
is_kernel_option_enabled $KERNEL_OPTION is_kernel_option_enabled "$KERNEL_OPTION"
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
else else
ok "$KERNEL_OPTION is disabled, nothing to do" ok "$KERNEL_OPTION is disabled, nothing to do"
@ -47,17 +49,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

26
bin/hardening/1.1.1.7_disable_squashfs.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,17 +12,18 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable mounting of squashfs filesytems." DESCRIPTION="Disable mounting of squashfs filesytems."
KERNEL_OPTION="CONFIG_SQUASHFS" KERNEL_OPTION="CONFIG_SQUASHFS"
MODULE_FILE="squashfs" MODULE_FILE="squashfs"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!" crit "$KERNEL_OPTION is enabled!"
else else
ok "$KERNEL_OPTION is disabled" ok "$KERNEL_OPTION is disabled"
@ -30,9 +32,9 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
is_kernel_option_enabled $KERNEL_OPTION is_kernel_option_enabled "$KERNEL_OPTION"
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
else else
ok "$KERNEL_OPTION is disabled, nothing to do" ok "$KERNEL_OPTION is disabled, nothing to do"
@ -47,17 +49,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

39
bin/hardening/1.1.10_var_tmp_noexec.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,7 +12,9 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="/var/tmp partition with noexec option." DESCRIPTION="/var/tmp partition with noexec option."
# Quick factoring as many script use the same logic # Quick factoring as many script use the same logic
@ -19,7 +22,7 @@ PARTITION="/var/tmp"
OPTION="noexec" OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
@ -28,38 +31,38 @@ audit () {
FNRET=2 FNRET=2
else else
ok "$PARTITION is a partition" ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION has_mount_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
ok "$PARTITION has $OPTION in fstab" ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION has_mounted_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime" warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3 FNRET=3
else else
ok "$PARTITION mounted with $OPTION" ok "$PARTITION mounted with $OPTION"
fi fi
fi fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab" info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION add_option_to_fstab $PARTITION $OPTION
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"
remount_partition $PARTITION remount_partition "$PARTITION"
elif [ $FNRET = 3 ]; then elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"
remount_partition $PARTITION remount_partition "$PARTITION"
fi fi
} }
# This function will check config parameters required # This function will check config parameters required
@ -70,17 +73,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

23
bin/hardening/1.1.11_var_log_partition.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,14 +12,16 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="/var/log on separate partition." DESCRIPTION="/var/log on separate partition."
# Quick factoring as many script use the same logic # Quick factoring as many script use the same logic
PARTITION="/var/log" PARTITION="/var/log"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
@ -38,14 +41,14 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
else else
info "mounting $PARTITION" info "mounting $PARTITION"
mount $PARTITION mount "$PARTITION"
fi fi
} }
@ -57,17 +60,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

22
bin/hardening/1.1.12_var_log_audit_partition.sh
View File

@ -11,14 +11,16 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=4 HARDENING_LEVEL=4
# shellcheck disable=2034
DESCRIPTION="/var/log/audit on a separate partition." DESCRIPTION="/var/log/audit on a separate partition."
# Quick factoring as many script use the same logic # Quick factoring as many script use the same logic
PARTITION="/var/log/audit" PARTITION="/var/log/audit"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
@ -38,14 +40,14 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
else else
info "mounting $PARTITION" info "mounting $PARTITION"
mount $PARTITION mount "$PARTITION"
fi fi
} }
@ -57,17 +59,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

23
bin/hardening/1.1.13_home_partition.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,14 +12,16 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="/home on a separate partition." DESCRIPTION="/home on a separate partition."
# Quick factoring as many script use the same logic # Quick factoring as many script use the same logic
PARTITION="/home" PARTITION="/home"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
@ -38,14 +41,14 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
else else
info "mounting $PARTITION" info "mounting $PARTITION"
mount $PARTITION mount "$PARTITION"
fi fi
} }
@ -57,17 +60,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

33
bin/hardening/1.1.14_home_nodev.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,7 +12,9 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/home partition with nodev option." DESCRIPTION="/home partition with nodev option."
# Quick factoring as many script use the same logic # Quick factoring as many script use the same logic
@ -19,7 +22,7 @@ PARTITION="/home"
OPTION="nodev" OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
@ -28,13 +31,13 @@ audit () {
FNRET=2 FNRET=2
else else
ok "$PARTITION is a partition" ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION has_mount_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
ok "$PARTITION has $OPTION in fstab" ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION has_mounted_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime" warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3 FNRET=3
@ -46,19 +49,19 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab" info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION add_option_to_fstab $PARTITION $OPTION
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"
remount_partition $PARTITION remount_partition "$PARTITION"
elif [ $FNRET = 3 ]; then elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"
remount_partition $PARTITION remount_partition "$PARTITION"
fi fi
} }
@ -70,17 +73,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

27
bin/hardening/1.1.15_run_shm_nodev.sh
View File

@ -22,7 +22,7 @@ PARTITION="/run/shm"
OPTION="nodev" OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
PARTITION=$(readlink -e "$PARTITION") PARTITION=$(readlink -e "$PARTITION")
FNRET=0 FNRET=0
@ -32,13 +32,13 @@ audit () {
FNRET=2 FNRET=2
else else
ok "$PARTITION is a partition" ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION has_mount_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
ok "$PARTITION has $OPTION in fstab" ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION has_mounted_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime" warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3 FNRET=3
@ -50,19 +50,19 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab" info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION add_option_to_fstab $PARTITION $OPTION
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"
remount_partition $PARTITION remount_partition "$PARTITION"
elif [ $FNRET = 3 ]; then elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"
remount_partition $PARTITION remount_partition "$PARTITION"
fi fi
} }
@ -74,17 +74,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=/opt/debian-cis/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

27
bin/hardening/1.1.16_run_shm_nosuid.sh
View File

@ -22,7 +22,7 @@ PARTITION="/run/shm"
OPTION="nosuid" OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
PARTITION=$(readlink -e "$PARTITION") PARTITION=$(readlink -e "$PARTITION")
FNRET=0 FNRET=0
@ -32,13 +32,13 @@ audit () {
FNRET=2 FNRET=2
else else
ok "$PARTITION is a partition" ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION has_mount_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
ok "$PARTITION has $OPTION in fstab" ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION has_mounted_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime" warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3 FNRET=3
@ -50,19 +50,19 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab" info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION add_option_to_fstab $PARTITION $OPTION
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"
remount_partition $PARTITION remount_partition "$PARTITION"
elif [ $FNRET = 3 ]; then elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"
remount_partition $PARTITION remount_partition "$PARTITION"
fi fi
} }
@ -74,17 +74,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=/opt/debian-cis/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

27
bin/hardening/1.1.17_run_shm_noexec.sh
View File

@ -22,7 +22,7 @@ PARTITION="/run/shm"
OPTION="noexec" OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
PARTITION=$(readlink -e "$PARTITION") PARTITION=$(readlink -e "$PARTITION")
FNRET=0 FNRET=0
@ -32,13 +32,13 @@ audit () {
FNRET=2 FNRET=2
else else
ok "$PARTITION is a partition" ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION has_mount_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
ok "$PARTITION has $OPTION in fstab" ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION has_mounted_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime" warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3 FNRET=3
@ -50,19 +50,19 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab" info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION add_option_to_fstab $PARTITION $OPTION
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"
remount_partition $PARTITION remount_partition "$PARTITION"
elif [ $FNRET = 3 ]; then elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"
remount_partition $PARTITION remount_partition "$PARTITION"
fi fi
} }
@ -74,17 +74,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=/opt/debian-cis/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

23
bin/hardening/1.1.18_removable_device_nodev.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,7 +12,9 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="nodev option for removable media partitions." DESCRIPTION="nodev option for removable media partitions."
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
@ -21,7 +24,7 @@ PARTITION="/media\S*"
OPTION="nodev" OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying if there is $PARTITION like partition" info "Verifying if there is $PARTITION like partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
@ -30,7 +33,7 @@ audit () {
FNRET=0 FNRET=0
else else
info "detected $PARTITION like" info "detected $PARTITION like"
has_mount_option $PARTITION $OPTION has_mount_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
@ -41,10 +44,10 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ $FNRET = 1 ]; then elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab" info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION add_option_to_fstab $PARTITION $OPTION
fi fi
@ -58,17 +61,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

23
bin/hardening/1.1.19_removable_device_nosuid.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,7 +12,9 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="nosuid option for removable media partitions." DESCRIPTION="nosuid option for removable media partitions."
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
@ -21,7 +24,7 @@ PARTITION="/media\S*"
OPTION="nosuid" OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying if there is $PARTITION like partition" info "Verifying if there is $PARTITION like partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
@ -30,7 +33,7 @@ audit () {
FNRET=0 FNRET=0
else else
info "detected $PARTITION like" info "detected $PARTITION like"
has_mount_option $PARTITION $OPTION has_mount_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
@ -41,10 +44,10 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ $FNRET = 1 ]; then elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab" info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION add_option_to_fstab $PARTITION $OPTION
fi fi
@ -58,17 +61,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

23
bin/hardening/1.1.20_removable_device_noexec.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,7 +12,9 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="noexec option for removable media partitions." DESCRIPTION="noexec option for removable media partitions."
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
@ -21,7 +24,7 @@ PARTITION="/media\S*"
OPTION="noexec" OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying if there is $PARTITION like partition" info "Verifying if there is $PARTITION like partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
@ -30,7 +33,7 @@ audit () {
FNRET=0 FNRET=0
else else
info "detected $PARTITION like" info "detected $PARTITION like"
has_mount_option $PARTITION $OPTION has_mount_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
@ -41,10 +44,10 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ $FNRET = 1 ]; then elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab" info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION add_option_to_fstab $PARTITION $OPTION
fi fi
@ -58,17 +61,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

23
bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,17 +12,19 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them." DESCRIPTION="Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them."
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Checking if setuid is set on world writable Directories" info "Checking if setuid is set on world writable Directories"
FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} ) FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'})
RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null) RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then if [ ! -z "$RESULT" ]; then
crit "Some world writable directories are not on sticky bit mode!" crit "Some world writable directories are not on sticky bit mode!"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ') FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT" crit "$FORMATTED_RESULT"
else else
ok "All world writable directories have a sticky bit" ok "All world writable directories have a sticky bit"
@ -29,7 +32,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null) RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then if [ ! -z "$RESULT" ]; then
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
@ -46,17 +49,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

27
bin/hardening/1.1.22_disable_automounting.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,16 +12,18 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable automounting of devices." DESCRIPTION="Disable automounting of devices."
SERVICE_NAME="autofs" SERVICE_NAME="autofs"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Checking if $SERVICE_NAME is enabled" info "Checking if $SERVICE_NAME is enabled"
is_service_enabled $SERVICE_NAME is_service_enabled "$SERVICE_NAME"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$SERVICE_NAME is enabled" crit "$SERVICE_NAME is enabled"
else else
ok "$SERVICE_NAME is disabled" ok "$SERVICE_NAME is disabled"
@ -28,12 +31,12 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
info "Checking if $SERVICE_NAME is enabled" info "Checking if $SERVICE_NAME is enabled"
is_service_enabled $SERVICE_NAME is_service_enabled "$SERVICE_NAME"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
info "Disabling $SERVICE_NAME" info "Disabling $SERVICE_NAME"
update-rc.d $SERVICE_NAME remove > /dev/null 2>&1 update-rc.d $SERVICE_NAME remove >/dev/null 2>&1
else else
ok "$SERVICE_NAME is disabled" ok "$SERVICE_NAME is disabled"
fi fi
@ -46,17 +49,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

23
bin/hardening/1.1.2_tmp_partition.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,14 +12,16 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure /tmp is configured (Scored)" DESCRIPTION="Ensure /tmp is configured (Scored)"
# Quick factoring as many script use the same logic # Quick factoring as many script use the same logic
PARTITION="/tmp" PARTITION="/tmp"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
@ -38,14 +41,14 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
else else
info "mounting $PARTITION" info "mounting $PARTITION"
mount $PARTITION mount "$PARTITION"
fi fi
} }
@ -57,17 +60,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

39
bin/hardening/1.1.3_tmp_nodev.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,7 +12,9 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/tmp partition with nodev option." DESCRIPTION="/tmp partition with nodev option."
# Quick factoring as many script use the same logic # Quick factoring as many script use the same logic
@ -19,7 +22,7 @@ PARTITION="/tmp"
OPTION="nodev" OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
@ -28,38 +31,38 @@ audit () {
FNRET=2 FNRET=2
else else
ok "$PARTITION is a partition" ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION has_mount_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
ok "$PARTITION has $OPTION in fstab" ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION has_mounted_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime" warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3 FNRET=3
else else
ok "$PARTITION mounted with $OPTION" ok "$PARTITION mounted with $OPTION"
fi fi
fi fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab" info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION add_option_to_fstab $PARTITION $OPTION
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"
remount_partition $PARTITION remount_partition "$PARTITION"
elif [ $FNRET = 3 ]; then elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"
remount_partition $PARTITION remount_partition "$PARTITION"
fi fi
} }
# This function will check config parameters required # This function will check config parameters required
@ -70,17 +73,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

33
bin/hardening/1.1.4_tmp_nosuid.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,7 +12,9 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/tmp partition with nosuid option." DESCRIPTION="/tmp partition with nosuid option."
# Quick factoring as many script use the same logic # Quick factoring as many script use the same logic
@ -19,7 +22,7 @@ PARTITION="/tmp"
OPTION="nosuid" OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
@ -28,13 +31,13 @@ audit () {
FNRET=2 FNRET=2
else else
ok "$PARTITION is a partition" ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION has_mount_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
ok "$PARTITION has $OPTION in fstab" ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION has_mounted_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime" warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3 FNRET=3
@ -46,19 +49,19 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab" info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION add_option_to_fstab $PARTITION $OPTION
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"
remount_partition $PARTITION remount_partition "$PARTITION"
elif [ $FNRET = 3 ]; then elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"
remount_partition $PARTITION remount_partition "$PARTITION"
fi fi
} }
@ -70,17 +73,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

33
bin/hardening/1.1.5_tmp_noexec.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,7 +12,9 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="/tmp partition with noexec option." DESCRIPTION="/tmp partition with noexec option."
# Quick factoring as many script use the same logic # Quick factoring as many script use the same logic
@ -19,7 +22,7 @@ PARTITION="/tmp"
OPTION="noexec" OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
@ -28,13 +31,13 @@ audit () {
FNRET=2 FNRET=2
else else
ok "$PARTITION is a partition" ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION has_mount_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
ok "$PARTITION has $OPTION in fstab" ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION has_mounted_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime" warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3 FNRET=3
@ -46,19 +49,19 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab" info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION add_option_to_fstab $PARTITION $OPTION
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"
remount_partition $PARTITION remount_partition "$PARTITION"
elif [ $FNRET = 3 ]; then elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"
remount_partition $PARTITION remount_partition "$PARTITION"
fi fi
} }
@ -70,17 +73,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

25
bin/hardening/1.1.6_var_partition.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,14 +12,16 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="/var on a separate partition." DESCRIPTION="/var on a separate partition."
# Quick factoring as many script use the same logic # Quick factoring as many script use the same logic
PARTITION="/var" PARTITION="/var"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
@ -35,19 +38,19 @@ audit () {
ok "$PARTITION is mounted" ok "$PARTITION is mounted"
fi fi
fi fi
: :
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
else else
info "mounting $PARTITION" info "mounting $PARTITION"
mount $PARTITION mount "$PARTITION"
fi fi
} }
@ -59,17 +62,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

25
bin/hardening/1.1.7_var_tmp_partition.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,14 +12,16 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="/var/tmp on a separate partition." DESCRIPTION="/var/tmp on a separate partition."
# Quick factoring as many script use the same logic # Quick factoring as many script use the same logic
PARTITION="/var/tmp" PARTITION="/var/tmp"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
@ -35,19 +38,19 @@ audit () {
ok "$PARTITION is mounted" ok "$PARTITION is mounted"
fi fi
fi fi
: :
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
else else
info "mounting $PARTITION" info "mounting $PARTITION"
mount $PARTITION mount "$PARTITION"
fi fi
} }
@ -59,17 +62,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

39
bin/hardening/1.1.8_var_tmp_nodev.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,7 +12,9 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/var/tmp partition with nodev option." DESCRIPTION="/var/tmp partition with nodev option."
# Quick factoring as many script use the same logic # Quick factoring as many script use the same logic
@ -19,7 +22,7 @@ PARTITION="/var/tmp"
OPTION="nodev" OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
@ -28,38 +31,38 @@ audit () {
FNRET=2 FNRET=2
else else
ok "$PARTITION is a partition" ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION has_mount_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
ok "$PARTITION has $OPTION in fstab" ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION has_mounted_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime" warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3 FNRET=3
else else
ok "$PARTITION mounted with $OPTION" ok "$PARTITION mounted with $OPTION"
fi fi
fi fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab" info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION add_option_to_fstab $PARTITION $OPTION
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"
remount_partition $PARTITION remount_partition "$PARTITION"
elif [ $FNRET = 3 ]; then elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"
remount_partition $PARTITION remount_partition "$PARTITION"
fi fi
} }
# This function will check config parameters required # This function will check config parameters required
@ -70,17 +73,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

39
bin/hardening/1.1.9_var_tmp_nosuid.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,7 +12,9 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/var/tmp partition with nosuid option." DESCRIPTION="/var/tmp partition with nosuid option."
# Quick factoring as many script use the same logic # Quick factoring as many script use the same logic
@ -19,7 +22,7 @@ PARTITION="/var/tmp"
OPTION="nosuid" OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
@ -28,38 +31,38 @@ audit () {
FNRET=2 FNRET=2
else else
ok "$PARTITION is a partition" ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION has_mount_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
ok "$PARTITION has $OPTION in fstab" ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION has_mounted_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime" warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3 FNRET=3
else else
ok "$PARTITION mounted with $OPTION" ok "$PARTITION mounted with $OPTION"
fi fi
fi fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab" info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION add_option_to_fstab $PARTITION $OPTION
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"
remount_partition $PARTITION remount_partition "$PARTITION"
elif [ $FNRET = 3 ]; then elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"
remount_partition $PARTITION remount_partition "$PARTITION"
fi fi
} }
# This function will check config parameters required # This function will check config parameters required
@ -70,17 +73,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

47
bin/hardening/1.4.1_bootloader_ownership.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,7 +12,9 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=1 HARDENING_LEVEL=1
# shellcheck disable=2034
DESCRIPTION="User and group root owner of grub bootloader config." DESCRIPTION="User and group root owner of grub bootloader config."
# Assertion : Grub Based. # Assertion : Grub Based.
@ -22,38 +25,38 @@ GROUP='root'
PERMISSIONS='400' PERMISSIONS='400'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
has_file_correct_ownership $FILE $USER $GROUP has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
crit "$FILE ownership was not set to $USER:$GROUP" crit "$FILE ownership was not set to $USER:$GROUP"
fi fi
has_file_correct_permissions $FILE $PERMISSIONS has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
crit "$FILE permissions were not set to $PERMISSIONS" crit "$FILE permissions were not set to $PERMISSIONS"
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
has_file_correct_ownership $FILE $USER $GROUP has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
info "fixing $FILE ownership to $USER:$GROUP" info "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE chown $USER:$GROUP $FILE
fi fi
has_file_correct_permissions $FILE $PERMISSIONS has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
info "fixing $FILE permissions to $PERMISSIONS" info "fixing $FILE permissions to $PERMISSIONS"
chmod 0$PERMISSIONS $FILE chmod 0"$PERMISSIONS" "$FILE"
fi fi
} }
@ -61,22 +64,22 @@ apply () {
check_config() { check_config() {
is_pkg_installed "grub-pc" is_pkg_installed "grub-pc"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "Grub is not installed, not handling configuration" warn "Grub is not installed, not handling configuration"
exit 128 exit 128
fi fi
does_user_exist $USER does_user_exist $USER
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$USER does not exist" crit "$USER does not exist"
exit 128 exit 128
fi fi
does_group_exist $GROUP does_group_exist $GROUP
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$GROUP does not exist" crit "$GROUP does not exist"
exit 128 exit 128
fi fi
does_file_exist $FILE does_file_exist $FILE
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
exit 128 exit 128
fi fi
@ -84,17 +87,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

29
bin/hardening/1.4.2_bootloader_password.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,7 +12,9 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Setting bootloader password to secure boot parameters." DESCRIPTION="Setting bootloader password to secure boot parameters."
FILE='/boot/grub/grub.cfg' FILE='/boot/grub/grub.cfg'
@ -19,15 +22,15 @@ USER_PATTERN="^set superusers"
PWD_PATTERN="^password_pbkdf2" PWD_PATTERN="^password_pbkdf2"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
does_pattern_exist_in_file $FILE "$USER_PATTERN" does_pattern_exist_in_file $FILE "$USER_PATTERN"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$USER_PATTERN not present in $FILE" crit "$USER_PATTERN not present in $FILE"
else else
ok "$USER_PATTERN is present in $FILE" ok "$USER_PATTERN is present in $FILE"
fi fi
does_pattern_exist_in_file $FILE "$PWD_PATTERN" does_pattern_exist_in_file $FILE "$PWD_PATTERN"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PWD_PATTERN not present in $FILE" crit "$PWD_PATTERN not present in $FILE"
else else
ok "$PWD_PATTERN is present in $FILE" ok "$PWD_PATTERN is present in $FILE"
@ -35,15 +38,15 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
does_pattern_exist_in_file $FILE "$USER_PATTERN" does_pattern_exist_in_file $FILE "$USER_PATTERN"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$USER_PATTERN not present in $FILE, please configure password for grub" warn "$USER_PATTERN not present in $FILE, please configure password for grub"
else else
ok "$USER_PATTERN is present in $FILE" ok "$USER_PATTERN is present in $FILE"
fi fi
does_pattern_exist_in_file $FILE "$PWD_PATTERN" does_pattern_exist_in_file $FILE "$PWD_PATTERN"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$PWD_PATTERN not present in $FILE, please configure password for grub" warn "$PWD_PATTERN not present in $FILE, please configure password for grub"
else else
ok "$PWD_PATTERN is present in $FILE" ok "$PWD_PATTERN is present in $FILE"
@ -54,11 +57,11 @@ apply () {
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
is_pkg_installed "grub-pc" is_pkg_installed "grub-pc"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "grub-pc is not installed, not handling configuration" warn "grub-pc is not installed, not handling configuration"
exit 128 exit 128
fi fi
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
exit 128 exit 128
fi fi
@ -66,17 +69,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

21
bin/hardening/1.4.3_root_password.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,16 +12,18 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Root password for single user mode." DESCRIPTION="Root password for single user mode."
FILE="/etc/shadow" FILE="/etc/shadow"
PATTERN="^root:[*\!]:" PATTERN="^root:[*\!]:"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
does_pattern_exist_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET != 1 ]; then if [ "$FNRET" != 1 ]; then
crit "$PATTERN is present in $FILE" crit "$PATTERN is present in $FILE"
else else
ok "$PATTERN is not present in $FILE" ok "$PATTERN is not present in $FILE"
@ -28,9 +31,9 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
does_pattern_exist_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET != 1 ]; then if [ "$FNRET" != 1 ]; then
warn "$PATTERN is present in $FILE, please put a root password" warn "$PATTERN is present in $FILE, please put a root password"
else else
ok "$PATTERN is not present in $FILE" ok "$PATTERN is not present in $FILE"
@ -45,17 +48,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

31
bin/hardening/1.5.1_restrict_core_dumps.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,7 +12,9 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Restrict core dumps." DESCRIPTION="Restrict core dumps."
LIMIT_FILE='/etc/security/limits.conf' LIMIT_FILE='/etc/security/limits.conf'
@ -21,7 +24,7 @@ SYSCTL_PARAM='fs.suid_dumpable'
SYSCTL_EXP_RESULT=0 SYSCTL_EXP_RESULT=0
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
SEARCH_RES=0 SEARCH_RES=0
LIMIT_FILES="" LIMIT_FILES=""
if $SUDO_CMD [ -d $LIMIT_DIR ]; then if $SUDO_CMD [ -d $LIMIT_DIR ]; then
@ -32,7 +35,7 @@ audit () {
debug "Files to search $LIMIT_FILE $LIMIT_FILES" debug "Files to search $LIMIT_FILE $LIMIT_FILES"
for file in $LIMIT_FILE $LIMIT_FILES; do for file in $LIMIT_FILE $LIMIT_FILES; do
does_pattern_exist_in_file $file $LIMIT_PATTERN does_pattern_exist_in_file $file $LIMIT_PATTERN
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
debug "$LIMIT_PATTERN not present in $file" debug "$LIMIT_PATTERN not present in $file"
else else
ok "$LIMIT_PATTERN present in $file" ok "$LIMIT_PATTERN present in $file"
@ -44,9 +47,9 @@ audit () {
crit "$LIMIT_PATTERN is not present in $LIMIT_FILE $LIMIT_FILES" crit "$LIMIT_PATTERN is not present in $LIMIT_FILE $LIMIT_FILES"
fi fi
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -54,23 +57,23 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$LIMIT_PATTERN not present in $LIMIT_FILE, adding at the end of $LIMIT_FILE" warn "$LIMIT_PATTERN not present in $LIMIT_FILE, adding at the end of $LIMIT_FILE"
add_end_of_file $LIMIT_FILE "* hard core 0" add_end_of_file $LIMIT_FILE "* hard core 0"
else else
ok "$LIMIT_PATTERN present in $LIMIT_FILE" ok "$LIMIT_PATTERN present in $LIMIT_FILE"
fi fi
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
elif [ $FNRET = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi fi
} }
@ -81,17 +84,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

25
bin/hardening/1.5.2_enable_nx_support.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,7 +12,9 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Enable NoExecute/ExecuteDisable to prevent buffer overflow attacks." DESCRIPTION="Enable NoExecute/ExecuteDisable to prevent buffer overflow attacks."
PATTERN='NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:space:]]active' PATTERN='NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:space:]]active'
@ -31,11 +34,11 @@ nx_supported_and_enabled() {
} }
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
does_pattern_exist_in_dmesg $PATTERN does_pattern_exist_in_dmesg $PATTERN
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
nx_supported_and_enabled nx_supported_and_enabled
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled" crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
else else
ok "NX is supported and enabled" ok "NX is supported and enabled"
@ -46,11 +49,11 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
does_pattern_exist_in_dmesg $PATTERN does_pattern_exist_in_dmesg $PATTERN
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
nx_supported_and_enabled nx_supported_and_enabled
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled" crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
else else
ok "NX is supported and enabled" ok "NX is supported and enabled"
@ -67,17 +70,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

29
bin/hardening/1.5.3_enable_randomized_vm_placement.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,18 +12,20 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Enable Randomized Virtual Memory Region Placement to prevent memory page exploits." DESCRIPTION="Enable Randomized Virtual Memory Region Placement to prevent memory page exploits."
SYSCTL_PARAM='kernel.randomize_va_space' SYSCTL_PARAM='kernel.randomize_va_space'
SYSCTL_EXP_RESULT=2 SYSCTL_EXP_RESULT=2
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -30,12 +33,12 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
elif [ $FNRET = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -49,17 +52,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

27
bin/hardening/1.5.4_disable_prelink.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,15 +12,17 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable prelink to prevent libraries compromission." DESCRIPTION="Disable prelink to prevent libraries compromission."
PACKAGE='prelink' PACKAGE='prelink'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!" crit "$PACKAGE is installed!"
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -28,12 +31,12 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
/usr/sbin/prelink -ua /usr/sbin/prelink -ua
apt-get purge $PACKAGE -y apt-get purge "$PACKAGE" -y
apt-get autoremove apt-get autoremove
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -48,17 +51,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

33
bin/hardening/1.6.2.1_enable_apparmor.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,15 +12,17 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Activate AppArmor to enforce permissions control." DESCRIPTION="Activate AppArmor to enforce permissions control."
PACKAGE='apparmor' PACKAGE='apparmor'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is absent!" crit "$PACKAGE is absent!"
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
@ -27,7 +30,7 @@ audit () {
ERROR=0 ERROR=0
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg) RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
# define custom IFS and save default one # define custom IFS and save default one
d_IFS=$IFS d_IFS=$IFS
c_IFS=$'\n' c_IFS=$'\n'
@ -41,14 +44,14 @@ audit () {
IFS=$d_IFS IFS=$d_IFS
if [ $ERROR = 0 ]; then if [ $ERROR = 0 ]; then
ok "$PACKAGE is configured" ok "$PACKAGE is configured"
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed, please install $PACKAGE and configure it" crit "$PACKAGE is not installed, please install $PACKAGE and configure it"
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
@ -56,7 +59,7 @@ apply () {
ERROR=0 ERROR=0
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg) RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
# define custom IFS and save default one # define custom IFS and save default one
d_IFS=$IFS d_IFS=$IFS
c_IFS=$'\n' c_IFS=$'\n'
@ -68,7 +71,7 @@ apply () {
fi fi
done done
IFS=$d_IFS IFS=$d_IFS
if [ $ERROR = 1 ]; then if [ $ERROR = 1 ]; then
$SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor/" /etc/default/grub $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor/" /etc/default/grub
$SUDO_CMD update-grub $SUDO_CMD update-grub
@ -84,17 +87,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

21
bin/hardening/1.7.1.1_remove_os_info_motd.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,16 +12,18 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Remove OS information from motd" DESCRIPTION="Remove OS information from motd"
FILE='/etc/motd' FILE='/etc/motd'
PATTERN='(\\v|\\r|\\m|\\s)' PATTERN='(\\v|\\r|\\m|\\s)'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PATTERN is present in $FILE" crit "$PATTERN is present in $FILE"
else else
ok "$PATTERN is not present in $FILE" ok "$PATTERN is not present in $FILE"
@ -28,9 +31,9 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
warn "$PATTERN is present in $FILE" warn "$PATTERN is present in $FILE"
delete_line_in_file $FILE $PATTERN delete_line_in_file $FILE $PATTERN
else else
@ -45,17 +48,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

21
bin/hardening/1.7.1.2_remove_os_info_issue.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,16 +12,18 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Remove OS information from Login Warning Banners." DESCRIPTION="Remove OS information from Login Warning Banners."
FILE='/etc/issue' FILE='/etc/issue'
PATTERN='(\\v|\\r|\\m|\\s)' PATTERN='(\\v|\\r|\\m|\\s)'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PATTERN is present in $FILE" crit "$PATTERN is present in $FILE"
else else
ok "$PATTERN is not present in $FILE" ok "$PATTERN is not present in $FILE"
@ -28,9 +31,9 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
warn "$PATTERN is present in $FILE" warn "$PATTERN is present in $FILE"
delete_line_in_file $FILE $PATTERN delete_line_in_file $FILE $PATTERN
else else
@ -45,17 +48,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

21
bin/hardening/1.7.1.3_remove_os_info_issue_net.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,16 +12,18 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Remove OS information from remote Login Warning Banners." DESCRIPTION="Remove OS information from remote Login Warning Banners."
FILE='/etc/issue.net' FILE='/etc/issue.net'
PATTERN='(\\v|\\r|\\m|\\s)' PATTERN='(\\v|\\r|\\m|\\s)'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PATTERN is present in $FILE" crit "$PATTERN is present in $FILE"
else else
ok "$PATTERN is not present in $FILE" ok "$PATTERN is not present in $FILE"
@ -28,9 +31,9 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
warn "$PATTERN is present in $FILE" warn "$PATTERN is present in $FILE"
delete_line_in_file $FILE $PATTERN delete_line_in_file $FILE $PATTERN
else else
@ -45,17 +48,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

39
bin/hardening/1.7.1.4_motd_perms.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,7 +12,9 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Checking root ownership and 644 permissions on banner files: /etc/motd|issue|issue.net ." DESCRIPTION="Checking root ownership and 644 permissions on banner files: /etc/motd|issue|issue.net ."
PERMISSIONS='644' PERMISSIONS='644'
@ -20,20 +23,20 @@ GROUP='root'
FILE='/etc/motd' FILE='/etc/motd'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
does_file_exist $FILE does_file_exist $FILE
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
continue continue
fi fi
has_file_correct_ownership $FILE $USER $GROUP has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
crit "$FILE ownership was not set to $USER:$GROUP" crit "$FILE ownership was not set to $USER:$GROUP"
fi fi
has_file_correct_permissions $FILE $PERMISSIONS has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
crit "$FILE permissions were not set to $PERMISSIONS" crit "$FILE permissions were not set to $PERMISSIONS"
@ -41,25 +44,25 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
does_file_exist $FILE does_file_exist $FILE
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
info "$FILE does not exist" info "$FILE does not exist"
touch $FILE touch $FILE
fi fi
has_file_correct_ownership $FILE $USER $GROUP has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
warn "fixing $FILE ownership to $USER:$GROUP" warn "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE chown $USER:$GROUP $FILE
fi fi
has_file_correct_permissions $FILE $PERMISSIONS has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
info "fixing $FILE permissions to $PERMISSIONS" info "fixing $FILE permissions to $PERMISSIONS"
chmod 0$PERMISSIONS $FILE chmod 0"$PERMISSIONS" "$FILE"
fi fi
} }
@ -70,17 +73,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

39
bin/hardening/1.7.1.5_etc_issue_perms.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,7 +12,9 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Checking root ownership and 644 permissions on banner files: /etc/motd|issue|issue.net ." DESCRIPTION="Checking root ownership and 644 permissions on banner files: /etc/motd|issue|issue.net ."
PERMISSIONS='644' PERMISSIONS='644'
@ -20,20 +23,20 @@ GROUP='root'
FILE='/etc/issue' FILE='/etc/issue'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
does_file_exist $FILE does_file_exist $FILE
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
continue continue
fi fi
has_file_correct_ownership $FILE $USER $GROUP has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
crit "$FILE ownership was not set to $USER:$GROUP" crit "$FILE ownership was not set to $USER:$GROUP"
fi fi
has_file_correct_permissions $FILE $PERMISSIONS has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
crit "$FILE permissions were not set to $PERMISSIONS" crit "$FILE permissions were not set to $PERMISSIONS"
@ -41,25 +44,25 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
does_file_exist $FILE does_file_exist $FILE
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
info "$FILE does not exist" info "$FILE does not exist"
touch $FILE touch $FILE
fi fi
has_file_correct_ownership $FILE $USER $GROUP has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
warn "fixing $FILE ownership to $USER:$GROUP" warn "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE chown $USER:$GROUP $FILE
fi fi
has_file_correct_permissions $FILE $PERMISSIONS has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
info "fixing $FILE permissions to $PERMISSIONS" info "fixing $FILE permissions to $PERMISSIONS"
chmod 0$PERMISSIONS $FILE chmod 0"$PERMISSIONS" "$FILE"
fi fi
} }
@ -70,17 +73,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

39
bin/hardening/1.7.1.6_etc_issue_net_perms.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,7 +12,9 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Checking root ownership and 644 permissions on banner files: /etc/motd|issue|issue.net ." DESCRIPTION="Checking root ownership and 644 permissions on banner files: /etc/motd|issue|issue.net ."
PERMISSIONS='644' PERMISSIONS='644'
@ -20,20 +23,20 @@ GROUP='root'
FILE='/etc/issue.net' FILE='/etc/issue.net'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
does_file_exist $FILE does_file_exist $FILE
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
continue continue
fi fi
has_file_correct_ownership $FILE $USER $GROUP has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
crit "$FILE ownership was not set to $USER:$GROUP" crit "$FILE ownership was not set to $USER:$GROUP"
fi fi
has_file_correct_permissions $FILE $PERMISSIONS has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
crit "$FILE permissions were not set to $PERMISSIONS" crit "$FILE permissions were not set to $PERMISSIONS"
@ -41,25 +44,25 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
does_file_exist $FILE does_file_exist $FILE
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
info "$FILE does not exist" info "$FILE does not exist"
touch $FILE touch $FILE
fi fi
has_file_correct_ownership $FILE $USER $GROUP has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
warn "fixing $FILE ownership to $USER:$GROUP" warn "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE chown $USER:$GROUP $FILE
fi fi
has_file_correct_permissions $FILE $PERMISSIONS has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
info "fixing $FILE permissions to $PERMISSIONS" info "fixing $FILE permissions to $PERMISSIONS"
chmod 0$PERMISSIONS $FILE chmod 0"$PERMISSIONS" "$FILE"
fi fi
} }
@ -70,17 +73,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

17
bin/hardening/1.7.2_graphical_warning_banners.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,16 +12,18 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Set graphical warning banner." DESCRIPTION="Set graphical warning banner."
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Not implemented yet" info "Not implemented yet"
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
info "Not implemented yet" info "Not implemented yet"
} }
@ -31,17 +34,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

21
bin/hardening/1.8_install_updates.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,13 +12,15 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure updates, patches, and additional security software are installed (Not Scored)" DESCRIPTION="Ensure updates, patches, and additional security software are installed (Not Scored)"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Checking if apt needs an update" info "Checking if apt needs an update"
apt_update_if_needed apt_update_if_needed
info "Fetching upgrades ..." info "Fetching upgrades ..."
apt_check_updates "CIS_APT" apt_check_updates "CIS_APT"
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
@ -30,8 +33,8 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
info "Applying Upgrades..." info "Applying Upgrades..."
DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y
else else
@ -47,17 +50,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

27
bin/hardening/2.1.1_disable_xinetd.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,15 +12,17 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure xinetd is not enabled." DESCRIPTION="Ensure xinetd is not enabled."
PACKAGE='xinetd' PACKAGE='xinetd'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed" crit "$PACKAGE is installed"
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -27,11 +30,11 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
warn "$PACKAGE is installed, purging" warn "$PACKAGE is installed, purging"
apt-get purge $PACKAGE -y apt-get purge "$PACKAGE" -y
apt-get autoremove apt-get autoremove
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -45,17 +48,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

27
bin/hardening/2.1.2_disable_bsd_inetd.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,16 +12,18 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure bsd-inetd is not enabled." DESCRIPTION="Ensure bsd-inetd is not enabled."
PACKAGES='openbsd-inetd inetutils-inetd' PACKAGES='openbsd-inetd inetutils-inetd'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed" crit "$PACKAGE is installed"
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -29,12 +32,12 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
warn "$PACKAGE is installed, purging" warn "$PACKAGE is installed, purging"
apt-get purge $PACKAGE -y apt-get purge "$PACKAGE" -y
apt-get autoremove apt-get autoremove
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -49,17 +52,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

27
bin/hardening/2.2.1.1_use_time_sync.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,28 +12,30 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure time synchronization is in use" DESCRIPTION="Ensure time synchronization is in use"
PACKAGES="ntp chrony" PACKAGES="ntp chrony"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
FOUND=false FOUND=false
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "Time synchronization is available through $PACKAGE" ok "Time synchronization is available through $PACKAGE"
FOUND=true FOUND=true
fi fi
done done
if [ "$FOUND" = false ]; then if [ "$FOUND" = false ]; then
crit "None of the following time sync packages are installed: $PACKAGES" crit "None of the following time sync packages are installed: $PACKAGES"
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
: :
} }
@ -43,14 +46,20 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r "$CIS_ROOT_DIR"/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

74
bin/hardening/2.2.1.2_configure_ntp.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,8 +12,11 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters and ntp daemon runs ad unprivileged user." DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters and ntp daemon runs ad unprivileged user."
# shellcheck disable=2034
HARDENING_EXCEPTION=ntp HARDENING_EXCEPTION=ntp
PACKAGE='ntp' PACKAGE='ntp'
@ -22,20 +26,20 @@ NTP_INIT_PATTERN='RUNASUSER=ntp'
NTP_INIT_FILE='/etc/init.d/ntp' NTP_INIT_FILE='/etc/init.d/ntp'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!" crit "$PACKAGE is not installed!"
else else
ok "$PACKAGE is installed, checking configuration" ok "$PACKAGE is installed, checking configuration"
does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE" crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
else else
ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE" ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
fi fi
does_pattern_exist_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN" does_pattern_exist_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE" crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE"
else else
ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE" ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
@ -44,31 +48,31 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
else else
crit "$PACKAGE is absent, installing it" crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE apt_install $PACKAGE
info "Checking $PACKAGE configuration" info "Checking $PACKAGE configuration"
fi fi
does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE, adding it" warn "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE, adding it"
backup_file $NTP_CONF_FILE backup_file $NTP_CONF_FILE
add_end_of_file $NTP_CONF_FILE "restrict -4 default kod notrap nomodify nopeer noquery" add_end_of_file $NTP_CONF_FILE "restrict -4 default kod notrap nomodify nopeer noquery"
else else
ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE" ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
fi fi
does_pattern_exist_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN" does_pattern_exist_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE, adding it" warn "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE, adding it"
backup_file $NTP_INIT_FILE backup_file $NTP_INIT_FILE
add_line_file_before_pattern $NTP_INIT_FILE $NTP_INIT_PATTERN "^UGID" add_line_file_before_pattern $NTP_INIT_FILE $NTP_INIT_PATTERN "^UGID"
else else
ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE" ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
fi fi
} }
# This function will check config parameters required # This function will check config parameters required
@ -78,17 +82,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

24
bin/hardening/2.2.1.3_configure_chrony.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,8 +12,11 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters and ntp daemon runs ad unprivileged user." DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters and ntp daemon runs ad unprivileged user."
# shellcheck disable=2034
HARDENING_EXCEPTION=ntp HARDENING_EXCEPTION=ntp
PACKAGE=chrony PACKAGE=chrony
@ -20,14 +24,14 @@ CONF_DEFAULT_PATTERN='^(server|pool)'
CONF_FILE='/etc/chrony/chrony.conf' CONF_FILE='/etc/chrony/chrony.conf'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!" crit "$PACKAGE is not installed!"
else else
ok "$PACKAGE is installed, checking configuration" ok "$PACKAGE is installed, checking configuration"
does_pattern_exist_in_file $CONF_FILE $CONF_DEFAULT_PATTERN does_pattern_exist_in_file $CONF_FILE $CONF_DEFAULT_PATTERN
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE" crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE"
else else
ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE" ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE"
@ -36,7 +40,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
: :
} }
@ -47,17 +51,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

28
bin/hardening/2.2.10_disable_http_server.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,18 +12,21 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure HTTP server is not enabled." DESCRIPTION="Ensure HTTP server is not enabled."
# shellcheck disable=2034
HARDENING_EXCEPTION=http HARDENING_EXCEPTION=http
# Based on aptitude search '~Phttpd' # Based on aptitude search '~Phttpd'
PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd' PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!" crit "$PACKAGE is installed!"
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -31,12 +35,12 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y apt-get purge "$PACKAGE" -y
apt-get autoremove -y apt-get autoremove -y
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -51,17 +55,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

28
bin/hardening/2.2.11_disable_imap_pop.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,18 +12,21 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure IMAP and POP servers are not installed" DESCRIPTION="Ensure IMAP and POP servers are not installed"
# shellcheck disable=2034
HARDENING_EXCEPTION=mail HARDENING_EXCEPTION=mail
# Based on aptitude search '~Pimap-server' and aptitude search '~Ppop3-server' # Based on aptitude search '~Pimap-server' and aptitude search '~Ppop3-server'
PACKAGES='citadel-server courier-imap cyrus-imapd-2.4 dovecot-imapd mailutils-imap4d courier-pop cyrus-pop3d-2.4 dovecot-pop3d heimdal-servers mailutils-pop3d popa3d solid-pop3d xmail' PACKAGES='citadel-server courier-imap cyrus-imapd-2.4 dovecot-imapd mailutils-imap4d courier-pop cyrus-pop3d-2.4 dovecot-pop3d heimdal-servers mailutils-pop3d popa3d solid-pop3d xmail'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!" crit "$PACKAGE is installed!"
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -31,12 +35,12 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y apt-get purge "$PACKAGE" -y
apt-get autoremove -y apt-get autoremove -y
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -51,17 +55,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

32
bin/hardening/2.2.12_disable_samba.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,25 +12,28 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure Samba is not enabled." DESCRIPTION="Ensure Samba is not enabled."
# shellcheck disable=2034
HARDENING_EXCEPTION=samba HARDENING_EXCEPTION=samba
PACKAGES='samba' PACKAGES='samba'
SERVICE='smbd' SERVICE='smbd'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!" crit "$PACKAGE is installed!"
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi
done done
is_service_enabled $SERVICE is_service_enabled $SERVICE
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "Service $SERVICE is enabled!" crit "Service $SERVICE is enabled!"
else else
ok "Service $SERVICE is disabled" ok "Service $SERVICE is disabled"
@ -37,19 +41,19 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y apt-get purge "$PACKAGE" -y
apt-get autoremove -y apt-get autoremove -y
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi
done done
is_service_enabled $SERVICE is_service_enabled $SERVICE
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "Service $SERVICE is enabled!" crit "Service $SERVICE is enabled!"
systemctl disable $SERVICE systemctl disable $SERVICE
else else
@ -64,17 +68,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

28
bin/hardening/2.2.13_disable_http_proxy.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,17 +12,20 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure HTTP-proxy is not enabled." DESCRIPTION="Ensure HTTP-proxy is not enabled."
# shellcheck disable=2034
HARDENING_EXCEPTION=http HARDENING_EXCEPTION=http
PACKAGES='squid3 squid' PACKAGES='squid3 squid'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!" crit "$PACKAGE is installed!"
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -30,12 +34,12 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y apt-get purge "$PACKAGE" -y
apt-get autoremove apt-get autoremove
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -50,17 +54,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

28
bin/hardening/2.2.14_disable_snmp_server.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,17 +12,20 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Enure SNMP server is not enabled." DESCRIPTION="Enure SNMP server is not enabled."
# shellcheck disable=2034
HARDENING_EXCEPTION=snmp HARDENING_EXCEPTION=snmp
PACKAGES='snmpd' PACKAGES='snmpd'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!" crit "$PACKAGE is installed!"
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -30,12 +34,12 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y apt-get purge "$PACKAGE" -y
apt-get autoremove -y apt-get autoremove -y
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -50,17 +54,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

22
bin/hardening/2.2.15_mta_localhost.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,12 +12,15 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Configure Mail Transfert Agent for Local-Only Mode." DESCRIPTION="Configure Mail Transfert Agent for Local-Only Mode."
# shellcheck disable=2034
HARDENING_EXCEPTION=mail HARDENING_EXCEPTION=mail
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Checking netport ports opened" info "Checking netport ports opened"
RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || : RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
RESULT=${RESULT:-} RESULT=${RESULT:-}
@ -25,7 +29,7 @@ audit () {
ok "Nothing listens on 25 port, probably unix socket configured" ok "Nothing listens on 25 port, probably unix socket configured"
else else
info "Checking $RESULT" info "Checking $RESULT"
if $(grep -q "127.0.0.1" <<< $RESULT); then if $(grep -q "127.0.0.1" <<<$RESULT); then
ok "MTA is configured to localhost only" ok "MTA is configured to localhost only"
else else
crit "MTA listens worldwide" crit "MTA listens worldwide"
@ -34,7 +38,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
info "Checking netport ports opened" info "Checking netport ports opened"
RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || : RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
RESULT=${RESULT:-} RESULT=${RESULT:-}
@ -43,7 +47,7 @@ apply () {
ok "Nothing listens on 25 port, probably unix socket configured" ok "Nothing listens on 25 port, probably unix socket configured"
else else
info "Checking $RESULT" info "Checking $RESULT"
if $(grep -q "127.0.0.1" <<< $RESULT); then if $(grep -q "127.0.0.1" <<<$RESULT); then
ok "MTA is configured to localhost only" ok "MTA is configured to localhost only"
else else
warn "MTA listens worldwide, correct this considering your MTA" warn "MTA listens worldwide, correct this considering your MTA"
@ -59,17 +63,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

30
bin/hardening/2.2.16_disable_rsync.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,8 +12,11 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure rsync service is not enabled." DESCRIPTION="Ensure rsync service is not enabled."
# shellcheck disable=2034
HARDENING_EXCEPTION=rsync HARDENING_EXCEPTION=rsync
PACKAGE='rsync' PACKAGE='rsync'
@ -21,14 +25,14 @@ RSYNC_DEFAULT_FILE='/etc/default/rsync'
RSYNC_DEFAULT_PATTERN_TO_SEARCH='RSYNC_ENABLE=true' RSYNC_DEFAULT_PATTERN_TO_SEARCH='RSYNC_ENABLE=true'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
ok "$PACKAGE is not installed" ok "$PACKAGE is not installed"
else else
ok "$PACKAGE is installed, checking configuration" ok "$PACKAGE is installed, checking configuration"
does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN" does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE" crit "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE"
else else
ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE" ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE"
@ -37,14 +41,14 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
ok "$PACKAGE is not installed" ok "$PACKAGE is not installed"
else else
ok "$PACKAGE is installed, checking configuration" ok "$PACKAGE is installed, checking configuration"
does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN" does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE, adding it" warn "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE, adding it"
backup_file $RSYNC_DEFAULT_FILE backup_file $RSYNC_DEFAULT_FILE
replace_in_file $RSYNC_DEFAULT_FILE $RSYNC_DEFAULT_PATTERN_TO_SEARCH $RSYNC_DEFAULT_PATTERN replace_in_file $RSYNC_DEFAULT_FILE $RSYNC_DEFAULT_PATTERN_TO_SEARCH $RSYNC_DEFAULT_PATTERN
@ -61,17 +65,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

37
bin/hardening/2.2.18_disable_telnet_server.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# Legacy CIS Debian Hardening # Legacy CIS Debian Hardening
# #
@ -13,7 +14,9 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Ensure telnet server is not enabled. Recommended alternative : sshd (OpenSSH-server)." DESCRIPTION="Ensure telnet server is not enabled. Recommended alternative : sshd (OpenSSH-server)."
# Based on aptitude search '~Ptelnet-server' # Based on aptitude search '~Ptelnet-server'
@ -22,17 +25,17 @@ FILE='/etc/inetd.conf'
PATTERN='^telnet' PATTERN='^telnet'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
warn "$PACKAGE is installed, checking configuration" warn "$PACKAGE is installed, checking configuration"
does_file_exist $FILE does_file_exist $FILE
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
ok "$FILE does not exist" ok "$FILE does not exist"
else else
does_pattern_exist_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PATTERN exists, $PACKAGE services are enabled!" crit "$PATTERN exists, $PACKAGE services are enabled!"
else else
ok "$PATTERN is not present in $FILE" ok "$PATTERN is not present in $FILE"
@ -45,26 +48,26 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y apt-get purge "$PACKAGE" -y
apt-get autoremove apt-get autoremove
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi
does_file_exist $FILE does_file_exist $FILE
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
ok "$FILE does not exist" ok "$FILE does not exist"
else else
info "$FILE exists, checking patterns" info "$FILE exists, checking patterns"
does_pattern_exist_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
warn "$PATTERN is present in $FILE, purging it" warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<<$PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else else
ok "$PATTERN is not present in $FILE" ok "$PATTERN is not present in $FILE"
@ -80,17 +83,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

28
bin/hardening/2.2.2_disable_xwindow_system.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,18 +12,21 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure the X Window system is not installed." DESCRIPTION="Ensure the X Window system is not installed."
# shellcheck disable=2034
HARDENING_EXCEPTION=x11 HARDENING_EXCEPTION=x11
# Based on aptitude search '~Pxserver' # Based on aptitude search '~Pxserver'
PACKAGES='xserver-xorg-core xserver-xorg-core-dbg xserver-common xserver-xephyr xserver-xfbdev tightvncserver vnc4server fglrx-driver xvfb xserver-xorg-video-nvidia-legacy-173xx xserver-xorg-video-nvidia-legacy-96xx xnest' PACKAGES='xserver-xorg-core xserver-xorg-core-dbg xserver-common xserver-xephyr xserver-xfbdev tightvncserver vnc4server fglrx-driver xvfb xserver-xorg-video-nvidia-legacy-173xx xserver-xorg-video-nvidia-legacy-96xx xnest'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!" crit "$PACKAGE is installed!"
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -31,12 +35,12 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y apt-get purge "$PACKAGE" -y
apt-get autoremove -y apt-get autoremove -y
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -51,17 +55,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

27
bin/hardening/2.2.3_disable_avahi_server.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,16 +12,18 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure Avahi server is not enabled." DESCRIPTION="Ensure Avahi server is not enabled."
PACKAGES='avahi-daemon libavahi-common-data libavahi-common3 libavahi-core7' PACKAGES='avahi-daemon libavahi-common-data libavahi-common3 libavahi-core7'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!" crit "$PACKAGE is installed!"
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -29,12 +32,12 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y apt-get purge "$PACKAGE" -y
apt-get autoremove -y apt-get autoremove -y
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -49,17 +52,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

28
bin/hardening/2.2.4_disable_print_server.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,17 +12,20 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure print server (Common Unix Print System) is not enabled." DESCRIPTION="Ensure print server (Common Unix Print System) is not enabled."
# shellcheck disable=2034
HARDENING_EXCEPTION=cups HARDENING_EXCEPTION=cups
PACKAGES='libcups2 libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1 cups-common cups-client cups-ppdc libcupsfilters1 cups-filters cups' PACKAGES='libcups2 libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1 cups-common cups-client cups-ppdc libcupsfilters1 cups-filters cups'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!" crit "$PACKAGE is installed!"
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -30,12 +34,12 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y apt-get purge "$PACKAGE" -y
apt-get autoremove -y apt-get autoremove -y
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -50,17 +54,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

28
bin/hardening/2.2.5_disable_dhcp.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,17 +12,20 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure DHCP server is not enabled." DESCRIPTION="Ensure DHCP server is not enabled."
# shellcheck disable=2034
HARDENING_EXCEPTION=dhcp HARDENING_EXCEPTION=dhcp
PACKAGES='udhcpd isc-dhcp-server' PACKAGES='udhcpd isc-dhcp-server'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!" crit "$PACKAGE is installed!"
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -30,12 +34,12 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y apt-get purge "$PACKAGE" -y
apt-get autoremove -y apt-get autoremove -y
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -50,17 +54,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

28
bin/hardening/2.2.6_disable_ldap.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,17 +12,20 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure LDAP is not enabled." DESCRIPTION="Ensure LDAP is not enabled."
# shellcheck disable=2034
HARDENING_EXCEPTION=ldap HARDENING_EXCEPTION=ldap
PACKAGES='slapd' PACKAGES='slapd'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!" crit "$PACKAGE is installed!"
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -30,12 +34,12 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y apt-get purge "$PACKAGE" -y
apt-get autoremove -y apt-get autoremove -y
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -50,17 +54,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

28
bin/hardening/2.2.7_disable_nfs_rpc.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,17 +12,20 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure Network File System (nfs) and RPC are not enabled." DESCRIPTION="Ensure Network File System (nfs) and RPC are not enabled."
# shellcheck disable=2034
HARDENING_EXCEPTION=nfs HARDENING_EXCEPTION=nfs
PACKAGES='rpcbind nfs-kernel-server' PACKAGES='rpcbind nfs-kernel-server'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!" crit "$PACKAGE is installed!"
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -30,12 +34,12 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y apt-get purge "$PACKAGE" -y
apt-get autoremove -y apt-get autoremove -y
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -50,17 +54,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

28
bin/hardening/2.2.8_disable_dns_server.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,17 +12,20 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure Domain Name System (dns) server is not enabled." DESCRIPTION="Ensure Domain Name System (dns) server is not enabled."
# shellcheck disable=2034
HARDENING_EXCEPTION=dns HARDENING_EXCEPTION=dns
PACKAGES='bind9 unbound' PACKAGES='bind9 unbound'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!" crit "$PACKAGE is installed!"
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -30,12 +34,12 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y apt-get purge "$PACKAGE" -y
apt-get autoremove -y apt-get autoremove -y
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -50,17 +54,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

28
bin/hardening/2.2.9_disable_ftp.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,18 +12,21 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure File Transfer Protocol (ftp) is not enabled." DESCRIPTION="Ensure File Transfer Protocol (ftp) is not enabled."
# shellcheck disable=2034
HARDENING_EXCEPTION=ftp HARDENING_EXCEPTION=ftp
# Based on aptitude search '~Pftp-server' # Based on aptitude search '~Pftp-server'
PACKAGES='ftpd ftpd-ssl heimdal-servers inetutils-ftpd krb5-ftpd muddleftpd proftpd-basic pure-ftpd pure-ftpd-ldap pure-ftpd-mysql pure-ftpd-postgresql twoftpd-run vsftpd wzdftpd' PACKAGES='ftpd ftpd-ssl heimdal-servers inetutils-ftpd krb5-ftpd muddleftpd proftpd-basic pure-ftpd pure-ftpd-ldap pure-ftpd-mysql pure-ftpd-postgresql twoftpd-run vsftpd wzdftpd'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!" crit "$PACKAGE is installed!"
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -31,12 +35,12 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y apt-get purge "$PACKAGE" -y
apt-get autoremove -y apt-get autoremove -y
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -51,17 +55,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

27
bin/hardening/2.3.1_disable_nis.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,15 +12,17 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure that Network Information Service is not installed. Recommended alternative : LDAP." DESCRIPTION="Ensure that Network Information Service is not installed. Recommended alternative : LDAP."
PACKAGE='nis' PACKAGE='nis'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!" crit "$PACKAGE is installed!"
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -28,11 +31,11 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y apt-get purge "$PACKAGE" -y
apt-get autoremove -y apt-get autoremove -y
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -46,17 +49,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

31
bin/hardening/2.3.2_disable_rsh_client.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,17 +12,19 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Ensure rsh client is not installed, Recommended alternative : ssh." DESCRIPTION="Ensure rsh client is not installed, Recommended alternative : ssh."
# Based on aptitude search '~Prsh-client', exluding ssh-client OFC # Based on aptitude search '~Prsh-client', exluding ssh-client OFC
PACKAGES='rsh-client rsh-redone-client heimdal-clients' PACKAGES='rsh-client rsh-redone-client heimdal-clients'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed" crit "$PACKAGE is installed"
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -30,12 +33,12 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
warn "$PACKAGE is installed, purging" warn "$PACKAGE is installed, purging"
apt-get purge $PACKAGE -y apt-get purge "$PACKAGE" -y
apt-get autoremove -y apt-get autoremove -y
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -50,17 +53,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

27
bin/hardening/2.3.3_disable_talk_client.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,16 +12,18 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Ensure talk client is not installed." DESCRIPTION="Ensure talk client is not installed."
PACKAGES='talk inetutils-talk' PACKAGES='talk inetutils-talk'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed" crit "$PACKAGE is installed"
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -29,12 +32,12 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
warn "$PACKAGE is installed, purging" warn "$PACKAGE is installed, purging"
apt-get purge $PACKAGE -y apt-get purge "$PACKAGE" -y
apt-get autoremove -y apt-get autoremove -y
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -49,17 +52,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

27
bin/hardening/2.3.4_disable_telnet_client.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,16 +12,18 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Ensure telnet client is not installed." DESCRIPTION="Ensure telnet client is not installed."
PACKAGES='telnet' PACKAGES='telnet'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed" crit "$PACKAGE is installed"
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -29,12 +32,12 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
warn "$PACKAGE is installed, purging" warn "$PACKAGE is installed, purging"
apt-get purge $PACKAGE -y apt-get purge "$PACKAGE" -y
apt-get autoremove -y apt-get autoremove -y
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -49,17 +52,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

27
bin/hardening/2.3.5_disable_ldap_client.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,16 +12,18 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Ensure ldap client is not installed." DESCRIPTION="Ensure ldap client is not installed."
PACKAGES='ldap-utils' PACKAGES='ldap-utils'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed" crit "$PACKAGE is installed"
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -29,12 +32,12 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
warn "$PACKAGE is installed, purging" warn "$PACKAGE is installed, purging"
apt-get purge $PACKAGE -y apt-get purge "$PACKAGE" -y
apt-get autoremove -y apt-get autoremove -y
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
@ -49,17 +52,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

33
bin/hardening/3.1.1_disable_ip_forwarding.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,22 +12,24 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
HARDENING_EXCEPTION=gw HARDENING_EXCEPTION=gw
# shellcheck disable=2034
DESCRIPTION="Disable IP forwarding." DESCRIPTION="Disable IP forwarding."
SYSCTL_PARAMS='net.ipv4.ip_forward net.ipv6.conf.all.forwarding' SYSCTL_PARAMS='net.ipv4.ip_forward net.ipv6.conf.all.forwarding'
SYSCTL_EXP_RESULT=0 SYSCTL_EXP_RESULT=0
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for SYSCTL_PARAM in $SYSCTL_PARAMS; do for SYSCTL_PARAM in $SYSCTL_PARAMS; do
does_sysctl_param_exists "net.ipv6" does_sysctl_param_exists "net.ipv6"
if [ $FNRET = 0 ] || [[ ! $SYSCTL_PARAM =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6 if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_PARAM =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -36,14 +39,14 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for SYSCTL_PARAM in $SYSCTL_PARAMS; do for SYSCTL_PARAM in $SYSCTL_PARAMS; do
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ $FNRET = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -58,17 +61,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

31
bin/hardening/3.1.2_disable_send_packet_redirects.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,7 +12,9 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable send packet redirects to prevent malicious ICMP corruption." DESCRIPTION="Disable send packet redirects to prevent malicious ICMP corruption."
#net.ipv4.conf.all.send_redirects = 0 #net.ipv4.conf.all.send_redirects = 0
@ -19,15 +22,15 @@ DESCRIPTION="Disable send packet redirects to prevent malicious ICMP corruption.
SYSCTL_PARAMS='net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0' SYSCTL_PARAMS='net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -36,17 +39,17 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ $FNRET = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -61,17 +64,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

33
bin/hardening/3.2.1_disable_source_routed_packets.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,23 +12,25 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable source routed packet acceptance." DESCRIPTION="Disable source routed packet acceptance."
# set in config file # set in config file
SYSCTL_PARAMS='' SYSCTL_PARAMS=''
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
does_sysctl_param_exists "net.ipv6" does_sysctl_param_exists "net.ipv6"
if [ $FNRET = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6 if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -37,17 +40,17 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value -- Fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ $FNRET = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -70,17 +73,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

35
bin/hardening/3.2.2_disable_icmp_redirect.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,24 +12,26 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable ICMP redirect acceptance to prevent routing table corruption." DESCRIPTION="Disable ICMP redirect acceptance to prevent routing table corruption."
# set in config file # set in config file
SYSCTL_PARAMS='' SYSCTL_PARAMS=''
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
does_sysctl_param_exists "net.ipv6" does_sysctl_param_exists "net.ipv6"
if [ $FNRET = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6 if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -38,17 +41,17 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ $FNRET = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -71,17 +74,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

31
bin/hardening/3.2.3_disable_secure_icmp_redirect.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,21 +12,23 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable secure ICMP redirect acceptance to prevent routing tables corruptions." DESCRIPTION="Disable secure ICMP redirect acceptance to prevent routing tables corruptions."
SYSCTL_PARAMS='net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0' SYSCTL_PARAMS='net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -34,17 +37,17 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ $FNRET = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -59,17 +62,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

31
bin/hardening/3.2.4_log_martian_packets.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,21 +12,23 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Log suspicious packets, like spoofed packets." DESCRIPTION="Log suspicious packets, like spoofed packets."
SYSCTL_PARAMS='net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martians=1' SYSCTL_PARAMS='net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martians=1'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -34,17 +37,17 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ $FNRET = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -59,17 +62,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

31
bin/hardening/3.2.5_ignore_broadcast_requests.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,21 +12,23 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Ignore broadcast requests to prevent attacks such as Smurf attack." DESCRIPTION="Ignore broadcast requests to prevent attacks such as Smurf attack."
SYSCTL_PARAMS='net.ipv4.icmp_echo_ignore_broadcasts=1' SYSCTL_PARAMS='net.ipv4.icmp_echo_ignore_broadcasts=1'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist --Typo?" warn "$SYSCTL_PARAM does not exist --Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -34,17 +37,17 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ $FNRET = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -59,17 +62,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

33
bin/hardening/3.2.6_enable_bad_error_message_protection.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,21 +12,23 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Enable bad error message protection to prevent logfiles fillup." DESCRIPTION="Enable bad error message protection to prevent logfiles fillup."
SYSCTL_PARAMS='net.ipv4.icmp_ignore_bogus_error_responses=1' SYSCTL_PARAMS='net.ipv4.icmp_ignore_bogus_error_responses=1'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -34,17 +37,17 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ $FNRET = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -59,18 +62,20 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

31
bin/hardening/3.2.7_enable_source_route_validation.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,21 +12,23 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Enable RFC-recommended source route validation." DESCRIPTION="Enable RFC-recommended source route validation."
SYSCTL_PARAMS='net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1' SYSCTL_PARAMS='net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -34,17 +37,17 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ $FNRET = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -59,17 +62,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

31
bin/hardening/3.2.8_enable_tcp_syn_cookies.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,21 +12,23 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Enable TCP-SYN cookie to prevent TCP-SYN flood attack." DESCRIPTION="Enable TCP-SYN cookie to prevent TCP-SYN flood attack."
SYSCTL_PARAMS='net.ipv4.tcp_syncookies=1' SYSCTL_PARAMS='net.ipv4.tcp_syncookies=1'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -34,17 +37,17 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ $FNRET = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -59,17 +62,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

35
bin/hardening/3.2.9_disable_ipv6_router_advertisement.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,25 +12,27 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable IPv6 router advertisements." DESCRIPTION="Disable IPv6 router advertisements."
SYSCTL_PARAMS='net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0' SYSCTL_PARAMS='net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
does_sysctl_param_exists "net.ipv6" does_sysctl_param_exists "net.ipv6"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
ok "ipv6 is disabled" ok "ipv6 is disabled"
else else
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -39,21 +42,21 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
does_sysctl_param_exists "net.ipv6" does_sysctl_param_exists "net.ipv6"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
ok "ipv6 is disabled" ok "ipv6 is disabled"
else else
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT, fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT, fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ $FNRET = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -69,17 +72,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

35
bin/hardening/3.3.1_install_tcp_wrapper.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,15 +12,17 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Install TCP wrappers for simple access list management and standardized logging method for services." DESCRIPTION="Install TCP wrappers for simple access list management and standardized logging method for services."
PACKAGE='tcpd' PACKAGE='tcpd'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!" crit "$PACKAGE is not installed!"
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
@ -27,14 +30,14 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
else else
crit "$PACKAGE is absent, installing it" crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE apt_install $PACKAGE
fi fi
} }
# This function will check config parameters required # This function will check config parameters required
@ -44,17 +47,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

21
bin/hardening/3.3.2_hosts_allow.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,15 +12,17 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Create /etc/hosts.allow ." DESCRIPTION="Create /etc/hosts.allow ."
FILE='/etc/hosts.allow' FILE='/etc/hosts.allow'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
does_file_exist $FILE does_file_exist $FILE
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
else else
ok "$FILE exist" ok "$FILE exist"
@ -27,9 +30,9 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
does_file_exist $FILE does_file_exist $FILE
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist, creating it" warn "$FILE does not exist, creating it"
touch $FILE touch $FILE
warn "You may want to fill it with allowed networks" warn "You may want to fill it with allowed networks"
@ -45,17 +48,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

25
bin/hardening/3.3.3_hosts_deny.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,21 +12,23 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Create /etc/hosts.deny ." DESCRIPTION="Create /etc/hosts.deny ."
FILE='/etc/hosts.deny' FILE='/etc/hosts.deny'
PATTERN='ALL: ALL' PATTERN='ALL: ALL'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
does_file_exist $FILE does_file_exist $FILE
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
else else
ok "$FILE exists, checking configuration" ok "$FILE exists, checking configuration"
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in $FILE, we have to deny everything" crit "$PATTERN is not present in $FILE, we have to deny everything"
else else
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
@ -34,16 +37,16 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
does_file_exist $FILE does_file_exist $FILE
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist, creating it" warn "$FILE does not exist, creating it"
touch $FILE touch $FILE
else else
ok "$FILE exists" ok "$FILE exists"
fi fi
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in $FILE, we have to deny everything" crit "$PATTERN is not present in $FILE, we have to deny everything"
add_end_of_file $FILE "$PATTERN" add_end_of_file $FILE "$PATTERN"
warn "YOU MAY HAVE CUT YOUR ACCESS, CHECK BEFORE DISCONNECTING" warn "YOU MAY HAVE CUT YOUR ACCESS, CHECK BEFORE DISCONNECTING"
@ -59,17 +62,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

31
bin/hardening/3.3.4_hosts_allow_permissions.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,7 +12,9 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Check 644 permissions and root:root ownership on /hosts.allow ." DESCRIPTION="Check 644 permissions and root:root ownership on /hosts.allow ."
FILE='/etc/hosts.allow' FILE='/etc/hosts.allow'
@ -20,15 +23,15 @@ USER='root'
GROUP='root' GROUP='root'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
has_file_correct_permissions $FILE $PERMISSIONS has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
crit "$FILE permissions were not set to $PERMISSIONS" crit "$FILE permissions were not set to $PERMISSIONS"
fi fi
has_file_correct_ownership $FILE $USER $GROUP has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
crit "$FILE ownership was not set to $USER:$GROUP" crit "$FILE ownership was not set to $USER:$GROUP"
@ -36,13 +39,13 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
has_file_correct_permissions $FILE $PERMISSIONS has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
info "fixing $FILE permissions to $PERMISSIONS" info "fixing $FILE permissions to $PERMISSIONS"
chmod 0$PERMISSIONS $FILE chmod 0"$PERMISSIONS" "$FILE"
fi fi
} }
@ -53,17 +56,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

31
bin/hardening/3.3.5_hosts_deny_permissions.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,7 +12,9 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Check 644 permissions and root:root ownership on /etc/hosts.deny ." DESCRIPTION="Check 644 permissions and root:root ownership on /etc/hosts.deny ."
FILE='/etc/hosts.deny' FILE='/etc/hosts.deny'
@ -20,15 +23,15 @@ USER='root'
GROUP='root' GROUP='root'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
has_file_correct_permissions $FILE $PERMISSIONS has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
crit "$FILE permissions were not set to $PERMISSIONS" crit "$FILE permissions were not set to $PERMISSIONS"
fi fi
has_file_correct_ownership $FILE $USER $GROUP has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
crit "$FILE ownership was not set to $USER:$GROUP" crit "$FILE ownership was not set to $USER:$GROUP"
@ -36,13 +39,13 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
has_file_correct_permissions $FILE $PERMISSIONS has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
info "fixing $FILE permissions to $PERMISSIONS" info "fixing $FILE permissions to $PERMISSIONS"
chmod 0$PERMISSIONS $FILE chmod 0"$PERMISSIONS" "$FILE"
fi fi
} }
@ -53,17 +56,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

17
bin/hardening/3.4.1_disable_dccp.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,16 +12,18 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable Datagram Congestion Control Protocol (DCCP)." DESCRIPTION="Disable Datagram Congestion Control Protocol (DCCP)."
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Not implemented yet" info "Not implemented yet"
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
info "Not implemented yet" info "Not implemented yet"
} }
@ -31,17 +34,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

17
bin/hardening/3.4.2_disable_sctp.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,16 +12,18 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable Stream Control Transmission Protocol (SCTP)." DESCRIPTION="Disable Stream Control Transmission Protocol (SCTP)."
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Not implemented yet" info "Not implemented yet"
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
info "Not implemented yet" info "Not implemented yet"
} }
@ -31,17 +34,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

17
bin/hardening/3.4.3_disable_rds.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,16 +12,18 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable Reliable Datagram Sockets (RDS)." DESCRIPTION="Disable Reliable Datagram Sockets (RDS)."
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Not implemented yet" info "Not implemented yet"
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
info "Not implemented yet" info "Not implemented yet"
} }
@ -31,17 +34,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

17
bin/hardening/3.4.4_disable_tipc.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,16 +12,18 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable Transperent Inter-Process Communication (TIPC)." DESCRIPTION="Disable Transperent Inter-Process Communication (TIPC)."
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Not implemented yet" info "Not implemented yet"
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
info "Not implemented yet" info "Not implemented yet"
} }
@ -31,17 +34,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

16
bin/hardening/3.5.1.1_net_fw_default_policy_drop.sh
View File

@ -1,4 +1,5 @@
#!/bin/bash #!/bin/bash
# run-shellcheck # run-shellcheck
# #
# OVH Security audit # OVH Security audit
@ -21,12 +22,12 @@ FW_CHAINS="INPUT FORWARD"
FW_POLICY="DROP" FW_POLICY="DROP"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!" crit "$PACKAGE is not installed!"
else else
ipt=$($SUDO_CMD $PACKAGE -nL 2>/dev/null || true ) ipt=$($SUDO_CMD $PACKAGE -nL 2>/dev/null || true)
if [[ -z $ipt ]]; then if [[ -z $ipt ]]; then
crit "Empty return from $PACKAGE command. Aborting..." crit "Empty return from $PACKAGE command. Aborting..."
return return
@ -49,7 +50,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
: :
} }
@ -60,17 +61,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=/opt/debian-cis/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

37
bin/hardening/3.5_enable_firewall.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,18 +12,20 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Ensure firewall is active (iptables is installed, does not check for its configuration)." DESCRIPTION="Ensure firewall is active (iptables is installed, does not check for its configuration)."
# Quick note here : CIS recommends your iptables rules to be persistent. # Quick note here : CIS recommends your iptables rules to be persistent.
# Do as you want, but this script does not handle this # Do as you want, but this script does not handle this
PACKAGE='iptables' PACKAGE='iptables'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!" crit "$PACKAGE is not installed!"
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
@ -30,14 +33,14 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
is_pkg_installed $PACKAGE is_pkg_installed "$PACKAGE"
if [ $FNRET = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
else else
crit "$PACKAGE is absent, installing it" crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE apt_install $PACKAGE
fi fi
} }
# This function will check config parameters required # This function will check config parameters required
@ -47,17 +50,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

24
bin/hardening/3.6_disable_wireless.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,16 +12,18 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Deactivate wireless interfaces." DESCRIPTION="Deactivate wireless interfaces."
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Not implemented yet" info "Not implemented yet"
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
info "Not implemented yet" info "Not implemented yet"
} }
@ -31,28 +34,31 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
## Source Root Dir Parameter ## Source Root Dir Parameter
#if [ ! -r /etc/default/cis-hardening ]; then #if [ ! -r /etc/default/cis-hardening ]; then
# echo "There is no /etc/default/cis-hardening file, cannot source CIS_ROOT_DIR variable, aborting" # echo "There is no /etc/default/cis-hardening file, cannot source CIS_ROOT_DIR variable, aborting"
# exit 128 # exit 128
#else #else
# shellcheck source=../../debian/default
# . /etc/default/cis-hardening # . /etc/default/cis-hardening
# if [ -z ${CIS_ROOT_DIR:-} ]; then # if [ -z ${CIS_ROOT_DIR:-} ]; then
# echo "No CIS_ROOT_DIR variable, aborting" # echo "No CIS_ROOT_DIR variable, aborting"
# exit 128 # exit 128
# fi # fi
#fi #fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

33
bin/hardening/3.7_disable_ipv6.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,25 +12,27 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable IPv6." DESCRIPTION="Disable IPv6."
SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1' SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
does_sysctl_param_exists "net.ipv6" does_sysctl_param_exists "net.ipv6"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
ok "ipv6 is disabled" ok "ipv6 is disabled"
else else
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -39,21 +42,21 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
does_sysctl_param_exists "net.ipv6" does_sysctl_param_exists "net.ipv6"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
ok "ipv6 is disabled" ok "ipv6 is disabled"
else else
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value, fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value, fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
warn "you may want to reboot or sysctl -p a file including $SYSCTL_PARAMS" warn "you may want to reboot or sysctl -p a file including $SYSCTL_PARAMS"
elif [ $FNRET = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -69,17 +72,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

25
bin/hardening/4.1.1.1_audit_log_storage.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,7 +12,9 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=4 HARDENING_LEVEL=4
# shellcheck disable=2034
DESCRIPTION="Configure audit log storage size." DESCRIPTION="Configure audit log storage size."
FILE='/etc/audit/auditd.conf' FILE='/etc/audit/auditd.conf'
@ -19,14 +22,14 @@ PATTERN='max_log_file'
VALUE=5 VALUE=5
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
does_file_exist $FILE does_file_exist $FILE
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
else else
ok "$FILE exists, checking configuration" ok "$FILE exists, checking configuration"
does_pattern_exist_in_file $FILE "^$PATTERN[[:space:]]" does_pattern_exist_in_file $FILE "^$PATTERN[[:space:]]"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in $FILE" crit "$PATTERN is not present in $FILE"
else else
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
@ -35,16 +38,16 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
does_file_exist $FILE does_file_exist $FILE
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist, creating it" warn "$FILE does not exist, creating it"
touch $FILE touch $FILE
else else
ok "$FILE exists" ok "$FILE exists"
fi fi
does_pattern_exist_in_file $FILE "^$PATTERN[[:space:]]" does_pattern_exist_in_file $FILE "^$PATTERN[[:space:]]"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
add_end_of_file $FILE "$PATTERN = $VALUE" add_end_of_file $FILE "$PATTERN = $VALUE"
else else
@ -59,17 +62,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

47
bin/hardening/4.1.1.2_halt_when_audit_log_full.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,38 +12,40 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=4 HARDENING_LEVEL=4
# shellcheck disable=2034
DESCRIPTION="Disable system on audit log full." DESCRIPTION="Disable system on audit log full."
FILE='/etc/audit/auditd.conf' FILE='/etc/audit/auditd.conf'
OPTIONS='' OPTIONS=''
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
does_file_exist $FILE does_file_exist $FILE
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
else else
ok "$FILE exists, checking configuration" ok "$FILE exists, checking configuration"
for AUDIT_OPTION in $OPTIONS; do for AUDIT_OPTION in $OPTIONS; do
AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1) AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2) AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE" PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
debug "$AUDIT_PARAM should be set to $AUDIT_VALUE" debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in $FILE" crit "$PATTERN is not present in $FILE"
else else
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
fi fi
done done
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
does_file_exist $FILE does_file_exist $FILE
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist, creating it" warn "$FILE does not exist, creating it"
touch $FILE touch $FILE
else else
@ -54,10 +57,10 @@ apply () {
debug "$AUDIT_PARAM should be set to $AUDIT_VALUE" debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE" PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$AUDIT_PARAM" does_pattern_exist_in_file $FILE "^$AUDIT_PARAM"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end" info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end"
add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE" add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE"
else else
@ -76,7 +79,7 @@ check_config() {
} }
create_config() { create_config() {
cat << EOF cat <<EOF
# shellcheck disable=2034 # shellcheck disable=2034
status=audit status=audit
# Put here the conf for auditd # Put here the conf for auditd
@ -86,17 +89,19 @@ EOF
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

47
bin/hardening/4.1.1.3_keep_all_audit_logs.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,38 +12,40 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=4 HARDENING_LEVEL=4
# shellcheck disable=2034
DESCRIPTION="Keep all auditing information." DESCRIPTION="Keep all auditing information."
FILE='/etc/audit/auditd.conf' FILE='/etc/audit/auditd.conf'
OPTIONS='max_log_file_action=keep_logs' OPTIONS='max_log_file_action=keep_logs'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
does_file_exist $FILE does_file_exist $FILE
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
else else
ok "$FILE exists, checking configuration" ok "$FILE exists, checking configuration"
for AUDIT_OPTION in $OPTIONS; do for AUDIT_OPTION in $OPTIONS; do
AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1) AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2) AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE" PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
debug "$AUDIT_PARAM should be set to $AUDIT_VALUE" debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in $FILE" crit "$PATTERN is not present in $FILE"
else else
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
fi fi
done done
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
does_file_exist $FILE does_file_exist $FILE
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist, creating it" warn "$FILE does not exist, creating it"
touch $FILE touch $FILE
else else
@ -54,11 +57,11 @@ apply () {
debug "$AUDIT_PARAM should be set to $AUDIT_VALUE" debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE" PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$AUDIT_PARAM" does_pattern_exist_in_file $FILE "^$AUDIT_PARAM"
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end" info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end"
add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE" add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE"
else else
info "Parameter $AUDIT_PARAM is present but with the wrong value -- Fixing" info "Parameter $AUDIT_PARAM is present but with the wrong value -- Fixing"
@ -77,17 +80,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

21
bin/hardening/4.1.10_record_dac_edit.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,7 +12,9 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=4 HARDENING_LEVEL=4
# shellcheck disable=2034
DESCRIPTION="Collect discretionary access control (DAC) permission modification events." DESCRIPTION="Collect discretionary access control (DAC) permission modification events."
AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
@ -23,7 +26,7 @@ AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>
FILE='/etc/audit/audit.rules' FILE='/etc/audit/audit.rules'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
# define custom IFS and save default one # define custom IFS and save default one
d_IFS=$IFS d_IFS=$IFS
c_IFS=$'\n' c_IFS=$'\n'
@ -33,7 +36,7 @@ audit () {
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file $FILE $AUDIT_VALUE
IFS=$c_IFS IFS=$c_IFS
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
@ -43,12 +46,12 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file $FILE $AUDIT_VALUE
if [ $FNRET != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file $FILE $AUDIT_VALUE
eval $(pkill -HUP -P 1 auditd) eval $(pkill -HUP -P 1 auditd)
@ -65,17 +68,19 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

Some files were not shown because too many files have changed in this diff Show More