elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2025-07-16 13:52:17 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: elie:v2.1-4
Branches Tags
elie:master elie:damcava35/deb12_scripts_2 elie:damcava35/update_lib elie:damcava35/new_scripts elie:damcava35/issue_249 elie:damcava35/drop_debian10 elie:damcava35/is_ip_v6_enabled elie:damcava35/issue_195 elie:damcava35/fix_only elie:damcava35/fix_packaging elie:damcava35/set_version elie:damcava35/test_pre_commit elie:dev/thibault.dewailly/deb12 elie:dependabot/github_actions/luizm/action-sh-checker-0.9.0 elie:dev/thibault.dewailly/set_hardening_level elie:dev/thibault.dewailly/syslogng_remotecheck
elie:latest elie:v4.1-5 elie:v4.1-4 elie:v4.1-3 elie:v4.1-2 elie:v4.1-1 elie:v4.0-1 elie:v3.8-1 elie:v3.7-1 elie:v3.6-1 elie:v3.5-1 elie:v3.4-1 elie:v3.3-1 elie:v3.2-2 elie:v3.2-1 elie:v3.2-0 elie:v3.1-6 elie:v3.1-5 elie:v3.1-4 elie:v3.1-3 elie:v3.1-2 elie:v3.1-1 elie:v3.1-0 elie:v3.0-1 elie:v3.0 elie:v2.1-6 elie:v2.1-5 elie:v2.1-4 elie:v2.1-3 elie:v2.1-2 elie:v2.1-1 elie:v2.0-6 elie:v2.0-5 elie:v2.0-4 elie:v1.3-4 elie:v1.3-3 elie:v1.3-2 elie:v1.3 elie:v1.2-1 elie:v1.1-1
...
compare: elie:v2.1-5
Branches Tags
elie:damcava35/deb12_scripts_2 elie:damcava35/update_lib elie:damcava35/new_scripts elie:master elie:damcava35/issue_249 elie:damcava35/drop_debian10 elie:damcava35/is_ip_v6_enabled elie:damcava35/issue_195 elie:damcava35/fix_only elie:damcava35/fix_packaging elie:damcava35/set_version elie:damcava35/test_pre_commit elie:dev/thibault.dewailly/deb12 elie:dependabot/github_actions/luizm/action-sh-checker-0.9.0 elie:dev/thibault.dewailly/set_hardening_level elie:dev/thibault.dewailly/syslogng_remotecheck
elie:latest elie:v4.1-5 elie:v4.1-4 elie:v4.1-3 elie:v4.1-2 elie:v4.1-1 elie:v4.0-1 elie:v3.8-1 elie:v3.7-1 elie:v3.6-1 elie:v3.5-1 elie:v3.4-1 elie:v3.3-1 elie:v3.2-2 elie:v3.2-1 elie:v3.2-0 elie:v3.1-6 elie:v3.1-5 elie:v3.1-4 elie:v3.1-3 elie:v3.1-2 elie:v3.1-1 elie:v3.1-0 elie:v3.0-1 elie:v3.0 elie:v2.1-6 elie:v2.1-5 elie:v2.1-4 elie:v2.1-3 elie:v2.1-2 elie:v2.1-1 elie:v2.0-6 elie:v2.0-5 elie:v2.0-4 elie:v1.3-4 elie:v1.3-3 elie:v1.3-2 elie:v1.3 elie:v1.2-1 elie:v1.1-1

26 Commits
v2.1-4 ... v2.1-5

Author SHA1 Message Date
Thibault Ayanides
3560f67e3f Update changelog 2020-12-14 16:56:09 +01:00
Thibault Ayanides
f4ba90352b IMP(shellcheck): replace ls parsing by stat 2020-12-14 16:14:37 +01:00
Thibault Ayanides
cdaee7786a IMP(shellcheck) refactor new line (SC1004) 2020-12-14 16:09:14 +01:00
Thibault Ayanides
13a070319b IMP(6.2.13): fix race condition 2020-12-14 15:11:33 +01:00
Thibault Ayanides
65bdb42eb3 IMP(shellcheck): replace ls by find (SC2045) 2020-12-14 15:08:18 +01:00
Thibault Ayanides
0c16e500f5 IMP(shellcheck): replace ls in loop by glob (SC2045) 2020-12-14 14:45:38 +01:00
Thibault Ayanides
fad8e8c1f1 IMP(shellcheck): disable quoting warning for find 2020-12-14 14:28:27 +01:00
Thibault Ayanides
2ab1bd50dc IMP(shellcheck): use $@ insetad of $* (SC2048) 2020-12-14 13:58:50 +01:00
Thibault Ayanides
db27cfc39c FIX: move shfmt to project root 2020-12-10 10:00:07 +01:00
Thibault Ayanides
dee0ebc821 IMP(shellcheck): quote variables 2020-12-10 09:50:33 +01:00
Thibault Ayanides
16cc2bef71 IMP(shellcheck): fix harmless warnings (SC2155) 2020-12-10 08:40:36 +01:00
Thibault Ayanides
b9e129d8fe IMP(shellcheck): disable sed replacement (SC2001) 
Shellcheck recommands to replace sed by shell expansions in 'simple' cases.
However, the replacement here is likely to lead to erros, so we disable this rule.
Moreover, it does'nt really add readability.
 2020-12-10 08:34:57 +01:00
Thibault Ayanides
36528b55e0 IMP(shellcheck): replace deprecated egrep (SC2196) 2020-12-10 08:20:26 +01:00
Thibault Ayanides
1c56bd9930 IMP(shellcheck): remove $() in if condition (SC2091) 2020-12-10 08:16:23 +01:00
Thibault Ayanides
99ac9339f4 IMP: change apt in apt-get 2020-12-07 17:16:19 +01:00
Thibault Ayanides
b09b75a51e IMP(shellcheck): quote variables (SC2086) 2020-12-07 17:11:32 +01:00
Thibault Ayanides
6826f377e6 IMP(shellcheck): quote variables (SC2086) 2020-12-07 16:49:11 +01:00
Thibault Ayanides
e2f7426664 IMP(shellcheck): quoting variables 2020-12-07 15:53:14 +01:00
Thibault Ayanides
ac66cdacd0 IMP(shellcheck): fix quote placement in awk (SC1083) 2020-12-07 15:01:22 +01:00
Thibault Ayanides
8012234096 IMP(shellcheck): fix harmless warnings 2020-12-07 14:53:10 +01:00
Thibault Ayanides
63835dd10c IMP(shellcheck): add curly bracket to var (SC1087) 2020-12-07 13:54:57 +01:00
Thibault Ayanides
ef800954f4 IMP(shellcheck): refactor continue (SC2104) 2020-12-07 13:32:14 +01:00
Thibault Ayanides
addd48c4dd IMP(shellcheck): add prefix to follow scripts (SC1090) 2020-12-07 13:26:51 +01:00
Thibault Ayanides
72bb3e2b84 IMP(shellcheck): replace -a in condition by && (SC2166) 2020-12-04 15:29:19 +01:00
Thibault Ayanides
d371b8d057 IMP(shellcheck): replace ! -z by -n (SC2236) 2020-12-04 15:14:18 +01:00
Thibault Ayanides
eaf56ca25e IMP(shellcheck): quote variables (SC2086) 2020-12-04 15:04:22 +01:00
182 changed files with 1192 additions and 1112 deletions
Expand all files Collapse all files

79
bin/hardening.sh
View File

@ -10,7 +10,7 @@
# Main script : Execute hardening considering configuration # Main script : Execute hardening considering configuration
# #
LONG_SCRIPT_NAME=$(basename $0) LONG_SCRIPT_NAME=$(basename "$0")
SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh} SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
DISABLED_CHECKS=0 DISABLED_CHECKS=0
PASSED_CHECKS=0 PASSED_CHECKS=0
@ -114,7 +114,7 @@ fi
declare -a TEST_LIST ALLOWED_SERVICES_LIST declare -a TEST_LIST ALLOWED_SERVICES_LIST
# Arguments parsing # Arguments parsing
while [[ $# > 0 ]]; do while [[ $# -gt 0 ]]; do
ARG="$1" ARG="$1"
case $ARG in case $ARG in
--audit) --audit)
@ -165,12 +165,13 @@ while [[ $# > 0 ]]; do
done done
# if no RUN_MODE was passed, usage and quit # if no RUN_MODE was passed, usage and quit
if [ "$AUDIT" -eq 0 -a "$AUDIT_ALL" -eq 0 -a "$AUDIT_ALL_ENABLE_PASSED" -eq 0 -a "$APPLY" -eq 0 -a "$CREATE_CONFIG" -eq 0 ]; then if [ "$AUDIT" -eq 0 ] && [ "$AUDIT_ALL" -eq 0 ] && [ "$AUDIT_ALL_ENABLE_PASSED" -eq 0 ] && [ "$APPLY" -eq 0 ] && [ "$CREATE_CONFIG" -eq 0 ]; then
usage usage
fi fi
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
@ -178,34 +179,37 @@ if [ -z "$CIS_ROOT_DIR" ]; then
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# shellcheck source=../lib/constants.sh
[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
# shellcheck source=../etc/hardening.cfg
[ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
# shellcheck source=../lib/common.sh
[ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
# shellcheck source=../lib/utils.sh
[ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh
[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh if [ "$BATCH_MODE" ]; then MACHINE_LOG_LEVEL=3; fi
[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
if [ $BATCH_MODE ]; then MACHINE_LOG_LEVEL=3; fi
# If --allow-service-list is specified, don't run anything, just list the supported services # If --allow-service-list is specified, don't run anything, just list the supported services
if [ "$ALLOW_SERVICE_LIST" = 1 ]; then if [ "$ALLOW_SERVICE_LIST" = 1 ]; then
declare -a HARDENING_EXCEPTIONS_LIST declare -a HARDENING_EXCEPTIONS_LIST
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
template=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2) template=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2)
[ -n "$template" ] && HARDENING_EXCEPTIONS_LIST[${#HARDENING_EXCEPTIONS_LIST[@]}]="$template" [ -n "$template" ] && HARDENING_EXCEPTIONS_LIST[${#HARDENING_EXCEPTIONS_LIST[@]}]="$template"
done done
echo "Supported services are: "$(echo "${HARDENING_EXCEPTIONS_LIST[@]}" | tr " " "\n" | sort -u | tr "\n" " ") echo "Supported services are:" "$(echo "${HARDENING_EXCEPTIONS_LIST[@]}" | tr " " "\n" | sort -u | tr "\n" " ")"
exit 0 exit 0
fi fi
# If --set-hardening-level is specified, don't run anything, just apply config for each script # If --set-hardening-level is specified, don't run anything, just apply config for each script
if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ]; then if [ -n "$SET_HARDENING_LEVEL" ] && [ "$SET_HARDENING_LEVEL" != 0 ]; then
if ! grep -q "^[12345]$" <<<"$SET_HARDENING_LEVEL"; then if ! grep -q "^[12345]$" <<<"$SET_HARDENING_LEVEL"; then
echo "Bad --set-hardening-level specified ('$SET_HARDENING_LEVEL'), expected 1 to 5" echo "Bad --set-hardening-level specified ('$SET_HARDENING_LEVEL'), expected 1 to 5"
exit 1 exit 1
fi fi
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
SCRIPT_BASENAME=$(basename $SCRIPT .sh) SCRIPT_BASENAME=$(basename "$SCRIPT" .sh)
script_level=$(grep "^HARDENING_LEVEL=" "$SCRIPT" | cut -d= -f2) script_level=$(grep "^HARDENING_LEVEL=" "$SCRIPT" | cut -d= -f2)
if [ -z "$script_level" ]; then if [ -z "$script_level" ]; then
echo "The script $SCRIPT_BASENAME doesn't have a hardening level, configuration untouched for it" echo "The script $SCRIPT_BASENAME doesn't have a hardening level, configuration untouched for it"
@ -213,22 +217,23 @@ if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ]; then
fi fi
wantedstatus=disabled wantedstatus=disabled
[ "$script_level" -le "$SET_HARDENING_LEVEL" ] && wantedstatus=enabled [ "$script_level" -le "$SET_HARDENING_LEVEL" ] && wantedstatus=enabled
sed -i -re "s/^status=.+/status=$wantedstatus/" $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg sed -i -re "s/^status=.+/status=$wantedstatus/" "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
done done
echo "Configuration modified to enable scripts for hardening level at or below $SET_HARDENING_LEVEL" echo "Configuration modified to enable scripts for hardening level at or below $SET_HARDENING_LEVEL"
exit 0 exit 0
fi fi
if [ $CREATE_CONFIG = 1 ] && [ "$EUID" -ne 0 ]; then if [ "$CREATE_CONFIG" = 1 ] && [ "$EUID" -ne 0 ]; then
echo "For --create-config-files-only, please run as root" echo "For --create-config-files-only, please run as root"
exit 1 exit 1
fi fi
# Parse every scripts and execute them in the required mode # Parse every scripts and execute them in the required mode
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
if [ ${#TEST_LIST[@]} -gt 0 ]; then if [ "${#TEST_LIST[@]}" -gt 0 ]; then
# --only X has been specified at least once, is this script in my list ? # --only X has been specified at least once, is this script in my list ?
SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename $SCRIPT)") SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename "$SCRIPT")")
# shellcheck disable=SC2001
SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX") SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX")
if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<<"${TEST_LIST[@]}"; then if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<<"${TEST_LIST[@]}"; then
# not in the list # not in the list
@ -237,21 +242,21 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
fi fi
info "Treating $SCRIPT" info "Treating $SCRIPT"
if [ $CREATE_CONFIG = 1 ]; then if [ "$CREATE_CONFIG" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only" debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only"
$SCRIPT --create-config-files-only $BATCH_MODE "$SCRIPT" --create-config-files-only "$BATCH_MODE"
elif [ $AUDIT = 1 ]; then elif [ "$AUDIT" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE" debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
$SCRIPT --audit $SUDO_MODE $BATCH_MODE "$SCRIPT" --audit "$SUDO_MODE" "$BATCH_MODE"
elif [ $AUDIT_ALL = 1 ]; then elif [ "$AUDIT_ALL" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE" debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
elif [ $AUDIT_ALL_ENABLE_PASSED = 1 ]; then elif [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE" $BATCH_MODE debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
elif [ $APPLY = 1 ]; then elif [ "$APPLY" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT" debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
$SCRIPT "$SCRIPT"
fi fi
SCRIPT_EXITCODE=$? SCRIPT_EXITCODE=$?
@ -261,9 +266,9 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
0) 0)
debug "$SCRIPT passed" debug "$SCRIPT passed"
PASSED_CHECKS=$((PASSED_CHECKS + 1)) PASSED_CHECKS=$((PASSED_CHECKS + 1))
if [ $AUDIT_ALL_ENABLE_PASSED = 1 ]; then if [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
SCRIPT_BASENAME=$(basename $SCRIPT .sh) SCRIPT_BASENAME=$(basename "$SCRIPT" .sh)
sed -i -re 's/^status=.+/status=enabled/' $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg sed -i -re 's/^status=.+/status=enabled/' "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg" info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
fi fi
;; ;;
@ -283,18 +288,18 @@ done
TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS - DISABLED_CHECKS)) TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS - DISABLED_CHECKS))
if [ $BATCH_MODE ]; then if [ "$BATCH_MODE" ]; then
BATCH_SUMMARY="AUDIT_SUMMARY " BATCH_SUMMARY="AUDIT_SUMMARY "
BATCH_SUMMARY+="PASSED_CHECKS:${PASSED_CHECKS:-0} " BATCH_SUMMARY+="PASSED_CHECKS:${PASSED_CHECKS:-0} "
BATCH_SUMMARY+="RUN_CHECKS:${TOTAL_TREATED_CHECKS:-0} " BATCH_SUMMARY+="RUN_CHECKS:${TOTAL_TREATED_CHECKS:-0} "
BATCH_SUMMARY+="TOTAL_CHECKS_AVAIL:${TOTAL_CHECKS:-0}" BATCH_SUMMARY+="TOTAL_CHECKS_AVAIL:${TOTAL_CHECKS:-0}"
if [ $TOTAL_TREATED_CHECKS != 0 ]; then if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100") CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%s" "$CONFORMITY_PERCENTAGE")" BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%s" "$CONFORMITY_PERCENTAGE")"
else else
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0 BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
fi fi
becho $BATCH_SUMMARY becho "$BATCH_SUMMARY"
else else
printf "%40s\n" "################### SUMMARY ###################" printf "%40s\n" "################### SUMMARY ###################"
printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS" printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
@ -305,7 +310,7 @@ else
ENABLED_CHECKS_PERCENTAGE=$(bc -l <<<"scale=2; ($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100") ENABLED_CHECKS_PERCENTAGE=$(bc -l <<<"scale=2; ($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100")
CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100") CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
printf "%30s %s %%\n" "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE" printf "%30s %s %%\n" "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE"
if [ $TOTAL_TREATED_CHECKS != 0 ]; then if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
printf "%30s %s %%\n" "Conformity Percentage :" "$CONFORMITY_PERCENTAGE" printf "%30s %s %%\n" "Conformity Percentage :" "$CONFORMITY_PERCENTAGE"
else else
printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No check runned, avoid division by 0 printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No check runned, avoid division by 0

2
bin/hardening/1.1.1.3_disable_hfs.sh
View File

@ -22,7 +22,7 @@ MODULE_FILE="hfs"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!" crit "$KERNEL_OPTION is enabled!"
else else

2
bin/hardening/1.1.1.4_disable_hfsplus.sh
View File

@ -22,7 +22,7 @@ MODULE_FILE="hfsplus"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!" crit "$KERNEL_OPTION is enabled!"
else else

2
bin/hardening/1.1.1.5_disable_udf.sh
View File

@ -22,7 +22,7 @@ MODULE_FILE="udf"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!" crit "$KERNEL_OPTION is enabled!"
else else

2
bin/hardening/1.1.1.7_disable_squashfs.sh
View File

@ -22,7 +22,7 @@ MODULE_FILE="squashfs"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!" crit "$KERNEL_OPTION is enabled!"
else else

8
bin/hardening/1.1.10_var_tmp_noexec.sh
View File

@ -26,19 +26,19 @@ audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition" crit "$PARTITION is not a partition"
FNRET=2 FNRET=2
else else
ok "$PARTITION is a partition" ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION" has_mount_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
ok "$PARTITION has $OPTION in fstab" ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION" has_mounted_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime" warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3 FNRET=3
else else
@ -56,7 +56,7 @@ apply() {
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab" info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION" remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then elif [ "$FNRET" = 3 ]; then

4
bin/hardening/1.1.11_var_log_partition.sh
View File

@ -25,13 +25,13 @@ audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition" crit "$PARTITION is not a partition"
FNRET=2 FNRET=2
else else
ok "$PARTITION is a partition" ok "$PARTITION is a partition"
is_mounted "$PARTITION" is_mounted "$PARTITION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted" warn "$PARTITION is not mounted"
FNRET=1 FNRET=1
else else

4
bin/hardening/1.1.12_var_log_audit_partition.sh
View File

@ -24,13 +24,13 @@ audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition" crit "$PARTITION is not a partition"
FNRET=2 FNRET=2
else else
ok "$PARTITION is a partition" ok "$PARTITION is a partition"
is_mounted "$PARTITION" is_mounted "$PARTITION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted" warn "$PARTITION is not mounted"
FNRET=1 FNRET=1
else else

4
bin/hardening/1.1.13_home_partition.sh
View File

@ -25,13 +25,13 @@ audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition" crit "$PARTITION is not a partition"
FNRET=2 FNRET=2
else else
ok "$PARTITION is a partition" ok "$PARTITION is a partition"
is_mounted "$PARTITION" is_mounted "$PARTITION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted" warn "$PARTITION is not mounted"
FNRET=1 FNRET=1
else else

8
bin/hardening/1.1.14_home_nodev.sh
View File

@ -26,19 +26,19 @@ audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition" crit "$PARTITION is not a partition"
FNRET=2 FNRET=2
else else
ok "$PARTITION is a partition" ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION" has_mount_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
ok "$PARTITION has $OPTION in fstab" ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION" has_mounted_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime" warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3 FNRET=3
else else
@ -56,7 +56,7 @@ apply() {
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab" info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION" remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then elif [ "$FNRET" = 3 ]; then

8
bin/hardening/1.1.15_run_shm_nodev.sh
View File

@ -27,19 +27,19 @@ audit() {
PARTITION=$(readlink -e "$PARTITION") PARTITION=$(readlink -e "$PARTITION")
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition" crit "$PARTITION is not a partition"
FNRET=2 FNRET=2
else else
ok "$PARTITION is a partition" ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION" has_mount_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
ok "$PARTITION has $OPTION in fstab" ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION" has_mounted_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime" warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3 FNRET=3
else else
@ -57,7 +57,7 @@ apply() {
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab" info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION" remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then elif [ "$FNRET" = 3 ]; then

8
bin/hardening/1.1.16_run_shm_nosuid.sh
View File

@ -27,19 +27,19 @@ audit() {
PARTITION=$(readlink -e "$PARTITION") PARTITION=$(readlink -e "$PARTITION")
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition" crit "$PARTITION is not a partition"
FNRET=2 FNRET=2
else else
ok "$PARTITION is a partition" ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION" has_mount_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
ok "$PARTITION has $OPTION in fstab" ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION" has_mounted_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime" warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3 FNRET=3
else else
@ -57,7 +57,7 @@ apply() {
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab" info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION" remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then elif [ "$FNRET" = 3 ]; then

8
bin/hardening/1.1.17_run_shm_noexec.sh
View File

@ -27,19 +27,19 @@ audit() {
PARTITION=$(readlink -e "$PARTITION") PARTITION=$(readlink -e "$PARTITION")
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition" crit "$PARTITION is not a partition"
FNRET=2 FNRET=2
else else
ok "$PARTITION is a partition" ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION" has_mount_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
ok "$PARTITION has $OPTION in fstab" ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION" has_mounted_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime" warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3 FNRET=3
else else
@ -57,7 +57,7 @@ apply() {
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab" info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION" remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then elif [ "$FNRET" = 3 ]; then

6
bin/hardening/1.1.18_removable_device_nodev.sh
View File

@ -28,13 +28,13 @@ audit() {
info "Verifying if there is $PARTITION like partition" info "Verifying if there is $PARTITION like partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
ok "There is no partition like $PARTITION" ok "There is no partition like $PARTITION"
FNRET=0 FNRET=0
else else
info "detected $PARTITION like" info "detected $PARTITION like"
has_mount_option "$PARTITION" "$OPTION" has_mount_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
@ -49,7 +49,7 @@ apply() {
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ "$FNRET" = 1 ]; then elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab" info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION add_option_to_fstab "$PARTITION" "$OPTION"
fi fi
} }

6
bin/hardening/1.1.19_removable_device_nosuid.sh
View File

@ -28,13 +28,13 @@ audit() {
info "Verifying if there is $PARTITION like partition" info "Verifying if there is $PARTITION like partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
ok "There is no partition like $PARTITION" ok "There is no partition like $PARTITION"
FNRET=0 FNRET=0
else else
info "detected $PARTITION like" info "detected $PARTITION like"
has_mount_option "$PARTITION" "$OPTION" has_mount_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
@ -49,7 +49,7 @@ apply() {
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ "$FNRET" = 1 ]; then elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab" info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION add_option_to_fstab "$PARTITION" "$OPTION"
fi fi
} }

6
bin/hardening/1.1.20_removable_device_noexec.sh
View File

@ -28,13 +28,13 @@ audit() {
info "Verifying if there is $PARTITION like partition" info "Verifying if there is $PARTITION like partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
ok "There is no partition like $PARTITION" ok "There is no partition like $PARTITION"
FNRET=0 FNRET=0
else else
info "detected $PARTITION like" info "detected $PARTITION like"
has_mount_option "$PARTITION" "$OPTION" has_mount_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
@ -49,7 +49,7 @@ apply() {
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ "$FNRET" = 1 ]; then elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab" info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION add_option_to_fstab "$PARTITION" "$OPTION"
fi fi
} }

14
bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
View File

@ -20,11 +20,13 @@ DESCRIPTION="Set sticky bit on world writable directories to prevent users from
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
info "Checking if setuid is set on world writable Directories" info "Checking if setuid is set on world writable Directories"
FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'}) FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
# shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null) RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then if [ -n "$RESULT" ]; then
crit "Some world writable directories are not on sticky bit mode!" crit "Some world writable directories are not on sticky bit mode!"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ') # shellcheck disable=SC2001
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$RESULT" | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT" crit "$FORMATTED_RESULT"
else else
ok "All world writable directories have a sticky bit" ok "All world writable directories have a sticky bit"
@ -33,9 +35,9 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null) RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then if [ -n "$RESULT" ]; then
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
else else
ok "All world writable directories have a sticky bit, nothing to apply" ok "All world writable directories have a sticky bit, nothing to apply"
fi fi

2
bin/hardening/1.1.22_disable_automounting.sh
View File

@ -36,7 +36,7 @@ apply() {
is_service_enabled "$SERVICE_NAME" is_service_enabled "$SERVICE_NAME"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
info "Disabling $SERVICE_NAME" info "Disabling $SERVICE_NAME"
update-rc.d $SERVICE_NAME remove >/dev/null 2>&1 update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
else else
ok "$SERVICE_NAME is disabled" ok "$SERVICE_NAME is disabled"
fi fi

4
bin/hardening/1.1.2_tmp_partition.sh
View File

@ -25,13 +25,13 @@ audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition" crit "$PARTITION is not a partition"
FNRET=2 FNRET=2
else else
ok "$PARTITION is a partition" ok "$PARTITION is a partition"
is_mounted "$PARTITION" is_mounted "$PARTITION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted" warn "$PARTITION is not mounted"
FNRET=1 FNRET=1
else else

8
bin/hardening/1.1.3_tmp_nodev.sh
View File

@ -26,19 +26,19 @@ audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition" crit "$PARTITION is not a partition"
FNRET=2 FNRET=2
else else
ok "$PARTITION is a partition" ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION" has_mount_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
ok "$PARTITION has $OPTION in fstab" ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION" has_mounted_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime" warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3 FNRET=3
else else
@ -56,7 +56,7 @@ apply() {
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab" info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION" remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then elif [ "$FNRET" = 3 ]; then

8
bin/hardening/1.1.4_tmp_nosuid.sh
View File

@ -26,19 +26,19 @@ audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition" crit "$PARTITION is not a partition"
FNRET=2 FNRET=2
else else
ok "$PARTITION is a partition" ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION" has_mount_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
ok "$PARTITION has $OPTION in fstab" ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION" has_mounted_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime" warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3 FNRET=3
else else
@ -56,7 +56,7 @@ apply() {
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab" info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION" remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then elif [ "$FNRET" = 3 ]; then

8
bin/hardening/1.1.5_tmp_noexec.sh
View File

@ -26,19 +26,19 @@ audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition" crit "$PARTITION is not a partition"
FNRET=2 FNRET=2
else else
ok "$PARTITION is a partition" ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION" has_mount_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
ok "$PARTITION has $OPTION in fstab" ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION" has_mounted_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime" warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3 FNRET=3
else else
@ -56,7 +56,7 @@ apply() {
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab" info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION" remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then elif [ "$FNRET" = 3 ]; then

4
bin/hardening/1.1.6_var_partition.sh
View File

@ -25,13 +25,13 @@ audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition" crit "$PARTITION is not a partition"
FNRET=2 FNRET=2
else else
ok "$PARTITION is a partition" ok "$PARTITION is a partition"
is_mounted "$PARTITION" is_mounted "$PARTITION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted" warn "$PARTITION is not mounted"
FNRET=1 FNRET=1
else else

4
bin/hardening/1.1.7_var_tmp_partition.sh
View File

@ -25,13 +25,13 @@ audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition" crit "$PARTITION is not a partition"
FNRET=2 FNRET=2
else else
ok "$PARTITION is a partition" ok "$PARTITION is a partition"
is_mounted "$PARTITION" is_mounted "$PARTITION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted" warn "$PARTITION is not mounted"
FNRET=1 FNRET=1
else else

8
bin/hardening/1.1.8_var_tmp_nodev.sh
View File

@ -26,19 +26,19 @@ audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition" crit "$PARTITION is not a partition"
FNRET=2 FNRET=2
else else
ok "$PARTITION is a partition" ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION" has_mount_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
ok "$PARTITION has $OPTION in fstab" ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION" has_mounted_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime" warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3 FNRET=3
else else
@ -56,7 +56,7 @@ apply() {
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab" info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION" remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then elif [ "$FNRET" = 3 ]; then

8
bin/hardening/1.1.9_var_tmp_nosuid.sh
View File

@ -26,19 +26,19 @@ audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition" crit "$PARTITION is not a partition"
FNRET=2 FNRET=2
else else
ok "$PARTITION is a partition" ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION" has_mount_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!" crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
ok "$PARTITION has $OPTION in fstab" ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION" has_mounted_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime" warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3 FNRET=3
else else
@ -56,7 +56,7 @@ apply() {
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab" info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION" remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then elif [ "$FNRET" = 3 ]; then

8
bin/hardening/1.4.1_bootloader_ownership.sh
View File

@ -48,7 +48,7 @@ apply() {
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
info "fixing $FILE ownership to $USER:$GROUP" info "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE chown "$USER":"$GROUP" "$FILE"
fi fi
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
@ -68,17 +68,17 @@ check_config() {
warn "Grub is not installed, not handling configuration" warn "Grub is not installed, not handling configuration"
exit 128 exit 128
fi fi
does_user_exist $USER does_user_exist "$USER"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$USER does not exist" crit "$USER does not exist"
exit 128 exit 128
fi fi
does_group_exist $GROUP does_group_exist "$GROUP"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$GROUP does not exist" crit "$GROUP does not exist"
exit 128 exit 128
fi fi
does_file_exist $FILE does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
exit 128 exit 128

8
bin/hardening/1.4.2_bootloader_password.sh
View File

@ -23,13 +23,13 @@ PWD_PATTERN="^password_pbkdf2"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
does_pattern_exist_in_file $FILE "$USER_PATTERN" does_pattern_exist_in_file "$FILE" "$USER_PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$USER_PATTERN not present in $FILE" crit "$USER_PATTERN not present in $FILE"
else else
ok "$USER_PATTERN is present in $FILE" ok "$USER_PATTERN is present in $FILE"
fi fi
does_pattern_exist_in_file $FILE "$PWD_PATTERN" does_pattern_exist_in_file "$FILE" "$PWD_PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PWD_PATTERN not present in $FILE" crit "$PWD_PATTERN not present in $FILE"
else else
@ -39,13 +39,13 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
does_pattern_exist_in_file $FILE "$USER_PATTERN" does_pattern_exist_in_file "$FILE" "$USER_PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$USER_PATTERN not present in $FILE, please configure password for grub" warn "$USER_PATTERN not present in $FILE, please configure password for grub"
else else
ok "$USER_PATTERN is present in $FILE" ok "$USER_PATTERN is present in $FILE"
fi fi
does_pattern_exist_in_file $FILE "$PWD_PATTERN" does_pattern_exist_in_file "$FILE" "$PWD_PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$PWD_PATTERN not present in $FILE, please configure password for grub" warn "$PWD_PATTERN not present in $FILE, please configure password for grub"
else else

4
bin/hardening/1.4.3_root_password.sh
View File

@ -22,7 +22,7 @@ PATTERN="^root:[*\!]:"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
does_pattern_exist_in_file $FILE $PATTERN does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 1 ]; then if [ "$FNRET" != 1 ]; then
crit "$PATTERN is present in $FILE" crit "$PATTERN is present in $FILE"
else else
@ -32,7 +32,7 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
does_pattern_exist_in_file $FILE $PATTERN does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 1 ]; then if [ "$FNRET" != 1 ]; then
warn "$PATTERN is present in $FILE, please put a root password" warn "$PATTERN is present in $FILE, please put a root password"
else else

12
bin/hardening/1.5.1_restrict_core_dumps.sh
View File

@ -27,14 +27,14 @@ SYSCTL_EXP_RESULT=0
audit() { audit() {
SEARCH_RES=0 SEARCH_RES=0
LIMIT_FILES="" LIMIT_FILES=""
if $SUDO_CMD [ -d $LIMIT_DIR ]; then if $SUDO_CMD [ -d "$LIMIT_DIR" ]; then
for file in $($SUDO_CMD ls $LIMIT_DIR/*.conf 2>/dev/null); do for file in $($SUDO_CMD ls "$LIMIT_DIR"/*.conf 2>/dev/null); do
LIMIT_FILES="$LIMIT_FILES $LIMIT_DIR/$file" LIMIT_FILES="$LIMIT_FILES $LIMIT_DIR/$file"
done done
fi fi
debug "Files to search $LIMIT_FILE $LIMIT_FILES" debug "Files to search $LIMIT_FILE $LIMIT_FILES"
for file in $LIMIT_FILE $LIMIT_FILES; do for file in $LIMIT_FILE $LIMIT_FILES; do
does_pattern_exist_in_file $file $LIMIT_PATTERN does_pattern_exist_in_file "$file" "$LIMIT_PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
debug "$LIMIT_PATTERN not present in $file" debug "$LIMIT_PATTERN not present in $file"
else else
@ -43,7 +43,7 @@ audit() {
break break
fi fi
done done
if [ $SEARCH_RES = 0 ]; then if [ "$SEARCH_RES" = 0 ]; then
crit "$LIMIT_PATTERN is not present in $LIMIT_FILE $LIMIT_FILES" crit "$LIMIT_PATTERN is not present in $LIMIT_FILE $LIMIT_FILES"
fi fi
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
@ -58,7 +58,7 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN does_pattern_exist_in_file "$LIMIT_FILE" "$LIMIT_PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$LIMIT_PATTERN not present in $LIMIT_FILE, adding at the end of $LIMIT_FILE" warn "$LIMIT_PATTERN not present in $LIMIT_FILE, adding at the end of $LIMIT_FILE"
add_end_of_file $LIMIT_FILE "* hard core 0" add_end_of_file $LIMIT_FILE "* hard core 0"
@ -68,7 +68,7 @@ apply() {
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
elif [ "$FNRET" = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else

4
bin/hardening/1.5.2_enable_nx_support.sh
View File

@ -35,7 +35,7 @@ nx_supported_and_enabled() {
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
does_pattern_exist_in_dmesg $PATTERN does_pattern_exist_in_dmesg "$PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
nx_supported_and_enabled nx_supported_and_enabled
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
@ -50,7 +50,7 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
does_pattern_exist_in_dmesg $PATTERN does_pattern_exist_in_dmesg "$PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
nx_supported_and_enabled nx_supported_and_enabled
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then

2
bin/hardening/1.5.3_enable_randomized_vm_placement.sh
View File

@ -37,7 +37,7 @@ apply() {
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
elif [ "$FNRET" = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else

4
bin/hardening/1.6.2.1_enable_apparmor.sh
View File

@ -36,13 +36,13 @@ audit() {
c_IFS=$'\n' c_IFS=$'\n'
IFS=$c_IFS IFS=$c_IFS
for line in $RESULT; do for line in $RESULT; do
if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then if [[ ! "$line" =~ "apparmor=1" ]] || [[ ! "$line" =~ "security=apparmor" ]]; then
crit "$line is not configured" crit "$line is not configured"
ERROR=1 ERROR=1
fi fi
done done
IFS=$d_IFS IFS=$d_IFS
if [ $ERROR = 0 ]; then if [ "$ERROR" = 0 ]; then
ok "$PACKAGE is configured" ok "$PACKAGE is configured"
fi fi

6
bin/hardening/1.7.1.1_remove_os_info_motd.sh
View File

@ -22,7 +22,7 @@ PATTERN='(\\v|\\r|\\m|\\s)'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PATTERN is present in $FILE" crit "$PATTERN is present in $FILE"
else else
@ -32,10 +32,10 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
warn "$PATTERN is present in $FILE" warn "$PATTERN is present in $FILE"
delete_line_in_file $FILE $PATTERN delete_line_in_file "$FILE" "$PATTERN"
else else
ok "$PATTERN is not present in $FILE" ok "$PATTERN is not present in $FILE"
fi fi

4
bin/hardening/1.7.1.2_remove_os_info_issue.sh
View File

@ -22,7 +22,7 @@ PATTERN='(\\v|\\r|\\m|\\s)'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PATTERN is present in $FILE" crit "$PATTERN is present in $FILE"
else else
@ -35,7 +35,7 @@ apply() {
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
warn "$PATTERN is present in $FILE" warn "$PATTERN is present in $FILE"
delete_line_in_file $FILE $PATTERN delete_line_in_file "$FILE" "$PATTERN"
else else
ok "$PATTERN is not present in $FILE" ok "$PATTERN is not present in $FILE"
fi fi

6
bin/hardening/1.7.1.3_remove_os_info_issue_net.sh
View File

@ -22,7 +22,7 @@ PATTERN='(\\v|\\r|\\m|\\s)'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PATTERN is present in $FILE" crit "$PATTERN is present in $FILE"
else else
@ -32,10 +32,10 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
warn "$PATTERN is present in $FILE" warn "$PATTERN is present in $FILE"
delete_line_in_file $FILE $PATTERN delete_line_in_file "$FILE" "$PATTERN"
else else
ok "$PATTERN is not present in $FILE" ok "$PATTERN is not present in $FILE"
fi fi

12
bin/hardening/1.7.1.4_motd_perms.sh
View File

@ -24,11 +24,10 @@ FILE='/etc/motd'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
does_file_exist $FILE does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
continue else
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
@ -41,21 +40,22 @@ audit() {
else else
crit "$FILE permissions were not set to $PERMISSIONS" crit "$FILE permissions were not set to $PERMISSIONS"
fi fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
does_file_exist $FILE does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "$FILE does not exist" info "$FILE does not exist"
touch $FILE touch "$FILE"
fi fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
warn "fixing $FILE ownership to $USER:$GROUP" warn "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE chown "$USER":"$GROUP" "$FILE"
fi fi
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then

12
bin/hardening/1.7.1.5_etc_issue_perms.sh
View File

@ -24,11 +24,10 @@ FILE='/etc/issue'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
does_file_exist $FILE does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
continue else
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
@ -41,21 +40,22 @@ audit() {
else else
crit "$FILE permissions were not set to $PERMISSIONS" crit "$FILE permissions were not set to $PERMISSIONS"
fi fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
does_file_exist $FILE does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "$FILE does not exist" info "$FILE does not exist"
touch $FILE touch "$FILE"
fi fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
warn "fixing $FILE ownership to $USER:$GROUP" warn "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE chown "$USER":"$GROUP" "$FILE"
fi fi
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then

12
bin/hardening/1.7.1.6_etc_issue_net_perms.sh
View File

@ -24,11 +24,10 @@ FILE='/etc/issue.net'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
does_file_exist $FILE does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
continue else
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
@ -41,21 +40,22 @@ audit() {
else else
crit "$FILE permissions were not set to $PERMISSIONS" crit "$FILE permissions were not set to $PERMISSIONS"
fi fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
does_file_exist $FILE does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "$FILE does not exist" info "$FILE does not exist"
touch $FILE touch "$FILE"
fi fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
warn "fixing $FILE ownership to $USER:$GROUP" warn "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE chown "$USER":"$GROUP" "$FILE"
fi fi
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then

4
bin/hardening/1.8_install_updates.sh
View File

@ -23,7 +23,7 @@ audit() {
apt_update_if_needed apt_update_if_needed
info "Fetching upgrades ..." info "Fetching upgrades ..."
apt_check_updates "CIS_APT" apt_check_updates "CIS_APT"
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
crit "$RESULT" crit "$RESULT"
FNRET=1 FNRET=1
else else
@ -34,7 +34,7 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
if [ $FNRET -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
info "Applying Upgrades..." info "Applying Upgrades..."
DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y
else else

18
bin/hardening/2.2.1.2_configure_ntp.sh
View File

@ -32,13 +32,13 @@ audit() {
crit "$PACKAGE is not installed!" crit "$PACKAGE is not installed!"
else else
ok "$PACKAGE is installed, checking configuration" ok "$PACKAGE is installed, checking configuration"
does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE" crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
else else
ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE" ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
fi fi
does_pattern_exist_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN" does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE" crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE"
else else
@ -54,22 +54,22 @@ apply() {
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
else else
crit "$PACKAGE is absent, installing it" crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE apt_install "$PACKAGE"
info "Checking $PACKAGE configuration" info "Checking $PACKAGE configuration"
fi fi
does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE, adding it" warn "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE, adding it"
backup_file $NTP_CONF_FILE backup_file "$NTP_CONF_FILE"
add_end_of_file $NTP_CONF_FILE "restrict -4 default kod notrap nomodify nopeer noquery" add_end_of_file "$NTP_CONF_FILE" "restrict -4 default kod notrap nomodify nopeer noquery"
else else
ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE" ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
fi fi
does_pattern_exist_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN" does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE, adding it" warn "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE, adding it"
backup_file $NTP_INIT_FILE backup_file "$NTP_INIT_FILE"
add_line_file_before_pattern $NTP_INIT_FILE $NTP_INIT_PATTERN "^UGID" add_line_file_before_pattern "$NTP_INIT_FILE" "$NTP_INIT_PATTERN" "^UGID"
else else
ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE" ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
fi fi

2
bin/hardening/2.2.1.3_configure_chrony.sh
View File

@ -30,7 +30,7 @@ audit() {
crit "$PACKAGE is not installed!" crit "$PACKAGE is not installed!"
else else
ok "$PACKAGE is installed, checking configuration" ok "$PACKAGE is installed, checking configuration"
does_pattern_exist_in_file $CONF_FILE $CONF_DEFAULT_PATTERN does_pattern_exist_in_file "$CONF_FILE" "$CONF_DEFAULT_PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE" crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE"
else else

6
bin/hardening/2.2.12_disable_samba.sh
View File

@ -32,7 +32,7 @@ audit() {
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi
done done
is_service_enabled $SERVICE is_service_enabled "$SERVICE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "Service $SERVICE is enabled!" crit "Service $SERVICE is enabled!"
else else
@ -52,10 +52,10 @@ apply() {
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi
done done
is_service_enabled $SERVICE is_service_enabled "$SERVICE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "Service $SERVICE is enabled!" crit "Service $SERVICE is enabled!"
systemctl disable $SERVICE systemctl disable "$SERVICE"
else else
ok "Service $SERVICE is disabled" ok "Service $SERVICE is disabled"
fi fi

4
bin/hardening/2.2.15_mta_localhost.sh
View File

@ -29,7 +29,7 @@ audit() {
ok "Nothing listens on 25 port, probably unix socket configured" ok "Nothing listens on 25 port, probably unix socket configured"
else else
info "Checking $RESULT" info "Checking $RESULT"
if $(grep -q "127.0.0.1" <<<$RESULT); then if grep -q "127.0.0.1" <<<"$RESULT"; then
ok "MTA is configured to localhost only" ok "MTA is configured to localhost only"
else else
crit "MTA listens worldwide" crit "MTA listens worldwide"
@ -47,7 +47,7 @@ apply() {
ok "Nothing listens on 25 port, probably unix socket configured" ok "Nothing listens on 25 port, probably unix socket configured"
else else
info "Checking $RESULT" info "Checking $RESULT"
if $(grep -q "127.0.0.1" <<<$RESULT); then if grep -q "127.0.0.1" <<<"$RESULT"; then
ok "MTA is configured to localhost only" ok "MTA is configured to localhost only"
else else
warn "MTA listens worldwide, correct this considering your MTA" warn "MTA listens worldwide, correct this considering your MTA"

8
bin/hardening/2.2.16_disable_rsync.sh
View File

@ -31,7 +31,7 @@ audit() {
ok "$PACKAGE is not installed" ok "$PACKAGE is not installed"
else else
ok "$PACKAGE is installed, checking configuration" ok "$PACKAGE is installed, checking configuration"
does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN" does_pattern_exist_in_file "$RSYNC_DEFAULT_FILE" "^$RSYNC_DEFAULT_PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE" crit "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE"
else else
@ -47,11 +47,11 @@ apply() {
ok "$PACKAGE is not installed" ok "$PACKAGE is not installed"
else else
ok "$PACKAGE is installed, checking configuration" ok "$PACKAGE is installed, checking configuration"
does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN" does_pattern_exist_in_file "$RSYNC_DEFAULT_FILE" "^$RSYNC_DEFAULT_PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE, adding it" warn "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE, adding it"
backup_file $RSYNC_DEFAULT_FILE backup_file "$RSYNC_DEFAULT_FILE"
replace_in_file $RSYNC_DEFAULT_FILE $RSYNC_DEFAULT_PATTERN_TO_SEARCH $RSYNC_DEFAULT_PATTERN replace_in_file "$RSYNC_DEFAULT_FILE" "$RSYNC_DEFAULT_PATTERN_TO_SEARCH" "$RSYNC_DEFAULT_PATTERN"
else else
ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE" ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE"
fi fi

11
bin/hardening/2.2.18_disable_telnet_server.sh
View File

@ -30,11 +30,11 @@ audit() {
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
warn "$PACKAGE is installed, checking configuration" warn "$PACKAGE is installed, checking configuration"
does_file_exist $FILE does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
ok "$FILE does not exist" ok "$FILE does not exist"
else else
does_pattern_exist_in_file $FILE $PATTERN does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PATTERN exists, $PACKAGE services are enabled!" crit "$PATTERN exists, $PACKAGE services are enabled!"
else else
@ -58,17 +58,18 @@ apply() {
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi
does_file_exist $FILE does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
ok "$FILE does not exist" ok "$FILE does not exist"
else else
info "$FILE exists, checking patterns" info "$FILE exists, checking patterns"
does_pattern_exist_in_file $FILE $PATTERN does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
warn "$PATTERN is present in $FILE, purging it" warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE backup_file $FILE
# shellcheck disable=SC2001
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<<$PATTERN) ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<<$PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE sed -ie "s/$ESCAPED_PATTERN/#&/g" "$FILE"
else else
ok "$PATTERN is not present in $FILE" ok "$PATTERN is not present in $FILE"
fi fi

3
bin/hardening/3.1.1_disable_ip_forwarding.sh
View File

@ -14,6 +14,7 @@ set -u # One variable unset, it's over
# shellcheck disable=2034 # shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
HARDENING_EXCEPTION=gw HARDENING_EXCEPTION=gw
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Disable IP forwarding." DESCRIPTION="Disable IP forwarding."
@ -44,7 +45,7 @@ apply() {
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
sysctl -w net.ipv4.route.flush=1 >/dev/null sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"

10
bin/hardening/3.1.2_disable_send_packet_redirects.sh
View File

@ -24,8 +24,8 @@ SYSCTL_PARAMS='net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_red
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
@ -41,13 +41,13 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
sysctl -w net.ipv4.route.flush=1 >/dev/null sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"

12
bin/hardening/3.2.1_disable_source_routed_packets.sh
View File

@ -23,9 +23,9 @@ SYSCTL_PARAMS=''
audit() { audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
does_sysctl_param_exists "net.ipv6" does_sysctl_param_exists "net.ipv6"
if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6 if [ "$FNRET" = 0 ] || [[ ! "$SYSCTL_VALUES" =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
@ -42,13 +42,13 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value -- Fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
sysctl -w net.ipv4.route.flush=1 >/dev/null sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"

12
bin/hardening/3.2.2_disable_icmp_redirect.sh
View File

@ -23,9 +23,9 @@ SYSCTL_PARAMS=''
audit() { audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
does_sysctl_param_exists "net.ipv6" does_sysctl_param_exists "net.ipv6"
if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6 if [ "$FNRET" = 0 ] || [[ ! "$SYSCTL_VALUES" =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
@ -43,13 +43,13 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
sysctl -w net.ipv4.route.flush=1 >/dev/null sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"

10
bin/hardening/3.2.3_disable_secure_icmp_redirect.sh
View File

@ -22,8 +22,8 @@ SYSCTL_PARAMS='net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
@ -39,13 +39,13 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
sysctl -w net.ipv4.route.flush=1 >/dev/null sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"

10
bin/hardening/3.2.4_log_martian_packets.sh
View File

@ -22,8 +22,8 @@ SYSCTL_PARAMS='net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martia
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
@ -39,13 +39,13 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
sysctl -w net.ipv4.route.flush=1 >/dev/null sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"

10
bin/hardening/3.2.5_ignore_broadcast_requests.sh
View File

@ -22,8 +22,8 @@ SYSCTL_PARAMS='net.ipv4.icmp_echo_ignore_broadcasts=1'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
@ -39,13 +39,13 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
sysctl -w net.ipv4.route.flush=1 >/dev/null sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"

10
bin/hardening/3.2.6_enable_bad_error_message_protection.sh
View File

@ -22,8 +22,8 @@ SYSCTL_PARAMS='net.ipv4.icmp_ignore_bogus_error_responses=1'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
@ -39,13 +39,13 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
sysctl -w net.ipv4.route.flush=1 >/dev/null sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"

10
bin/hardening/3.2.7_enable_source_route_validation.sh
View File

@ -22,8 +22,8 @@ SYSCTL_PARAMS='net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
@ -39,13 +39,13 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
sysctl -w net.ipv4.route.flush=1 >/dev/null sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"

10
bin/hardening/3.2.8_enable_tcp_syn_cookies.sh
View File

@ -22,8 +22,8 @@ SYSCTL_PARAMS='net.ipv4.tcp_syncookies=1'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
@ -39,13 +39,13 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
sysctl -w net.ipv4.route.flush=1 >/dev/null sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"

10
bin/hardening/3.2.9_disable_ipv6_router_advertisement.sh
View File

@ -26,8 +26,8 @@ audit() {
ok "ipv6 is disabled" ok "ipv6 is disabled"
else else
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
@ -48,13 +48,13 @@ apply() {
ok "ipv6 is disabled" ok "ipv6 is disabled"
else else
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT, fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT, fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
sysctl -w net.ipv4.route.flush=1 >/dev/null sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"

2
bin/hardening/3.3.1_install_tcp_wrapper.sh
View File

@ -36,7 +36,7 @@ apply() {
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
else else
crit "$PACKAGE is absent, installing it" crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE apt_install "$PACKAGE"
fi fi
} }

6
bin/hardening/3.3.2_hosts_allow.sh
View File

@ -21,7 +21,7 @@ FILE='/etc/hosts.allow'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
does_file_exist $FILE does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
else else
@ -31,10 +31,10 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
does_file_exist $FILE does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist, creating it" warn "$FILE does not exist, creating it"
touch $FILE touch "$FILE"
warn "You may want to fill it with allowed networks" warn "You may want to fill it with allowed networks"
else else
ok "$FILE exist" ok "$FILE exist"

12
bin/hardening/3.3.3_hosts_deny.sh
View File

@ -22,12 +22,12 @@ PATTERN='ALL: ALL'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
does_file_exist $FILE does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
else else
ok "$FILE exists, checking configuration" ok "$FILE exists, checking configuration"
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in $FILE, we have to deny everything" crit "$PATTERN is not present in $FILE, we have to deny everything"
else else
@ -38,17 +38,17 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
does_file_exist $FILE does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist, creating it" warn "$FILE does not exist, creating it"
touch $FILE touch "$FILE"
else else
ok "$FILE exists" ok "$FILE exists"
fi fi
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in $FILE, we have to deny everything" crit "$PATTERN is not present in $FILE, we have to deny everything"
add_end_of_file $FILE "$PATTERN" add_end_of_file "$FILE" "$PATTERN"
warn "YOU MAY HAVE CUT YOUR ACCESS, CHECK BEFORE DISCONNECTING" warn "YOU MAY HAVE CUT YOUR ACCESS, CHECK BEFORE DISCONNECTING"
else else
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"

8
bin/hardening/3.5.1.1_net_fw_default_policy_drop.sh
View File

@ -27,17 +27,17 @@ audit() {
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!" crit "$PACKAGE is not installed!"
else else
ipt=$($SUDO_CMD $PACKAGE -nL 2>/dev/null || true) ipt=$($SUDO_CMD "$PACKAGE" -nL 2>/dev/null || true)
if [[ -z $ipt ]]; then if [[ -z "$ipt" ]]; then
crit "Empty return from $PACKAGE command. Aborting..." crit "Empty return from $PACKAGE command. Aborting..."
return return
fi fi
for chain in $FW_CHAINS; do for chain in $FW_CHAINS; do
regex="Chain $chain \(policy ([A-Z]+)\)" regex="Chain $chain \(policy ([A-Z]+)\)"
# previous line will capture actual policy # previous line will capture actual policy
if [[ $ipt =~ $regex ]]; then if [[ "$ipt" =~ $regex ]]; then
actual_policy=${BASH_REMATCH[1]} actual_policy=${BASH_REMATCH[1]}
if [[ $actual_policy = "$FW_POLICY" ]]; then if [[ "$actual_policy" = "$FW_POLICY" ]]; then
ok "Policy correctly set to $FW_POLICY for chain $chain" ok "Policy correctly set to $FW_POLICY for chain $chain"
else else
crit "Policy set to $actual_policy for chain $chain, should be ${FW_POLICY}." crit "Policy set to $actual_policy for chain $chain, should be ${FW_POLICY}."

2
bin/hardening/3.5_enable_firewall.sh
View File

@ -39,7 +39,7 @@ apply() {
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
else else
crit "$PACKAGE is absent, installing it" crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE apt_install "$PACKAGE"
fi fi
} }

10
bin/hardening/3.7_disable_ipv6.sh
View File

@ -26,8 +26,8 @@ audit() {
ok "ipv6 is disabled" ok "ipv6 is disabled"
else else
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
@ -48,13 +48,13 @@ apply() {
ok "ipv6 is disabled" ok "ipv6 is disabled"
else else
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value, fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value, fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
warn "you may want to reboot or sysctl -p a file including $SYSCTL_PARAMS" warn "you may want to reboot or sysctl -p a file including $SYSCTL_PARAMS"
elif [ "$FNRET" = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"

10
bin/hardening/4.1.1.1_audit_log_storage.sh
View File

@ -23,12 +23,12 @@ VALUE=5
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
does_file_exist $FILE does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
else else
ok "$FILE exists, checking configuration" ok "$FILE exists, checking configuration"
does_pattern_exist_in_file $FILE "^$PATTERN[[:space:]]" does_pattern_exist_in_file "$FILE" "^${PATTERN}[[:space:]]"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in $FILE" crit "$PATTERN is not present in $FILE"
else else
@ -39,17 +39,17 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
does_file_exist $FILE does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist, creating it" warn "$FILE does not exist, creating it"
touch $FILE touch $FILE
else else
ok "$FILE exists" ok "$FILE exists"
fi fi
does_pattern_exist_in_file $FILE "^$PATTERN[[:space:]]" does_pattern_exist_in_file "$FILE" "^${PATTERN}[[:space:]]"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
add_end_of_file $FILE "$PATTERN = $VALUE" add_end_of_file "$FILE" "$PATTERN = $VALUE"
else else
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
fi fi

26
bin/hardening/4.1.1.2_halt_when_audit_log_full.sh
View File

@ -22,17 +22,17 @@ OPTIONS=''
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
does_file_exist $FILE does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
else else
ok "$FILE exists, checking configuration" ok "$FILE exists, checking configuration"
for AUDIT_OPTION in $OPTIONS; do for AUDIT_OPTION in $OPTIONS; do
AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1) AUDIT_PARAM=$(echo "$AUDIT_OPTION" | cut -d= -f 1)
AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2) AUDIT_VALUE=$(echo "$AUDIT_OPTION" | cut -d= -f 2)
PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE" PATTERN="^${AUDIT_PARAM}[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
debug "$AUDIT_PARAM should be set to $AUDIT_VALUE" debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in $FILE" crit "$PATTERN is not present in $FILE"
else else
@ -44,7 +44,7 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
does_file_exist $FILE does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist, creating it" warn "$FILE does not exist, creating it"
touch $FILE touch $FILE
@ -52,20 +52,20 @@ apply() {
ok "$FILE exists" ok "$FILE exists"
fi fi
for AUDIT_OPTION in $OPTIONS; do for AUDIT_OPTION in $OPTIONS; do
AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1) AUDIT_PARAM=$(echo "$AUDIT_OPTION" | cut -d= -f 1)
AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2) AUDIT_VALUE=$(echo "$AUDIT_OPTION" | cut -d= -f 2)
debug "$AUDIT_PARAM should be set to $AUDIT_VALUE" debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE" PATTERN="^${AUDIT_PARAM}[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$AUDIT_PARAM" does_pattern_exist_in_file "$FILE" "^$AUDIT_PARAM"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end" info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end"
add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE" add_end_of_file "$FILE" "$AUDIT_PARAM = $AUDIT_VALUE"
else else
info "Parameter $AUDIT_PARAM is present but with the wrong value -- Fixing" info "Parameter $AUDIT_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$AUDIT_PARAM[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE" replace_in_file "$FILE" "^${AUDIT_PARAM}[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE"
fi fi
else else
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"

24
bin/hardening/4.1.1.3_keep_all_audit_logs.sh
View File

@ -22,17 +22,17 @@ OPTIONS='max_log_file_action=keep_logs'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
does_file_exist $FILE does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
else else
ok "$FILE exists, checking configuration" ok "$FILE exists, checking configuration"
for AUDIT_OPTION in $OPTIONS; do for AUDIT_OPTION in $OPTIONS; do
AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1) AUDIT_PARAM=$(echo "$AUDIT_OPTION" | cut -d= -f 1)
AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2) AUDIT_VALUE=$(echo "$AUDIT_OPTION" | cut -d= -f 2)
PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE" PATTERN="^${AUDIT_PARAM}[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
debug "$AUDIT_PARAM should be set to $AUDIT_VALUE" debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in $FILE" crit "$PATTERN is not present in $FILE"
else else
@ -44,7 +44,7 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
does_file_exist $FILE does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist, creating it" warn "$FILE does not exist, creating it"
touch $FILE touch $FILE
@ -52,20 +52,20 @@ apply() {
ok "$FILE exists" ok "$FILE exists"
fi fi
for AUDIT_OPTION in $OPTIONS; do for AUDIT_OPTION in $OPTIONS; do
AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1) AUDIT_PARAM=$(echo "$AUDIT_OPTION" | cut -d= -f 1)
AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2) AUDIT_VALUE=$(echo "$AUDIT_OPTION" | cut -d= -f 2)
debug "$AUDIT_PARAM should be set to $AUDIT_VALUE" debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE" PATTERN="^${AUDIT_PARAM}[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$AUDIT_PARAM" does_pattern_exist_in_file "$FILE" "^$AUDIT_PARAM"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end" info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end"
add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE" add_end_of_file "$FILE" "$AUDIT_PARAM = $AUDIT_VALUE"
else else
info "Parameter $AUDIT_PARAM is present but with the wrong value -- Fixing" info "Parameter $AUDIT_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$AUDIT_PARAM[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE" replace_in_file "$FILE" "^${AUDIT_PARAM}[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE"
fi fi
else else
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"

8
bin/hardening/4.1.10_record_dac_edit.sh
View File

@ -34,7 +34,7 @@ audit() {
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
@ -50,11 +50,11 @@ apply() {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file "$FILE" "$AUDIT_VALUE"
eval $(pkill -HUP -P 1 auditd) eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi

8
bin/hardening/4.1.11_record_failed_access_file.sh
View File

@ -32,7 +32,7 @@ audit() {
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
@ -48,11 +48,11 @@ apply() {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file "$FILE" "$AUDIT_VALUE"
eval $(pkill -HUP -P 1 auditd) eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi

13
bin/hardening/4.1.12_record_privileged_commands.sh
View File

@ -19,9 +19,8 @@ DESCRIPTION="Collect use of privileged commands."
# Find all files with setuid or setgid set # Find all files with setuid or setgid set
SUDO_CMD='sudo -n' SUDO_CMD='sudo -n'
AUDIT_PARAMS=$($SUDO_CMD find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print \ AUDIT_PARAMS=$($SUDO_CMD find / -xdev \( -perm -4000 -o -perm -2000 \) -type f |
"-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 \ awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }')
-k privileged" }')
FILE='/etc/audit/audit.rules' FILE='/etc/audit/audit.rules'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
@ -33,7 +32,7 @@ audit() {
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
@ -49,11 +48,11 @@ apply() {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file "$FILE" "$AUDIT_VALUE"
eval $(pkill -HUP -P 1 auditd) eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi

8
bin/hardening/4.1.13_record_successful_mount.sh
View File

@ -30,7 +30,7 @@ audit() {
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
@ -46,11 +46,11 @@ apply() {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file "$FILE" "$AUDIT_VALUE"
eval $(pkill -HUP -P 1 auditd) eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi

8
bin/hardening/4.1.14_record_file_deletions.sh
View File

@ -30,7 +30,7 @@ audit() {
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
@ -46,11 +46,11 @@ apply() {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file "$FILE" "$AUDIT_VALUE"
eval $(pkill -HUP -P 1 auditd) eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi

8
bin/hardening/4.1.15_record_sudoers_edit.sh
View File

@ -30,7 +30,7 @@ audit() {
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
@ -46,11 +46,11 @@ apply() {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file "$FILE" "$AUDIT_VALUE"
eval $(pkill -HUP -P 1 auditd) eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi

8
bin/hardening/4.1.16_record_sudo_usage.sh
View File

@ -29,7 +29,7 @@ audit() {
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
@ -45,11 +45,11 @@ apply() {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file "$FILE" "$AUDIT_VALUE"
eval $(pkill -HUP -P 1 auditd) eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi

8
bin/hardening/4.1.17_record_kernel_modules.sh
View File

@ -32,7 +32,7 @@ audit() {
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
@ -48,11 +48,11 @@ apply() {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file "$FILE" "$AUDIT_VALUE"
eval $(pkill -HUP -P 1 auditd) eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi

8
bin/hardening/4.1.18_freeze_auditd_conf.sh
View File

@ -29,7 +29,7 @@ audit() {
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
@ -45,11 +45,11 @@ apply() {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file "$FILE" "$AUDIT_VALUE"
eval $(pkill -HUP -P 1 auditd) eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi

6
bin/hardening/4.1.2_enable_auditd.sh
View File

@ -43,15 +43,15 @@ apply() {
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
else else
warn "$PACKAGE is absent, installing it" warn "$PACKAGE is absent, installing it"
apt_install $PACKAGE apt_install "$PACKAGE"
fi fi
is_service_enabled "$SERVICE_NAME" is_service_enabled "$SERVICE_NAME"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$SERVICE_NAME is enabled" ok "$SERVICE_NAME is enabled"
else else
warn "$SERVICE_NAME is not enabled, enabling it" warn "$SERVICE_NAME is not enabled, enabling it"
update-rc.d $SERVICE_NAME remove >/dev/null 2>&1 update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
update-rc.d $SERVICE_NAME defaults >/dev/null 2>&1 update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1
fi fi
} }

24
bin/hardening/4.1.3_audit_bootloader.sh
View File

@ -22,17 +22,17 @@ OPTIONS='GRUB_CMDLINE_LINUX="audit=1"'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
does_file_exist $FILE does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
else else
ok "$FILE exists, checking configuration" ok "$FILE exists, checking configuration"
for GRUB_OPTION in $OPTIONS; do for GRUB_OPTION in $OPTIONS; do
GRUB_PARAM=$(echo $GRUB_OPTION | cut -d= -f 1) GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
GRUB_VALUE=$(echo $GRUB_OPTION | cut -d= -f 2,3) GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
PATTERN="^$GRUB_PARAM=$GRUB_VALUE" PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
debug "$GRUB_PARAM should be set to $GRUB_VALUE" debug "$GRUB_PARAM should be set to $GRUB_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in $FILE" crit "$PATTERN is not present in $FILE"
else else
@ -44,28 +44,28 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
does_file_exist $FILE does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist, creating it" warn "$FILE does not exist, creating it"
touch $FILE touch "$FILE"
else else
ok "$FILE exists" ok "$FILE exists"
fi fi
for GRUB_OPTION in $OPTIONS; do for GRUB_OPTION in $OPTIONS; do
GRUB_PARAM=$(echo $GRUB_OPTION | cut -d= -f 1) GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
GRUB_VALUE=$(echo $GRUB_OPTION | cut -d= -f 2,3) GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
debug "$GRUB_PARAM should be set to $GRUB_VALUE" debug "$GRUB_PARAM should be set to $GRUB_VALUE"
PATTERN="^$GRUB_PARAM=$GRUB_VALUE" PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$GRUB_PARAM" does_pattern_exist_in_file "$FILE" "^$GRUB_PARAM"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "Parameter $GRUB_PARAM seems absent from $FILE, adding at the end" info "Parameter $GRUB_PARAM seems absent from $FILE, adding at the end"
add_end_of_file $FILE "$GRUB_PARAM = $GRUB_VALUE" add_end_of_file "$FILE" "$GRUB_PARAM = $GRUB_VALUE"
else else
info "Parameter $GRUB_PARAM is present but with the wrong value -- Fixing" info "Parameter $GRUB_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$GRUB_PARAM=.*" "$GRUB_PARAM=$GRUB_VALUE" replace_in_file "$FILE" "^$GRUB_PARAM=.*" "$GRUB_PARAM=$GRUB_VALUE"
fi fi
else else
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"

8
bin/hardening/4.1.4_record_date_time_edit.sh
View File

@ -33,7 +33,7 @@ audit() {
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
@ -49,11 +49,11 @@ apply() {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file "$FILE" "$AUDIT_VALUE"
eval $(pkill -HUP -P 1 auditd) eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi

8
bin/hardening/4.1.5_record_user_group_edit.sh
View File

@ -33,7 +33,7 @@ audit() {
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
@ -49,11 +49,11 @@ apply() {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file "$FILE" "$AUDIT_VALUE"
eval $(pkill -HUP -P 1 auditd) eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi

8
bin/hardening/4.1.6_record_network_edit.sh
View File

@ -34,7 +34,7 @@ audit() {
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
@ -50,11 +50,11 @@ apply() {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file "$FILE" "$AUDIT_VALUE"
eval $(pkill -HUP -P 1 auditd) eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi

8
bin/hardening/4.1.7_record_mac_edit.sh
View File

@ -29,7 +29,7 @@ audit() {
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
@ -45,11 +45,11 @@ apply() {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file "$FILE" "$AUDIT_VALUE"
eval $(pkill -HUP -P 1 auditd) eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi

8
bin/hardening/4.1.8_record_login_logout.sh
View File

@ -31,7 +31,7 @@ audit() {
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
@ -47,11 +47,11 @@ apply() {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file "$FILE" "$AUDIT_VALUE"
eval $(pkill -HUP -P 1 auditd) eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi

8
bin/hardening/4.1.9_record_session_init.sh
View File

@ -31,7 +31,7 @@ audit() {
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
@ -47,11 +47,11 @@ apply() {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file "$FILE" "$AUDIT_VALUE"
eval $(pkill -HUP -P 1 auditd) eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi

4
bin/hardening/4.2.2.1_enable_syslog-ng.sh
View File

@ -36,8 +36,8 @@ apply() {
is_service_enabled "$SERVICE_NAME" is_service_enabled "$SERVICE_NAME"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "Enabling $SERVICE_NAME" info "Enabling $SERVICE_NAME"
update-rc.d $SERVICE_NAME remove >/dev/null 2>&1 update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
update-rc.d $SERVICE_NAME defaults >/dev/null 2>&1 update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1
else else
ok "$SERVICE_NAME is enabled" ok "$SERVICE_NAME is enabled"
fi fi

1
bin/hardening/4.2.2.2_configure_syslog-ng.sh
View File

@ -17,6 +17,7 @@ HARDENING_LEVEL=3
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Configure /etc/syslog-ng/syslog-ng.conf ." DESCRIPTION="Configure /etc/syslog-ng/syslog-ng.conf ."
# shellcheck disable=2034
SERVICE_NAME="syslog-ng" SERVICE_NAME="syslog-ng"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode

2
bin/hardening/4.2.2.3_syslog_ng_logfiles_perm.sh
View File

@ -136,7 +136,7 @@ check_config() {
crit "$USER does not exist" crit "$USER does not exist"
exit 128 exit 128
fi fi
does_group_exist $GROUP does_group_exist "$GROUP"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$GROUP does not exist" crit "$GROUP does not exist"
exit 128 exit 128

8
bin/hardening/4.2.2.4_syslog-ng_remote_host.sh
View File

@ -22,7 +22,7 @@ PATTERN='destination[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
FOUND=0 FOUND=0
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L $SYSLOG_BASEDIR/conf.d/ -type f)" FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
for FILE in $FILES; do for FILE in $FILES; do
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN" does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -30,7 +30,7 @@ audit() {
fi fi
done done
if [ $FOUND = 1 ]; then if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES" ok "$PATTERN is present in $FILES"
else else
crit "$PATTERN is not present in $FILES" crit "$PATTERN is not present in $FILES"
@ -40,14 +40,14 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
FOUND=0 FOUND=0
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L $SYSLOG_BASEDIR/conf.d/ -type f)" FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
for FILE in $FILES; do for FILE in $FILES; do
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN" does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
FOUND=1 FOUND=1
fi fi
done done
if [ $FOUND = 1 ]; then if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES" ok "$PATTERN is present in $FILES"
else else
crit "$PATTERN is not present in $FILES, please set a remote host to send your logs" crit "$PATTERN is not present in $FILES, please set a remote host to send your logs"

2
bin/hardening/4.2.3_install_syslog-ng.sh
View File

@ -37,7 +37,7 @@ apply() {
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
else else
crit "$PACKAGE is absent, installing it" crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE apt_install "$PACKAGE"
fi fi
} }

6
bin/hardening/4.2.4_logs_permissions.sh
View File

@ -33,7 +33,7 @@ audit() {
fi fi
done done
if [ $ERRORS = 0 ]; then if [ "$ERRORS" = 0 ]; then
ok "Logs in $DIR have correct permissions" ok "Logs in $DIR have correct permissions"
fi fi
} }
@ -46,12 +46,12 @@ apply() {
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE permissions were set to $PERMISSIONS" ok "$FILE permissions were set to $PERMISSIONS"
else else
warn "fixing $DIRlogs ownership to $PERMISSIONS" warn "fixing $DIR logs ownership to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE" chmod 0"$PERMISSIONS" "$FILE"
fi fi
done done
if [ $ERRORS = 0 ]; then if [ "$ERRORS" = 0 ]; then
ok "Logs in $DIR have correct permissions" ok "Logs in $DIR have correct permissions"
fi fi
} }

1
bin/hardening/4.3_configure_logrotate.sh
View File

@ -16,6 +16,7 @@ HARDENING_LEVEL=3
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Configure logrotate to prevent logfile from growing unmanageable." DESCRIPTION="Configure logrotate to prevent logfile from growing unmanageable."
# shellcheck disable=2034
SERVICE_NAME="syslog-ng" SERVICE_NAME="syslog-ng"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode

6
bin/hardening/5.1.1_enable_cron.sh
View File

@ -43,12 +43,12 @@ apply() {
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
else else
crit "$PACKAGE is absent, installing it" crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE apt_install "$PACKAGE"
is_service_enabled "$SERVICE_NAME" is_service_enabled "$SERVICE_NAME"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "Enabling $SERVICE_NAME" info "Enabling $SERVICE_NAME"
update-rc.d $SERVICE_NAME remove >/dev/null 2>&1 update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
update-rc.d $SERVICE_NAME defaults >/dev/null 2>&1 update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1
else else
ok "$SERVICE_NAME is enabled" ok "$SERVICE_NAME is enabled"
fi fi

10
bin/hardening/5.1.2_crontab_perm_ownership.sh
View File

@ -40,17 +40,17 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
does_file_exist $FILE does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "$FILE does not exist" info "$FILE does not exist"
touch $FILE touch "$FILE"
fi fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
warn "fixing $FILE ownership to $USER:$GROUP" warn "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE chown "$USER":"$GROUP" "$FILE"
fi fi
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -63,12 +63,12 @@ apply() {
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
does_user_exist $USER does_user_exist "$USER"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$USER does not exist" crit "$USER does not exist"
exit 128 exit 128
fi fi
does_group_exist $GROUP does_group_exist "$GROUP"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$GROUP does not exist" crit "$GROUP does not exist"
exit 128 exit 128

10
bin/hardening/5.1.3_cron_hourly_perm_ownership.sh
View File

@ -40,17 +40,17 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
does_file_exist $FILE does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "$FILE does not exist" info "$FILE does not exist"
touch $FILE touch "$FILE"
fi fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
warn "fixing $FILE ownership to $USER:$GROUP" warn "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE chown "$USER":"$GROUP" "$FILE"
fi fi
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -63,12 +63,12 @@ apply() {
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
does_user_exist $USER does_user_exist "$USER"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$USER does not exist" crit "$USER does not exist"
exit 128 exit 128
fi fi
does_group_exist $GROUP does_group_exist "$GROUP"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$GROUP does not exist" crit "$GROUP does not exist"
exit 128 exit 128

10
bin/hardening/5.1.4_cron_daily_perm_ownership.sh
View File

@ -40,17 +40,17 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
does_file_exist $FILE does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "$FILE does not exist" info "$FILE does not exist"
touch $FILE touch "$FILE"
fi fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
warn "fixing $FILE ownership to $USER:$GROUP" warn "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE chown "$USER":"$GROUP" "$FILE"
fi fi
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -63,12 +63,12 @@ apply() {
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
does_user_exist $USER does_user_exist "$USER"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$USER does not exist" crit "$USER does not exist"
exit 128 exit 128
fi fi
does_group_exist $GROUP does_group_exist "$GROUP"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$GROUP does not exist" crit "$GROUP does not exist"
exit 128 exit 128

10
bin/hardening/5.1.5_cron_weekly_perm_ownership.sh
View File

@ -40,17 +40,17 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
does_file_exist $FILE does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "$FILE does not exist" info "$FILE does not exist"
touch $FILE touch "$FILE"
fi fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
warn "fixing $FILE ownership to $USER:$GROUP" warn "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE chown "$USER":"$GROUP" "$FILE"
fi fi
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -63,12 +63,12 @@ apply() {
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
does_user_exist $USER does_user_exist "$USER"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$USER does not exist" crit "$USER does not exist"
exit 128 exit 128
fi fi
does_group_exist $GROUP does_group_exist "$GROUP"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$GROUP does not exist" crit "$GROUP does not exist"
exit 128 exit 128

10
bin/hardening/5.1.6_cron_monthly_perm_ownership.sh
View File

@ -40,17 +40,17 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
does_file_exist $FILE does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "$FILE does not exist" info "$FILE does not exist"
touch $FILE touch "$FILE"
fi fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
warn "fixing $FILE ownership to $USER:$GROUP" warn "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE chown "$USER":"$GROUP" "$FILE"
fi fi
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -63,12 +63,12 @@ apply() {
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
does_user_exist $USER does_user_exist "$USER"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$USER does not exist" crit "$USER does not exist"
exit 128 exit 128
fi fi
does_group_exist $GROUP does_group_exist "$GROUP"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$GROUP does not exist" crit "$GROUP does not exist"
exit 128 exit 128

10
bin/hardening/5.1.7_cron_d_perm_ownership.sh
View File

@ -40,17 +40,17 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
does_file_exist $FILE does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "$FILE does not exist" info "$FILE does not exist"
touch $FILE touch "$FILE"
fi fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
warn "fixing $FILE ownership to $USER:$GROUP" warn "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE chown "$USER":"$GROUP" "$FILE"
fi fi
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -63,12 +63,12 @@ apply() {
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
does_user_exist $USER does_user_exist "$USER"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$USER does not exist" crit "$USER does not exist"
exit 128 exit 128
fi fi
does_group_exist $GROUP does_group_exist "$GROUP"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$GROUP does not exist" crit "$GROUP does not exist"
exit 128 exit 128

18
bin/hardening/5.1.8_cron_users.sh
View File

@ -26,7 +26,7 @@ GROUP='root'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
for FILE in $FILES_ABSENT; do for FILE in $FILES_ABSENT; do
does_file_exist $FILE does_file_exist "$FILE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$FILE exists" crit "$FILE exists"
else else
@ -34,7 +34,7 @@ audit() {
fi fi
done done
for FILE in $FILES_PRESENT; do for FILE in $FILES_PRESENT; do
does_file_exist $FILE does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE is absent" crit "$FILE is absent"
else else
@ -57,26 +57,26 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
for FILE in $FILES_ABSENT; do for FILE in $FILES_ABSENT; do
does_file_exist $FILE does_file_exist "$FILE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
warn "$FILE exists" warn "$FILE exists"
rm $FILE rm "$FILE"
else else
ok "$FILE is absent" ok "$FILE is absent"
fi fi
done done
for FILE in $FILES_PRESENT; do for FILE in $FILES_PRESENT; do
does_file_exist $FILE does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$FILE is absent" warn "$FILE is absent"
touch $FILE touch "$FILE"
fi fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
warn "fixing $FILE ownership to $USER:$GROUP" warn "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE chown "$USER":"$GROUP" "$FILE"
fi fi
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -90,12 +90,12 @@ apply() {
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
does_user_exist $USER does_user_exist "$USER"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$USER does not exist" crit "$USER does not exist"
exit 128 exit 128
fi fi
does_group_exist $GROUP does_group_exist "$GROUP"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$GROUP does not exist" crit "$GROUP does not exist"
exit 128 exit 128

24
bin/hardening/5.2.10_disable_root_login.sh
View File

@ -29,10 +29,10 @@ audit() {
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -49,23 +49,23 @@ apply() {
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
else else
crit "$PACKAGE is absent, installing it" crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE apt_install "$PACKAGE"
fi fi
for SSH_OPTION in $OPTIONS; do for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$SSH_PARAM" does_pattern_exist_in_file "$FILE" "^$SSH_PARAM"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi fi
/etc/init.d/ssh reload /etc/init.d/ssh reload
fi fi

24
bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh
View File

@ -29,10 +29,10 @@ audit() {
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -49,23 +49,23 @@ apply() {
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
else else
crit "$PACKAGE is absent, installing it" crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE apt_install "$PACKAGE"
fi fi
for SSH_OPTION in $OPTIONS; do for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$SSH_PARAM" does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi fi
/etc/init.d/ssh reload /etc/init.d/ssh reload
fi fi

Some files were not shown because too many files have changed in this diff Show More