elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2025-07-16 13:52:17 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: elie:v3.0-1
Branches Tags
elie:master elie:damcava35/deb12_scripts_2 elie:damcava35/update_lib elie:damcava35/new_scripts elie:damcava35/issue_249 elie:damcava35/drop_debian10 elie:damcava35/is_ip_v6_enabled elie:damcava35/issue_195 elie:damcava35/fix_only elie:damcava35/fix_packaging elie:damcava35/set_version elie:damcava35/test_pre_commit elie:dev/thibault.dewailly/deb12 elie:dependabot/github_actions/luizm/action-sh-checker-0.9.0 elie:dev/thibault.dewailly/set_hardening_level elie:dev/thibault.dewailly/syslogng_remotecheck
elie:latest elie:v4.1-5 elie:v4.1-4 elie:v4.1-3 elie:v4.1-2 elie:v4.1-1 elie:v4.0-1 elie:v3.8-1 elie:v3.7-1 elie:v3.6-1 elie:v3.5-1 elie:v3.4-1 elie:v3.3-1 elie:v3.2-2 elie:v3.2-1 elie:v3.2-0 elie:v3.1-6 elie:v3.1-5 elie:v3.1-4 elie:v3.1-3 elie:v3.1-2 elie:v3.1-1 elie:v3.1-0 elie:v3.0-1 elie:v3.0 elie:v2.1-6 elie:v2.1-5 elie:v2.1-4 elie:v2.1-3 elie:v2.1-2 elie:v2.1-1 elie:v2.0-6 elie:v2.0-5 elie:v2.0-4 elie:v1.3-4 elie:v1.3-3 elie:v1.3-2 elie:v1.3 elie:v1.2-1 elie:v1.1-1
...
compare: elie:v4.0-1
Branches Tags
elie:damcava35/deb12_scripts_2 elie:damcava35/update_lib elie:damcava35/new_scripts elie:master elie:damcava35/issue_249 elie:damcava35/drop_debian10 elie:damcava35/is_ip_v6_enabled elie:damcava35/issue_195 elie:damcava35/fix_only elie:damcava35/fix_packaging elie:damcava35/set_version elie:damcava35/test_pre_commit elie:dev/thibault.dewailly/deb12 elie:dependabot/github_actions/luizm/action-sh-checker-0.9.0 elie:dev/thibault.dewailly/set_hardening_level elie:dev/thibault.dewailly/syslogng_remotecheck
elie:latest elie:v4.1-5 elie:v4.1-4 elie:v4.1-3 elie:v4.1-2 elie:v4.1-1 elie:v4.0-1 elie:v3.8-1 elie:v3.7-1 elie:v3.6-1 elie:v3.5-1 elie:v3.4-1 elie:v3.3-1 elie:v3.2-2 elie:v3.2-1 elie:v3.2-0 elie:v3.1-6 elie:v3.1-5 elie:v3.1-4 elie:v3.1-3 elie:v3.1-2 elie:v3.1-1 elie:v3.1-0 elie:v3.0-1 elie:v3.0 elie:v2.1-6 elie:v2.1-5 elie:v2.1-4 elie:v2.1-3 elie:v2.1-2 elie:v2.1-1 elie:v2.0-6 elie:v2.0-5 elie:v2.0-4 elie:v1.3-4 elie:v1.3-3 elie:v1.3-2 elie:v1.3 elie:v1.2-1 elie:v1.1-1

99 Commits
v3.0-1 ... v4.0-1

Author SHA1 Message Date
thibault.dewailly
bc98bedf73 bump to 4.0-1 2023-07-10 07:21:13 +00:00
Stéphane Lesimple
873ef8827d fix: 99.1.3_acc_sudoers_no_all: fix a race condition (#186) 
On systems where /etc/sudoers.d might be updated often by some automated means, this
check might raise a critical when a previously present file (during the ls) is no longer
present (during its attempted read), so before raising a critical, re-check that it
does exists first.
 2023-07-03 17:05:45 +02:00
GoldenKiwi
bd27cd0dae fix: change auditd file rule remediation (#179) 
Fixes #165
 2023-05-05 12:32:22 +02:00
GoldenKiwi
f28ffc244c fix: correct debian package compression override (#181) 2023-05-02 18:06:59 +02:00
GoldenKiwi
19ce790a27 fix: ensure mountpoints are properly detected (#177) 
Fixes #155
When real entries are present in fstab, system startup or runtime mountpoints are now properly detected
Add a supplementary check in case of partition not present in fstab
 2023-05-02 18:01:53 +02:00
GoldenKiwi
47cf86237b fix: correct search in 5.4.5_default_timeout in apply mode (#178) 
fixes #116
 2023-05-02 17:57:35 +02:00
GoldenKiwi
ccd9c1a7aa fix: force xz compression during .deb build (#180) 
zst compression is only available on Debian 12, since the release is built on Ubuntu latest, this was breaking release.
Fixes #175
 2023-05-02 15:24:32 +02:00
GoldenKiwi
04457e7df2 feat: official Debian 11 compatibility (#176) 
Introduce Debian 11 compatibility
Based on CIS_Debian_Linux_11_Benchmark_v1.0.0

After review, here are the notable changes :
 - Harden /var/log more (noexec,nodev,nosuid)
 - Harden /var/log/audit more (noexec,nodev,nosuid)
 - Harden /home more (nosuid)
 - Disable cramfs
 - Fix 5.3.4_acc_pam_sha512.sh
 - Deprecate Debian 9 and remove useless docker images

NB : more audit log rules have been introduced and will be inserted in the checks later
Fix #158
 2023-05-02 14:16:19 +02:00
dependabot[bot]
05521d5961 Bump luizm/action-sh-checker from 0.5.0 to 0.7.0 (#171) 
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.5.0 to 0.7.0.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.5.0...v0.7.0)

---
updated-dependencies:
- dependency-name: luizm/action-sh-checker
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-04-26 10:20:11 +02:00
thibault.dewailly
06525f06f9 bump to 3.8-1 2023-03-23 10:03:37 +00:00
dependabot[bot]
d5c1c63971 Bump luizm/action-sh-checker from 0.4.0 to 0.5.0 (#161) 
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.4.0 to 0.5.0.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.4.0...v0.5.0)

---
updated-dependencies:
- dependency-name: luizm/action-sh-checker
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2023-03-23 10:56:12 +01:00
dependabot[bot]
7d93ddeb86 Bump metcalfc/changelog-generator from 3.0.0 to 4.1.0 (#169) 
Bumps [metcalfc/changelog-generator](https://github.com/metcalfc/changelog-generator) from 3.0.0 to 4.1.0.
- [Release notes](https://github.com/metcalfc/changelog-generator/releases)
- [Changelog](https://github.com/metcalfc/changelog-generator/blob/main/release-notes.png)
- [Commits](https://github.com/metcalfc/changelog-generator/compare/v3.0.0...v4.1.0)

---
updated-dependencies:
- dependency-name: metcalfc/changelog-generator
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2023-03-23 10:50:46 +01:00
dependabot[bot]
a35ecab377 Bump dev-drprasad/delete-tag-and-release from 0.2.0 to 0.2.1 (#170) 
Bumps [dev-drprasad/delete-tag-and-release](https://github.com/dev-drprasad/delete-tag-and-release) from 0.2.0 to 0.2.1.
- [Release notes](https://github.com/dev-drprasad/delete-tag-and-release/releases)
- [Commits](https://github.com/dev-drprasad/delete-tag-and-release/compare/v0.2.0...v0.2.1)

---
updated-dependencies:
- dependency-name: dev-drprasad/delete-tag-and-release
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-03-23 10:47:09 +01:00
Stéphane Lesimple
dc952b90df fix: timeout of 99.1.3 (#168) 
The 99.1.3_acc_sudoers_no_all.sh script can sometimes timeout
on servers where /etc/sudoers.d/ has thousands of files.
This patch makes it run roughly 5x faster, as tested on a
server with 1500 files in sudoers.d/.

Closes #167.

Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>

Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>
 2022-12-22 09:47:35 +01:00
Tarik Megzari
82a217032d fix(6.2.9): Start from UID 1000 for home ownership check (#164) 
Rename 6.2.3 and 6.2.9 checks to be more accurate
Remove home existence check from 6.2.9 as it's handled by 6.2.3
Update tests accordingly
Fixes #163

Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
 2022-09-30 10:28:48 +02:00
ymartin-ovh
e478a89bad bump to 3.7-1 (#160) 2022-07-04 15:37:08 +02:00
ymartin-ovh
371c23cd52 feat: add FIND_IGNORE_NOSUCHFILE_ERR flag (#159) 
This flag can be used to prevent find-related checks to fail because one part of filesystem disappear (ie. ephemeral directories or files)
 2022-07-04 14:29:25 +02:00
Tarik Megzari
ea8334d516 bump to 3.6-1 (#157) 
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
 2022-06-27 12:13:01 +02:00
dependabot[bot]
987bb9c975 Bump luizm/action-sh-checker from 0.3.0 to 0.4.0 (#154) 
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.3.0 to 0.4.0.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.3.0...v0.4.0)

---
updated-dependencies:
- dependency-name: luizm/action-sh-checker
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-06-26 16:58:46 +02:00
dependabot[bot]
3031bb55d1 Bump actions-ecosystem/action-get-latest-tag from 1.5.0 to 1.6.0 (#153) 
Bumps [actions-ecosystem/action-get-latest-tag](https://github.com/actions-ecosystem/action-get-latest-tag) from 1.5.0 to 1.6.0.
- [Release notes](https://github.com/actions-ecosystem/action-get-latest-tag/releases)
- [Commits](https://github.com/actions-ecosystem/action-get-latest-tag/compare/v1.5.0...v1.6.0)

---
updated-dependencies:
- dependency-name: actions-ecosystem/action-get-latest-tag
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
 2022-06-24 17:55:26 +02:00
ymartin-ovh
66ccc6316a feat: Filter the filesystem to check when the list is built. (#156) 
* feat: Attempt to filter-out filesystem that match exclusion regex.
 2022-06-24 17:45:47 +02:00
Tarik Megzari
7a3145d7f1 bump to 3.5-1 (#152) 
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
 2022-03-23 18:40:25 +01:00
GoldenKiwi
5c072668d5 fix: add 10s wait timeout on iptables command (#151) 
When the tested server has its iptables heavily manipulated (e.g Kubernetes)
The lock aquirement can sometimes fail, hence generating false positives
The command will retry 10 times with a 1 second interval
 2022-03-23 16:56:38 +01:00
GoldenKiwi
d1bd1eb2e7 bump to 3.4-1 (#150) 2022-03-18 16:49:25 +01:00
GoldenKiwi
ad5c71c3ce fix: allow passwd-, group- and shadow- debian default permissions (#149) 2022-03-18 16:41:49 +01:00
dependabot[bot]
33964c0a3d Bump EndBug/add-and-commit from 8.0.2 to 9 (#148) 
Bumps [EndBug/add-and-commit](https://github.com/EndBug/add-and-commit) from 8.0.2 to 9.
- [Release notes](https://github.com/EndBug/add-and-commit/releases)
- [Changelog](https://github.com/EndBug/add-and-commit/blob/main/CHANGELOG.md)
- [Commits](https://github.com/EndBug/add-and-commit/compare/v8.0.2...v9)

---
updated-dependencies:
- dependency-name: EndBug/add-and-commit
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-03-14 15:36:48 +01:00
Tarik Megzari
8320d0eecc CI: Fix release action (#147) 
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
 2022-03-03 12:02:12 +01:00
Tarik Megzari
a0d33ab158 Update changelog for release 3.3-1 (#146) 
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
 2022-03-03 10:26:42 +01:00
Jan Schmidle
a6a22084e1 missing shadowtools backup files is ok (#132) 
* missing shadowtools backup files is ok

* update corresponding test cases
 2022-03-02 18:05:37 +01:00
Tarik Megzari
b962155a3c fix: Avoid find failures on too many files (#144) 
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2022-03-02 17:49:28 +01:00
dependabot[bot]
20bf51f65b Bump actions/checkout from 2 to 3 (#145) 
Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-03-02 00:14:50 +01:00
dependabot[bot]
adfe28470a Bump metcalfc/changelog-generator from 1.0.0 to 3.0.0 (#133) 
Bumps [metcalfc/changelog-generator](https://github.com/metcalfc/changelog-generator) from 1.0.0 to 3.0.0.
- [Release notes](https://github.com/metcalfc/changelog-generator/releases)
- [Changelog](https://github.com/metcalfc/changelog-generator/blob/main/release-notes.png)
- [Commits](https://github.com/metcalfc/changelog-generator/compare/v1.0.0...v3.0.0)

---
updated-dependencies:
- dependency-name: metcalfc/changelog-generator
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-03-01 23:48:57 +01:00
dependabot[bot]
c94ee10afe Bump EndBug/add-and-commit from 7 to 8.0.2 (#142) 
Bumps [EndBug/add-and-commit](https://github.com/EndBug/add-and-commit) from 7 to 8.0.2.
- [Release notes](https://github.com/EndBug/add-and-commit/releases)
- [Changelog](https://github.com/EndBug/add-and-commit/blob/main/CHANGELOG.md)
- [Commits](https://github.com/EndBug/add-and-commit/compare/v7...v8.0.2)

---
updated-dependencies:
- dependency-name: EndBug/add-and-commit
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-03-01 20:39:39 +01:00
dependabot[bot]
453a72b8c8 Bump actions-ecosystem/action-get-latest-tag from 1.4.1 to 1.5.0 (#143) 
Bumps [actions-ecosystem/action-get-latest-tag](https://github.com/actions-ecosystem/action-get-latest-tag) from 1.4.1 to 1.5.0.
- [Release notes](https://github.com/actions-ecosystem/action-get-latest-tag/releases)
- [Commits](https://github.com/actions-ecosystem/action-get-latest-tag/compare/v1.4.1...v1.5.0)

---
updated-dependencies:
- dependency-name: actions-ecosystem/action-get-latest-tag
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-03-01 20:28:33 +01:00
Tarik Megzari
bb03764918 fix: Catch unexpected failures (#140) 
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
 2022-01-31 15:38:38 +01:00
Tarik Megzari
17d272420a feat: Dissociate iptables pkg name from command (#137) 
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
 2021-12-27 15:40:55 +01:00
Tarik Megzari
f1c1517bd2 Update changelog for release 3.2-2 (#135) 
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
 2021-12-13 16:06:57 +01:00
tdenof
1341622335 Fix empty fstab test (#134) 
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Co-authored-by: Thibault Dewailly <thibault.dewailly@corp.ovh.com>
 2021-12-08 08:42:22 +01:00
thibault.dewailly
c8fcfed248 Update changelog for release 3.2-1 2021-12-01 11:04:56 +00:00
Sebastien BLAISOT
97914976c8 Skip NTP and Chrony config check if they are not installed (#120) 
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-12-01 10:49:08 +01:00
Sebastien BLAISOT
66c8ccf495 Fix 3.4.2 audit rule (#123) 
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-12-01 10:23:11 +01:00
Sebastien BLAISOT
b53bf1795c Fix grub detection (#119) 
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-12-01 08:58:32 +01:00
Sebastien BLAISOT
1a874b2b35 Allow grub.cfg permission to be 600 (#121) 
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-11-30 18:47:19 +01:00
Sebastien BLAISOT
7266ec7cb4 Honor --set-log-level parameter (#127) 
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-11-30 18:42:33 +01:00
Jan Schmidle
8f855ac159 fix: kernel module detection (#129) 
* fix: add filter to hfs

* fix is_kernel_option_enabled check

as the module in question could have dependencies which have been blacklisted as well we need to make sure that the comparison only checks for the module in question - the last line in the output.

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-10-20 14:51:29 +02:00
Sebastien BLAISOT
ad192c9457 Add silent mode and json summary (#128) 
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-10-20 13:22:59 +02:00
Sebastien BLAISOT
3d2d97a727 FIX(1.7.1.4): don't abort script in case of unconfined processes (#130) 2021-10-20 13:14:36 +02:00
Sebastien BLAISOT
6e2fb1570c FIX(2.2.1.4): Validate debian default ntp config (#118) 2021-10-15 16:19:51 +02:00
dependabot[bot]
faf5b155e5 Bump metcalfc/changelog-generator from v0.4.4 to v1.0.0 (#81) 
Bumps [metcalfc/changelog-generator](https://github.com/metcalfc/changelog-generator) from v0.4.4 to v1.0.0.
- [Release notes](https://github.com/metcalfc/changelog-generator/releases)
- [Changelog](https://github.com/metcalfc/changelog-generator/blob/main/release-notes.png)
- [Commits](https://github.com/metcalfc/changelog-generator/compare/v0.4.4...e5306b306fa2e34f05258789e0e5c526c1bd4352)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Thibault Ayanides <thibault.ayanides@ovhcloud.com>
 2021-08-10 13:57:13 +02:00
dependabot[bot]
43887d4165 Bump luizm/action-sh-checker from 0.1.13 to 0.3.0 (#111) 
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.1.13 to 0.3.0.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.1.13...v0.3.0)

---
updated-dependencies:
- dependency-name: luizm/action-sh-checker
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2021-08-10 13:47:31 +02:00
dependabot[bot]
499ebf2f9b Bump dev-drprasad/delete-tag-and-release from v0.1.3 to v0.2.0 (#72) 
Bumps [dev-drprasad/delete-tag-and-release](https://github.com/dev-drprasad/delete-tag-and-release) from v0.1.3 to v0.2.0.
- [Release notes](https://github.com/dev-drprasad/delete-tag-and-release/releases)
- [Commits](https://github.com/dev-drprasad/delete-tag-and-release/compare/v0.1.3...085c6969f18bad0de1b9f3fe6692a3cd01f64fe5)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Thibault Ayanides <thibault.ayanides@ovhcloud.com>
 2021-08-10 10:39:53 +02:00
Thibault Ayanides
afed5a9dce 99.5.4.5.2: fix bug where sha512 option rounds provoke KO (#112) 2021-08-10 10:30:35 +02:00
dependabot[bot]
01c3d1b98c Bump luizm/action-sh-checker from v0.1.12 to v0.1.13 (#73) 
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from v0.1.12 to v0.1.13.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.1.12...164368daf52a9126460854f9c0de00abc079a350)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Thibault Ayanides <thibault.ayanides@ovhcloud.com>
 2021-08-10 09:43:59 +02:00
dependabot[bot]
25e899168f Bump actions-ecosystem/action-get-latest-tag from 1 to 1.4.1 (#101) 
Bumps [actions-ecosystem/action-get-latest-tag](https://github.com/actions-ecosystem/action-get-latest-tag) from 1 to 1.4.1.
- [Release notes](https://github.com/actions-ecosystem/action-get-latest-tag/releases)
- [Commits](https://github.com/actions-ecosystem/action-get-latest-tag/compare/v1...v1.4.1)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Thibault Ayanides <thibault.ayanides@ovhcloud.com>
 2021-08-10 09:36:28 +02:00
Thibault Ayanides
9a2e3a0e0d Fix 5.4.5 pattern search (#108) 
fix #107
 2021-08-09 10:49:56 +02:00
Thibault Ayanides
334d743125 fix EXCEPTIONS management (#104) 
* FIX(1.1.21, 6.1.10) fix EXCEPTIONS management
* Update changelog
* Refactor test for 6.1.10-14
 2021-06-02 13:47:19 +02:00
Thibault Ayanides
4ed8adf790 Update changelog (#103) 2021-05-28 15:06:48 +02:00
Thibault Ayanides
f4328deeb2 Fix unbound variable (#102) 2021-05-28 15:00:58 +02:00
Thibault Ayanides
29505255ff Update changelog (#99) 2021-05-07 09:16:15 +02:00
Thibault Ayanides
9e6c9a0d8a Accept lower values (#95) 
* IMP(5.2.23): accept lower value as valid

* IMP(5.2.7): accept lower value as valid
 2021-04-27 16:04:13 +02:00
Thibault Ayanides
1cade2e375 FIX(2.2.1.2): custom func not working for systemd (#90) 
fix #87
 2021-04-27 13:49:05 +02:00
Thibault Ayanides
fc8a2b2561 FIX: add commands to sudoers (#91) 2021-04-27 13:31:59 +02:00
Thibault Ayanides
cadc25c28c Dir exceptions (#96) 
* IMP(1.1.21): add EXCEPTIONS
* IMP(6.1.10): add EXCEPTIONS
 2021-04-26 17:05:22 +02:00
Thibault Ayanides
8c6c9a7571 IMP(tests): checks that stderr is empty 
Fix #97
 2021-04-26 17:01:19 +02:00
Thibault Ayanides
dd41988933 Update changelog 2021-04-13 11:00:29 +02:00
Thibault Ayanides
f6c6e6a0a8 FIX(4.1.11): add SUDO to find suid files 2021-04-13 11:00:29 +02:00
Thibault Ayanides
d26ad48416 Update changelog 2021-04-02 09:25:41 +02:00
Thibault Ayanides
d110a2aa19 Ignore case for sshd conf 
fix #85
 2021-04-02 09:25:41 +02:00
Thibault Ayanides
cbd81b8ab2 Update changelog (#82) 2021-03-26 12:16:50 +01:00
Thibault Ayanides
1c51e4cec4 Check that package are installed before launching check (#69) 
* FIX(1.6.1,1.7.1.x): check if apparmor and grub is installed

* FIX(2.2.15): check package install

* FIX(4.2.x): check package install

* FIX(5.1.x): check crontab files exist

* FIX(5.2.1): check package install

* FIX(99.3.3.x): check conf file exist

* Remove useless SUDO_CMD

* Deal with non existant /run/shm

* Replace exit code 128 by exit code 2

fix #65

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-03-25 14:01:57 +01:00
Thibault Ayanides
f8ac58700d FIX(4.1.1.4): bad pattern (#67) 
fix #61
 2021-03-25 13:50:08 +01:00
Thibault Ayanides
1c1393c7e3 Fix div function to manage 0 on numerator (#79) 
fix #77

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-03-23 08:36:36 +01:00
Thibault Ayanides
c50f200c5c FIX(5.4.5.2): explicit sha512 
fix #74
 2021-03-22 15:22:50 +01:00
Simão Gomes Viana
c0ecc9cd6f README: fix spelling and spacing in first line 2021-03-19 08:36:31 +01:00
Thibault Ayanides
fb5be208ef Update changelog 2021-03-15 08:25:26 +01:00
jeremydenoun
b44fb47c3a add log details to be more comprehensive (#49) 
Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>
 2021-02-17 12:04:11 +01:00
jeremydenoun
84ac4db90f fix incorrect path from ls (#45) 
Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>
 2021-02-17 12:00:13 +01:00
Thibault Ayanides
40fb536d4e Add missing HARDENING_LEVEL (#44) 
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-02-17 11:51:51 +01:00
Thibault Ayanides
d1b371f410 Add is_ipv6_disabled (#57) 
Modify some checks to make it pass when ipv6 is diabled

fix #50

	modified:   bin/hardening/3.1.1_disable_ipv6.sh
	modified:   bin/hardening/3.3.1_disable_source_routed_packets.sh
	modified:   bin/hardening/3.3.9_disable_ipv6_router_advertisement.sh
	modified:   lib/utils.sh

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-02-17 11:45:20 +01:00
Thibault Ayanides
6ab1cab3ce IMP(5.1.8): allow more restrictive permissions (#59) 
fix #52

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-02-17 11:40:31 +01:00
Thibault Ayanides
1a7dd5893a Use pam_faillock instead of pam_tally for bullseye (#56) 
Fix #55
See https://github.com/linux-pam/linux-pam/releases/tag/v1.4.0
pam_tally is deprecated and replaced by pam_faillock

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-02-17 11:36:58 +01:00
Thibault Ayanides
fa111bc0d0 Update mac and kex to match debian10 CIS (#60) 
fix #53

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-02-17 11:31:22 +01:00
Thibault Ayanides
460843ffb3 Fix #51 (#58) 2021-02-17 11:19:38 +01:00
jeremydenoun
896d277d95 fix #46 bug (#47) 
Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>
 2021-02-11 14:00:18 +01:00
Thibault Ayanides
6ae05f3fa2 Add dealing with debian 11 
* ADD: add dockerfile for debian11
* FIX: fix crontab file not found on debian11 blank
* Add workflow for debian11
* FIX: fix debian version func to manage debian11
* Add dealing with unsupported version and distro
* Add 99.99 check that check if distro version is supported
* Use global var for debian major and distro

fix #26
 2021-02-08 13:54:24 +01:00
Thibault Ayanides
449c695415 IMP: improve partition detection in container 
fix #27
 2021-02-08 09:07:09 +01:00
dependabot[bot]
2d6550fb13 Bump dev-drprasad/delete-tag-and-release from v0.1.2 to v0.1.3 (#41) 
Bumps [dev-drprasad/delete-tag-and-release](https://github.com/dev-drprasad/delete-tag-and-release) from v0.1.2 to v0.1.3.
- [Release notes](https://github.com/dev-drprasad/delete-tag-and-release/releases)
- [Commits](https://github.com/dev-drprasad/delete-tag-and-release/compare/v0.1.2...3c280cb168f9f46f0036f47c7f57bba2ec18f61c)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2021-02-04 16:23:41 +01:00
jeremydenoun
0b6ea0d97e IMP: add multiple Improvements 
* add new kernel module detection (enable & listing)  with detection of monolithic kernel
* change way to detect if file system type is disabled
* add global IS_CONTAINER variable
* disable test for 3.4.x to be consistent with others
* add cli options to override configuration loglevel
 2021-02-04 16:21:49 +01:00
dependabot[bot]
ec9e2addc2 Bump luizm/action-sh-checker from v0.1.10 to v0.1.12 
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from v0.1.10 to v0.1.12.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.1.10...442951059cb22d260c6e69309ae59cb7bb2334b8)

Signed-off-by: dependabot[bot] <support@github.com>
 2021-02-01 13:08:50 +01:00
Thibault Ayanides
ed1baa724e IMP: mark some checks as useless 2021-01-25 13:02:52 +01:00
Thibault Ayanides
bd4ddfc398 ADD(3.4.x): add checks and tests 2021-01-25 13:02:52 +01:00
Thibault Ayanides
5a72d986ea IMP(3.1-3.x): add comprehensive tests 2021-01-25 13:02:52 +01:00
Thibault Ayanides
c51513e083 IMP(1.8.1.4-6): add comprehensive tests 2021-01-25 13:02:52 +01:00
Thibault Ayanides
6127f2fe67 IMP(4.2.2.x): improve dealing with default conf 
The default for journald is Compress=yes and ForwardToSyslog=yes
So we check that Compress=no and ForwardToSyslog=no are not in the conf file.
 2021-01-25 13:02:52 +01:00
Thibault Serti
6efefa07ac Update shellcheck workflow 
fix #34
 2021-01-22 14:45:01 +01:00
jeremydenoun
dce926a536 Add default variable to avoid unbound variable 
Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>
 2021-01-22 10:02:44 +01:00
jeremydenoun
0edb837f80 Remove bc dependency 
Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>
 2021-01-22 09:31:53 +01:00
jeremydenoun
1c2e171655 Fix ovh/debian-cis:#25 (#28) 
Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>
 2021-01-21 16:01:34 +01:00
dependabot[bot]
4a652a94c6 Bump EndBug/add-and-commit from v6 to v7 
Bumps [EndBug/add-and-commit](https://github.com/EndBug/add-and-commit) from v6 to v7.
- [Release notes](https://github.com/EndBug/add-and-commit/releases)
- [Changelog](https://github.com/EndBug/add-and-commit/blob/master/CHANGELOG.md)
- [Commits](https://github.com/EndBug/add-and-commit/compare/v6...b3c7c1e078a023d75fb0bd326e02962575ce0519)

Signed-off-by: dependabot[bot] <support@github.com>
 2021-01-18 15:52:46 +01:00
228 changed files with 4496 additions and 1351 deletions
Expand all files Collapse all files

4
.github/workflows/compile-manual.yml vendored
View File

@ -7,10 +7,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Produce debian man
run: 'docker run --rm --volume "`pwd`:/data" --user `id -u`:`id -g` pandoc/latex:2.6 MANUAL.md -s -t man > debian/cis-hardening.8'
- uses: EndBug/add-and-commit@v6
- uses: EndBug/add-and-commit@v9
with:
add: 'debian/cis-hardening.8'
message: 'Regenerate man pages (Github action)'

16
.github/workflows/functionnal-tests.yml vendored
View File

@ -4,17 +4,17 @@ on:
- pull_request
- push
jobs:
functionnal-tests-docker-debian9:
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@v2
- name: Run the tests debian9
run: ./tests/docker_build_and_run_tests.sh debian9
functionnal-tests-docker-debian10:
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Run the tests debian10
run: ./tests/docker_build_and_run_tests.sh debian10
functionnal-tests-docker-debian11:
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@v3
- name: Run the tests debian11
run: ./tests/docker_build_and_run_tests.sh debian11

8
.github/workflows/pre-release.yml vendored
View File

@ -11,7 +11,7 @@ jobs:
steps:
# CHECKOUT CODE
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v3
# BUILD THE .DEB PACKAGE
- name: Build
run: |
@ -21,7 +21,7 @@ jobs:
find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
# DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
- name: Delete the tag latest and the release latest
uses: dev-drprasad/delete-tag-and-release@v0.1.2
uses: dev-drprasad/delete-tag-and-release@v0.2.1
with:
delete_release: true
tag_name: latest
@ -29,12 +29,12 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# GET LATEST VERSION TAG
- name: Get latest version tag
uses: actions-ecosystem/action-get-latest-tag@v1
uses: actions-ecosystem/action-get-latest-tag@v1.6.0
id: get-latest-tag
# GENERATE CHANGELOG CORRESPONDING TO COMMIT BETWEEN HEAD AND COMPUTED LAST TAG
- name: Generate changelog
id: changelog
uses: metcalfc/changelog-generator@v0.4.4
uses: metcalfc/changelog-generator@v4.1.0
with:
myToken: ${{ secrets.GITHUB_TOKEN }}
head-ref: ${{ github.sha }}

15
.github/workflows/shellcheck_and_shellfmt.yml vendored
View File

@ -4,19 +4,26 @@ on:
- push
- pull_request
jobs:
sh-checker:
shellfmt:
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Run the sh-checker
uses: luizm/action-sh-checker@v0.1.10
uses: luizm/action-sh-checker@v0.7.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Optional if sh_checker_comment is false.
SHELLCHECK_OPTS: --color=always --shell=bash -x --source-path=SCRIPTDIR # Optional: exclude some shellcheck warnings.
SHFMT_OPTS: -l -i 4 -w # Optional: pass arguments to shfmt.
with:
sh_checker_shellcheck_disable: true
sh_checker_comment: true
sh_checker_exclude: |
src/
debian/postrm
shellcheck:
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@v3
- name: Run shellcheck
run: ./shellcheck/docker_build_and_run_shellcheck.sh

6
.github/workflows/tagged-release.yml vendored
View File

@ -7,8 +7,6 @@ on:
jobs:
build:
name: Create Release
# only runs on master
if: github.event.base_ref == 'refs/heads/master'
runs-on: ubuntu-latest
steps:
# GET VERSION TAG
@ -17,7 +15,7 @@ jobs:
run: echo ::set-output name=tag::${GITHUB_REF#refs/*/}
# CHECKOUT CODE
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v3
with:
ref: ${{ steps.vars.outputs.tag }}
# GENERATE CHANGELOG CORRESPONDING TO ENTRY IN DEBIAN/CHANGELOG
@ -35,7 +33,7 @@ jobs:
find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
# DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
- name: Delete the tag latest and the release latest
uses: dev-drprasad/delete-tag-and-release@v0.1.2
uses: dev-drprasad/delete-tag-and-release@v0.2.1
with:
delete_release: true
tag_name: latest

9
MANUAL.md
View File

@ -115,11 +115,20 @@ will create a timestamped backup in this directory.
the -n option instructs sudo not to prompt for a password.
Finally note that `--sudo` mode only works for audit mode.
`--set-log-level=level`
: This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
Default value is : info
`--batch`
: While performing system audit, this option sets LOGLEVEL to 'ok' and
captures all output to print only one line once the check is done, formatted like :
OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
`--allow-unsupported-distribution`
Must be specified manually in the command line to allow the run on non compatible
version or distribution. If you want to mute the warning change the LOGLEVEL
in /etc/hardening.cfg
# AUTHORS

18
README.md
View File

@ -1,7 +1,4 @@
# :lock: CIS Debian 9/10 Hardening
:tada: **News**: this projet is back in the game and is from now on maintained. Be free to use and to
report issues if you find any !
# :lock: CIS Debian 10/11 Hardening
<p align="center">
@ -16,7 +13,7 @@ report issues if you find any !
![License](https://img.shields.io/github/license/ovh/debian-cis)
---
Modular Debian 9/10 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
Modular Debian 10/11 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
recommendations. We use it at [OVHcloud](https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
```console
@ -44,7 +41,7 @@ hardening [INFO] Treating /opt/cis-hardening/bin/hardening/6.2.19_check_duplicat
$ git clone https://github.com/ovh/debian-cis.git && cd debian-cis
$ cp debian/default /etc/default/cis-hardening
$ sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
$ bin/hardening/1.1_install_updates.sh --audit-all
$ bin/hardening/1.1.1.1_disable_freevxfs.sh --audit-all
hardening [INFO] Treating /opt/cis-hardening/bin/hardening/1.1.1.1_disable_freevxfs.sh
1.1.1.1_disable_freevxfs [INFO] Working on 1.1.1.1_disable_freevxfs
1.1.1.1_disable_freevxfs [INFO] [DESCRIPTION] Disable mounting of freevxfs filesystems.
@ -117,9 +114,16 @@ to allow a certain kind of services on the machine, such as http, mail, etc.
Can be specified multiple times to allow multiple services.
Use --allow-service-list to get a list of supported services.
``--set-log-level <level>``: This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
Default value is : info
``--create-config-files-only``: create the config files in etc/conf.d. Must be run as root,
before running the audit with user secaudit, to have the rights setup well on the conf files.
``--allow-unsupported-distribution``: must be specified manually in the command line to allow
the run on non compatible version or distribution. If you want to mute the warning change the
LOGLEVEL in /etc/hardening.cfg
## :computer: Hacking
**Getting the source**
@ -165,7 +169,7 @@ Functional tests are available. They are to be run in a Docker environment.
$ ./tests/docker_build_and_run_tests.sh <target> [name of test script...]
```
With `target` being like `debian9` or `debian10`.
With `target` being like `debian10` or `debian11`.
Running without script arguments will run all tests in `./tests/hardening/` directory.
Or you can specify one or several test script to be run.

100
bin/hardening.sh
View File

@ -26,6 +26,9 @@ ALLOW_SERVICE_LIST=0
SET_HARDENING_LEVEL=0
SUDO_MODE=''
BATCH_MODE=''
SUMMARY_JSON=''
ASK_LOGLEVEL=''
ALLOW_UNSUPPORTED_DISTRIBUTION=0
usage() {
cat <<EOF
@ -98,11 +101,24 @@ OPTIONS:
the '-n' option instructs sudo not to prompt for a password.
Finally note that '--sudo' mode only works for audit mode.
--set-log-level <level>
This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug or silent.
Default value is : info
--summary-json
While performing system audit, this option sets LOGLEVEL to silent and
only output a json summary at the end
--batch
While performing system audit, this option sets LOGLEVEL to 'ok' and
captures all output to print only one line once the check is done, formatted like :
OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
--allow-unsupported-distribution
Must be specified manually in the command line to allow the run on non compatible
version or distribution. If you want to mute the warning change the LOGLEVEL
in /etc/hardening.cfg
EOF
exit 0
}
@ -143,6 +159,10 @@ while [[ $# -gt 0 ]]; do
SET_HARDENING_LEVEL="$2"
shift
;;
--set-log-level)
ASK_LOGLEVEL=$2
shift
;;
--only)
TEST_LIST[${#TEST_LIST[@]}]="$2"
shift
@ -150,9 +170,16 @@ while [[ $# -gt 0 ]]; do
--sudo)
SUDO_MODE='--sudo'
;;
--summary-json)
SUMMARY_JSON='--summary-json'
ASK_LOGLEVEL=silent
;;
--batch)
BATCH_MODE='--batch'
LOGLEVEL=ok
ASK_LOGLEVEL=ok
;;
--allow-unsupported-distribution)
ALLOW_UNSUPPORTED_DISTRIBUTION=1
;;
-h | --help)
usage
@ -179,16 +206,53 @@ if [ -z "$CIS_ROOT_DIR" ]; then
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# shellcheck source=../lib/constants.sh
[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
# shellcheck source=../etc/hardening.cfg
[ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
if [ "$ASK_LOGLEVEL" ]; then LOGLEVEL=$ASK_LOGLEVEL; fi
# shellcheck source=../lib/common.sh
[ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
# shellcheck source=../lib/utils.sh
[ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh
# shellcheck source=../lib/constants.sh
[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
if [ "$BATCH_MODE" ]; then MACHINE_LOG_LEVEL=3; fi
# If we're on a unsupported platform and there is no flag --allow-unsupported-distribution
# print warning, otherwise quit
if [ "$DISTRIBUTION" != "debian" ]; then
echo "Your distribution has been identified as $DISTRIBUTION which is not debian"
if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
echo "Exiting now"
exit 100
elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions !"
echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
fi
else
if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
echo "Your debian version is too recent and is not supported yet because there is no official CIS PDF for this version yet."
if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
echo "Exiting now"
exit 100
elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions !"
echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
fi
elif [ "$DEB_MAJ_VER" -lt "$SMALLEST_SUPPORTED_DEBIAN_VERSION" ]; then
echo "Your debian version is deprecated and is no more maintained. Please upgrade to a supported version."
if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
echo "Exiting now"
exit 100
elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions, especially on deprecated ones !"
echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
fi
fi
fi
# If --allow-service-list is specified, don't run anything, just list the supported services
if [ "$ALLOW_SERVICE_LIST" = 1 ]; then
@ -244,19 +308,19 @@ for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
info "Treating $SCRIPT"
if [ "$CREATE_CONFIG" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only"
"$SCRIPT" --create-config-files-only "$BATCH_MODE"
LOGLEVEL=$LOGLEVEL "$SCRIPT" --create-config-files-only "$BATCH_MODE"
elif [ "$AUDIT" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
"$SCRIPT" --audit "$SUDO_MODE" "$BATCH_MODE"
LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit "$SUDO_MODE" "$BATCH_MODE"
elif [ "$AUDIT_ALL" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
"$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
elif [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
"$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
elif [ "$APPLY" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
"$SCRIPT"
LOGLEVEL=$LOGLEVEL "$SCRIPT"
fi
SCRIPT_EXITCODE=$?
@ -294,12 +358,24 @@ if [ "$BATCH_MODE" ]; then
BATCH_SUMMARY+="RUN_CHECKS:${TOTAL_TREATED_CHECKS:-0} "
BATCH_SUMMARY+="TOTAL_CHECKS_AVAIL:${TOTAL_CHECKS:-0}"
if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
CONFORMITY_PERCENTAGE=$(div $((PASSED_CHECKS * 100)) $TOTAL_TREATED_CHECKS)
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%s" "$CONFORMITY_PERCENTAGE")"
else
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
fi
becho "$BATCH_SUMMARY"
elif [ "$SUMMARY_JSON" ]; then
if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
CONFORMITY_PERCENTAGE=$(div $((PASSED_CHECKS * 100)) $TOTAL_TREATED_CHECKS)
else
CONFORMITY_PERCENTAGE=0 # No check runned, avoid division by 0
fi
printf '{'
printf '"available_checks": %s, ' "$TOTAL_CHECKS"
printf '"run_checks": %s, ' "$TOTAL_TREATED_CHECKS"
printf '"passed_checks": %s, ' "$PASSED_CHECKS"
printf '"conformity_percentage": %s' "$CONFORMITY_PERCENTAGE"
printf '}\n'
else
printf "%40s\n" "################### SUMMARY ###################"
printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
@ -307,8 +383,8 @@ else
printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
ENABLED_CHECKS_PERCENTAGE=$(bc -l <<<"scale=2; ($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100")
CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
ENABLED_CHECKS_PERCENTAGE=$(div $((TOTAL_TREATED_CHECKS * 100)) $TOTAL_CHECKS)
CONFORMITY_PERCENTAGE=$(div $((PASSED_CHECKS * 100)) $TOTAL_TREATED_CHECKS)
printf "%30s %s %%\n" "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE"
if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
printf "%30s %s %%\n" "Conformity Percentage :" "$CONFORMITY_PERCENTAGE"

28
bin/hardening/1.1.1.1_disable_freevxfs.sh
View File

@ -17,28 +17,36 @@ HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable mounting of freevxfs filesystems."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_VXFS_FS"
MODULE_NAME="freevxfs"
# This function will be called if the script status is on enabled / audit mode
audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
if [ "$IS_CONTAINER" -eq 1 ]; then
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!"
else
ok "$KERNEL_OPTION is disabled"
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
is_kernel_option_enabled "$KERNEL_OPTION"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
if [ "$IS_CONTAINER" -eq 1 ]; then
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!"
else
ok "$KERNEL_OPTION is disabled, nothing to do"
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi
}

28
bin/hardening/1.1.1.2_disable_jffs2.sh
View File

@ -17,28 +17,36 @@ HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable mounting of jffs2 filesystems."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_JFFS2_FS"
MODULE_NAME="jffs2"
# This function will be called if the script status is on enabled / audit mode
audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
if [ "$IS_CONTAINER" -eq 1 ]; then
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!"
else
ok "$KERNEL_OPTION is disabled"
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
is_kernel_option_enabled "$KERNEL_OPTION"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
if [ "$IS_CONTAINER" -eq 1 ]; then
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!"
else
ok "$KERNEL_OPTION is disabled, nothing to do"
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi
}

30
bin/hardening/1.1.1.3_disable_hfs.sh
View File

@ -17,28 +17,36 @@ HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable mounting of hfs filesystems."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_HFS_FS"
MODULE_FILE="hfs"
MODULE_NAME="hfs"
# This function will be called if the script status is on enabled / audit mode
audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
if [ "$IS_CONTAINER" -eq 1 ]; then
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!"
else
ok "$KERNEL_OPTION is disabled"
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
is_kernel_option_enabled "$KERNEL_OPTION"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
if [ "$IS_CONTAINER" -eq 1 ]; then
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!"
else
ok "$KERNEL_OPTION is disabled, nothing to do"
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi
}

30
bin/hardening/1.1.1.4_disable_hfsplus.sh
View File

@ -17,28 +17,36 @@ HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable mounting of hfsplus filesystems."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_HFSPLUS_FS"
MODULE_FILE="hfsplus"
MODULE_NAME="hfsplus"
# This function will be called if the script status is on enabled / audit mode
audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
if [ "$IS_CONTAINER" -eq 1 ]; then
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!"
else
ok "$KERNEL_OPTION is disabled"
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
is_kernel_option_enabled "$KERNEL_OPTION"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
if [ "$IS_CONTAINER" -eq 1 ]; then
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!"
else
ok "$KERNEL_OPTION is disabled, nothing to do"
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi
}

32
bin/hardening/1.1.1.5_disable_squashfs.sh
View File

@ -17,31 +17,37 @@ HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable mounting of squashfs filesytems."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_SQUASHFS"
MODULE_FILE="squashfs"
MODULE_NAME="squashfs"
# This function will be called if the script status is on enabled / audit mode
audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
if [ "$IS_CONTAINER" -eq 1 ]; then
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!"
else
ok "$KERNEL_OPTION is disabled"
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi
:
}
# This function will be called if the script status is on enabled mode
apply() {
is_kernel_option_enabled "$KERNEL_OPTION"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
if [ "$IS_CONTAINER" -eq 1 ]; then
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!"
else
ok "$KERNEL_OPTION is disabled, nothing to do"
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi
:
}
# This function will check config parameters required

30
bin/hardening/1.1.1.6_disable_udf.sh
View File

@ -17,28 +17,36 @@ HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable mounting of udf filesystems."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_UDF_FS"
MODULE_FILE="udf"
MODULE_NAME="udf"
# This function will be called if the script status is on enabled / audit mode
audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
if [ "$IS_CONTAINER" -eq 1 ]; then
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!"
else
ok "$KERNEL_OPTION is disabled"
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
is_kernel_option_enabled "$KERNEL_OPTION"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
if [ "$IS_CONTAINER" -eq 1 ]; then
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!"
else
ok "$KERNEL_OPTION is disabled, nothing to do"
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi
}

1
bin/hardening/1.1.1.7_restrict_fat.sh
View File

@ -24,6 +24,7 @@ MODULE_FILE="vfat"
# This function will be called if the script status is on enabled / audit mode
audit() {
# TODO check if uefi enabled if yes check if only boot partition use FAT
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"

76
bin/hardening/1.1.1.8_disable_cramfs.sh Executable file
View File

@ -0,0 +1,76 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.1.1 Ensure Mounting of cramfs filesystems is disabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable mounting of cramfs filesystems."
KERNEL_OPTION="CONFIG_CRAMFS"
MODULE_NAME="cramfs"
# This function will be called if the script status is on enabled / audit mode
audit() {
if [ "$IS_CONTAINER" -eq 1 ]; then
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$IS_CONTAINER" -eq 1 ]; then
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

92
bin/hardening/1.1.11.1_var_log_noexec.sh Executable file
View File

@ -0,0 +1,92 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.11.1 Ensure noexec option set on /var/log partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="/var/log partition with noexec option."
# Quick factoring as many script use the same logic
PARTITION="/var/log"
OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

92
bin/hardening/1.1.11.2_var_log_nosuid.sh Executable file
View File

@ -0,0 +1,92 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.11.2 Ensure nosuid option set on /var/log partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/var/log partition with nosuid option."
# Quick factoring as many script use the same logic
PARTITION="/var/log"
OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

92
bin/hardening/1.1.11.3_var_log_nodev.sh Executable file
View File

@ -0,0 +1,92 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.11.3 ensure nodev option set on /var/log partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/var/log partition with nodev option."
# Quick factoring as many script use the same logic
PARTITION="/var/log"
OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

92
bin/hardening/1.1.12.1_var_log_audit_noexec.sh Executable file
View File

@ -0,0 +1,92 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.12.1 Ensure noexec option set on /var/log/audit partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="/var/log/audit partition with noexec option."
# Quick factoring as many script use the same logic
PARTITION="/var/log/audit"
OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

92
bin/hardening/1.1.12.2_var_log_audit_nosuid.sh Executable file
View File

@ -0,0 +1,92 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.12.2 Ensure nosuid option set on /var/log/audit partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/var/log/audit partition with nosuid option."
# Quick factoring as many script use the same logic
PARTITION="/var/log/audit"
OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

92
bin/hardening/1.1.12.3_var_log_audit_nodev.sh Executable file
View File

@ -0,0 +1,92 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.12.3 Ensure nodev option set on /var/log/audit partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/var/log/audit partition with nodev option."
# Quick factoring as many script use the same logic
PARTITION="/var/log/audit"
OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

92
bin/hardening/1.1.14.1_home_nosuid.sh Executable file
View File

@ -0,0 +1,92 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.14.1 Ensure nosuid option set on /home partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/home partition with nosuid option."
# Quick factoring as many script use the same logic
PARTITION="/home"
OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

6
bin/hardening/1.1.15_run_shm_nodev.sh
View File

@ -24,7 +24,11 @@ OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
PARTITION=$(readlink -e "$PARTITION")
if [ -e "$PARTITION" ]; then
PARTITION=$(readlink -e "$PARTITION")
else
PARTITION="/dev/shm"
fi
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then

6
bin/hardening/1.1.16_run_shm_nosuid.sh
View File

@ -24,7 +24,11 @@ OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
PARTITION=$(readlink -e "$PARTITION")
if [ -e "$PARTITION" ]; then
PARTITION=$(readlink -e "$PARTITION")
else
PARTITION="/dev/shm"
fi
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then

6
bin/hardening/1.1.17_run_shm_noexec.sh
View File

@ -24,7 +24,11 @@ OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
PARTITION=$(readlink -e "$PARTITION")
if [ -e "$PARTITION" ]; then
PARTITION=$(readlink -e "$PARTITION")
else
PARTITION="/dev/shm"
fi
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then

37
bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
View File

@ -17,12 +17,32 @@ HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them."
EXCEPTIONS=''
# find emits following error if directory or file disappear during
# tree traversal: find: /tmp/xxx: No such file or directory
FIND_IGNORE_NOSUCHFILE_ERR=false
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Checking if setuid is set on world writable Directories"
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
# shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
if [ -n "$EXCEPTIONS" ]; then
# maybe EXCEPTIONS allow us to filter out some FS
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCEPTIONS")
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
else
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
fi
if [ -n "$RESULT" ]; then
crit "Some world writable directories are not on sticky bit mode!"
# shellcheck disable=SC2001
@ -35,9 +55,16 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
if [ -n "$EXCEPTIONS" ]; then
# shellcheck disable=SC2086
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCEPTIONS" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex "$EXCEPTIONS" -print 2>/dev/null)
else
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
fi
if [ -n "$RESULT" ]; then
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
warn "Setting sticky bit on world writable directories"
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d -perm -0002 2>/dev/null | xargs chmod a+t
else
ok "All world writable directories have a sticky bit, nothing to apply"
fi

28
bin/hardening/1.1.23_disable_usb_storage.sh
View File

@ -20,25 +20,35 @@ DESCRIPTION="Disable USB storage."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_USB_STORAGE"
MODULE_FILE="usb-storage"
MODULE_NAME="usb-storage"
# This function will be called if the script status is on enabled / audit mode
audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
if [ "$IS_CONTAINER" -eq 1 ]; then
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!"
else
ok "$KERNEL_OPTION is disabled"
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
is_kernel_option_enabled "$KERNEL_OPTION"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
if [ "$IS_CONTAINER" -eq 1 ]; then
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!"
else
ok "$KERNEL_OPTION is disabled, nothing to do"
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi
}

92
bin/hardening/1.1.6.1_var_nodev.sh Executable file
View File

@ -0,0 +1,92 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.6.1 Ensure nodev option set for /var Partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/var partition with nodev option."
# Quick factoring as many script use the same logic
PARTITION="/var"
OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

92
bin/hardening/1.1.6.2_var_nosuid.sh Executable file
View File

@ -0,0 +1,92 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.6.2 Ensure nosuid option set for /var Partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/var partition with nosuid option."
# Quick factoring as many script use the same logic
PARTITION="/var"
OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

15
bin/hardening/1.5.1_bootloader_ownership.sh
View File

@ -23,6 +23,7 @@ FILE='/boot/grub/grub.cfg'
USER='root'
GROUP='root'
PERMISSIONS='400'
PERMISSIONSOK='400 600'
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -33,7 +34,7 @@ audit() {
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
@ -51,7 +52,7 @@ apply() {
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
@ -63,25 +64,25 @@ apply() {
# This function will check config parameters required
check_config() {
is_pkg_installed "grub-pc"
is_pkg_installed "grub-common"
if [ "$FNRET" != 0 ]; then
warn "Grub is not installed, not handling configuration"
exit 128
exit 2
fi
does_user_exist "$USER"
if [ "$FNRET" != 0 ]; then
crit "$USER does not exist"
exit 128
exit 2
fi
does_group_exist "$GROUP"
if [ "$FNRET" != 0 ]; then
crit "$GROUP does not exist"
exit 128
exit 2
fi
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
exit 128
exit 2
fi
}

9
bin/hardening/1.5.2_bootloader_password.sh
View File

@ -51,19 +51,18 @@ apply() {
else
ok "$PWD_PATTERN is present in $FILE"
fi
:
}
# This function will check config parameters required
check_config() {
is_pkg_installed "grub-pc"
is_pkg_installed "grub-common"
if [ "$FNRET" != 0 ]; then
warn "grub-pc is not installed, not handling configuration"
exit 128
warn "Grub is not installed, not handling configuration"
exit 2
fi
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
exit 128
exit 2
fi
}

1
bin/hardening/1.5.3_root_password.sh
View File

@ -38,7 +38,6 @@ apply() {
else
ok "$PATTERN is not present in $FILE"
fi
:
}
# This function will check config parameters required

44
bin/hardening/1.6.1_enable_nx_support.sh
View File

@ -35,31 +35,39 @@ nx_supported_and_enabled() {
# This function will be called if the script status is on enabled / audit mode
audit() {
does_pattern_exist_in_dmesg "$PATTERN"
if [ "$FNRET" != 0 ]; then
nx_supported_and_enabled
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
else
ok "NX is supported and enabled"
fi
if [ "$IS_CONTAINER" -eq 1 ]; then
ok "Container detected, cannot read dmesg!"
else
ok "$PATTERN is present in dmesg"
does_pattern_exist_in_dmesg "$PATTERN"
if [ "$FNRET" != 0 ]; then
nx_supported_and_enabled
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
else
ok "NX is supported and enabled"
fi
else
ok "$PATTERN is present in dmesg"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
does_pattern_exist_in_dmesg "$PATTERN"
if [ "$FNRET" != 0 ]; then
nx_supported_and_enabled
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
else
ok "NX is supported and enabled"
fi
if [ "$IS_CONTAINER" -eq 1 ]; then
ok "Container detected, cannot read dmesg!"
else
ok "$PATTERN is present in dmesg"
does_pattern_exist_in_dmesg "$PATTERN"
if [ "$FNRET" != 0 ]; then
nx_supported_and_enabled
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
else
ok "NX is supported and enabled"
fi
else
ok "$PATTERN is present in dmesg"
fi
fi
}

69
bin/hardening/1.6.3.1_disable_apport.sh Executable file
View File

@ -0,0 +1,69 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.6.3.1 Ensure apport is disabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable apport to avoid confidential data leaks."
PACKAGE='apport'
# This function will be called if the script status is on enabled / audit mode
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!"
else
ok "$PACKAGE is absent"
fi
:
}
# This function will be called if the script status is on enabled mode
apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge "$PACKAGE" -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
:
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

2
bin/hardening/1.6.4_restrict_core_dumps.sh
View File

@ -29,7 +29,7 @@ audit() {
LIMIT_FILES=""
if $SUDO_CMD [ -d "$LIMIT_DIR" ]; then
for file in $($SUDO_CMD ls "$LIMIT_DIR"/*.conf 2>/dev/null); do
LIMIT_FILES="$LIMIT_FILES $LIMIT_DIR/$file"
LIMIT_FILES="$LIMIT_FILES $file"
done
fi
debug "Files to search $LIMIT_FILE $LIMIT_FILES"

89
bin/hardening/1.7.1.2_enable_apparmor.sh
View File

@ -21,32 +21,46 @@ PACKAGES='apparmor apparmor-utils'
# This function will be called if the script status is on enabled / audit mode
audit() {
ERROR=0
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is absent!"
ERROR=1
else
ok "$PACKAGE is installed"
fi
done
ERROR=0
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for line in $RESULT; do
if [[ ! "$line" =~ "apparmor=1" ]] || [[ ! "$line" =~ "security=apparmor" ]]; then
crit "$line is not configured"
ERROR=1
fi
done
IFS=$d_IFS
if [ "$ERROR" = 0 ]; then
ok "$PACKAGES are configured"
is_pkg_installed "grub-common"
if [ "$FNRET" != 0 ]; then
if [ "$IS_CONTAINER" -eq 1 ]; then
ok "Grub is not installed in container"
else
warn "Grub is not installed"
exit 128
fi
else
ERROR=0
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for line in $RESULT; do
if [[ ! "$line" =~ "apparmor=1" ]] || [[ ! "$line" =~ "security=apparmor" ]]; then
crit "$line is not configured"
ERROR=1
fi
done
IFS=$d_IFS
if [ "$ERROR" = 0 ]; then
ok "$PACKAGES are configured"
fi
fi
fi
}
@ -62,26 +76,35 @@ apply() {
fi
done
ERROR=0
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for line in $RESULT; do
if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
crit "$line is not configured"
ERROR=1
is_pkg_installed "grub-pc"
if [ "$FNRET" != 0 ]; then
if [ "$IS_CONTAINER" -eq 1 ]; then
ok "Grub is not installed in container"
else
warn "You should use grub. Install it yourself"
fi
done
IFS=$d_IFS
if [ $ERROR = 1 ]; then
$SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor/" /etc/default/grub
$SUDO_CMD update-grub
else
ok "$PACKAGES are configured"
ERROR=0
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for line in $RESULT; do
if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
crit "$line is not configured"
ERROR=1
fi
done
IFS=$d_IFS
if [ $ERROR = 1 ]; then
$SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor /" /etc/default/grub
$SUDO_CMD update-grub
else
ok "$PACKAGES are configured"
fi
fi
}

16
bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
View File

@ -21,22 +21,25 @@ PACKAGES='apparmor apparmor-utils'
# This function will be called if the script status is on enabled / audit mode
audit() {
ERROR=0
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is absent!"
ERROR=1
else
ok "$PACKAGE is installed"
fi
done
if [ "$ERROR" = 0 ]; then
RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
if [ -n "$RESULT_UNCONFINED" ]; then
ok "No profiles are unconfined"
if [ -n "$RESULT_UNCONFINED" ]; then
ok "No profiles are unconfined"
else
crit "Some processes are unconfined while they have defined profile"
else
crit "Some processes are unconfined while they have defined profile"
fi
fi
}
@ -46,6 +49,7 @@ apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGES is absent!"
apt_install "$PACKAGE"
else
ok "$PACKAGE is installed"
fi

32
bin/hardening/1.7.1.4_enforcing_apparmor.sh
View File

@ -21,28 +21,31 @@ PACKAGES='apparmor apparmor-utils'
# This function will be called if the script status is on enabled / audit mode
audit() {
ERROR=0
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is absent!"
ERROR=1
else
ok "$PACKAGE is installed"
fi
done
if [ "$ERROR" = 0 ]; then
RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined" || true)
RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode." || true)
RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode.")
if [ -n "$RESULT_UNCONFINED" ]; then
ok "No profiles are unconfined"
else
crit "Some processes are unconfined while they have defined profile"
fi
if [ -n "$RESULT_UNCONFINED" ]; then
ok "No profiles are unconfined"
else
crit "Some processes are unconfined while they have defined profile"
fi
if [ -n "$RESULT_COMPLAIN" ]; then
ok "No profiles are in complain mode"
else
crit "Some processes are in complain mode"
if [ -n "$RESULT_COMPLAIN" ]; then
ok "No profiles are in complain mode"
else
crit "Some processes are in complain mode"
fi
fi
}
@ -52,13 +55,14 @@ apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is absent!"
apt_install "$PACKAGE"
else
ok "$PACKAGE is installed"
fi
done
RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined")
RESULT_COMPLAIN=$(apparmor_status | grep "^0 profiles are in complain mode.")
RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined" || true)
RESULT_COMPLAIN=$(apparmor_status | grep "^0 profiles are in complain mode." || true)
if [ -n "$RESULT_UNCONFINED" ]; then
ok "No profiles are unconfined"

4
bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh
View File

@ -21,8 +21,8 @@ SERVICE_NAME="systemd-timesyncd"
# This function will be called if the script status is on enabled / audit mode
audit() {
is_service_enabled "$SERVICE_NAME"
if [ "$FNRET" = 0 ]; then
status=$(systemctl is-enabled "$SERVICE_NAME")
if [ "$status" = "enabled" ]; then
ok "$SERVICE_NAME is enabled"
else
crit "$SERVICE_NAME is disabled"

18
bin/hardening/2.2.1.3_configure_chrony.sh
View File

@ -25,17 +25,11 @@ CONF_FILE='/etc/chrony/chrony.conf'
# This function will be called if the script status is on enabled / audit mode
audit() {
is_pkg_installed "$PACKAGE"
does_pattern_exist_in_file "$CONF_FILE" "$CONF_DEFAULT_PATTERN"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE"
else
ok "$PACKAGE is installed, checking configuration"
does_pattern_exist_in_file "$CONF_FILE" "$CONF_DEFAULT_PATTERN"
if [ "$FNRET" != 0 ]; then
crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE"
else
ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE"
fi
ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE"
fi
}
@ -46,7 +40,11 @@ apply() {
# This function will check config parameters required
check_config() {
:
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
warn "$PACKAGE is not installed, not handling configuration"
exit 2
fi
}
# Source Root Dir Parameter

32
bin/hardening/2.2.1.4_configure_ntp.sh
View File

@ -20,30 +20,24 @@ DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters an
HARDENING_EXCEPTION=ntp
PACKAGE='ntp'
NTP_CONF_DEFAULT_PATTERN='^restrict -4 default (kod nomodify notrap nopeer noquery|ignore)'
NTP_CONF_DEFAULT_PATTERN='^restrict -4 default (kod nomodify notrap nopeer noquery|kod notrap nomodify nopeer noquery|ignore)'
NTP_CONF_FILE='/etc/ntp.conf'
NTP_INIT_PATTERN='RUNASUSER=ntp'
NTP_INIT_FILE='/etc/init.d/ntp'
# This function will be called if the script status is on enabled / audit mode
audit() {
is_pkg_installed "$PACKAGE"
does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
else
ok "$PACKAGE is installed, checking configuration"
does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
if [ "$FNRET" != 0 ]; then
crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
else
ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
fi
does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
if [ "$FNRET" != 0 ]; then
crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE"
else
ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
fi
ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
fi
does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
if [ "$FNRET" != 0 ]; then
crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE"
else
ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
fi
}
@ -77,7 +71,11 @@ apply() {
# This function will check config parameters required
check_config() {
:
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
warn "$PACKAGE is not installed, not handling configuration"
exit 2
fi
}
# Source Root Dir Parameter

53
bin/hardening/2.2.15_mta_localhost.sh
View File

@ -21,39 +21,50 @@ HARDENING_EXCEPTION=mail
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Checking netport ports opened"
RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
RESULT=${RESULT:-}
debug "Result is $RESULT"
if [ -z "$RESULT" ]; then
ok "Nothing listens on 25 port, probably unix socket configured"
is_pkg_installed net-tools
if [ "$FNRET" != 0 ]; then
warn "netsat not installed, cannot execute check"
exit 2
else
info "Checking $RESULT"
if grep -q "127.0.0.1" <<<"$RESULT"; then
ok "MTA is configured to localhost only"
info "Checking netport ports opened"
RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
RESULT=${RESULT:-}
debug "Result is $RESULT"
if [ -z "$RESULT" ]; then
ok "Nothing listens on 25 port, probably unix socket configured"
else
crit "MTA listens worldwide"
info "Checking $RESULT"
if grep -q "127.0.0.1" <<<"$RESULT"; then
ok "MTA is configured to localhost only"
else
crit "MTA listens worldwide"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
info "Checking netport ports opened"
RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
RESULT=${RESULT:-}
debug "Result is $RESULT"
if [ -z "$RESULT" ]; then
ok "Nothing listens on 25 port, probably unix socket configured"
is_pkg_installed net-tools
if [ "$FNRET" != 0 ]; then
warn "netsat not installed, cannot execute check"
exit 2
else
info "Checking $RESULT"
if grep -q "127.0.0.1" <<<"$RESULT"; then
ok "MTA is configured to localhost only"
info "Checking netport ports opened"
RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
RESULT=${RESULT:-}
debug "Result is $RESULT"
if [ -z "$RESULT" ]; then
ok "Nothing listens on 25 port, probably unix socket configured"
else
warn "MTA listens worldwide, correct this considering your MTA"
info "Checking $RESULT"
if grep -q "127.0.0.1" <<<"$RESULT"; then
ok "MTA is configured to localhost only"
else
warn "MTA listens worldwide, correct this considering your MTA"
fi
fi
fi
:
}
# This function will check config parameters required

22
bin/hardening/2.2.17_disable_nis.sh
View File

@ -17,14 +17,32 @@ HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Disable NIS Server."
PACKAGES='nis'
# This function will be called if the script status is on enabled / audit mode
audit() {
:
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!"
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply() {
:
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge "$PACKAGE" -y
apt-get autoremove -y
else
ok "$PACKAGE is absent"
fi
done
}
# This function will check config parameters required

18
bin/hardening/3.1.1_disable_ipv6.sh
View File

@ -21,29 +21,17 @@ SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ip
# This function will be called if the script status is on enabled / audit mode
audit() {
does_sysctl_param_exists "net.ipv6"
is_ipv6_enabled
if [ "$FNRET" != 0 ]; then
ok "ipv6 is disabled"
else
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
done
crit "ipv6 is enabled"
fi
}
# This function will be called if the script status is on enabled mode
apply() {
does_sysctl_param_exists "net.ipv6"
is_ipv6_enabled
if [ "$FNRET" != 0 ]; then
ok "ipv6 is disabled"
else

2
bin/hardening/3.3.1_disable_source_routed_packets.sh
View File

@ -22,7 +22,7 @@ SYSCTL_PARAMS=''
# This function will be called if the script status is on enabled / audit mode
audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
does_sysctl_param_exists "net.ipv6"
is_ipv6_enabled
if [ "$FNRET" = 0 ] || [[ ! "$SYSCTL_VALUES" =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)

16
bin/hardening/3.3.9_disable_ipv6_router_advertisement.sh
View File

@ -21,10 +21,8 @@ SYSCTL_PARAMS='net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0'
# This function will be called if the script status is on enabled / audit mode
audit() {
does_sysctl_param_exists "net.ipv6"
if [ "$FNRET" != 0 ]; then
ok "ipv6 is disabled"
else
is_ipv6_enabled
if [ "$FNRET" = 0 ]; then
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
@ -38,15 +36,15 @@ audit() {
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
done
else
ok "ipv6 disabled"
fi
}
# This function will be called if the script status is on enabled mode
apply() {
does_sysctl_param_exists "net.ipv6"
if [ "$FNRET" != 0 ]; then
ok "ipv6 is disabled"
else
is_ipv6_enabled
if [ "$FNRET" = 0 ]; then
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
@ -62,6 +60,8 @@ apply() {
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
done
else
ok "ipv6 disabled"
fi
}

29
bin/hardening/3.4.1_disable_dccp.sh
View File

@ -17,14 +17,39 @@ HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable Datagram Congestion Control Protocol (DCCP)."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_NF_CT_PROTO_DCCP"
MODULE_NAME="dccp"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Not implemented yet"
if [ "$IS_CONTAINER" -eq 1 ]; then
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
info "Not implemented yet"
if [ "$IS_CONTAINER" -eq 1 ]; then
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi
}
# This function will check config parameters required

29
bin/hardening/3.4.2_disable_sctp.sh
View File

@ -17,14 +17,39 @@ HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable Stream Control Transmission Protocol (SCTP)."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_NF_CT_PROTO_SCTP"
MODULE_NAME="sctp"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Not implemented yet"
if [ "$IS_CONTAINER" -eq 1 ]; then
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
info "Not implemented yet"
if [ "$IS_CONTAINER" -eq 1 ]; then
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi
}
# This function will check config parameters required

29
bin/hardening/3.4.3_disable_rds.sh
View File

@ -17,14 +17,39 @@ HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable Reliable Datagram Sockets (RDS)."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_RDS"
MODULE_NAME="rds"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Not implemented yet"
if [ "$IS_CONTAINER" -eq 1 ]; then
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
info "Not implemented yet"
if [ "$IS_CONTAINER" -eq 1 ]; then
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi
}
# This function will check config parameters required

29
bin/hardening/3.4.4_disable_tipc.sh
View File

@ -17,14 +17,39 @@ HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable Transperent Inter-Process Communication (TIPC)."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_TIPC"
MODULE_NAME="tipc"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Not implemented yet"
if [ "$IS_CONTAINER" -eq 1 ]; then
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
info "Not implemented yet"
if [ "$IS_CONTAINER" -eq 1 ]; then
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi
}
# This function will check config parameters required

6
bin/hardening/3.5.4.1.1_net_fw_default_policy_drop.sh
View File

@ -20,6 +20,8 @@ DESCRIPTION="Check iptables firewall default policy for DROP on INPUT and FORWAR
PACKAGE="iptables"
FW_CHAINS="INPUT FORWARD"
FW_POLICY="DROP"
FW_CMD="iptables"
FW_TIMEOUT="10"
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -27,9 +29,9 @@ audit() {
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
ipt=$($SUDO_CMD "$PACKAGE" -nL 2>/dev/null || true)
ipt=$($SUDO_CMD "$FW_CMD" -w "$FW_TIMEOUT" -nL 2>/dev/null || true)
if [[ -z "$ipt" ]]; then
crit "Empty return from $PACKAGE command. Aborting..."
crit "Empty return from $FW_CMD command. Aborting..."
return
fi
for chain in $FW_CHAINS; do

6
bin/hardening/4.1.1.3_audit_bootloader.sh
View File

@ -18,7 +18,7 @@ HARDENING_LEVEL=4
DESCRIPTION="Enable auditing for processes that start prior to auditd."
FILE='/etc/default/grub'
OPTIONS='GRUB_CMDLINE_LINUX="audit=1"'
OPTIONS='GRUB_CMDLINE_LINUX=audit=1'
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -30,7 +30,7 @@ audit() {
for GRUB_OPTION in $OPTIONS; do
GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
debug "$GRUB_PARAM should be set to $GRUB_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 0 ]; then
@ -55,7 +55,7 @@ apply() {
GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
debug "$GRUB_PARAM should be set to $GRUB_VALUE"
PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 0 ]; then
warn "$PATTERN is not present in $FILE, adding it"

6
bin/hardening/4.1.1.4_audit_backlog_limit.sh
View File

@ -18,7 +18,7 @@ HARDENING_LEVEL=4
DESCRIPTION="Configure audit_backlog_limit to be sufficient."
FILE='/etc/default/grub'
OPTIONS='GRUB_CMDLINE_LINUX="audit_backlog_limit=8192"'
OPTIONS='GRUB_CMDLINE_LINUX=audit_backlog_limit=8192'
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -30,7 +30,7 @@ audit() {
for GRUB_OPTION in $OPTIONS; do
GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
debug "$GRUB_PARAM should be set to $GRUB_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 0 ]; then
@ -55,7 +55,7 @@ apply() {
GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
debug "$GRUB_PARAM should be set to $GRUB_VALUE"
PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 0 ]; then
warn "$PATTERN is not present in $FILE, adding it"

51
bin/hardening/4.1.10_record_failed_access_file.sh
View File

@ -21,7 +21,8 @@ AUDIT_PARAMS='-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
FILE='/etc/audit/audit.rules'
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -30,14 +31,21 @@ audit() {
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi
done
IFS=$d_IFS
@ -45,18 +53,31 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required

55
bin/hardening/4.1.11_record_privileged_commands.sh
View File

@ -17,11 +17,12 @@ HARDENING_LEVEL=4
# shellcheck disable=2034
DESCRIPTION="Collect use of privileged commands."
# Find all files with setuid or setgid set
SUDO_CMD='sudo -n'
AUDIT_PARAMS=$($SUDO_CMD find / -xdev \( -perm -4000 -o -perm -2000 \) -type f |
# Find all files with setuid or setgid set
AUDIT_PARAMS=$($SUDO_CMD find / -xdev -ignore_readdir_race \( -perm -4000 -o -perm -2000 \) -type f |
awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }')
FILE='/etc/audit/audit.rules'
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -30,14 +31,21 @@ audit() {
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi
done
IFS=$d_IFS
@ -45,18 +53,31 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required

51
bin/hardening/4.1.12_record_successful_mount.sh
View File

@ -19,7 +19,8 @@ DESCRIPTION="Collect sucessfull file system mounts."
AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
FILE='/etc/audit/audit.rules'
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -28,14 +29,21 @@ audit() {
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi
done
IFS=$d_IFS
@ -43,18 +51,31 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required

51
bin/hardening/4.1.13_record_file_deletions.sh
View File

@ -19,7 +19,8 @@ DESCRIPTION="Collects file deletion events by users."
AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
FILE='/etc/audit/audit.rules'
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -28,14 +29,21 @@ audit() {
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi
done
IFS=$d_IFS
@ -43,18 +51,31 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required

51
bin/hardening/4.1.14_record_sudoers_edit.sh
View File

@ -19,7 +19,8 @@ DESCRIPTION="Collect changes to system administration scopre."
AUDIT_PARAMS='-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers'
FILE='/etc/audit/audit.rules'
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -28,14 +29,21 @@ audit() {
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi
done
IFS=$d_IFS
@ -43,18 +51,31 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required

51
bin/hardening/4.1.15_record_sudo_usage.sh
View File

@ -18,7 +18,8 @@ HARDENING_LEVEL=4
DESCRIPTION="Collect system administration actions (sudolog)."
AUDIT_PARAMS='-w /var/log/auth.log -p wa -k sudoaction'
FILE='/etc/audit/audit.rules'
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -27,14 +28,21 @@ audit() {
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi
done
IFS=$d_IFS
@ -42,18 +50,31 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required

51
bin/hardening/4.1.16_record_kernel_modules.sh
View File

@ -21,7 +21,8 @@ AUDIT_PARAMS='-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules'
FILE='/etc/audit/audit.rules'
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -30,14 +31,21 @@ audit() {
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi
done
IFS=$d_IFS
@ -45,18 +53,31 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required

51
bin/hardening/4.1.17_freeze_auditd_conf.sh
View File

@ -18,7 +18,8 @@ HARDENING_LEVEL=4
DESCRIPTION="Make the audit configuration immutable."
AUDIT_PARAMS='-e 2'
FILE='/etc/audit/audit.rules'
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -27,14 +28,21 @@ audit() {
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi
done
IFS=$d_IFS
@ -42,18 +50,31 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required

51
bin/hardening/4.1.3_record_date_time_edit.sh
View File

@ -22,7 +22,8 @@ AUDIT_PARAMS='-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-cha
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change'
FILE='/etc/audit/audit.rules'
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -31,14 +32,21 @@ audit() {
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi
done
IFS=$d_IFS
@ -46,18 +54,31 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required

51
bin/hardening/4.1.4_record_user_group_edit.sh
View File

@ -22,7 +22,8 @@ AUDIT_PARAMS='-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity'
FILE='/etc/audit/audit.rules'
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -31,14 +32,21 @@ audit() {
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi
done
IFS=$d_IFS
@ -46,18 +54,31 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required

51
bin/hardening/4.1.5_record_network_edit.sh
View File

@ -23,7 +23,8 @@ AUDIT_PARAMS='-a exit,always -F arch=b64 -S sethostname -S setdomainname -k syst
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale'
FILE='/etc/audit/audit.rules'
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -32,14 +33,21 @@ audit() {
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi
done
IFS=$d_IFS
@ -47,18 +55,31 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required

51
bin/hardening/4.1.6_record_mac_edit.sh
View File

@ -18,7 +18,8 @@ HARDENING_LEVEL=4
DESCRIPTION="Record events that modify the system's mandatory access controls (MAC)."
AUDIT_PARAMS='-w /etc/selinux/ -p wa -k MAC-policy'
FILE='/etc/audit/audit.rules'
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -27,14 +28,21 @@ audit() {
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi
done
IFS=$d_IFS
@ -42,18 +50,31 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required

51
bin/hardening/4.1.7_record_login_logout.sh
View File

@ -20,7 +20,8 @@ DESCRIPTION="Collect login and logout events."
AUDIT_PARAMS='-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins'
FILE='/etc/audit/audit.rules'
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -29,14 +30,21 @@ audit() {
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi
done
IFS=$d_IFS
@ -44,18 +52,31 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required

51
bin/hardening/4.1.8_record_session_init.sh
View File

@ -20,7 +20,8 @@ DESCRIPTION="Collec sessions initiation information."
AUDIT_PARAMS='-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session'
FILE='/etc/audit/audit.rules'
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -29,14 +30,21 @@ audit() {
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi
done
IFS=$d_IFS
@ -44,18 +52,31 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required

51
bin/hardening/4.1.9_record_dac_edit.sh
View File

@ -23,7 +23,8 @@ AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
FILE='/etc/audit/audit.rules'
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -32,14 +33,21 @@ audit() {
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi
done
IFS=$d_IFS
@ -47,18 +55,31 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required

33
bin/hardening/4.2.1.2_enable_syslog-ng.sh
View File

@ -17,29 +17,40 @@ HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure syslog-ng service is activated."
PACKAGE='syslog-ng'
SERVICE_NAME="syslog-ng"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Checking if $SERVICE_NAME is enabled"
is_service_enabled "$SERVICE_NAME"
if [ "$FNRET" = 0 ]; then
ok "$SERVICE_NAME is enabled"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
crit "$SERVICE_NAME is disabled"
info "Checking if $SERVICE_NAME is enabled"
is_service_enabled "$SERVICE_NAME"
if [ "$FNRET" = 0 ]; then
ok "$SERVICE_NAME is enabled"
else
crit "$SERVICE_NAME is disabled"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
info "Checking if $SERVICE_NAME is enabled"
is_service_enabled "$SERVICE_NAME"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
info "Enabling $SERVICE_NAME"
update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1
crit "$PACKAGE is not installed!"
else
ok "$SERVICE_NAME is enabled"
info "Checking if $SERVICE_NAME is enabled"
is_service_enabled "$SERVICE_NAME"
if [ "$FNRET" != 0 ]; then
info "Enabling $SERVICE_NAME"
update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1
else
ok "$SERVICE_NAME is enabled"
fi
fi
}

135
bin/hardening/4.2.1.4_syslog_ng_logfiles_perm.sh
View File

@ -19,6 +19,7 @@ DESCRIPTION="Create and set permissions on syslog-ng logfiles."
# Note: this is not exacly the same check as the one described in CIS PDF
PACKAGE='syslog-ng'
PERMISSIONS=''
USER=''
GROUP=''
@ -26,14 +27,71 @@ EXCEPTIONS=''
# This function will be called if the script status is on enabled / audit mode
audit() {
FILES=$(grep "file(" "$SYSLOG_BASEDIR"/syslog-ng.conf | grep '"' | cut -d'"' -f 2)
for FILE in $FILES; do
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist"
else
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
FILES=$(grep "file(" "$SYSLOG_BASEDIR"/syslog-ng.conf | grep '"' | cut -d'"' -f 2)
for FILE in $FILES; do
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist"
else
FOUND_EXC=0
if grep -q "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
debug "$FILE is found in exceptions"
debug "Setting special user:group:perm"
FOUND_EXC=1
local user_bak="$USER"
local group_bak="$GROUP"
local perm_bak="$PERMISSIONS"
USER="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)"
GROUP="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)"
PERMISSIONS="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership ($USER:$GROUP)"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions ($PERMISSIONS)"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
if [ "$FOUND_EXC" = 1 ]; then
debug "Resetting user:group:perm"
USER="$user_bak"
GROUP="$group_bak"
PERMISSIONS="$perm_bak"
fi
fi
done
fi
}
# This function will be called if the script status is on enabled mode
apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
for FILE in $FILES; do
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
filedir=$(dirname "${FILE#/var/log/}")
if [ ! "$filedir" = "." ] && [ ! -d /var/log/"$filedir" ]; then
debug "Creating /var/log/$filedir for $FILE"
debug "mkdir -p /var/log/$filedir"
mkdir -p /var/log/"$filedir"
fi
touch "$FILE"
fi
FOUND_EXC=0
if grep -q "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
if grep "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
debug "$FILE is found in exceptions"
debug "Setting special user:group:perm"
FOUND_EXC=1
@ -46,15 +104,17 @@ audit() {
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership ($USER:$GROUP)"
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions ($PERMISSIONS)"
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
if [ "$FOUND_EXC" = 1 ]; then
debug "Resetting user:group:perm"
@ -62,57 +122,8 @@ audit() {
GROUP="$group_bak"
PERMISSIONS="$perm_bak"
fi
fi
done
}
# This function will be called if the script status is on enabled mode
apply() {
for FILE in $FILES; do
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
filedir=$(dirname "${FILE#/var/log/}")
if [ ! "$filedir" = "." ] && [ ! -d /var/log/"$filedir" ]; then
debug "Creating /var/log/$filedir for $FILE"
debug "mkdir -p /var/log/$filedir"
mkdir -p /var/log/"$filedir"
fi
touch "$FILE"
fi
FOUND_EXC=0
if grep "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
debug "$FILE is found in exceptions"
debug "Setting special user:group:perm"
FOUND_EXC=1
local user_bak="$USER"
local group_bak="$GROUP"
local perm_bak="$PERMISSIONS"
USER="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)"
GROUP="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)"
PERMISSIONS="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
if [ "$FOUND_EXC" = 1 ]; then
debug "Resetting user:group:perm"
USER="$user_bak"
GROUP="$group_bak"
PERMISSIONS="$perm_bak"
fi
done
done
fi
}
# This function will create the config file for this check with default values

58
bin/hardening/4.2.1.5_syslog-ng_remote_host.sh
View File

@ -17,40 +17,52 @@ HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Configure syslog-ng to send logs to a remote log host."
PACKAGE='syslog-ng'
PATTERN='destination[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".'
# This function will be called if the script status is on enabled / audit mode
audit() {
FOUND=0
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
for FILE in $FILES; do
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
FOUND=1
fi
done
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
crit "$PATTERN is not present in $FILES"
FOUND=0
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
for FILE in $FILES; do
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
FOUND=1
fi
done
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
else
crit "$PATTERN is not present in $FILES"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
FOUND=0
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
for FILE in $FILES; do
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
FOUND=1
fi
done
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
crit "$PATTERN is not present in $FILES, please set a remote host to send your logs"
FOUND=0
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
for FILE in $FILES; do
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
FOUND=1
fi
done
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
else
crit "$PATTERN is not present in $FILES, please set a remote host to send your logs"
fi
fi
}

98
bin/hardening/4.2.1.6_remote_syslog-ng_acl.sh
View File

@ -17,64 +17,74 @@ HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Configure syslog to accept remote syslog messages only on designated log hosts."
PACKAGE='syslog-ng'
REMOTE_HOST=""
PATTERN='source[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".'
# This function will be called if the script status is on enabled / audit mode
audit() {
FOUND=0
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
for FILE in $FILES; do
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
FOUND=1
fi
done
if [[ "$REMOTE_HOST" ]]; then
info "This is the remote host, checking that it only accepts logs from specified zone"
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
else
crit "$PATTERN is not present in $FILES"
fi
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
info "This is the not the remote host checking that it doesn't accept remote logs"
if [ "$FOUND" = 1 ]; then
crit "$PATTERN is present in $FILES"
else
ok "$PATTERN is not present in $FILES"
fi
FOUND=0
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
for FILE in $FILES; do
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
FOUND=1
fi
done
if [[ "$REMOTE_HOST" ]]; then
info "This is the remote host, checking that it only accepts logs from specified zone"
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
else
crit "$PATTERN is not present in $FILES"
fi
else
info "This is the not the remote host checking that it doesn't accept remote logs"
if [ "$FOUND" = 1 ]; then
crit "$PATTERN is present in $FILES"
else
ok "$PATTERN is not present in $FILES"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
FOUND=0
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
for FILE in $FILES; do
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
FOUND=1
fi
done
if [[ "$REMOTE_HOST" ]]; then
info "This is the remote host, checking that it only accepts logs from specified zone"
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
else
crit "$PATTERN is not present in $FILES, setup the machine to receive the logs"
fi
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
info "This is the not the remote host checking that it doesn't accept remote logs"
if [ "$FOUND" = 1 ]; then
warn "$PATTERN is present in $FILES, "
else
ok "$PATTERN is not present in $FILES"
fi
FOUND=0
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
for FILE in $FILES; do
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
FOUND=1
fi
done
if [[ "$REMOTE_HOST" ]]; then
info "This is the remote host, checking that it only accepts logs from specified zone"
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
else
crit "$PATTERN is not present in $FILES, setup the machine to receive the logs"
fi
else
info "This is the not the remote host checking that it doesn't accept remote logs"
if [ "$FOUND" = 1 ]; then
warn "$PATTERN is present in $FILES, "
else
ok "$PATTERN is not present in $FILES"
fi
fi
fi
}

16
bin/hardening/4.2.2.1_journald_logs.sh
View File

@ -18,7 +18,7 @@ HARDENING_LEVEL=3
DESCRIPTION="Configure journald to send logs to syslog-ng."
FILE='/etc/systemd/journald.conf'
OPTIONS='ForwardToSyslog=yes'
OPTIONS='ForwardToSyslog=no'
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -34,9 +34,9 @@ audit() {
debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in $FILE"
ok "$PATTERN is not present in $FILE"
else
ok "$PATTERN is present in $FILE"
crit "$PATTERN is present in $FILE"
fi
done
fi
@ -57,18 +57,18 @@ apply() {
debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 0 ]; then
warn "$PATTERN is not present in $FILE, adding it"
if [ "$FNRET" = 0 ]; then
warn "$PATTERN is present in $FILE, deleting it"
does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
if [ "$FNRET" != 0 ]; then
info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
add_end_of_file "$FILE" "$JOURNALD_PARAM = $JOURNALD_VALUE"
add_end_of_file "$FILE" "$JOURNALD_PARAM=yes"
else
info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"
replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=yes"
fi
else
ok "$PATTERN is present in $FILE"
ok "$PATTERN is not present in $FILE"
fi
done
}

14
bin/hardening/4.2.2.2_journald_compress.sh
View File

@ -18,7 +18,7 @@ HARDENING_LEVEL=3
DESCRIPTION="Configure journald to send logs to syslog-ng."
FILE='/etc/systemd/journald.conf'
OPTIONS='Compress=yes'
OPTIONS='Compress=no'
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -34,9 +34,9 @@ audit() {
debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in $FILE"
ok "$PATTERN is not present in $FILE"
else
ok "$PATTERN is present in $FILE"
crit "$PATTERN is present in $FILE"
fi
done
fi
@ -57,18 +57,18 @@ apply() {
debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 0 ]; then
if [ "$FNRET" = 0 ]; then
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
if [ "$FNRET" != 0 ]; then
info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
add_end_of_file "$FILE" "$JOURNALD_PARAM = $JOURNALD_VALUE"
add_end_of_file "$FILE" "$JOURNALD_PARAM=yes"
else
info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"
replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=yes"
fi
else
ok "$PATTERN is present in $FILE"
ok "$PATTERN is not present in $FILE"
fi
done
}

2
bin/hardening/4.2.2.3_journald_write_persistent.sh
View File

@ -62,7 +62,7 @@ apply() {
does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
if [ "$FNRET" != 0 ]; then
info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
add_end_of_file "$FILE" "$JOURNALD_PARAM = $JOURNALD_VALUE"
add_end_of_file "$FILE" "$JOURNALD_PARAM=$JOURNALD_VALUE"
else
info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"

52
bin/hardening/5.1.2_crontab_perm_ownership.sh
View File

@ -24,17 +24,22 @@ GROUP='root'
# This function will be called if the script status is on enabled / audit mode
audit() {
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
fi
}
@ -44,20 +49,21 @@ apply() {
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
touch "$FILE"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
fi
}

52
bin/hardening/5.1.3_cron_hourly_perm_ownership.sh
View File

@ -24,17 +24,22 @@ GROUP='root'
# This function will be called if the script status is on enabled / audit mode
audit() {
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
fi
}
@ -44,20 +49,21 @@ apply() {
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
touch "$FILE"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
fi
}

52
bin/hardening/5.1.4_cron_daily_perm_ownership.sh
View File

@ -24,17 +24,22 @@ GROUP='root'
# This function will be called if the script status is on enabled / audit mode
audit() {
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
fi
}
@ -44,20 +49,21 @@ apply() {
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
touch "$FILE"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
fi
}

52
bin/hardening/5.1.5_cron_weekly_perm_ownership.sh
View File

@ -24,17 +24,22 @@ GROUP='root'
# This function will be called if the script status is on enabled / audit mode
audit() {
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
fi
}
@ -44,20 +49,21 @@ apply() {
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
touch "$FILE"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
fi
}

52
bin/hardening/5.1.6_cron_monthly_perm_ownership.sh
View File

@ -24,17 +24,22 @@ GROUP='root'
# This function will be called if the script status is on enabled / audit mode
audit() {
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
fi
}
@ -44,20 +49,21 @@ apply() {
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
touch "$FILE"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
fi
}

9
bin/hardening/5.1.8_cron_users.sh
View File

@ -20,6 +20,7 @@ DESCRIPTION="Restrict at/cron to authorized users."
FILES_ABSENT='/etc/cron.deny /etc/at.deny'
FILES_PRESENT='/etc/cron.allow /etc/at.allow'
PERMISSIONS='644'
PERMISSIONSOK='644 640 600 440 400'
USER='root'
GROUP='root'
@ -36,7 +37,7 @@ audit() {
for FILE in $FILES_PRESENT; do
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE is absent"
crit "$FILE is absent, should exist"
else
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
@ -44,7 +45,7 @@ audit() {
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
@ -68,7 +69,7 @@ apply() {
for FILE in $FILES_PRESENT; do
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
warn "$FILE is absent"
warn "$FILE is absent, fixing (touch)"
touch "$FILE"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
@ -78,7 +79,7 @@ apply() {
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else

8
bin/hardening/5.2.10_disable_root_login.sh
View File

@ -25,14 +25,14 @@ FILE='/etc/ssh/sshd_config'
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
ok "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^$SSH_PARAM"
does_pattern_exist_in_file_nocase "$FILE" "^$SSH_PARAM"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

8
bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh
View File

@ -25,14 +25,14 @@ FILE='/etc/ssh/sshd_config'
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
ok "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

8
bin/hardening/5.2.12_disable_sshd_setenv.sh
View File

@ -25,14 +25,14 @@ FILE='/etc/ssh/sshd_config'
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
ok "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

8
bin/hardening/5.2.13_sshd_ciphers.sh
View File

@ -25,14 +25,14 @@ FILE='/etc/ssh/sshd_config'
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
ok "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

4
bin/hardening/5.2.14_ssh_cry_mac.sh
View File

@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
ok "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
@ -78,7 +78,7 @@ create_config() {
cat <<EOF
status=audit
# Put your MACs
OPTIONS="MACs=umac-128-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128@openssh.com,umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256"
OPTIONS="MACs=hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256"
EOF
}

10
bin/hardening/5.2.15_ssh_cry_kex.sh
View File

@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
ok "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
@ -73,15 +73,12 @@ apply() {
}
create_config() {
get_debian_major_version
set +u
debug "Debian version : $DEB_MAJ_VER "
if [[ -z "$DEB_MAJ_VER" ]] || [[ 7 -eq "$DEB_MAJ_VER" ]]; then
if [[ 7 -le "$DEB_MAJ_VER" ]]; then
KEX='diffie-hellman-group-exchange-sha256'
elif [[ 8 -eq "$DEB_MAJ_VER" ]] || [[ 9 -eq "$DEB_MAJ_VER" ]]; then
KEX='curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
else
KEX='diffie-hellman-group-exchange-sha256'
KEX='curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256'
fi
set -u
cat <<EOF
@ -89,6 +86,7 @@ status=audit
# Put your KexAlgorithms
OPTIONS="KexAlgorithms=$KEX"
EOF
}
# This function will check config parameters required

8
bin/hardening/5.2.16_sshd_idle_timeout.sh
View File

@ -25,14 +25,14 @@ FILE='/etc/ssh/sshd_config'
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
ok "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

8
bin/hardening/5.2.17_sshd_login_grace_time.sh
View File

@ -25,14 +25,14 @@ FILE='/etc/ssh/sshd_config'
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
ok "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
does_pattern_exist_in_file_nocase $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

8
bin/hardening/5.2.18_sshd_limit_access.sh
View File

@ -25,7 +25,7 @@ audit() {
OPTIONS="AllowUsers='$ALLOWED_USERS' AllowGroups='$ALLOWED_GROUPS' DenyUsers='$DENIED_USERS' DenyGroups='$DENIED_GROUPS'"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
ok "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
@ -34,7 +34,7 @@ audit() {
# shellcheck disable=SC2001
SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE")
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -59,12 +59,12 @@ apply() {
# shellcheck disable=SC2001
SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE")
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

2
bin/hardening/5.2.19_ssh_banner.sh
View File

@ -25,7 +25,7 @@ audit() {
OPTIONS="Banner=$BANNER_FILE"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
ok "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do

63
bin/hardening/5.2.1_sshd_conf_perm_ownership.sh
View File

@ -17,6 +17,7 @@ HARDENING_LEVEL=1
# shellcheck disable=2034
DESCRIPTION="Checking permissions and ownership to root 600 for sshd_config."
PACKAGE='openssh-server'
FILE='/etc/ssh/sshd_config'
PERMISSIONS='600'
USER='root'
@ -24,40 +25,50 @@ GROUP='root'
# This function will be called if the script status is on enabled / audit mode
audit() {
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
ok "$PACKAGE is not installed!"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
does_file_exist "$FILE"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
touch "$FILE"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
ok "$PACKAGE is not installed"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
touch "$FILE"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
fi
}

8
bin/hardening/5.2.20_enable_ssh_pam.sh
View File

@ -25,14 +25,14 @@ FILE='/etc/ssh/sshd_config'
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
ok "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
does_pattern_exist_in_file_nocase $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

8
bin/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh
View File

@ -25,14 +25,14 @@ FILE='/etc/ssh/sshd_config'
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
ok "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
does_pattern_exist_in_file_nocase $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

8
bin/hardening/5.2.22_configure_ssh_max_startups.sh
View File

@ -25,14 +25,14 @@ FILE='/etc/ssh/sshd_config'
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
ok "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
does_pattern_exist_in_file_nocase $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

29
bin/hardening/5.2.23_limit_ssh_max_sessions.sh
View File

@ -25,18 +25,28 @@ FILE='/etc/ssh/sshd_config'
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
ok "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
does_pattern_exist_in_file_nocase $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in $FILE"
else
VALUE=$($SUDO_CMD grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
if [ "$VALUE" -gt "$SSH_VALUE" ]; then
crit "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM"
else
ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
fi
fi
fi
done
fi
@ -55,17 +65,22 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
VALUE=$(grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
if [ "$VALUE" -gt "$SSH_VALUE" ]; then
warn "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM, replacing it"
replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
else
ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
fi
fi
/etc/init.d/ssh reload
fi

8
bin/hardening/5.2.4_sshd_protocol.sh
View File

@ -25,14 +25,14 @@ FILE='/etc/ssh/sshd_config'
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
ok "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

4
bin/hardening/5.2.5_sshd_loglevel.sh
View File

@ -26,7 +26,7 @@ FILE='/etc/ssh/sshd_config'
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
ok "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
@ -61,7 +61,7 @@ apply() {
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

6
bin/hardening/5.2.6_disable_x11_forwarding.sh
View File

@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
ok "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

Some files were not shown because too many files have changed in this diff Show More