mirror of
https://github.com/ovh/debian-cis.git
synced 2025-07-16 13:52:17 +02:00
Compare commits
25 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| fb5be208ef | |||
| b44fb47c3a | |||
| 84ac4db90f | |||
| 40fb536d4e | |||
| d1b371f410 | |||
| 6ab1cab3ce | |||
| 1a7dd5893a | |||
| fa111bc0d0 | |||
| 460843ffb3 | |||
| 896d277d95 | |||
| 6ae05f3fa2 | |||
| 449c695415 | |||
| 2d6550fb13 | |||
| 0b6ea0d97e | |||
| ec9e2addc2 | |||
| ed1baa724e | |||
| bd4ddfc398 | |||
| 5a72d986ea | |||
| c51513e083 | |||
| 6127f2fe67 | |||
| 6efefa07ac | |||
| dce926a536 | |||
| 0edb837f80 | |||
| 1c2e171655 | |||
| 4a652a94c6 |
2
.github/workflows/compile-manual.yml
vendored
2
.github/workflows/compile-manual.yml
vendored
@ -10,7 +10,7 @@ jobs:
|
|||||||
uses: actions/checkout@v2
|
uses: actions/checkout@v2
|
||||||
- name: Produce debian man
|
- name: Produce debian man
|
||||||
run: 'docker run --rm --volume "`pwd`:/data" --user `id -u`:`id -g` pandoc/latex:2.6 MANUAL.md -s -t man > debian/cis-hardening.8'
|
run: 'docker run --rm --volume "`pwd`:/data" --user `id -u`:`id -g` pandoc/latex:2.6 MANUAL.md -s -t man > debian/cis-hardening.8'
|
||||||
- uses: EndBug/add-and-commit@v6
|
- uses: EndBug/add-and-commit@v7
|
||||||
with:
|
with:
|
||||||
add: 'debian/cis-hardening.8'
|
add: 'debian/cis-hardening.8'
|
||||||
message: 'Regenerate man pages (Github action)'
|
message: 'Regenerate man pages (Github action)'
|
||||||
|
|||||||
7
.github/workflows/functionnal-tests.yml
vendored
7
.github/workflows/functionnal-tests.yml
vendored
@ -18,3 +18,10 @@ jobs:
|
|||||||
uses: actions/checkout@v2
|
uses: actions/checkout@v2
|
||||||
- name: Run the tests debian10
|
- name: Run the tests debian10
|
||||||
run: ./tests/docker_build_and_run_tests.sh debian10
|
run: ./tests/docker_build_and_run_tests.sh debian10
|
||||||
|
functionnal-tests-docker-debian11:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: Checkout repo
|
||||||
|
uses: actions/checkout@v2
|
||||||
|
- name: Run the tests debian11
|
||||||
|
run: ./tests/docker_build_and_run_tests.sh debian11
|
||||||
|
|||||||
2
.github/workflows/pre-release.yml
vendored
2
.github/workflows/pre-release.yml
vendored
@ -21,7 +21,7 @@ jobs:
|
|||||||
find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
|
find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
|
||||||
# DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
|
# DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
|
||||||
- name: Delete the tag latest and the release latest
|
- name: Delete the tag latest and the release latest
|
||||||
uses: dev-drprasad/delete-tag-and-release@v0.1.2
|
uses: dev-drprasad/delete-tag-and-release@v0.1.3
|
||||||
with:
|
with:
|
||||||
delete_release: true
|
delete_release: true
|
||||||
tag_name: latest
|
tag_name: latest
|
||||||
|
|||||||
13
.github/workflows/shellcheck_and_shellfmt.yml
vendored
13
.github/workflows/shellcheck_and_shellfmt.yml
vendored
@ -4,19 +4,26 @@ on:
|
|||||||
- push
|
- push
|
||||||
- pull_request
|
- pull_request
|
||||||
jobs:
|
jobs:
|
||||||
sh-checker:
|
shellfmt:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repo
|
- name: Checkout repo
|
||||||
uses: actions/checkout@v2
|
uses: actions/checkout@v2
|
||||||
- name: Run the sh-checker
|
- name: Run the sh-checker
|
||||||
uses: luizm/action-sh-checker@v0.1.10
|
uses: luizm/action-sh-checker@v0.1.12
|
||||||
env:
|
env:
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Optional if sh_checker_comment is false.
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Optional if sh_checker_comment is false.
|
||||||
SHELLCHECK_OPTS: --color=always --shell=bash -x --source-path=SCRIPTDIR # Optional: exclude some shellcheck warnings.
|
|
||||||
SHFMT_OPTS: -l -i 4 -w # Optional: pass arguments to shfmt.
|
SHFMT_OPTS: -l -i 4 -w # Optional: pass arguments to shfmt.
|
||||||
with:
|
with:
|
||||||
|
sh_checker_shellcheck_disable: true
|
||||||
sh_checker_comment: true
|
sh_checker_comment: true
|
||||||
sh_checker_exclude: |
|
sh_checker_exclude: |
|
||||||
src/
|
src/
|
||||||
debian/postrm
|
debian/postrm
|
||||||
|
shellcheck:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: Checkout repo
|
||||||
|
uses: actions/checkout@v2
|
||||||
|
- name: Run shellcheck
|
||||||
|
run: ./shellcheck/docker_build_and_run_shellcheck.sh
|
||||||
|
|||||||
2
.github/workflows/tagged-release.yml
vendored
2
.github/workflows/tagged-release.yml
vendored
@ -35,7 +35,7 @@ jobs:
|
|||||||
find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
|
find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
|
||||||
# DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
|
# DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
|
||||||
- name: Delete the tag latest and the release latest
|
- name: Delete the tag latest and the release latest
|
||||||
uses: dev-drprasad/delete-tag-and-release@v0.1.2
|
uses: dev-drprasad/delete-tag-and-release@v0.1.3
|
||||||
with:
|
with:
|
||||||
delete_release: true
|
delete_release: true
|
||||||
tag_name: latest
|
tag_name: latest
|
||||||
|
|||||||
@ -115,11 +115,20 @@ will create a timestamped backup in this directory.
|
|||||||
the -n option instructs sudo not to prompt for a password.
|
the -n option instructs sudo not to prompt for a password.
|
||||||
Finally note that `--sudo` mode only works for audit mode.
|
Finally note that `--sudo` mode only works for audit mode.
|
||||||
|
|
||||||
|
`--set-log-level=level`
|
||||||
|
: This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
|
||||||
|
Default value is : info
|
||||||
|
|
||||||
`--batch`
|
`--batch`
|
||||||
: While performing system audit, this option sets LOGLEVEL to 'ok' and
|
: While performing system audit, this option sets LOGLEVEL to 'ok' and
|
||||||
captures all output to print only one line once the check is done, formatted like :
|
captures all output to print only one line once the check is done, formatted like :
|
||||||
OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
|
OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
|
||||||
|
|
||||||
|
`--allow-unsupported-distribution`
|
||||||
|
Must be specified manually in the command line to allow the run on non compatible
|
||||||
|
version or distribution. If you want to mute the warning change the LOGLEVEL
|
||||||
|
in /etc/hardening.cfg
|
||||||
|
|
||||||
|
|
||||||
# AUTHORS
|
# AUTHORS
|
||||||
|
|
||||||
|
|||||||
@ -44,7 +44,7 @@ hardening [INFO] Treating /opt/cis-hardening/bin/hardening/6.2.19_check_duplicat
|
|||||||
$ git clone https://github.com/ovh/debian-cis.git && cd debian-cis
|
$ git clone https://github.com/ovh/debian-cis.git && cd debian-cis
|
||||||
$ cp debian/default /etc/default/cis-hardening
|
$ cp debian/default /etc/default/cis-hardening
|
||||||
$ sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
|
$ sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
|
||||||
$ bin/hardening/1.1_install_updates.sh --audit-all
|
$ bin/hardening/1.1.1.1_disable_freevxfs.sh --audit-all
|
||||||
hardening [INFO] Treating /opt/cis-hardening/bin/hardening/1.1.1.1_disable_freevxfs.sh
|
hardening [INFO] Treating /opt/cis-hardening/bin/hardening/1.1.1.1_disable_freevxfs.sh
|
||||||
1.1.1.1_disable_freevxfs [INFO] Working on 1.1.1.1_disable_freevxfs
|
1.1.1.1_disable_freevxfs [INFO] Working on 1.1.1.1_disable_freevxfs
|
||||||
1.1.1.1_disable_freevxfs [INFO] [DESCRIPTION] Disable mounting of freevxfs filesystems.
|
1.1.1.1_disable_freevxfs [INFO] [DESCRIPTION] Disable mounting of freevxfs filesystems.
|
||||||
@ -117,9 +117,16 @@ to allow a certain kind of services on the machine, such as http, mail, etc.
|
|||||||
Can be specified multiple times to allow multiple services.
|
Can be specified multiple times to allow multiple services.
|
||||||
Use --allow-service-list to get a list of supported services.
|
Use --allow-service-list to get a list of supported services.
|
||||||
|
|
||||||
|
``--set-log-level <level>``: This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
|
||||||
|
Default value is : info
|
||||||
|
|
||||||
``--create-config-files-only``: create the config files in etc/conf.d. Must be run as root,
|
``--create-config-files-only``: create the config files in etc/conf.d. Must be run as root,
|
||||||
before running the audit with user secaudit, to have the rights setup well on the conf files.
|
before running the audit with user secaudit, to have the rights setup well on the conf files.
|
||||||
|
|
||||||
|
``--allow-unsupported-distribution``: must be specified manually in the command line to allow
|
||||||
|
the run on non compatible version or distribution. If you want to mute the warning change the
|
||||||
|
LOGLEVEL in /etc/hardening.cfg
|
||||||
|
|
||||||
## :computer: Hacking
|
## :computer: Hacking
|
||||||
|
|
||||||
**Getting the source**
|
**Getting the source**
|
||||||
|
|||||||
@ -26,6 +26,8 @@ ALLOW_SERVICE_LIST=0
|
|||||||
SET_HARDENING_LEVEL=0
|
SET_HARDENING_LEVEL=0
|
||||||
SUDO_MODE=''
|
SUDO_MODE=''
|
||||||
BATCH_MODE=''
|
BATCH_MODE=''
|
||||||
|
ASK_LOGLEVEL=''
|
||||||
|
ALLOW_UNSUPPORTED_DISTRIBUTION=0
|
||||||
|
|
||||||
usage() {
|
usage() {
|
||||||
cat <<EOF
|
cat <<EOF
|
||||||
@ -98,11 +100,20 @@ OPTIONS:
|
|||||||
the '-n' option instructs sudo not to prompt for a password.
|
the '-n' option instructs sudo not to prompt for a password.
|
||||||
Finally note that '--sudo' mode only works for audit mode.
|
Finally note that '--sudo' mode only works for audit mode.
|
||||||
|
|
||||||
|
--set-log-level <level>
|
||||||
|
This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
|
||||||
|
Default value is : info
|
||||||
|
|
||||||
--batch
|
--batch
|
||||||
While performing system audit, this option sets LOGLEVEL to 'ok' and
|
While performing system audit, this option sets LOGLEVEL to 'ok' and
|
||||||
captures all output to print only one line once the check is done, formatted like :
|
captures all output to print only one line once the check is done, formatted like :
|
||||||
OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
|
OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
|
||||||
|
|
||||||
|
--allow-unsupported-distribution
|
||||||
|
Must be specified manually in the command line to allow the run on non compatible
|
||||||
|
version or distribution. If you want to mute the warning change the LOGLEVEL
|
||||||
|
in /etc/hardening.cfg
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
exit 0
|
exit 0
|
||||||
}
|
}
|
||||||
@ -143,6 +154,10 @@ while [[ $# -gt 0 ]]; do
|
|||||||
SET_HARDENING_LEVEL="$2"
|
SET_HARDENING_LEVEL="$2"
|
||||||
shift
|
shift
|
||||||
;;
|
;;
|
||||||
|
--set-log-level)
|
||||||
|
ASK_LOGLEVEL=$2
|
||||||
|
shift
|
||||||
|
;;
|
||||||
--only)
|
--only)
|
||||||
TEST_LIST[${#TEST_LIST[@]}]="$2"
|
TEST_LIST[${#TEST_LIST[@]}]="$2"
|
||||||
shift
|
shift
|
||||||
@ -152,7 +167,10 @@ while [[ $# -gt 0 ]]; do
|
|||||||
;;
|
;;
|
||||||
--batch)
|
--batch)
|
||||||
BATCH_MODE='--batch'
|
BATCH_MODE='--batch'
|
||||||
LOGLEVEL=ok
|
ASK_LOGLEVEL=ok
|
||||||
|
;;
|
||||||
|
--allow-unsupported-distribution)
|
||||||
|
ALLOW_UNSUPPORTED_DISTRIBUTION=1
|
||||||
;;
|
;;
|
||||||
-h | --help)
|
-h | --help)
|
||||||
usage
|
usage
|
||||||
@ -179,16 +197,53 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
|||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
# shellcheck source=../lib/constants.sh
|
|
||||||
[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
|
|
||||||
# shellcheck source=../etc/hardening.cfg
|
# shellcheck source=../etc/hardening.cfg
|
||||||
[ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
|
[ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
|
||||||
|
if [ "$ASK_LOGLEVEL" ]; then LOGLEVEL=$ASK_LOGLEVEL; fi
|
||||||
# shellcheck source=../lib/common.sh
|
# shellcheck source=../lib/common.sh
|
||||||
[ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
|
[ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
|
||||||
# shellcheck source=../lib/utils.sh
|
# shellcheck source=../lib/utils.sh
|
||||||
[ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh
|
[ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh
|
||||||
|
# shellcheck source=../lib/constants.sh
|
||||||
|
[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
|
||||||
|
|
||||||
if [ "$BATCH_MODE" ]; then MACHINE_LOG_LEVEL=3; fi
|
# If we're on a unsupported platform and there is no flag --allow-unsupported-distribution
|
||||||
|
# print warning, otherwise quit
|
||||||
|
|
||||||
|
if [ "$DISTRIBUTION" != "debian" ]; then
|
||||||
|
echo "Your distribution has been identified as $DISTRIBUTION which is not debian"
|
||||||
|
if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
|
||||||
|
echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
|
||||||
|
echo "Exiting now"
|
||||||
|
exit 100
|
||||||
|
elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
|
||||||
|
echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions !"
|
||||||
|
echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
|
||||||
|
echo "Your debian version is too recent and is not supported yet because there is no official CIS PDF for this version yet."
|
||||||
|
if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
|
||||||
|
echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
|
||||||
|
echo "Exiting now"
|
||||||
|
exit 100
|
||||||
|
elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
|
||||||
|
echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions !"
|
||||||
|
echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
|
||||||
|
fi
|
||||||
|
elif [ "$DEB_MAJ_VER" -lt "$SMALLEST_SUPPORTED_DEBIAN_VERSION" ]; then
|
||||||
|
echo "Your debian version is deprecated and is no more maintained. Please upgrade to a supported version."
|
||||||
|
if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
|
||||||
|
echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
|
||||||
|
echo "Exiting now"
|
||||||
|
exit 100
|
||||||
|
elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
|
||||||
|
echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions, especially on deprecated ones !"
|
||||||
|
echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
# If --allow-service-list is specified, don't run anything, just list the supported services
|
# If --allow-service-list is specified, don't run anything, just list the supported services
|
||||||
if [ "$ALLOW_SERVICE_LIST" = 1 ]; then
|
if [ "$ALLOW_SERVICE_LIST" = 1 ]; then
|
||||||
@ -294,7 +349,7 @@ if [ "$BATCH_MODE" ]; then
|
|||||||
BATCH_SUMMARY+="RUN_CHECKS:${TOTAL_TREATED_CHECKS:-0} "
|
BATCH_SUMMARY+="RUN_CHECKS:${TOTAL_TREATED_CHECKS:-0} "
|
||||||
BATCH_SUMMARY+="TOTAL_CHECKS_AVAIL:${TOTAL_CHECKS:-0}"
|
BATCH_SUMMARY+="TOTAL_CHECKS_AVAIL:${TOTAL_CHECKS:-0}"
|
||||||
if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
|
if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
|
||||||
CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
|
CONFORMITY_PERCENTAGE=$(div $((PASSED_CHECKS * 100)) $TOTAL_TREATED_CHECKS)
|
||||||
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%s" "$CONFORMITY_PERCENTAGE")"
|
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%s" "$CONFORMITY_PERCENTAGE")"
|
||||||
else
|
else
|
||||||
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
|
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
|
||||||
@ -307,8 +362,8 @@ else
|
|||||||
printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
|
printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
|
||||||
printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
|
printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
|
||||||
|
|
||||||
ENABLED_CHECKS_PERCENTAGE=$(bc -l <<<"scale=2; ($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100")
|
ENABLED_CHECKS_PERCENTAGE=$(div $((TOTAL_TREATED_CHECKS * 100)) $TOTAL_CHECKS)
|
||||||
CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
|
CONFORMITY_PERCENTAGE=$(div $((PASSED_CHECKS * 100)) $TOTAL_TREATED_CHECKS)
|
||||||
printf "%30s %s %%\n" "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE"
|
printf "%30s %s %%\n" "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE"
|
||||||
if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
|
if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
|
||||||
printf "%30s %s %%\n" "Conformity Percentage :" "$CONFORMITY_PERCENTAGE"
|
printf "%30s %s %%\n" "Conformity Percentage :" "$CONFORMITY_PERCENTAGE"
|
||||||
|
|||||||
@ -17,28 +17,36 @@ HARDENING_LEVEL=2
|
|||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
DESCRIPTION="Disable mounting of freevxfs filesystems."
|
DESCRIPTION="Disable mounting of freevxfs filesystems."
|
||||||
|
|
||||||
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
|
|
||||||
|
|
||||||
KERNEL_OPTION="CONFIG_VXFS_FS"
|
KERNEL_OPTION="CONFIG_VXFS_FS"
|
||||||
MODULE_NAME="freevxfs"
|
MODULE_NAME="freevxfs"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
|
if [ "$IS_CONTAINER" -eq 1 ]; then
|
||||||
|
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||||
|
ok "Container detected, consider host enforcing or disable this check!"
|
||||||
|
else
|
||||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
||||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
crit "$KERNEL_OPTION is enabled!"
|
crit "$MODULE_NAME is enabled!"
|
||||||
else
|
else
|
||||||
ok "$KERNEL_OPTION is disabled"
|
ok "$MODULE_NAME is disabled"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
is_kernel_option_enabled "$KERNEL_OPTION"
|
if [ "$IS_CONTAINER" -eq 1 ]; then
|
||||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||||
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
ok "Container detected, consider host enforcing!"
|
||||||
else
|
else
|
||||||
ok "$KERNEL_OPTION is disabled, nothing to do"
|
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
||||||
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
|
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
|
||||||
|
else
|
||||||
|
ok "$MODULE_NAME is disabled"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -17,28 +17,36 @@ HARDENING_LEVEL=2
|
|||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
DESCRIPTION="Disable mounting of jffs2 filesystems."
|
DESCRIPTION="Disable mounting of jffs2 filesystems."
|
||||||
|
|
||||||
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
|
|
||||||
|
|
||||||
KERNEL_OPTION="CONFIG_JFFS2_FS"
|
KERNEL_OPTION="CONFIG_JFFS2_FS"
|
||||||
MODULE_NAME="jffs2"
|
MODULE_NAME="jffs2"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
if [ "$IS_CONTAINER" -eq 1 ]; then
|
||||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||||
crit "$KERNEL_OPTION is enabled!"
|
ok "Container detected, consider host enforcing or disable this check!"
|
||||||
else
|
else
|
||||||
ok "$KERNEL_OPTION is disabled"
|
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
|
||||||
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
|
crit "$MODULE_NAME is enabled!"
|
||||||
|
else
|
||||||
|
ok "$MODULE_NAME is disabled"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
is_kernel_option_enabled "$KERNEL_OPTION"
|
if [ "$IS_CONTAINER" -eq 1 ]; then
|
||||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||||
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
ok "Container detected, consider host enforcing!"
|
||||||
else
|
else
|
||||||
ok "$KERNEL_OPTION is disabled, nothing to do"
|
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
|
||||||
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
|
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
|
||||||
|
else
|
||||||
|
ok "$MODULE_NAME is disabled"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -17,28 +17,36 @@ HARDENING_LEVEL=2
|
|||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
DESCRIPTION="Disable mounting of hfs filesystems."
|
DESCRIPTION="Disable mounting of hfs filesystems."
|
||||||
|
|
||||||
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
|
|
||||||
|
|
||||||
KERNEL_OPTION="CONFIG_HFS_FS"
|
KERNEL_OPTION="CONFIG_HFS_FS"
|
||||||
MODULE_FILE="hfs"
|
MODULE_NAME="hfs"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
|
if [ "$IS_CONTAINER" -eq 1 ]; then
|
||||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||||
crit "$KERNEL_OPTION is enabled!"
|
ok "Container detected, consider host enforcing or disable this check!"
|
||||||
else
|
else
|
||||||
ok "$KERNEL_OPTION is disabled"
|
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
||||||
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
|
crit "$MODULE_NAME is enabled!"
|
||||||
|
else
|
||||||
|
ok "$MODULE_NAME is disabled"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
is_kernel_option_enabled "$KERNEL_OPTION"
|
if [ "$IS_CONTAINER" -eq 1 ]; then
|
||||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||||
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
ok "Container detected, consider host enforcing!"
|
||||||
else
|
else
|
||||||
ok "$KERNEL_OPTION is disabled, nothing to do"
|
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
||||||
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
|
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
|
||||||
|
else
|
||||||
|
ok "$MODULE_NAME is disabled"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -17,28 +17,36 @@ HARDENING_LEVEL=2
|
|||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
DESCRIPTION="Disable mounting of hfsplus filesystems."
|
DESCRIPTION="Disable mounting of hfsplus filesystems."
|
||||||
|
|
||||||
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
|
|
||||||
|
|
||||||
KERNEL_OPTION="CONFIG_HFSPLUS_FS"
|
KERNEL_OPTION="CONFIG_HFSPLUS_FS"
|
||||||
MODULE_FILE="hfsplus"
|
MODULE_NAME="hfsplus"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
|
if [ "$IS_CONTAINER" -eq 1 ]; then
|
||||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||||
crit "$KERNEL_OPTION is enabled!"
|
ok "Container detected, consider host enforcing or disable this check!"
|
||||||
else
|
else
|
||||||
ok "$KERNEL_OPTION is disabled"
|
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
||||||
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
|
crit "$MODULE_NAME is enabled!"
|
||||||
|
else
|
||||||
|
ok "$MODULE_NAME is disabled"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
is_kernel_option_enabled "$KERNEL_OPTION"
|
if [ "$IS_CONTAINER" -eq 1 ]; then
|
||||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||||
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
ok "Container detected, consider host enforcing!"
|
||||||
else
|
else
|
||||||
ok "$KERNEL_OPTION is disabled, nothing to do"
|
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
||||||
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
|
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
|
||||||
|
else
|
||||||
|
ok "$MODULE_NAME is disabled"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -17,31 +17,37 @@ HARDENING_LEVEL=2
|
|||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
DESCRIPTION="Disable mounting of squashfs filesytems."
|
DESCRIPTION="Disable mounting of squashfs filesytems."
|
||||||
|
|
||||||
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
|
|
||||||
|
|
||||||
KERNEL_OPTION="CONFIG_SQUASHFS"
|
KERNEL_OPTION="CONFIG_SQUASHFS"
|
||||||
MODULE_FILE="squashfs"
|
MODULE_NAME="squashfs"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
|
if [ "$IS_CONTAINER" -eq 1 ]; then
|
||||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||||
crit "$KERNEL_OPTION is enabled!"
|
ok "Container detected, consider host enforcing or disable this check!"
|
||||||
else
|
else
|
||||||
ok "$KERNEL_OPTION is disabled"
|
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
|
||||||
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
|
crit "$MODULE_NAME is enabled!"
|
||||||
|
else
|
||||||
|
ok "$MODULE_NAME is disabled"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
:
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
is_kernel_option_enabled "$KERNEL_OPTION"
|
if [ "$IS_CONTAINER" -eq 1 ]; then
|
||||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||||
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
ok "Container detected, consider host enforcing!"
|
||||||
else
|
else
|
||||||
ok "$KERNEL_OPTION is disabled, nothing to do"
|
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
|
||||||
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
|
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
|
||||||
|
else
|
||||||
|
ok "$MODULE_NAME is disabled"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
:
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
||||||
|
|||||||
@ -17,28 +17,36 @@ HARDENING_LEVEL=2
|
|||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
DESCRIPTION="Disable mounting of udf filesystems."
|
DESCRIPTION="Disable mounting of udf filesystems."
|
||||||
|
|
||||||
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
|
|
||||||
|
|
||||||
KERNEL_OPTION="CONFIG_UDF_FS"
|
KERNEL_OPTION="CONFIG_UDF_FS"
|
||||||
MODULE_FILE="udf"
|
MODULE_NAME="udf"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
|
if [ "$IS_CONTAINER" -eq 1 ]; then
|
||||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||||
crit "$KERNEL_OPTION is enabled!"
|
ok "Container detected, consider host enforcing or disable this check!"
|
||||||
else
|
else
|
||||||
ok "$KERNEL_OPTION is disabled"
|
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
|
||||||
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
|
crit "$MODULE_NAME is enabled!"
|
||||||
|
else
|
||||||
|
ok "$MODULE_NAME is disabled"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
is_kernel_option_enabled "$KERNEL_OPTION"
|
if [ "$IS_CONTAINER" -eq 1 ]; then
|
||||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||||
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
ok "Container detected, consider host enforcing!"
|
||||||
else
|
else
|
||||||
ok "$KERNEL_OPTION is disabled, nothing to do"
|
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
|
||||||
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
|
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
|
||||||
|
else
|
||||||
|
ok "$MODULE_NAME is disabled"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -24,6 +24,7 @@ MODULE_FILE="vfat"
|
|||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
|
# TODO check if uefi enabled if yes check if only boot partition use FAT
|
||||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
|
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
|
||||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
crit "$KERNEL_OPTION is enabled!"
|
crit "$KERNEL_OPTION is enabled!"
|
||||||
|
|||||||
@ -20,25 +20,35 @@ DESCRIPTION="Disable USB storage."
|
|||||||
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
|
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
|
||||||
|
|
||||||
KERNEL_OPTION="CONFIG_USB_STORAGE"
|
KERNEL_OPTION="CONFIG_USB_STORAGE"
|
||||||
MODULE_FILE="usb-storage"
|
MODULE_NAME="usb-storage"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
|
if [ "$IS_CONTAINER" -eq 1 ]; then
|
||||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||||
crit "$KERNEL_OPTION is enabled!"
|
ok "Container detected, consider host enforcing or disable this check!"
|
||||||
else
|
else
|
||||||
ok "$KERNEL_OPTION is disabled"
|
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
||||||
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
|
crit "$MODULE_NAME is enabled!"
|
||||||
|
else
|
||||||
|
ok "$MODULE_NAME is disabled"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
is_kernel_option_enabled "$KERNEL_OPTION"
|
if [ "$IS_CONTAINER" -eq 1 ]; then
|
||||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||||
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
ok "Container detected, consider host enforcing!"
|
||||||
else
|
else
|
||||||
ok "$KERNEL_OPTION is disabled, nothing to do"
|
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
||||||
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
|
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
|
||||||
|
else
|
||||||
|
ok "$MODULE_NAME is disabled"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -29,7 +29,7 @@ audit() {
|
|||||||
LIMIT_FILES=""
|
LIMIT_FILES=""
|
||||||
if $SUDO_CMD [ -d "$LIMIT_DIR" ]; then
|
if $SUDO_CMD [ -d "$LIMIT_DIR" ]; then
|
||||||
for file in $($SUDO_CMD ls "$LIMIT_DIR"/*.conf 2>/dev/null); do
|
for file in $($SUDO_CMD ls "$LIMIT_DIR"/*.conf 2>/dev/null); do
|
||||||
LIMIT_FILES="$LIMIT_FILES $LIMIT_DIR/$file"
|
LIMIT_FILES="$LIMIT_FILES $file"
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
debug "Files to search $LIMIT_FILE $LIMIT_FILES"
|
debug "Files to search $LIMIT_FILE $LIMIT_FILES"
|
||||||
|
|||||||
@ -78,7 +78,7 @@ apply() {
|
|||||||
IFS=$d_IFS
|
IFS=$d_IFS
|
||||||
|
|
||||||
if [ $ERROR = 1 ]; then
|
if [ $ERROR = 1 ]; then
|
||||||
$SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor/" /etc/default/grub
|
$SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor /" /etc/default/grub
|
||||||
$SUDO_CMD update-grub
|
$SUDO_CMD update-grub
|
||||||
else
|
else
|
||||||
ok "$PACKAGES are configured"
|
ok "$PACKAGES are configured"
|
||||||
|
|||||||
@ -17,14 +17,32 @@ HARDENING_LEVEL=3
|
|||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
DESCRIPTION="Disable NIS Server."
|
DESCRIPTION="Disable NIS Server."
|
||||||
|
|
||||||
|
PACKAGES='nis'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
:
|
for PACKAGE in $PACKAGES; do
|
||||||
|
is_pkg_installed "$PACKAGE"
|
||||||
|
if [ "$FNRET" = 0 ]; then
|
||||||
|
crit "$PACKAGE is installed!"
|
||||||
|
else
|
||||||
|
ok "$PACKAGE is absent"
|
||||||
|
fi
|
||||||
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
:
|
for PACKAGE in $PACKAGES; do
|
||||||
|
is_pkg_installed "$PACKAGE"
|
||||||
|
if [ "$FNRET" = 0 ]; then
|
||||||
|
crit "$PACKAGE is installed, purging it"
|
||||||
|
apt-get purge "$PACKAGE" -y
|
||||||
|
apt-get autoremove -y
|
||||||
|
else
|
||||||
|
ok "$PACKAGE is absent"
|
||||||
|
fi
|
||||||
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
||||||
|
|||||||
@ -21,29 +21,17 @@ SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ip
|
|||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
does_sysctl_param_exists "net.ipv6"
|
is_ipv6_enabled
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
ok "ipv6 is disabled"
|
ok "ipv6 is disabled"
|
||||||
else
|
else
|
||||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
crit "ipv6 is enabled"
|
||||||
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
|
|
||||||
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
|
|
||||||
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
|
|
||||||
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
|
|
||||||
if [ "$FNRET" != 0 ]; then
|
|
||||||
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
|
|
||||||
elif [ "$FNRET" = 255 ]; then
|
|
||||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
|
||||||
else
|
|
||||||
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
does_sysctl_param_exists "net.ipv6"
|
is_ipv6_enabled
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
ok "ipv6 is disabled"
|
ok "ipv6 is disabled"
|
||||||
else
|
else
|
||||||
|
|||||||
@ -22,7 +22,7 @@ SYSCTL_PARAMS=''
|
|||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||||
does_sysctl_param_exists "net.ipv6"
|
is_ipv6_enabled
|
||||||
if [ "$FNRET" = 0 ] || [[ ! "$SYSCTL_VALUES" =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
|
if [ "$FNRET" = 0 ] || [[ ! "$SYSCTL_VALUES" =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
|
||||||
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
|
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
|
||||||
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
|
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
|
||||||
|
|||||||
@ -21,10 +21,8 @@ SYSCTL_PARAMS='net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0'
|
|||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
does_sysctl_param_exists "net.ipv6"
|
is_ipv6_enabled
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "ipv6 is disabled"
|
|
||||||
else
|
|
||||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||||
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
|
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
|
||||||
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
|
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
|
||||||
@ -38,15 +36,15 @@ audit() {
|
|||||||
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
else
|
||||||
|
ok "ipv6 disabled"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
does_sysctl_param_exists "net.ipv6"
|
is_ipv6_enabled
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "ipv6 is disabled"
|
|
||||||
else
|
|
||||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||||
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
|
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
|
||||||
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
|
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
|
||||||
@ -62,6 +60,8 @@ apply() {
|
|||||||
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
else
|
||||||
|
ok "ipv6 disabled"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -17,14 +17,39 @@ HARDENING_LEVEL=2
|
|||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
DESCRIPTION="Disable Datagram Congestion Control Protocol (DCCP)."
|
DESCRIPTION="Disable Datagram Congestion Control Protocol (DCCP)."
|
||||||
|
|
||||||
|
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
|
||||||
|
|
||||||
|
KERNEL_OPTION="CONFIG_NF_CT_PROTO_DCCP"
|
||||||
|
MODULE_NAME="dccp"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
info "Not implemented yet"
|
if [ "$IS_CONTAINER" -eq 1 ]; then
|
||||||
|
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||||
|
ok "Container detected, consider host enforcing or disable this check!"
|
||||||
|
else
|
||||||
|
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
||||||
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
|
crit "$MODULE_NAME is enabled!"
|
||||||
|
else
|
||||||
|
ok "$MODULE_NAME is disabled"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
info "Not implemented yet"
|
if [ "$IS_CONTAINER" -eq 1 ]; then
|
||||||
|
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||||
|
ok "Container detected, consider host enforcing!"
|
||||||
|
else
|
||||||
|
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
||||||
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
|
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
|
||||||
|
else
|
||||||
|
ok "$MODULE_NAME is disabled"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
||||||
|
|||||||
@ -17,14 +17,39 @@ HARDENING_LEVEL=2
|
|||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
DESCRIPTION="Disable Stream Control Transmission Protocol (SCTP)."
|
DESCRIPTION="Disable Stream Control Transmission Protocol (SCTP)."
|
||||||
|
|
||||||
|
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
|
||||||
|
|
||||||
|
KERNEL_OPTION="CONFIG_NF_CT_PROTO_SCTP"
|
||||||
|
MODULE_NAME="sctp"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
info "Not implemented yet"
|
if [ "$IS_CONTAINER" -eq 1 ]; then
|
||||||
|
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||||
|
ok "Container detected, consider host enforcing or disable this check!"
|
||||||
|
else
|
||||||
|
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
||||||
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
|
crit "$MODULE_NAME is enabled!"
|
||||||
|
else
|
||||||
|
ok "$MODULE_NAME is disabled"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
info "Not implemented yet"
|
if [ "$IS_CONTAINER" -eq 1 ]; then
|
||||||
|
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||||
|
ok "Container detected, consider host enforcing!"
|
||||||
|
else
|
||||||
|
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
||||||
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
|
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
|
||||||
|
else
|
||||||
|
ok "$MODULE_NAME is disabled"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
||||||
|
|||||||
@ -17,14 +17,39 @@ HARDENING_LEVEL=2
|
|||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
DESCRIPTION="Disable Reliable Datagram Sockets (RDS)."
|
DESCRIPTION="Disable Reliable Datagram Sockets (RDS)."
|
||||||
|
|
||||||
|
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
|
||||||
|
|
||||||
|
KERNEL_OPTION="CONFIG_RDS"
|
||||||
|
MODULE_NAME="rds"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
info "Not implemented yet"
|
if [ "$IS_CONTAINER" -eq 1 ]; then
|
||||||
|
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||||
|
ok "Container detected, consider host enforcing or disable this check!"
|
||||||
|
else
|
||||||
|
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
||||||
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
|
crit "$MODULE_NAME is enabled!"
|
||||||
|
else
|
||||||
|
ok "$MODULE_NAME is disabled"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
info "Not implemented yet"
|
if [ "$IS_CONTAINER" -eq 1 ]; then
|
||||||
|
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||||
|
ok "Container detected, consider host enforcing!"
|
||||||
|
else
|
||||||
|
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
||||||
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
|
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
|
||||||
|
else
|
||||||
|
ok "$MODULE_NAME is disabled"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
||||||
|
|||||||
@ -17,14 +17,39 @@ HARDENING_LEVEL=2
|
|||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
DESCRIPTION="Disable Transperent Inter-Process Communication (TIPC)."
|
DESCRIPTION="Disable Transperent Inter-Process Communication (TIPC)."
|
||||||
|
|
||||||
|
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
|
||||||
|
|
||||||
|
KERNEL_OPTION="CONFIG_TIPC"
|
||||||
|
MODULE_NAME="tipc"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
info "Not implemented yet"
|
if [ "$IS_CONTAINER" -eq 1 ]; then
|
||||||
|
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||||
|
ok "Container detected, consider host enforcing or disable this check!"
|
||||||
|
else
|
||||||
|
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
|
||||||
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
|
crit "$MODULE_NAME is enabled!"
|
||||||
|
else
|
||||||
|
ok "$MODULE_NAME is disabled"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
info "Not implemented yet"
|
if [ "$IS_CONTAINER" -eq 1 ]; then
|
||||||
|
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||||
|
ok "Container detected, consider host enforcing!"
|
||||||
|
else
|
||||||
|
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
|
||||||
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
|
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
|
||||||
|
else
|
||||||
|
ok "$MODULE_NAME is disabled"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
||||||
|
|||||||
@ -18,7 +18,7 @@ HARDENING_LEVEL=3
|
|||||||
DESCRIPTION="Configure journald to send logs to syslog-ng."
|
DESCRIPTION="Configure journald to send logs to syslog-ng."
|
||||||
|
|
||||||
FILE='/etc/systemd/journald.conf'
|
FILE='/etc/systemd/journald.conf'
|
||||||
OPTIONS='ForwardToSyslog=yes'
|
OPTIONS='ForwardToSyslog=no'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
@ -34,9 +34,9 @@ audit() {
|
|||||||
debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
|
debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
|
||||||
does_pattern_exist_in_file "$FILE" "$PATTERN"
|
does_pattern_exist_in_file "$FILE" "$PATTERN"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PATTERN is not present in $FILE"
|
ok "$PATTERN is not present in $FILE"
|
||||||
else
|
else
|
||||||
ok "$PATTERN is present in $FILE"
|
crit "$PATTERN is present in $FILE"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
@ -57,18 +57,18 @@ apply() {
|
|||||||
debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
|
debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
|
||||||
PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
|
PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
|
||||||
does_pattern_exist_in_file "$FILE" "$PATTERN"
|
does_pattern_exist_in_file "$FILE" "$PATTERN"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
warn "$PATTERN is not present in $FILE, adding it"
|
warn "$PATTERN is present in $FILE, deleting it"
|
||||||
does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
|
does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
|
info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
|
||||||
add_end_of_file "$FILE" "$JOURNALD_PARAM = $JOURNALD_VALUE"
|
add_end_of_file "$FILE" "$JOURNALD_PARAM=yes"
|
||||||
else
|
else
|
||||||
info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
|
info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
|
||||||
replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"
|
replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=yes"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
ok "$PATTERN is present in $FILE"
|
ok "$PATTERN is not present in $FILE"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|||||||
@ -18,7 +18,7 @@ HARDENING_LEVEL=3
|
|||||||
DESCRIPTION="Configure journald to send logs to syslog-ng."
|
DESCRIPTION="Configure journald to send logs to syslog-ng."
|
||||||
|
|
||||||
FILE='/etc/systemd/journald.conf'
|
FILE='/etc/systemd/journald.conf'
|
||||||
OPTIONS='Compress=yes'
|
OPTIONS='Compress=no'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
@ -34,9 +34,9 @@ audit() {
|
|||||||
debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
|
debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
|
||||||
does_pattern_exist_in_file "$FILE" "$PATTERN"
|
does_pattern_exist_in_file "$FILE" "$PATTERN"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PATTERN is not present in $FILE"
|
ok "$PATTERN is not present in $FILE"
|
||||||
else
|
else
|
||||||
ok "$PATTERN is present in $FILE"
|
crit "$PATTERN is present in $FILE"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
@ -57,18 +57,18 @@ apply() {
|
|||||||
debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
|
debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
|
||||||
PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
|
PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
|
||||||
does_pattern_exist_in_file "$FILE" "$PATTERN"
|
does_pattern_exist_in_file "$FILE" "$PATTERN"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
warn "$PATTERN is not present in $FILE, adding it"
|
warn "$PATTERN is not present in $FILE, adding it"
|
||||||
does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
|
does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
|
info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
|
||||||
add_end_of_file "$FILE" "$JOURNALD_PARAM = $JOURNALD_VALUE"
|
add_end_of_file "$FILE" "$JOURNALD_PARAM=yes"
|
||||||
else
|
else
|
||||||
info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
|
info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
|
||||||
replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"
|
replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=yes"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
ok "$PATTERN is present in $FILE"
|
ok "$PATTERN is not present in $FILE"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|||||||
@ -62,7 +62,7 @@ apply() {
|
|||||||
does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
|
does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
|
info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
|
||||||
add_end_of_file "$FILE" "$JOURNALD_PARAM = $JOURNALD_VALUE"
|
add_end_of_file "$FILE" "$JOURNALD_PARAM=$JOURNALD_VALUE"
|
||||||
else
|
else
|
||||||
info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
|
info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
|
||||||
replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"
|
replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"
|
||||||
|
|||||||
@ -24,6 +24,10 @@ GROUP='root'
|
|||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
|
does_file_exist "$FILE"
|
||||||
|
if [ "$FNRET" != 0 ]; then
|
||||||
|
crit "$FILE does not exist"
|
||||||
|
fi
|
||||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$FILE has correct ownership"
|
ok "$FILE has correct ownership"
|
||||||
|
|||||||
@ -24,6 +24,10 @@ GROUP='root'
|
|||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
|
does_file_exist "$FILE"
|
||||||
|
if [ "$FNRET" != 0 ]; then
|
||||||
|
crit "$FILE does not exist"
|
||||||
|
fi
|
||||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$FILE has correct ownership"
|
ok "$FILE has correct ownership"
|
||||||
|
|||||||
@ -24,6 +24,10 @@ GROUP='root'
|
|||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
|
does_file_exist "$FILE"
|
||||||
|
if [ "$FNRET" != 0 ]; then
|
||||||
|
crit "$FILE does not exist"
|
||||||
|
fi
|
||||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$FILE has correct ownership"
|
ok "$FILE has correct ownership"
|
||||||
|
|||||||
@ -24,6 +24,10 @@ GROUP='root'
|
|||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
|
does_file_exist "$FILE"
|
||||||
|
if [ "$FNRET" != 0 ]; then
|
||||||
|
crit "$FILE does not exist"
|
||||||
|
fi
|
||||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$FILE has correct ownership"
|
ok "$FILE has correct ownership"
|
||||||
|
|||||||
@ -24,6 +24,10 @@ GROUP='root'
|
|||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
|
does_file_exist "$FILE"
|
||||||
|
if [ "$FNRET" != 0 ]; then
|
||||||
|
crit "$FILE does not exist"
|
||||||
|
fi
|
||||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$FILE has correct ownership"
|
ok "$FILE has correct ownership"
|
||||||
|
|||||||
@ -20,6 +20,7 @@ DESCRIPTION="Restrict at/cron to authorized users."
|
|||||||
FILES_ABSENT='/etc/cron.deny /etc/at.deny'
|
FILES_ABSENT='/etc/cron.deny /etc/at.deny'
|
||||||
FILES_PRESENT='/etc/cron.allow /etc/at.allow'
|
FILES_PRESENT='/etc/cron.allow /etc/at.allow'
|
||||||
PERMISSIONS='644'
|
PERMISSIONS='644'
|
||||||
|
PERMISSIONSOK='644 640 600 440 400'
|
||||||
USER='root'
|
USER='root'
|
||||||
GROUP='root'
|
GROUP='root'
|
||||||
|
|
||||||
@ -36,7 +37,7 @@ audit() {
|
|||||||
for FILE in $FILES_PRESENT; do
|
for FILE in $FILES_PRESENT; do
|
||||||
does_file_exist "$FILE"
|
does_file_exist "$FILE"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$FILE is absent"
|
crit "$FILE is absent, should exist"
|
||||||
else
|
else
|
||||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
@ -44,7 +45,7 @@ audit() {
|
|||||||
else
|
else
|
||||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||||
fi
|
fi
|
||||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$FILE has correct permissions"
|
ok "$FILE has correct permissions"
|
||||||
else
|
else
|
||||||
@ -68,7 +69,7 @@ apply() {
|
|||||||
for FILE in $FILES_PRESENT; do
|
for FILE in $FILES_PRESENT; do
|
||||||
does_file_exist "$FILE"
|
does_file_exist "$FILE"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
warn "$FILE is absent"
|
warn "$FILE is absent, fixing (touch)"
|
||||||
touch "$FILE"
|
touch "$FILE"
|
||||||
fi
|
fi
|
||||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||||
@ -78,7 +79,7 @@ apply() {
|
|||||||
warn "fixing $FILE ownership to $USER:$GROUP"
|
warn "fixing $FILE ownership to $USER:$GROUP"
|
||||||
chown "$USER":"$GROUP" "$FILE"
|
chown "$USER":"$GROUP" "$FILE"
|
||||||
fi
|
fi
|
||||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$FILE has correct permissions"
|
ok "$FILE has correct permissions"
|
||||||
else
|
else
|
||||||
|
|||||||
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
|
|||||||
audit() {
|
audit() {
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PACKAGE is not installed!"
|
ok "$PACKAGE is not installed!"
|
||||||
else
|
else
|
||||||
ok "$PACKAGE is installed"
|
ok "$PACKAGE is installed"
|
||||||
for SSH_OPTION in $OPTIONS; do
|
for SSH_OPTION in $OPTIONS; do
|
||||||
|
|||||||
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
|
|||||||
audit() {
|
audit() {
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PACKAGE is not installed!"
|
ok "$PACKAGE is not installed!"
|
||||||
else
|
else
|
||||||
ok "$PACKAGE is installed"
|
ok "$PACKAGE is installed"
|
||||||
for SSH_OPTION in $OPTIONS; do
|
for SSH_OPTION in $OPTIONS; do
|
||||||
|
|||||||
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
|
|||||||
audit() {
|
audit() {
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PACKAGE is not installed!"
|
ok "$PACKAGE is not installed!"
|
||||||
else
|
else
|
||||||
ok "$PACKAGE is installed"
|
ok "$PACKAGE is installed"
|
||||||
for SSH_OPTION in $OPTIONS; do
|
for SSH_OPTION in $OPTIONS; do
|
||||||
|
|||||||
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
|
|||||||
audit() {
|
audit() {
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PACKAGE is not installed!"
|
ok "$PACKAGE is not installed!"
|
||||||
else
|
else
|
||||||
ok "$PACKAGE is installed"
|
ok "$PACKAGE is installed"
|
||||||
for SSH_OPTION in $OPTIONS; do
|
for SSH_OPTION in $OPTIONS; do
|
||||||
|
|||||||
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
|
|||||||
audit() {
|
audit() {
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PACKAGE is not installed!"
|
ok "$PACKAGE is not installed!"
|
||||||
else
|
else
|
||||||
ok "$PACKAGE is installed"
|
ok "$PACKAGE is installed"
|
||||||
for SSH_OPTION in $OPTIONS; do
|
for SSH_OPTION in $OPTIONS; do
|
||||||
@ -78,7 +78,7 @@ create_config() {
|
|||||||
cat <<EOF
|
cat <<EOF
|
||||||
status=audit
|
status=audit
|
||||||
# Put your MACs
|
# Put your MACs
|
||||||
OPTIONS="MACs=umac-128-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128@openssh.com,umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256"
|
OPTIONS="MACs=hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256"
|
||||||
EOF
|
EOF
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
|
|||||||
audit() {
|
audit() {
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PACKAGE is not installed!"
|
ok "$PACKAGE is not installed!"
|
||||||
else
|
else
|
||||||
ok "$PACKAGE is installed"
|
ok "$PACKAGE is installed"
|
||||||
for SSH_OPTION in $OPTIONS; do
|
for SSH_OPTION in $OPTIONS; do
|
||||||
@ -73,15 +73,12 @@ apply() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
create_config() {
|
create_config() {
|
||||||
get_debian_major_version
|
|
||||||
set +u
|
set +u
|
||||||
debug "Debian version : $DEB_MAJ_VER "
|
debug "Debian version : $DEB_MAJ_VER "
|
||||||
if [[ -z "$DEB_MAJ_VER" ]] || [[ 7 -eq "$DEB_MAJ_VER" ]]; then
|
if [[ 7 -le "$DEB_MAJ_VER" ]]; then
|
||||||
KEX='diffie-hellman-group-exchange-sha256'
|
KEX='diffie-hellman-group-exchange-sha256'
|
||||||
elif [[ 8 -eq "$DEB_MAJ_VER" ]] || [[ 9 -eq "$DEB_MAJ_VER" ]]; then
|
|
||||||
KEX='curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
|
|
||||||
else
|
else
|
||||||
KEX='diffie-hellman-group-exchange-sha256'
|
KEX='curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256'
|
||||||
fi
|
fi
|
||||||
set -u
|
set -u
|
||||||
cat <<EOF
|
cat <<EOF
|
||||||
@ -89,6 +86,7 @@ status=audit
|
|||||||
# Put your KexAlgorithms
|
# Put your KexAlgorithms
|
||||||
OPTIONS="KexAlgorithms=$KEX"
|
OPTIONS="KexAlgorithms=$KEX"
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
||||||
|
|||||||
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
|
|||||||
audit() {
|
audit() {
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PACKAGE is not installed!"
|
ok "$PACKAGE is not installed!"
|
||||||
else
|
else
|
||||||
ok "$PACKAGE is installed"
|
ok "$PACKAGE is installed"
|
||||||
for SSH_OPTION in $OPTIONS; do
|
for SSH_OPTION in $OPTIONS; do
|
||||||
|
|||||||
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
|
|||||||
audit() {
|
audit() {
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PACKAGE is not installed!"
|
ok "$PACKAGE is not installed!"
|
||||||
else
|
else
|
||||||
ok "$PACKAGE is installed"
|
ok "$PACKAGE is installed"
|
||||||
for SSH_OPTION in $OPTIONS; do
|
for SSH_OPTION in $OPTIONS; do
|
||||||
|
|||||||
@ -25,7 +25,7 @@ audit() {
|
|||||||
OPTIONS="AllowUsers='$ALLOWED_USERS' AllowGroups='$ALLOWED_GROUPS' DenyUsers='$DENIED_USERS' DenyGroups='$DENIED_GROUPS'"
|
OPTIONS="AllowUsers='$ALLOWED_USERS' AllowGroups='$ALLOWED_GROUPS' DenyUsers='$DENIED_USERS' DenyGroups='$DENIED_GROUPS'"
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PACKAGE is not installed!"
|
ok "$PACKAGE is not installed!"
|
||||||
else
|
else
|
||||||
ok "$PACKAGE is installed"
|
ok "$PACKAGE is installed"
|
||||||
for SSH_OPTION in $OPTIONS; do
|
for SSH_OPTION in $OPTIONS; do
|
||||||
|
|||||||
@ -25,7 +25,7 @@ audit() {
|
|||||||
OPTIONS="Banner=$BANNER_FILE"
|
OPTIONS="Banner=$BANNER_FILE"
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PACKAGE is not installed!"
|
ok "$PACKAGE is not installed!"
|
||||||
else
|
else
|
||||||
ok "$PACKAGE is installed"
|
ok "$PACKAGE is installed"
|
||||||
for SSH_OPTION in $OPTIONS; do
|
for SSH_OPTION in $OPTIONS; do
|
||||||
|
|||||||
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
|
|||||||
audit() {
|
audit() {
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PACKAGE is not installed!"
|
ok "$PACKAGE is not installed!"
|
||||||
else
|
else
|
||||||
ok "$PACKAGE is installed"
|
ok "$PACKAGE is installed"
|
||||||
for SSH_OPTION in $OPTIONS; do
|
for SSH_OPTION in $OPTIONS; do
|
||||||
|
|||||||
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
|
|||||||
audit() {
|
audit() {
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PACKAGE is not installed!"
|
ok "$PACKAGE is not installed!"
|
||||||
else
|
else
|
||||||
ok "$PACKAGE is installed"
|
ok "$PACKAGE is installed"
|
||||||
for SSH_OPTION in $OPTIONS; do
|
for SSH_OPTION in $OPTIONS; do
|
||||||
|
|||||||
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
|
|||||||
audit() {
|
audit() {
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PACKAGE is not installed!"
|
ok "$PACKAGE is not installed!"
|
||||||
else
|
else
|
||||||
ok "$PACKAGE is installed"
|
ok "$PACKAGE is installed"
|
||||||
for SSH_OPTION in $OPTIONS; do
|
for SSH_OPTION in $OPTIONS; do
|
||||||
|
|||||||
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
|
|||||||
audit() {
|
audit() {
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PACKAGE is not installed!"
|
ok "$PACKAGE is not installed!"
|
||||||
else
|
else
|
||||||
ok "$PACKAGE is installed"
|
ok "$PACKAGE is installed"
|
||||||
for SSH_OPTION in $OPTIONS; do
|
for SSH_OPTION in $OPTIONS; do
|
||||||
|
|||||||
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
|
|||||||
audit() {
|
audit() {
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PACKAGE is not installed!"
|
ok "$PACKAGE is not installed!"
|
||||||
else
|
else
|
||||||
ok "$PACKAGE is installed"
|
ok "$PACKAGE is installed"
|
||||||
for SSH_OPTION in $OPTIONS; do
|
for SSH_OPTION in $OPTIONS; do
|
||||||
|
|||||||
@ -26,7 +26,7 @@ FILE='/etc/ssh/sshd_config'
|
|||||||
audit() {
|
audit() {
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PACKAGE is not installed!"
|
ok "$PACKAGE is not installed!"
|
||||||
else
|
else
|
||||||
ok "$PACKAGE is installed"
|
ok "$PACKAGE is installed"
|
||||||
for SSH_OPTION in $OPTIONS; do
|
for SSH_OPTION in $OPTIONS; do
|
||||||
|
|||||||
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
|
|||||||
audit() {
|
audit() {
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PACKAGE is not installed!"
|
ok "$PACKAGE is not installed!"
|
||||||
else
|
else
|
||||||
ok "$PACKAGE is installed"
|
ok "$PACKAGE is installed"
|
||||||
for SSH_OPTION in $OPTIONS; do
|
for SSH_OPTION in $OPTIONS; do
|
||||||
|
|||||||
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
|
|||||||
audit() {
|
audit() {
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PACKAGE is not installed!"
|
ok "$PACKAGE is not installed!"
|
||||||
else
|
else
|
||||||
ok "$PACKAGE is installed"
|
ok "$PACKAGE is installed"
|
||||||
for SSH_OPTION in $OPTIONS; do
|
for SSH_OPTION in $OPTIONS; do
|
||||||
|
|||||||
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
|
|||||||
audit() {
|
audit() {
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PACKAGE is not installed!"
|
ok "$PACKAGE is not installed!"
|
||||||
else
|
else
|
||||||
ok "$PACKAGE is installed"
|
ok "$PACKAGE is installed"
|
||||||
for SSH_OPTION in $OPTIONS; do
|
for SSH_OPTION in $OPTIONS; do
|
||||||
|
|||||||
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
|
|||||||
audit() {
|
audit() {
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PACKAGE is not installed!"
|
ok "$PACKAGE is not installed!"
|
||||||
else
|
else
|
||||||
ok "$PACKAGE is installed"
|
ok "$PACKAGE is installed"
|
||||||
for SSH_OPTION in $OPTIONS; do
|
for SSH_OPTION in $OPTIONS; do
|
||||||
|
|||||||
@ -18,8 +18,8 @@ HARDENING_LEVEL=3
|
|||||||
DESCRIPTION="Set lockout for failed password attemps."
|
DESCRIPTION="Set lockout for failed password attemps."
|
||||||
|
|
||||||
PACKAGE='libpam-modules-bin'
|
PACKAGE='libpam-modules-bin'
|
||||||
PATTERN_AUTH='^auth[[:space:]]*required[[:space:]]*pam_tally[2]?\.so'
|
PATTERN_AUTH='^auth[[:space:]]*required[[:space:]]*pam_((tally[2]?)|(faillock))\.so'
|
||||||
PATTERN_ACCOUNT='pam_tally[2]?\.so'
|
PATTERN_ACCOUNT='pam_((tally[2]?)|(faillock))\.so'
|
||||||
FILE_AUTH='/etc/pam.d/common-auth'
|
FILE_AUTH='/etc/pam.d/common-auth'
|
||||||
FILE_ACCOUNT='/etc/pam.d/common-account'
|
FILE_ACCOUNT='/etc/pam.d/common-account'
|
||||||
|
|
||||||
@ -59,14 +59,22 @@ apply() {
|
|||||||
ok "$PATTERN_AUTH is present in $FILE_AUTH"
|
ok "$PATTERN_AUTH is present in $FILE_AUTH"
|
||||||
else
|
else
|
||||||
warn "$PATTERN_AUTH is not present in $FILE_AUTH, adding it"
|
warn "$PATTERN_AUTH is not present in $FILE_AUTH, adding it"
|
||||||
|
if [ 10 -ge "$DEB_MAJ_VER" ]; then
|
||||||
add_line_file_before_pattern "$FILE_AUTH" "auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details."
|
add_line_file_before_pattern "$FILE_AUTH" "auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details."
|
||||||
|
else
|
||||||
|
add_line_file_before_pattern "$FILE_AUTH" "auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details."
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
does_pattern_exist_in_file "$FILE_ACCOUNT" "$PATTERN_ACCOUNT"
|
does_pattern_exist_in_file "$FILE_ACCOUNT" "$PATTERN_ACCOUNT"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$PATTERN_ACCOUNT is present in $FILE_ACCOUNT"
|
ok "$PATTERN_ACCOUNT is present in $FILE_ACCOUNT"
|
||||||
else
|
else
|
||||||
warn "$PATTERN_ACCOUNT is not present in $FILE_ACCOUNT, adding it"
|
warn "$PATTERN_ACCOUNT is not present in $FILE_ACCOUNT, adding it"
|
||||||
add_line_file_before_pattern "$FILE_ACCOUNT" "account required pam_tally.so" "# pam-auth-update(8) for details."
|
if [ 10 -ge "$DEB_MAJ_VER" ]; then
|
||||||
|
add_line_file_before_pattern "$FILE_ACCOUNT" "account required pam_tally2.so" "# pam-auth-update(8) for details."
|
||||||
|
else
|
||||||
|
add_line_file_before_pattern "$FILE_ACCOUNT" "account required pam_faillock.so" "# pam-auth-update(8) for details."
|
||||||
|
fi
|
||||||
|
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|||||||
@ -13,6 +13,9 @@ set -e # One error, it's over
|
|||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
USER='root'
|
USER='root'
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=2
|
||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
DESCRIPTION="USB devices are disabled."
|
DESCRIPTION="USB devices are disabled."
|
||||||
|
|
||||||
|
|||||||
@ -12,6 +12,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=2
|
||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
DESCRIPTION="Checks there are no carte-blanche authorization in sudoers file(s)."
|
DESCRIPTION="Checks there are no carte-blanche authorization in sudoers file(s)."
|
||||||
|
|
||||||
|
|||||||
@ -25,7 +25,7 @@ OPTIONS='PubkeyAuthentication=yes PasswordAuthentication=no KbdInteractiveAuthen
|
|||||||
audit() {
|
audit() {
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PACKAGE is not installed!"
|
ok "$PACKAGE is not installed!"
|
||||||
else
|
else
|
||||||
ok "$PACKAGE is installed"
|
ok "$PACKAGE is installed"
|
||||||
for SSH_OPTION in $OPTIONS; do
|
for SSH_OPTION in $OPTIONS; do
|
||||||
|
|||||||
@ -24,15 +24,14 @@ FILE='/etc/ssh/sshd_config'
|
|||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
get_debian_major_version
|
|
||||||
set +u
|
set +u
|
||||||
debug "Debian version : $DEB_MAJ_VER "
|
debug "Debian version : $DEB_MAJ_VER "
|
||||||
if [[ -z $DEB_MAJ_VER ]]; then
|
if [[ -z "$DEB_MAJ_VER" ]]; then
|
||||||
set -u
|
set -u
|
||||||
crit "Cannot get Debian version. Aborting..."
|
crit "Cannot get Debian version. Aborting..."
|
||||||
return
|
return
|
||||||
fi
|
fi
|
||||||
if [[ "${DEB_MAJ_VER}" -lt "8" ]]; then
|
if [[ "${DEB_MAJ_VER}" != "sid" ]] && [[ "${DEB_MAJ_VER}" -lt "8" ]]; then
|
||||||
set -u
|
set -u
|
||||||
warn "Debian version too old (${DEB_MAJ_VER}), check does not apply, you should disable this check."
|
warn "Debian version too old (${DEB_MAJ_VER}), check does not apply, you should disable this check."
|
||||||
return
|
return
|
||||||
@ -40,7 +39,7 @@ audit() {
|
|||||||
set -u
|
set -u
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PACKAGE is not installed!"
|
ok "$PACKAGE is not installed!"
|
||||||
else
|
else
|
||||||
ok "$PACKAGE is installed"
|
ok "$PACKAGE is installed"
|
||||||
for SSH_OPTION in $OPTIONS; do
|
for SSH_OPTION in $OPTIONS; do
|
||||||
|
|||||||
@ -13,6 +13,7 @@ set -e # One error, it's over
|
|||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=3
|
||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
DESCRIPTION="Check all special features in sshd_config are disabled"
|
DESCRIPTION="Check all special features in sshd_config are disabled"
|
||||||
|
|
||||||
@ -24,7 +25,7 @@ OPTIONS='AllowAgentForwarding=no AllowTcpForwarding=no AllowStreamLocalForwardin
|
|||||||
audit() {
|
audit() {
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PACKAGE is not installed!"
|
ok "$PACKAGE is not installed!"
|
||||||
else
|
else
|
||||||
ok "$PACKAGE is installed"
|
ok "$PACKAGE is installed"
|
||||||
for SSH_OPTION in $OPTIONS; do
|
for SSH_OPTION in $OPTIONS; do
|
||||||
|
|||||||
@ -12,6 +12,8 @@
|
|||||||
set -e # One error, it is over
|
set -e # One error, it is over
|
||||||
set -u # One variable unset, it is over
|
set -u # One variable unset, it is over
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=3
|
||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
DESCRIPTION="Check <from> field in ssh authorized keys files for users with login shell, and allowed IP if available."
|
DESCRIPTION="Check <from> field in ssh authorized keys files for users with login shell, and allowed IP if available."
|
||||||
|
|
||||||
|
|||||||
@ -12,6 +12,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=2
|
||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
DESCRIPTION="Ensure home directory and ssh sensitive files are verified (not publicly readable) before connecting."
|
DESCRIPTION="Ensure home directory and ssh sensitive files are verified (not publicly readable) before connecting."
|
||||||
|
|
||||||
@ -23,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
|
|||||||
audit() {
|
audit() {
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PACKAGE is not installed!"
|
ok "$PACKAGE is not installed!"
|
||||||
else
|
else
|
||||||
ok "$PACKAGE is installed"
|
ok "$PACKAGE is installed"
|
||||||
for SSH_OPTION in $OPTIONS; do
|
for SSH_OPTION in $OPTIONS; do
|
||||||
|
|||||||
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
|
|||||||
audit() {
|
audit() {
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PACKAGE is not installed!"
|
ok "$PACKAGE is not installed!"
|
||||||
else
|
else
|
||||||
ok "$PACKAGE is installed"
|
ok "$PACKAGE is installed"
|
||||||
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
|
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
|
||||||
|
|||||||
@ -12,8 +12,11 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=3
|
||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
DESCRIPTION="Ensure that legacy services rlogin, rlogind and rcp are disabled and not installed"
|
DESCRIPTION="Ensure that legacy services rlogin, rlogind and rcp are disabled and not installed"
|
||||||
|
|
||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
SERVICES="rlogin rlogind rcp"
|
SERVICES="rlogin rlogind rcp"
|
||||||
|
|
||||||
|
|||||||
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
|
|||||||
audit() {
|
audit() {
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PACKAGE is not installed!"
|
ok "$PACKAGE is not installed!"
|
||||||
else
|
else
|
||||||
ok "$PACKAGE is installed"
|
ok "$PACKAGE is installed"
|
||||||
for SSH_OPTION in $OPTIONS; do
|
for SSH_OPTION in $OPTIONS; do
|
||||||
|
|||||||
@ -6,14 +6,16 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# 99.5.4.5.1 Check that any password that may exist in /etc/shadow is SHA512 hashed and salted
|
# 99.5.4.5.1 Check that any password that will be created will be SHA512 hashed and salted
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
DESCRIPTION="Check that any password that may exist in /etc/shadow is SHA512 hashed and salted"
|
HARDENING_LEVEL=2
|
||||||
|
# shellcheck disable=2034
|
||||||
|
DESCRIPTION="Check that any password that will be created will be SHA512 hashed and salted"
|
||||||
|
|
||||||
CONF_FILE="/etc/login.defs"
|
CONF_FILE="/etc/login.defs"
|
||||||
CONF_LINE="ENCRYPT_METHOD SHA512"
|
CONF_LINE="ENCRYPT_METHOD SHA512"
|
||||||
|
|||||||
@ -12,6 +12,8 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=2
|
||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
DESCRIPTION="Check that any password that may exist in /etc/shadow is SHA512 hashed and salted"
|
DESCRIPTION="Check that any password that may exist in /etc/shadow is SHA512 hashed and salted"
|
||||||
FILE="/etc/shadow"
|
FILE="/etc/shadow"
|
||||||
|
|||||||
65
bin/hardening/99.99_check_distribution.sh
Executable file
65
bin/hardening/99.99_check_distribution.sh
Executable file
@ -0,0 +1,65 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# run-shellcheck
|
||||||
|
#
|
||||||
|
# OVH Security audit
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 99.99 Ensure that the distribution version is debian and that the version is 9 or 10
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=1
|
||||||
|
# shellcheck disable=2034
|
||||||
|
DESCRIPTION="Check the distribution and the distribution version"
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit() {
|
||||||
|
if [ "$DISTRIBUTION" != "debian" ]; then
|
||||||
|
crit "Your distribution has been identified as $DISTRIBUTION which is not debian"
|
||||||
|
else
|
||||||
|
if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
|
||||||
|
crit "Your distribution is too recent and is not yet supported."
|
||||||
|
elif [ "$DEB_MAJ_VER" -lt "$SMALLEST_SUPPORTED_DEBIAN_VERSION" ]; then
|
||||||
|
crit "Your distribution is debian but is deprecated. Consider upgrading to a supported version."
|
||||||
|
else
|
||||||
|
ok "Your distribution is debian and the version is supported"
|
||||||
|
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply() {
|
||||||
|
echo "Reporting only here, upgrade your debian version to a supported version if you're on debian"
|
||||||
|
echo "If you use another distribution, consider applying rules corresponding with your distribution available at https://www.cisecurity.org/"
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
# shellcheck source=../../debian/default
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
|
# shellcheck source=../../lib/main.sh
|
||||||
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
19
debian/changelog
vendored
19
debian/changelog
vendored
@ -1,3 +1,22 @@
|
|||||||
|
cis-hardening (3.1-0) unstable; urgency=medium
|
||||||
|
|
||||||
|
* Add missing HARDENING_LEVEL var for some checks
|
||||||
|
* Add dealing with debian 11
|
||||||
|
* Add warning for unsupported distributions and debian version
|
||||||
|
* Remove bc dependency
|
||||||
|
* Add 1.8.1-4 comprehensive tests
|
||||||
|
* Add 3.1-3.x comprehensive tests
|
||||||
|
* Add missing 3.4.x checks and tests (exotic protocol)
|
||||||
|
* Add environment detection (container)
|
||||||
|
* Improve kernel module detection
|
||||||
|
* Improve partition detection
|
||||||
|
* Add cli option to override loglevel
|
||||||
|
* Improve 5.1.8 to allow more restrictive permissions
|
||||||
|
* Upgrade mac and key to be debian10 CIS compliant
|
||||||
|
* Fix path in 1.6.4
|
||||||
|
|
||||||
|
-- Thibault Ayanides <thibault.ayanides@ovhcloud.com> Mon, 22 Feb 2021 8:30:01 +0100
|
||||||
|
|
||||||
cis-hardening (3.0-1) unstable; urgency=medium
|
cis-hardening (3.0-1) unstable; urgency=medium
|
||||||
|
|
||||||
* Add workflows for github action
|
* Add workflows for github action
|
||||||
|
|||||||
11
debian/cis-hardening.8
vendored
11
debian/cis-hardening.8
vendored
@ -127,10 +127,21 @@ Note that you need to provide a sudoers file with NOPASSWD option in
|
|||||||
password.
|
password.
|
||||||
Finally note that \f[C]--sudo\f[R] mode only works for audit mode.
|
Finally note that \f[C]--sudo\f[R] mode only works for audit mode.
|
||||||
.TP
|
.TP
|
||||||
|
.B \f[C]--set-log-level=level\f[R]
|
||||||
|
This option sets LOGLEVEL, you can choose : info, warning, error, ok,
|
||||||
|
debug.
|
||||||
|
Default value is : info
|
||||||
|
.TP
|
||||||
.B \f[C]--batch\f[R]
|
.B \f[C]--batch\f[R]
|
||||||
While performing system audit, this option sets LOGLEVEL to `ok' and
|
While performing system audit, this option sets LOGLEVEL to `ok' and
|
||||||
captures all output to print only one line once the check is done,
|
captures all output to print only one line once the check is done,
|
||||||
formatted like : OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{\&...}]
|
formatted like : OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{\&...}]
|
||||||
|
.PP
|
||||||
|
\f[C]--allow-unsupported-distribution\f[R] Must be specified manually in
|
||||||
|
the command line to allow the run on non compatible version or
|
||||||
|
distribution.
|
||||||
|
If you want to mute the warning change the LOGLEVEL in
|
||||||
|
/etc/hardening.cfg
|
||||||
.SH AUTHORS
|
.SH AUTHORS
|
||||||
.IP \[bu] 2
|
.IP \[bu] 2
|
||||||
Thibault Dewailly, OVHcloud <thibault.dewailly@ovhcloud.com>
|
Thibault Dewailly, OVHcloud <thibault.dewailly@ovhcloud.com>
|
||||||
|
|||||||
2
debian/control
vendored
2
debian/control
vendored
@ -10,7 +10,7 @@ Vcs-Browser: https://github.com/ovh/debian-cis/
|
|||||||
|
|
||||||
Package: cis-hardening
|
Package: cis-hardening
|
||||||
Architecture: all
|
Architecture: all
|
||||||
Depends: ${misc:Depends}, bc, patch
|
Depends: ${misc:Depends}, patch
|
||||||
Description: Suite of configurable scripts to audit or harden a Debian.
|
Description: Suite of configurable scripts to audit or harden a Debian.
|
||||||
Modular Debian security hardening scripts based on cisecurity.org
|
Modular Debian security hardening scripts based on cisecurity.org
|
||||||
⟨cisecurity.org⟩ recommendations. We use it at OVH ⟨https://www.ovh.com⟩ to
|
⟨cisecurity.org⟩ recommendations. We use it at OVH ⟨https://www.ovh.com⟩ to
|
||||||
|
|||||||
@ -112,3 +112,20 @@ sudo_wrapper() {
|
|||||||
crit "Not allowed to \"sudo -n $*\" "
|
crit "Not allowed to \"sudo -n $*\" "
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Math functions
|
||||||
|
#
|
||||||
|
|
||||||
|
div() {
|
||||||
|
local _d=${3:-2}
|
||||||
|
local _n=0000000000
|
||||||
|
_n=${_n:0:$_d}
|
||||||
|
if (($2 == 0)); then
|
||||||
|
echo "N.A"
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
local _r=$(($1$_n / $2))
|
||||||
|
_r=${_r:0:-$_d}.${_r: -$_d}
|
||||||
|
echo $_r
|
||||||
|
}
|
||||||
|
|||||||
@ -31,3 +31,32 @@ BGREEN='\033[1;32m' # Green
|
|||||||
BYELLOW='\033[1;33m' # Yellow
|
BYELLOW='\033[1;33m' # Yellow
|
||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
BWHITE='\033[1;37m' # White
|
BWHITE='\033[1;37m' # White
|
||||||
|
|
||||||
|
# Debian version variables
|
||||||
|
|
||||||
|
CONTAINER_TYPE=""
|
||||||
|
IS_CONTAINER=0
|
||||||
|
|
||||||
|
if [ "$(is_running_in_container "docker")" != "" ]; then
|
||||||
|
CONTAINER_TYPE="docker"
|
||||||
|
IS_CONTAINER=1
|
||||||
|
fi
|
||||||
|
if [ "$(is_running_in_container "lxc")" != "" ]; then
|
||||||
|
CONTAINER_TYPE="lxc"
|
||||||
|
IS_CONTAINER=1
|
||||||
|
fi
|
||||||
|
if [ "$(is_running_in_container "kubepods")" != "" ]; then
|
||||||
|
# shellcheck disable=SC2034
|
||||||
|
CONTAINER_TYPE="kubepods"
|
||||||
|
# shellcheck disable=SC2034
|
||||||
|
IS_CONTAINER=1
|
||||||
|
fi
|
||||||
|
|
||||||
|
get_distribution
|
||||||
|
|
||||||
|
get_debian_major_version
|
||||||
|
|
||||||
|
# shellcheck disable=SC2034
|
||||||
|
SMALLEST_SUPPORTED_DEBIAN_VERSION=9
|
||||||
|
# shellcheck disable=SC2034
|
||||||
|
HIGHEST_SUPPORTED_DEBIAN_VERSION=10
|
||||||
|
|||||||
@ -10,14 +10,15 @@ BATCH_OUTPUT=""
|
|||||||
status=""
|
status=""
|
||||||
forcedstatus=""
|
forcedstatus=""
|
||||||
SUDO_CMD=""
|
SUDO_CMD=""
|
||||||
# shellcheck source=constants.sh
|
|
||||||
[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
|
|
||||||
# shellcheck source=../etc/hardening.cfg
|
# shellcheck source=../etc/hardening.cfg
|
||||||
[ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
|
[ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
|
||||||
# shellcheck source=../lib/common.sh
|
# shellcheck source=../lib/common.sh
|
||||||
[ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
|
[ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
|
||||||
# shellcheck source=../lib/utils.sh
|
# shellcheck source=../lib/utils.sh
|
||||||
[ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh
|
[ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh
|
||||||
|
# shellcheck source=constants.sh
|
||||||
|
[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
|
||||||
|
|
||||||
# Environment Sanitizing
|
# Environment Sanitizing
|
||||||
export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
|
export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
|
||||||
|
|||||||
114
lib/utils.sh
114
lib/utils.sh
@ -46,6 +46,30 @@ set_sysctl_param() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# IPV6
|
||||||
|
#
|
||||||
|
|
||||||
|
is_ipv6_enabled() {
|
||||||
|
SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1'
|
||||||
|
|
||||||
|
does_sysctl_param_exists "net.ipv6"
|
||||||
|
local ENABLE=1
|
||||||
|
if [ "$FNRET" = 0 ]; then
|
||||||
|
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||||
|
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
|
||||||
|
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
|
||||||
|
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
|
||||||
|
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
|
||||||
|
if [ "$FNRET" != 0 ]; then
|
||||||
|
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
|
||||||
|
ENABLE=0
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
FNRET=$ENABLE
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Dmesg
|
# Dmesg
|
||||||
#
|
#
|
||||||
@ -295,14 +319,35 @@ is_service_enabled() {
|
|||||||
is_kernel_option_enabled() {
|
is_kernel_option_enabled() {
|
||||||
local KERNEL_OPTION="$1"
|
local KERNEL_OPTION="$1"
|
||||||
local MODULE_NAME=""
|
local MODULE_NAME=""
|
||||||
|
local MODPROBE_FILTER=""
|
||||||
|
local RESULT=""
|
||||||
|
local IS_MONOLITHIC_KERNEL=1
|
||||||
|
local DEF_MODULE=""
|
||||||
|
|
||||||
if [ $# -ge 2 ]; then
|
if [ $# -ge 2 ]; then
|
||||||
MODULE_NAME="$2"
|
MODULE_NAME="$2"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ $# -ge 3 ]; then
|
||||||
|
MODPROBE_FILTER="$3"
|
||||||
|
fi
|
||||||
|
|
||||||
|
debug "Detect if lsmod is available and does not return an error code (otherwise consider as a monolithic kernel"
|
||||||
|
if $SUDO_CMD lsmod >/dev/null 2>&1; then
|
||||||
|
IS_MONOLITHIC_KERNEL=0
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ $IS_MONOLITHIC_KERNEL -eq 1 ]; then
|
||||||
if $SUDO_CMD [ -r "/proc/config.gz" ]; then
|
if $SUDO_CMD [ -r "/proc/config.gz" ]; then
|
||||||
RESULT=$($SUDO_CMD zgrep "^$KERNEL_OPTION=" /proc/config.gz) || :
|
RESULT=$($SUDO_CMD zgrep "^$KERNEL_OPTION=" /proc/config.gz) || :
|
||||||
elif $SUDO_CMD [ -r "/boot/config-$(uname -r)" ]; then
|
elif $SUDO_CMD [ -r "/boot/config-$(uname -r)" ]; then
|
||||||
RESULT=$($SUDO_CMD grep "^$KERNEL_OPTION=" "/boot/config-$(uname -r)") || :
|
RESULT=$($SUDO_CMD grep "^$KERNEL_OPTION=" "/boot/config-$(uname -r)") || :
|
||||||
|
else
|
||||||
|
debug "No information about kernel found, you're probably in a container"
|
||||||
|
FNRET=127
|
||||||
|
return
|
||||||
fi
|
fi
|
||||||
|
|
||||||
ANSWER=$(cut -d = -f 2 <<<"$RESULT")
|
ANSWER=$(cut -d = -f 2 <<<"$RESULT")
|
||||||
if [ "x$ANSWER" = "xy" ]; then
|
if [ "x$ANSWER" = "xy" ]; then
|
||||||
debug "Kernel option $KERNEL_OPTION enabled"
|
debug "Kernel option $KERNEL_OPTION enabled"
|
||||||
@ -325,15 +370,41 @@ is_kernel_option_enabled() {
|
|||||||
if $SUDO_CMD [ -n "$modulefile" ]; then
|
if $SUDO_CMD [ -n "$modulefile" ]; then
|
||||||
debug "We do have $modulefile!"
|
debug "We do have $modulefile!"
|
||||||
# ... but wait, maybe it's blacklisted? check files in /etc/modprobe.d/ for "blacklist xyz"
|
# ... but wait, maybe it's blacklisted? check files in /etc/modprobe.d/ for "blacklist xyz"
|
||||||
if grep -qRE "^\s*blacklist\s+$MODULE_NAME\s*$" /etc/modprobe.d/; then
|
if grep -qRE "^\s*blacklist\s+$MODULE_NAME\s*$" /etc/modprobe.d/*.conf; then
|
||||||
debug "... but it's blacklisted!"
|
debug "... but it's blacklisted!"
|
||||||
FNRET=1 # Not found (found but blacklisted)
|
FNRET=1 # Not found (found but blacklisted)
|
||||||
# FIXME: even if blacklisted, it might be present in the initrd and
|
fi
|
||||||
# be insmod from there... but painful to check :/ maybe lsmod would be enough ?
|
# ... but wait, maybe it's override ? check files in /etc/modprobe.d/ for "install xyz /bin/(true|false)"
|
||||||
|
if grep -aRE "^\s*install\s+$MODULE_NAME\s+/bin/(true|false)\s*$" /etc/modprobe.d/*.conf; then
|
||||||
|
debug "... but it's override!"
|
||||||
|
FNRET=1 # Not found (found but override)
|
||||||
fi
|
fi
|
||||||
FNRET=0 # Found!
|
FNRET=0 # Found!
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
else
|
||||||
|
if [ "$MODPROBE_FILTER" != "" ]; then
|
||||||
|
DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | grep -E "$MODPROBE_FILTER" | xargs)"
|
||||||
|
else
|
||||||
|
DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | xargs)"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$DEF_MODULE" == "install /bin/true" ] || [ "$DEF_MODULE" == "install /bin/false" ]; then
|
||||||
|
debug "$MODULE_NAME is disabled (blacklist with override)"
|
||||||
|
FNRET=1
|
||||||
|
elif [ "$DEF_MODULE" == "" ]; then
|
||||||
|
debug "$MODULE_NAME is disabled"
|
||||||
|
FNRET=1
|
||||||
|
else
|
||||||
|
debug "$MODULE_NAME is enabled"
|
||||||
|
FNRET=0
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$($SUDO_CMD lsmod | grep -E "$MODULE_NAME" 2>/dev/null)" != "" ]; then
|
||||||
|
debug "$MODULE_NAME is enabled"
|
||||||
|
FNRET=0
|
||||||
|
fi
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -344,6 +415,12 @@ is_kernel_option_enabled() {
|
|||||||
is_a_partition() {
|
is_a_partition() {
|
||||||
local PARTITION=$1
|
local PARTITION=$1
|
||||||
FNRET=128
|
FNRET=128
|
||||||
|
if [ ! -f /etc/fstab ] || [ -n "$(sed '/^#/d' /etc/fstab)" ]; then
|
||||||
|
debug "/etc/fstab not found or empty, searching mountpoint"
|
||||||
|
if mountpoint "$PARTITION" | grep -qE ".*is a mountpoint.*"; then
|
||||||
|
FNRET=0
|
||||||
|
fi
|
||||||
|
else
|
||||||
if grep "[[:space:]]$1[[:space:]]" /etc/fstab | grep -vqE "^#"; then
|
if grep "[[:space:]]$1[[:space:]]" /etc/fstab | grep -vqE "^#"; then
|
||||||
debug "$PARTITION found in fstab"
|
debug "$PARTITION found in fstab"
|
||||||
FNRET=0
|
FNRET=0
|
||||||
@ -351,6 +428,8 @@ is_a_partition() {
|
|||||||
debug "Unable to find $PARTITION in fstab"
|
debug "Unable to find $PARTITION in fstab"
|
||||||
FNRET=1
|
FNRET=1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# Verify that $1 is mounted at runtime
|
# Verify that $1 is mounted at runtime
|
||||||
@ -369,6 +448,10 @@ is_mounted() {
|
|||||||
has_mount_option() {
|
has_mount_option() {
|
||||||
local PARTITION=$1
|
local PARTITION=$1
|
||||||
local OPTION=$2
|
local OPTION=$2
|
||||||
|
if [ ! -f /etc/fstab ] || [ -n "$(sed '/^#/d' /etc/fstab)" ]; then
|
||||||
|
debug "/etc/fstab not found or empty, readin current mount options"
|
||||||
|
has_mounted_option "$PARTITION" "$OPTION"
|
||||||
|
else
|
||||||
if grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $4}' | grep -q "bind"; then
|
if grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $4}' | grep -q "bind"; then
|
||||||
local actual_partition
|
local actual_partition
|
||||||
actual_partition="$(grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $1}')"
|
actual_partition="$(grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $1}')"
|
||||||
@ -382,6 +465,7 @@ has_mount_option() {
|
|||||||
debug "Unable to find $OPTION in fstab for partition $PARTITION"
|
debug "Unable to find $OPTION in fstab for partition $PARTITION"
|
||||||
FNRET=1
|
FNRET=1
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# Verify $1 has the proper option $2 at runtime
|
# Verify $1 has the proper option $2 at runtime
|
||||||
@ -478,9 +562,33 @@ get_debian_major_version() {
|
|||||||
DEB_MAJ_VER=""
|
DEB_MAJ_VER=""
|
||||||
does_file_exist /etc/debian_version
|
does_file_exist /etc/debian_version
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
|
if grep -q "sid" /etc/debian_version; then
|
||||||
|
DEB_MAJ_VER="sid"
|
||||||
|
else
|
||||||
DEB_MAJ_VER=$(cut -d '.' -f1 /etc/debian_version)
|
DEB_MAJ_VER=$(cut -d '.' -f1 /etc/debian_version)
|
||||||
|
fi
|
||||||
else
|
else
|
||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
DEB_MAJ_VER=$(lsb_release -r | cut -f2 | cut -d '.' -f 1)
|
DEB_MAJ_VER=$(lsb_release -r | cut -f2 | cut -d '.' -f 1)
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Returns the distribution
|
||||||
|
|
||||||
|
get_distribution() {
|
||||||
|
DISTRIBUTION=""
|
||||||
|
if [ -f /etc/os-release ]; then
|
||||||
|
# shellcheck disable=2034
|
||||||
|
DISTRIBUTION=$(grep "^ID=" /etc/os-release | sed 's/ID=//' | tr '[:upper:]' '[:lower:]')
|
||||||
|
FNRET=0
|
||||||
|
else
|
||||||
|
debug "Distribution not found !"
|
||||||
|
FNRET=127
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# Detect if container based on cgroup detection
|
||||||
|
|
||||||
|
is_running_in_container() {
|
||||||
|
awk -F/ '$2 == "'"$1"'"' /proc/self/cgroup
|
||||||
|
}
|
||||||
|
|||||||
@ -7,7 +7,7 @@ LABEL description="This image is used to run tests"
|
|||||||
|
|
||||||
RUN groupadd -g 500 secaudit && useradd -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
|
RUN groupadd -g 500 secaudit && useradd -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
|
||||||
|
|
||||||
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools auditd
|
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd
|
||||||
|
|
||||||
COPY --chown=500:500 . /opt/debian-cis/
|
COPY --chown=500:500 . /opt/debian-cis/
|
||||||
|
|
||||||
|
|||||||
21
tests/docker/Dockerfile.debian11
Normal file
21
tests/docker/Dockerfile.debian11
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
FROM debian:bullseye
|
||||||
|
|
||||||
|
LABEL vendor="OVH"
|
||||||
|
LABEL project="debian-cis"
|
||||||
|
LABEL url="https://github.com/ovh/debian-cis"
|
||||||
|
LABEL description="This image is used to run tests"
|
||||||
|
|
||||||
|
RUN groupadd -g 500 secaudit && useradd -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
|
||||||
|
|
||||||
|
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd cron
|
||||||
|
|
||||||
|
COPY --chown=500:500 . /opt/debian-cis/
|
||||||
|
|
||||||
|
COPY debian/default /etc/default/cis-hardening
|
||||||
|
RUN sed -i 's#cis-hardening#debian-cis#' /etc/default/cis-hardening
|
||||||
|
|
||||||
|
COPY cisharden.sudoers /etc/sudoers.d/secaudit
|
||||||
|
RUN sed -i 's#cisharden#secaudit#' /etc/sudoers.d/secaudit
|
||||||
|
|
||||||
|
|
||||||
|
ENTRYPOINT ["/opt/debian-cis/tests/launch_tests.sh"]
|
||||||
@ -7,7 +7,7 @@ LABEL description="This image is used to run tests"
|
|||||||
|
|
||||||
RUN groupadd -g 500 secaudit && useradd -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
|
RUN groupadd -g 500 secaudit && useradd -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
|
||||||
|
|
||||||
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools auditd
|
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd
|
||||||
|
|
||||||
COPY --chown=500:500 . /opt/debian-cis/
|
COPY --chown=500:500 . /opt/debian-cis/
|
||||||
|
|
||||||
|
|||||||
@ -7,7 +7,7 @@ LABEL description="This image is used to run tests"
|
|||||||
|
|
||||||
RUN groupadd -g 500 secaudit && useradd -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
|
RUN groupadd -g 500 secaudit && useradd -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
|
||||||
|
|
||||||
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools auditd
|
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd
|
||||||
|
|
||||||
COPY --chown=500:500 . /opt/debian-cis/
|
COPY --chown=500:500 . /opt/debian-cis/
|
||||||
|
|
||||||
|
|||||||
@ -16,5 +16,10 @@ test_audit() {
|
|||||||
# Cleanup
|
# Cleanup
|
||||||
rm /run/shm
|
rm /run/shm
|
||||||
|
|
||||||
# TODO fill comprehensive tests
|
##################################################################
|
||||||
|
# For this test, we only check that it runs properly on a blank #
|
||||||
|
# host, and we check root/sudo consistency. But, we don't test #
|
||||||
|
# the apply function because it can't be automated or it is very #
|
||||||
|
# long to test and not very useful. #
|
||||||
|
##################################################################
|
||||||
}
|
}
|
||||||
|
|||||||
@ -16,5 +16,10 @@ test_audit() {
|
|||||||
# Cleanup
|
# Cleanup
|
||||||
rm /run/shm
|
rm /run/shm
|
||||||
|
|
||||||
# TODO fill comprehensive tests
|
##################################################################
|
||||||
|
# For this test, we only check that it runs properly on a blank #
|
||||||
|
# host, and we check root/sudo consistency. But, we don't test #
|
||||||
|
# the apply function because it can't be automated or it is very #
|
||||||
|
# long to test and not very useful. #
|
||||||
|
##################################################################
|
||||||
}
|
}
|
||||||
|
|||||||
@ -16,5 +16,10 @@ test_audit() {
|
|||||||
# Cleanup
|
# Cleanup
|
||||||
rm /run/shm
|
rm /run/shm
|
||||||
|
|
||||||
# TODO fill comprehensive tests
|
##################################################################
|
||||||
|
# For this test, we only check that it runs properly on a blank #
|
||||||
|
# host, and we check root/sudo consistency. But, we don't test #
|
||||||
|
# the apply function because it can't be automated or it is very #
|
||||||
|
# long to test and not very useful. #
|
||||||
|
##################################################################
|
||||||
}
|
}
|
||||||
|
|||||||
@ -1,12 +1,15 @@
|
|||||||
# shellcheck shell=bash
|
# shellcheck shell=bash
|
||||||
# run-shellcheck
|
# run-shellcheck
|
||||||
test_audit() {
|
test_audit() {
|
||||||
|
if [ -f "/.dockerenv" ]; then
|
||||||
|
skip "SKIPPED on docker"
|
||||||
|
else
|
||||||
describe Running on blank host
|
describe Running on blank host
|
||||||
register_test retvalshouldbe 0
|
register_test retvalshouldbe 0
|
||||||
dismiss_count_for_test
|
dismiss_count_for_test
|
||||||
# shellcheck disable=2154
|
# shellcheck disable=2154
|
||||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
fi
|
||||||
##################################################################
|
##################################################################
|
||||||
# For this test, we only check that it runs properly on a blank #
|
# For this test, we only check that it runs properly on a blank #
|
||||||
# host, and we check root/sudo consistency. But, we don't test #
|
# host, and we check root/sudo consistency. But, we don't test #
|
||||||
|
|||||||
@ -7,5 +7,10 @@ test_audit() {
|
|||||||
# shellcheck disable=2154
|
# shellcheck disable=2154
|
||||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
# TODO fill comprehensive tests
|
##################################################################
|
||||||
|
# For this test, we only check that it runs properly on a blank #
|
||||||
|
# host, and we check root/sudo consistency. But, we don't test #
|
||||||
|
# the apply function because it can't be automated or it is very #
|
||||||
|
# long to test and not very useful. #
|
||||||
|
##################################################################
|
||||||
}
|
}
|
||||||
|
|||||||
@ -7,5 +7,10 @@ test_audit() {
|
|||||||
# shellcheck disable=2154
|
# shellcheck disable=2154
|
||||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
# TODO fill comprehensive tests
|
##################################################################
|
||||||
|
# For this test, we only check that it runs properly on a blank #
|
||||||
|
# host, and we check root/sudo consistency. But, we don't test #
|
||||||
|
# the apply function because it can't be automated or it is very #
|
||||||
|
# long to test and not very useful. #
|
||||||
|
##################################################################
|
||||||
}
|
}
|
||||||
|
|||||||
@ -7,5 +7,36 @@ test_audit() {
|
|||||||
# shellcheck disable=2154
|
# shellcheck disable=2154
|
||||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
# TODO fill comprehensive tests
|
local test_user="motd-user"
|
||||||
|
local test_file="/etc/motd"
|
||||||
|
|
||||||
|
describe Tests purposely failing
|
||||||
|
chmod 777 "$test_file"
|
||||||
|
register_test retvalshouldbe 1
|
||||||
|
register_test contain "permissions were not set to"
|
||||||
|
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
describe correcting situation
|
||||||
|
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||||
|
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||||
|
|
||||||
|
describe Tests purposely failing
|
||||||
|
useradd "$test_user"
|
||||||
|
chown "$test_user":"$test_user" "$test_file"
|
||||||
|
register_test retvalshouldbe 1
|
||||||
|
register_test contain "ownership was not set to"
|
||||||
|
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
describe correcting situation
|
||||||
|
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||||
|
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||||
|
|
||||||
|
describe Checking resolved state
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
register_test contain "has correct permissions"
|
||||||
|
register_test contain "has correct ownership"
|
||||||
|
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
# Cleanup
|
||||||
|
userdel "$test_user"
|
||||||
}
|
}
|
||||||
|
|||||||
@ -7,5 +7,36 @@ test_audit() {
|
|||||||
# shellcheck disable=2154
|
# shellcheck disable=2154
|
||||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
# TODO fill comprehensive tests
|
local test_user="issue-user"
|
||||||
|
local test_file="/etc/issue"
|
||||||
|
|
||||||
|
describe Tests purposely failing
|
||||||
|
chmod 777 "$test_file"
|
||||||
|
register_test retvalshouldbe 1
|
||||||
|
register_test contain "permissions were not set to"
|
||||||
|
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
describe correcting situation
|
||||||
|
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||||
|
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||||
|
|
||||||
|
describe Tests purposely failing
|
||||||
|
useradd "$test_user"
|
||||||
|
chown "$test_user":"$test_user" "$test_file"
|
||||||
|
register_test retvalshouldbe 1
|
||||||
|
register_test contain "ownership was not set to"
|
||||||
|
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
describe correcting situation
|
||||||
|
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||||
|
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||||
|
|
||||||
|
describe Checking resolved state
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
register_test contain "has correct permissions"
|
||||||
|
register_test contain "has correct ownership"
|
||||||
|
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
# Cleanup
|
||||||
|
userdel "$test_user"
|
||||||
}
|
}
|
||||||
|
|||||||
@ -7,5 +7,36 @@ test_audit() {
|
|||||||
# shellcheck disable=2154
|
# shellcheck disable=2154
|
||||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
# TODO fill comprehensive tests
|
local test_user="issue-net-user"
|
||||||
|
local test_file="/etc/issue.net"
|
||||||
|
|
||||||
|
describe Tests purposely failing
|
||||||
|
chmod 777 "$test_file"
|
||||||
|
register_test retvalshouldbe 1
|
||||||
|
register_test contain "permissions were not set to"
|
||||||
|
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
describe correcting situation
|
||||||
|
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||||
|
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||||
|
|
||||||
|
describe Tests purposely failing
|
||||||
|
useradd "$test_user"
|
||||||
|
chown "$test_user":"$test_user" "$test_file"
|
||||||
|
register_test retvalshouldbe 1
|
||||||
|
register_test contain "ownership was not set to"
|
||||||
|
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
describe correcting situation
|
||||||
|
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||||
|
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||||
|
|
||||||
|
describe Checking resolved state
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
register_test contain "has correct permissions"
|
||||||
|
register_test contain "has correct ownership"
|
||||||
|
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
# Cleanup
|
||||||
|
userdel "$test_user"
|
||||||
}
|
}
|
||||||
|
|||||||
@ -7,5 +7,10 @@ test_audit() {
|
|||||||
# shellcheck disable=2154
|
# shellcheck disable=2154
|
||||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
# TODO fill comprehensive tests
|
##################################################################
|
||||||
|
# For this test, we only check that it runs properly on a blank #
|
||||||
|
# host, and we check root/sudo consistency. But, we don't test #
|
||||||
|
# the apply function because it can't be automated or it is very #
|
||||||
|
# long to test and not very useful. #
|
||||||
|
##################################################################
|
||||||
}
|
}
|
||||||
|
|||||||
@ -7,5 +7,10 @@ test_audit() {
|
|||||||
# shellcheck disable=2154
|
# shellcheck disable=2154
|
||||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
# TODO fill comprehensive tests
|
##################################################################
|
||||||
|
# For this test, we only check that it runs properly on a blank #
|
||||||
|
# host, and we check root/sudo consistency. But, we don't test #
|
||||||
|
# the apply function because it can't be automated or it is very #
|
||||||
|
# long to test and not very useful. #
|
||||||
|
##################################################################
|
||||||
}
|
}
|
||||||
|
|||||||
@ -7,5 +7,10 @@ test_audit() {
|
|||||||
# shellcheck disable=2154
|
# shellcheck disable=2154
|
||||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
# TODO fill comprehensive tests
|
##################################################################
|
||||||
|
# For this test, we only check that it runs properly on a blank #
|
||||||
|
# host, and we check root/sudo consistency. But, we don't test #
|
||||||
|
# the apply function because it can't be automated or it is very #
|
||||||
|
# long to test and not very useful. #
|
||||||
|
##################################################################
|
||||||
}
|
}
|
||||||
|
|||||||
@ -7,5 +7,10 @@ test_audit() {
|
|||||||
# shellcheck disable=2154
|
# shellcheck disable=2154
|
||||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
# TODO fill comprehensive tests
|
##################################################################
|
||||||
|
# For this test, we only check that it runs properly on a blank #
|
||||||
|
# host, and we check root/sudo consistency. But, we don't test #
|
||||||
|
# the apply function because it can't be automated or it is very #
|
||||||
|
# long to test and not very useful. #
|
||||||
|
##################################################################
|
||||||
}
|
}
|
||||||
|
|||||||
@ -7,5 +7,23 @@ test_audit() {
|
|||||||
# shellcheck disable=2154
|
# shellcheck disable=2154
|
||||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
# TODO fill comprehensive tests
|
if [ -f "/.dockerenv" ]; then
|
||||||
|
skip "SKIPPED on docker"
|
||||||
|
else
|
||||||
|
describe Tests purposely failing
|
||||||
|
sysctl -w net.ipv6.conf.all.disable_ipv6=0 2>/dev/null
|
||||||
|
register_test retvalshouldbe 1
|
||||||
|
register_test contain "net.ipv6.conf.all.disable_ipv6 was not set to 1"
|
||||||
|
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
describe correcting situation
|
||||||
|
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||||
|
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||||
|
|
||||||
|
describe Checking resolved state
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
register_test contain "correctly set to 1"
|
||||||
|
register_test contain "net.ipv6.conf.all.disable_ipv6 correctly set to 0"
|
||||||
|
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|||||||
@ -7,5 +7,23 @@ test_audit() {
|
|||||||
# shellcheck disable=2154
|
# shellcheck disable=2154
|
||||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
# TODO fill comprehensive tests
|
if [ -f "/.dockerenv" ]; then
|
||||||
|
skip "SKIPPED on docker"
|
||||||
|
else
|
||||||
|
describe Tests purposely failing
|
||||||
|
sysctl -w net.ipv4.conf.all.send_redirects=1 2>/dev/null
|
||||||
|
register_test retvalshouldbe 1
|
||||||
|
register_test contain "net.ipv4.conf.all.send_redirects was not set to 0"
|
||||||
|
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
describe correcting situation
|
||||||
|
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||||
|
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||||
|
|
||||||
|
describe Checking resolved state
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
register_test contain "correctly set to 0"
|
||||||
|
register_test contain "net.ipv4.conf.all.send_redirects correctly set to 0"
|
||||||
|
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|||||||
@ -7,5 +7,30 @@ test_audit() {
|
|||||||
# shellcheck disable=2154
|
# shellcheck disable=2154
|
||||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
# TODO fill comprehensive tests
|
if [ -f "/.dockerenv" ]; then
|
||||||
|
skip "SKIPPED on docker"
|
||||||
|
else
|
||||||
|
describe Tests purposely failing
|
||||||
|
sysctl -w net.ipv4.conf.all.accept_source_route=1 net.ipv4.conf.default.accept_source_route=1 net.ipv6.conf.all.accept_source_route=1 net.ipv6.conf.default.accept_source_route=1 2>/dev/null
|
||||||
|
register_test retvalshouldbe 1
|
||||||
|
register_test contain "net.ipv4.conf.all.accept_source_route was not set to 0"
|
||||||
|
register_test contain "net.ipv4.conf.default.accept_source_route was not set to 0"
|
||||||
|
register_test contain "net.ipv6.conf.all.accept_source_route was not set to 0"
|
||||||
|
register_test contain "net.ipv6.conf.default.accept_source was not set to 0"
|
||||||
|
|
||||||
|
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
describe correcting situation
|
||||||
|
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||||
|
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||||
|
|
||||||
|
describe Checking resolved state
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
register_test contain "correctly set to 0"
|
||||||
|
register_test contain "net.ipv4.conf.all.accept_source_route correctly set to 0"
|
||||||
|
register_test contain "net.ipv4.conf.default.accept_source_route correctly set to 0"
|
||||||
|
register_test contain "net.ipv6.conf.all.accept_source_route correctly set to 0"
|
||||||
|
register_test contain "net.ipv6.conf.default.accept_source correctly set to 0"
|
||||||
|
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|||||||
@ -7,5 +7,30 @@ test_audit() {
|
|||||||
# shellcheck disable=2154
|
# shellcheck disable=2154
|
||||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
# TODO fill comprehensive tests
|
if [ -f "/.dockerenv" ]; then
|
||||||
|
skip "SKIPPED on docker"
|
||||||
|
else
|
||||||
|
describe Tests purposely failing
|
||||||
|
sysctl -w net.ipv4.conf.all.accept_redirects=1 net.ipv4.conf.default.accept_redirects=1 net.ipv6.conf.all.accept_redirects=1 net.ipv6.conf.default.accept_redirects=1 2>/dev/null
|
||||||
|
register_test retvalshouldbe 1
|
||||||
|
register_test contain "net.ipv4.conf.all.accept_redirects was not set to 0"
|
||||||
|
register_test contain "net.ipv4.conf.default.accept_redirects was not set to 0"
|
||||||
|
register_test contain "net.ipv6.conf.all.accept_redirects was not set to 0"
|
||||||
|
register_test contain "net.ipv6.conf.default.accept_redirects was not set to 0"
|
||||||
|
|
||||||
|
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
describe correcting situation
|
||||||
|
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||||
|
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||||
|
|
||||||
|
describe Checking resolved state
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
register_test contain "correctly set to 0"
|
||||||
|
register_test contain "net.ipv4.conf.all.accept_redirects correctly set to 0"
|
||||||
|
register_test contain "net.ipv4.conf.default.accept_redirects correctly set to 0"
|
||||||
|
register_test contain "net.ipv6.conf.all.accept_redirects correctly set to 0"
|
||||||
|
register_test contain "net.ipv6.conf.default.accept_redirects correctly set to 0"
|
||||||
|
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|||||||
@ -7,5 +7,26 @@ test_audit() {
|
|||||||
# shellcheck disable=2154
|
# shellcheck disable=2154
|
||||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
# TODO fill comprehensive tests
|
if [ -f "/.dockerenv" ]; then
|
||||||
|
skip "SKIPPED on docker"
|
||||||
|
else
|
||||||
|
describe Tests purposely failing
|
||||||
|
sysctl -w net.ipv4.conf.all.secure_redirects=1 net.ipv4.conf.default.secure_redirects=1 2>/dev/null
|
||||||
|
register_test retvalshouldbe 1
|
||||||
|
register_test contain "net.ipv4.conf.all.secure_redirects was not set to 0"
|
||||||
|
register_test contain "net.ipv4.conf.default.secure_redirects=0 was not set to 0"
|
||||||
|
|
||||||
|
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
describe correcting situation
|
||||||
|
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||||
|
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||||
|
|
||||||
|
describe Checking resolved state
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
register_test contain "correctly set to 0"
|
||||||
|
register_test contain "net.ipv4.conf.all.secure_redirects correctly set to 0"
|
||||||
|
register_test contain "net.ipv4.conf.default.secure_redirects correctly set to 0"
|
||||||
|
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|||||||
@ -7,5 +7,26 @@ test_audit() {
|
|||||||
# shellcheck disable=2154
|
# shellcheck disable=2154
|
||||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
# TODO fill comprehensive tests
|
if [ -f "/.dockerenv" ]; then
|
||||||
|
skip "SKIPPED on docker"
|
||||||
|
else
|
||||||
|
describe Tests purposely failing
|
||||||
|
sysctl -w net.ipv4.conf.all.log_martians=0 net.ipv4.conf.default.log_martians=0 2>/dev/null
|
||||||
|
register_test retvalshouldbe 1
|
||||||
|
register_test contain "net.ipv4.conf.all.log_martians was not set to 1"
|
||||||
|
register_test contain "net.ipv4.conf.default.log_martians was not set to 1"
|
||||||
|
|
||||||
|
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
describe correcting situation
|
||||||
|
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||||
|
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||||
|
|
||||||
|
describe Checking resolved state
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
register_test contain "correctly set to 1"
|
||||||
|
register_test contain "net.ipv4.conf.all.log_martians correctly set to 1"
|
||||||
|
register_test contain " net.ipv4.conf.default.log_martians correctly set to 1"
|
||||||
|
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|||||||
@ -7,5 +7,24 @@ test_audit() {
|
|||||||
# shellcheck disable=2154
|
# shellcheck disable=2154
|
||||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
# TODO fill comprehensive tests
|
if [ -f "/.dockerenv" ]; then
|
||||||
|
skip "SKIPPED on docker"
|
||||||
|
else
|
||||||
|
describe Tests purposely failing
|
||||||
|
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=0 2>/dev/null
|
||||||
|
register_test retvalshouldbe 1
|
||||||
|
register_test contain "net.ipv4.icmp_echo_ignore_broadcasts was not set to 1"
|
||||||
|
|
||||||
|
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
describe correcting situation
|
||||||
|
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||||
|
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||||
|
|
||||||
|
describe Checking resolved state
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
register_test contain "correctly set to 1"
|
||||||
|
register_test contain "net.ipv4.icmp_echo_ignore_broadcasts correctly set to 1"
|
||||||
|
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|||||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user