elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2025-07-16 22:02:17 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: elie:v3.0-1
Branches Tags
elie:master elie:damcava35/deb12_scripts_2 elie:damcava35/update_lib elie:damcava35/new_scripts elie:damcava35/issue_249 elie:damcava35/drop_debian10 elie:damcava35/is_ip_v6_enabled elie:damcava35/issue_195 elie:damcava35/fix_only elie:damcava35/fix_packaging elie:damcava35/set_version elie:damcava35/test_pre_commit elie:dev/thibault.dewailly/deb12 elie:dependabot/github_actions/luizm/action-sh-checker-0.9.0 elie:dev/thibault.dewailly/set_hardening_level elie:dev/thibault.dewailly/syslogng_remotecheck
elie:latest elie:v4.1-5 elie:v4.1-4 elie:v4.1-3 elie:v4.1-2 elie:v4.1-1 elie:v4.0-1 elie:v3.8-1 elie:v3.7-1 elie:v3.6-1 elie:v3.5-1 elie:v3.4-1 elie:v3.3-1 elie:v3.2-2 elie:v3.2-1 elie:v3.2-0 elie:v3.1-6 elie:v3.1-5 elie:v3.1-4 elie:v3.1-3 elie:v3.1-2 elie:v3.1-1 elie:v3.1-0 elie:v3.0-1 elie:v3.0 elie:v2.1-6 elie:v2.1-5 elie:v2.1-4 elie:v2.1-3 elie:v2.1-2 elie:v2.1-1 elie:v2.0-6 elie:v2.0-5 elie:v2.0-4 elie:v1.3-4 elie:v1.3-3 elie:v1.3-2 elie:v1.3 elie:v1.2-1 elie:v1.1-1
..
compare: elie:v4.1-4
Branches Tags
elie:damcava35/deb12_scripts_2 elie:damcava35/update_lib elie:damcava35/new_scripts elie:master elie:damcava35/issue_249 elie:damcava35/drop_debian10 elie:damcava35/is_ip_v6_enabled elie:damcava35/issue_195 elie:damcava35/fix_only elie:damcava35/fix_packaging elie:damcava35/set_version elie:damcava35/test_pre_commit elie:dev/thibault.dewailly/deb12 elie:dependabot/github_actions/luizm/action-sh-checker-0.9.0 elie:dev/thibault.dewailly/set_hardening_level elie:dev/thibault.dewailly/syslogng_remotecheck
elie:latest elie:v4.1-5 elie:v4.1-4 elie:v4.1-3 elie:v4.1-2 elie:v4.1-1 elie:v4.0-1 elie:v3.8-1 elie:v3.7-1 elie:v3.6-1 elie:v3.5-1 elie:v3.4-1 elie:v3.3-1 elie:v3.2-2 elie:v3.2-1 elie:v3.2-0 elie:v3.1-6 elie:v3.1-5 elie:v3.1-4 elie:v3.1-3 elie:v3.1-2 elie:v3.1-1 elie:v3.1-0 elie:v3.0-1 elie:v3.0 elie:v2.1-6 elie:v2.1-5 elie:v2.1-4 elie:v2.1-3 elie:v2.1-2 elie:v2.1-1 elie:v2.0-6 elie:v2.0-5 elie:v2.0-4 elie:v1.3-4 elie:v1.3-3 elie:v1.3-2 elie:v1.3 elie:v1.2-1 elie:v1.1-1

130 Commits
v3.0-1 ... v4.1-4

Author SHA1 Message Date
thibault.dewailly
a45aa40ce4 bump to 4.1.4 2024-01-18 09:16:00 +00:00
lgaida
730ab47437 allow multiple users in 5.2.18 (#228) 
* allow multiple exception users for 99.5.2.4

* move clean up part of previous commit

* split clean up part of previous commit

* add tests for multiple allowed and denied ssh users

* fix script to correctly set multiple allowed and denied ssh users

* add cleanup resolved check to 5.2.18

* apply shellfmt to 5.2.18

---------

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2024-01-10 17:07:02 +01:00
lgaida
5313799193 Allow multiple exception users to be defined for 99.5.2.4_ssh_keys_from (#221) 
* allow multiple exception users for 99.5.2.4
 2023-12-27 13:42:10 +01:00
GoldenKiwi
73616af4eb Syslog-ng fixes and enhancements (#226) 
* syslog-ng : fix remote host test and enhance Regex

fixes #124

* enh: add test for 4.2.1.6
 2023-12-27 10:27:06 +01:00
GoldenKiwi
c391723fe5 fix: Allow --only option to be called multiple times (#225) 
--only option was affected with a grep bug since 2017.
the regex was not able to parse more than the first passed argument.

fixes #224
 2023-12-26 17:08:53 +01:00
GoldenKiwi
71019a5512 fix: update Readme to clarify project usage (#223) 
fixes: #219
 2023-12-26 09:57:15 +01:00
GoldenKiwi
fb4df82fc4 fix: typo in README. Update example of --audit usage (#222) 
fixes #220
fixes #217
 2023-12-26 09:19:55 +01:00
thibault.dewailly
c75244e3b2 bump to 4.1.3 2023-11-28 10:34:12 +00:00
Stéphane Lesimple
de295b3a77 Adapt all scripts to yescrypt (#216) 
* Revert "fix: clean obsolete check 99.5.4.5.1, now handled by 5.3.4 (#215)"

This reverts commit 670c8c62f5.

We still want to verify the preexisting hashes in /etc/shadow,
even if the PAM configuration is correct for new passwords (5.3.4).

* Adapt 5.3.4, 99.5.4.5.1 and 99.5.4.5.2 to yescrypt
 2023-11-21 17:43:31 +01:00
dependabot[bot]
693487c3a5 build(deps): bump metcalfc/changelog-generator from 4.1.0 to 4.2.0 (#214) 
Bumps [metcalfc/changelog-generator](https://github.com/metcalfc/changelog-generator) from 4.1.0 to 4.2.0.
- [Release notes](https://github.com/metcalfc/changelog-generator/releases)
- [Changelog](https://github.com/metcalfc/changelog-generator/blob/main/release-notes.png)
- [Commits](https://github.com/metcalfc/changelog-generator/compare/v4.1.0...v4.2.0)

---
updated-dependencies:
- dependency-name: metcalfc/changelog-generator
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2023-11-14 15:44:50 +01:00
GoldenKiwi
670c8c62f5 fix: clean obsolete check 99.5.4.5.1, now handled by 5.3.4 (#215) 
Fixes #209
 2023-11-14 12:03:58 +01:00
GoldenKiwi
0eb2e2ffde enh: remove ssh system sandbox check (#213) 
UsePrivilegeSeparation option is deprecated.
Since the oldest supported Debian distribution is Buster (10), we can safely remove this check

Fixes #212
 2023-11-13 08:53:12 +01:00
dependabot[bot]
d6c334182e build(deps): bump luizm/action-sh-checker from 0.7.0 to 0.8.0 (#210) 
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.7.0 to 0.8.0.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.7.0...v0.8.0)

---
updated-dependencies:
- dependency-name: luizm/action-sh-checker
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-11-10 15:05:25 +01:00
thibault.dewailly
2188577fc9 feat: advertise Debian 12 compatibility in readme 2023-10-02 13:34:09 +00:00
thibault.dewailly
0f59f73297 bump to 4.1.2 2023-10-02 13:17:31 +00:00
GoldenKiwi
f888ce0d39 fix: root_dir is still /opt/cis-hardening for the moment (#208) 2023-10-02 14:50:52 +02:00
thibault.dewailly
f6aa306127 bump to 4.1.1 2023-09-29 14:38:52 +00:00
GoldenKiwi
ceea343ad9 fix: debian12 functional test pass is now mandatory (#207) 2023-09-29 16:34:25 +02:00
GoldenKiwi
2e53dfb573 feat: Officialize Debian 12 support (#206) 
* feat: Officialize Debian 12 support

Functional tests now pass
CIS Benchmark PDF for Debian 12 is not out yet, but the hardening points checked
are still relevant in Debian 12.
OVHcloud is now using it in critical production, hence making it officially supported

---------

Co-authored-by: ThibaultDewailly <ThibaultDewailly@users.noreply.github.com>
 2023-09-29 16:20:34 +02:00
P-EB
08aff5d3fc Update the README to reflect on changes made in PR#204 (#205) 2023-09-29 09:21:40 +02:00
P-EB
32886d3a3d Replace CIS_ROOT_DIR by a more flexible system (#204) 
* Replace CIS_ROOT_DIR by a more flexible system

* Try to adapt the logic change to the functional tests
 2023-09-25 14:24:01 +02:00
GoldenKiwi
5370ec2ef6 feat: add nftables to firewall software allow list (#203) 
* feat: add nftables to firewall software allow list

fixes #191

* fix: enhance 3.5.4.1.1_net_fw_default_policy_drop.sh iptables output check, disable associated test
 2023-09-07 14:36:08 +02:00
dependabot[bot]
9d3fb18e6b build(deps): bump actions/checkout from 3 to 4 (#202) 
Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-09-05 17:07:12 +02:00
GoldenKiwi
6e79fcd00a fix: correct debian version check on 5.2.15 configuration generation (#199) 
fixes #196
 2023-09-01 08:34:28 +02:00
GoldenKiwi
27edec6d5f fix: chore, debug logs print correctly now (#197) 2023-08-31 14:40:27 +02:00
GoldenKiwi
f2cc14c383 fix: chore debian manual update (#198) 
* fix: chore debian manual update

fixes #182

* Regenerate man pages (Github action)

---------

Co-authored-by: ThibaultDewailly <ThibaultDewailly@users.noreply.github.com>
 2023-08-31 14:34:59 +02:00
dependabot[bot]
46377fc255 build(deps): bump dev-drprasad/delete-tag-and-release (#184) 
Bumps [dev-drprasad/delete-tag-and-release](https://github.com/dev-drprasad/delete-tag-and-release) from 0.2.1 to 1.0.1.
- [Release notes](https://github.com/dev-drprasad/delete-tag-and-release/releases)
- [Commits](https://github.com/dev-drprasad/delete-tag-and-release/compare/v0.2.1...v1.0.1)

---
updated-dependencies:
- dependency-name: dev-drprasad/delete-tag-and-release
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2023-08-30 10:32:29 +02:00
Joseph
a468b29036 fix: added systemd-timesyncd to use_time_sync script (#189) (#190) 
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2023-08-30 10:28:03 +02:00
JugeHuge
db9ff8a7fd Update warn messages on 2.2.15_mta_localhost.sh (#193) 
warn messages had typo netsat as it should be netstat
 2023-08-30 10:23:27 +02:00
Stéphane Lesimple
6135c3d0e5 fix: enhance test 99.1.3 speed for large /etc/sudoers.d folders (#188) 
Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>
 2023-07-18 17:28:35 +02:00
Tarik Megzari
a6ad528087 feat: Add experimental debian12 functionnal tests (#187) 
Signed-off-by: Tarik Megzari <tarik.megzari@ovhcloud.com>
Co-authored-by: Tarik Megzari <tarik.megzari@ovhcloud.com>
 2023-07-10 10:52:17 +02:00
thibault.dewailly
bc98bedf73 bump to 4.0-1 2023-07-10 07:21:13 +00:00
Stéphane Lesimple
873ef8827d fix: 99.1.3_acc_sudoers_no_all: fix a race condition (#186) 
On systems where /etc/sudoers.d might be updated often by some automated means, this
check might raise a critical when a previously present file (during the ls) is no longer
present (during its attempted read), so before raising a critical, re-check that it
does exists first.
 2023-07-03 17:05:45 +02:00
GoldenKiwi
bd27cd0dae fix: change auditd file rule remediation (#179) 
Fixes #165
 2023-05-05 12:32:22 +02:00
GoldenKiwi
f28ffc244c fix: correct debian package compression override (#181) 2023-05-02 18:06:59 +02:00
GoldenKiwi
19ce790a27 fix: ensure mountpoints are properly detected (#177) 
Fixes #155
When real entries are present in fstab, system startup or runtime mountpoints are now properly detected
Add a supplementary check in case of partition not present in fstab
 2023-05-02 18:01:53 +02:00
GoldenKiwi
47cf86237b fix: correct search in 5.4.5_default_timeout in apply mode (#178) 
fixes #116
 2023-05-02 17:57:35 +02:00
GoldenKiwi
ccd9c1a7aa fix: force xz compression during .deb build (#180) 
zst compression is only available on Debian 12, since the release is built on Ubuntu latest, this was breaking release.
Fixes #175
 2023-05-02 15:24:32 +02:00
GoldenKiwi
04457e7df2 feat: official Debian 11 compatibility (#176) 
Introduce Debian 11 compatibility
Based on CIS_Debian_Linux_11_Benchmark_v1.0.0

After review, here are the notable changes :
 - Harden /var/log more (noexec,nodev,nosuid)
 - Harden /var/log/audit more (noexec,nodev,nosuid)
 - Harden /home more (nosuid)
 - Disable cramfs
 - Fix 5.3.4_acc_pam_sha512.sh
 - Deprecate Debian 9 and remove useless docker images

NB : more audit log rules have been introduced and will be inserted in the checks later
Fix #158
 2023-05-02 14:16:19 +02:00
dependabot[bot]
05521d5961 Bump luizm/action-sh-checker from 0.5.0 to 0.7.0 (#171) 
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.5.0 to 0.7.0.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.5.0...v0.7.0)

---
updated-dependencies:
- dependency-name: luizm/action-sh-checker
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-04-26 10:20:11 +02:00
thibault.dewailly
06525f06f9 bump to 3.8-1 2023-03-23 10:03:37 +00:00
dependabot[bot]
d5c1c63971 Bump luizm/action-sh-checker from 0.4.0 to 0.5.0 (#161) 
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.4.0 to 0.5.0.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.4.0...v0.5.0)

---
updated-dependencies:
- dependency-name: luizm/action-sh-checker
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2023-03-23 10:56:12 +01:00
dependabot[bot]
7d93ddeb86 Bump metcalfc/changelog-generator from 3.0.0 to 4.1.0 (#169) 
Bumps [metcalfc/changelog-generator](https://github.com/metcalfc/changelog-generator) from 3.0.0 to 4.1.0.
- [Release notes](https://github.com/metcalfc/changelog-generator/releases)
- [Changelog](https://github.com/metcalfc/changelog-generator/blob/main/release-notes.png)
- [Commits](https://github.com/metcalfc/changelog-generator/compare/v3.0.0...v4.1.0)

---
updated-dependencies:
- dependency-name: metcalfc/changelog-generator
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2023-03-23 10:50:46 +01:00
dependabot[bot]
a35ecab377 Bump dev-drprasad/delete-tag-and-release from 0.2.0 to 0.2.1 (#170) 
Bumps [dev-drprasad/delete-tag-and-release](https://github.com/dev-drprasad/delete-tag-and-release) from 0.2.0 to 0.2.1.
- [Release notes](https://github.com/dev-drprasad/delete-tag-and-release/releases)
- [Commits](https://github.com/dev-drprasad/delete-tag-and-release/compare/v0.2.0...v0.2.1)

---
updated-dependencies:
- dependency-name: dev-drprasad/delete-tag-and-release
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-03-23 10:47:09 +01:00
Stéphane Lesimple
dc952b90df fix: timeout of 99.1.3 (#168) 
The 99.1.3_acc_sudoers_no_all.sh script can sometimes timeout
on servers where /etc/sudoers.d/ has thousands of files.
This patch makes it run roughly 5x faster, as tested on a
server with 1500 files in sudoers.d/.

Closes #167.

Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>

Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>
 2022-12-22 09:47:35 +01:00
Tarik Megzari
82a217032d fix(6.2.9): Start from UID 1000 for home ownership check (#164) 
Rename 6.2.3 and 6.2.9 checks to be more accurate
Remove home existence check from 6.2.9 as it's handled by 6.2.3
Update tests accordingly
Fixes #163

Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
 2022-09-30 10:28:48 +02:00
ymartin-ovh
e478a89bad bump to 3.7-1 (#160) 2022-07-04 15:37:08 +02:00
ymartin-ovh
371c23cd52 feat: add FIND_IGNORE_NOSUCHFILE_ERR flag (#159) 
This flag can be used to prevent find-related checks to fail because one part of filesystem disappear (ie. ephemeral directories or files)
 2022-07-04 14:29:25 +02:00
Tarik Megzari
ea8334d516 bump to 3.6-1 (#157) 
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
 2022-06-27 12:13:01 +02:00
dependabot[bot]
987bb9c975 Bump luizm/action-sh-checker from 0.3.0 to 0.4.0 (#154) 
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.3.0 to 0.4.0.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.3.0...v0.4.0)

---
updated-dependencies:
- dependency-name: luizm/action-sh-checker
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-06-26 16:58:46 +02:00
dependabot[bot]
3031bb55d1 Bump actions-ecosystem/action-get-latest-tag from 1.5.0 to 1.6.0 (#153) 
Bumps [actions-ecosystem/action-get-latest-tag](https://github.com/actions-ecosystem/action-get-latest-tag) from 1.5.0 to 1.6.0.
- [Release notes](https://github.com/actions-ecosystem/action-get-latest-tag/releases)
- [Commits](https://github.com/actions-ecosystem/action-get-latest-tag/compare/v1.5.0...v1.6.0)

---
updated-dependencies:
- dependency-name: actions-ecosystem/action-get-latest-tag
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
 2022-06-24 17:55:26 +02:00
ymartin-ovh
66ccc6316a feat: Filter the filesystem to check when the list is built. (#156) 
* feat: Attempt to filter-out filesystem that match exclusion regex.
 2022-06-24 17:45:47 +02:00
Tarik Megzari
7a3145d7f1 bump to 3.5-1 (#152) 
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
 2022-03-23 18:40:25 +01:00
GoldenKiwi
5c072668d5 fix: add 10s wait timeout on iptables command (#151) 
When the tested server has its iptables heavily manipulated (e.g Kubernetes)
The lock aquirement can sometimes fail, hence generating false positives
The command will retry 10 times with a 1 second interval
 2022-03-23 16:56:38 +01:00
GoldenKiwi
d1bd1eb2e7 bump to 3.4-1 (#150) 2022-03-18 16:49:25 +01:00
GoldenKiwi
ad5c71c3ce fix: allow passwd-, group- and shadow- debian default permissions (#149) 2022-03-18 16:41:49 +01:00
dependabot[bot]
33964c0a3d Bump EndBug/add-and-commit from 8.0.2 to 9 (#148) 
Bumps [EndBug/add-and-commit](https://github.com/EndBug/add-and-commit) from 8.0.2 to 9.
- [Release notes](https://github.com/EndBug/add-and-commit/releases)
- [Changelog](https://github.com/EndBug/add-and-commit/blob/main/CHANGELOG.md)
- [Commits](https://github.com/EndBug/add-and-commit/compare/v8.0.2...v9)

---
updated-dependencies:
- dependency-name: EndBug/add-and-commit
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-03-14 15:36:48 +01:00
Tarik Megzari
8320d0eecc CI: Fix release action (#147) 
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
 2022-03-03 12:02:12 +01:00
Tarik Megzari
a0d33ab158 Update changelog for release 3.3-1 (#146) 
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
 2022-03-03 10:26:42 +01:00
Jan Schmidle
a6a22084e1 missing shadowtools backup files is ok (#132) 
* missing shadowtools backup files is ok

* update corresponding test cases
 2022-03-02 18:05:37 +01:00
Tarik Megzari
b962155a3c fix: Avoid find failures on too many files (#144) 
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2022-03-02 17:49:28 +01:00
dependabot[bot]
20bf51f65b Bump actions/checkout from 2 to 3 (#145) 
Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-03-02 00:14:50 +01:00
dependabot[bot]
adfe28470a Bump metcalfc/changelog-generator from 1.0.0 to 3.0.0 (#133) 
Bumps [metcalfc/changelog-generator](https://github.com/metcalfc/changelog-generator) from 1.0.0 to 3.0.0.
- [Release notes](https://github.com/metcalfc/changelog-generator/releases)
- [Changelog](https://github.com/metcalfc/changelog-generator/blob/main/release-notes.png)
- [Commits](https://github.com/metcalfc/changelog-generator/compare/v1.0.0...v3.0.0)

---
updated-dependencies:
- dependency-name: metcalfc/changelog-generator
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-03-01 23:48:57 +01:00
dependabot[bot]
c94ee10afe Bump EndBug/add-and-commit from 7 to 8.0.2 (#142) 
Bumps [EndBug/add-and-commit](https://github.com/EndBug/add-and-commit) from 7 to 8.0.2.
- [Release notes](https://github.com/EndBug/add-and-commit/releases)
- [Changelog](https://github.com/EndBug/add-and-commit/blob/main/CHANGELOG.md)
- [Commits](https://github.com/EndBug/add-and-commit/compare/v7...v8.0.2)

---
updated-dependencies:
- dependency-name: EndBug/add-and-commit
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-03-01 20:39:39 +01:00
dependabot[bot]
453a72b8c8 Bump actions-ecosystem/action-get-latest-tag from 1.4.1 to 1.5.0 (#143) 
Bumps [actions-ecosystem/action-get-latest-tag](https://github.com/actions-ecosystem/action-get-latest-tag) from 1.4.1 to 1.5.0.
- [Release notes](https://github.com/actions-ecosystem/action-get-latest-tag/releases)
- [Commits](https://github.com/actions-ecosystem/action-get-latest-tag/compare/v1.4.1...v1.5.0)

---
updated-dependencies:
- dependency-name: actions-ecosystem/action-get-latest-tag
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-03-01 20:28:33 +01:00
Tarik Megzari
bb03764918 fix: Catch unexpected failures (#140) 
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
 2022-01-31 15:38:38 +01:00
Tarik Megzari
17d272420a feat: Dissociate iptables pkg name from command (#137) 
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
 2021-12-27 15:40:55 +01:00
Tarik Megzari
f1c1517bd2 Update changelog for release 3.2-2 (#135) 
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
 2021-12-13 16:06:57 +01:00
tdenof
1341622335 Fix empty fstab test (#134) 
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Co-authored-by: Thibault Dewailly <thibault.dewailly@corp.ovh.com>
 2021-12-08 08:42:22 +01:00
thibault.dewailly
c8fcfed248 Update changelog for release 3.2-1 2021-12-01 11:04:56 +00:00
Sebastien BLAISOT
97914976c8 Skip NTP and Chrony config check if they are not installed (#120) 
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-12-01 10:49:08 +01:00
Sebastien BLAISOT
66c8ccf495 Fix 3.4.2 audit rule (#123) 
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-12-01 10:23:11 +01:00
Sebastien BLAISOT
b53bf1795c Fix grub detection (#119) 
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-12-01 08:58:32 +01:00
Sebastien BLAISOT
1a874b2b35 Allow grub.cfg permission to be 600 (#121) 
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-11-30 18:47:19 +01:00
Sebastien BLAISOT
7266ec7cb4 Honor --set-log-level parameter (#127) 
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-11-30 18:42:33 +01:00
Jan Schmidle
8f855ac159 fix: kernel module detection (#129) 
* fix: add filter to hfs

* fix is_kernel_option_enabled check

as the module in question could have dependencies which have been blacklisted as well we need to make sure that the comparison only checks for the module in question - the last line in the output.

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-10-20 14:51:29 +02:00
Sebastien BLAISOT
ad192c9457 Add silent mode and json summary (#128) 
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-10-20 13:22:59 +02:00
Sebastien BLAISOT
3d2d97a727 FIX(1.7.1.4): don't abort script in case of unconfined processes (#130) 2021-10-20 13:14:36 +02:00
Sebastien BLAISOT
6e2fb1570c FIX(2.2.1.4): Validate debian default ntp config (#118) 2021-10-15 16:19:51 +02:00
dependabot[bot]
faf5b155e5 Bump metcalfc/changelog-generator from v0.4.4 to v1.0.0 (#81) 
Bumps [metcalfc/changelog-generator](https://github.com/metcalfc/changelog-generator) from v0.4.4 to v1.0.0.
- [Release notes](https://github.com/metcalfc/changelog-generator/releases)
- [Changelog](https://github.com/metcalfc/changelog-generator/blob/main/release-notes.png)
- [Commits](https://github.com/metcalfc/changelog-generator/compare/v0.4.4...e5306b306fa2e34f05258789e0e5c526c1bd4352)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Thibault Ayanides <thibault.ayanides@ovhcloud.com>
 2021-08-10 13:57:13 +02:00
dependabot[bot]
43887d4165 Bump luizm/action-sh-checker from 0.1.13 to 0.3.0 (#111) 
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.1.13 to 0.3.0.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.1.13...v0.3.0)

---
updated-dependencies:
- dependency-name: luizm/action-sh-checker
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2021-08-10 13:47:31 +02:00
dependabot[bot]
499ebf2f9b Bump dev-drprasad/delete-tag-and-release from v0.1.3 to v0.2.0 (#72) 
Bumps [dev-drprasad/delete-tag-and-release](https://github.com/dev-drprasad/delete-tag-and-release) from v0.1.3 to v0.2.0.
- [Release notes](https://github.com/dev-drprasad/delete-tag-and-release/releases)
- [Commits](https://github.com/dev-drprasad/delete-tag-and-release/compare/v0.1.3...085c6969f18bad0de1b9f3fe6692a3cd01f64fe5)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Thibault Ayanides <thibault.ayanides@ovhcloud.com>
 2021-08-10 10:39:53 +02:00
Thibault Ayanides
afed5a9dce 99.5.4.5.2: fix bug where sha512 option rounds provoke KO (#112) 2021-08-10 10:30:35 +02:00
dependabot[bot]
01c3d1b98c Bump luizm/action-sh-checker from v0.1.12 to v0.1.13 (#73) 
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from v0.1.12 to v0.1.13.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.1.12...164368daf52a9126460854f9c0de00abc079a350)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Thibault Ayanides <thibault.ayanides@ovhcloud.com>
 2021-08-10 09:43:59 +02:00
dependabot[bot]
25e899168f Bump actions-ecosystem/action-get-latest-tag from 1 to 1.4.1 (#101) 
Bumps [actions-ecosystem/action-get-latest-tag](https://github.com/actions-ecosystem/action-get-latest-tag) from 1 to 1.4.1.
- [Release notes](https://github.com/actions-ecosystem/action-get-latest-tag/releases)
- [Commits](https://github.com/actions-ecosystem/action-get-latest-tag/compare/v1...v1.4.1)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Thibault Ayanides <thibault.ayanides@ovhcloud.com>
 2021-08-10 09:36:28 +02:00
Thibault Ayanides
9a2e3a0e0d Fix 5.4.5 pattern search (#108) 
fix #107
 2021-08-09 10:49:56 +02:00
Thibault Ayanides
334d743125 fix EXCEPTIONS management (#104) 
* FIX(1.1.21, 6.1.10) fix EXCEPTIONS management
* Update changelog
* Refactor test for 6.1.10-14
 2021-06-02 13:47:19 +02:00
Thibault Ayanides
4ed8adf790 Update changelog (#103) 2021-05-28 15:06:48 +02:00
Thibault Ayanides
f4328deeb2 Fix unbound variable (#102) 2021-05-28 15:00:58 +02:00
Thibault Ayanides
29505255ff Update changelog (#99) 2021-05-07 09:16:15 +02:00
Thibault Ayanides
9e6c9a0d8a Accept lower values (#95) 
* IMP(5.2.23): accept lower value as valid

* IMP(5.2.7): accept lower value as valid
 2021-04-27 16:04:13 +02:00
Thibault Ayanides
1cade2e375 FIX(2.2.1.2): custom func not working for systemd (#90) 
fix #87
 2021-04-27 13:49:05 +02:00
Thibault Ayanides
fc8a2b2561 FIX: add commands to sudoers (#91) 2021-04-27 13:31:59 +02:00
Thibault Ayanides
cadc25c28c Dir exceptions (#96) 
* IMP(1.1.21): add EXCEPTIONS
* IMP(6.1.10): add EXCEPTIONS
 2021-04-26 17:05:22 +02:00
Thibault Ayanides
8c6c9a7571 IMP(tests): checks that stderr is empty 
Fix #97
 2021-04-26 17:01:19 +02:00
Thibault Ayanides
dd41988933 Update changelog 2021-04-13 11:00:29 +02:00
Thibault Ayanides
f6c6e6a0a8 FIX(4.1.11): add SUDO to find suid files 2021-04-13 11:00:29 +02:00
Thibault Ayanides
d26ad48416 Update changelog 2021-04-02 09:25:41 +02:00
Thibault Ayanides
d110a2aa19 Ignore case for sshd conf 
fix #85
 2021-04-02 09:25:41 +02:00
Thibault Ayanides
cbd81b8ab2 Update changelog (#82) 2021-03-26 12:16:50 +01:00
Thibault Ayanides
1c51e4cec4 Check that package are installed before launching check (#69) 
* FIX(1.6.1,1.7.1.x): check if apparmor and grub is installed

* FIX(2.2.15): check package install

* FIX(4.2.x): check package install

* FIX(5.1.x): check crontab files exist

* FIX(5.2.1): check package install

* FIX(99.3.3.x): check conf file exist

* Remove useless SUDO_CMD

* Deal with non existant /run/shm

* Replace exit code 128 by exit code 2

fix #65

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-03-25 14:01:57 +01:00
Thibault Ayanides
f8ac58700d FIX(4.1.1.4): bad pattern (#67) 
fix #61
 2021-03-25 13:50:08 +01:00
Thibault Ayanides
1c1393c7e3 Fix div function to manage 0 on numerator (#79) 
fix #77

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-03-23 08:36:36 +01:00
Thibault Ayanides
c50f200c5c FIX(5.4.5.2): explicit sha512 
fix #74
 2021-03-22 15:22:50 +01:00
Simão Gomes Viana
c0ecc9cd6f README: fix spelling and spacing in first line 2021-03-19 08:36:31 +01:00
Thibault Ayanides
fb5be208ef Update changelog 2021-03-15 08:25:26 +01:00
jeremydenoun
b44fb47c3a add log details to be more comprehensive (#49) 
Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>
 2021-02-17 12:04:11 +01:00
jeremydenoun
84ac4db90f fix incorrect path from ls (#45) 
Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>
 2021-02-17 12:00:13 +01:00
Thibault Ayanides
40fb536d4e Add missing HARDENING_LEVEL (#44) 
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-02-17 11:51:51 +01:00
Thibault Ayanides
d1b371f410 Add is_ipv6_disabled (#57) 
Modify some checks to make it pass when ipv6 is diabled

fix #50

	modified:   bin/hardening/3.1.1_disable_ipv6.sh
	modified:   bin/hardening/3.3.1_disable_source_routed_packets.sh
	modified:   bin/hardening/3.3.9_disable_ipv6_router_advertisement.sh
	modified:   lib/utils.sh

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-02-17 11:45:20 +01:00
Thibault Ayanides
6ab1cab3ce IMP(5.1.8): allow more restrictive permissions (#59) 
fix #52

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-02-17 11:40:31 +01:00
Thibault Ayanides
1a7dd5893a Use pam_faillock instead of pam_tally for bullseye (#56) 
Fix #55
See https://github.com/linux-pam/linux-pam/releases/tag/v1.4.0
pam_tally is deprecated and replaced by pam_faillock

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-02-17 11:36:58 +01:00
Thibault Ayanides
fa111bc0d0 Update mac and kex to match debian10 CIS (#60) 
fix #53

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-02-17 11:31:22 +01:00
Thibault Ayanides
460843ffb3 Fix #51 (#58) 2021-02-17 11:19:38 +01:00
jeremydenoun
896d277d95 fix #46 bug (#47) 
Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>
 2021-02-11 14:00:18 +01:00
Thibault Ayanides
6ae05f3fa2 Add dealing with debian 11 
* ADD: add dockerfile for debian11
* FIX: fix crontab file not found on debian11 blank
* Add workflow for debian11
* FIX: fix debian version func to manage debian11
* Add dealing with unsupported version and distro
* Add 99.99 check that check if distro version is supported
* Use global var for debian major and distro

fix #26
 2021-02-08 13:54:24 +01:00
Thibault Ayanides
449c695415 IMP: improve partition detection in container 
fix #27
 2021-02-08 09:07:09 +01:00
dependabot[bot]
2d6550fb13 Bump dev-drprasad/delete-tag-and-release from v0.1.2 to v0.1.3 (#41) 
Bumps [dev-drprasad/delete-tag-and-release](https://github.com/dev-drprasad/delete-tag-and-release) from v0.1.2 to v0.1.3.
- [Release notes](https://github.com/dev-drprasad/delete-tag-and-release/releases)
- [Commits](https://github.com/dev-drprasad/delete-tag-and-release/compare/v0.1.2...3c280cb168f9f46f0036f47c7f57bba2ec18f61c)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2021-02-04 16:23:41 +01:00
jeremydenoun
0b6ea0d97e IMP: add multiple Improvements 
* add new kernel module detection (enable & listing)  with detection of monolithic kernel
* change way to detect if file system type is disabled
* add global IS_CONTAINER variable
* disable test for 3.4.x to be consistent with others
* add cli options to override configuration loglevel
 2021-02-04 16:21:49 +01:00
dependabot[bot]
ec9e2addc2 Bump luizm/action-sh-checker from v0.1.10 to v0.1.12 
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from v0.1.10 to v0.1.12.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.1.10...442951059cb22d260c6e69309ae59cb7bb2334b8)

Signed-off-by: dependabot[bot] <support@github.com>
 2021-02-01 13:08:50 +01:00
Thibault Ayanides
ed1baa724e IMP: mark some checks as useless 2021-01-25 13:02:52 +01:00
Thibault Ayanides
bd4ddfc398 ADD(3.4.x): add checks and tests 2021-01-25 13:02:52 +01:00
Thibault Ayanides
5a72d986ea IMP(3.1-3.x): add comprehensive tests 2021-01-25 13:02:52 +01:00
Thibault Ayanides
c51513e083 IMP(1.8.1.4-6): add comprehensive tests 2021-01-25 13:02:52 +01:00
Thibault Ayanides
6127f2fe67 IMP(4.2.2.x): improve dealing with default conf 
The default for journald is Compress=yes and ForwardToSyslog=yes
So we check that Compress=no and ForwardToSyslog=no are not in the conf file.
 2021-01-25 13:02:52 +01:00
Thibault Serti
6efefa07ac Update shellcheck workflow 
fix #34
 2021-01-22 14:45:01 +01:00
jeremydenoun
dce926a536 Add default variable to avoid unbound variable 
Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>
 2021-01-22 10:02:44 +01:00
jeremydenoun
0edb837f80 Remove bc dependency 
Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>
 2021-01-22 09:31:53 +01:00
jeremydenoun
1c2e171655 Fix ovh/debian-cis:#25 (#28) 
Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>
 2021-01-21 16:01:34 +01:00
dependabot[bot]
4a652a94c6 Bump EndBug/add-and-commit from v6 to v7 
Bumps [EndBug/add-and-commit](https://github.com/EndBug/add-and-commit) from v6 to v7.
- [Release notes](https://github.com/EndBug/add-and-commit/releases)
- [Changelog](https://github.com/EndBug/add-and-commit/blob/master/CHANGELOG.md)
- [Commits](https://github.com/EndBug/add-and-commit/compare/v6...b3c7c1e078a023d75fb0bd326e02962575ce0519)

Signed-off-by: dependabot[bot] <support@github.com>
 2021-01-18 15:52:46 +01:00
512 changed files with 6715 additions and 3420 deletions
Expand all files Collapse all files

4
.github/workflows/compile-manual.yml vendored
View File

@ -7,10 +7,10 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout repo - name: Checkout repo
uses: actions/checkout@v2 uses: actions/checkout@v4
- name: Produce debian man - name: Produce debian man
run: 'docker run --rm --volume "`pwd`:/data" --user `id -u`:`id -g` pandoc/latex:2.6 MANUAL.md -s -t man > debian/cis-hardening.8' run: 'docker run --rm --volume "`pwd`:/data" --user `id -u`:`id -g` pandoc/latex:2.6 MANUAL.md -s -t man > debian/cis-hardening.8'
- uses: EndBug/add-and-commit@v6 - uses: EndBug/add-and-commit@v9
with: with:
add: 'debian/cis-hardening.8' add: 'debian/cis-hardening.8'
message: 'Regenerate man pages (Github action)' message: 'Regenerate man pages (Github action)'

23
.github/workflows/functionnal-tests.yml vendored
View File

@ -4,17 +4,24 @@ on:
- pull_request - pull_request
- push - push
jobs: jobs:
functionnal-tests-docker-debian9:
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@v2
- name: Run the tests debian9
run: ./tests/docker_build_and_run_tests.sh debian9
functionnal-tests-docker-debian10: functionnal-tests-docker-debian10:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout repo - name: Checkout repo
uses: actions/checkout@v2 uses: actions/checkout@v4
- name: Run the tests debian10 - name: Run the tests debian10
run: ./tests/docker_build_and_run_tests.sh debian10 run: ./tests/docker_build_and_run_tests.sh debian10
functionnal-tests-docker-debian11:
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@v4
- name: Run the tests debian11
run: ./tests/docker_build_and_run_tests.sh debian11
functionnal-tests-docker-debian12:
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@v4
- name: Run the tests debian12
run: ./tests/docker_build_and_run_tests.sh debian12

8
.github/workflows/pre-release.yml vendored
View File

@ -11,7 +11,7 @@ jobs:
steps: steps:
# CHECKOUT CODE # CHECKOUT CODE
- name: Checkout code - name: Checkout code
uses: actions/checkout@v2 uses: actions/checkout@v4
# BUILD THE .DEB PACKAGE # BUILD THE .DEB PACKAGE
- name: Build - name: Build
run: | run: |
@ -21,7 +21,7 @@ jobs:
find ../ -name "*.deb" -exec mv {} cis-hardening.deb \; find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
# DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
- name: Delete the tag latest and the release latest - name: Delete the tag latest and the release latest
uses: dev-drprasad/delete-tag-and-release@v0.1.2 uses: dev-drprasad/delete-tag-and-release@v1.0.1
with: with:
delete_release: true delete_release: true
tag_name: latest tag_name: latest
@ -29,12 +29,12 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# GET LATEST VERSION TAG # GET LATEST VERSION TAG
- name: Get latest version tag - name: Get latest version tag
uses: actions-ecosystem/action-get-latest-tag@v1 uses: actions-ecosystem/action-get-latest-tag@v1.6.0
id: get-latest-tag id: get-latest-tag
# GENERATE CHANGELOG CORRESPONDING TO COMMIT BETWEEN HEAD AND COMPUTED LAST TAG # GENERATE CHANGELOG CORRESPONDING TO COMMIT BETWEEN HEAD AND COMPUTED LAST TAG
- name: Generate changelog - name: Generate changelog
id: changelog id: changelog
uses: metcalfc/changelog-generator@v0.4.4 uses: metcalfc/changelog-generator@v4.2.0
with: with:
myToken: ${{ secrets.GITHUB_TOKEN }} myToken: ${{ secrets.GITHUB_TOKEN }}
head-ref: ${{ github.sha }} head-ref: ${{ github.sha }}

15
.github/workflows/shellcheck_and_shellfmt.yml vendored
View File

@ -4,19 +4,26 @@ on:
- push - push
- pull_request - pull_request
jobs: jobs:
sh-checker: shellfmt:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout repo - name: Checkout repo
uses: actions/checkout@v2 uses: actions/checkout@v4
- name: Run the sh-checker - name: Run the sh-checker
uses: luizm/action-sh-checker@v0.1.10 uses: luizm/action-sh-checker@v0.8.0
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Optional if sh_checker_comment is false. GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Optional if sh_checker_comment is false.
SHELLCHECK_OPTS: --color=always --shell=bash -x --source-path=SCRIPTDIR # Optional: exclude some shellcheck warnings.
SHFMT_OPTS: -l -i 4 -w # Optional: pass arguments to shfmt. SHFMT_OPTS: -l -i 4 -w # Optional: pass arguments to shfmt.
with: with:
sh_checker_shellcheck_disable: true
sh_checker_comment: true sh_checker_comment: true
sh_checker_exclude: | sh_checker_exclude: |
src/ src/
debian/postrm debian/postrm
shellcheck:
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@v4
- name: Run shellcheck
run: ./shellcheck/docker_build_and_run_shellcheck.sh

6
.github/workflows/tagged-release.yml vendored
View File

@ -7,8 +7,6 @@ on:
jobs: jobs:
build: build:
name: Create Release name: Create Release
# only runs on master
if: github.event.base_ref == 'refs/heads/master'
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
# GET VERSION TAG # GET VERSION TAG
@ -17,7 +15,7 @@ jobs:
run: echo ::set-output name=tag::${GITHUB_REF#refs/*/} run: echo ::set-output name=tag::${GITHUB_REF#refs/*/}
# CHECKOUT CODE # CHECKOUT CODE
- name: Checkout code - name: Checkout code
uses: actions/checkout@v2 uses: actions/checkout@v4
with: with:
ref: ${{ steps.vars.outputs.tag }} ref: ${{ steps.vars.outputs.tag }}
# GENERATE CHANGELOG CORRESPONDING TO ENTRY IN DEBIAN/CHANGELOG # GENERATE CHANGELOG CORRESPONDING TO ENTRY IN DEBIAN/CHANGELOG
@ -35,7 +33,7 @@ jobs:
find ../ -name "*.deb" -exec mv {} cis-hardening.deb \; find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
# DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
- name: Delete the tag latest and the release latest - name: Delete the tag latest and the release latest
uses: dev-drprasad/delete-tag-and-release@v0.1.2 uses: dev-drprasad/delete-tag-and-release@v1.0.1
with: with:
delete_release: true delete_release: true
tag_name: latest tag_name: latest

15
MANUAL.md
View File

@ -4,7 +4,7 @@
# NAME # NAME
cis-hardening - CIS Debian 9/10 Hardening cis-hardening - CIS Debian 10/11/12 Hardening
# SYNOPSIS # SYNOPSIS
@ -12,7 +12,7 @@ cis-hardening - CIS Debian 9/10 Hardening
# DESCRIPTION # DESCRIPTION
Modular Debian 9/10 security hardening scripts based on the CIS (https://www.cisecurity.org) recommendations. Modular Debian 10/11/12 security hardening scripts based on the CIS (https://www.cisecurity.org) recommendations.
We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS infrastructure. We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
@ -115,11 +115,20 @@ will create a timestamped backup in this directory.
the -n option instructs sudo not to prompt for a password. the -n option instructs sudo not to prompt for a password.
Finally note that `--sudo` mode only works for audit mode. Finally note that `--sudo` mode only works for audit mode.
`--set-log-level=level`
: This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
Default value is : info
`--batch` `--batch`
: While performing system audit, this option sets LOGLEVEL to 'ok' and : While performing system audit, this option sets LOGLEVEL to 'ok' and
captures all output to print only one line once the check is done, formatted like : captures all output to print only one line once the check is done, formatted like :
OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}] OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
`--allow-unsupported-distribution`
Must be specified manually in the command line to allow the run on non compatible
version or distribution. If you want to mute the warning change the LOGLEVEL
in /etc/hardening.cfg
# AUTHORS # AUTHORS
@ -130,7 +139,7 @@ will create a timestamped backup in this directory.
# COPYRIGHT # COPYRIGHT
Copyright 2020 OVHcloud Copyright 2023 OVHcloud
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.

42
README.md
View File

@ -1,7 +1,4 @@
# :lock: CIS Debian 9/10 Hardening # :lock: CIS Debian 10/11/12 Hardening
:tada: **News**: this projet is back in the game and is from now on maintained. Be free to use and to
report issues if you find any !
<p align="center"> <p align="center">
@ -16,9 +13,12 @@ report issues if you find any !
![License](https://img.shields.io/github/license/ovh/debian-cis) ![License](https://img.shields.io/github/license/ovh/debian-cis)
--- ---
Modular Debian 9/10 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org) Modular Debian 10/11/12 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
recommendations. We use it at [OVHcloud](https://www.ovhcloud.com) to harden our PCI-DSS infrastructure. recommendations. We use it at [OVHcloud](https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
NB : Although Debian 12 CIS Hardening guide is still in development, we do use this set of scripts
in production at OVHcloud on Debian 12 Operating Systems.
```console ```console
$ bin/hardening.sh --audit-all $ bin/hardening.sh --audit-all
[...] [...]
@ -43,9 +43,11 @@ hardening [INFO] Treating /opt/cis-hardening/bin/hardening/6.2.19_check_duplicat
```console ```console
$ git clone https://github.com/ovh/debian-cis.git && cd debian-cis $ git clone https://github.com/ovh/debian-cis.git && cd debian-cis
$ cp debian/default /etc/default/cis-hardening $ cp debian/default /etc/default/cis-hardening
$ sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening $ sed -i "s#CIS_LIB_DIR=.*#CIS_LIB_DIR='$(pwd)'/lib#" /etc/default/cis-hardening
$ bin/hardening/1.1_install_updates.sh --audit-all $ sed -i "s#CIS_CHECKS_DIR=.*#CIS_CHECKS_DIR='$(pwd)'/bin/hardening#" /etc/default/cis-hardening
hardening [INFO] Treating /opt/cis-hardening/bin/hardening/1.1.1.1_disable_freevxfs.sh $ sed -i "s#CIS_CONF_DIR=.*#CIS_CONF_DIR='$(pwd)'/etc#" /etc/default/cis-hardening
$ sed -i "s#CIS_TMP_DIR=.*#CIS_TMP_DIR='$(pwd)'/tmp#" /etc/default/cis-hardening
$ ./bin/hardening/1.1.1.1_disable_freevxfs.sh --audit
1.1.1.1_disable_freevxfs [INFO] Working on 1.1.1.1_disable_freevxfs 1.1.1.1_disable_freevxfs [INFO] Working on 1.1.1.1_disable_freevxfs
1.1.1.1_disable_freevxfs [INFO] [DESCRIPTION] Disable mounting of freevxfs filesystems. 1.1.1.1_disable_freevxfs [INFO] [DESCRIPTION] Disable mounting of freevxfs filesystems.
1.1.1.1_disable_freevxfs [INFO] Checking Configuration 1.1.1.1_disable_freevxfs [INFO] Checking Configuration
@ -117,9 +119,16 @@ to allow a certain kind of services on the machine, such as http, mail, etc.
Can be specified multiple times to allow multiple services. Can be specified multiple times to allow multiple services.
Use --allow-service-list to get a list of supported services. Use --allow-service-list to get a list of supported services.
``--set-log-level <level>``: This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
Default value is : info
``--create-config-files-only``: create the config files in etc/conf.d. Must be run as root, ``--create-config-files-only``: create the config files in etc/conf.d. Must be run as root,
before running the audit with user secaudit, to have the rights setup well on the conf files. before running the audit with user secaudit, to have the rights setup well on the conf files.
``--allow-unsupported-distribution``: must be specified manually in the command line to allow
the run on non compatible version or distribution. If you want to mute the warning change the
LOGLEVEL in /etc/hardening.cfg
## :computer: Hacking ## :computer: Hacking
**Getting the source** **Getting the source**
@ -165,7 +174,7 @@ Functional tests are available. They are to be run in a Docker environment.
$ ./tests/docker_build_and_run_tests.sh <target> [name of test script...] $ ./tests/docker_build_and_run_tests.sh <target> [name of test script...]
``` ```
With `target` being like `debian9` or `debian10`. With `target` being like `debian10` or `debian11`.
Running without script arguments will run all tests in `./tests/hardening/` directory. Running without script arguments will run all tests in `./tests/hardening/` directory.
Or you can specify one or several test script to be run. Or you can specify one or several test script to be run.
@ -237,6 +246,20 @@ built a secure environment. While we use it at OVHcloud to harden our PCI-DSS co
infrastructure, we can not guarantee that it will work for you. It will not infrastructure, we can not guarantee that it will work for you. It will not
magically secure any random host. magically secure any random host.
A word about numbering, implementation and sustainability over time of this repository:
This project is born with the Debian 7 distribution in 2016. Over time, CIS Benchmark PDF
has evolved, changing it's numbering, deleting obsolete checks.
In order to keep retro-compatiblity with the last maintained Debian, the numbering
has not been changed along with the PDF, because the configuration scripts are named after it.
Changing the numbering might break automation for admins using it for years, and handling
this issue without breaking anything would require a huge refactoring.
As a consequence, please do not worry about numbering, the checks are there,
but the numbering accross PDFs might differ.
Please also note that all the check inside CIS Benchmark PDF might not be implemented
in this set of scripts.
We did choose the most relevant to us at OVHcloud, do not hesitate to make a
Pull Request in order to add the missing script you might find relevant for you.
Additionally, quoting the License: Additionally, quoting the License:
> THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY > THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY
@ -250,6 +273,7 @@ Additionally, quoting the License:
> (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS > (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
> SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
## :satellite: Reference ## :satellite: Reference
- **Center for Internet Security**: https://www.cisecurity.org/ - **Center for Internet Security**: https://www.cisecurity.org/

140
bin/hardening.sh
View File

@ -26,6 +26,9 @@ ALLOW_SERVICE_LIST=0
SET_HARDENING_LEVEL=0 SET_HARDENING_LEVEL=0
SUDO_MODE='' SUDO_MODE=''
BATCH_MODE='' BATCH_MODE=''
SUMMARY_JSON=''
ASK_LOGLEVEL=''
ALLOW_UNSUPPORTED_DISTRIBUTION=0
usage() { usage() {
cat <<EOF cat <<EOF
@ -98,11 +101,24 @@ OPTIONS:
the '-n' option instructs sudo not to prompt for a password. the '-n' option instructs sudo not to prompt for a password.
Finally note that '--sudo' mode only works for audit mode. Finally note that '--sudo' mode only works for audit mode.
--set-log-level <level>
This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug or silent.
Default value is : info
--summary-json
While performing system audit, this option sets LOGLEVEL to silent and
only output a json summary at the end
--batch --batch
While performing system audit, this option sets LOGLEVEL to 'ok' and While performing system audit, this option sets LOGLEVEL to 'ok' and
captures all output to print only one line once the check is done, formatted like : captures all output to print only one line once the check is done, formatted like :
OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}] OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
--allow-unsupported-distribution
Must be specified manually in the command line to allow the run on non compatible
version or distribution. If you want to mute the warning change the LOGLEVEL
in /etc/hardening.cfg
EOF EOF
exit 0 exit 0
} }
@ -143,6 +159,10 @@ while [[ $# -gt 0 ]]; do
SET_HARDENING_LEVEL="$2" SET_HARDENING_LEVEL="$2"
shift shift
;; ;;
--set-log-level)
ASK_LOGLEVEL=$2
shift
;;
--only) --only)
TEST_LIST[${#TEST_LIST[@]}]="$2" TEST_LIST[${#TEST_LIST[@]}]="$2"
shift shift
@ -150,9 +170,16 @@ while [[ $# -gt 0 ]]; do
--sudo) --sudo)
SUDO_MODE='--sudo' SUDO_MODE='--sudo'
;; ;;
--summary-json)
SUMMARY_JSON='--summary-json'
ASK_LOGLEVEL=silent
;;
--batch) --batch)
BATCH_MODE='--batch' BATCH_MODE='--batch'
LOGLEVEL=ok ASK_LOGLEVEL=ok
;;
--allow-unsupported-distribution)
ALLOW_UNSUPPORTED_DISTRIBUTION=1
;; ;;
-h | --help) -h | --help)
usage usage
@ -174,26 +201,63 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../debian/default # shellcheck source=../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ] || [ -z "${CIS_CONF_DIR}" ] || [ -z "${CIS_CHECKS_DIR}" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR, CIS_CONF_DIR, CIS_CHECKS_DIR variables, aborting."
exit 128 exit 128
fi fi
# shellcheck source=../lib/constants.sh
[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
# shellcheck source=../etc/hardening.cfg
[ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
# shellcheck source=../lib/common.sh
[ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
# shellcheck source=../lib/utils.sh
[ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh
if [ "$BATCH_MODE" ]; then MACHINE_LOG_LEVEL=3; fi # shellcheck source=../etc/hardening.cfg
[ -r "${CIS_CONF_DIR}"/hardening.cfg ] && . "${CIS_CONF_DIR}"/hardening.cfg
if [ "$ASK_LOGLEVEL" ]; then LOGLEVEL=$ASK_LOGLEVEL; fi
# shellcheck source=../lib/common.sh
[ -r "${CIS_LIB_DIR}"/common.sh ] && . "${CIS_LIB_DIR}"/common.sh
# shellcheck source=../lib/utils.sh
[ -r "${CIS_LIB_DIR}"/utils.sh ] && . "${CIS_LIB_DIR}"/utils.sh
# shellcheck source=../lib/constants.sh
[ -r "${CIS_LIB_DIR}"/constants.sh ] && . "${CIS_LIB_DIR}"/constants.sh
# If we're on a unsupported platform and there is no flag --allow-unsupported-distribution
# print warning, otherwise quit
if [ "$DISTRIBUTION" != "debian" ]; then
echo "Your distribution has been identified as $DISTRIBUTION which is not debian"
if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
echo "Exiting now"
exit 100
elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions !"
echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
fi
else
if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
echo "Your debian version is too recent and is not supported yet because there is no official CIS PDF for this version yet."
if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
echo "Exiting now"
exit 100
elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions !"
echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
fi
elif [ "$DEB_MAJ_VER" -lt "$SMALLEST_SUPPORTED_DEBIAN_VERSION" ]; then
echo "Your debian version is deprecated and is no more maintained. Please upgrade to a supported version."
if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
echo "Exiting now"
exit 100
elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions, especially on deprecated ones !"
echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
fi
fi
fi
# If --allow-service-list is specified, don't run anything, just list the supported services # If --allow-service-list is specified, don't run anything, just list the supported services
if [ "$ALLOW_SERVICE_LIST" = 1 ]; then if [ "$ALLOW_SERVICE_LIST" = 1 ]; then
declare -a HARDENING_EXCEPTIONS_LIST declare -a HARDENING_EXCEPTIONS_LIST
for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do for SCRIPT in $(find "${CIS_CHECKS_DIR}"/ -name "*.sh" | sort -V); do
template=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2) template=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2)
[ -n "$template" ] && HARDENING_EXCEPTIONS_LIST[${#HARDENING_EXCEPTIONS_LIST[@]}]="$template" [ -n "$template" ] && HARDENING_EXCEPTIONS_LIST[${#HARDENING_EXCEPTIONS_LIST[@]}]="$template"
done done
@ -208,7 +272,7 @@ if [ -n "$SET_HARDENING_LEVEL" ] && [ "$SET_HARDENING_LEVEL" != 0 ]; then
exit 1 exit 1
fi fi
for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do for SCRIPT in $(find "${CIS_CHECKS_DIR}"/ -name "*.sh" | sort -V); do
SCRIPT_BASENAME=$(basename "$SCRIPT" .sh) SCRIPT_BASENAME=$(basename "$SCRIPT" .sh)
script_level=$(grep "^HARDENING_LEVEL=" "$SCRIPT" | cut -d= -f2) script_level=$(grep "^HARDENING_LEVEL=" "$SCRIPT" | cut -d= -f2)
if [ -z "$script_level" ]; then if [ -z "$script_level" ]; then
@ -217,7 +281,7 @@ if [ -n "$SET_HARDENING_LEVEL" ] && [ "$SET_HARDENING_LEVEL" != 0 ]; then
fi fi
wantedstatus=disabled wantedstatus=disabled
[ "$script_level" -le "$SET_HARDENING_LEVEL" ] && wantedstatus=enabled [ "$script_level" -le "$SET_HARDENING_LEVEL" ] && wantedstatus=enabled
sed -i -re "s/^status=.+/status=$wantedstatus/" "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg" sed -i -re "s/^status=.+/status=$wantedstatus/" "${CIS_CONF_DIR}/conf.d/$SCRIPT_BASENAME.cfg"
done done
echo "Configuration modified to enable scripts for hardening level at or below $SET_HARDENING_LEVEL" echo "Configuration modified to enable scripts for hardening level at or below $SET_HARDENING_LEVEL"
exit 0 exit 0
@ -229,13 +293,13 @@ if [ "$CREATE_CONFIG" = 1 ] && [ "$EUID" -ne 0 ]; then
fi fi
# Parse every scripts and execute them in the required mode # Parse every scripts and execute them in the required mode
for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do for SCRIPT in $(find "${CIS_CHECKS_DIR}"/ -name "*.sh" | sort -V); do
if [ "${#TEST_LIST[@]}" -gt 0 ]; then if [ "${#TEST_LIST[@]}" -gt 0 ]; then
# --only X has been specified at least once, is this script in my list ? # --only X has been specified at least once, is this script in my list ?
SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename "$SCRIPT")") SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename "$SCRIPT")")
# shellcheck disable=SC2001 # shellcheck disable=SC2001
SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX") SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX")
if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<<"${TEST_LIST[@]}"; then if ! grep -qE "(^|[[:space:]])$SCRIPT_PREFIX_RE([[:space:]]|$)" <<<"${TEST_LIST[@]}"; then
# not in the list # not in the list
continue continue
fi fi
@ -243,20 +307,20 @@ for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
info "Treating $SCRIPT" info "Treating $SCRIPT"
if [ "$CREATE_CONFIG" = 1 ]; then if [ "$CREATE_CONFIG" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only" debug "$SCRIPT --create-config-files-only"
"$SCRIPT" --create-config-files-only "$BATCH_MODE" LOGLEVEL=$LOGLEVEL "$SCRIPT" --create-config-files-only "$BATCH_MODE"
elif [ "$AUDIT" = 1 ]; then elif [ "$AUDIT" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE" debug "$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
"$SCRIPT" --audit "$SUDO_MODE" "$BATCH_MODE" LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit "$SUDO_MODE" "$BATCH_MODE"
elif [ "$AUDIT_ALL" = 1 ]; then elif [ "$AUDIT_ALL" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE" debug "$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
"$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE" LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
elif [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then elif [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE" debug "$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
"$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE" LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
elif [ "$APPLY" = 1 ]; then elif [ "$APPLY" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT" debug "$SCRIPT"
"$SCRIPT" LOGLEVEL=$LOGLEVEL "$SCRIPT"
fi fi
SCRIPT_EXITCODE=$? SCRIPT_EXITCODE=$?
@ -268,8 +332,8 @@ for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
PASSED_CHECKS=$((PASSED_CHECKS + 1)) PASSED_CHECKS=$((PASSED_CHECKS + 1))
if [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then if [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
SCRIPT_BASENAME=$(basename "$SCRIPT" .sh) SCRIPT_BASENAME=$(basename "$SCRIPT" .sh)
sed -i -re 's/^status=.+/status=enabled/' "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg" sed -i -re 's/^status=.+/status=enabled/' "${CIS_CONF_DIR}/conf.d/$SCRIPT_BASENAME.cfg"
info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg" info "Status set to enabled in ${CIS_CONF_DIR}/conf.d/$SCRIPT_BASENAME.cfg"
fi fi
;; ;;
1) 1)
@ -294,12 +358,24 @@ if [ "$BATCH_MODE" ]; then
BATCH_SUMMARY+="RUN_CHECKS:${TOTAL_TREATED_CHECKS:-0} " BATCH_SUMMARY+="RUN_CHECKS:${TOTAL_TREATED_CHECKS:-0} "
BATCH_SUMMARY+="TOTAL_CHECKS_AVAIL:${TOTAL_CHECKS:-0}" BATCH_SUMMARY+="TOTAL_CHECKS_AVAIL:${TOTAL_CHECKS:-0}"
if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100") CONFORMITY_PERCENTAGE=$(div $((PASSED_CHECKS * 100)) $TOTAL_TREATED_CHECKS)
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%s" "$CONFORMITY_PERCENTAGE")" BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%s" "$CONFORMITY_PERCENTAGE")"
else else
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0 BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
fi fi
becho "$BATCH_SUMMARY" becho "$BATCH_SUMMARY"
elif [ "$SUMMARY_JSON" ]; then
if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
CONFORMITY_PERCENTAGE=$(div $((PASSED_CHECKS * 100)) $TOTAL_TREATED_CHECKS)
else
CONFORMITY_PERCENTAGE=0 # No check runned, avoid division by 0
fi
printf '{'
printf '"available_checks": %s, ' "$TOTAL_CHECKS"
printf '"run_checks": %s, ' "$TOTAL_TREATED_CHECKS"
printf '"passed_checks": %s, ' "$PASSED_CHECKS"
printf '"conformity_percentage": %s' "$CONFORMITY_PERCENTAGE"
printf '}\n'
else else
printf "%40s\n" "################### SUMMARY ###################" printf "%40s\n" "################### SUMMARY ###################"
printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS" printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
@ -307,8 +383,8 @@ else
printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS" printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS" printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
ENABLED_CHECKS_PERCENTAGE=$(bc -l <<<"scale=2; ($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100") ENABLED_CHECKS_PERCENTAGE=$(div $((TOTAL_TREATED_CHECKS * 100)) $TOTAL_CHECKS)
CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100") CONFORMITY_PERCENTAGE=$(div $((PASSED_CHECKS * 100)) $TOTAL_TREATED_CHECKS)
printf "%30s %s %%\n" "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE" printf "%30s %s %%\n" "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE"
if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
printf "%30s %s %%\n" "Conformity Percentage :" "$CONFORMITY_PERCENTAGE" printf "%30s %s %%\n" "Conformity Percentage :" "$CONFORMITY_PERCENTAGE"

34
bin/hardening/1.1.1.1_disable_freevxfs.sh
View File

@ -17,28 +17,36 @@ HARDENING_LEVEL=2
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Disable mounting of freevxfs filesystems." DESCRIPTION="Disable mounting of freevxfs filesystems."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_VXFS_FS" KERNEL_OPTION="CONFIG_VXFS_FS"
MODULE_NAME="freevxfs" MODULE_NAME="freevxfs"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
if [ "$IS_CONTAINER" -eq 1 ]; then
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!" crit "$MODULE_NAME is enabled!"
else else
ok "$KERNEL_OPTION is disabled" ok "$MODULE_NAME is disabled"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
is_kernel_option_enabled "$KERNEL_OPTION" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" ok "Container detected, consider host enforcing!"
else else
ok "$KERNEL_OPTION is disabled, nothing to do" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }
@ -52,17 +60,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

38
bin/hardening/1.1.1.2_disable_jffs2.sh
View File

@ -17,28 +17,36 @@ HARDENING_LEVEL=2
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Disable mounting of jffs2 filesystems." DESCRIPTION="Disable mounting of jffs2 filesystems."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_JFFS2_FS" KERNEL_OPTION="CONFIG_JFFS2_FS"
MODULE_NAME="jffs2" MODULE_NAME="jffs2"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
crit "$KERNEL_OPTION is enabled!" ok "Container detected, consider host enforcing or disable this check!"
else else
ok "$KERNEL_OPTION is disabled" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
is_kernel_option_enabled "$KERNEL_OPTION" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" ok "Container detected, consider host enforcing!"
else else
ok "$KERNEL_OPTION is disabled, nothing to do" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }
@ -52,17 +60,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

40
bin/hardening/1.1.1.3_disable_hfs.sh
View File

@ -17,28 +17,36 @@ HARDENING_LEVEL=2
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Disable mounting of hfs filesystems." DESCRIPTION="Disable mounting of hfs filesystems."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_HFS_FS" KERNEL_OPTION="CONFIG_HFS_FS"
MODULE_FILE="hfs" MODULE_NAME="hfs"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
crit "$KERNEL_OPTION is enabled!" ok "Container detected, consider host enforcing or disable this check!"
else else
ok "$KERNEL_OPTION is disabled" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
is_kernel_option_enabled "$KERNEL_OPTION" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" ok "Container detected, consider host enforcing!"
else else
ok "$KERNEL_OPTION is disabled, nothing to do" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }
@ -52,17 +60,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

40
bin/hardening/1.1.1.4_disable_hfsplus.sh
View File

@ -17,28 +17,36 @@ HARDENING_LEVEL=2
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Disable mounting of hfsplus filesystems." DESCRIPTION="Disable mounting of hfsplus filesystems."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_HFSPLUS_FS" KERNEL_OPTION="CONFIG_HFSPLUS_FS"
MODULE_FILE="hfsplus" MODULE_NAME="hfsplus"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
crit "$KERNEL_OPTION is enabled!" ok "Container detected, consider host enforcing or disable this check!"
else else
ok "$KERNEL_OPTION is disabled" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
is_kernel_option_enabled "$KERNEL_OPTION" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" ok "Container detected, consider host enforcing!"
else else
ok "$KERNEL_OPTION is disabled, nothing to do" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }
@ -52,17 +60,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

42
bin/hardening/1.1.1.5_disable_squashfs.sh
View File

@ -17,31 +17,37 @@ HARDENING_LEVEL=2
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Disable mounting of squashfs filesytems." DESCRIPTION="Disable mounting of squashfs filesytems."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_SQUASHFS" KERNEL_OPTION="CONFIG_SQUASHFS"
MODULE_FILE="squashfs" MODULE_NAME="squashfs"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
crit "$KERNEL_OPTION is enabled!" ok "Container detected, consider host enforcing or disable this check!"
else else
ok "$KERNEL_OPTION is disabled" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
:
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
is_kernel_option_enabled "$KERNEL_OPTION" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" ok "Container detected, consider host enforcing!"
else else
ok "$KERNEL_OPTION is disabled, nothing to do" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
:
} }
# This function will check config parameters required # This function will check config parameters required
@ -54,17 +60,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

40
bin/hardening/1.1.1.6_disable_udf.sh
View File

@ -17,28 +17,36 @@ HARDENING_LEVEL=2
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Disable mounting of udf filesystems." DESCRIPTION="Disable mounting of udf filesystems."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_UDF_FS" KERNEL_OPTION="CONFIG_UDF_FS"
MODULE_FILE="udf" MODULE_NAME="udf"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
crit "$KERNEL_OPTION is enabled!" ok "Container detected, consider host enforcing or disable this check!"
else else
ok "$KERNEL_OPTION is disabled" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
is_kernel_option_enabled "$KERNEL_OPTION" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" ok "Container detected, consider host enforcing!"
else else
ok "$KERNEL_OPTION is disabled, nothing to do" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }
@ -52,17 +60,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

11
bin/hardening/1.1.1.7_restrict_fat.sh
View File

@ -24,6 +24,7 @@ MODULE_FILE="vfat"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
# TODO check if uefi enabled if yes check if only boot partition use FAT
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!" crit "$KERNEL_OPTION is enabled!"
@ -52,17 +53,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

76
bin/hardening/1.1.1.8_disable_cramfs.sh Executable file
View File

@ -0,0 +1,76 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.1.1 Ensure Mounting of cramfs filesystems is disabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable mounting of cramfs filesystems."
KERNEL_OPTION="CONFIG_CRAMFS"
MODULE_NAME="cramfs"
# This function will be called if the script status is on enabled / audit mode
audit() {
if [ "$IS_CONTAINER" -eq 1 ]; then
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$IS_CONTAINER" -eq 1 ]; then
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "${CIS_LIB_DIR}"/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128
fi

10
bin/hardening/1.1.10_var_tmp_noexec.sh
View File

@ -76,17 +76,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

92
bin/hardening/1.1.11.1_var_log_noexec.sh Executable file
View File

@ -0,0 +1,92 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.11.1 Ensure noexec option set on /var/log partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="/var/log partition with noexec option."
# Quick factoring as many script use the same logic
PARTITION="/var/log"
OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "${CIS_LIB_DIR}"/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128
fi

92
bin/hardening/1.1.11.2_var_log_nosuid.sh Executable file
View File

@ -0,0 +1,92 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.11.2 Ensure nosuid option set on /var/log partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/var/log partition with nosuid option."
# Quick factoring as many script use the same logic
PARTITION="/var/log"
OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "${CIS_LIB_DIR}"/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128
fi

92
bin/hardening/1.1.11.3_var_log_nodev.sh Executable file
View File

@ -0,0 +1,92 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.11.3 ensure nodev option set on /var/log partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/var/log partition with nodev option."
# Quick factoring as many script use the same logic
PARTITION="/var/log"
OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "${CIS_LIB_DIR}"/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128
fi

10
bin/hardening/1.1.11_var_log_partition.sh
View File

@ -63,17 +63,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

92
bin/hardening/1.1.12.1_var_log_audit_noexec.sh Executable file
View File

@ -0,0 +1,92 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.12.1 Ensure noexec option set on /var/log/audit partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="/var/log/audit partition with noexec option."
# Quick factoring as many script use the same logic
PARTITION="/var/log/audit"
OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "${CIS_LIB_DIR}"/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128
fi

92
bin/hardening/1.1.12.2_var_log_audit_nosuid.sh Executable file
View File

@ -0,0 +1,92 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.12.2 Ensure nosuid option set on /var/log/audit partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/var/log/audit partition with nosuid option."
# Quick factoring as many script use the same logic
PARTITION="/var/log/audit"
OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "${CIS_LIB_DIR}"/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128
fi

92
bin/hardening/1.1.12.3_var_log_audit_nodev.sh Executable file
View File

@ -0,0 +1,92 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.12.3 Ensure nodev option set on /var/log/audit partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/var/log/audit partition with nodev option."
# Quick factoring as many script use the same logic
PARTITION="/var/log/audit"
OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "${CIS_LIB_DIR}"/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128
fi

10
bin/hardening/1.1.12_var_log_audit_partition.sh
View File

@ -63,17 +63,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/1.1.13_home_partition.sh
View File

@ -63,17 +63,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

92
bin/hardening/1.1.14.1_home_nosuid.sh Executable file
View File

@ -0,0 +1,92 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.14.1 Ensure nosuid option set on /home partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/home partition with nosuid option."
# Quick factoring as many script use the same logic
PARTITION="/home"
OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "${CIS_LIB_DIR}"/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128
fi

10
bin/hardening/1.1.14_home_nodev.sh
View File

@ -76,17 +76,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

14
bin/hardening/1.1.15_run_shm_nodev.sh
View File

@ -24,7 +24,11 @@ OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
if [ -e "$PARTITION" ]; then
PARTITION=$(readlink -e "$PARTITION") PARTITION=$(readlink -e "$PARTITION")
else
PARTITION="/dev/shm"
fi
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
@ -77,17 +81,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

14
bin/hardening/1.1.16_run_shm_nosuid.sh
View File

@ -24,7 +24,11 @@ OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
if [ -e "$PARTITION" ]; then
PARTITION=$(readlink -e "$PARTITION") PARTITION=$(readlink -e "$PARTITION")
else
PARTITION="/dev/shm"
fi
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
@ -77,17 +81,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

14
bin/hardening/1.1.17_run_shm_noexec.sh
View File

@ -24,7 +24,11 @@ OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
if [ -e "$PARTITION" ]; then
PARTITION=$(readlink -e "$PARTITION") PARTITION=$(readlink -e "$PARTITION")
else
PARTITION="/dev/shm"
fi
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
@ -77,17 +81,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/1.1.18_removable_device_nodev.sh
View File

@ -64,17 +64,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/1.1.19_removable_device_nosuid.sh
View File

@ -64,17 +64,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/1.1.20_removable_device_noexec.sh
View File

@ -64,17 +64,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

45
bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
View File

@ -17,12 +17,32 @@ HARDENING_LEVEL=2
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them." DESCRIPTION="Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them."
EXCEPTIONS=''
# find emits following error if directory or file disappear during
# tree traversal: find: /tmp/xxx: No such file or directory
FIND_IGNORE_NOSUCHFILE_ERR=false
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
info "Checking if setuid is set on world writable Directories" info "Checking if setuid is set on world writable Directories"
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}') if [ -n "$EXCEPTIONS" ]; then
# maybe EXCEPTIONS allow us to filter out some FS
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCEPTIONS")
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=SC2086 # shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null) RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
else
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
fi
if [ -n "$RESULT" ]; then if [ -n "$RESULT" ]; then
crit "Some world writable directories are not on sticky bit mode!" crit "Some world writable directories are not on sticky bit mode!"
# shellcheck disable=SC2001 # shellcheck disable=SC2001
@ -35,9 +55,16 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null) if [ -n "$EXCEPTIONS" ]; then
# shellcheck disable=SC2086
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCEPTIONS" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex "$EXCEPTIONS" -print 2>/dev/null)
else
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
fi
if [ -n "$RESULT" ]; then if [ -n "$RESULT" ]; then
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t warn "Setting sticky bit on world writable directories"
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d -perm -0002 2>/dev/null | xargs chmod a+t
else else
ok "All world writable directories have a sticky bit, nothing to apply" ok "All world writable directories have a sticky bit, nothing to apply"
fi fi
@ -54,17 +81,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/1.1.22_disable_automounting.sh
View File

@ -52,17 +52,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

38
bin/hardening/1.1.23_disable_usb_storage.sh
View File

@ -20,25 +20,35 @@ DESCRIPTION="Disable USB storage."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels # Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_USB_STORAGE" KERNEL_OPTION="CONFIG_USB_STORAGE"
MODULE_FILE="usb-storage" MODULE_NAME="usb-storage"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
crit "$KERNEL_OPTION is enabled!" ok "Container detected, consider host enforcing or disable this check!"
else else
ok "$KERNEL_OPTION is disabled" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
is_kernel_option_enabled "$KERNEL_OPTION" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" ok "Container detected, consider host enforcing!"
else else
ok "$KERNEL_OPTION is disabled, nothing to do" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }
@ -52,17 +62,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/1.1.2_tmp_partition.sh
View File

@ -63,17 +63,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/1.1.3_tmp_nodev.sh
View File

@ -76,17 +76,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/1.1.4_tmp_nosuid.sh
View File

@ -76,17 +76,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/1.1.5_tmp_noexec.sh
View File

@ -76,17 +76,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

92
bin/hardening/1.1.6.1_var_nodev.sh Executable file
View File

@ -0,0 +1,92 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.6.1 Ensure nodev option set for /var Partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/var partition with nodev option."
# Quick factoring as many script use the same logic
PARTITION="/var"
OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "${CIS_LIB_DIR}"/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128
fi

92
bin/hardening/1.1.6.2_var_nosuid.sh Executable file
View File

@ -0,0 +1,92 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.6.2 Ensure nosuid option set for /var Partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/var partition with nosuid option."
# Quick factoring as many script use the same logic
PARTITION="/var"
OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "${CIS_LIB_DIR}"/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128
fi

10
bin/hardening/1.1.6_var_partition.sh
View File

@ -65,17 +65,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/1.1.7_var_tmp_partition.sh
View File

@ -65,17 +65,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/1.1.8_var_tmp_nodev.sh
View File

@ -76,17 +76,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/1.1.9_var_tmp_nosuid.sh
View File

@ -76,17 +76,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/1.3.1_install_sudo.sh
View File

@ -50,17 +50,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/1.3.2_pty_sudo.sh
View File

@ -64,17 +64,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/1.3.3_logfile_sudo.sh
View File

@ -64,17 +64,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/1.4.1_install_tripwire.sh
View File

@ -53,17 +53,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/1.4.2_tripwire_cron.sh
View File

@ -68,17 +68,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

25
bin/hardening/1.5.1_bootloader_ownership.sh
View File

@ -23,6 +23,7 @@ FILE='/boot/grub/grub.cfg'
USER='root' USER='root'
GROUP='root' GROUP='root'
PERMISSIONS='400' PERMISSIONS='400'
PERMISSIONSOK='400 600'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
@ -33,7 +34,7 @@ audit() {
crit "$FILE ownership was not set to $USER:$GROUP" crit "$FILE ownership was not set to $USER:$GROUP"
fi fi
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
@ -51,7 +52,7 @@ apply() {
chown "$USER":"$GROUP" "$FILE" chown "$USER":"$GROUP" "$FILE"
fi fi
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
@ -63,25 +64,25 @@ apply() {
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
is_pkg_installed "grub-pc" is_pkg_installed "grub-common"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "Grub is not installed, not handling configuration" warn "Grub is not installed, not handling configuration"
exit 128 exit 2
fi fi
does_user_exist "$USER" does_user_exist "$USER"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$USER does not exist" crit "$USER does not exist"
exit 128 exit 2
fi fi
does_group_exist "$GROUP" does_group_exist "$GROUP"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$GROUP does not exist" crit "$GROUP does not exist"
exit 128 exit 2
fi fi
does_file_exist "$FILE" does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
exit 128 exit 2
fi fi
} }
@ -90,17 +91,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

19
bin/hardening/1.5.2_bootloader_password.sh
View File

@ -51,19 +51,18 @@ apply() {
else else
ok "$PWD_PATTERN is present in $FILE" ok "$PWD_PATTERN is present in $FILE"
fi fi
:
} }
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
is_pkg_installed "grub-pc" is_pkg_installed "grub-common"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "grub-pc is not installed, not handling configuration" warn "Grub is not installed, not handling configuration"
exit 128 exit 2
fi fi
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
exit 128 exit 2
fi fi
} }
@ -72,17 +71,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

11
bin/hardening/1.5.3_root_password.sh
View File

@ -38,7 +38,6 @@ apply() {
else else
ok "$PATTERN is not present in $FILE" ok "$PATTERN is not present in $FILE"
fi fi
:
} }
# This function will check config parameters required # This function will check config parameters required
@ -51,17 +50,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

18
bin/hardening/1.6.1_enable_nx_support.sh
View File

@ -35,6 +35,9 @@ nx_supported_and_enabled() {
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
if [ "$IS_CONTAINER" -eq 1 ]; then
ok "Container detected, cannot read dmesg!"
else
does_pattern_exist_in_dmesg "$PATTERN" does_pattern_exist_in_dmesg "$PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
nx_supported_and_enabled nx_supported_and_enabled
@ -46,10 +49,14 @@ audit() {
else else
ok "$PATTERN is present in dmesg" ok "$PATTERN is present in dmesg"
fi fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
if [ "$IS_CONTAINER" -eq 1 ]; then
ok "Container detected, cannot read dmesg!"
else
does_pattern_exist_in_dmesg "$PATTERN" does_pattern_exist_in_dmesg "$PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
nx_supported_and_enabled nx_supported_and_enabled
@ -61,6 +68,7 @@ apply() {
else else
ok "$PATTERN is present in dmesg" ok "$PATTERN is present in dmesg"
fi fi
fi
} }
# This function will check config parameters required # This function will check config parameters required
@ -73,17 +81,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/1.6.2_enable_randomized_vm_placement.sh
View File

@ -55,17 +55,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

69
bin/hardening/1.6.3.1_disable_apport.sh Executable file
View File

@ -0,0 +1,69 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.6.3.1 Ensure apport is disabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable apport to avoid confidential data leaks."
PACKAGE='apport'
# This function will be called if the script status is on enabled / audit mode
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!"
else
ok "$PACKAGE is absent"
fi
:
}
# This function will be called if the script status is on enabled mode
apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge "$PACKAGE" -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
:
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "${CIS_LIB_DIR}"/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128
fi

10
bin/hardening/1.6.3_disable_prelink.sh
View File

@ -54,17 +54,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

12
bin/hardening/1.6.4_restrict_core_dumps.sh
View File

@ -29,7 +29,7 @@ audit() {
LIMIT_FILES="" LIMIT_FILES=""
if $SUDO_CMD [ -d "$LIMIT_DIR" ]; then if $SUDO_CMD [ -d "$LIMIT_DIR" ]; then
for file in $($SUDO_CMD ls "$LIMIT_DIR"/*.conf 2>/dev/null); do for file in $($SUDO_CMD ls "$LIMIT_DIR"/*.conf 2>/dev/null); do
LIMIT_FILES="$LIMIT_FILES $LIMIT_DIR/$file" LIMIT_FILES="$LIMIT_FILES $file"
done done
fi fi
debug "Files to search $LIMIT_FILE $LIMIT_FILES" debug "Files to search $LIMIT_FILE $LIMIT_FILES"
@ -87,17 +87,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/1.7.1.1_install_apparmor.sh
View File

@ -54,17 +54,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

33
bin/hardening/1.7.1.2_enable_apparmor.sh
View File

@ -21,15 +21,27 @@ PACKAGES='apparmor apparmor-utils'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
ERROR=0
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is absent!" crit "$PACKAGE is absent!"
ERROR=1
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
fi fi
done done
if [ "$ERROR" = 0 ]; then
is_pkg_installed "grub-common"
if [ "$FNRET" != 0 ]; then
if [ "$IS_CONTAINER" -eq 1 ]; then
ok "Grub is not installed in container"
else
warn "Grub is not installed"
exit 128
fi
else
ERROR=0 ERROR=0
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg) RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
@ -48,6 +60,8 @@ audit() {
ok "$PACKAGES are configured" ok "$PACKAGES are configured"
fi fi
fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
@ -62,6 +76,14 @@ apply() {
fi fi
done done
is_pkg_installed "grub-pc"
if [ "$FNRET" != 0 ]; then
if [ "$IS_CONTAINER" -eq 1 ]; then
ok "Grub is not installed in container"
else
warn "You should use grub. Install it yourself"
fi
else
ERROR=0 ERROR=0
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg) RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
@ -83,6 +105,7 @@ apply() {
else else
ok "$PACKAGES are configured" ok "$PACKAGES are configured"
fi fi
fi
} }
# This function will check config parameters required # This function will check config parameters required
@ -95,17 +118,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

16
bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
View File

@ -21,15 +21,17 @@ PACKAGES='apparmor apparmor-utils'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
ERROR=0
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is absent!" crit "$PACKAGE is absent!"
ERROR=1
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
fi fi
done done
if [ "$ERROR" = 0 ]; then
RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined") RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
if [ -n "$RESULT_UNCONFINED" ]; then if [ -n "$RESULT_UNCONFINED" ]; then
@ -38,6 +40,7 @@ audit() {
else else
crit "Some processes are unconfined while they have defined profile" crit "Some processes are unconfined while they have defined profile"
fi fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
@ -46,6 +49,7 @@ apply() {
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGES is absent!" crit "$PACKAGES is absent!"
apt_install "$PACKAGE"
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
fi fi
@ -71,17 +75,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

24
bin/hardening/1.7.1.4_enforcing_apparmor.sh
View File

@ -21,17 +21,19 @@ PACKAGES='apparmor apparmor-utils'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
ERROR=0
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is absent!" crit "$PACKAGE is absent!"
ERROR=1
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
fi fi
done done
if [ "$ERROR" = 0 ]; then
RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined") RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined" || true)
RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode.") RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode." || true)
if [ -n "$RESULT_UNCONFINED" ]; then if [ -n "$RESULT_UNCONFINED" ]; then
ok "No profiles are unconfined" ok "No profiles are unconfined"
@ -44,6 +46,7 @@ audit() {
else else
crit "Some processes are in complain mode" crit "Some processes are in complain mode"
fi fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
@ -52,13 +55,14 @@ apply() {
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is absent!" crit "$PACKAGE is absent!"
apt_install "$PACKAGE"
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
fi fi
done done
RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined") RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined" || true)
RESULT_COMPLAIN=$(apparmor_status | grep "^0 profiles are in complain mode.") RESULT_COMPLAIN=$(apparmor_status | grep "^0 profiles are in complain mode." || true)
if [ -n "$RESULT_UNCONFINED" ]; then if [ -n "$RESULT_UNCONFINED" ]; then
ok "No profiles are unconfined" ok "No profiles are unconfined"
@ -85,17 +89,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/1.8.1.1_remove_os_info_motd.sh
View File

@ -51,17 +51,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/1.8.1.2_remove_os_info_issue.sh
View File

@ -51,17 +51,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/1.8.1.3_remove_os_info_issue_net.sh
View File

@ -51,17 +51,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/1.8.1.4_motd_perms.sh
View File

@ -76,17 +76,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/1.8.1.5_etc_issue_perms.sh
View File

@ -76,17 +76,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/1.8.1.6_etc_issue_net_perms.sh
View File

@ -76,17 +76,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/1.8.2_graphical_warning_banners.sh
View File

@ -37,17 +37,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/1.9_install_updates.sh
View File

@ -53,17 +53,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/2.1.1_disable_xinetd.sh
View File

@ -51,17 +51,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/2.1.2_disable_bsd_inetd.sh
View File

@ -55,17 +55,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

12
bin/hardening/2.2.1.1_use_time_sync.sh
View File

@ -17,7 +17,7 @@ HARDENING_LEVEL=3
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Ensure time synchronization is in use" DESCRIPTION="Ensure time synchronization is in use"
PACKAGES="ntp chrony" PACKAGES="systemd-timesyncd ntp chrony"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
@ -49,17 +49,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

14
bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh
View File

@ -21,8 +21,8 @@ SERVICE_NAME="systemd-timesyncd"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_service_enabled "$SERVICE_NAME" status=$(systemctl is-enabled "$SERVICE_NAME")
if [ "$FNRET" = 0 ]; then if [ "$status" = "enabled" ]; then
ok "$SERVICE_NAME is enabled" ok "$SERVICE_NAME is enabled"
else else
crit "$SERVICE_NAME is disabled" crit "$SERVICE_NAME is disabled"
@ -44,17 +44,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

22
bin/hardening/2.2.1.3_configure_chrony.sh
View File

@ -25,18 +25,12 @@ CONF_FILE='/etc/chrony/chrony.conf'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed, checking configuration"
does_pattern_exist_in_file "$CONF_FILE" "$CONF_DEFAULT_PATTERN" does_pattern_exist_in_file "$CONF_FILE" "$CONF_DEFAULT_PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE" crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE"
else else
ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE" ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE"
fi fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
@ -46,7 +40,11 @@ apply() {
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
warn "$PACKAGE is not installed, not handling configuration"
exit 2
fi
} }
# Source Root Dir Parameter # Source Root Dir Parameter
@ -54,17 +52,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

24
bin/hardening/2.2.1.4_configure_ntp.sh
View File

@ -20,18 +20,13 @@ DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters an
HARDENING_EXCEPTION=ntp HARDENING_EXCEPTION=ntp
PACKAGE='ntp' PACKAGE='ntp'
NTP_CONF_DEFAULT_PATTERN='^restrict -4 default (kod nomodify notrap nopeer noquery|ignore)' NTP_CONF_DEFAULT_PATTERN='^restrict -4 default (kod nomodify notrap nopeer noquery|kod notrap nomodify nopeer noquery|ignore)'
NTP_CONF_FILE='/etc/ntp.conf' NTP_CONF_FILE='/etc/ntp.conf'
NTP_INIT_PATTERN='RUNASUSER=ntp' NTP_INIT_PATTERN='RUNASUSER=ntp'
NTP_INIT_FILE='/etc/init.d/ntp' NTP_INIT_FILE='/etc/init.d/ntp'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed, checking configuration"
does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN" does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE" crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
@ -44,7 +39,6 @@ audit() {
else else
ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE" ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
fi fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
@ -77,7 +71,11 @@ apply() {
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
warn "$PACKAGE is not installed, not handling configuration"
exit 2
fi
} }
# Source Root Dir Parameter # Source Root Dir Parameter
@ -85,17 +83,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/2.2.10_disable_http_server.sh
View File

@ -58,17 +58,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/2.2.11_disable_imap_pop.sh
View File

@ -58,17 +58,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/2.2.12_disable_samba.sh
View File

@ -71,17 +71,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/2.2.13_disable_http_proxy.sh
View File

@ -57,17 +57,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/2.2.14_disable_snmp_server.sh
View File

@ -57,17 +57,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

23
bin/hardening/2.2.15_mta_localhost.sh
View File

@ -21,6 +21,11 @@ HARDENING_EXCEPTION=mail
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_pkg_installed net-tools
if [ "$FNRET" != 0 ]; then
warn "netstat not installed, cannot execute check"
exit 2
else
info "Checking netport ports opened" info "Checking netport ports opened"
RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || : RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
RESULT=${RESULT:-} RESULT=${RESULT:-}
@ -35,10 +40,16 @@ audit() {
crit "MTA listens worldwide" crit "MTA listens worldwide"
fi fi
fi fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
is_pkg_installed net-tools
if [ "$FNRET" != 0 ]; then
warn "netstat not installed, cannot execute check"
exit 2
else
info "Checking netport ports opened" info "Checking netport ports opened"
RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || : RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
RESULT=${RESULT:-} RESULT=${RESULT:-}
@ -53,7 +64,7 @@ apply() {
warn "MTA listens worldwide, correct this considering your MTA" warn "MTA listens worldwide, correct this considering your MTA"
fi fi
fi fi
: fi
} }
# This function will check config parameters required # This function will check config parameters required
@ -66,17 +77,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/2.2.16_disable_rsync.sh
View File

@ -68,17 +68,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

32
bin/hardening/2.2.17_disable_nis.sh
View File

@ -17,14 +17,32 @@ HARDENING_LEVEL=3
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Disable NIS Server." DESCRIPTION="Disable NIS Server."
PACKAGES='nis'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
: for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!"
else
ok "$PACKAGE is absent"
fi
done
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
: for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge "$PACKAGE" -y
apt-get autoremove -y
else
ok "$PACKAGE is absent"
fi
done
} }
# This function will check config parameters required # This function will check config parameters required
@ -37,17 +55,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/2.2.2_disable_xwindow_system.sh
View File

@ -58,17 +58,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/2.2.3_disable_avahi_server.sh
View File

@ -55,17 +55,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/2.2.4_disable_print_server.sh
View File

@ -57,17 +57,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/2.2.5_disable_dhcp.sh
View File

@ -57,17 +57,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/2.2.6_disable_ldap.sh
View File

@ -57,17 +57,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/2.2.7_disable_nfs_rpc.sh
View File

@ -57,17 +57,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/2.2.8_disable_dns_server.sh
View File

@ -57,17 +57,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/2.2.9_disable_ftp.sh
View File

@ -58,17 +58,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/2.3.1_disable_nis.sh
View File

@ -52,17 +52,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/2.3.2_disable_rsh_client.sh
View File

@ -56,17 +56,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/2.3.3_disable_talk_client.sh
View File

@ -55,17 +55,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/2.3.4_disable_telnet_client.sh
View File

@ -55,17 +55,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

10
bin/hardening/2.3.5_disable_ldap_client.sh
View File

@ -55,17 +55,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

28
bin/hardening/3.1.1_disable_ipv6.sh
View File

@ -21,29 +21,17 @@ SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ip
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
does_sysctl_param_exists "net.ipv6" is_ipv6_enabled
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
ok "ipv6 is disabled" ok "ipv6 is disabled"
else else
for SYSCTL_VALUES in $SYSCTL_PARAMS; do crit "ipv6 is enabled"
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
done
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
does_sysctl_param_exists "net.ipv6" is_ipv6_enabled
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
ok "ipv6 is disabled" ok "ipv6 is disabled"
else else
@ -75,17 +63,17 @@ if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "${CIS_LIB_DIR}"/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

Some files were not shown because too many files have changed in this diff Show More