

8 Commits

d26ad48416 Update changelog 2021-04-02 09:25:41 +02:00
d110a2aa19 Ignore case for sshd conf
fix #85
2021-04-02 09:25:41 +02:00
cbd81b8ab2 Update changelog (#82) 2021-03-26 12:16:50 +01:00
1c51e4cec4 Check that package are installed before launching check (#69)
* FIX(1.6.1,1.7.1.x): check if apparmor and grub is installed

* FIX(2.2.15): check package install

* FIX(4.2.x): check package install

* FIX(5.1.x): check crontab files exist

* FIX(5.2.1): check package install

* FIX(99.3.3.x): check conf file exist

* Remove useless SUDO_CMD

* Deal with non-existent /run/shm

* Replace exit code 128 by exit code 2

fix #65

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-03-25 14:01:57 +01:00
f8ac58700d FIX(4.1.1.4): bad pattern (#67)
fix #61
2021-03-25 13:50:08 +01:00
1c1393c7e3 Fix div function to manage 0 on numerator (#79)
fix #77

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-03-23 08:36:36 +01:00
c50f200c5c FIX(5.4.5.2): explicit sha512
fix #74
2021-03-22 15:22:50 +01:00
c0ecc9cd6f README: fix spelling and spacing in first line 2021-03-19 08:36:31 +01:00
47 changed files with 638 additions and 466 deletions


@ -1,6 +1,6 @@
# :lock: CIS Debian 9/10 Hardening # :lock: CIS Debian 9/10 Hardening
:tada: **News**: this projet is back in the game and is from now on maintained. Be free to use and to :tada: **News**: this project is back in the game and is from now on maintained. Be free to use and to
report issues if you find any! report issues if you find any!


@ -24,7 +24,11 @@ OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
if [ -e "$PARTITION" ]; then
PARTITION=$(readlink -e "$PARTITION") PARTITION=$(readlink -e "$PARTITION")
else
PARTITION="/dev/shm"
fi
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
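Review bot: The new fallback replaces whatever `$PARTITION` held with a hard-coded `/dev/shm` without saying so, so a mistyped or intentionally different PARTITION value is silently swapped rather than reported, and the later `is_a_partition` verdict refers to a path the operator never configured. Consider logging the substitution in the else branch, `info "$PARTITION does not exist, falling back to /dev/shm"`, so the audit output explains which path was actually checked. The same fallback is added in the nosuid and noexec sections below (the hunks at `OPTION="nosuid"` and `OPTION="noexec"`); audit() continues past the end of the hunk.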


@ -24,7 +24,11 @@ OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
if [ -e "$PARTITION" ]; then
PARTITION=$(readlink -e "$PARTITION") PARTITION=$(readlink -e "$PARTITION")
else
PARTITION="/dev/shm"
fi
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then


@ -24,7 +24,11 @@ OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
if [ -e "$PARTITION" ]; then
PARTITION=$(readlink -e "$PARTITION") PARTITION=$(readlink -e "$PARTITION")
else
PARTITION="/dev/shm"
fi
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then


@ -66,22 +66,22 @@ check_config() {
is_pkg_installed "grub-pc" is_pkg_installed "grub-pc"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "Grub is not installed, not handling configuration" warn "Grub is not installed, not handling configuration"
exit 128 exit 2
fi fi
does_user_exist "$USER" does_user_exist "$USER"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$USER does not exist" crit "$USER does not exist"
exit 128 exit 2
fi fi
does_group_exist "$GROUP" does_group_exist "$GROUP"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$GROUP does not exist" crit "$GROUP does not exist"
exit 128 exit 2
fi fi
does_file_exist "$FILE" does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
exit 128 exit 2
fi fi
} }


@ -51,7 +51,6 @@ apply() {
else else
ok "$PWD_PATTERN is present in $FILE" ok "$PWD_PATTERN is present in $FILE"
fi fi
:
} }
# This function will check config parameters required # This function will check config parameters required
@ -59,11 +58,11 @@ check_config() {
is_pkg_installed "grub-pc" is_pkg_installed "grub-pc"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "grub-pc is not installed, not handling configuration" warn "grub-pc is not installed, not handling configuration"
exit 128 exit 2
fi fi
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
exit 128 exit 2
fi fi
} }
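Review bot: The second `if [ "$FNRET" != 0 ]` in check_config tests a stale FNRET: nothing between the grub-pc block and that `if` sets it, so it re-reads the result of `is_pkg_installed "grub-pc"`, which is necessarily 0 at that point, and the `crit "$FILE does not exist"` branch can never fire. Insert the missing lookup before it, `does_file_exist "$FILE"`, as the sibling check_config in the hunk above does. The opening line of check_config is only visible in the hunk header.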


@ -38,7 +38,6 @@ apply() {
else else
ok "$PATTERN is not present in $FILE" ok "$PATTERN is not present in $FILE"
fi fi
:
} }
# This function will check config parameters required # This function will check config parameters required


@ -35,6 +35,9 @@ nx_supported_and_enabled() {
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
if [ "$IS_CONTAINER" -eq 1 ]; then
ok "Container detected, cannot read dmesg!"
else
does_pattern_exist_in_dmesg "$PATTERN" does_pattern_exist_in_dmesg "$PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
nx_supported_and_enabled nx_supported_and_enabled
@ -46,10 +49,14 @@ audit() {
else else
ok "$PATTERN is present in dmesg" ok "$PATTERN is present in dmesg"
fi fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
if [ "$IS_CONTAINER" -eq 1 ]; then
ok "Container detected, cannot read dmesg!"
else
does_pattern_exist_in_dmesg "$PATTERN" does_pattern_exist_in_dmesg "$PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
nx_supported_and_enabled nx_supported_and_enabled
@ -61,6 +68,7 @@ apply() {
else else
ok "$PATTERN is present in dmesg" ok "$PATTERN is present in dmesg"
fi fi
fi
} }
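Review bot: Both the audit() and apply() container branches report `ok "Container detected, cannot read dmesg!"`, which records a pass for a check that was not performed, so the NX status of a containerised host is scored as compliant without evidence. A result that cannot be determined should be surfaced as such, e.g. `warn "Container detected, cannot read dmesg, NX status not verified"`, so the summary distinguishes "verified" from "skipped". The middle of both functions lies outside the visible hunks.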
# This function will check config parameters required # This function will check config parameters required


@ -21,15 +21,27 @@ PACKAGES='apparmor apparmor-utils'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
ERROR=0
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is absent!" crit "$PACKAGE is absent!"
ERROR=1
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
fi fi
done done
if [ "$ERROR" = 0 ]; then
is_pkg_installed "grub-pc"
if [ "$FNRET" != 0 ]; then
if [ "$IS_CONTAINER" -eq 1 ]; then
ok "Grub is not installed in container"
else
warn "Grub is not installed"
exit 128
fi
else
ERROR=0 ERROR=0
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg) RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
@ -48,6 +60,8 @@ audit() {
ok "$PACKAGES are configured" ok "$PACKAGES are configured"
fi fi
fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
@ -62,6 +76,14 @@ apply() {
fi fi
done done
is_pkg_installed "grub-pc"
if [ "$FNRET" != 0 ]; then
if [ "$IS_CONTAINER" -eq 1 ]; then
ok "Grub is not installed in container"
else
warn "You should use grub. Install it yourself"
fi
else
ERROR=0 ERROR=0
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg) RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
@ -83,6 +105,7 @@ apply() {
else else
ok "$PACKAGES are configured" ok "$PACKAGES are configured"
fi fi
fi
} }
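Review bot: The new `exit 128` after `warn "Grub is not installed"` in audit() contradicts the commit's own "Replace exit code 128 by exit code 2" change applied elsewhere in this compare (the check_config hunks above now use `exit 2`); it should read `exit 2` for consistency. As in the NX check, `ok "Grub is not installed in container"` marks an unverified grub configuration as passing; a `warn` or `info` would be more honest. Both audit() and apply() extend beyond the visible hunks.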
# This function will check config parameters required # This function will check config parameters required


@ -21,15 +21,17 @@ PACKAGES='apparmor apparmor-utils'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
ERROR=0
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is absent!" crit "$PACKAGE is absent!"
ERROR=1
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
fi fi
done done
if [ "$ERROR" = 0 ]; then
RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined") RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
if [ -n "$RESULT_UNCONFINED" ]; then if [ -n "$RESULT_UNCONFINED" ]; then
@ -38,6 +40,7 @@ audit() {
else else
crit "Some processes are unconfined while they have defined profile" crit "Some processes are unconfined while they have defined profile"
fi fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
@ -46,6 +49,7 @@ apply() {
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGES is absent!" crit "$PACKAGES is absent!"
apt_install "$PACKAGE"
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
fi fi
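Review bot: In apply(), the message next to the new `apt_install "$PACKAGE"` call still says `crit "$PACKAGES is absent!"`, naming the whole package list while only the single missing `$PACKAGE` is reported and installed; the audit() loop in the same file and the sibling script below use `$PACKAGE`. Change it to `crit "$PACKAGE is absent!"` so the log matches what is being installed. Whether apt_install reports failure through FNRET is not visible here; if it does, the result should be checked before the rest of apply() continues.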


@ -21,15 +21,17 @@ PACKAGES='apparmor apparmor-utils'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
ERROR=0
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is absent!" crit "$PACKAGE is absent!"
ERROR=1
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
fi fi
done done
if [ "$ERROR" = 0 ]; then
RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined") RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode.") RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode.")
@ -44,6 +46,7 @@ audit() {
else else
crit "Some processes are in complain mode" crit "Some processes are in complain mode"
fi fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
@ -52,6 +55,7 @@ apply() {
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is absent!" crit "$PACKAGE is absent!"
apt_install "$PACKAGE"
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
fi fi


@ -21,6 +21,11 @@ HARDENING_EXCEPTION=mail
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_pkg_installed net-tools
if [ "$FNRET" != 0 ]; then
warn "netsat not installed, cannot execute check"
exit 2
else
info "Checking netport ports opened" info "Checking netport ports opened"
RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || : RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
RESULT=${RESULT:-} RESULT=${RESULT:-}
@ -35,10 +40,16 @@ audit() {
crit "MTA listens worldwide" crit "MTA listens worldwide"
fi fi
fi fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
is_pkg_installed net-tools
if [ "$FNRET" != 0 ]; then
warn "netsat not installed, cannot execute check"
exit 2
else
info "Checking netport ports opened" info "Checking netport ports opened"
RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || : RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
RESULT=${RESULT:-} RESULT=${RESULT:-}
@ -53,7 +64,7 @@ apply() {
warn "MTA listens worldwide, correct this considering your MTA" warn "MTA listens worldwide, correct this considering your MTA"
fi fi
fi fi
: fi
} }
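Review bot: The new user-facing messages in audit() and apply() misspell the tool: `warn "netsat not installed, cannot execute check"` should read `warn "netstat not installed, cannot execute check"`. The check also now depends on the net-tools package, which many current Debian installs no longer ship; a comment noting that `ss` from iproute2 would be the maintained alternative would help the next maintainer. Both functions continue outside the visible hunks.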
# This function will check config parameters required # This function will check config parameters required


@ -18,7 +18,7 @@ HARDENING_LEVEL=4
DESCRIPTION="Enable auditing for processes that start prior to auditd." DESCRIPTION="Enable auditing for processes that start prior to auditd."
FILE='/etc/default/grub' FILE='/etc/default/grub'
OPTIONS='GRUB_CMDLINE_LINUX="audit=1"' OPTIONS='GRUB_CMDLINE_LINUX=audit=1'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
@ -30,7 +30,7 @@ audit() {
for GRUB_OPTION in $OPTIONS; do for GRUB_OPTION in $OPTIONS; do
GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1) GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3) GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
PATTERN="^$GRUB_PARAM=$GRUB_VALUE" PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
debug "$GRUB_PARAM should be set to $GRUB_VALUE" debug "$GRUB_PARAM should be set to $GRUB_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
@ -55,7 +55,7 @@ apply() {
GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1) GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3) GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
debug "$GRUB_PARAM should be set to $GRUB_VALUE" debug "$GRUB_PARAM should be set to $GRUB_VALUE"
PATTERN="^$GRUB_PARAM=$GRUB_VALUE" PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
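Review bot: The relaxed pattern `PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"` is a substring match, so `GRUB_CMDLINE_LINUX="noaudit=1"` or `audit=10` would satisfy the audit for `audit=1`, and the same applies to `audit_backlog_limit=8192` in the next file (e.g. `81920`). If does_pattern_exist_in_file uses GNU grep, anchoring the value with word boundaries, `PATTERN="^$GRUB_PARAM=.*\b$GRUB_VALUE\b"`, closes that gap; otherwise a bracket expression such as `[\"[:space:]]$GRUB_VALUE([\"[:space:]]|$)` does the same. The same pattern change appears in both audit() and apply() of this file and of the audit_backlog_limit file; the rest of those functions is outside the hunks.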


@ -18,7 +18,7 @@ HARDENING_LEVEL=4
DESCRIPTION="Configure audit_backlog_limit to be sufficient." DESCRIPTION="Configure audit_backlog_limit to be sufficient."
FILE='/etc/default/grub' FILE='/etc/default/grub'
OPTIONS='GRUB_CMDLINE_LINUX="audit_backlog_limit=8192"' OPTIONS='GRUB_CMDLINE_LINUX=audit_backlog_limit=8192'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
@ -30,7 +30,7 @@ audit() {
for GRUB_OPTION in $OPTIONS; do for GRUB_OPTION in $OPTIONS; do
GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1) GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3) GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
PATTERN="^$GRUB_PARAM=$GRUB_VALUE" PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
debug "$GRUB_PARAM should be set to $GRUB_VALUE" debug "$GRUB_PARAM should be set to $GRUB_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
@ -55,7 +55,7 @@ apply() {
GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1) GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3) GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
debug "$GRUB_PARAM should be set to $GRUB_VALUE" debug "$GRUB_PARAM should be set to $GRUB_VALUE"
PATTERN="^$GRUB_PARAM=$GRUB_VALUE" PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"


@ -18,8 +18,7 @@ HARDENING_LEVEL=4
DESCRIPTION="Collect use of privileged commands." DESCRIPTION="Collect use of privileged commands."
# Find all files with setuid or setgid set # Find all files with setuid or setgid set
SUDO_CMD='sudo -n' AUDIT_PARAMS=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f |
AUDIT_PARAMS=$($SUDO_CMD find / -xdev \( -perm -4000 -o -perm -2000 \) -type f |
awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }') awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }')
FILE='/etc/audit/audit.rules' FILE='/etc/audit/audit.rules'
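Review bot: Dropping `$SUDO_CMD` along with the local `SUDO_CMD='sudo -n'` means `find / -xdev` now runs with the caller's privileges at sourcing time; if the script is run unprivileged, directories it cannot read are skipped with errors on stderr and AUDIT_PARAMS silently omits any setuid/setgid binaries inside them, so the generated audit rules are incomplete. Other files in this compare still prefix privileged lookups with the framework's `$SUDO_CMD` (e.g. `$($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ ...)`), so the intent was presumably only to remove the local redefinition; keeping `AUDIT_PARAMS=$($SUDO_CMD find / -xdev \( -perm -4000 -o -perm -2000 \) -type f |` would preserve coverage. Whether the framework guarantees SUDO_CMD is set at this point is not visible here.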


@ -17,10 +17,15 @@ HARDENING_LEVEL=3
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Ensure syslog-ng service is activated." DESCRIPTION="Ensure syslog-ng service is activated."
PACKAGE='syslog-ng'
SERVICE_NAME="syslog-ng" SERVICE_NAME="syslog-ng"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
info "Checking if $SERVICE_NAME is enabled" info "Checking if $SERVICE_NAME is enabled"
is_service_enabled "$SERVICE_NAME" is_service_enabled "$SERVICE_NAME"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -28,10 +33,15 @@ audit() {
else else
crit "$SERVICE_NAME is disabled" crit "$SERVICE_NAME is disabled"
fi fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
info "Checking if $SERVICE_NAME is enabled" info "Checking if $SERVICE_NAME is enabled"
is_service_enabled "$SERVICE_NAME" is_service_enabled "$SERVICE_NAME"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
@ -41,6 +51,7 @@ apply() {
else else
ok "$SERVICE_NAME is enabled" ok "$SERVICE_NAME is enabled"
fi fi
fi
} }
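Review bot: The not-installed branch in apply() only emits `crit "$PACKAGE is not installed!"` and leaves the system unchanged, while the other new package guards in this compare behave differently (the MTA check warns and exits 2; the apparmor check calls `apt_install`), so the severity and exit behaviour for "prerequisite missing" is now inconsistent across checks. If syslog-ng is deliberately not installed automatically (for instance because rsyslog may be the configured logger), a comment on that branch stating so would make the choice explicit. The same guard pattern is added in the three syslog-ng files that follow; audit() and apply() extend beyond the visible hunks.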
# This function will check config parameters required # This function will check config parameters required


@ -19,6 +19,7 @@ DESCRIPTION="Create and set permissions on syslog-ng logfiles."
# Note: this is not exacly the same check as the one described in CIS PDF # Note: this is not exacly the same check as the one described in CIS PDF
PACKAGE='syslog-ng'
PERMISSIONS='' PERMISSIONS=''
USER='' USER=''
GROUP='' GROUP=''
@ -26,6 +27,10 @@ EXCEPTIONS=''
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
FILES=$(grep "file(" "$SYSLOG_BASEDIR"/syslog-ng.conf | grep '"' | cut -d'"' -f 2) FILES=$(grep "file(" "$SYSLOG_BASEDIR"/syslog-ng.conf | grep '"' | cut -d'"' -f 2)
for FILE in $FILES; do for FILE in $FILES; do
does_file_exist "$FILE" does_file_exist "$FILE"
@ -64,10 +69,15 @@ audit() {
fi fi
fi fi
done done
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
for FILE in $FILES; do for FILE in $FILES; do
does_file_exist "$FILE" does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
@ -113,6 +123,7 @@ apply() {
PERMISSIONS="$perm_bak" PERMISSIONS="$perm_bak"
fi fi
done done
fi
} }
# This function will create the config file for this check with default values # This function will create the config file for this check with default values


@ -17,10 +17,16 @@ HARDENING_LEVEL=3
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Configure syslog-ng to send logs to a remote log host." DESCRIPTION="Configure syslog-ng to send logs to a remote log host."
PACKAGE='syslog-ng'
PATTERN='destination[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".' PATTERN='destination[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
FOUND=0 FOUND=0
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)" FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
for FILE in $FILES; do for FILE in $FILES; do
@ -35,10 +41,15 @@ audit() {
else else
crit "$PATTERN is not present in $FILES" crit "$PATTERN is not present in $FILES"
fi fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
FOUND=0 FOUND=0
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)" FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
for FILE in $FILES; do for FILE in $FILES; do
@ -52,6 +63,7 @@ apply() {
else else
crit "$PATTERN is not present in $FILES, please set a remote host to send your logs" crit "$PATTERN is not present in $FILES, please set a remote host to send your logs"
fi fi
fi
} }
# This function will create the config file for this check with default values # This function will create the config file for this check with default values


@ -17,11 +17,17 @@ HARDENING_LEVEL=3
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Configure syslog to accept remote syslog messages only on designated log hosts." DESCRIPTION="Configure syslog to accept remote syslog messages only on designated log hosts."
PACKAGE='syslog-ng'
REMOTE_HOST="" REMOTE_HOST=""
PATTERN='source[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".' PATTERN='source[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
FOUND=0 FOUND=0
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)" FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
for FILE in $FILES; do for FILE in $FILES; do
@ -45,12 +51,16 @@ audit() {
else else
ok "$PATTERN is not present in $FILES" ok "$PATTERN is not present in $FILES"
fi fi
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
FOUND=0 FOUND=0
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)" FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
for FILE in $FILES; do for FILE in $FILES; do
@ -74,7 +84,7 @@ apply() {
else else
ok "$PATTERN is not present in $FILES" ok "$PATTERN is not present in $FILES"
fi fi
fi
fi fi
} }


@ -27,7 +27,7 @@ audit() {
does_file_exist "$FILE" does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
fi else
has_file_correct_ownership "$FILE" "$USER" "$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
@ -40,6 +40,7 @@ audit() {
else else
crit "$FILE permissions were not set to $PERMISSIONS" crit "$FILE permissions were not set to $PERMISSIONS"
fi fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
@ -48,7 +49,7 @@ apply() {
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "$FILE does not exist" info "$FILE does not exist"
touch "$FILE" touch "$FILE"
fi else
has_file_correct_ownership "$FILE" "$USER" "$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
@ -63,6 +64,7 @@ apply() {
info "fixing $FILE permissions to $PERMISSIONS" info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE" chmod 0"$PERMISSIONS" "$FILE"
fi fi
fi
} }
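Review bot: Turning the `fi` after `touch "$FILE"` into `else` in apply() means a file that this run just created never reaches the ownership and permission fixes, so it is left with the invoking user's ownership and umask-derived mode until a second run, which defeats the purpose of creating it. In apply() the ownership checks should still run after the touch: keep `fi` there instead of the new `else` and drop the matching closing `fi` added at the end of the function (the `else` change in audit() is correct, since there is nothing to check on a missing file). The same edit is applied to the four permission files that follow this one; apply() continues outside the hunks.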
# This function will check config parameters required # This function will check config parameters required


@ -27,7 +27,7 @@ audit() {
does_file_exist "$FILE" does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
fi else
has_file_correct_ownership "$FILE" "$USER" "$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
@ -40,6 +40,7 @@ audit() {
else else
crit "$FILE permissions were not set to $PERMISSIONS" crit "$FILE permissions were not set to $PERMISSIONS"
fi fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
@ -48,7 +49,7 @@ apply() {
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "$FILE does not exist" info "$FILE does not exist"
touch "$FILE" touch "$FILE"
fi else
has_file_correct_ownership "$FILE" "$USER" "$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
@ -63,6 +64,7 @@ apply() {
info "fixing $FILE permissions to $PERMISSIONS" info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE" chmod 0"$PERMISSIONS" "$FILE"
fi fi
fi
} }
# This function will check config parameters required # This function will check config parameters required


@ -27,7 +27,7 @@ audit() {
does_file_exist "$FILE" does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
fi else
has_file_correct_ownership "$FILE" "$USER" "$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
@ -40,6 +40,7 @@ audit() {
else else
crit "$FILE permissions were not set to $PERMISSIONS" crit "$FILE permissions were not set to $PERMISSIONS"
fi fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
@ -48,7 +49,7 @@ apply() {
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "$FILE does not exist" info "$FILE does not exist"
touch "$FILE" touch "$FILE"
fi else
has_file_correct_ownership "$FILE" "$USER" "$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
@ -63,6 +64,7 @@ apply() {
info "fixing $FILE permissions to $PERMISSIONS" info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE" chmod 0"$PERMISSIONS" "$FILE"
fi fi
fi
} }
# This function will check config parameters required # This function will check config parameters required


@ -27,7 +27,7 @@ audit() {
does_file_exist "$FILE" does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
fi else
has_file_correct_ownership "$FILE" "$USER" "$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
@ -40,6 +40,7 @@ audit() {
else else
crit "$FILE permissions were not set to $PERMISSIONS" crit "$FILE permissions were not set to $PERMISSIONS"
fi fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
@ -48,7 +49,7 @@ apply() {
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "$FILE does not exist" info "$FILE does not exist"
touch "$FILE" touch "$FILE"
fi else
has_file_correct_ownership "$FILE" "$USER" "$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
@ -63,6 +64,7 @@ apply() {
info "fixing $FILE permissions to $PERMISSIONS" info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE" chmod 0"$PERMISSIONS" "$FILE"
fi fi
fi
} }
# This function will check config parameters required # This function will check config parameters required


@ -27,7 +27,7 @@ audit() {
does_file_exist "$FILE" does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
fi else
has_file_correct_ownership "$FILE" "$USER" "$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
@ -40,6 +40,7 @@ audit() {
else else
crit "$FILE permissions were not set to $PERMISSIONS" crit "$FILE permissions were not set to $PERMISSIONS"
fi fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
@ -48,7 +49,7 @@ apply() {
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "$FILE does not exist" info "$FILE does not exist"
touch "$FILE" touch "$FILE"
fi else
has_file_correct_ownership "$FILE" "$USER" "$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
@ -63,6 +64,7 @@ apply() {
info "fixing $FILE permissions to $PERMISSIONS" info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE" chmod 0"$PERMISSIONS" "$FILE"
fi fi
fi
} }
# This function will check config parameters required # This function will check config parameters required


@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^$SSH_PARAM" does_pattern_exist_in_file_nocase "$FILE" "^$SSH_PARAM"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else else
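Review bot: Switching to `does_pattern_exist_in_file_nocase` for the full `PATTERN` makes the value part case-insensitive as well as the keyword, but sshd_config(5) treats keywords case-insensitively and arguments case-sensitively, so a line such as `PermitRootLogin NO` would now be scored as compliant even though sshd does not accept it as the configured `no`. Only the `^${SSH_PARAM}` lookup used before `add_end_of_file` needs the nocase variant; for the full pattern the keyword should be matched without regard to case while `$SSH_VALUE` stays exact, or at minimum the trade-off should be recorded with a comment such as `# nocase also relaxes the value; sshd arguments are case-sensitive`. The same change is made in the two sshd files that follow; the loops containing these lines start outside the hunks.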


@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else else
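Review bot: The `else` closing this hunk leads to the in-place replacement branch, which is outside the hunk, and the nocase lookup on `^${SSH_PARAM}` now routes a line such as `permitrootlogin yes` to it; if that branch's sed/replace expression was left case-sensitive, the directive is reported as present but never rewritten and sshd keeps the old value. If it is a GNU sed address, add the `I` modifier, e.g. `sed -i "/^${SSH_PARAM}/I s/.*/${SSH_PARAM} ${SSH_VALUE}/" "$FILE"`, or pass the same case-insensitivity through to whatever helper does the replacement. Separately, sshd_config(5) treats arguments as case-sensitive, so the nocase match on the full `$PATTERN` accepts values sshd would not; worth confirming against the helper.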


@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else else
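Review bot: The nocase variant on the `$PATTERN` line also relaxes the value comparison, and for sshd only the keyword is case-insensitive (sshd_config(5): "keywords are case-insensitive and arguments are case-sensitive"), so the audit can now pass on a value the daemon will refuse. A more robust audit would compare against the effective configuration instead of grepping the file: `sshd -T 2>/dev/null | grep -qi "^${SSH_PARAM} ${SSH_VALUE}$"` prints every keyword lowercased with its resolved value, which sidesteps case, whitespace and Match-block ambiguities at once (it needs root and readable host keys, which an audit run already has). If the file-grep approach is kept, restrict the `-i` behaviour to the keyword part of the pattern. audit() and apply() continue outside the hunks.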


@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else else
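Review bot: The changed `does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"` calls apply case-insensitivity to the whole `^${SSH_PARAM}[[:space:]]*$SSH_VALUE` expression, but sshd only ignores case in the keyword, per sshd_config(5); argument values such as cipher, MAC or key-exchange names are compared exactly by the daemon. A differently-cased value therefore passes this audit yet is rejected by sshd at start-up, which is the opposite of what a hardening check should report. Suggest a two-stage match, keyword with `-i` and value without: `grep -iE "^${SSH_PARAM}[[:space:]]+" "$FILE" | grep -qE "[[:space:]]+${SSH_VALUE}([[:space:]]|$)"`. The enclosing functions continue outside the hunks.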


@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else else
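Review bot: With the keyword lookup now case-insensitive, the replacement branch behind the final `else` (outside the hunk) will be entered for directives whose keyword case differs from `$SSH_PARAM`; if the substitution there anchors on `^${SSH_PARAM}` with a case-sensitive sed, the line is left untouched and apply() reports success without changing sshd's behaviour. The replace expression needs the same treatment as the lookup, e.g. a GNU sed `/^${SSH_PARAM}/I` address, or the script should rewrite by deleting the matched line (found case-insensitively) and appending `$SSH_PARAM $SSH_VALUE`. Please also note that sshd_config(5) keeps arguments case-sensitive, so the nocase `$PATTERN` match is looser than the daemon itself.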


@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file_nocase $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else else
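Review bot: The edited audit() line still passes `$FILE` unquoted (`does_pattern_exist_in_file_nocase $FILE "$PATTERN"`) while the apply() calls in the same commit quote it; since the line was touched anyway, make it `does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"` so ShellCheck SC2086 stays clean and the two functions agree. On the substance of the change, the nocase match also covers the value, and sshd_config(5) treats arguments as case-sensitive, so a wrongly-cased value that sshd would reject now passes the audit; restrict the case-insensitivity to the keyword part if the helper allows it. audit() and apply() continue outside the hunks.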


@ -34,7 +34,7 @@ audit() {
# shellcheck disable=SC2001 # shellcheck disable=SC2001
SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE") SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE")
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -59,12 +59,12 @@ apply() {
# shellcheck disable=SC2001 # shellcheck disable=SC2001
SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE") SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE")
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else else
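Review bot: In this script the value is run through `sed "s/'//g"` before being placed in `$PATTERN`, which suggests it is a quoted path or list rather than a yes/no keyword, and those are exactly the arguments where case matters (file paths are case-sensitive on the filesystem, and sshd_config(5) says arguments are case-sensitive in general); the new nocase match therefore lets a wrongly-cased value through. Keep `-i` for the keyword only, e.g. `grep -iE "^${SSH_PARAM}[[:space:]]+" "$FILE" | grep -qE "[[:space:]]+${SSH_VALUE}([[:space:]]|$)"`, so the value must match exactly. Also worth a one-line comment above the sed, `# strip quotes so the config line and $SSH_VALUE compare equal`, since the reason is not obvious. The enclosing functions continue outside the hunks.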


@ -17,6 +17,7 @@ HARDENING_LEVEL=1
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Checking permissions and ownership to root 600 for sshd_config." DESCRIPTION="Checking permissions and ownership to root 600 for sshd_config."
PACKAGE='openssh-server'
FILE='/etc/ssh/sshd_config' FILE='/etc/ssh/sshd_config'
PERMISSIONS='600' PERMISSIONS='600'
USER='root' USER='root'
@ -24,6 +25,10 @@ GROUP='root'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
ok "$PACKAGE is not installed!"
else
has_file_correct_ownership "$FILE" "$USER" "$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
@ -36,10 +41,15 @@ audit() {
else else
crit "$FILE permissions were not set to $PERMISSIONS" crit "$FILE permissions were not set to $PERMISSIONS"
fi fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
ok "$PACKAGE is not installed"
else
does_file_exist "$FILE" does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "$FILE does not exist" info "$FILE does not exist"
@ -59,6 +69,7 @@ apply() {
info "fixing $FILE permissions to $PERMISSIONS" info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE" chmod 0"$PERMISSIONS" "$FILE"
fi fi
fi
} }
# This function will check config parameters required # This function will check config parameters required
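Review bot: Reporting `ok` when openssh-server is not installed skips the permission check even when `/etc/ssh/sshd_config` is still on disk — a removed-but-not-purged package keeps its conffiles, and sshd may also come from another package or a source build — so a world-readable config would pass unnoticed. Suggest keying the skip on the file rather than the package alone: in audit() run `does_file_exist "$FILE"` and fall through to the ownership/permission checks whenever it exists, and log `info "$PACKAGE is not installed, check skipped"` instead of `ok` so the report shows the control was not evaluated. The two new messages also differ (`"is not installed!"` in audit() versus `"is not installed"` in apply()); make them identical so log filtering works. This assumes is_pkg_installed treats a deinstalled package as absent; both function bodies continue outside the hunks.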


@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file_nocase $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else else
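Review bot: The audit() line changed in this hunk keeps `$FILE` unquoted (`does_pattern_exist_in_file_nocase $FILE "$PATTERN"`) while the apply() calls right below quote it; make it `does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"` for consistency and to satisfy ShellCheck SC2086. Beyond style, the nocase helper now also ignores case in the value, and sshd_config(5) treats arguments as case-sensitive, so the audit is more permissive than sshd for values such as algorithm lists; limit the case-insensitivity to the keyword if the helper can be adjusted. audit() and apply() continue outside the hunks.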


@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file_nocase $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else else
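Review bot: `does_pattern_exist_in_file_nocase $FILE "$PATTERN"` in audit() was rewritten without quoting `$FILE`, unlike the same call in apply() a few lines later; quote it (`"$FILE"`) now that the line is being touched. The larger point is that case-insensitive matching of the whole pattern is broader than sshd's own parsing, which ignores case only in keywords (sshd_config(5)), so a value the daemon would reject can pass this check; a keyword-only `-i` or a comparison against `sshd -T` output would be exact. The enclosing functions continue outside the hunks.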


@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file_nocase $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else else
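Review bot: The audit() call still reads `does_pattern_exist_in_file_nocase $FILE "$PATTERN"` with `$FILE` unquoted, while apply() quotes it; since the line is part of this change, write `"$FILE"` in both places so ShellCheck SC2086 is clean and the two functions match. Also note that ignoring case on the value side is looser than sshd, which per sshd_config(5) treats arguments case-sensitively; if the helper is a plain `grep -i`, consider matching the keyword with `-i` and the value exactly. audit() and apply() continue outside the hunks.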


@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file_nocase $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else else
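Review bot: The changed audit() line leaves `$FILE` unquoted (`does_pattern_exist_in_file_nocase $FILE "$PATTERN"`) whereas apply() in the same file quotes it; use `"$FILE"` on both for consistency and SC2086. More importantly, the nocase match makes the value comparison case-insensitive too, and sshd_config(5) keeps arguments case-sensitive, so the audit can report a directive as correctly set when sshd would refuse the value; restricting `-i` to the keyword, or checking `sshd -T` output, would keep the audit as strict as the daemon. The enclosing functions continue outside the hunks.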


@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else else
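Review bot: The move to `does_pattern_exist_in_file_nocase` on the `$PATTERN` lines relaxes the value match as well as the keyword match, and sshd_config(5) is explicit that only keywords are case-insensitive; a value sshd rejects can therefore pass this check. Keep `-i` for the keyword and compare the value exactly, e.g. `grep -iE "^${SSH_PARAM}[[:space:]]+" "$FILE" | grep -qE "[[:space:]]+${SSH_VALUE}([[:space:]]|$)"`; the trailing `([[:space:]]|$)` also closes the open-ended match in the current `PATTERN=` expression. This assumes the nocase helper is a straightforward `grep -i`; audit() and apply() continue outside the hunks.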


@ -61,7 +61,7 @@ apply() {
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else else
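Review bot: Only the fallback `^${SSH_PARAM}` lookup is switched to the nocase helper in this file; the hunk starts at the `ok "$PATTERN is present in $FILE"` line, which implies the preceding `$PATTERN` check (outside the hunk) still calls the case-sensitive `does_pattern_exist_in_file`, unlike the other sshd scripts in this commit. The effect is that a correctly-set but differently-cased directive is first reported absent, then found by the nocase keyword check and sent to the replace branch, so apply() rewrites a line that was already right, and audit() presumably still flags it. Change the earlier call to `does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"` (and the audit() counterpart, not shown) so the three lookups agree.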


@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else else
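Review bot: This file only has an apply() hunk; no audit() change appears for it, unlike the other sshd scripts in this set, so if audit() still calls `does_pattern_exist_in_file` the two modes disagree on a differently-cased directive — audit flags it as missing while apply says it is present and does nothing. Please confirm audit() was updated, or change its lookups to `does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"` as well. As with the sibling scripts, the nocase match on the value is looser than sshd_config(5), which keeps arguments case-sensitive. apply() continues outside the hunk.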


@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else else
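Review bot: The nocase lookup on `^${SSH_PARAM}` at the end of the hunk now sends lower- or mixed-case keywords to the replacement branch behind the final `else` (outside the hunk); if that branch rewrites with a case-sensitive `sed` anchored on `^${SSH_PARAM}`, the directive is detected but never changed and apply() exits without having hardened anything. Give the replacement the same case-insensitivity, e.g. a GNU sed `/^${SSH_PARAM}/I` address, or delete the line found case-insensitively and append `$SSH_PARAM $SSH_VALUE`. The value part of `$PATTERN` should stay case-sensitive to match sshd_config(5), which ignores case only in keywords.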


@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else else
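Review bot: Using the nocase helper for the full `$PATTERN` makes the value comparison case-insensitive, which is broader than sshd itself: sshd_config(5) states keywords are case-insensitive and arguments case-sensitive, so an audit pass here does not guarantee sshd accepts the setting. Apply `-i` only to the keyword, e.g. `grep -iE "^${SSH_PARAM}[[:space:]]+" "$FILE" | grep -qE "[[:space:]]+${SSH_VALUE}([[:space:]]|$)"`, which also anchors the end of the value. This assumes the helper is a plain `grep -i`; audit() and apply() continue outside the hunks.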


@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else else
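Review bot: The case-insensitive `$PATTERN` match widens an already open-ended expression — `^${SSH_PARAM}[[:space:]]*$SSH_VALUE` has no terminator and `[[:space:]]*` admits zero separators — so with `-i` it now accepts any case of both keyword and value plus any trailing characters. sshd_config(5) keeps arguments case-sensitive, so the audit is now more lenient than the daemon. Tightening to `^${SSH_PARAM}[[:space:]]+${SSH_VALUE}([[:space:]]|$)` with case-insensitivity on the keyword only would make a pass here meaningful. The enclosing functions continue outside the hunks.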


@ -24,6 +24,11 @@ GROUP='root'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
else
ok "$FILE exist"
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
@ -36,10 +41,19 @@ audit() {
else else
crit "$FILE ownership was not set to $USER:$GROUP" crit "$FILE ownership was not set to $USER:$GROUP"
fi fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist"
touch "$FILE"
warn "You may want to fill it with allowed networks"
else
ok "$FILE exist"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
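Review bot: The new apply() branch creates `$FILE` with `touch` and then advises filling it "with allowed networks"; the identical text appears in the sibling hosts-file script in this commit, and if one of the two is `/etc/hosts.deny` the advice is wrong — an empty deny file denies nothing, and the expected content there is `ALL: ALL`. Suggest a file-specific hint, e.g. `warn "$FILE was created empty; populate it before relying on it (hosts.allow: permitted networks, hosts.deny: ALL: ALL)"`. Minor: `ok "$FILE exist"` should read `exists` in both audit() and apply(). Note that `touch` creates the file with umask permissions, which the permission check that follows then corrects, so the ordering is right; apply() continues outside the hunk.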


@ -24,6 +24,11 @@ GROUP='root'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
else
ok "$FILE exist"
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
@ -36,10 +41,19 @@ audit() {
else else
crit "$FILE ownership was not set to $USER:$GROUP" crit "$FILE ownership was not set to $USER:$GROUP"
fi fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist"
touch "$FILE"
warn "You may want to fill it with allowed networks"
else
ok "$FILE exist"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
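Review bot: The `touch "$FILE"` added to apply() is unchecked; if it fails (read-only `/etc`, or `$FILE` being a dangling symlink that points somewhere unwritable) the script goes on to chmod/chown a file that does not exist and the run still ends with the `ok` lines below. Guard it, e.g. `touch "$FILE" || crit "could not create $FILE"`, so the failure is reported as the check's result rather than hidden. The hint `You may want to fill it with allowed networks` is duplicated verbatim in the sibling hosts script; if this one is the deny file the correct content is `ALL: ALL`, so the message should name what belongs in this particular file. Also `ok "$FILE exist"` → `exists`. apply() continues outside the hunk.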

debian/changelog vendored

@ -1,3 +1,19 @@
cis-hardening (3.1-2) unstable; urgency=medium
* Fix case for sshd pattern searching
-- Thibault Ayanides <thibault.ayanides@ovhcloud.com> Fri, 02 Apr 2021 09:16:16 +0200
cis-hardening (3.1-1) unstable; urgency=medium
* Various mispeling fixes
* Fix div function that causes a display bug when runnin test with --only
* Fix 4.1.1.4 bad pattern bug
* Fix 5.4.2.2
* Various verification that package is installed or file exist before running check (openssh, apparmor, crontab)
-- Thibault Ayanides <thibault.ayanides@ovhcloud.com> Thu, 25 Mar 2021 14:59:49 +0100
cis-hardening (3.1-0) unstable; urgency=medium cis-hardening (3.1-0) unstable; urgency=medium
* Add missing HARDENING_LEVEL var for some checks * Add missing HARDENING_LEVEL var for some checks


@ -121,6 +121,10 @@ div() {
local _d=${3:-2} local _d=${3:-2}
local _n=0000000000 local _n=0000000000
_n=${_n:0:$_d} _n=${_n:0:$_d}
if (($1 == 0)); then
echo "0"
return
fi
if (($2 == 0)); then if (($2 == 0)); then
echo "N.A" echo "N.A"
return return
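Review bot: The new zero-numerator guard runs before the existing zero-denominator guard, so `div 0 0` now prints `0` where it previously printed `N.A`; 0/0 is undefined and `N.A` was the more honest answer. Swapping the two `if` blocks (denominator check first, then numerator) keeps that behaviour while still fixing the display bug for `0/n`. The function also pads results to `_d` decimals via `_n` on the lines above, so a bare `0` may render inconsistently next to values like `12.50`; worth confirming what the callers expect, or returning `0.${_n}` so the width matches. div() continues outside the hunk.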


@ -22,7 +22,7 @@ test_audit() {
run lockedpasswd /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run lockedpasswd /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
mv /tmp/shadow.bak /etc/shadow mv /tmp/shadow.bak /etc/shadow
chpasswd <<EOF chpasswd -c SHA512 <<EOF
secaudit:mypassword secaudit:mypassword
EOF EOF
describe Pass: Found properly hashed password describe Pass: Found properly hashed password
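Review bot: The `-c SHA512` argument is the whole point of the fix and deserves a comment, since a later reader could drop it as redundant: `# force SHA512 so the hash is $6$ regardless of ENCRYPT_METHOD in /etc/login.defs`. Without it chpasswd falls back to the system default, which on a minimal test image is not guaranteed to be SHA512, making the "properly hashed password" expectation environment-dependent. The test function continues outside the hunk.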