elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2025-07-15 21:32:17 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: elie:v3.1-0
Branches Tags
elie:master elie:damcava35/deb12_scripts_2 elie:damcava35/update_lib elie:damcava35/new_scripts elie:damcava35/issue_249 elie:damcava35/drop_debian10 elie:damcava35/is_ip_v6_enabled elie:damcava35/issue_195 elie:damcava35/fix_only elie:damcava35/fix_packaging elie:damcava35/set_version elie:damcava35/test_pre_commit elie:dev/thibault.dewailly/deb12 elie:dependabot/github_actions/luizm/action-sh-checker-0.9.0 elie:dev/thibault.dewailly/set_hardening_level elie:dev/thibault.dewailly/syslogng_remotecheck
elie:latest elie:v4.1-5 elie:v4.1-4 elie:v4.1-3 elie:v4.1-2 elie:v4.1-1 elie:v4.0-1 elie:v3.8-1 elie:v3.7-1 elie:v3.6-1 elie:v3.5-1 elie:v3.4-1 elie:v3.3-1 elie:v3.2-2 elie:v3.2-1 elie:v3.2-0 elie:v3.1-6 elie:v3.1-5 elie:v3.1-4 elie:v3.1-3 elie:v3.1-2 elie:v3.1-1 elie:v3.1-0 elie:v3.0-1 elie:v3.0 elie:v2.1-6 elie:v2.1-5 elie:v2.1-4 elie:v2.1-3 elie:v2.1-2 elie:v2.1-1 elie:v2.0-6 elie:v2.0-5 elie:v2.0-4 elie:v1.3-4 elie:v1.3-3 elie:v1.3-2 elie:v1.3 elie:v1.2-1 elie:v1.1-1
...
compare: elie:v3.1-4
Branches Tags
elie:damcava35/deb12_scripts_2 elie:damcava35/update_lib elie:damcava35/new_scripts elie:master elie:damcava35/issue_249 elie:damcava35/drop_debian10 elie:damcava35/is_ip_v6_enabled elie:damcava35/issue_195 elie:damcava35/fix_only elie:damcava35/fix_packaging elie:damcava35/set_version elie:damcava35/test_pre_commit elie:dev/thibault.dewailly/deb12 elie:dependabot/github_actions/luizm/action-sh-checker-0.9.0 elie:dev/thibault.dewailly/set_hardening_level elie:dev/thibault.dewailly/syslogng_remotecheck
elie:latest elie:v4.1-5 elie:v4.1-4 elie:v4.1-3 elie:v4.1-2 elie:v4.1-1 elie:v4.0-1 elie:v3.8-1 elie:v3.7-1 elie:v3.6-1 elie:v3.5-1 elie:v3.4-1 elie:v3.3-1 elie:v3.2-2 elie:v3.2-1 elie:v3.2-0 elie:v3.1-6 elie:v3.1-5 elie:v3.1-4 elie:v3.1-3 elie:v3.1-2 elie:v3.1-1 elie:v3.1-0 elie:v3.0-1 elie:v3.0 elie:v2.1-6 elie:v2.1-5 elie:v2.1-4 elie:v2.1-3 elie:v2.1-2 elie:v2.1-1 elie:v2.0-6 elie:v2.0-5 elie:v2.0-4 elie:v1.3-4 elie:v1.3-3 elie:v1.3-2 elie:v1.3 elie:v1.2-1 elie:v1.1-1

16 Commits
v3.1-0 ... v3.1-4

Author SHA1 Message Date
Thibault Ayanides
29505255ff Update changelog (#99) 2021-05-07 09:16:15 +02:00
Thibault Ayanides
9e6c9a0d8a Accept lower values (#95) 
* IMP(5.2.23): accept lower value as valid

* IMP(5.2.7): accept lower value as valid
 2021-04-27 16:04:13 +02:00
Thibault Ayanides
1cade2e375 FIX(2.2.1.2): custom func not working for systemd (#90) 
fix #87
 2021-04-27 13:49:05 +02:00
Thibault Ayanides
fc8a2b2561 FIX: add commands to sudoers (#91) 2021-04-27 13:31:59 +02:00
Thibault Ayanides
cadc25c28c Dir exceptions (#96) 
* IMP(1.1.21): add EXCEPTIONS
* IMP(6.1.10): add EXCEPTIONS
 2021-04-26 17:05:22 +02:00
Thibault Ayanides
8c6c9a7571 IMP(tests): checks that stderr is empty 
Fix #97
 2021-04-26 17:01:19 +02:00
Thibault Ayanides
dd41988933 Update changelog 2021-04-13 11:00:29 +02:00
Thibault Ayanides
f6c6e6a0a8 FIX(4.1.11): add SUDO to find suid files 2021-04-13 11:00:29 +02:00
Thibault Ayanides
d26ad48416 Update changelog 2021-04-02 09:25:41 +02:00
Thibault Ayanides
d110a2aa19 Ignore case for sshd conf 
fix #85
 2021-04-02 09:25:41 +02:00
Thibault Ayanides
cbd81b8ab2 Update changelog (#82) 2021-03-26 12:16:50 +01:00
Thibault Ayanides
1c51e4cec4 Check that package are installed before launching check (#69) 
* FIX(1.6.1,1.7.1.x): check if apparmor and grub is installed

* FIX(2.2.15): check package install

* FIX(4.2.x): check package install

* FIX(5.1.x): check crontab files exist

* FIX(5.2.1): check package install

* FIX(99.3.3.x): check conf file exist

* Remove useless SUDO_CMD

* Deal with non existant /run/shm

* Replace exit code 128 by exit code 2

fix #65

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-03-25 14:01:57 +01:00
Thibault Ayanides
f8ac58700d FIX(4.1.1.4): bad pattern (#67) 
fix #61
 2021-03-25 13:50:08 +01:00
Thibault Ayanides
1c1393c7e3 Fix div function to manage 0 on numerator (#79) 
fix #77

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-03-23 08:36:36 +01:00
Thibault Ayanides
c50f200c5c FIX(5.4.5.2): explicit sha512 
fix #74
 2021-03-22 15:22:50 +01:00
Simão Gomes Viana
c0ecc9cd6f README: fix spelling and spacing in first line 2021-03-19 08:36:31 +01:00
54 changed files with 818 additions and 481 deletions
Expand all files Collapse all files

4
README.md
View File

@ -1,7 +1,7 @@
# :lock: CIS Debian 9/10 Hardening
:tada: **News**: this projet is back in the game and is from now on maintained. Be free to use and to
report issues if you find any !
:tada: **News**: this project is back in the game and is from now on maintained. Be free to use and to
report issues if you find any!
<p align="center">

6
bin/hardening/1.1.15_run_shm_nodev.sh
View File

@ -24,7 +24,11 @@ OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
PARTITION=$(readlink -e "$PARTITION")
if [ -e "$PARTITION" ]; then
PARTITION=$(readlink -e "$PARTITION")
else
PARTITION="/dev/shm"
fi
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then

6
bin/hardening/1.1.16_run_shm_nosuid.sh
View File

@ -24,7 +24,11 @@ OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
PARTITION=$(readlink -e "$PARTITION")
if [ -e "$PARTITION" ]; then
PARTITION=$(readlink -e "$PARTITION")
else
PARTITION="/dev/shm"
fi
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then

6
bin/hardening/1.1.17_run_shm_noexec.sh
View File

@ -24,7 +24,11 @@ OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
PARTITION=$(readlink -e "$PARTITION")
if [ -e "$PARTITION" ]; then
PARTITION=$(readlink -e "$PARTITION")
else
PARTITION="/dev/shm"
fi
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then

41
bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
View File

@ -23,6 +23,19 @@ audit() {
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
# shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
IFS_BAK=$IFS
IFS=$'\n'
for LINE in $RESULT; do
debug "line : $LINE"
if echo "$EXCEPTIONS" | grep -q "$LINE"; then
debug "$LINE is confirmed as an exception"
# shellcheck disable=SC2001
RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
else
debug "$LINE not found in exceptions"
fi
done
IFS=$IFS_BAK
if [ -n "$RESULT" ]; then
crit "Some world writable directories are not on sticky bit mode!"
# shellcheck disable=SC2001
@ -36,17 +49,41 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
IFS_BAK=$IFS
IFS=$'\n'
for LINE in $RESULT; do
debug "line : $LINE"
if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then
debug "$ACCOUNT is confirmed as an exception"
# shellcheck disable=SC2001
RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
else
debug "$ACCOUNT not found in exceptions"
fi
done
IFS=$IFS_BAK
if [ -n "$RESULT" ]; then
warn "Setting sticky bit on world writable directories"
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
else
ok "All world writable directories have a sticky bit, nothing to apply"
fi
}
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=audit
# Put here your exceptions separated by spaces
EXCEPTIONS=""
EOF
}
# This function will check config parameters required
check_config() {
# No param for this function
:
if [ -z "$EXCEPTIONS" ]; then
EXCEPTIONS="@"
fi
}
# Source Root Dir Parameter

8
bin/hardening/1.5.1_bootloader_ownership.sh
View File

@ -66,22 +66,22 @@ check_config() {
is_pkg_installed "grub-pc"
if [ "$FNRET" != 0 ]; then
warn "Grub is not installed, not handling configuration"
exit 128
exit 2
fi
does_user_exist "$USER"
if [ "$FNRET" != 0 ]; then
crit "$USER does not exist"
exit 128
exit 2
fi
does_group_exist "$GROUP"
if [ "$FNRET" != 0 ]; then
crit "$GROUP does not exist"
exit 128
exit 2
fi
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
exit 128
exit 2
fi
}

5
bin/hardening/1.5.2_bootloader_password.sh
View File

@ -51,7 +51,6 @@ apply() {
else
ok "$PWD_PATTERN is present in $FILE"
fi
:
}
# This function will check config parameters required
@ -59,11 +58,11 @@ check_config() {
is_pkg_installed "grub-pc"
if [ "$FNRET" != 0 ]; then
warn "grub-pc is not installed, not handling configuration"
exit 128
exit 2
fi
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
exit 128
exit 2
fi
}

1
bin/hardening/1.5.3_root_password.sh
View File

@ -38,7 +38,6 @@ apply() {
else
ok "$PATTERN is not present in $FILE"
fi
:
}
# This function will check config parameters required

44
bin/hardening/1.6.1_enable_nx_support.sh
View File

@ -35,31 +35,39 @@ nx_supported_and_enabled() {
# This function will be called if the script status is on enabled / audit mode
audit() {
does_pattern_exist_in_dmesg "$PATTERN"
if [ "$FNRET" != 0 ]; then
nx_supported_and_enabled
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
else
ok "NX is supported and enabled"
fi
if [ "$IS_CONTAINER" -eq 1 ]; then
ok "Container detected, cannot read dmesg!"
else
ok "$PATTERN is present in dmesg"
does_pattern_exist_in_dmesg "$PATTERN"
if [ "$FNRET" != 0 ]; then
nx_supported_and_enabled
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
else
ok "NX is supported and enabled"
fi
else
ok "$PATTERN is present in dmesg"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
does_pattern_exist_in_dmesg "$PATTERN"
if [ "$FNRET" != 0 ]; then
nx_supported_and_enabled
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
else
ok "NX is supported and enabled"
fi
if [ "$IS_CONTAINER" -eq 1 ]; then
ok "Container detected, cannot read dmesg!"
else
ok "$PATTERN is present in dmesg"
does_pattern_exist_in_dmesg "$PATTERN"
if [ "$FNRET" != 0 ]; then
nx_supported_and_enabled
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
else
ok "NX is supported and enabled"
fi
else
ok "$PATTERN is present in dmesg"
fi
fi
}

89
bin/hardening/1.7.1.2_enable_apparmor.sh
View File

@ -21,32 +21,46 @@ PACKAGES='apparmor apparmor-utils'
# This function will be called if the script status is on enabled / audit mode
audit() {
ERROR=0
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is absent!"
ERROR=1
else
ok "$PACKAGE is installed"
fi
done
ERROR=0
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for line in $RESULT; do
if [[ ! "$line" =~ "apparmor=1" ]] || [[ ! "$line" =~ "security=apparmor" ]]; then
crit "$line is not configured"
ERROR=1
fi
done
IFS=$d_IFS
if [ "$ERROR" = 0 ]; then
ok "$PACKAGES are configured"
is_pkg_installed "grub-pc"
if [ "$FNRET" != 0 ]; then
if [ "$IS_CONTAINER" -eq 1 ]; then
ok "Grub is not installed in container"
else
warn "Grub is not installed"
exit 128
fi
else
ERROR=0
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for line in $RESULT; do
if [[ ! "$line" =~ "apparmor=1" ]] || [[ ! "$line" =~ "security=apparmor" ]]; then
crit "$line is not configured"
ERROR=1
fi
done
IFS=$d_IFS
if [ "$ERROR" = 0 ]; then
ok "$PACKAGES are configured"
fi
fi
fi
}
@ -62,26 +76,35 @@ apply() {
fi
done
ERROR=0
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for line in $RESULT; do
if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
crit "$line is not configured"
ERROR=1
is_pkg_installed "grub-pc"
if [ "$FNRET" != 0 ]; then
if [ "$IS_CONTAINER" -eq 1 ]; then
ok "Grub is not installed in container"
else
warn "You should use grub. Install it yourself"
fi
done
IFS=$d_IFS
if [ $ERROR = 1 ]; then
$SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor /" /etc/default/grub
$SUDO_CMD update-grub
else
ok "$PACKAGES are configured"
ERROR=0
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for line in $RESULT; do
if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
crit "$line is not configured"
ERROR=1
fi
done
IFS=$d_IFS
if [ $ERROR = 1 ]; then
$SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor /" /etc/default/grub
$SUDO_CMD update-grub
else
ok "$PACKAGES are configured"
fi
fi
}

16
bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
View File

@ -21,22 +21,25 @@ PACKAGES='apparmor apparmor-utils'
# This function will be called if the script status is on enabled / audit mode
audit() {
ERROR=0
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is absent!"
ERROR=1
else
ok "$PACKAGE is installed"
fi
done
if [ "$ERROR" = 0 ]; then
RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
if [ -n "$RESULT_UNCONFINED" ]; then
ok "No profiles are unconfined"
if [ -n "$RESULT_UNCONFINED" ]; then
ok "No profiles are unconfined"
else
crit "Some processes are unconfined while they have defined profile"
else
crit "Some processes are unconfined while they have defined profile"
fi
fi
}
@ -46,6 +49,7 @@ apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGES is absent!"
apt_install "$PACKAGE"
else
ok "$PACKAGE is installed"
fi

28
bin/hardening/1.7.1.4_enforcing_apparmor.sh
View File

@ -21,28 +21,31 @@ PACKAGES='apparmor apparmor-utils'
# This function will be called if the script status is on enabled / audit mode
audit() {
ERROR=0
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is absent!"
ERROR=1
else
ok "$PACKAGE is installed"
fi
done
if [ "$ERROR" = 0 ]; then
RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode.")
RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode.")
if [ -n "$RESULT_UNCONFINED" ]; then
ok "No profiles are unconfined"
else
crit "Some processes are unconfined while they have defined profile"
fi
if [ -n "$RESULT_UNCONFINED" ]; then
ok "No profiles are unconfined"
else
crit "Some processes are unconfined while they have defined profile"
fi
if [ -n "$RESULT_COMPLAIN" ]; then
ok "No profiles are in complain mode"
else
crit "Some processes are in complain mode"
if [ -n "$RESULT_COMPLAIN" ]; then
ok "No profiles are in complain mode"
else
crit "Some processes are in complain mode"
fi
fi
}
@ -52,6 +55,7 @@ apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is absent!"
apt_install "$PACKAGE"
else
ok "$PACKAGE is installed"
fi

4
bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh
View File

@ -21,8 +21,8 @@ SERVICE_NAME="systemd-timesyncd"
# This function will be called if the script status is on enabled / audit mode
audit() {
is_service_enabled "$SERVICE_NAME"
if [ "$FNRET" = 0 ]; then
status=$(systemctl is-enabled "$SERVICE_NAME")
if [ "$status" = "enabled" ]; then
ok "$SERVICE_NAME is enabled"
else
crit "$SERVICE_NAME is disabled"

53
bin/hardening/2.2.15_mta_localhost.sh
View File

@ -21,39 +21,50 @@ HARDENING_EXCEPTION=mail
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Checking netport ports opened"
RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
RESULT=${RESULT:-}
debug "Result is $RESULT"
if [ -z "$RESULT" ]; then
ok "Nothing listens on 25 port, probably unix socket configured"
is_pkg_installed net-tools
if [ "$FNRET" != 0 ]; then
warn "netsat not installed, cannot execute check"
exit 2
else
info "Checking $RESULT"
if grep -q "127.0.0.1" <<<"$RESULT"; then
ok "MTA is configured to localhost only"
info "Checking netport ports opened"
RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
RESULT=${RESULT:-}
debug "Result is $RESULT"
if [ -z "$RESULT" ]; then
ok "Nothing listens on 25 port, probably unix socket configured"
else
crit "MTA listens worldwide"
info "Checking $RESULT"
if grep -q "127.0.0.1" <<<"$RESULT"; then
ok "MTA is configured to localhost only"
else
crit "MTA listens worldwide"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
info "Checking netport ports opened"
RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
RESULT=${RESULT:-}
debug "Result is $RESULT"
if [ -z "$RESULT" ]; then
ok "Nothing listens on 25 port, probably unix socket configured"
is_pkg_installed net-tools
if [ "$FNRET" != 0 ]; then
warn "netsat not installed, cannot execute check"
exit 2
else
info "Checking $RESULT"
if grep -q "127.0.0.1" <<<"$RESULT"; then
ok "MTA is configured to localhost only"
info "Checking netport ports opened"
RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
RESULT=${RESULT:-}
debug "Result is $RESULT"
if [ -z "$RESULT" ]; then
ok "Nothing listens on 25 port, probably unix socket configured"
else
warn "MTA listens worldwide, correct this considering your MTA"
info "Checking $RESULT"
if grep -q "127.0.0.1" <<<"$RESULT"; then
ok "MTA is configured to localhost only"
else
warn "MTA listens worldwide, correct this considering your MTA"
fi
fi
fi
:
}
# This function will check config parameters required

6
bin/hardening/4.1.1.3_audit_bootloader.sh
View File

@ -18,7 +18,7 @@ HARDENING_LEVEL=4
DESCRIPTION="Enable auditing for processes that start prior to auditd."
FILE='/etc/default/grub'
OPTIONS='GRUB_CMDLINE_LINUX="audit=1"'
OPTIONS='GRUB_CMDLINE_LINUX=audit=1'
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -30,7 +30,7 @@ audit() {
for GRUB_OPTION in $OPTIONS; do
GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
debug "$GRUB_PARAM should be set to $GRUB_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 0 ]; then
@ -55,7 +55,7 @@ apply() {
GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
debug "$GRUB_PARAM should be set to $GRUB_VALUE"
PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 0 ]; then
warn "$PATTERN is not present in $FILE, adding it"

6
bin/hardening/4.1.1.4_audit_backlog_limit.sh
View File

@ -18,7 +18,7 @@ HARDENING_LEVEL=4
DESCRIPTION="Configure audit_backlog_limit to be sufficient."
FILE='/etc/default/grub'
OPTIONS='GRUB_CMDLINE_LINUX="audit_backlog_limit=8192"'
OPTIONS='GRUB_CMDLINE_LINUX=audit_backlog_limit=8192'
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -30,7 +30,7 @@ audit() {
for GRUB_OPTION in $OPTIONS; do
GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
debug "$GRUB_PARAM should be set to $GRUB_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 0 ]; then
@ -55,7 +55,7 @@ apply() {
GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
debug "$GRUB_PARAM should be set to $GRUB_VALUE"
PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 0 ]; then
warn "$PATTERN is not present in $FILE, adding it"

2
bin/hardening/4.1.11_record_privileged_commands.sh
View File

@ -17,8 +17,8 @@ HARDENING_LEVEL=4
# shellcheck disable=2034
DESCRIPTION="Collect use of privileged commands."
# Find all files with setuid or setgid set
SUDO_CMD='sudo -n'
# Find all files with setuid or setgid set
AUDIT_PARAMS=$($SUDO_CMD find / -xdev \( -perm -4000 -o -perm -2000 \) -type f |
awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }')
FILE='/etc/audit/audit.rules'

33
bin/hardening/4.2.1.2_enable_syslog-ng.sh
View File

@ -17,29 +17,40 @@ HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure syslog-ng service is activated."
PACKAGE='syslog-ng'
SERVICE_NAME="syslog-ng"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Checking if $SERVICE_NAME is enabled"
is_service_enabled "$SERVICE_NAME"
if [ "$FNRET" = 0 ]; then
ok "$SERVICE_NAME is enabled"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
crit "$SERVICE_NAME is disabled"
info "Checking if $SERVICE_NAME is enabled"
is_service_enabled "$SERVICE_NAME"
if [ "$FNRET" = 0 ]; then
ok "$SERVICE_NAME is enabled"
else
crit "$SERVICE_NAME is disabled"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
info "Checking if $SERVICE_NAME is enabled"
is_service_enabled "$SERVICE_NAME"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
info "Enabling $SERVICE_NAME"
update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1
crit "$PACKAGE is not installed!"
else
ok "$SERVICE_NAME is enabled"
info "Checking if $SERVICE_NAME is enabled"
is_service_enabled "$SERVICE_NAME"
if [ "$FNRET" != 0 ]; then
info "Enabling $SERVICE_NAME"
update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1
else
ok "$SERVICE_NAME is enabled"
fi
fi
}

135
bin/hardening/4.2.1.4_syslog_ng_logfiles_perm.sh
View File

@ -19,6 +19,7 @@ DESCRIPTION="Create and set permissions on syslog-ng logfiles."
# Note: this is not exacly the same check as the one described in CIS PDF
PACKAGE='syslog-ng'
PERMISSIONS=''
USER=''
GROUP=''
@ -26,14 +27,71 @@ EXCEPTIONS=''
# This function will be called if the script status is on enabled / audit mode
audit() {
FILES=$(grep "file(" "$SYSLOG_BASEDIR"/syslog-ng.conf | grep '"' | cut -d'"' -f 2)
for FILE in $FILES; do
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist"
else
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
FILES=$(grep "file(" "$SYSLOG_BASEDIR"/syslog-ng.conf | grep '"' | cut -d'"' -f 2)
for FILE in $FILES; do
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist"
else
FOUND_EXC=0
if grep -q "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
debug "$FILE is found in exceptions"
debug "Setting special user:group:perm"
FOUND_EXC=1
local user_bak="$USER"
local group_bak="$GROUP"
local perm_bak="$PERMISSIONS"
USER="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)"
GROUP="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)"
PERMISSIONS="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership ($USER:$GROUP)"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions ($PERMISSIONS)"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
if [ "$FOUND_EXC" = 1 ]; then
debug "Resetting user:group:perm"
USER="$user_bak"
GROUP="$group_bak"
PERMISSIONS="$perm_bak"
fi
fi
done
fi
}
# This function will be called if the script status is on enabled mode
apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
for FILE in $FILES; do
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
filedir=$(dirname "${FILE#/var/log/}")
if [ ! "$filedir" = "." ] && [ ! -d /var/log/"$filedir" ]; then
debug "Creating /var/log/$filedir for $FILE"
debug "mkdir -p /var/log/$filedir"
mkdir -p /var/log/"$filedir"
fi
touch "$FILE"
fi
FOUND_EXC=0
if grep -q "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
if grep "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
debug "$FILE is found in exceptions"
debug "Setting special user:group:perm"
FOUND_EXC=1
@ -46,15 +104,17 @@ audit() {
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership ($USER:$GROUP)"
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions ($PERMISSIONS)"
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
if [ "$FOUND_EXC" = 1 ]; then
debug "Resetting user:group:perm"
@ -62,57 +122,8 @@ audit() {
GROUP="$group_bak"
PERMISSIONS="$perm_bak"
fi
fi
done
}
# This function will be called if the script status is on enabled mode
apply() {
for FILE in $FILES; do
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
filedir=$(dirname "${FILE#/var/log/}")
if [ ! "$filedir" = "." ] && [ ! -d /var/log/"$filedir" ]; then
debug "Creating /var/log/$filedir for $FILE"
debug "mkdir -p /var/log/$filedir"
mkdir -p /var/log/"$filedir"
fi
touch "$FILE"
fi
FOUND_EXC=0
if grep "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
debug "$FILE is found in exceptions"
debug "Setting special user:group:perm"
FOUND_EXC=1
local user_bak="$USER"
local group_bak="$GROUP"
local perm_bak="$PERMISSIONS"
USER="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)"
GROUP="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)"
PERMISSIONS="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
if [ "$FOUND_EXC" = 1 ]; then
debug "Resetting user:group:perm"
USER="$user_bak"
GROUP="$group_bak"
PERMISSIONS="$perm_bak"
fi
done
done
fi
}
# This function will create the config file for this check with default values

58
bin/hardening/4.2.1.5_syslog-ng_remote_host.sh
View File

@ -17,40 +17,52 @@ HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Configure syslog-ng to send logs to a remote log host."
PACKAGE='syslog-ng'
PATTERN='destination[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".'
# This function will be called if the script status is on enabled / audit mode
audit() {
FOUND=0
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
for FILE in $FILES; do
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
FOUND=1
fi
done
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
crit "$PATTERN is not present in $FILES"
FOUND=0
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
for FILE in $FILES; do
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
FOUND=1
fi
done
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
else
crit "$PATTERN is not present in $FILES"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
FOUND=0
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
for FILE in $FILES; do
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
FOUND=1
fi
done
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
crit "$PATTERN is not present in $FILES, please set a remote host to send your logs"
FOUND=0
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
for FILE in $FILES; do
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
FOUND=1
fi
done
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
else
crit "$PATTERN is not present in $FILES, please set a remote host to send your logs"
fi
fi
}

98
bin/hardening/4.2.1.6_remote_syslog-ng_acl.sh
View File

@ -17,64 +17,74 @@ HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Configure syslog to accept remote syslog messages only on designated log hosts."
PACKAGE='syslog-ng'
REMOTE_HOST=""
PATTERN='source[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".'
# This function will be called if the script status is on enabled / audit mode
audit() {
FOUND=0
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
for FILE in $FILES; do
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
FOUND=1
fi
done
if [[ "$REMOTE_HOST" ]]; then
info "This is the remote host, checking that it only accepts logs from specified zone"
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
else
crit "$PATTERN is not present in $FILES"
fi
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
info "This is the not the remote host checking that it doesn't accept remote logs"
if [ "$FOUND" = 1 ]; then
crit "$PATTERN is present in $FILES"
else
ok "$PATTERN is not present in $FILES"
fi
FOUND=0
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
for FILE in $FILES; do
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
FOUND=1
fi
done
if [[ "$REMOTE_HOST" ]]; then
info "This is the remote host, checking that it only accepts logs from specified zone"
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
else
crit "$PATTERN is not present in $FILES"
fi
else
info "This is the not the remote host checking that it doesn't accept remote logs"
if [ "$FOUND" = 1 ]; then
crit "$PATTERN is present in $FILES"
else
ok "$PATTERN is not present in $FILES"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
FOUND=0
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
for FILE in $FILES; do
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
FOUND=1
fi
done
if [[ "$REMOTE_HOST" ]]; then
info "This is the remote host, checking that it only accepts logs from specified zone"
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
else
crit "$PATTERN is not present in $FILES, setup the machine to receive the logs"
fi
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
info "This is the not the remote host checking that it doesn't accept remote logs"
if [ "$FOUND" = 1 ]; then
warn "$PATTERN is present in $FILES, "
else
ok "$PATTERN is not present in $FILES"
fi
FOUND=0
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
for FILE in $FILES; do
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
FOUND=1
fi
done
if [[ "$REMOTE_HOST" ]]; then
info "This is the remote host, checking that it only accepts logs from specified zone"
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
else
crit "$PATTERN is not present in $FILES, setup the machine to receive the logs"
fi
else
info "This is the not the remote host checking that it doesn't accept remote logs"
if [ "$FOUND" = 1 ]; then
warn "$PATTERN is present in $FILES, "
else
ok "$PATTERN is not present in $FILES"
fi
fi
fi
}

50
bin/hardening/5.1.2_crontab_perm_ownership.sh
View File

@ -27,18 +27,19 @@ audit() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
fi
}
@ -48,20 +49,21 @@ apply() {
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
touch "$FILE"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
fi
}

50
bin/hardening/5.1.3_cron_hourly_perm_ownership.sh
View File

@ -27,18 +27,19 @@ audit() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
fi
}
@ -48,20 +49,21 @@ apply() {
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
touch "$FILE"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
fi
}

50
bin/hardening/5.1.4_cron_daily_perm_ownership.sh
View File

@ -27,18 +27,19 @@ audit() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
fi
}
@ -48,20 +49,21 @@ apply() {
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
touch "$FILE"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
fi
}

50
bin/hardening/5.1.5_cron_weekly_perm_ownership.sh
View File

@ -27,18 +27,19 @@ audit() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
fi
}
@ -48,20 +49,21 @@ apply() {
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
touch "$FILE"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
fi
}

50
bin/hardening/5.1.6_cron_monthly_perm_ownership.sh
View File

@ -27,18 +27,19 @@ audit() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
fi
}
@ -48,20 +49,21 @@ apply() {
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
touch "$FILE"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
fi
}

6
bin/hardening/5.2.10_disable_root_login.sh
View File

@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^$SSH_PARAM"
does_pattern_exist_in_file_nocase "$FILE" "^$SSH_PARAM"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

6
bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh
View File

@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

6
bin/hardening/5.2.12_disable_sshd_setenv.sh
View File

@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

6
bin/hardening/5.2.13_sshd_ciphers.sh
View File

@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

6
bin/hardening/5.2.16_sshd_idle_timeout.sh
View File

@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

6
bin/hardening/5.2.17_sshd_login_grace_time.sh
View File

@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
does_pattern_exist_in_file_nocase $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

6
bin/hardening/5.2.18_sshd_limit_access.sh
View File

@ -34,7 +34,7 @@ audit() {
# shellcheck disable=SC2001
SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE")
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -59,12 +59,12 @@ apply() {
# shellcheck disable=SC2001
SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE")
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

63
bin/hardening/5.2.1_sshd_conf_perm_ownership.sh
View File

@ -17,6 +17,7 @@ HARDENING_LEVEL=1
# shellcheck disable=2034
DESCRIPTION="Checking permissions and ownership to root 600 for sshd_config."
PACKAGE='openssh-server'
FILE='/etc/ssh/sshd_config'
PERMISSIONS='600'
USER='root'
@ -24,40 +25,50 @@ GROUP='root'
# This function will be called if the script status is on enabled / audit mode
audit() {
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
ok "$PACKAGE is not installed!"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
does_file_exist "$FILE"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
touch "$FILE"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
ok "$PACKAGE is not installed"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
touch "$FILE"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
fi
}

6
bin/hardening/5.2.20_enable_ssh_pam.sh
View File

@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
does_pattern_exist_in_file_nocase $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

6
bin/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh
View File

@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
does_pattern_exist_in_file_nocase $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

6
bin/hardening/5.2.22_configure_ssh_max_startups.sh
View File

@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
does_pattern_exist_in_file_nocase $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

27
bin/hardening/5.2.23_limit_ssh_max_sessions.sh
View File

@ -32,11 +32,21 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
does_pattern_exist_in_file_nocase $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in $FILE"
else
VALUE=$($SUDO_CMD grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
if [ "$VALUE" -gt "$SSH_VALUE" ]; then
crit "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM"
else
ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
fi
fi
fi
done
fi
@ -55,17 +65,22 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
VALUE=$(grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
if [ "$VALUE" -gt "$SSH_VALUE" ]; then
warn "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM, replacing it"
replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
else
ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
fi
fi
/etc/init.d/ssh reload
fi

6
bin/hardening/5.2.4_sshd_protocol.sh
View File

@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

2
bin/hardening/5.2.5_sshd_loglevel.sh
View File

@ -61,7 +61,7 @@ apply() {
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

4
bin/hardening/5.2.6_disable_x11_forwarding.sh
View File

@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

29
bin/hardening/5.2.7_sshd_maxauthtries.sh
View File

@ -32,11 +32,21 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in $FILE"
else
VALUE=$($SUDO_CMD grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
if [ "$VALUE" -gt "$SSH_VALUE" ]; then
crit "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM"
else
ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
fi
fi
fi
done
fi
@ -55,17 +65,22 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
warn "$PATTERN is not present in $FILE"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
VALUE=$(grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
if [ "$VALUE" -gt "$SSH_VALUE" ]; then
warn "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM, replacing it"
replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
else
ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
fi
fi
/etc/init.d/ssh reload
fi

6
bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh
View File

@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

6
bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh
View File

@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

40
bin/hardening/6.1.10_find_world_writable_file.sh
View File

@ -23,6 +23,19 @@ audit() {
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
# shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null)
IFS_BAK=$IFS
IFS=$'\n'
for LINE in $RESULT; do
debug "line : $LINE"
if echo "$EXCEPTIONS" | grep -q "$LINE"; then
debug "$LINE is confirmed as an exception"
# shellcheck disable=SC2001
RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
else
debug "$LINE not found in exceptions"
fi
done
IFS=$IFS_BAK
if [ -n "$RESULT" ]; then
crit "Some world writable files are present"
# shellcheck disable=SC2001
@ -36,6 +49,19 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
IFS_BAK=$IFS
IFS=$'\n'
for LINE in $RESULT; do
debug "line : $LINE"
if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then
debug "$ACCOUNT is confirmed as an exception"
# shellcheck disable=SC2001
RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
else
debug "$ACCOUNT not found in exceptions"
fi
done
IFS=$IFS_BAK
if [ -n "$RESULT" ]; then
warn "chmoding o-w all files in the system"
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null | xargs chmod o-w
@ -44,10 +70,20 @@ apply() {
fi
}
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=audit
# Put here your exceptions separated by spaces
EXCEPTIONS=""
EOF
}
# This function will check config parameters required
check_config() {
# No param for this function
:
if [ -z "$EXCEPTIONS" ]; then
EXCEPTIONS="@"
fi
}
# Source Root Dir Parameter

34
bin/hardening/99.3.3.4_hosts_allow_permissions.sh
View File

@ -24,22 +24,36 @@ GROUP='root'
# This function will be called if the script status is on enabled / audit mode
audit() {
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
ok "$FILE exist"
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist"
touch "$FILE"
warn "You may want to fill it with allowed networks"
else
ok "$FILE exist"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"

34
bin/hardening/99.3.3.5_hosts_deny_permissions.sh
View File

@ -24,22 +24,36 @@ GROUP='root'
# This function will be called if the script status is on enabled / audit mode
audit() {
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
ok "$FILE exist"
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist"
touch "$FILE"
warn "You may want to fill it with allowed networks"
else
ok "$FILE exist"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"

4
cisharden.sudoers
View File

@ -20,6 +20,10 @@ Cmnd_Alias SCL_CMD = /bin/grep ,\
/sbin/sysctl -a,\
/bin/dmesg "",\
/bin/netstat,\
/usr/sbin/lsmod,\
/sbin/lsmod,\
/sbin/modprobe,\
/usr/sbin/modprobe -n -v*,\
/usr/sbin/apparmor_status
cisharden ALL = (root) NOPASSWD: SCL_CMD

31
debian/changelog vendored
View File

@ -1,3 +1,34 @@
cis-hardening (3.1-4) unstable; urgency=medium
* Add test to check stderr is empty
* Fix 2.2.1.2 audit and apply
* Accept lower values as valid 5.2.7 and 5.2.23
* Add dir exceptions in 1.1.21 and 6.1.10
-- Thibault Ayanides <thibault.ayanides@ovhcloud.com> Thu, 06 May 2021 10:07:22 +0200
cis-hardening (3.1-3) unstable; urgency=medium
* Fix 4.1.11 permissions
-- Thibault Ayanides <thibault.ayanides@ovhcloud.com> Mon, 12 Apr 2021 12:17:16 +0200
cis-hardening (3.1-2) unstable; urgency=medium
* Fix case for sshd pattern searching
-- Thibault Ayanides <thibault.ayanides@ovhcloud.com> Fri, 02 Apr 2021 09:16:16 +0200
cis-hardening (3.1-1) unstable; urgency=medium
* Various mispeling fixes
* Fix div function that causes a display bug when runnin test with --only
* Fix 4.1.1.4 bad pattern bug
* Fix 5.4.2.2
* Various verification that package is installed or file exist before running check (openssh, apparmor, crontab)
-- Thibault Ayanides <thibault.ayanides@ovhcloud.com> Thu, 25 Mar 2021 14:59:49 +0100
cis-hardening (3.1-0) unstable; urgency=medium
* Add missing HARDENING_LEVEL var for some checks

4
lib/common.sh
View File

@ -121,6 +121,10 @@ div() {
local _d=${3:-2}
local _n=0000000000
_n=${_n:0:$_d}
if (($1 == 0)); then
echo "0"
return
fi
if (($2 == 0)); then
echo "N.A"
return

16
tests/hardening/5.2.23_limit_ssh_max_sessions.sh
View File

@ -7,6 +7,22 @@ test_audit() {
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
echo "maxsessions 1" >>/etc/ssh/sshd_config
describe Running restrictive
register_test retvalshouldbe 0
register_test contain "[ OK ] 1 is lower than recommended 10"
run restrictive /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# delete last line
sed -i '$ d' /etc/ssh/sshd_config
echo "maxsessions 15" >>/etc/ssh/sshd_config
describe Running too permissive
register_test retvalshouldbe 1
register_test contain "[ KO ] 15 is higher than recommended 10"
run permissive /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Correcting situation
# `apply` performs a service reload after each change in the config file
# the service needs to be started for the reload to succeed

16
tests/hardening/5.2.7_sshd_maxauthtries.sh
View File

@ -7,6 +7,22 @@ test_audit() {
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
echo "MaxAuthTries 2" >>/etc/ssh/sshd_config
describe Running restrictive
register_test retvalshouldbe 0
register_test contain "[ OK ] 2 is lower than recommended 4"
run restrictive /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# delete last line
sed -i '$ d' /etc/ssh/sshd_config
echo "MaxAuthTries 6" >>/etc/ssh/sshd_config
describe Running too permissive
register_test retvalshouldbe 1
register_test contain "[ KO ] 6 is higher than recommended 4"
run permissive /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Correcting situation
# `apply` performs a service reload after each change in the config file
# the service needs to be started for the reload to succeed

2
tests/hardening/99.5.4.5.2_acc_shadow_sha512.sh
View File

@ -22,7 +22,7 @@ test_audit() {
run lockedpasswd /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
mv /tmp/shadow.bak /etc/shadow
chpasswd <<EOF
chpasswd -c SHA512 <<EOF
secaudit:mypassword
EOF
describe Pass: Found properly hashed password

16
tests/launch_tests.sh
View File

@ -131,12 +131,12 @@ play_consistency_tests() {
fi
}
# Actually runs one signel audit script
# Actually runs one single audit script
_run() {
usecase_name=$1
shift
printf "\033[34m*** [%03d] %s \033[0m(%s)\n" "$testno" "$usecase_name" "$*"
bash -c "$*" >"$outdir/$usecase_name.log" && true
bash -c "$*" >"$outdir/$usecase_name.log" 2>"$outdir/${usecase_name}_err.log" && true
echo $? >"$outdir/$usecase_name.retval"
ret=$(<"$outdir"/"$usecase_name".retval)
get_stdout
@ -188,15 +188,25 @@ for test_file in $tests_list; do
echo ""
done
stderrunexpected=""
for file in "$outdir"/*_err.log; do
if [ -s "$file" ]; then
stderrunexpected="$stderrunexpected $(basename "$file")"
fi
done
printf "\033[1;36m###\n### %s \033[0m\n" "Test report"
if [ $((nbfailedret + nbfailedgrep + nbfailedconsist)) -eq 0 ]; then
if [ $((nbfailedret + nbfailedgrep + nbfailedconsist)) -eq 0 ] && [ -z "$stderrunexpected" ]; then
echo -e "\033[42m\033[30mAll tests succeeded :)\033[0m"
echo -e "\033[42m\033[30mStderr is empty :)\033[0m"
else
(
echo -e "\033[41mOne or more tests failed :(\033[0m"
echo -e "- $nbfailedret unexpected return values ${listfailedret}"
echo -e "- $nbfailedgrep unexpected text values $listfailedgrep"
echo -e "- $nbfailedconsist root/sudo consistency $listfailedconsist"
echo -e "- stderr detected on $stderrunexpected"
) | tee "$outdir"/summary
fi
echo