elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2025-07-16 22:02:17 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: elie:v3.1-0
Branches Tags
elie:master elie:damcava35/deb12_scripts_2 elie:damcava35/update_lib elie:damcava35/new_scripts elie:damcava35/issue_249 elie:damcava35/drop_debian10 elie:damcava35/is_ip_v6_enabled elie:damcava35/issue_195 elie:damcava35/fix_only elie:damcava35/fix_packaging elie:damcava35/set_version elie:damcava35/test_pre_commit elie:dev/thibault.dewailly/deb12 elie:dependabot/github_actions/luizm/action-sh-checker-0.9.0 elie:dev/thibault.dewailly/set_hardening_level elie:dev/thibault.dewailly/syslogng_remotecheck
elie:latest elie:v4.1-5 elie:v4.1-4 elie:v4.1-3 elie:v4.1-2 elie:v4.1-1 elie:v4.0-1 elie:v3.8-1 elie:v3.7-1 elie:v3.6-1 elie:v3.5-1 elie:v3.4-1 elie:v3.3-1 elie:v3.2-2 elie:v3.2-1 elie:v3.2-0 elie:v3.1-6 elie:v3.1-5 elie:v3.1-4 elie:v3.1-3 elie:v3.1-2 elie:v3.1-1 elie:v3.1-0 elie:v3.0-1 elie:v3.0 elie:v2.1-6 elie:v2.1-5 elie:v2.1-4 elie:v2.1-3 elie:v2.1-2 elie:v2.1-1 elie:v2.0-6 elie:v2.0-5 elie:v2.0-4 elie:v1.3-4 elie:v1.3-3 elie:v1.3-2 elie:v1.3 elie:v1.2-1 elie:v1.1-1
...
compare: elie:v3.5-1
Branches Tags
elie:damcava35/deb12_scripts_2 elie:damcava35/update_lib elie:damcava35/new_scripts elie:master elie:damcava35/issue_249 elie:damcava35/drop_debian10 elie:damcava35/is_ip_v6_enabled elie:damcava35/issue_195 elie:damcava35/fix_only elie:damcava35/fix_packaging elie:damcava35/set_version elie:damcava35/test_pre_commit elie:dev/thibault.dewailly/deb12 elie:dependabot/github_actions/luizm/action-sh-checker-0.9.0 elie:dev/thibault.dewailly/set_hardening_level elie:dev/thibault.dewailly/syslogng_remotecheck
elie:latest elie:v4.1-5 elie:v4.1-4 elie:v4.1-3 elie:v4.1-2 elie:v4.1-1 elie:v4.0-1 elie:v3.8-1 elie:v3.7-1 elie:v3.6-1 elie:v3.5-1 elie:v3.4-1 elie:v3.3-1 elie:v3.2-2 elie:v3.2-1 elie:v3.2-0 elie:v3.1-6 elie:v3.1-5 elie:v3.1-4 elie:v3.1-3 elie:v3.1-2 elie:v3.1-1 elie:v3.1-0 elie:v3.0-1 elie:v3.0 elie:v2.1-6 elie:v2.1-5 elie:v2.1-4 elie:v2.1-3 elie:v2.1-2 elie:v2.1-1 elie:v2.0-6 elie:v2.0-5 elie:v2.0-4 elie:v1.3-4 elie:v1.3-3 elie:v1.3-2 elie:v1.3 elie:v1.2-1 elie:v1.1-1

53 Commits
v3.1-0 ... v3.5-1

Author SHA1 Message Date
Tarik Megzari
7a3145d7f1 bump to 3.5-1 (#152) 
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
 2022-03-23 18:40:25 +01:00
GoldenKiwi
5c072668d5 fix: add 10s wait timeout on iptables command (#151) 
When the tested server has its iptables heavily manipulated (e.g Kubernetes)
The lock aquirement can sometimes fail, hence generating false positives
The command will retry 10 times with a 1 second interval
 2022-03-23 16:56:38 +01:00
GoldenKiwi
d1bd1eb2e7 bump to 3.4-1 (#150) 2022-03-18 16:49:25 +01:00
GoldenKiwi
ad5c71c3ce fix: allow passwd-, group- and shadow- debian default permissions (#149) 2022-03-18 16:41:49 +01:00
dependabot[bot]
33964c0a3d Bump EndBug/add-and-commit from 8.0.2 to 9 (#148) 
Bumps [EndBug/add-and-commit](https://github.com/EndBug/add-and-commit) from 8.0.2 to 9.
- [Release notes](https://github.com/EndBug/add-and-commit/releases)
- [Changelog](https://github.com/EndBug/add-and-commit/blob/main/CHANGELOG.md)
- [Commits](https://github.com/EndBug/add-and-commit/compare/v8.0.2...v9)

---
updated-dependencies:
- dependency-name: EndBug/add-and-commit
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-03-14 15:36:48 +01:00
Tarik Megzari
8320d0eecc CI: Fix release action (#147) 
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
 2022-03-03 12:02:12 +01:00
Tarik Megzari
a0d33ab158 Update changelog for release 3.3-1 (#146) 
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
 2022-03-03 10:26:42 +01:00
Jan Schmidle
a6a22084e1 missing shadowtools backup files is ok (#132) 
* missing shadowtools backup files is ok

* update corresponding test cases
 2022-03-02 18:05:37 +01:00
Tarik Megzari
b962155a3c fix: Avoid find failures on too many files (#144) 
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2022-03-02 17:49:28 +01:00
dependabot[bot]
20bf51f65b Bump actions/checkout from 2 to 3 (#145) 
Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-03-02 00:14:50 +01:00
dependabot[bot]
adfe28470a Bump metcalfc/changelog-generator from 1.0.0 to 3.0.0 (#133) 
Bumps [metcalfc/changelog-generator](https://github.com/metcalfc/changelog-generator) from 1.0.0 to 3.0.0.
- [Release notes](https://github.com/metcalfc/changelog-generator/releases)
- [Changelog](https://github.com/metcalfc/changelog-generator/blob/main/release-notes.png)
- [Commits](https://github.com/metcalfc/changelog-generator/compare/v1.0.0...v3.0.0)

---
updated-dependencies:
- dependency-name: metcalfc/changelog-generator
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-03-01 23:48:57 +01:00
dependabot[bot]
c94ee10afe Bump EndBug/add-and-commit from 7 to 8.0.2 (#142) 
Bumps [EndBug/add-and-commit](https://github.com/EndBug/add-and-commit) from 7 to 8.0.2.
- [Release notes](https://github.com/EndBug/add-and-commit/releases)
- [Changelog](https://github.com/EndBug/add-and-commit/blob/main/CHANGELOG.md)
- [Commits](https://github.com/EndBug/add-and-commit/compare/v7...v8.0.2)

---
updated-dependencies:
- dependency-name: EndBug/add-and-commit
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-03-01 20:39:39 +01:00
dependabot[bot]
453a72b8c8 Bump actions-ecosystem/action-get-latest-tag from 1.4.1 to 1.5.0 (#143) 
Bumps [actions-ecosystem/action-get-latest-tag](https://github.com/actions-ecosystem/action-get-latest-tag) from 1.4.1 to 1.5.0.
- [Release notes](https://github.com/actions-ecosystem/action-get-latest-tag/releases)
- [Commits](https://github.com/actions-ecosystem/action-get-latest-tag/compare/v1.4.1...v1.5.0)

---
updated-dependencies:
- dependency-name: actions-ecosystem/action-get-latest-tag
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-03-01 20:28:33 +01:00
Tarik Megzari
bb03764918 fix: Catch unexpected failures (#140) 
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
 2022-01-31 15:38:38 +01:00
Tarik Megzari
17d272420a feat: Dissociate iptables pkg name from command (#137) 
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
 2021-12-27 15:40:55 +01:00
Tarik Megzari
f1c1517bd2 Update changelog for release 3.2-2 (#135) 
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
 2021-12-13 16:06:57 +01:00
tdenof
1341622335 Fix empty fstab test (#134) 
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Co-authored-by: Thibault Dewailly <thibault.dewailly@corp.ovh.com>
 2021-12-08 08:42:22 +01:00
thibault.dewailly
c8fcfed248 Update changelog for release 3.2-1 2021-12-01 11:04:56 +00:00
Sebastien BLAISOT
97914976c8 Skip NTP and Chrony config check if they are not installed (#120) 
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-12-01 10:49:08 +01:00
Sebastien BLAISOT
66c8ccf495 Fix 3.4.2 audit rule (#123) 
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-12-01 10:23:11 +01:00
Sebastien BLAISOT
b53bf1795c Fix grub detection (#119) 
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-12-01 08:58:32 +01:00
Sebastien BLAISOT
1a874b2b35 Allow grub.cfg permission to be 600 (#121) 
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-11-30 18:47:19 +01:00
Sebastien BLAISOT
7266ec7cb4 Honor --set-log-level parameter (#127) 
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-11-30 18:42:33 +01:00
Jan Schmidle
8f855ac159 fix: kernel module detection (#129) 
* fix: add filter to hfs

* fix is_kernel_option_enabled check

as the module in question could have dependencies which have been blacklisted as well we need to make sure that the comparison only checks for the module in question - the last line in the output.

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-10-20 14:51:29 +02:00
Sebastien BLAISOT
ad192c9457 Add silent mode and json summary (#128) 
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-10-20 13:22:59 +02:00
Sebastien BLAISOT
3d2d97a727 FIX(1.7.1.4): don't abort script in case of unconfined processes (#130) 2021-10-20 13:14:36 +02:00
Sebastien BLAISOT
6e2fb1570c FIX(2.2.1.4): Validate debian default ntp config (#118) 2021-10-15 16:19:51 +02:00
dependabot[bot]
faf5b155e5 Bump metcalfc/changelog-generator from v0.4.4 to v1.0.0 (#81) 
Bumps [metcalfc/changelog-generator](https://github.com/metcalfc/changelog-generator) from v0.4.4 to v1.0.0.
- [Release notes](https://github.com/metcalfc/changelog-generator/releases)
- [Changelog](https://github.com/metcalfc/changelog-generator/blob/main/release-notes.png)
- [Commits](https://github.com/metcalfc/changelog-generator/compare/v0.4.4...e5306b306fa2e34f05258789e0e5c526c1bd4352)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Thibault Ayanides <thibault.ayanides@ovhcloud.com>
 2021-08-10 13:57:13 +02:00
dependabot[bot]
43887d4165 Bump luizm/action-sh-checker from 0.1.13 to 0.3.0 (#111) 
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.1.13 to 0.3.0.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.1.13...v0.3.0)

---
updated-dependencies:
- dependency-name: luizm/action-sh-checker
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2021-08-10 13:47:31 +02:00
dependabot[bot]
499ebf2f9b Bump dev-drprasad/delete-tag-and-release from v0.1.3 to v0.2.0 (#72) 
Bumps [dev-drprasad/delete-tag-and-release](https://github.com/dev-drprasad/delete-tag-and-release) from v0.1.3 to v0.2.0.
- [Release notes](https://github.com/dev-drprasad/delete-tag-and-release/releases)
- [Commits](https://github.com/dev-drprasad/delete-tag-and-release/compare/v0.1.3...085c6969f18bad0de1b9f3fe6692a3cd01f64fe5)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Thibault Ayanides <thibault.ayanides@ovhcloud.com>
 2021-08-10 10:39:53 +02:00
Thibault Ayanides
afed5a9dce 99.5.4.5.2: fix bug where sha512 option rounds provoke KO (#112) 2021-08-10 10:30:35 +02:00
dependabot[bot]
01c3d1b98c Bump luizm/action-sh-checker from v0.1.12 to v0.1.13 (#73) 
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from v0.1.12 to v0.1.13.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.1.12...164368daf52a9126460854f9c0de00abc079a350)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Thibault Ayanides <thibault.ayanides@ovhcloud.com>
 2021-08-10 09:43:59 +02:00
dependabot[bot]
25e899168f Bump actions-ecosystem/action-get-latest-tag from 1 to 1.4.1 (#101) 
Bumps [actions-ecosystem/action-get-latest-tag](https://github.com/actions-ecosystem/action-get-latest-tag) from 1 to 1.4.1.
- [Release notes](https://github.com/actions-ecosystem/action-get-latest-tag/releases)
- [Commits](https://github.com/actions-ecosystem/action-get-latest-tag/compare/v1...v1.4.1)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Thibault Ayanides <thibault.ayanides@ovhcloud.com>
 2021-08-10 09:36:28 +02:00
Thibault Ayanides
9a2e3a0e0d Fix 5.4.5 pattern search (#108) 
fix #107
 2021-08-09 10:49:56 +02:00
Thibault Ayanides
334d743125 fix EXCEPTIONS management (#104) 
* FIX(1.1.21, 6.1.10) fix EXCEPTIONS management
* Update changelog
* Refactor test for 6.1.10-14
 2021-06-02 13:47:19 +02:00
Thibault Ayanides
4ed8adf790 Update changelog (#103) 2021-05-28 15:06:48 +02:00
Thibault Ayanides
f4328deeb2 Fix unbound variable (#102) 2021-05-28 15:00:58 +02:00
Thibault Ayanides
29505255ff Update changelog (#99) 2021-05-07 09:16:15 +02:00
Thibault Ayanides
9e6c9a0d8a Accept lower values (#95) 
* IMP(5.2.23): accept lower value as valid

* IMP(5.2.7): accept lower value as valid
 2021-04-27 16:04:13 +02:00
Thibault Ayanides
1cade2e375 FIX(2.2.1.2): custom func not working for systemd (#90) 
fix #87
 2021-04-27 13:49:05 +02:00
Thibault Ayanides
fc8a2b2561 FIX: add commands to sudoers (#91) 2021-04-27 13:31:59 +02:00
Thibault Ayanides
cadc25c28c Dir exceptions (#96) 
* IMP(1.1.21): add EXCEPTIONS
* IMP(6.1.10): add EXCEPTIONS
 2021-04-26 17:05:22 +02:00
Thibault Ayanides
8c6c9a7571 IMP(tests): checks that stderr is empty 
Fix #97
 2021-04-26 17:01:19 +02:00
Thibault Ayanides
dd41988933 Update changelog 2021-04-13 11:00:29 +02:00
Thibault Ayanides
f6c6e6a0a8 FIX(4.1.11): add SUDO to find suid files 2021-04-13 11:00:29 +02:00
Thibault Ayanides
d26ad48416 Update changelog 2021-04-02 09:25:41 +02:00
Thibault Ayanides
d110a2aa19 Ignore case for sshd conf 
fix #85
 2021-04-02 09:25:41 +02:00
Thibault Ayanides
cbd81b8ab2 Update changelog (#82) 2021-03-26 12:16:50 +01:00
Thibault Ayanides
1c51e4cec4 Check that package are installed before launching check (#69) 
* FIX(1.6.1,1.7.1.x): check if apparmor and grub is installed

* FIX(2.2.15): check package install

* FIX(4.2.x): check package install

* FIX(5.1.x): check crontab files exist

* FIX(5.2.1): check package install

* FIX(99.3.3.x): check conf file exist

* Remove useless SUDO_CMD

* Deal with non existant /run/shm

* Replace exit code 128 by exit code 2

fix #65

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-03-25 14:01:57 +01:00
Thibault Ayanides
f8ac58700d FIX(4.1.1.4): bad pattern (#67) 
fix #61
 2021-03-25 13:50:08 +01:00
Thibault Ayanides
1c1393c7e3 Fix div function to manage 0 on numerator (#79) 
fix #77

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-03-23 08:36:36 +01:00
Thibault Ayanides
c50f200c5c FIX(5.4.5.2): explicit sha512 
fix #74
 2021-03-22 15:22:50 +01:00
Simão Gomes Viana
c0ecc9cd6f README: fix spelling and spacing in first line 2021-03-19 08:36:31 +01:00
90 changed files with 1233 additions and 716 deletions
Expand all files Collapse all files

4
.github/workflows/compile-manual.yml vendored
View File

@ -7,10 +7,10 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout repo - name: Checkout repo
uses: actions/checkout@v2 uses: actions/checkout@v3
- name: Produce debian man - name: Produce debian man
run: 'docker run --rm --volume "`pwd`:/data" --user `id -u`:`id -g` pandoc/latex:2.6 MANUAL.md -s -t man > debian/cis-hardening.8' run: 'docker run --rm --volume "`pwd`:/data" --user `id -u`:`id -g` pandoc/latex:2.6 MANUAL.md -s -t man > debian/cis-hardening.8'
- uses: EndBug/add-and-commit@v7 - uses: EndBug/add-and-commit@v9
with: with:
add: 'debian/cis-hardening.8' add: 'debian/cis-hardening.8'
message: 'Regenerate man pages (Github action)' message: 'Regenerate man pages (Github action)'

6
.github/workflows/functionnal-tests.yml vendored
View File

@ -8,20 +8,20 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout repo - name: Checkout repo
uses: actions/checkout@v2 uses: actions/checkout@v3
- name: Run the tests debian9 - name: Run the tests debian9
run: ./tests/docker_build_and_run_tests.sh debian9 run: ./tests/docker_build_and_run_tests.sh debian9
functionnal-tests-docker-debian10: functionnal-tests-docker-debian10:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout repo - name: Checkout repo
uses: actions/checkout@v2 uses: actions/checkout@v3
- name: Run the tests debian10 - name: Run the tests debian10
run: ./tests/docker_build_and_run_tests.sh debian10 run: ./tests/docker_build_and_run_tests.sh debian10
functionnal-tests-docker-debian11: functionnal-tests-docker-debian11:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout repo - name: Checkout repo
uses: actions/checkout@v2 uses: actions/checkout@v3
- name: Run the tests debian11 - name: Run the tests debian11
run: ./tests/docker_build_and_run_tests.sh debian11 run: ./tests/docker_build_and_run_tests.sh debian11

8
.github/workflows/pre-release.yml vendored
View File

@ -11,7 +11,7 @@ jobs:
steps: steps:
# CHECKOUT CODE # CHECKOUT CODE
- name: Checkout code - name: Checkout code
uses: actions/checkout@v2 uses: actions/checkout@v3
# BUILD THE .DEB PACKAGE # BUILD THE .DEB PACKAGE
- name: Build - name: Build
run: | run: |
@ -21,7 +21,7 @@ jobs:
find ../ -name "*.deb" -exec mv {} cis-hardening.deb \; find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
# DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
- name: Delete the tag latest and the release latest - name: Delete the tag latest and the release latest
uses: dev-drprasad/delete-tag-and-release@v0.1.3 uses: dev-drprasad/delete-tag-and-release@v0.2.0
with: with:
delete_release: true delete_release: true
tag_name: latest tag_name: latest
@ -29,12 +29,12 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# GET LATEST VERSION TAG # GET LATEST VERSION TAG
- name: Get latest version tag - name: Get latest version tag
uses: actions-ecosystem/action-get-latest-tag@v1 uses: actions-ecosystem/action-get-latest-tag@v1.5.0
id: get-latest-tag id: get-latest-tag
# GENERATE CHANGELOG CORRESPONDING TO COMMIT BETWEEN HEAD AND COMPUTED LAST TAG # GENERATE CHANGELOG CORRESPONDING TO COMMIT BETWEEN HEAD AND COMPUTED LAST TAG
- name: Generate changelog - name: Generate changelog
id: changelog id: changelog
uses: metcalfc/changelog-generator@v0.4.4 uses: metcalfc/changelog-generator@v3.0.0
with: with:
myToken: ${{ secrets.GITHUB_TOKEN }} myToken: ${{ secrets.GITHUB_TOKEN }}
head-ref: ${{ github.sha }} head-ref: ${{ github.sha }}

6
.github/workflows/shellcheck_and_shellfmt.yml vendored
View File

@ -8,9 +8,9 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout repo - name: Checkout repo
uses: actions/checkout@v2 uses: actions/checkout@v3
- name: Run the sh-checker - name: Run the sh-checker
uses: luizm/action-sh-checker@v0.1.12 uses: luizm/action-sh-checker@v0.3.0
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Optional if sh_checker_comment is false. GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Optional if sh_checker_comment is false.
SHFMT_OPTS: -l -i 4 -w # Optional: pass arguments to shfmt. SHFMT_OPTS: -l -i 4 -w # Optional: pass arguments to shfmt.
@ -24,6 +24,6 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout repo - name: Checkout repo
uses: actions/checkout@v2 uses: actions/checkout@v3
- name: Run shellcheck - name: Run shellcheck
run: ./shellcheck/docker_build_and_run_shellcheck.sh run: ./shellcheck/docker_build_and_run_shellcheck.sh

6
.github/workflows/tagged-release.yml vendored
View File

@ -7,8 +7,6 @@ on:
jobs: jobs:
build: build:
name: Create Release name: Create Release
# only runs on master
if: github.event.base_ref == 'refs/heads/master'
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
# GET VERSION TAG # GET VERSION TAG
@ -17,7 +15,7 @@ jobs:
run: echo ::set-output name=tag::${GITHUB_REF#refs/*/} run: echo ::set-output name=tag::${GITHUB_REF#refs/*/}
# CHECKOUT CODE # CHECKOUT CODE
- name: Checkout code - name: Checkout code
uses: actions/checkout@v2 uses: actions/checkout@v3
with: with:
ref: ${{ steps.vars.outputs.tag }} ref: ${{ steps.vars.outputs.tag }}
# GENERATE CHANGELOG CORRESPONDING TO ENTRY IN DEBIAN/CHANGELOG # GENERATE CHANGELOG CORRESPONDING TO ENTRY IN DEBIAN/CHANGELOG
@ -35,7 +33,7 @@ jobs:
find ../ -name "*.deb" -exec mv {} cis-hardening.deb \; find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
# DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
- name: Delete the tag latest and the release latest - name: Delete the tag latest and the release latest
uses: dev-drprasad/delete-tag-and-release@v0.1.3 uses: dev-drprasad/delete-tag-and-release@v0.2.0
with: with:
delete_release: true delete_release: true
tag_name: latest tag_name: latest

4
README.md
View File

@ -1,7 +1,7 @@
# :lock: CIS Debian 9/10 Hardening # :lock: CIS Debian 9/10 Hardening
:tada: **News**: this projet is back in the game and is from now on maintained. Be free to use and to :tada: **News**: this project is back in the game and is from now on maintained. Be free to use and to
report issues if you find any ! report issues if you find any!
<p align="center"> <p align="center">

37
bin/hardening.sh
View File

@ -26,6 +26,7 @@ ALLOW_SERVICE_LIST=0
SET_HARDENING_LEVEL=0 SET_HARDENING_LEVEL=0
SUDO_MODE='' SUDO_MODE=''
BATCH_MODE='' BATCH_MODE=''
SUMMARY_JSON=''
ASK_LOGLEVEL='' ASK_LOGLEVEL=''
ALLOW_UNSUPPORTED_DISTRIBUTION=0 ALLOW_UNSUPPORTED_DISTRIBUTION=0
@ -80,7 +81,7 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
Modifies the policy to allow a certain kind of services on the machine, such Modifies the policy to allow a certain kind of services on the machine, such
as http, mail, etc. Can be specified multiple times to allow multiple services. as http, mail, etc. Can be specified multiple times to allow multiple services.
Use --allow-service-list to get a list of supported services. Use --allow-service-list to get a list of supported services.
--create-config-files-only --create-config-files-only
Create the config files in etc/conf.d Create the config files in etc/conf.d
Must be run as root, before running the audit with user secaudit Must be run as root, before running the audit with user secaudit
@ -101,14 +102,18 @@ OPTIONS:
Finally note that '--sudo' mode only works for audit mode. Finally note that '--sudo' mode only works for audit mode.
--set-log-level <level> --set-log-level <level>
This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug. This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug or silent.
Default value is : info Default value is : info
--summary-json
While performing system audit, this option sets LOGLEVEL to silent and
only output a json summary at the end
--batch --batch
While performing system audit, this option sets LOGLEVEL to 'ok' and While performing system audit, this option sets LOGLEVEL to 'ok' and
captures all output to print only one line once the check is done, formatted like : captures all output to print only one line once the check is done, formatted like :
OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}] OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
--allow-unsupported-distribution --allow-unsupported-distribution
Must be specified manually in the command line to allow the run on non compatible Must be specified manually in the command line to allow the run on non compatible
version or distribution. If you want to mute the warning change the LOGLEVEL version or distribution. If you want to mute the warning change the LOGLEVEL
@ -165,6 +170,10 @@ while [[ $# -gt 0 ]]; do
--sudo) --sudo)
SUDO_MODE='--sudo' SUDO_MODE='--sudo'
;; ;;
--summary-json)
SUMMARY_JSON='--summary-json'
ASK_LOGLEVEL=silent
;;
--batch) --batch)
BATCH_MODE='--batch' BATCH_MODE='--batch'
ASK_LOGLEVEL=ok ASK_LOGLEVEL=ok
@ -299,19 +308,19 @@ for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
info "Treating $SCRIPT" info "Treating $SCRIPT"
if [ "$CREATE_CONFIG" = 1 ]; then if [ "$CREATE_CONFIG" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only" debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only"
"$SCRIPT" --create-config-files-only "$BATCH_MODE" LOGLEVEL=$LOGLEVEL "$SCRIPT" --create-config-files-only "$BATCH_MODE"
elif [ "$AUDIT" = 1 ]; then elif [ "$AUDIT" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE" debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
"$SCRIPT" --audit "$SUDO_MODE" "$BATCH_MODE" LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit "$SUDO_MODE" "$BATCH_MODE"
elif [ "$AUDIT_ALL" = 1 ]; then elif [ "$AUDIT_ALL" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE" debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
"$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE" LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
elif [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then elif [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE" debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
"$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE" LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
elif [ "$APPLY" = 1 ]; then elif [ "$APPLY" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT" debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
"$SCRIPT" LOGLEVEL=$LOGLEVEL "$SCRIPT"
fi fi
SCRIPT_EXITCODE=$? SCRIPT_EXITCODE=$?
@ -355,6 +364,18 @@ if [ "$BATCH_MODE" ]; then
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0 BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
fi fi
becho "$BATCH_SUMMARY" becho "$BATCH_SUMMARY"
elif [ "$SUMMARY_JSON" ]; then
if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
CONFORMITY_PERCENTAGE=$(div $((PASSED_CHECKS * 100)) $TOTAL_TREATED_CHECKS)
else
CONFORMITY_PERCENTAGE=0 # No check runned, avoid division by 0
fi
printf '{'
printf '"available_checks": %s, ' "$TOTAL_CHECKS"
printf '"run_checks": %s, ' "$TOTAL_TREATED_CHECKS"
printf '"passed_checks": %s, ' "$PASSED_CHECKS"
printf '"conformity_percentage": %s' "$CONFORMITY_PERCENTAGE"
printf '}\n'
else else
printf "%40s\n" "################### SUMMARY ###################" printf "%40s\n" "################### SUMMARY ###################"
printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS" printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"

4
bin/hardening/1.1.1.3_disable_hfs.sh
View File

@ -26,7 +26,7 @@ audit() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!" ok "Container detected, consider host enforcing or disable this check!"
else else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!" crit "$MODULE_NAME is enabled!"
else else
@ -41,7 +41,7 @@ apply() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!" ok "Container detected, consider host enforcing!"
else else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)" warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else else

4
bin/hardening/1.1.1.4_disable_hfsplus.sh
View File

@ -26,7 +26,7 @@ audit() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!" ok "Container detected, consider host enforcing or disable this check!"
else else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!" crit "$MODULE_NAME is enabled!"
else else
@ -41,7 +41,7 @@ apply() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!" ok "Container detected, consider host enforcing!"
else else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)" warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else else

6
bin/hardening/1.1.15_run_shm_nodev.sh
View File

@ -24,7 +24,11 @@ OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
PARTITION=$(readlink -e "$PARTITION") if [ -e "$PARTITION" ]; then
PARTITION=$(readlink -e "$PARTITION")
else
PARTITION="/dev/shm"
fi
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then

6
bin/hardening/1.1.16_run_shm_nosuid.sh
View File

@ -24,7 +24,11 @@ OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
PARTITION=$(readlink -e "$PARTITION") if [ -e "$PARTITION" ]; then
PARTITION=$(readlink -e "$PARTITION")
else
PARTITION="/dev/shm"
fi
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then

6
bin/hardening/1.1.17_run_shm_noexec.sh
View File

@ -24,7 +24,11 @@ OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
PARTITION=$(readlink -e "$PARTITION") if [ -e "$PARTITION" ]; then
PARTITION=$(readlink -e "$PARTITION")
else
PARTITION="/dev/shm"
fi
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then

23
bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
View File

@ -17,12 +17,20 @@ HARDENING_LEVEL=2
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them." DESCRIPTION="Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them."
EXCEPTIONS=''
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
info "Checking if setuid is set on world writable Directories" info "Checking if setuid is set on world writable Directories"
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}') FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
# shellcheck disable=SC2086 if [ -n "$EXCEPTIONS" ]; then
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null) # shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
else
# shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
fi
if [ -n "$RESULT" ]; then if [ -n "$RESULT" ]; then
crit "Some world writable directories are not on sticky bit mode!" crit "Some world writable directories are not on sticky bit mode!"
# shellcheck disable=SC2001 # shellcheck disable=SC2001
@ -35,9 +43,16 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null) if [ -n "$EXCEPTIONS" ]; then
# shellcheck disable=SC2086
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
else
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
fi
if [ -n "$RESULT" ]; then if [ -n "$RESULT" ]; then
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t warn "Setting sticky bit on world writable directories"
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d -perm -0002 2>/dev/null | xargs chmod a+t
else else
ok "All world writable directories have a sticky bit, nothing to apply" ok "All world writable directories have a sticky bit, nothing to apply"
fi fi

15
bin/hardening/1.5.1_bootloader_ownership.sh
View File

@ -23,6 +23,7 @@ FILE='/boot/grub/grub.cfg'
USER='root' USER='root'
GROUP='root' GROUP='root'
PERMISSIONS='400' PERMISSIONS='400'
PERMISSIONSOK='400 600'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
@ -33,7 +34,7 @@ audit() {
crit "$FILE ownership was not set to $USER:$GROUP" crit "$FILE ownership was not set to $USER:$GROUP"
fi fi
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
@ -51,7 +52,7 @@ apply() {
chown "$USER":"$GROUP" "$FILE" chown "$USER":"$GROUP" "$FILE"
fi fi
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
@ -63,25 +64,25 @@ apply() {
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
is_pkg_installed "grub-pc" is_pkg_installed "grub-common"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "Grub is not installed, not handling configuration" warn "Grub is not installed, not handling configuration"
exit 128 exit 2
fi fi
does_user_exist "$USER" does_user_exist "$USER"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$USER does not exist" crit "$USER does not exist"
exit 128 exit 2
fi fi
does_group_exist "$GROUP" does_group_exist "$GROUP"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$GROUP does not exist" crit "$GROUP does not exist"
exit 128 exit 2
fi fi
does_file_exist "$FILE" does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
exit 128 exit 2
fi fi
} }

9
bin/hardening/1.5.2_bootloader_password.sh
View File

@ -51,19 +51,18 @@ apply() {
else else
ok "$PWD_PATTERN is present in $FILE" ok "$PWD_PATTERN is present in $FILE"
fi fi
:
} }
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
is_pkg_installed "grub-pc" is_pkg_installed "grub-common"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "grub-pc is not installed, not handling configuration" warn "Grub is not installed, not handling configuration"
exit 128 exit 2
fi fi
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
exit 128 exit 2
fi fi
} }

1
bin/hardening/1.5.3_root_password.sh
View File

@ -38,7 +38,6 @@ apply() {
else else
ok "$PATTERN is not present in $FILE" ok "$PATTERN is not present in $FILE"
fi fi
:
} }
# This function will check config parameters required # This function will check config parameters required

44
bin/hardening/1.6.1_enable_nx_support.sh
View File

@ -35,31 +35,39 @@ nx_supported_and_enabled() {
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
does_pattern_exist_in_dmesg "$PATTERN" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" != 0 ]; then ok "Container detected, cannot read dmesg!"
nx_supported_and_enabled
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
else
ok "NX is supported and enabled"
fi
else else
ok "$PATTERN is present in dmesg" does_pattern_exist_in_dmesg "$PATTERN"
if [ "$FNRET" != 0 ]; then
nx_supported_and_enabled
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
else
ok "NX is supported and enabled"
fi
else
ok "$PATTERN is present in dmesg"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
does_pattern_exist_in_dmesg "$PATTERN" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" != 0 ]; then ok "Container detected, cannot read dmesg!"
nx_supported_and_enabled
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
else
ok "NX is supported and enabled"
fi
else else
ok "$PATTERN is present in dmesg" does_pattern_exist_in_dmesg "$PATTERN"
if [ "$FNRET" != 0 ]; then
nx_supported_and_enabled
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
else
ok "NX is supported and enabled"
fi
else
ok "$PATTERN is present in dmesg"
fi
fi fi
} }

89
bin/hardening/1.7.1.2_enable_apparmor.sh
View File

@ -21,32 +21,46 @@ PACKAGES='apparmor apparmor-utils'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
ERROR=0
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is absent!" crit "$PACKAGE is absent!"
ERROR=1
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
fi fi
done done
ERROR=0
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for line in $RESULT; do
if [[ ! "$line" =~ "apparmor=1" ]] || [[ ! "$line" =~ "security=apparmor" ]]; then
crit "$line is not configured"
ERROR=1
fi
done
IFS=$d_IFS
if [ "$ERROR" = 0 ]; then if [ "$ERROR" = 0 ]; then
ok "$PACKAGES are configured" is_pkg_installed "grub-common"
if [ "$FNRET" != 0 ]; then
if [ "$IS_CONTAINER" -eq 1 ]; then
ok "Grub is not installed in container"
else
warn "Grub is not installed"
exit 128
fi
else
ERROR=0
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for line in $RESULT; do
if [[ ! "$line" =~ "apparmor=1" ]] || [[ ! "$line" =~ "security=apparmor" ]]; then
crit "$line is not configured"
ERROR=1
fi
done
IFS=$d_IFS
if [ "$ERROR" = 0 ]; then
ok "$PACKAGES are configured"
fi
fi
fi fi
} }
@ -62,26 +76,35 @@ apply() {
fi fi
done done
ERROR=0 is_pkg_installed "grub-pc"
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg) if [ "$FNRET" != 0 ]; then
if [ "$IS_CONTAINER" -eq 1 ]; then
# define custom IFS and save default one ok "Grub is not installed in container"
d_IFS=$IFS else
c_IFS=$'\n' warn "You should use grub. Install it yourself"
IFS=$c_IFS
for line in $RESULT; do
if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
crit "$line is not configured"
ERROR=1
fi fi
done
IFS=$d_IFS
if [ $ERROR = 1 ]; then
$SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor /" /etc/default/grub
$SUDO_CMD update-grub
else else
ok "$PACKAGES are configured" ERROR=0
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for line in $RESULT; do
if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
crit "$line is not configured"
ERROR=1
fi
done
IFS=$d_IFS
if [ $ERROR = 1 ]; then
$SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor /" /etc/default/grub
$SUDO_CMD update-grub
else
ok "$PACKAGES are configured"
fi
fi fi
} }

16
bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
View File

@ -21,22 +21,25 @@ PACKAGES='apparmor apparmor-utils'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
ERROR=0
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is absent!" crit "$PACKAGE is absent!"
ERROR=1
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
fi fi
done done
if [ "$ERROR" = 0 ]; then
RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined") if [ -n "$RESULT_UNCONFINED" ]; then
ok "No profiles are unconfined"
if [ -n "$RESULT_UNCONFINED" ]; then else
ok "No profiles are unconfined" crit "Some processes are unconfined while they have defined profile"
fi
else
crit "Some processes are unconfined while they have defined profile"
fi fi
} }
@ -46,6 +49,7 @@ apply() {
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGES is absent!" crit "$PACKAGES is absent!"
apt_install "$PACKAGE"
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
fi fi

32
bin/hardening/1.7.1.4_enforcing_apparmor.sh
View File

@ -21,28 +21,31 @@ PACKAGES='apparmor apparmor-utils'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
ERROR=0
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is absent!" crit "$PACKAGE is absent!"
ERROR=1
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
fi fi
done done
if [ "$ERROR" = 0 ]; then
RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined" || true)
RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode." || true)
RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined") if [ -n "$RESULT_UNCONFINED" ]; then
RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode.") ok "No profiles are unconfined"
else
crit "Some processes are unconfined while they have defined profile"
fi
if [ -n "$RESULT_UNCONFINED" ]; then if [ -n "$RESULT_COMPLAIN" ]; then
ok "No profiles are unconfined" ok "No profiles are in complain mode"
else else
crit "Some processes are unconfined while they have defined profile" crit "Some processes are in complain mode"
fi fi
if [ -n "$RESULT_COMPLAIN" ]; then
ok "No profiles are in complain mode"
else
crit "Some processes are in complain mode"
fi fi
} }
@ -52,13 +55,14 @@ apply() {
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is absent!" crit "$PACKAGE is absent!"
apt_install "$PACKAGE"
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
fi fi
done done
RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined") RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined" || true)
RESULT_COMPLAIN=$(apparmor_status | grep "^0 profiles are in complain mode.") RESULT_COMPLAIN=$(apparmor_status | grep "^0 profiles are in complain mode." || true)
if [ -n "$RESULT_UNCONFINED" ]; then if [ -n "$RESULT_UNCONFINED" ]; then
ok "No profiles are unconfined" ok "No profiles are unconfined"

4
bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh
View File

@ -21,8 +21,8 @@ SERVICE_NAME="systemd-timesyncd"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_service_enabled "$SERVICE_NAME" status=$(systemctl is-enabled "$SERVICE_NAME")
if [ "$FNRET" = 0 ]; then if [ "$status" = "enabled" ]; then
ok "$SERVICE_NAME is enabled" ok "$SERVICE_NAME is enabled"
else else
crit "$SERVICE_NAME is disabled" crit "$SERVICE_NAME is disabled"

18
bin/hardening/2.2.1.3_configure_chrony.sh
View File

@ -25,17 +25,11 @@ CONF_FILE='/etc/chrony/chrony.conf'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_pkg_installed "$PACKAGE" does_pattern_exist_in_file "$CONF_FILE" "$CONF_DEFAULT_PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!" crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE"
else else
ok "$PACKAGE is installed, checking configuration" ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE"
does_pattern_exist_in_file "$CONF_FILE" "$CONF_DEFAULT_PATTERN"
if [ "$FNRET" != 0 ]; then
crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE"
else
ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE"
fi
fi fi
} }
@ -46,7 +40,11 @@ apply() {
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
warn "$PACKAGE is not installed, not handling configuration"
exit 2
fi
} }
# Source Root Dir Parameter # Source Root Dir Parameter

32
bin/hardening/2.2.1.4_configure_ntp.sh
View File

@ -20,30 +20,24 @@ DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters an
HARDENING_EXCEPTION=ntp HARDENING_EXCEPTION=ntp
PACKAGE='ntp' PACKAGE='ntp'
NTP_CONF_DEFAULT_PATTERN='^restrict -4 default (kod nomodify notrap nopeer noquery|ignore)' NTP_CONF_DEFAULT_PATTERN='^restrict -4 default (kod nomodify notrap nopeer noquery|kod notrap nomodify nopeer noquery|ignore)'
NTP_CONF_FILE='/etc/ntp.conf' NTP_CONF_FILE='/etc/ntp.conf'
NTP_INIT_PATTERN='RUNASUSER=ntp' NTP_INIT_PATTERN='RUNASUSER=ntp'
NTP_INIT_FILE='/etc/init.d/ntp' NTP_INIT_FILE='/etc/init.d/ntp'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_pkg_installed "$PACKAGE" does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!" crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
else else
ok "$PACKAGE is installed, checking configuration" ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN" fi
if [ "$FNRET" != 0 ]; then does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE" if [ "$FNRET" != 0 ]; then
else crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE"
ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE" else
fi ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
if [ "$FNRET" != 0 ]; then
crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE"
else
ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
fi
fi fi
} }
@ -77,7 +71,11 @@ apply() {
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
warn "$PACKAGE is not installed, not handling configuration"
exit 2
fi
} }
# Source Root Dir Parameter # Source Root Dir Parameter

53
bin/hardening/2.2.15_mta_localhost.sh
View File

@ -21,39 +21,50 @@ HARDENING_EXCEPTION=mail
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
info "Checking netport ports opened" is_pkg_installed net-tools
RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || : if [ "$FNRET" != 0 ]; then
RESULT=${RESULT:-} warn "netsat not installed, cannot execute check"
debug "Result is $RESULT" exit 2
if [ -z "$RESULT" ]; then
ok "Nothing listens on 25 port, probably unix socket configured"
else else
info "Checking $RESULT" info "Checking netport ports opened"
if grep -q "127.0.0.1" <<<"$RESULT"; then RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
ok "MTA is configured to localhost only" RESULT=${RESULT:-}
debug "Result is $RESULT"
if [ -z "$RESULT" ]; then
ok "Nothing listens on 25 port, probably unix socket configured"
else else
crit "MTA listens worldwide" info "Checking $RESULT"
if grep -q "127.0.0.1" <<<"$RESULT"; then
ok "MTA is configured to localhost only"
else
crit "MTA listens worldwide"
fi
fi fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
info "Checking netport ports opened" is_pkg_installed net-tools
RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || : if [ "$FNRET" != 0 ]; then
RESULT=${RESULT:-} warn "netsat not installed, cannot execute check"
debug "Result is $RESULT" exit 2
if [ -z "$RESULT" ]; then
ok "Nothing listens on 25 port, probably unix socket configured"
else else
info "Checking $RESULT" info "Checking netport ports opened"
if grep -q "127.0.0.1" <<<"$RESULT"; then RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
ok "MTA is configured to localhost only" RESULT=${RESULT:-}
debug "Result is $RESULT"
if [ -z "$RESULT" ]; then
ok "Nothing listens on 25 port, probably unix socket configured"
else else
warn "MTA listens worldwide, correct this considering your MTA" info "Checking $RESULT"
if grep -q "127.0.0.1" <<<"$RESULT"; then
ok "MTA is configured to localhost only"
else
warn "MTA listens worldwide, correct this considering your MTA"
fi
fi fi
fi fi
:
} }
# This function will check config parameters required # This function will check config parameters required

2
bin/hardening/3.4.2_disable_sctp.sh
View File

@ -28,7 +28,7 @@ audit() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!" ok "Container detected, consider host enforcing or disable this check!"
else else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!" crit "$MODULE_NAME is enabled!"
else else

6
bin/hardening/3.5.4.1.1_net_fw_default_policy_drop.sh
View File

@ -20,6 +20,8 @@ DESCRIPTION="Check iptables firewall default policy for DROP on INPUT and FORWAR
PACKAGE="iptables" PACKAGE="iptables"
FW_CHAINS="INPUT FORWARD" FW_CHAINS="INPUT FORWARD"
FW_POLICY="DROP" FW_POLICY="DROP"
FW_CMD="iptables"
FW_TIMEOUT="10"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
@ -27,9 +29,9 @@ audit() {
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!" crit "$PACKAGE is not installed!"
else else
ipt=$($SUDO_CMD "$PACKAGE" -nL 2>/dev/null || true) ipt=$($SUDO_CMD "$FW_CMD" -w "$FW_TIMEOUT" -nL 2>/dev/null || true)
if [[ -z "$ipt" ]]; then if [[ -z "$ipt" ]]; then
crit "Empty return from $PACKAGE command. Aborting..." crit "Empty return from $FW_CMD command. Aborting..."
return return
fi fi
for chain in $FW_CHAINS; do for chain in $FW_CHAINS; do

6
bin/hardening/4.1.1.3_audit_bootloader.sh
View File

@ -18,7 +18,7 @@ HARDENING_LEVEL=4
DESCRIPTION="Enable auditing for processes that start prior to auditd." DESCRIPTION="Enable auditing for processes that start prior to auditd."
FILE='/etc/default/grub' FILE='/etc/default/grub'
OPTIONS='GRUB_CMDLINE_LINUX="audit=1"' OPTIONS='GRUB_CMDLINE_LINUX=audit=1'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
@ -30,7 +30,7 @@ audit() {
for GRUB_OPTION in $OPTIONS; do for GRUB_OPTION in $OPTIONS; do
GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1) GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3) GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
PATTERN="^$GRUB_PARAM=$GRUB_VALUE" PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
debug "$GRUB_PARAM should be set to $GRUB_VALUE" debug "$GRUB_PARAM should be set to $GRUB_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
@ -55,7 +55,7 @@ apply() {
GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1) GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3) GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
debug "$GRUB_PARAM should be set to $GRUB_VALUE" debug "$GRUB_PARAM should be set to $GRUB_VALUE"
PATTERN="^$GRUB_PARAM=$GRUB_VALUE" PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"

6
bin/hardening/4.1.1.4_audit_backlog_limit.sh
View File

@ -18,7 +18,7 @@ HARDENING_LEVEL=4
DESCRIPTION="Configure audit_backlog_limit to be sufficient." DESCRIPTION="Configure audit_backlog_limit to be sufficient."
FILE='/etc/default/grub' FILE='/etc/default/grub'
OPTIONS='GRUB_CMDLINE_LINUX="audit_backlog_limit=8192"' OPTIONS='GRUB_CMDLINE_LINUX=audit_backlog_limit=8192'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
@ -30,7 +30,7 @@ audit() {
for GRUB_OPTION in $OPTIONS; do for GRUB_OPTION in $OPTIONS; do
GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1) GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3) GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
PATTERN="^$GRUB_PARAM=$GRUB_VALUE" PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
debug "$GRUB_PARAM should be set to $GRUB_VALUE" debug "$GRUB_PARAM should be set to $GRUB_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
@ -55,7 +55,7 @@ apply() {
GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1) GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3) GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
debug "$GRUB_PARAM should be set to $GRUB_VALUE" debug "$GRUB_PARAM should be set to $GRUB_VALUE"
PATTERN="^$GRUB_PARAM=$GRUB_VALUE" PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"

4
bin/hardening/4.1.11_record_privileged_commands.sh
View File

@ -17,9 +17,9 @@ HARDENING_LEVEL=4
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Collect use of privileged commands." DESCRIPTION="Collect use of privileged commands."
# Find all files with setuid or setgid set
SUDO_CMD='sudo -n' SUDO_CMD='sudo -n'
AUDIT_PARAMS=$($SUDO_CMD find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | # Find all files with setuid or setgid set
AUDIT_PARAMS=$($SUDO_CMD find / -xdev -ignore_readdir_race \( -perm -4000 -o -perm -2000 \) -type f |
awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }') awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }')
FILE='/etc/audit/audit.rules' FILE='/etc/audit/audit.rules'

33
bin/hardening/4.2.1.2_enable_syslog-ng.sh
View File

@ -17,29 +17,40 @@ HARDENING_LEVEL=3
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Ensure syslog-ng service is activated." DESCRIPTION="Ensure syslog-ng service is activated."
PACKAGE='syslog-ng'
SERVICE_NAME="syslog-ng" SERVICE_NAME="syslog-ng"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
info "Checking if $SERVICE_NAME is enabled" is_pkg_installed "$PACKAGE"
is_service_enabled "$SERVICE_NAME" if [ "$FNRET" != 0 ]; then
if [ "$FNRET" = 0 ]; then crit "$PACKAGE is not installed!"
ok "$SERVICE_NAME is enabled"
else else
crit "$SERVICE_NAME is disabled" info "Checking if $SERVICE_NAME is enabled"
is_service_enabled "$SERVICE_NAME"
if [ "$FNRET" = 0 ]; then
ok "$SERVICE_NAME is enabled"
else
crit "$SERVICE_NAME is disabled"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
info "Checking if $SERVICE_NAME is enabled" is_pkg_installed "$PACKAGE"
is_service_enabled "$SERVICE_NAME"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "Enabling $SERVICE_NAME" crit "$PACKAGE is not installed!"
update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1
else else
ok "$SERVICE_NAME is enabled" info "Checking if $SERVICE_NAME is enabled"
is_service_enabled "$SERVICE_NAME"
if [ "$FNRET" != 0 ]; then
info "Enabling $SERVICE_NAME"
update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1
else
ok "$SERVICE_NAME is enabled"
fi
fi fi
} }

135
bin/hardening/4.2.1.4_syslog_ng_logfiles_perm.sh
View File

@ -19,6 +19,7 @@ DESCRIPTION="Create and set permissions on syslog-ng logfiles."
# Note: this is not exacly the same check as the one described in CIS PDF # Note: this is not exacly the same check as the one described in CIS PDF
PACKAGE='syslog-ng'
PERMISSIONS='' PERMISSIONS=''
USER='' USER=''
GROUP='' GROUP=''
@ -26,14 +27,71 @@ EXCEPTIONS=''
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
FILES=$(grep "file(" "$SYSLOG_BASEDIR"/syslog-ng.conf | grep '"' | cut -d'"' -f 2) is_pkg_installed "$PACKAGE"
for FILE in $FILES; do if [ "$FNRET" != 0 ]; then
does_file_exist "$FILE" crit "$PACKAGE is not installed!"
if [ "$FNRET" != 0 ]; then else
warn "$FILE does not exist" FILES=$(grep "file(" "$SYSLOG_BASEDIR"/syslog-ng.conf | grep '"' | cut -d'"' -f 2)
else for FILE in $FILES; do
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist"
else
FOUND_EXC=0
if grep -q "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
debug "$FILE is found in exceptions"
debug "Setting special user:group:perm"
FOUND_EXC=1
local user_bak="$USER"
local group_bak="$GROUP"
local perm_bak="$PERMISSIONS"
USER="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)"
GROUP="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)"
PERMISSIONS="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership ($USER:$GROUP)"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions ($PERMISSIONS)"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
if [ "$FOUND_EXC" = 1 ]; then
debug "Resetting user:group:perm"
USER="$user_bak"
GROUP="$group_bak"
PERMISSIONS="$perm_bak"
fi
fi
done
fi
}
# This function will be called if the script status is on enabled mode
apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
for FILE in $FILES; do
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
filedir=$(dirname "${FILE#/var/log/}")
if [ ! "$filedir" = "." ] && [ ! -d /var/log/"$filedir" ]; then
debug "Creating /var/log/$filedir for $FILE"
debug "mkdir -p /var/log/$filedir"
mkdir -p /var/log/"$filedir"
fi
touch "$FILE"
fi
FOUND_EXC=0 FOUND_EXC=0
if grep -q "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then if grep "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
debug "$FILE is found in exceptions" debug "$FILE is found in exceptions"
debug "Setting special user:group:perm" debug "Setting special user:group:perm"
FOUND_EXC=1 FOUND_EXC=1
@ -46,15 +104,17 @@ audit() {
fi fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership ($USER:$GROUP)" ok "$FILE has correct ownership"
else else
crit "$FILE ownership was not set to $USER:$GROUP" warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi fi
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions ($PERMISSIONS)" ok "$FILE has correct permissions"
else else
crit "$FILE permissions were not set to $PERMISSIONS" info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi fi
if [ "$FOUND_EXC" = 1 ]; then if [ "$FOUND_EXC" = 1 ]; then
debug "Resetting user:group:perm" debug "Resetting user:group:perm"
@ -62,57 +122,8 @@ audit() {
GROUP="$group_bak" GROUP="$group_bak"
PERMISSIONS="$perm_bak" PERMISSIONS="$perm_bak"
fi fi
fi done
done fi
}
# This function will be called if the script status is on enabled mode
apply() {
for FILE in $FILES; do
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
filedir=$(dirname "${FILE#/var/log/}")
if [ ! "$filedir" = "." ] && [ ! -d /var/log/"$filedir" ]; then
debug "Creating /var/log/$filedir for $FILE"
debug "mkdir -p /var/log/$filedir"
mkdir -p /var/log/"$filedir"
fi
touch "$FILE"
fi
FOUND_EXC=0
if grep "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
debug "$FILE is found in exceptions"
debug "Setting special user:group:perm"
FOUND_EXC=1
local user_bak="$USER"
local group_bak="$GROUP"
local perm_bak="$PERMISSIONS"
USER="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)"
GROUP="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)"
PERMISSIONS="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
if [ "$FOUND_EXC" = 1 ]; then
debug "Resetting user:group:perm"
USER="$user_bak"
GROUP="$group_bak"
PERMISSIONS="$perm_bak"
fi
done
} }
# This function will create the config file for this check with default values # This function will create the config file for this check with default values

58
bin/hardening/4.2.1.5_syslog-ng_remote_host.sh
View File

@ -17,40 +17,52 @@ HARDENING_LEVEL=3
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Configure syslog-ng to send logs to a remote log host." DESCRIPTION="Configure syslog-ng to send logs to a remote log host."
PACKAGE='syslog-ng'
PATTERN='destination[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".' PATTERN='destination[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
FOUND=0 is_pkg_installed "$PACKAGE"
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)" if [ "$FNRET" != 0 ]; then
for FILE in $FILES; do crit "$PACKAGE is not installed!"
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
FOUND=1
fi
done
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
else else
crit "$PATTERN is not present in $FILES" FOUND=0
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
for FILE in $FILES; do
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
FOUND=1
fi
done
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
else
crit "$PATTERN is not present in $FILES"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
FOUND=0 is_pkg_installed "$PACKAGE"
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)" if [ "$FNRET" != 0 ]; then
for FILE in $FILES; do crit "$PACKAGE is not installed!"
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
FOUND=1
fi
done
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
else else
crit "$PATTERN is not present in $FILES, please set a remote host to send your logs" FOUND=0
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
for FILE in $FILES; do
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
FOUND=1
fi
done
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
else
crit "$PATTERN is not present in $FILES, please set a remote host to send your logs"
fi
fi fi
} }

98
bin/hardening/4.2.1.6_remote_syslog-ng_acl.sh
View File

@ -17,64 +17,74 @@ HARDENING_LEVEL=3
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Configure syslog to accept remote syslog messages only on designated log hosts." DESCRIPTION="Configure syslog to accept remote syslog messages only on designated log hosts."
PACKAGE='syslog-ng'
REMOTE_HOST="" REMOTE_HOST=""
PATTERN='source[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".' PATTERN='source[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
FOUND=0 is_pkg_installed "$PACKAGE"
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)" if [ "$FNRET" != 0 ]; then
for FILE in $FILES; do crit "$PACKAGE is not installed!"
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
FOUND=1
fi
done
if [[ "$REMOTE_HOST" ]]; then
info "This is the remote host, checking that it only accepts logs from specified zone"
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
else
crit "$PATTERN is not present in $FILES"
fi
else else
info "This is the not the remote host checking that it doesn't accept remote logs" FOUND=0
if [ "$FOUND" = 1 ]; then FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
crit "$PATTERN is present in $FILES" for FILE in $FILES; do
else does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
ok "$PATTERN is not present in $FILES" if [ "$FNRET" = 0 ]; then
fi FOUND=1
fi
done
if [[ "$REMOTE_HOST" ]]; then
info "This is the remote host, checking that it only accepts logs from specified zone"
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
else
crit "$PATTERN is not present in $FILES"
fi
else
info "This is the not the remote host checking that it doesn't accept remote logs"
if [ "$FOUND" = 1 ]; then
crit "$PATTERN is present in $FILES"
else
ok "$PATTERN is not present in $FILES"
fi
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
FOUND=0 is_pkg_installed "$PACKAGE"
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)" if [ "$FNRET" != 0 ]; then
for FILE in $FILES; do crit "$PACKAGE is not installed!"
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
FOUND=1
fi
done
if [[ "$REMOTE_HOST" ]]; then
info "This is the remote host, checking that it only accepts logs from specified zone"
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
else
crit "$PATTERN is not present in $FILES, setup the machine to receive the logs"
fi
else else
info "This is the not the remote host checking that it doesn't accept remote logs" FOUND=0
if [ "$FOUND" = 1 ]; then FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
warn "$PATTERN is present in $FILES, " for FILE in $FILES; do
else does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
ok "$PATTERN is not present in $FILES" if [ "$FNRET" = 0 ]; then
fi FOUND=1
fi
done
if [[ "$REMOTE_HOST" ]]; then
info "This is the remote host, checking that it only accepts logs from specified zone"
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
else
crit "$PATTERN is not present in $FILES, setup the machine to receive the logs"
fi
else
info "This is the not the remote host checking that it doesn't accept remote logs"
if [ "$FOUND" = 1 ]; then
warn "$PATTERN is present in $FILES, "
else
ok "$PATTERN is not present in $FILES"
fi
fi
fi fi
} }

50
bin/hardening/5.1.2_crontab_perm_ownership.sh
View File

@ -27,18 +27,19 @@ audit() {
does_file_exist "$FILE" does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else else
crit "$FILE ownership was not set to $USER:$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
fi if [ "$FNRET" = 0 ]; then
has_file_correct_permissions "$FILE" "$PERMISSIONS" ok "$FILE has correct ownership"
if [ "$FNRET" = 0 ]; then else
ok "$FILE has correct permissions" crit "$FILE ownership was not set to $USER:$GROUP"
else fi
crit "$FILE permissions were not set to $PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
fi fi
} }
@ -48,20 +49,21 @@ apply() {
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "$FILE does not exist" info "$FILE does not exist"
touch "$FILE" touch "$FILE"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else else
warn "fixing $FILE ownership to $USER:$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
chown "$USER":"$GROUP" "$FILE" if [ "$FNRET" = 0 ]; then
fi ok "$FILE has correct ownership"
has_file_correct_permissions "$FILE" "$PERMISSIONS" else
if [ "$FNRET" = 0 ]; then warn "fixing $FILE ownership to $USER:$GROUP"
ok "$FILE has correct permissions" chown "$USER":"$GROUP" "$FILE"
else fi
info "fixing $FILE permissions to $PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE" if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
fi fi
} }

50
bin/hardening/5.1.3_cron_hourly_perm_ownership.sh
View File

@ -27,18 +27,19 @@ audit() {
does_file_exist "$FILE" does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else else
crit "$FILE ownership was not set to $USER:$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
fi if [ "$FNRET" = 0 ]; then
has_file_correct_permissions "$FILE" "$PERMISSIONS" ok "$FILE has correct ownership"
if [ "$FNRET" = 0 ]; then else
ok "$FILE has correct permissions" crit "$FILE ownership was not set to $USER:$GROUP"
else fi
crit "$FILE permissions were not set to $PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
fi fi
} }
@ -48,20 +49,21 @@ apply() {
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "$FILE does not exist" info "$FILE does not exist"
touch "$FILE" touch "$FILE"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else else
warn "fixing $FILE ownership to $USER:$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
chown "$USER":"$GROUP" "$FILE" if [ "$FNRET" = 0 ]; then
fi ok "$FILE has correct ownership"
has_file_correct_permissions "$FILE" "$PERMISSIONS" else
if [ "$FNRET" = 0 ]; then warn "fixing $FILE ownership to $USER:$GROUP"
ok "$FILE has correct permissions" chown "$USER":"$GROUP" "$FILE"
else fi
info "fixing $FILE permissions to $PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE" if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
fi fi
} }

50
bin/hardening/5.1.4_cron_daily_perm_ownership.sh
View File

@ -27,18 +27,19 @@ audit() {
does_file_exist "$FILE" does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else else
crit "$FILE ownership was not set to $USER:$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
fi if [ "$FNRET" = 0 ]; then
has_file_correct_permissions "$FILE" "$PERMISSIONS" ok "$FILE has correct ownership"
if [ "$FNRET" = 0 ]; then else
ok "$FILE has correct permissions" crit "$FILE ownership was not set to $USER:$GROUP"
else fi
crit "$FILE permissions were not set to $PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
fi fi
} }
@ -48,20 +49,21 @@ apply() {
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "$FILE does not exist" info "$FILE does not exist"
touch "$FILE" touch "$FILE"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else else
warn "fixing $FILE ownership to $USER:$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
chown "$USER":"$GROUP" "$FILE" if [ "$FNRET" = 0 ]; then
fi ok "$FILE has correct ownership"
has_file_correct_permissions "$FILE" "$PERMISSIONS" else
if [ "$FNRET" = 0 ]; then warn "fixing $FILE ownership to $USER:$GROUP"
ok "$FILE has correct permissions" chown "$USER":"$GROUP" "$FILE"
else fi
info "fixing $FILE permissions to $PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE" if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
fi fi
} }

50
bin/hardening/5.1.5_cron_weekly_perm_ownership.sh
View File

@ -27,18 +27,19 @@ audit() {
does_file_exist "$FILE" does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else else
crit "$FILE ownership was not set to $USER:$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
fi if [ "$FNRET" = 0 ]; then
has_file_correct_permissions "$FILE" "$PERMISSIONS" ok "$FILE has correct ownership"
if [ "$FNRET" = 0 ]; then else
ok "$FILE has correct permissions" crit "$FILE ownership was not set to $USER:$GROUP"
else fi
crit "$FILE permissions were not set to $PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
fi fi
} }
@ -48,20 +49,21 @@ apply() {
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "$FILE does not exist" info "$FILE does not exist"
touch "$FILE" touch "$FILE"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else else
warn "fixing $FILE ownership to $USER:$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
chown "$USER":"$GROUP" "$FILE" if [ "$FNRET" = 0 ]; then
fi ok "$FILE has correct ownership"
has_file_correct_permissions "$FILE" "$PERMISSIONS" else
if [ "$FNRET" = 0 ]; then warn "fixing $FILE ownership to $USER:$GROUP"
ok "$FILE has correct permissions" chown "$USER":"$GROUP" "$FILE"
else fi
info "fixing $FILE permissions to $PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE" if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
fi fi
} }

50
bin/hardening/5.1.6_cron_monthly_perm_ownership.sh
View File

@ -27,18 +27,19 @@ audit() {
does_file_exist "$FILE" does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else else
crit "$FILE ownership was not set to $USER:$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
fi if [ "$FNRET" = 0 ]; then
has_file_correct_permissions "$FILE" "$PERMISSIONS" ok "$FILE has correct ownership"
if [ "$FNRET" = 0 ]; then else
ok "$FILE has correct permissions" crit "$FILE ownership was not set to $USER:$GROUP"
else fi
crit "$FILE permissions were not set to $PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
fi fi
} }
@ -48,20 +49,21 @@ apply() {
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "$FILE does not exist" info "$FILE does not exist"
touch "$FILE" touch "$FILE"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else else
warn "fixing $FILE ownership to $USER:$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
chown "$USER":"$GROUP" "$FILE" if [ "$FNRET" = 0 ]; then
fi ok "$FILE has correct ownership"
has_file_correct_permissions "$FILE" "$PERMISSIONS" else
if [ "$FNRET" = 0 ]; then warn "fixing $FILE ownership to $USER:$GROUP"
ok "$FILE has correct permissions" chown "$USER":"$GROUP" "$FILE"
else fi
info "fixing $FILE permissions to $PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE" if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
fi fi
} }

6
bin/hardening/5.2.10_disable_root_login.sh
View File

@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^$SSH_PARAM" does_pattern_exist_in_file_nocase "$FILE" "^$SSH_PARAM"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else else

6
bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh
View File

@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else else

6
bin/hardening/5.2.12_disable_sshd_setenv.sh
View File

@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else else

6
bin/hardening/5.2.13_sshd_ciphers.sh
View File

@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else else

6
bin/hardening/5.2.16_sshd_idle_timeout.sh
View File

@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else else

6
bin/hardening/5.2.17_sshd_login_grace_time.sh
View File

@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file_nocase $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else else

6
bin/hardening/5.2.18_sshd_limit_access.sh
View File

@ -34,7 +34,7 @@ audit() {
# shellcheck disable=SC2001 # shellcheck disable=SC2001
SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE") SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE")
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -59,12 +59,12 @@ apply() {
# shellcheck disable=SC2001 # shellcheck disable=SC2001
SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE") SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE")
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else else

63
bin/hardening/5.2.1_sshd_conf_perm_ownership.sh
View File

@ -17,6 +17,7 @@ HARDENING_LEVEL=1
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Checking permissions and ownership to root 600 for sshd_config." DESCRIPTION="Checking permissions and ownership to root 600 for sshd_config."
PACKAGE='openssh-server'
FILE='/etc/ssh/sshd_config' FILE='/etc/ssh/sshd_config'
PERMISSIONS='600' PERMISSIONS='600'
USER='root' USER='root'
@ -24,40 +25,50 @@ GROUP='root'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
has_file_correct_ownership "$FILE" "$USER" "$GROUP" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" != 0 ]; then
ok "$FILE has correct ownership" ok "$PACKAGE is not installed!"
else else
crit "$FILE ownership was not set to $USER:$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
fi if [ "$FNRET" = 0 ]; then
has_file_correct_permissions "$FILE" "$PERMISSIONS" ok "$FILE has correct ownership"
if [ "$FNRET" = 0 ]; then else
ok "$FILE has correct permissions" crit "$FILE ownership was not set to $USER:$GROUP"
else fi
crit "$FILE permissions were not set to $PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
does_file_exist "$FILE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "$FILE does not exist" ok "$PACKAGE is not installed"
touch "$FILE"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else else
warn "fixing $FILE ownership to $USER:$GROUP" does_file_exist "$FILE"
chown "$USER":"$GROUP" "$FILE" if [ "$FNRET" != 0 ]; then
fi info "$FILE does not exist"
has_file_correct_permissions "$FILE" "$PERMISSIONS" touch "$FILE"
if [ "$FNRET" = 0 ]; then fi
ok "$FILE has correct permissions" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
else if [ "$FNRET" = 0 ]; then
info "fixing $FILE permissions to $PERMISSIONS" ok "$FILE has correct ownership"
chmod 0"$PERMISSIONS" "$FILE" else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
fi fi
} }

6
bin/hardening/5.2.20_enable_ssh_pam.sh
View File

@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file_nocase $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else else

6
bin/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh
View File

@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file_nocase $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else else

6
bin/hardening/5.2.22_configure_ssh_max_startups.sh
View File

@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file_nocase $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else else

27
bin/hardening/5.2.23_limit_ssh_max_sessions.sh
View File

@ -32,11 +32,21 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file_nocase $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
crit "$PATTERN is not present in $FILE" does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in $FILE"
else
VALUE=$($SUDO_CMD grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
if [ "$VALUE" -gt "$SSH_VALUE" ]; then
crit "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM"
else
ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
fi
fi
fi fi
done done
fi fi
@ -55,17 +65,22 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" VALUE=$(grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" if [ "$VALUE" -gt "$SSH_VALUE" ]; then
warn "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM, replacing it"
replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
else
ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
fi
fi fi
/etc/init.d/ssh reload /etc/init.d/ssh reload
fi fi

6
bin/hardening/5.2.4_sshd_protocol.sh
View File

@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else else

2
bin/hardening/5.2.5_sshd_loglevel.sh
View File

@ -61,7 +61,7 @@ apply() {
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else else

4
bin/hardening/5.2.6_disable_x11_forwarding.sh
View File

@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else else

29
bin/hardening/5.2.7_sshd_maxauthtries.sh
View File

@ -32,11 +32,21 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
crit "$PATTERN is not present in $FILE" does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in $FILE"
else
VALUE=$($SUDO_CMD grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
if [ "$VALUE" -gt "$SSH_VALUE" ]; then
crit "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM"
else
ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
fi
fi
fi fi
done done
fi fi
@ -55,17 +65,22 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" VALUE=$(grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" if [ "$VALUE" -gt "$SSH_VALUE" ]; then
warn "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM, replacing it"
replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
else
ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
fi
fi fi
/etc/init.d/ssh reload /etc/init.d/ssh reload
fi fi

6
bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh
View File

@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else else

6
bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh
View File

@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else else

11
bin/hardening/5.4.5_default_timeout.sh
View File

@ -31,7 +31,7 @@ audit() {
debug "$FILE_SEARCHED is a directory" debug "$FILE_SEARCHED is a directory"
# shellcheck disable=2044 # shellcheck disable=2044
for file_in_dir in $(find "$FILE_SEARCHED" -type f); do for file_in_dir in $(find "$FILE_SEARCHED" -type f); do
does_pattern_exist_in_file "$file_in_dir" "^$PATTERN" does_pattern_exist_in_file "$file_in_dir" "$PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir" debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
else else
@ -41,7 +41,7 @@ audit() {
fi fi
done done
else else
does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN" does_pattern_exist_in_file "$FILE_SEARCHED" "$PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED" debug "$PATTERN is not present in $FILE_SEARCHED"
else else
@ -64,7 +64,7 @@ apply() {
debug "$FILE_SEARCHED is a directory" debug "$FILE_SEARCHED is a directory"
# shellcheck disable=2044 # shellcheck disable=2044
for file_in_dir in $(find "$FILE_SEARCHED" -type f); do for file_in_dir in $(find "$FILE_SEARCHED" -type f); do
does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN" does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "$PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir" debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
else else
@ -74,7 +74,7 @@ apply() {
fi fi
done done
else else
does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN" does_pattern_exist_in_file "$FILE_SEARCHED" "$PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED" debug "$PATTERN is not present in $FILE_SEARCHED"
else else
@ -87,8 +87,7 @@ apply() {
warn "$PATTERN is not present in $FILES_TO_SEARCH" warn "$PATTERN is not present in $FILES_TO_SEARCH"
touch "$FILE" touch "$FILE"
chmod 644 "$FILE" chmod 644 "$FILE"
add_end_of_file "$FILE" "$PATTERN$VALUE" add_end_of_file "$FILE" "readonly $PATTERN$VALUE"
add_end_of_file "$FILE" "readonly TMOUT"
add_end_of_file "$FILE" "export TMOUT" add_end_of_file "$FILE" "export TMOUT"
else else
ok "$PATTERN is present in $FILES_TO_SEARCH" ok "$PATTERN is present in $FILES_TO_SEARCH"

23
bin/hardening/6.1.10_find_world_writable_file.sh
View File

@ -17,12 +17,21 @@ HARDENING_LEVEL=3
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Ensure no world writable files exist" DESCRIPTION="Ensure no world writable files exist"
EXCLUDED=''
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
info "Checking if there are world writable files" info "Checking if there are world writable files"
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}') FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
# shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null) if [ -n "$EXCLUDED" ]; then
# shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
else
# shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -0002 -print 2>/dev/null)
fi
if [ -n "$RESULT" ]; then if [ -n "$RESULT" ]; then
crit "Some world writable files are present" crit "Some world writable files are present"
# shellcheck disable=SC2001 # shellcheck disable=SC2001
@ -35,10 +44,16 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null) if [ -n "$EXCLUDED" ]; then
# shellcheck disable=SC2086
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
else
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -print 2>/dev/null)
fi
if [ -n "$RESULT" ]; then if [ -n "$RESULT" ]; then
warn "chmoding o-w all files in the system" warn "chmoding o-w all files in the system"
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null | xargs chmod o-w df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -print 2>/dev/null | xargs chmod o-w
else else
ok "No world writable files found, nothing to apply" ok "No world writable files found, nothing to apply"
fi fi

11
bin/hardening/6.1.11_find_unowned_files.sh
View File

@ -26,10 +26,10 @@ audit() {
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}') FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
if [ -n "$EXCLUDED" ]; then if [ -n "$EXCLUDED" ]; then
# shellcheck disable=SC2086 # shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null) RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nouser -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
else else
# shellcheck disable=SC2086 # shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -print 2>/dev/null) RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nouser -print 2>/dev/null)
fi fi
if [ -n "$RESULT" ]; then if [ -n "$RESULT" ]; then
crit "Some unowned files are present" crit "Some unowned files are present"
@ -44,13 +44,14 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
if [ -n "$EXCLUDED" ]; then if [ -n "$EXCLUDED" ]; then
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null) # shellcheck disable=SC2086
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -regextype 'egrep' ! -regex $EXCLUDED -ls 2>/dev/null)
else else
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null) RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -ls 2>/dev/null)
fi fi
if [ -n "$RESULT" ]; then if [ -n "$RESULT" ]; then
warn "Applying chown on all unowned files in the system" warn "Applying chown on all unowned files in the system"
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown "$USER" df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -print 2>/dev/null | xargs chown "$USER"
else else
ok "No unowned files found, nothing to apply" ok "No unowned files found, nothing to apply"
fi fi

11
bin/hardening/6.1.12_find_ungrouped_files.sh
View File

@ -26,10 +26,10 @@ audit() {
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}') FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
if [ -n "$EXCLUDED" ]; then if [ -n "$EXCLUDED" ]; then
# shellcheck disable=SC2086 # shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null) RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
else else
# shellcheck disable=SC2086 # shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null) RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nogroup -print 2>/dev/null)
fi fi
if [ -n "$RESULT" ]; then if [ -n "$RESULT" ]; then
crit "Some ungrouped files are present" crit "Some ungrouped files are present"
@ -44,13 +44,14 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
if [ -n "$EXCLUDED" ]; then if [ -n "$EXCLUDED" ]; then
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null) # shellcheck disable=SC2086
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex $EXCLUDED -ls 2>/dev/null)
else else
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null) RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -ls 2>/dev/null)
fi fi
if [ -n "$RESULT" ]; then if [ -n "$RESULT" ]; then
warn "Applying chgrp on all ungrouped files in the system" warn "Applying chgrp on all ungrouped files in the system"
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp "$GROUP" df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -print 2>/dev/null | xargs chgrp "$GROUP"
else else
ok "No ungrouped files found, nothing to apply" ok "No ungrouped files found, nothing to apply"
fi fi

4
bin/hardening/6.1.13_find_suid_files.sh
View File

@ -24,9 +24,9 @@ audit() {
FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }') FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
# shellcheck disable=2086 # shellcheck disable=2086
if [ -n "$IGNORED_PATH" ]; then if [ -n "$IGNORED_PATH" ]; then
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print) FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -4000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
else else
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print) FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -4000 -print)
fi fi
BAD_BINARIES="" BAD_BINARIES=""
for BINARY in $FOUND_BINARIES; do for BINARY in $FOUND_BINARIES; do

4
bin/hardening/6.1.14_find_sgid_files.sh
View File

@ -24,9 +24,9 @@ audit() {
FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }') FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
# shellcheck disable=2086 # shellcheck disable=2086
if [ -n "$IGNORED_PATH" ]; then if [ -n "$IGNORED_PATH" ]; then
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print) FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -2000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
else else
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print) FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -2000 -print)
fi fi
BAD_BINARIES="" BAD_BINARIES=""
for BINARY in $FOUND_BINARIES; do for BINARY in $FOUND_BINARIES; do

54
bin/hardening/6.1.3_etc_gshadow-_permissions.sh
View File

@ -25,35 +25,45 @@ GROUPSOK='root shadow'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
has_file_correct_permissions "$FILE" "$PERMISSIONS" does_file_exist "$FILE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" != 0 ]; then
ok "$FILE has correct permissions" ok "$FILE does not exist"
else else
crit "$FILE permissions were not set to $PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
fi if [ "$FNRET" = 0 ]; then
has_file_one_of_ownership "$FILE" "$USER" "$GROUPSOK" ok "$FILE has correct permissions"
if [ "$FNRET" = 0 ]; then else
ok "$FILE has correct ownership" crit "$FILE permissions were not set to $PERMISSIONS"
else fi
crit "$FILE ownership was not set to $USER:$GROUPSOK" has_file_one_of_ownership "$FILE" "$USER" "$GROUPSOK"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUPSOK"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
has_file_correct_permissions "$FILE" "$PERMISSIONS" does_file_exist "$FILE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" != 0 ]; then
ok "$FILE has correct permissions" ok "$FILE does not exist"
else else
info "fixing $FILE permissions to $PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE" if [ "$FNRET" = 0 ]; then
fi ok "$FILE has correct permissions"
has_file_one_of_ownership "$FILE" "$USER" "$GROUPSOK" else
if [ "$FNRET" = 0 ]; then info "fixing $FILE permissions to $PERMISSIONS"
ok "$FILE has correct ownership" chmod 0"$PERMISSIONS" "$FILE"
else fi
info "fixing $FILE ownership to $USER:$GROUP" has_file_one_of_ownership "$FILE" "$USER" "$GROUPSOK"
chown "$USER":"$GROUP" "$FILE" if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
info "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
fi fi
} }

55
bin/hardening/6.1.6_etc_passwd-_permissions.sh
View File

@ -19,40 +19,51 @@ DESCRIPTION="Check 600 permissions and root:root ownership on /etc/passwd-"
FILE='/etc/passwd-' FILE='/etc/passwd-'
PERMISSIONS='600' PERMISSIONS='600'
PERMISSIONSOK='644 640 600'
USER='root' USER='root'
GROUP='root' GROUP='root'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
has_file_correct_permissions "$FILE" "$PERMISSIONS" does_file_exist "$FILE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" != 0 ]; then
ok "$FILE has correct permissions" ok "$FILE does not exist"
else else
crit "$FILE permissions were not set to $PERMISSIONS" has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
fi if [ "$FNRET" = 0 ]; then
has_file_correct_ownership "$FILE" "$USER" "$GROUP" ok "$FILE has correct permissions"
if [ "$FNRET" = 0 ]; then else
ok "$FILE has correct ownership" crit "$FILE permissions were not set to $PERMISSIONS"
else fi
crit "$FILE ownership was not set to $USER:$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
has_file_correct_permissions "$FILE" "$PERMISSIONS" does_file_exist "$FILE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" != 0 ]; then
ok "$FILE has correct permissions" ok "$FILE does not exist"
else else
info "fixing $FILE permissions to $PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE" if [ "$FNRET" = 0 ]; then
fi ok "$FILE has correct permissions"
has_file_correct_ownership "$FILE" "$USER" "$GROUP" else
if [ "$FNRET" = 0 ]; then info "fixing $FILE permissions to $PERMISSIONS"
ok "$FILE has correct ownership" chmod 0"$PERMISSIONS" "$FILE"
else fi
info "fixing $FILE ownership to $USER:$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
chown "$USER":"$GROUP" "$FILE" if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
info "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
fi fi
} }

55
bin/hardening/6.1.7_etc_shadow-_permissions.sh
View File

@ -19,40 +19,51 @@ DESCRIPTION="Check 600 permissions and root:shadow ownership on /etc/shadow-"
FILE='/etc/shadow-' FILE='/etc/shadow-'
PERMISSIONS='600' PERMISSIONS='600'
PERMISSIONSOK='640 600'
USER='root' USER='root'
GROUP='shadow' GROUP='shadow'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
has_file_correct_permissions "$FILE" "$PERMISSIONS" does_file_exist "$FILE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" != 0 ]; then
ok "$FILE has correct permissions" ok "$FILE does not exist"
else else
crit "$FILE permissions were not set to $PERMISSIONS" has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
fi if [ "$FNRET" = 0 ]; then
has_file_correct_ownership "$FILE" "$USER" "$GROUP" ok "$FILE has correct permissions"
if [ "$FNRET" = 0 ]; then else
ok "$FILE has correct ownership" crit "$FILE permissions were not set to $PERMISSIONS"
else fi
crit "$FILE ownership was not set to $USER:$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
has_file_correct_permissions "$FILE" "$PERMISSIONS" does_file_exist "$FILE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" != 0 ]; then
ok "$FILE has correct permissions" ok "$FILE does not exist"
else else
info "fixing $FILE permissions to $PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE" if [ "$FNRET" = 0 ]; then
fi ok "$FILE has correct permissions"
has_file_correct_ownership "$FILE" "$USER" "$GROUP" else
if [ "$FNRET" = 0 ]; then info "fixing $FILE permissions to $PERMISSIONS"
ok "$FILE has correct ownership" chmod 0"$PERMISSIONS" "$FILE"
else fi
info "fixing $FILE ownership to $USER:$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
chown "$USER":"$GROUP" "$FILE" if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
info "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
fi fi
} }

55
bin/hardening/6.1.8_etc_group-_permissions.sh
View File

@ -19,40 +19,51 @@ DESCRIPTION="Check 600 permissions and root:root ownership on /etc/group-"
FILE='/etc/group-' FILE='/etc/group-'
PERMISSIONS='600' PERMISSIONS='600'
PERMISSIONSOK='644 640 600'
USER='root' USER='root'
GROUP='root' GROUP='root'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
has_file_correct_permissions "$FILE" "$PERMISSIONS" does_file_exist "$FILE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" != 0 ]; then
ok "$FILE has correct permissions" ok "$FILE does not exist"
else else
crit "$FILE permissions were not set to $PERMISSIONS" has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
fi if [ "$FNRET" = 0 ]; then
has_file_correct_ownership "$FILE" "$USER" "$GROUP" ok "$FILE has correct permissions"
if [ "$FNRET" = 0 ]; then else
ok "$FILE has correct ownership" crit "$FILE permissions were not set to $PERMISSIONS"
else fi
crit "$FILE ownership was not set to $USER:$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
has_file_correct_permissions "$FILE" "$PERMISSIONS" does_file_exist "$FILE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" != 0 ]; then
ok "$FILE has correct permissions" ok "$FILE does not exist"
else else
info "fixing $FILE permissions to $PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE" if [ "$FNRET" = 0 ]; then
fi ok "$FILE has correct permissions"
has_file_correct_ownership "$FILE" "$USER" "$GROUP" else
if [ "$FNRET" = 0 ]; then info "fixing $FILE permissions to $PERMISSIONS"
ok "$FILE has correct ownership" chmod 0"$PERMISSIONS" "$FILE"
else fi
info "fixing $FILE ownership to $USER:$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
chown "$USER":"$GROUP" "$FILE" if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
info "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
fi fi
} }

34
bin/hardening/99.3.3.4_hosts_allow_permissions.sh
View File

@ -24,22 +24,36 @@ GROUP='root'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
has_file_correct_permissions "$FILE" "$PERMISSIONS" does_file_exist "$FILE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" != 0 ]; then
ok "$FILE has correct permissions" crit "$FILE does not exist"
else else
crit "$FILE permissions were not set to $PERMISSIONS" ok "$FILE exist"
fi has_file_correct_permissions "$FILE" "$PERMISSIONS"
has_file_correct_ownership "$FILE" "$USER" "$GROUP" if [ "$FNRET" = 0 ]; then
if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions"
ok "$FILE has correct ownership" else
else crit "$FILE permissions were not set to $PERMISSIONS"
crit "$FILE ownership was not set to $USER:$GROUP" fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist"
touch "$FILE"
warn "You may want to fill it with allowed networks"
else
ok "$FILE exist"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"

34
bin/hardening/99.3.3.5_hosts_deny_permissions.sh
View File

@ -24,22 +24,36 @@ GROUP='root'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
has_file_correct_permissions "$FILE" "$PERMISSIONS" does_file_exist "$FILE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" != 0 ]; then
ok "$FILE has correct permissions" crit "$FILE does not exist"
else else
crit "$FILE permissions were not set to $PERMISSIONS" ok "$FILE exist"
fi has_file_correct_permissions "$FILE" "$PERMISSIONS"
has_file_correct_ownership "$FILE" "$USER" "$GROUP" if [ "$FNRET" = 0 ]; then
if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions"
ok "$FILE has correct ownership" else
else crit "$FILE permissions were not set to $PERMISSIONS"
crit "$FILE ownership was not set to $USER:$GROUP" fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist"
touch "$FILE"
warn "You may want to fill it with allowed networks"
else
ok "$FILE exist"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"

1
bin/hardening/99.5.4.5.1_acc_logindefs_sha512.sh
View File

@ -49,7 +49,6 @@ apply() {
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file "$CONF_FILE" "^$(echo "$CONF_LINE" | cut -d ' ' -f1)[[:space:]]*.*" "$CONF_LINE" replace_in_file "$CONF_FILE" "^$(echo "$CONF_LINE" | cut -d ' ' -f1)[[:space:]]*.*" "$CONF_LINE"
fi fi
/etc/init.d/ssh reload >/dev/null 2>&1
fi fi
} }

2
bin/hardening/99.5.4.5.2_acc_shadow_sha512.sh
View File

@ -37,7 +37,7 @@ audit() {
pw_found+="$user " pw_found+="$user "
ok "User $user has a disabled password." ok "User $user has a disabled password."
# Check password against $6$<salt>$<encrypted>, see `man 3 crypt` # Check password against $6$<salt>$<encrypted>, see `man 3 crypt`
elif [[ $passwd =~ ^\$6\$[a-zA-Z0-9./]{2,16}\$[a-zA-Z0-9./]{86}$ ]]; then elif [[ $passwd =~ ^\$6(\$rounds=[0-9]+)?\$[a-zA-Z0-9./]{2,16}\$[a-zA-Z0-9./]{86}$ ]]; then
pw_found+="$user " pw_found+="$user "
ok "User $user has suitable SHA512 hashed password." ok "User $user has suitable SHA512 hashed password."
else else

4
cisharden.sudoers
View File

@ -20,6 +20,10 @@ Cmnd_Alias SCL_CMD = /bin/grep ,\
/sbin/sysctl -a,\ /sbin/sysctl -a,\
/bin/dmesg "",\ /bin/dmesg "",\
/bin/netstat,\ /bin/netstat,\
/usr/sbin/lsmod,\
/sbin/lsmod,\
/sbin/modprobe,\
/usr/sbin/modprobe -n -v*,\
/usr/sbin/apparmor_status /usr/sbin/apparmor_status
cisharden ALL = (root) NOPASSWD: SCL_CMD cisharden ALL = (root) NOPASSWD: SCL_CMD

87
debian/changelog vendored
View File

@ -1,3 +1,90 @@
cis-hardening (3.5-1) unstable; urgency=medium
* fix: add 10s wait timeout on iptables command (#151)
-- Tarik Megzari <tarik.megzari@corp.ovh.com> Wed, 23 Mar 2022 17:28:08 +0100
cis-hardening (3.4-1) unstable; urgency=medium
* fix: allow passwd-, group- and shadow- debian default permissions (#149)
-- Thibault Dewailly <thibault.dewailly@ovhcloud.com> Fri, 18 Mar 2022 15:43:24 +0000
cis-hardening (3.3-1) unstable; urgency=medium
* fix: missing shadowtools backup files is ok (#132)
* feat: Dissociate iptables pkg name from command (#137)
* fix: Catch unexpected failures (#140)
* fix: Avoid find failures on too many files (#144)
-- Tarik Megzari <tarik.megzari@corp.ovh.com> Wed, 02 Mar 2022 13:25:33 +0100
cis-hardening (3.2-2) unstable; urgency=medium
* Fix empty fstab test
-- Tarik Megzari <tarik.megzari@corp.ovh.com> Wed, 08 Dec 2021 13:59:49 +0100
cis-hardening (3.2-1) unstable; urgency=medium
- Skip NTP and Chrony config check if they are not installed (#120)
- Fix 3.4.2 audit rule (#123)
- Fix grub detection (#119)
- Allow grub.cfg permission to be 600 (#121)
- Honor --set-log-level parameter (#127)
- fix: kernel module detection (#129)
- Add silent mode and json summary (#128)
- FIX(1.7.1.4): don't abort script in case of unconfined processes (#130)
- FIX(2.2.1.4): Validate debian default ntp config (#118)
- 99.5.4.5.2: fix bug where sha512 option rounds provoke KO (#112)
- Fix 5.4.5 pattern search (#108)
-- Thibault Dewailly <thibault.dewailly@ovhcloud.com> Wed, 01 Dec 2021 10:56:47 +0000
cis-hardening (3.1-6) unstable; urgency=medium
* Improve EXCEPTIONS management (1.1.21,6.1.10)
* Fix bug linked with regex quoting (6.1.10-11-12-13-14)
-- Thibault Ayanides <thibault.ayanides@ovhcloud.com> Wed, 02 Jun 2021 09:45:40 +0200
cis-hardening (3.1-5) unstable; urgency=medium
* Fix unbound EXCEPTIONS variable in some cases
-- Thibault Ayanides <thibault.ayanides@ovhcloud.com> Fri, 28 May 2021 15:02:34 +0200
cis-hardening (3.1-4) unstable; urgency=medium
* Add test to check stderr is empty
* Fix 2.2.1.2 audit and apply
* Accept lower values as valid 5.2.7 and 5.2.23
* Add dir exceptions in 1.1.21 and 6.1.10
-- Thibault Ayanides <thibault.ayanides@ovhcloud.com> Thu, 06 May 2021 10:07:22 +0200
cis-hardening (3.1-3) unstable; urgency=medium
* Fix 4.1.11 permissions
-- Thibault Ayanides <thibault.ayanides@ovhcloud.com> Mon, 12 Apr 2021 12:17:16 +0200
cis-hardening (3.1-2) unstable; urgency=medium
* Fix case for sshd pattern searching
-- Thibault Ayanides <thibault.ayanides@ovhcloud.com> Fri, 02 Apr 2021 09:16:16 +0200
cis-hardening (3.1-1) unstable; urgency=medium
* Various mispeling fixes
* Fix div function that causes a display bug when runnin test with --only
* Fix 4.1.1.4 bad pattern bug
* Fix 5.4.2.2
* Various verification that package is installed or file exist before running check (openssh, apparmor, crontab)
-- Thibault Ayanides <thibault.ayanides@ovhcloud.com> Thu, 25 Mar 2021 14:59:49 +0100
cis-hardening (3.1-0) unstable; urgency=medium cis-hardening (3.1-0) unstable; urgency=medium
* Add missing HARDENING_LEVEL var for some checks * Add missing HARDENING_LEVEL var for some checks

21
lib/common.sh
View File

@ -25,6 +25,9 @@ backup_file() {
# #
case $LOGLEVEL in case $LOGLEVEL in
silent)
MACHINE_LOG_LEVEL=0
;;
error) error)
MACHINE_LOG_LEVEL=1 MACHINE_LOG_LEVEL=1
;; ;;
@ -100,6 +103,20 @@ debug() {
if [ "$MACHINE_LOG_LEVEL" -ge 5 ]; then _logger "$GRAY" "[DBG ] $*"; fi if [ "$MACHINE_LOG_LEVEL" -ge 5 ]; then _logger "$GRAY" "[DBG ] $*"; fi
} }
exception() {
# Trap exit code is the same as the trapped one unless we call an explicit exit
TRAP_CODE=$?
if [ "$ACTIONS_DONE" -ne 1 ]; then
if [ "$BATCH_MODE" -eq 1 ]; then
BATCH_OUTPUT="KO $SCRIPT_NAME $BATCH_OUTPUT KO{Unexpected exit code: $TRAP_CODE}"
becho "$BATCH_OUTPUT"
else
crit "Check failed with unexpected exit code: $TRAP_CODE"
fi
exit 1 # Means critical status
fi
}
# #
# sudo wrapper # sudo wrapper
# issue crit state if not allowed to perform sudo # issue crit state if not allowed to perform sudo
@ -121,6 +138,10 @@ div() {
local _d=${3:-2} local _d=${3:-2}
local _n=0000000000 local _n=0000000000
_n=${_n:0:$_d} _n=${_n:0:$_d}
if (($1 == 0)); then
echo "0"
return
fi
if (($2 == 0)); then if (($2 == 0)); then
echo "N.A" echo "N.A"
return return

14
lib/main.sh
View File

@ -10,9 +10,17 @@ BATCH_OUTPUT=""
status="" status=""
forcedstatus="" forcedstatus=""
SUDO_CMD="" SUDO_CMD=""
SAVED_LOGLEVEL=""
ACTIONS_DONE=0
if [ -n "${LOGLEVEL:-}" ]; then
SAVED_LOGLEVEL=$LOGLEVEL
fi
# shellcheck source=../etc/hardening.cfg # shellcheck source=../etc/hardening.cfg
[ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg [ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
if [ -n "$SAVED_LOGLEVEL" ]; then
LOGLEVEL=$SAVED_LOGLEVEL
fi
# shellcheck source=../lib/common.sh # shellcheck source=../lib/common.sh
[ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh [ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
# shellcheck source=../lib/utils.sh # shellcheck source=../lib/utils.sh
@ -104,6 +112,9 @@ if [ -z "$status" ]; then
exit 2 exit 2
fi fi
# We want to trap unexpected failures in check scripts
trap exception EXIT
case $status in case $status in
enabled | true) enabled | true)
info "Checking Configuration" info "Checking Configuration"
@ -121,6 +132,7 @@ audit)
;; ;;
disabled | false) disabled | false)
info "$SCRIPT_NAME is disabled, ignoring" info "$SCRIPT_NAME is disabled, ignoring"
ACTIONS_DONE=1
exit 2 # Means unknown status exit 2 # Means unknown status
;; ;;
*) *)
@ -128,6 +140,8 @@ disabled | false)
;; ;;
esac esac
ACTIONS_DONE=1
if [ "$CRITICAL_ERRORS_NUMBER" -eq 0 ]; then if [ "$CRITICAL_ERRORS_NUMBER" -eq 0 ]; then
if [ "$BATCH_MODE" -eq 1 ]; then if [ "$BATCH_MODE" -eq 1 ]; then
BATCH_OUTPUT="OK $SCRIPT_NAME $BATCH_OUTPUT" BATCH_OUTPUT="OK $SCRIPT_NAME $BATCH_OUTPUT"

12
lib/utils.sh
View File

@ -384,9 +384,9 @@ is_kernel_option_enabled() {
fi fi
else else
if [ "$MODPROBE_FILTER" != "" ]; then if [ "$MODPROBE_FILTER" != "" ]; then
DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | grep -E "$MODPROBE_FILTER" | xargs)" DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | grep -E "$MODPROBE_FILTER" | tail -1 | xargs)"
else else
DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | xargs)" DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | tail -1 | xargs)"
fi fi
if [ "$DEF_MODULE" == "install /bin/true" ] || [ "$DEF_MODULE" == "install /bin/false" ]; then if [ "$DEF_MODULE" == "install /bin/true" ] || [ "$DEF_MODULE" == "install /bin/false" ]; then
@ -415,9 +415,9 @@ is_kernel_option_enabled() {
is_a_partition() { is_a_partition() {
local PARTITION=$1 local PARTITION=$1
FNRET=128 FNRET=128
if [ ! -f /etc/fstab ] || [ -n "$(sed '/^#/d' /etc/fstab)" ]; then if [ ! -f /etc/fstab ] || [ -z "$(sed '/^#/d' /etc/fstab)" ]; then
debug "/etc/fstab not found or empty, searching mountpoint" debug "/etc/fstab not found or empty, searching mountpoint"
if mountpoint "$PARTITION" | grep -qE ".*is a mountpoint.*"; then if mountpoint -q "$PARTITION"; then
FNRET=0 FNRET=0
fi fi
else else
@ -448,8 +448,8 @@ is_mounted() {
has_mount_option() { has_mount_option() {
local PARTITION=$1 local PARTITION=$1
local OPTION=$2 local OPTION=$2
if [ ! -f /etc/fstab ] || [ -n "$(sed '/^#/d' /etc/fstab)" ]; then if [ ! -f /etc/fstab ] || [ -z "$(sed '/^#/d' /etc/fstab)" ]; then
debug "/etc/fstab not found or empty, readin current mount options" debug "/etc/fstab not found or empty, reading current mount options"
has_mounted_option "$PARTITION" "$OPTION" has_mounted_option "$PARTITION" "$OPTION"
else else
if grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $4}' | grep -q "bind"; then if grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $4}' | grep -q "bind"; then

5
tests/hardening/1.1.15_run_shm_nodev.sh
View File

@ -2,15 +2,14 @@
# run-shellcheck # run-shellcheck
test_audit() { test_audit() {
describe Running on blank host describe Running on blank host
register_test retvalshouldbe 1 register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
ln -s /dev/shm /run/shm ln -s /dev/shm /run/shm
describe Partition symlink describe Partition symlink
register_test retvalshouldbe 1 register_test retvalshouldbe 0
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# Cleanup # Cleanup

3
tests/hardening/1.1.16_run_shm_nosuid.sh
View File

@ -3,14 +3,13 @@
test_audit() { test_audit() {
describe Running on blank host describe Running on blank host
register_test retvalshouldbe 0 register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
ln -s /dev/shm /run/shm ln -s /dev/shm /run/shm
describe Partition symlink describe Partition symlink
register_test retvalshouldbe 1 register_test retvalshouldbe 0
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# Cleanup # Cleanup

3
tests/hardening/1.1.17_run_shm_noexec.sh
View File

@ -3,14 +3,13 @@
test_audit() { test_audit() {
describe Running on blank host describe Running on blank host
register_test retvalshouldbe 0 register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
ln -s /dev/shm /run/shm ln -s /dev/shm /run/shm
describe Partition symlink describe Partition symlink
register_test retvalshouldbe 1 register_test retvalshouldbe 0
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# Cleanup # Cleanup

42
tests/hardening/1.1.21_sticky_bit_world_writable_folder.sh
View File

@ -1,29 +1,35 @@
# shellcheck shell=bash # shellcheck shell=bash
# run-shellcheck # run-shellcheck
test_audit() { test_audit() {
describe Running void to generate the conf file that will later be edited
# shellcheck disable=2154
/opt/debian-cis/bin/hardening/"${script}".sh || true
# shellcheck disable=2016
echo 'EXCEPTIONS="$EXCEPTIONS /home/secaudit/exception"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
mkdir /home/secaudit/exception
chmod 777 /home/secaudit/exception
describe Running on blank host describe Running on blank host
register_test retvalshouldbe 0 register_test retvalshouldbe 0
register_test contain "All world writable directories have a sticky bit" register_test contain "All world writable directories have a sticky bit"
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Tests purposely failing
local targetdir="/home/secaudit/world_writable_folder"
mkdir $targetdir || true
chmod 777 "$targetdir"
register_test retvalshouldbe 1
register_test contain "Some world writable directories are not on sticky bit mode"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation describe Tests purposely failing
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg local targetdir="/home/secaudit/world_writable_folder"
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true mkdir $targetdir || true
chmod 777 "$targetdir"
register_test retvalshouldbe 1
register_test contain "Some world writable directories are not on sticky bit mode"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "All world writable directories have a sticky bit"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "All world writable directories have a sticky bit"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
} }

16
tests/hardening/5.2.23_limit_ssh_max_sessions.sh
View File

@ -7,6 +7,22 @@ test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
echo "maxsessions 1" >>/etc/ssh/sshd_config
describe Running restrictive
register_test retvalshouldbe 0
register_test contain "[ OK ] 1 is lower than recommended 10"
run restrictive /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# delete last line
sed -i '$ d' /etc/ssh/sshd_config
echo "maxsessions 15" >>/etc/ssh/sshd_config
describe Running too permissive
register_test retvalshouldbe 1
register_test contain "[ KO ] 15 is higher than recommended 10"
run permissive /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Correcting situation describe Correcting situation
# `apply` performs a service reload after each change in the config file # `apply` performs a service reload after each change in the config file
# the service needs to be started for the reload to succeed # the service needs to be started for the reload to succeed

16
tests/hardening/5.2.7_sshd_maxauthtries.sh
View File

@ -7,6 +7,22 @@ test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
echo "MaxAuthTries 2" >>/etc/ssh/sshd_config
describe Running restrictive
register_test retvalshouldbe 0
register_test contain "[ OK ] 2 is lower than recommended 4"
run restrictive /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# delete last line
sed -i '$ d' /etc/ssh/sshd_config
echo "MaxAuthTries 6" >>/etc/ssh/sshd_config
describe Running too permissive
register_test retvalshouldbe 1
register_test contain "[ KO ] 6 is higher than recommended 4"
run permissive /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Correcting situation describe Correcting situation
# `apply` performs a service reload after each change in the config file # `apply` performs a service reload after each change in the config file
# the service needs to be started for the reload to succeed # the service needs to be started for the reload to succeed

49
tests/hardening/6.1.10_find_world_writable_file.sh
View File

@ -1,32 +1,33 @@
# shellcheck shell=bash # shellcheck shell=bash
# run-shellcheck # run-shellcheck
test_audit() { test_audit() {
describe Running void to generate the conf file that will later be edited
# shellcheck disable=2154
/opt/debian-cis/bin/hardening/"${script}".sh || true
# shellcheck disable=2016
echo 'EXCLUDED="$EXCLUDED ^/dev/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
#run this test only if we're not in docker describe Running on blank host
if [ -f "/.dockerenv" ]; then register_test retvalshouldbe 0
skip "SKIPPED on docker" register_test contain "No world writable files found"
else # shellcheck disable=2154
describe Running on blank host run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
register_test retvalshouldbe 0
register_test contain "No world writable files found"
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Tests purposely failing describe Tests purposely failing
local targetfile="/home/secaudit/worldwritable" local targetfile="/home/secaudit/worldwritable"
touch "$targetfile" touch "$targetfile"
chmod 777 "$targetfile" chmod 777 "$targetfile"
register_test retvalshouldbe 1 register_test retvalshouldbe 1
register_test contain "Some world writable files are present" register_test contain "Some world writable files are present"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "No world writable files found"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "No world writable files found"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
} }

9
tests/hardening/6.1.11_find_unowned_files.sh
View File

@ -1,6 +1,15 @@
# shellcheck shell=bash # shellcheck shell=bash
# run-shellcheck # run-shellcheck
test_audit() { test_audit() {
describe Running void to generate the conf file that will later be edited
# shellcheck disable=2154
/opt/debian-cis/bin/hardening/"${script}".sh || true
# shellcheck disable=2016
echo 'EXCLUDED="$EXCLUDED ^/home/secaudit/6.1.11/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
mkdir /home/secaudit/6.1.11/
touch /home/secaudit/6.1.11/test
chown 1200 /home/secaudit/6.1.11/test
describe Running on blank host describe Running on blank host
register_test retvalshouldbe 0 register_test retvalshouldbe 0
register_test contain "No unowned files found" register_test contain "No unowned files found"

9
tests/hardening/6.1.12_find_ungrouped_files.sh
View File

@ -1,6 +1,15 @@
# shellcheck shell=bash # shellcheck shell=bash
# run-shellcheck # run-shellcheck
test_audit() { test_audit() {
describe Running void to generate the conf file that will later be edited
# shellcheck disable=2154
/opt/debian-cis/bin/hardening/"${script}".sh || true
# shellcheck disable=2016
echo 'EXCLUDED="$EXCLUDED ^/home/secaudit/6.1.12/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
mkdir /home/secaudit/6.1.12/
touch /home/secaudit/6.1.12/test
chown 1200:1200 /home/secaudit/6.1.12/test
describe Running on blank host describe Running on blank host
register_test retvalshouldbe 0 register_test retvalshouldbe 0
register_test contain "No ungrouped files found" register_test contain "No ungrouped files found"

6
tests/hardening/6.1.3_etc_gshadow-_permissions.sh
View File

@ -37,6 +37,12 @@ test_audit() {
register_test contain "has correct ownership" register_test contain "has correct ownership"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Missing File should be OK as well
rm "$test_file"
register_test retvalshouldbe 0
register_test contain "does not exist"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# Cleanup # Cleanup
userdel "$test_user" userdel "$test_user"
} }

13
tests/hardening/6.1.6_etc_passwd-_permissions.sh
View File

@ -10,6 +10,13 @@ test_audit() {
local test_user="testetcpasswd-user" local test_user="testetcpasswd-user"
local test_file="/etc/passwd-" local test_file="/etc/passwd-"
describe Debian default right shall be accepted
chmod 644 "$test_file"
chown root:root "$test_file"
register_test retvalshouldbe 0
register_test contain "has correct permissions"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Tests purposely failing describe Tests purposely failing
chmod 777 "$test_file" chmod 777 "$test_file"
register_test retvalshouldbe 1 register_test retvalshouldbe 1
@ -37,6 +44,12 @@ test_audit() {
register_test contain "has correct ownership" register_test contain "has correct ownership"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Missing File should be OK as well
rm "$test_file"
register_test retvalshouldbe 0
register_test contain "does not exist"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# Cleanup # Cleanup
userdel "$test_user" userdel "$test_user"
} }

13
tests/hardening/6.1.7_etc_shadow-_permissions.sh
View File

@ -10,6 +10,13 @@ test_audit() {
local test_user="testetcshadow-user" local test_user="testetcshadow-user"
local test_file="/etc/shadow-" local test_file="/etc/shadow-"
describe Debian default right shall be accepted
chmod 640 "$test_file"
chown root:shadow "$test_file"
register_test retvalshouldbe 0
register_test contain "has correct permissions"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Tests purposely failing describe Tests purposely failing
chmod 777 "$test_file" chmod 777 "$test_file"
register_test retvalshouldbe 1 register_test retvalshouldbe 1
@ -37,6 +44,12 @@ test_audit() {
register_test contain "has correct ownership" register_test contain "has correct ownership"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Missing File should be OK as well
rm "$test_file"
register_test retvalshouldbe 0
register_test contain "does not exist"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# Cleanup # Cleanup
userdel "$test_user" userdel "$test_user"
} }

13
tests/hardening/6.1.8_etc_group-_permissions.sh
View File

@ -10,6 +10,13 @@ test_audit() {
local test_user="testetcgroup--user" local test_user="testetcgroup--user"
local test_file="/etc/group-" local test_file="/etc/group-"
describe Debian default right shall be accepted
chmod 644 "$test_file"
chown root:root "$test_file"
register_test retvalshouldbe 0
register_test contain "has correct permissions"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Tests purposely failing describe Tests purposely failing
chmod 777 "$test_file" chmod 777 "$test_file"
register_test retvalshouldbe 1 register_test retvalshouldbe 1
@ -37,6 +44,12 @@ test_audit() {
register_test contain "has correct ownership" register_test contain "has correct ownership"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Missing File should be OK as well
rm "$test_file"
register_test retvalshouldbe 0
register_test contain "does not exist"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# Cleanup # Cleanup
userdel "$test_user" userdel "$test_user"
} }

10
tests/hardening/99.5.4.5.2_acc_shadow_sha512.sh
View File

@ -22,11 +22,19 @@ test_audit() {
run lockedpasswd /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run lockedpasswd /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
mv /tmp/shadow.bak /etc/shadow mv /tmp/shadow.bak /etc/shadow
chpasswd <<EOF chpasswd -c SHA512 <<EOF
secaudit:mypassword secaudit:mypassword
EOF EOF
describe Pass: Found properly hashed password describe Pass: Found properly hashed password
register_test retvalshouldbe 0 register_test retvalshouldbe 0
register_test contain "User secaudit has suitable SHA512 hashed password" register_test contain "User secaudit has suitable SHA512 hashed password"
run sha512pass /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run sha512pass /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
chpasswd -c SHA512 -s 1000 <<EOF
secaudit:mypassword
EOF
describe Pass: Found properly hashed password with custom round number
register_test retvalshouldbe 0
register_test contain "User secaudit has suitable SHA512 hashed password"
run sha512pass /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
} }

16
tests/launch_tests.sh
View File

@ -131,12 +131,12 @@ play_consistency_tests() {
fi fi
} }
# Actually runs one signel audit script # Actually runs one single audit script
_run() { _run() {
usecase_name=$1 usecase_name=$1
shift shift
printf "\033[34m*** [%03d] %s \033[0m(%s)\n" "$testno" "$usecase_name" "$*" printf "\033[34m*** [%03d] %s \033[0m(%s)\n" "$testno" "$usecase_name" "$*"
bash -c "$*" >"$outdir/$usecase_name.log" && true bash -c "$*" >"$outdir/$usecase_name.log" 2>"$outdir/${usecase_name}_err.log" && true
echo $? >"$outdir/$usecase_name.retval" echo $? >"$outdir/$usecase_name.retval"
ret=$(<"$outdir"/"$usecase_name".retval) ret=$(<"$outdir"/"$usecase_name".retval)
get_stdout get_stdout
@ -188,15 +188,25 @@ for test_file in $tests_list; do
echo "" echo ""
done done
stderrunexpected=""
for file in "$outdir"/*_err.log; do
if [ -s "$file" ]; then
stderrunexpected="$stderrunexpected $(basename "$file")"
fi
done
printf "\033[1;36m###\n### %s \033[0m\n" "Test report" printf "\033[1;36m###\n### %s \033[0m\n" "Test report"
if [ $((nbfailedret + nbfailedgrep + nbfailedconsist)) -eq 0 ]; then if [ $((nbfailedret + nbfailedgrep + nbfailedconsist)) -eq 0 ] && [ -z "$stderrunexpected" ]; then
echo -e "\033[42m\033[30mAll tests succeeded :)\033[0m" echo -e "\033[42m\033[30mAll tests succeeded :)\033[0m"
echo -e "\033[42m\033[30mStderr is empty :)\033[0m"
else else
( (
echo -e "\033[41mOne or more tests failed :(\033[0m" echo -e "\033[41mOne or more tests failed :(\033[0m"
echo -e "- $nbfailedret unexpected return values ${listfailedret}" echo -e "- $nbfailedret unexpected return values ${listfailedret}"
echo -e "- $nbfailedgrep unexpected text values $listfailedgrep" echo -e "- $nbfailedgrep unexpected text values $listfailedgrep"
echo -e "- $nbfailedconsist root/sudo consistency $listfailedconsist" echo -e "- $nbfailedconsist root/sudo consistency $listfailedconsist"
echo -e "- stderr detected on $stderrunexpected"
) | tee "$outdir"/summary ) | tee "$outdir"/summary
fi fi
echo echo