elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2025-07-15 21:32:17 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: elie:v3.1-1
Branches Tags
elie:master elie:damcava35/deb12_scripts_2 elie:damcava35/update_lib elie:damcava35/new_scripts elie:damcava35/issue_249 elie:damcava35/drop_debian10 elie:damcava35/is_ip_v6_enabled elie:damcava35/issue_195 elie:damcava35/fix_only elie:damcava35/fix_packaging elie:damcava35/set_version elie:damcava35/test_pre_commit elie:dev/thibault.dewailly/deb12 elie:dependabot/github_actions/luizm/action-sh-checker-0.9.0 elie:dev/thibault.dewailly/set_hardening_level elie:dev/thibault.dewailly/syslogng_remotecheck
elie:latest elie:v4.1-5 elie:v4.1-4 elie:v4.1-3 elie:v4.1-2 elie:v4.1-1 elie:v4.0-1 elie:v3.8-1 elie:v3.7-1 elie:v3.6-1 elie:v3.5-1 elie:v3.4-1 elie:v3.3-1 elie:v3.2-2 elie:v3.2-1 elie:v3.2-0 elie:v3.1-6 elie:v3.1-5 elie:v3.1-4 elie:v3.1-3 elie:v3.1-2 elie:v3.1-1 elie:v3.1-0 elie:v3.0-1 elie:v3.0 elie:v2.1-6 elie:v2.1-5 elie:v2.1-4 elie:v2.1-3 elie:v2.1-2 elie:v2.1-1 elie:v2.0-6 elie:v2.0-5 elie:v2.0-4 elie:v1.3-4 elie:v1.3-3 elie:v1.3-2 elie:v1.3 elie:v1.2-1 elie:v1.1-1
...
compare: elie:v3.2-0
Branches Tags
elie:damcava35/deb12_scripts_2 elie:damcava35/update_lib elie:damcava35/new_scripts elie:master elie:damcava35/issue_249 elie:damcava35/drop_debian10 elie:damcava35/is_ip_v6_enabled elie:damcava35/issue_195 elie:damcava35/fix_only elie:damcava35/fix_packaging elie:damcava35/set_version elie:damcava35/test_pre_commit elie:dev/thibault.dewailly/deb12 elie:dependabot/github_actions/luizm/action-sh-checker-0.9.0 elie:dev/thibault.dewailly/set_hardening_level elie:dev/thibault.dewailly/syslogng_remotecheck
elie:latest elie:v4.1-5 elie:v4.1-4 elie:v4.1-3 elie:v4.1-2 elie:v4.1-1 elie:v4.0-1 elie:v3.8-1 elie:v3.7-1 elie:v3.6-1 elie:v3.5-1 elie:v3.4-1 elie:v3.3-1 elie:v3.2-2 elie:v3.2-1 elie:v3.2-0 elie:v3.1-6 elie:v3.1-5 elie:v3.1-4 elie:v3.1-3 elie:v3.1-2 elie:v3.1-1 elie:v3.1-0 elie:v3.0-1 elie:v3.0 elie:v2.1-6 elie:v2.1-5 elie:v2.1-4 elie:v2.1-3 elie:v2.1-2 elie:v2.1-1 elie:v2.0-6 elie:v2.0-5 elie:v2.0-4 elie:v1.3-4 elie:v1.3-3 elie:v1.3-2 elie:v1.3 elie:v1.2-1 elie:v1.1-1

29 Commits
v3.1-1 ... v3.2-0

Author SHA1 Message Date
Sebastien BLAISOT
97914976c8 Skip NTP and Chrony config check if they are not installed (#120) 
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-12-01 10:49:08 +01:00
Sebastien BLAISOT
66c8ccf495 Fix 3.4.2 audit rule (#123) 
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-12-01 10:23:11 +01:00
Sebastien BLAISOT
b53bf1795c Fix grub detection (#119) 
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-12-01 08:58:32 +01:00
Sebastien BLAISOT
1a874b2b35 Allow grub.cfg permission to be 600 (#121) 
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-11-30 18:47:19 +01:00
Sebastien BLAISOT
7266ec7cb4 Honor --set-log-level parameter (#127) 
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-11-30 18:42:33 +01:00
Jan Schmidle
8f855ac159 fix: kernel module detection (#129) 
* fix: add filter to hfs

* fix is_kernel_option_enabled check

as the module in question could have dependencies which have been blacklisted as well we need to make sure that the comparison only checks for the module in question - the last line in the output.

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-10-20 14:51:29 +02:00
Sebastien BLAISOT
ad192c9457 Add silent mode and json summary (#128) 
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-10-20 13:22:59 +02:00
Sebastien BLAISOT
3d2d97a727 FIX(1.7.1.4): don't abort script in case of unconfined processes (#130) 2021-10-20 13:14:36 +02:00
Sebastien BLAISOT
6e2fb1570c FIX(2.2.1.4): Validate debian default ntp config (#118) 2021-10-15 16:19:51 +02:00
dependabot[bot]
faf5b155e5 Bump metcalfc/changelog-generator from v0.4.4 to v1.0.0 (#81) 
Bumps [metcalfc/changelog-generator](https://github.com/metcalfc/changelog-generator) from v0.4.4 to v1.0.0.
- [Release notes](https://github.com/metcalfc/changelog-generator/releases)
- [Changelog](https://github.com/metcalfc/changelog-generator/blob/main/release-notes.png)
- [Commits](https://github.com/metcalfc/changelog-generator/compare/v0.4.4...e5306b306fa2e34f05258789e0e5c526c1bd4352)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Thibault Ayanides <thibault.ayanides@ovhcloud.com>
 2021-08-10 13:57:13 +02:00
dependabot[bot]
43887d4165 Bump luizm/action-sh-checker from 0.1.13 to 0.3.0 (#111) 
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.1.13 to 0.3.0.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.1.13...v0.3.0)

---
updated-dependencies:
- dependency-name: luizm/action-sh-checker
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2021-08-10 13:47:31 +02:00
dependabot[bot]
499ebf2f9b Bump dev-drprasad/delete-tag-and-release from v0.1.3 to v0.2.0 (#72) 
Bumps [dev-drprasad/delete-tag-and-release](https://github.com/dev-drprasad/delete-tag-and-release) from v0.1.3 to v0.2.0.
- [Release notes](https://github.com/dev-drprasad/delete-tag-and-release/releases)
- [Commits](https://github.com/dev-drprasad/delete-tag-and-release/compare/v0.1.3...085c6969f18bad0de1b9f3fe6692a3cd01f64fe5)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Thibault Ayanides <thibault.ayanides@ovhcloud.com>
 2021-08-10 10:39:53 +02:00
Thibault Ayanides
afed5a9dce 99.5.4.5.2: fix bug where sha512 option rounds provoke KO (#112) 2021-08-10 10:30:35 +02:00
dependabot[bot]
01c3d1b98c Bump luizm/action-sh-checker from v0.1.12 to v0.1.13 (#73) 
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from v0.1.12 to v0.1.13.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.1.12...164368daf52a9126460854f9c0de00abc079a350)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Thibault Ayanides <thibault.ayanides@ovhcloud.com>
 2021-08-10 09:43:59 +02:00
dependabot[bot]
25e899168f Bump actions-ecosystem/action-get-latest-tag from 1 to 1.4.1 (#101) 
Bumps [actions-ecosystem/action-get-latest-tag](https://github.com/actions-ecosystem/action-get-latest-tag) from 1 to 1.4.1.
- [Release notes](https://github.com/actions-ecosystem/action-get-latest-tag/releases)
- [Commits](https://github.com/actions-ecosystem/action-get-latest-tag/compare/v1...v1.4.1)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Thibault Ayanides <thibault.ayanides@ovhcloud.com>
 2021-08-10 09:36:28 +02:00
Thibault Ayanides
9a2e3a0e0d Fix 5.4.5 pattern search (#108) 
fix #107
 2021-08-09 10:49:56 +02:00
Thibault Ayanides
334d743125 fix EXCEPTIONS management (#104) 
* FIX(1.1.21, 6.1.10) fix EXCEPTIONS management
* Update changelog
* Refactor test for 6.1.10-14
 2021-06-02 13:47:19 +02:00
Thibault Ayanides
4ed8adf790 Update changelog (#103) 2021-05-28 15:06:48 +02:00
Thibault Ayanides
f4328deeb2 Fix unbound variable (#102) 2021-05-28 15:00:58 +02:00
Thibault Ayanides
29505255ff Update changelog (#99) 2021-05-07 09:16:15 +02:00
Thibault Ayanides
9e6c9a0d8a Accept lower values (#95) 
* IMP(5.2.23): accept lower value as valid

* IMP(5.2.7): accept lower value as valid
 2021-04-27 16:04:13 +02:00
Thibault Ayanides
1cade2e375 FIX(2.2.1.2): custom func not working for systemd (#90) 
fix #87
 2021-04-27 13:49:05 +02:00
Thibault Ayanides
fc8a2b2561 FIX: add commands to sudoers (#91) 2021-04-27 13:31:59 +02:00
Thibault Ayanides
cadc25c28c Dir exceptions (#96) 
* IMP(1.1.21): add EXCEPTIONS
* IMP(6.1.10): add EXCEPTIONS
 2021-04-26 17:05:22 +02:00
Thibault Ayanides
8c6c9a7571 IMP(tests): checks that stderr is empty 
Fix #97
 2021-04-26 17:01:19 +02:00
Thibault Ayanides
dd41988933 Update changelog 2021-04-13 11:00:29 +02:00
Thibault Ayanides
f6c6e6a0a8 FIX(4.1.11): add SUDO to find suid files 2021-04-13 11:00:29 +02:00
Thibault Ayanides
d26ad48416 Update changelog 2021-04-02 09:25:41 +02:00
Thibault Ayanides
d110a2aa19 Ignore case for sshd conf 
fix #85
 2021-04-02 09:25:41 +02:00
54 changed files with 382 additions and 180 deletions
Expand all files Collapse all files

6
.github/workflows/pre-release.yml vendored
View File

@ -21,7 +21,7 @@ jobs:
find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
# DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
- name: Delete the tag latest and the release latest
uses: dev-drprasad/delete-tag-and-release@v0.1.3
uses: dev-drprasad/delete-tag-and-release@v0.2.0
with:
delete_release: true
tag_name: latest
@ -29,12 +29,12 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# GET LATEST VERSION TAG
- name: Get latest version tag
uses: actions-ecosystem/action-get-latest-tag@v1
uses: actions-ecosystem/action-get-latest-tag@v1.4.1
id: get-latest-tag
# GENERATE CHANGELOG CORRESPONDING TO COMMIT BETWEEN HEAD AND COMPUTED LAST TAG
- name: Generate changelog
id: changelog
uses: metcalfc/changelog-generator@v0.4.4
uses: metcalfc/changelog-generator@v1.0.0
with:
myToken: ${{ secrets.GITHUB_TOKEN }}
head-ref: ${{ github.sha }}

2
.github/workflows/shellcheck_and_shellfmt.yml vendored
View File

@ -10,7 +10,7 @@ jobs:
- name: Checkout repo
uses: actions/checkout@v2
- name: Run the sh-checker
uses: luizm/action-sh-checker@v0.1.12
uses: luizm/action-sh-checker@v0.3.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Optional if sh_checker_comment is false.
SHFMT_OPTS: -l -i 4 -w # Optional: pass arguments to shfmt.

2
.github/workflows/tagged-release.yml vendored
View File

@ -35,7 +35,7 @@ jobs:
find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
# DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
- name: Delete the tag latest and the release latest
uses: dev-drprasad/delete-tag-and-release@v0.1.3
uses: dev-drprasad/delete-tag-and-release@v0.2.0
with:
delete_release: true
tag_name: latest

37
bin/hardening.sh
View File

@ -26,6 +26,7 @@ ALLOW_SERVICE_LIST=0
SET_HARDENING_LEVEL=0
SUDO_MODE=''
BATCH_MODE=''
SUMMARY_JSON=''
ASK_LOGLEVEL=''
ALLOW_UNSUPPORTED_DISTRIBUTION=0
@ -80,7 +81,7 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
Modifies the policy to allow a certain kind of services on the machine, such
as http, mail, etc. Can be specified multiple times to allow multiple services.
Use --allow-service-list to get a list of supported services.
--create-config-files-only
Create the config files in etc/conf.d
Must be run as root, before running the audit with user secaudit
@ -101,14 +102,18 @@ OPTIONS:
Finally note that '--sudo' mode only works for audit mode.
--set-log-level <level>
This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug or silent.
Default value is : info
--summary-json
While performing system audit, this option sets LOGLEVEL to silent and
only output a json summary at the end
--batch
While performing system audit, this option sets LOGLEVEL to 'ok' and
captures all output to print only one line once the check is done, formatted like :
OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
--allow-unsupported-distribution
Must be specified manually in the command line to allow the run on non compatible
version or distribution. If you want to mute the warning change the LOGLEVEL
@ -165,6 +170,10 @@ while [[ $# -gt 0 ]]; do
--sudo)
SUDO_MODE='--sudo'
;;
--summary-json)
SUMMARY_JSON='--summary-json'
ASK_LOGLEVEL=silent
;;
--batch)
BATCH_MODE='--batch'
ASK_LOGLEVEL=ok
@ -299,19 +308,19 @@ for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
info "Treating $SCRIPT"
if [ "$CREATE_CONFIG" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only"
"$SCRIPT" --create-config-files-only "$BATCH_MODE"
LOGLEVEL=$LOGLEVEL "$SCRIPT" --create-config-files-only "$BATCH_MODE"
elif [ "$AUDIT" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
"$SCRIPT" --audit "$SUDO_MODE" "$BATCH_MODE"
LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit "$SUDO_MODE" "$BATCH_MODE"
elif [ "$AUDIT_ALL" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
"$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
elif [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
"$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
elif [ "$APPLY" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
"$SCRIPT"
LOGLEVEL=$LOGLEVEL "$SCRIPT"
fi
SCRIPT_EXITCODE=$?
@ -355,6 +364,18 @@ if [ "$BATCH_MODE" ]; then
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
fi
becho "$BATCH_SUMMARY"
elif [ "$SUMMARY_JSON" ]; then
if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
CONFORMITY_PERCENTAGE=$(div $((PASSED_CHECKS * 100)) $TOTAL_TREATED_CHECKS)
else
CONFORMITY_PERCENTAGE=0 # No check runned, avoid division by 0
fi
printf '{'
printf '"available_checks": %s, ' "$TOTAL_CHECKS"
printf '"run_checks": %s, ' "$TOTAL_TREATED_CHECKS"
printf '"passed_checks": %s, ' "$PASSED_CHECKS"
printf '"conformity_percentage": %s' "$CONFORMITY_PERCENTAGE"
printf '}\n'
else
printf "%40s\n" "################### SUMMARY ###################"
printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"

4
bin/hardening/1.1.1.3_disable_hfs.sh
View File

@ -26,7 +26,7 @@ audit() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
@ -41,7 +41,7 @@ apply() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else

4
bin/hardening/1.1.1.4_disable_hfsplus.sh
View File

@ -26,7 +26,7 @@ audit() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
@ -41,7 +41,7 @@ apply() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else

21
bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
View File

@ -17,12 +17,20 @@ HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them."
EXCEPTIONS=''
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Checking if setuid is set on world writable Directories"
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
# shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
if [ -n "$EXCEPTIONS" ]; then
# shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
else
# shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
fi
if [ -n "$RESULT" ]; then
crit "Some world writable directories are not on sticky bit mode!"
# shellcheck disable=SC2001
@ -35,8 +43,15 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
if [ -n "$EXCEPTIONS" ]; then
# shellcheck disable=SC2086
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
else
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
fi
if [ -n "$RESULT" ]; then
warn "Setting sticky bit on world writable directories"
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
else
ok "All world writable directories have a sticky bit, nothing to apply"

7
bin/hardening/1.5.1_bootloader_ownership.sh
View File

@ -23,6 +23,7 @@ FILE='/boot/grub/grub.cfg'
USER='root'
GROUP='root'
PERMISSIONS='400'
PERMISSIONSOK='400 600'
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -33,7 +34,7 @@ audit() {
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
@ -51,7 +52,7 @@ apply() {
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
@ -63,7 +64,7 @@ apply() {
# This function will check config parameters required
check_config() {
is_pkg_installed "grub-pc"
is_pkg_installed "grub-common"
if [ "$FNRET" != 0 ]; then
warn "Grub is not installed, not handling configuration"
exit 2

4
bin/hardening/1.5.2_bootloader_password.sh
View File

@ -55,9 +55,9 @@ apply() {
# This function will check config parameters required
check_config() {
is_pkg_installed "grub-pc"
is_pkg_installed "grub-common"
if [ "$FNRET" != 0 ]; then
warn "grub-pc is not installed, not handling configuration"
warn "Grub is not installed, not handling configuration"
exit 2
fi
if [ "$FNRET" != 0 ]; then

2
bin/hardening/1.7.1.2_enable_apparmor.sh
View File

@ -33,7 +33,7 @@ audit() {
done
if [ "$ERROR" = 0 ]; then
is_pkg_installed "grub-pc"
is_pkg_installed "grub-common"
if [ "$FNRET" != 0 ]; then
if [ "$IS_CONTAINER" -eq 1 ]; then
ok "Grub is not installed in container"

8
bin/hardening/1.7.1.4_enforcing_apparmor.sh
View File

@ -32,8 +32,8 @@ audit() {
fi
done
if [ "$ERROR" = 0 ]; then
RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode.")
RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined" || true)
RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode." || true)
if [ -n "$RESULT_UNCONFINED" ]; then
ok "No profiles are unconfined"
@ -61,8 +61,8 @@ apply() {
fi
done
RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined")
RESULT_COMPLAIN=$(apparmor_status | grep "^0 profiles are in complain mode.")
RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined" || true)
RESULT_COMPLAIN=$(apparmor_status | grep "^0 profiles are in complain mode." || true)
if [ -n "$RESULT_UNCONFINED" ]; then
ok "No profiles are unconfined"

4
bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh
View File

@ -21,8 +21,8 @@ SERVICE_NAME="systemd-timesyncd"
# This function will be called if the script status is on enabled / audit mode
audit() {
is_service_enabled "$SERVICE_NAME"
if [ "$FNRET" = 0 ]; then
status=$(systemctl is-enabled "$SERVICE_NAME")
if [ "$status" = "enabled" ]; then
ok "$SERVICE_NAME is enabled"
else
crit "$SERVICE_NAME is disabled"

18
bin/hardening/2.2.1.3_configure_chrony.sh
View File

@ -25,17 +25,11 @@ CONF_FILE='/etc/chrony/chrony.conf'
# This function will be called if the script status is on enabled / audit mode
audit() {
is_pkg_installed "$PACKAGE"
does_pattern_exist_in_file "$CONF_FILE" "$CONF_DEFAULT_PATTERN"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE"
else
ok "$PACKAGE is installed, checking configuration"
does_pattern_exist_in_file "$CONF_FILE" "$CONF_DEFAULT_PATTERN"
if [ "$FNRET" != 0 ]; then
crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE"
else
ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE"
fi
ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE"
fi
}
@ -46,7 +40,11 @@ apply() {
# This function will check config parameters required
check_config() {
:
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
warn "$PACKAGE is not installed, not handling configuration"
exit 2
fi
}
# Source Root Dir Parameter

32
bin/hardening/2.2.1.4_configure_ntp.sh
View File

@ -20,30 +20,24 @@ DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters an
HARDENING_EXCEPTION=ntp
PACKAGE='ntp'
NTP_CONF_DEFAULT_PATTERN='^restrict -4 default (kod nomodify notrap nopeer noquery|ignore)'
NTP_CONF_DEFAULT_PATTERN='^restrict -4 default (kod nomodify notrap nopeer noquery|kod notrap nomodify nopeer noquery|ignore)'
NTP_CONF_FILE='/etc/ntp.conf'
NTP_INIT_PATTERN='RUNASUSER=ntp'
NTP_INIT_FILE='/etc/init.d/ntp'
# This function will be called if the script status is on enabled / audit mode
audit() {
is_pkg_installed "$PACKAGE"
does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
else
ok "$PACKAGE is installed, checking configuration"
does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
if [ "$FNRET" != 0 ]; then
crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
else
ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
fi
does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
if [ "$FNRET" != 0 ]; then
crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE"
else
ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
fi
ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
fi
does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
if [ "$FNRET" != 0 ]; then
crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE"
else
ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
fi
}
@ -77,7 +71,11 @@ apply() {
# This function will check config parameters required
check_config() {
:
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
warn "$PACKAGE is not installed, not handling configuration"
exit 2
fi
}
# Source Root Dir Parameter

2
bin/hardening/3.4.2_disable_sctp.sh
View File

@ -28,7 +28,7 @@ audit() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else

3
bin/hardening/4.1.11_record_privileged_commands.sh
View File

@ -17,8 +17,9 @@ HARDENING_LEVEL=4
# shellcheck disable=2034
DESCRIPTION="Collect use of privileged commands."
SUDO_CMD='sudo -n'
# Find all files with setuid or setgid set
AUDIT_PARAMS=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f |
AUDIT_PARAMS=$($SUDO_CMD find / -xdev \( -perm -4000 -o -perm -2000 \) -type f |
awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }')
FILE='/etc/audit/audit.rules'

6
bin/hardening/5.2.10_disable_root_login.sh
View File

@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^$SSH_PARAM"
does_pattern_exist_in_file_nocase "$FILE" "^$SSH_PARAM"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

6
bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh
View File

@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

6
bin/hardening/5.2.12_disable_sshd_setenv.sh
View File

@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

6
bin/hardening/5.2.13_sshd_ciphers.sh
View File

@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

6
bin/hardening/5.2.16_sshd_idle_timeout.sh
View File

@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

6
bin/hardening/5.2.17_sshd_login_grace_time.sh
View File

@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
does_pattern_exist_in_file_nocase $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

6
bin/hardening/5.2.18_sshd_limit_access.sh
View File

@ -34,7 +34,7 @@ audit() {
# shellcheck disable=SC2001
SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE")
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -59,12 +59,12 @@ apply() {
# shellcheck disable=SC2001
SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE")
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

6
bin/hardening/5.2.20_enable_ssh_pam.sh
View File

@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
does_pattern_exist_in_file_nocase $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

6
bin/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh
View File

@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
does_pattern_exist_in_file_nocase $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

6
bin/hardening/5.2.22_configure_ssh_max_startups.sh
View File

@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
does_pattern_exist_in_file_nocase $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

27
bin/hardening/5.2.23_limit_ssh_max_sessions.sh
View File

@ -32,11 +32,21 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
does_pattern_exist_in_file_nocase $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in $FILE"
else
VALUE=$($SUDO_CMD grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
if [ "$VALUE" -gt "$SSH_VALUE" ]; then
crit "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM"
else
ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
fi
fi
fi
done
fi
@ -55,17 +65,22 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
VALUE=$(grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
if [ "$VALUE" -gt "$SSH_VALUE" ]; then
warn "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM, replacing it"
replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
else
ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
fi
fi
/etc/init.d/ssh reload
fi

6
bin/hardening/5.2.4_sshd_protocol.sh
View File

@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

2
bin/hardening/5.2.5_sshd_loglevel.sh
View File

@ -61,7 +61,7 @@ apply() {
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

4
bin/hardening/5.2.6_disable_x11_forwarding.sh
View File

@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

29
bin/hardening/5.2.7_sshd_maxauthtries.sh
View File

@ -32,11 +32,21 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in $FILE"
else
VALUE=$($SUDO_CMD grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
if [ "$VALUE" -gt "$SSH_VALUE" ]; then
crit "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM"
else
ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
fi
fi
fi
done
fi
@ -55,17 +65,22 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
warn "$PATTERN is not present in $FILE"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
VALUE=$(grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
if [ "$VALUE" -gt "$SSH_VALUE" ]; then
warn "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM, replacing it"
replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
else
ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
fi
fi
/etc/init.d/ssh reload
fi

6
bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh
View File

@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

6
bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh
View File

@ -32,7 +32,7 @@ audit() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -55,12 +55,12 @@ apply() {
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
else

11
bin/hardening/5.4.5_default_timeout.sh
View File

@ -31,7 +31,7 @@ audit() {
debug "$FILE_SEARCHED is a directory"
# shellcheck disable=2044
for file_in_dir in $(find "$FILE_SEARCHED" -type f); do
does_pattern_exist_in_file "$file_in_dir" "^$PATTERN"
does_pattern_exist_in_file "$file_in_dir" "$PATTERN"
if [ "$FNRET" != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
else
@ -41,7 +41,7 @@ audit() {
fi
done
else
does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
does_pattern_exist_in_file "$FILE_SEARCHED" "$PATTERN"
if [ "$FNRET" != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED"
else
@ -64,7 +64,7 @@ apply() {
debug "$FILE_SEARCHED is a directory"
# shellcheck disable=2044
for file_in_dir in $(find "$FILE_SEARCHED" -type f); do
does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "$PATTERN"
if [ "$FNRET" != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
else
@ -74,7 +74,7 @@ apply() {
fi
done
else
does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
does_pattern_exist_in_file "$FILE_SEARCHED" "$PATTERN"
if [ "$FNRET" != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED"
else
@ -87,8 +87,7 @@ apply() {
warn "$PATTERN is not present in $FILES_TO_SEARCH"
touch "$FILE"
chmod 644 "$FILE"
add_end_of_file "$FILE" "$PATTERN$VALUE"
add_end_of_file "$FILE" "readonly TMOUT"
add_end_of_file "$FILE" "readonly $PATTERN$VALUE"
add_end_of_file "$FILE" "export TMOUT"
else
ok "$PATTERN is present in $FILES_TO_SEARCH"

21
bin/hardening/6.1.10_find_world_writable_file.sh
View File

@ -17,12 +17,21 @@ HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure no world writable files exist"
EXCLUDED=''
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Checking if there are world writable files"
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
# shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null)
if [ -n "$EXCLUDED" ]; then
# shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
else
# shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null)
fi
if [ -n "$RESULT" ]; then
crit "Some world writable files are present"
# shellcheck disable=SC2001
@ -35,7 +44,13 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
if [ -n "$EXCLUDED" ]; then
# shellcheck disable=SC2086
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
else
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
fi
if [ -n "$RESULT" ]; then
warn "chmoding o-w all files in the system"
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null | xargs chmod o-w

5
bin/hardening/6.1.11_find_unowned_files.sh
View File

@ -26,7 +26,7 @@ audit() {
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
if [ -n "$EXCLUDED" ]; then
# shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
else
# shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -print 2>/dev/null)
@ -44,7 +44,8 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
if [ -n "$EXCLUDED" ]; then
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
# shellcheck disable=SC2086
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex $EXCLUDED -ls 2>/dev/null)
else
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
fi

5
bin/hardening/6.1.12_find_ungrouped_files.sh
View File

@ -26,7 +26,7 @@ audit() {
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
if [ -n "$EXCLUDED" ]; then
# shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
else
# shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null)
@ -44,7 +44,8 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
if [ -n "$EXCLUDED" ]; then
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
# shellcheck disable=SC2086
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex $EXCLUDED -ls 2>/dev/null)
else
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
fi

2
bin/hardening/6.1.13_find_suid_files.sh
View File

@ -24,7 +24,7 @@ audit() {
FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
# shellcheck disable=2086
if [ -n "$IGNORED_PATH" ]; then
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
else
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print)
fi

2
bin/hardening/6.1.14_find_sgid_files.sh
View File

@ -24,7 +24,7 @@ audit() {
FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
# shellcheck disable=2086
if [ -n "$IGNORED_PATH" ]; then
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
else
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print)
fi

1
bin/hardening/99.5.4.5.1_acc_logindefs_sha512.sh
View File

@ -49,7 +49,6 @@ apply() {
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file "$CONF_FILE" "^$(echo "$CONF_LINE" | cut -d ' ' -f1)[[:space:]]*.*" "$CONF_LINE"
fi
/etc/init.d/ssh reload >/dev/null 2>&1
fi
}

2
bin/hardening/99.5.4.5.2_acc_shadow_sha512.sh
View File

@ -37,7 +37,7 @@ audit() {
pw_found+="$user "
ok "User $user has a disabled password."
# Check password against $6$<salt>$<encrypted>, see `man 3 crypt`
elif [[ $passwd =~ ^\$6\$[a-zA-Z0-9./]{2,16}\$[a-zA-Z0-9./]{86}$ ]]; then
elif [[ $passwd =~ ^\$6(\$rounds=[0-9]+)?\$[a-zA-Z0-9./]{2,16}\$[a-zA-Z0-9./]{86}$ ]]; then
pw_found+="$user "
ok "User $user has suitable SHA512 hashed password."
else

4
cisharden.sudoers
View File

@ -20,6 +20,10 @@ Cmnd_Alias SCL_CMD = /bin/grep ,\
/sbin/sysctl -a,\
/bin/dmesg "",\
/bin/netstat,\
/usr/sbin/lsmod,\
/sbin/lsmod,\
/sbin/modprobe,\
/usr/sbin/modprobe -n -v*,\
/usr/sbin/apparmor_status
cisharden ALL = (root) NOPASSWD: SCL_CMD

34
debian/changelog vendored
View File

@ -1,3 +1,37 @@
cis-hardening (3.1-6) unstable; urgency=medium
* Improve EXCEPTIONS management (1.1.21,6.1.10)
* Fix bug linked with regex quoting (6.1.10-11-12-13-14)
-- Thibault Ayanides <thibault.ayanides@ovhcloud.com> Wed, 02 Jun 2021 09:45:40 +0200
cis-hardening (3.1-5) unstable; urgency=medium
* Fix unbound EXCEPTIONS variable in some cases
-- Thibault Ayanides <thibault.ayanides@ovhcloud.com> Fri, 28 May 2021 15:02:34 +0200
cis-hardening (3.1-4) unstable; urgency=medium
* Add test to check stderr is empty
* Fix 2.2.1.2 audit and apply
* Accept lower values as valid 5.2.7 and 5.2.23
* Add dir exceptions in 1.1.21 and 6.1.10
-- Thibault Ayanides <thibault.ayanides@ovhcloud.com> Thu, 06 May 2021 10:07:22 +0200
cis-hardening (3.1-3) unstable; urgency=medium
* Fix 4.1.11 permissions
-- Thibault Ayanides <thibault.ayanides@ovhcloud.com> Mon, 12 Apr 2021 12:17:16 +0200
cis-hardening (3.1-2) unstable; urgency=medium
* Fix case for sshd pattern searching
-- Thibault Ayanides <thibault.ayanides@ovhcloud.com> Fri, 02 Apr 2021 09:16:16 +0200
cis-hardening (3.1-1) unstable; urgency=medium
* Various mispeling fixes

3
lib/common.sh
View File

@ -25,6 +25,9 @@ backup_file() {
#
case $LOGLEVEL in
silent)
MACHINE_LOG_LEVEL=0
;;
error)
MACHINE_LOG_LEVEL=1
;;

7
lib/main.sh
View File

@ -10,9 +10,16 @@ BATCH_OUTPUT=""
status=""
forcedstatus=""
SUDO_CMD=""
SAVED_LOGLEVEL=""
if [ -n "${LOGLEVEL:-}" ]; then
SAVED_LOGLEVEL=$LOGLEVEL
fi
# shellcheck source=../etc/hardening.cfg
[ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
if [ -n "$SAVED_LOGLEVEL" ]; then
LOGLEVEL=$SAVED_LOGLEVEL
fi
# shellcheck source=../lib/common.sh
[ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
# shellcheck source=../lib/utils.sh

4
lib/utils.sh
View File

@ -384,9 +384,9 @@ is_kernel_option_enabled() {
fi
else
if [ "$MODPROBE_FILTER" != "" ]; then
DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | grep -E "$MODPROBE_FILTER" | xargs)"
DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | grep -E "$MODPROBE_FILTER" | tail -1 | xargs)"
else
DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | xargs)"
DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | tail -1 | xargs)"
fi
if [ "$DEF_MODULE" == "install /bin/true" ] || [ "$DEF_MODULE" == "install /bin/false" ]; then

42
tests/hardening/1.1.21_sticky_bit_world_writable_folder.sh
View File

@ -1,29 +1,35 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Running void to generate the conf file that will later be edited
# shellcheck disable=2154
/opt/debian-cis/bin/hardening/"${script}".sh || true
# shellcheck disable=2016
echo 'EXCEPTIONS="$EXCEPTIONS /home/secaudit/exception"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
mkdir /home/secaudit/exception
chmod 777 /home/secaudit/exception
describe Running on blank host
register_test retvalshouldbe 0
register_test contain "All world writable directories have a sticky bit"
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Tests purposely failing
local targetdir="/home/secaudit/world_writable_folder"
mkdir $targetdir || true
chmod 777 "$targetdir"
register_test retvalshouldbe 1
register_test contain "Some world writable directories are not on sticky bit mode"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
local targetdir="/home/secaudit/world_writable_folder"
mkdir $targetdir || true
chmod 777 "$targetdir"
register_test retvalshouldbe 1
register_test contain "Some world writable directories are not on sticky bit mode"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "All world writable directories have a sticky bit"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "All world writable directories have a sticky bit"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
}

16
tests/hardening/5.2.23_limit_ssh_max_sessions.sh
View File

@ -7,6 +7,22 @@ test_audit() {
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
echo "maxsessions 1" >>/etc/ssh/sshd_config
describe Running restrictive
register_test retvalshouldbe 0
register_test contain "[ OK ] 1 is lower than recommended 10"
run restrictive /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# delete last line
sed -i '$ d' /etc/ssh/sshd_config
echo "maxsessions 15" >>/etc/ssh/sshd_config
describe Running too permissive
register_test retvalshouldbe 1
register_test contain "[ KO ] 15 is higher than recommended 10"
run permissive /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Correcting situation
# `apply` performs a service reload after each change in the config file
# the service needs to be started for the reload to succeed

16
tests/hardening/5.2.7_sshd_maxauthtries.sh
View File

@ -7,6 +7,22 @@ test_audit() {
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
echo "MaxAuthTries 2" >>/etc/ssh/sshd_config
describe Running restrictive
register_test retvalshouldbe 0
register_test contain "[ OK ] 2 is lower than recommended 4"
run restrictive /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# delete last line
sed -i '$ d' /etc/ssh/sshd_config
echo "MaxAuthTries 6" >>/etc/ssh/sshd_config
describe Running too permissive
register_test retvalshouldbe 1
register_test contain "[ KO ] 6 is higher than recommended 4"
run permissive /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Correcting situation
# `apply` performs a service reload after each change in the config file
# the service needs to be started for the reload to succeed

49
tests/hardening/6.1.10_find_world_writable_file.sh
View File

@ -1,32 +1,33 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Running void to generate the conf file that will later be edited
# shellcheck disable=2154
/opt/debian-cis/bin/hardening/"${script}".sh || true
# shellcheck disable=2016
echo 'EXCLUDED="$EXCLUDED ^/dev/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
#run this test only if we're not in docker
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Running on blank host
register_test retvalshouldbe 0
register_test contain "No world writable files found"
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Running on blank host
register_test retvalshouldbe 0
register_test contain "No world writable files found"
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Tests purposely failing
local targetfile="/home/secaudit/worldwritable"
touch "$targetfile"
chmod 777 "$targetfile"
register_test retvalshouldbe 1
register_test contain "Some world writable files are present"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Tests purposely failing
local targetfile="/home/secaudit/worldwritable"
touch "$targetfile"
chmod 777 "$targetfile"
register_test retvalshouldbe 1
register_test contain "Some world writable files are present"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "No world writable files found"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "No world writable files found"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
}

9
tests/hardening/6.1.11_find_unowned_files.sh
View File

@ -1,6 +1,15 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Running void to generate the conf file that will later be edited
# shellcheck disable=2154
/opt/debian-cis/bin/hardening/"${script}".sh || true
# shellcheck disable=2016
echo 'EXCLUDED="$EXCLUDED ^/home/secaudit/6.1.11/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
mkdir /home/secaudit/6.1.11/
touch /home/secaudit/6.1.11/test
chown 1200 /home/secaudit/6.1.11/test
describe Running on blank host
register_test retvalshouldbe 0
register_test contain "No unowned files found"

9
tests/hardening/6.1.12_find_ungrouped_files.sh
View File

@ -1,6 +1,15 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Running void to generate the conf file that will later be edited
# shellcheck disable=2154
/opt/debian-cis/bin/hardening/"${script}".sh || true
# shellcheck disable=2016
echo 'EXCLUDED="$EXCLUDED ^/home/secaudit/6.1.12/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
mkdir /home/secaudit/6.1.12/
touch /home/secaudit/6.1.12/test
chown 1200:1200 /home/secaudit/6.1.12/test
describe Running on blank host
register_test retvalshouldbe 0
register_test contain "No ungrouped files found"

8
tests/hardening/99.5.4.5.2_acc_shadow_sha512.sh
View File

@ -29,4 +29,12 @@ EOF
register_test retvalshouldbe 0
register_test contain "User secaudit has suitable SHA512 hashed password"
run sha512pass /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
chpasswd -c SHA512 -s 1000 <<EOF
secaudit:mypassword
EOF
describe Pass: Found properly hashed password with custom round number
register_test retvalshouldbe 0
register_test contain "User secaudit has suitable SHA512 hashed password"
run sha512pass /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

16
tests/launch_tests.sh
View File

@ -131,12 +131,12 @@ play_consistency_tests() {
fi
}
# Actually runs one signel audit script
# Actually runs one single audit script
_run() {
usecase_name=$1
shift
printf "\033[34m*** [%03d] %s \033[0m(%s)\n" "$testno" "$usecase_name" "$*"
bash -c "$*" >"$outdir/$usecase_name.log" && true
bash -c "$*" >"$outdir/$usecase_name.log" 2>"$outdir/${usecase_name}_err.log" && true
echo $? >"$outdir/$usecase_name.retval"
ret=$(<"$outdir"/"$usecase_name".retval)
get_stdout
@ -188,15 +188,25 @@ for test_file in $tests_list; do
echo ""
done
stderrunexpected=""
for file in "$outdir"/*_err.log; do
if [ -s "$file" ]; then
stderrunexpected="$stderrunexpected $(basename "$file")"
fi
done
printf "\033[1;36m###\n### %s \033[0m\n" "Test report"
if [ $((nbfailedret + nbfailedgrep + nbfailedconsist)) -eq 0 ]; then
if [ $((nbfailedret + nbfailedgrep + nbfailedconsist)) -eq 0 ] && [ -z "$stderrunexpected" ]; then
echo -e "\033[42m\033[30mAll tests succeeded :)\033[0m"
echo -e "\033[42m\033[30mStderr is empty :)\033[0m"
else
(
echo -e "\033[41mOne or more tests failed :(\033[0m"
echo -e "- $nbfailedret unexpected return values ${listfailedret}"
echo -e "- $nbfailedgrep unexpected text values $listfailedgrep"
echo -e "- $nbfailedconsist root/sudo consistency $listfailedconsist"
echo -e "- stderr detected on $stderrunexpected"
) | tee "$outdir"/summary
fi
echo