elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2025-07-16 22:02:17 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: elie:v3.1-5
Branches Tags
elie:master elie:damcava35/deb12_scripts_2 elie:damcava35/update_lib elie:damcava35/new_scripts elie:damcava35/issue_249 elie:damcava35/drop_debian10 elie:damcava35/is_ip_v6_enabled elie:damcava35/issue_195 elie:damcava35/fix_only elie:damcava35/fix_packaging elie:damcava35/set_version elie:damcava35/test_pre_commit elie:dev/thibault.dewailly/deb12 elie:dependabot/github_actions/luizm/action-sh-checker-0.9.0 elie:dev/thibault.dewailly/set_hardening_level elie:dev/thibault.dewailly/syslogng_remotecheck
elie:latest elie:v4.1-5 elie:v4.1-4 elie:v4.1-3 elie:v4.1-2 elie:v4.1-1 elie:v4.0-1 elie:v3.8-1 elie:v3.7-1 elie:v3.6-1 elie:v3.5-1 elie:v3.4-1 elie:v3.3-1 elie:v3.2-2 elie:v3.2-1 elie:v3.2-0 elie:v3.1-6 elie:v3.1-5 elie:v3.1-4 elie:v3.1-3 elie:v3.1-2 elie:v3.1-1 elie:v3.1-0 elie:v3.0-1 elie:v3.0 elie:v2.1-6 elie:v2.1-5 elie:v2.1-4 elie:v2.1-3 elie:v2.1-2 elie:v2.1-1 elie:v2.0-6 elie:v2.0-5 elie:v2.0-4 elie:v1.3-4 elie:v1.3-3 elie:v1.3-2 elie:v1.3 elie:v1.2-1 elie:v1.1-1
..
compare: elie:v4.0-1
Branches Tags
elie:damcava35/deb12_scripts_2 elie:damcava35/update_lib elie:damcava35/new_scripts elie:master elie:damcava35/issue_249 elie:damcava35/drop_debian10 elie:damcava35/is_ip_v6_enabled elie:damcava35/issue_195 elie:damcava35/fix_only elie:damcava35/fix_packaging elie:damcava35/set_version elie:damcava35/test_pre_commit elie:dev/thibault.dewailly/deb12 elie:dependabot/github_actions/luizm/action-sh-checker-0.9.0 elie:dev/thibault.dewailly/set_hardening_level elie:dev/thibault.dewailly/syslogng_remotecheck
elie:latest elie:v4.1-5 elie:v4.1-4 elie:v4.1-3 elie:v4.1-2 elie:v4.1-1 elie:v4.0-1 elie:v3.8-1 elie:v3.7-1 elie:v3.6-1 elie:v3.5-1 elie:v3.4-1 elie:v3.3-1 elie:v3.2-2 elie:v3.2-1 elie:v3.2-0 elie:v3.1-6 elie:v3.1-5 elie:v3.1-4 elie:v3.1-3 elie:v3.1-2 elie:v3.1-1 elie:v3.1-0 elie:v3.0-1 elie:v3.0 elie:v2.1-6 elie:v2.1-5 elie:v2.1-4 elie:v2.1-3 elie:v2.1-2 elie:v2.1-1 elie:v2.0-6 elie:v2.0-5 elie:v2.0-4 elie:v1.3-4 elie:v1.3-3 elie:v1.3-2 elie:v1.3 elie:v1.2-1 elie:v1.1-1

56 Commits
v3.1-5 ... v4.0-1

Author SHA1 Message Date
thibault.dewailly
bc98bedf73 bump to 4.0-1 2023-07-10 07:21:13 +00:00
Stéphane Lesimple
873ef8827d fix: 99.1.3_acc_sudoers_no_all: fix a race condition (#186) 
On systems where /etc/sudoers.d might be updated often by some automated means, this
check might raise a critical when a previously present file (during the ls) is no longer
present (during its attempted read), so before raising a critical, re-check that it
does exists first.
 2023-07-03 17:05:45 +02:00
GoldenKiwi
bd27cd0dae fix: change auditd file rule remediation (#179) 
Fixes #165
 2023-05-05 12:32:22 +02:00
GoldenKiwi
f28ffc244c fix: correct debian package compression override (#181) 2023-05-02 18:06:59 +02:00
GoldenKiwi
19ce790a27 fix: ensure mountpoints are properly detected (#177) 
Fixes #155
When real entries are present in fstab, system startup or runtime mountpoints are now properly detected
Add a supplementary check in case of partition not present in fstab
 2023-05-02 18:01:53 +02:00
GoldenKiwi
47cf86237b fix: correct search in 5.4.5_default_timeout in apply mode (#178) 
fixes #116
 2023-05-02 17:57:35 +02:00
GoldenKiwi
ccd9c1a7aa fix: force xz compression during .deb build (#180) 
zst compression is only available on Debian 12, since the release is built on Ubuntu latest, this was breaking release.
Fixes #175
 2023-05-02 15:24:32 +02:00
GoldenKiwi
04457e7df2 feat: official Debian 11 compatibility (#176) 
Introduce Debian 11 compatibility
Based on CIS_Debian_Linux_11_Benchmark_v1.0.0

After review, here are the notable changes :
 - Harden /var/log more (noexec,nodev,nosuid)
 - Harden /var/log/audit more (noexec,nodev,nosuid)
 - Harden /home more (nosuid)
 - Disable cramfs
 - Fix 5.3.4_acc_pam_sha512.sh
 - Deprecate Debian 9 and remove useless docker images

NB : more audit log rules have been introduced and will be inserted in the checks later
Fix #158
 2023-05-02 14:16:19 +02:00
dependabot[bot]
05521d5961 Bump luizm/action-sh-checker from 0.5.0 to 0.7.0 (#171) 
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.5.0 to 0.7.0.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.5.0...v0.7.0)

---
updated-dependencies:
- dependency-name: luizm/action-sh-checker
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-04-26 10:20:11 +02:00
thibault.dewailly
06525f06f9 bump to 3.8-1 2023-03-23 10:03:37 +00:00
dependabot[bot]
d5c1c63971 Bump luizm/action-sh-checker from 0.4.0 to 0.5.0 (#161) 
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.4.0 to 0.5.0.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.4.0...v0.5.0)

---
updated-dependencies:
- dependency-name: luizm/action-sh-checker
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2023-03-23 10:56:12 +01:00
dependabot[bot]
7d93ddeb86 Bump metcalfc/changelog-generator from 3.0.0 to 4.1.0 (#169) 
Bumps [metcalfc/changelog-generator](https://github.com/metcalfc/changelog-generator) from 3.0.0 to 4.1.0.
- [Release notes](https://github.com/metcalfc/changelog-generator/releases)
- [Changelog](https://github.com/metcalfc/changelog-generator/blob/main/release-notes.png)
- [Commits](https://github.com/metcalfc/changelog-generator/compare/v3.0.0...v4.1.0)

---
updated-dependencies:
- dependency-name: metcalfc/changelog-generator
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2023-03-23 10:50:46 +01:00
dependabot[bot]
a35ecab377 Bump dev-drprasad/delete-tag-and-release from 0.2.0 to 0.2.1 (#170) 
Bumps [dev-drprasad/delete-tag-and-release](https://github.com/dev-drprasad/delete-tag-and-release) from 0.2.0 to 0.2.1.
- [Release notes](https://github.com/dev-drprasad/delete-tag-and-release/releases)
- [Commits](https://github.com/dev-drprasad/delete-tag-and-release/compare/v0.2.0...v0.2.1)

---
updated-dependencies:
- dependency-name: dev-drprasad/delete-tag-and-release
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-03-23 10:47:09 +01:00
Stéphane Lesimple
dc952b90df fix: timeout of 99.1.3 (#168) 
The 99.1.3_acc_sudoers_no_all.sh script can sometimes timeout
on servers where /etc/sudoers.d/ has thousands of files.
This patch makes it run roughly 5x faster, as tested on a
server with 1500 files in sudoers.d/.

Closes #167.

Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>

Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>
 2022-12-22 09:47:35 +01:00
Tarik Megzari
82a217032d fix(6.2.9): Start from UID 1000 for home ownership check (#164) 
Rename 6.2.3 and 6.2.9 checks to be more accurate
Remove home existence check from 6.2.9 as it's handled by 6.2.3
Update tests accordingly
Fixes #163

Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
 2022-09-30 10:28:48 +02:00
ymartin-ovh
e478a89bad bump to 3.7-1 (#160) 2022-07-04 15:37:08 +02:00
ymartin-ovh
371c23cd52 feat: add FIND_IGNORE_NOSUCHFILE_ERR flag (#159) 
This flag can be used to prevent find-related checks to fail because one part of filesystem disappear (ie. ephemeral directories or files)
 2022-07-04 14:29:25 +02:00
Tarik Megzari
ea8334d516 bump to 3.6-1 (#157) 
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
 2022-06-27 12:13:01 +02:00
dependabot[bot]
987bb9c975 Bump luizm/action-sh-checker from 0.3.0 to 0.4.0 (#154) 
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.3.0 to 0.4.0.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.3.0...v0.4.0)

---
updated-dependencies:
- dependency-name: luizm/action-sh-checker
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-06-26 16:58:46 +02:00
dependabot[bot]
3031bb55d1 Bump actions-ecosystem/action-get-latest-tag from 1.5.0 to 1.6.0 (#153) 
Bumps [actions-ecosystem/action-get-latest-tag](https://github.com/actions-ecosystem/action-get-latest-tag) from 1.5.0 to 1.6.0.
- [Release notes](https://github.com/actions-ecosystem/action-get-latest-tag/releases)
- [Commits](https://github.com/actions-ecosystem/action-get-latest-tag/compare/v1.5.0...v1.6.0)

---
updated-dependencies:
- dependency-name: actions-ecosystem/action-get-latest-tag
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
 2022-06-24 17:55:26 +02:00
ymartin-ovh
66ccc6316a feat: Filter the filesystem to check when the list is built. (#156) 
* feat: Attempt to filter-out filesystem that match exclusion regex.
 2022-06-24 17:45:47 +02:00
Tarik Megzari
7a3145d7f1 bump to 3.5-1 (#152) 
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
 2022-03-23 18:40:25 +01:00
GoldenKiwi
5c072668d5 fix: add 10s wait timeout on iptables command (#151) 
When the tested server has its iptables heavily manipulated (e.g Kubernetes)
The lock aquirement can sometimes fail, hence generating false positives
The command will retry 10 times with a 1 second interval
 2022-03-23 16:56:38 +01:00
GoldenKiwi
d1bd1eb2e7 bump to 3.4-1 (#150) 2022-03-18 16:49:25 +01:00
GoldenKiwi
ad5c71c3ce fix: allow passwd-, group- and shadow- debian default permissions (#149) 2022-03-18 16:41:49 +01:00
dependabot[bot]
33964c0a3d Bump EndBug/add-and-commit from 8.0.2 to 9 (#148) 
Bumps [EndBug/add-and-commit](https://github.com/EndBug/add-and-commit) from 8.0.2 to 9.
- [Release notes](https://github.com/EndBug/add-and-commit/releases)
- [Changelog](https://github.com/EndBug/add-and-commit/blob/main/CHANGELOG.md)
- [Commits](https://github.com/EndBug/add-and-commit/compare/v8.0.2...v9)

---
updated-dependencies:
- dependency-name: EndBug/add-and-commit
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-03-14 15:36:48 +01:00
Tarik Megzari
8320d0eecc CI: Fix release action (#147) 
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
 2022-03-03 12:02:12 +01:00
Tarik Megzari
a0d33ab158 Update changelog for release 3.3-1 (#146) 
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
 2022-03-03 10:26:42 +01:00
Jan Schmidle
a6a22084e1 missing shadowtools backup files is ok (#132) 
* missing shadowtools backup files is ok

* update corresponding test cases
 2022-03-02 18:05:37 +01:00
Tarik Megzari
b962155a3c fix: Avoid find failures on too many files (#144) 
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2022-03-02 17:49:28 +01:00
dependabot[bot]
20bf51f65b Bump actions/checkout from 2 to 3 (#145) 
Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-03-02 00:14:50 +01:00
dependabot[bot]
adfe28470a Bump metcalfc/changelog-generator from 1.0.0 to 3.0.0 (#133) 
Bumps [metcalfc/changelog-generator](https://github.com/metcalfc/changelog-generator) from 1.0.0 to 3.0.0.
- [Release notes](https://github.com/metcalfc/changelog-generator/releases)
- [Changelog](https://github.com/metcalfc/changelog-generator/blob/main/release-notes.png)
- [Commits](https://github.com/metcalfc/changelog-generator/compare/v1.0.0...v3.0.0)

---
updated-dependencies:
- dependency-name: metcalfc/changelog-generator
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-03-01 23:48:57 +01:00
dependabot[bot]
c94ee10afe Bump EndBug/add-and-commit from 7 to 8.0.2 (#142) 
Bumps [EndBug/add-and-commit](https://github.com/EndBug/add-and-commit) from 7 to 8.0.2.
- [Release notes](https://github.com/EndBug/add-and-commit/releases)
- [Changelog](https://github.com/EndBug/add-and-commit/blob/main/CHANGELOG.md)
- [Commits](https://github.com/EndBug/add-and-commit/compare/v7...v8.0.2)

---
updated-dependencies:
- dependency-name: EndBug/add-and-commit
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-03-01 20:39:39 +01:00
dependabot[bot]
453a72b8c8 Bump actions-ecosystem/action-get-latest-tag from 1.4.1 to 1.5.0 (#143) 
Bumps [actions-ecosystem/action-get-latest-tag](https://github.com/actions-ecosystem/action-get-latest-tag) from 1.4.1 to 1.5.0.
- [Release notes](https://github.com/actions-ecosystem/action-get-latest-tag/releases)
- [Commits](https://github.com/actions-ecosystem/action-get-latest-tag/compare/v1.4.1...v1.5.0)

---
updated-dependencies:
- dependency-name: actions-ecosystem/action-get-latest-tag
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-03-01 20:28:33 +01:00
Tarik Megzari
bb03764918 fix: Catch unexpected failures (#140) 
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
 2022-01-31 15:38:38 +01:00
Tarik Megzari
17d272420a feat: Dissociate iptables pkg name from command (#137) 
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
 2021-12-27 15:40:55 +01:00
Tarik Megzari
f1c1517bd2 Update changelog for release 3.2-2 (#135) 
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
 2021-12-13 16:06:57 +01:00
tdenof
1341622335 Fix empty fstab test (#134) 
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Co-authored-by: Thibault Dewailly <thibault.dewailly@corp.ovh.com>
 2021-12-08 08:42:22 +01:00
thibault.dewailly
c8fcfed248 Update changelog for release 3.2-1 2021-12-01 11:04:56 +00:00
Sebastien BLAISOT
97914976c8 Skip NTP and Chrony config check if they are not installed (#120) 
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-12-01 10:49:08 +01:00
Sebastien BLAISOT
66c8ccf495 Fix 3.4.2 audit rule (#123) 
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-12-01 10:23:11 +01:00
Sebastien BLAISOT
b53bf1795c Fix grub detection (#119) 
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-12-01 08:58:32 +01:00
Sebastien BLAISOT
1a874b2b35 Allow grub.cfg permission to be 600 (#121) 
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-11-30 18:47:19 +01:00
Sebastien BLAISOT
7266ec7cb4 Honor --set-log-level parameter (#127) 
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-11-30 18:42:33 +01:00
Jan Schmidle
8f855ac159 fix: kernel module detection (#129) 
* fix: add filter to hfs

* fix is_kernel_option_enabled check

as the module in question could have dependencies which have been blacklisted as well we need to make sure that the comparison only checks for the module in question - the last line in the output.

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-10-20 14:51:29 +02:00
Sebastien BLAISOT
ad192c9457 Add silent mode and json summary (#128) 
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2021-10-20 13:22:59 +02:00
Sebastien BLAISOT
3d2d97a727 FIX(1.7.1.4): don't abort script in case of unconfined processes (#130) 2021-10-20 13:14:36 +02:00
Sebastien BLAISOT
6e2fb1570c FIX(2.2.1.4): Validate debian default ntp config (#118) 2021-10-15 16:19:51 +02:00
dependabot[bot]
faf5b155e5 Bump metcalfc/changelog-generator from v0.4.4 to v1.0.0 (#81) 
Bumps [metcalfc/changelog-generator](https://github.com/metcalfc/changelog-generator) from v0.4.4 to v1.0.0.
- [Release notes](https://github.com/metcalfc/changelog-generator/releases)
- [Changelog](https://github.com/metcalfc/changelog-generator/blob/main/release-notes.png)
- [Commits](https://github.com/metcalfc/changelog-generator/compare/v0.4.4...e5306b306fa2e34f05258789e0e5c526c1bd4352)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Thibault Ayanides <thibault.ayanides@ovhcloud.com>
 2021-08-10 13:57:13 +02:00
dependabot[bot]
43887d4165 Bump luizm/action-sh-checker from 0.1.13 to 0.3.0 (#111) 
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.1.13 to 0.3.0.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.1.13...v0.3.0)

---
updated-dependencies:
- dependency-name: luizm/action-sh-checker
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2021-08-10 13:47:31 +02:00
dependabot[bot]
499ebf2f9b Bump dev-drprasad/delete-tag-and-release from v0.1.3 to v0.2.0 (#72) 
Bumps [dev-drprasad/delete-tag-and-release](https://github.com/dev-drprasad/delete-tag-and-release) from v0.1.3 to v0.2.0.
- [Release notes](https://github.com/dev-drprasad/delete-tag-and-release/releases)
- [Commits](https://github.com/dev-drprasad/delete-tag-and-release/compare/v0.1.3...085c6969f18bad0de1b9f3fe6692a3cd01f64fe5)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Thibault Ayanides <thibault.ayanides@ovhcloud.com>
 2021-08-10 10:39:53 +02:00
Thibault Ayanides
afed5a9dce 99.5.4.5.2: fix bug where sha512 option rounds provoke KO (#112) 2021-08-10 10:30:35 +02:00
dependabot[bot]
01c3d1b98c Bump luizm/action-sh-checker from v0.1.12 to v0.1.13 (#73) 
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from v0.1.12 to v0.1.13.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.1.12...164368daf52a9126460854f9c0de00abc079a350)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Thibault Ayanides <thibault.ayanides@ovhcloud.com>
 2021-08-10 09:43:59 +02:00
dependabot[bot]
25e899168f Bump actions-ecosystem/action-get-latest-tag from 1 to 1.4.1 (#101) 
Bumps [actions-ecosystem/action-get-latest-tag](https://github.com/actions-ecosystem/action-get-latest-tag) from 1 to 1.4.1.
- [Release notes](https://github.com/actions-ecosystem/action-get-latest-tag/releases)
- [Commits](https://github.com/actions-ecosystem/action-get-latest-tag/compare/v1...v1.4.1)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Thibault Ayanides <thibault.ayanides@ovhcloud.com>
 2021-08-10 09:36:28 +02:00
Thibault Ayanides
9a2e3a0e0d Fix 5.4.5 pattern search (#108) 
fix #107
 2021-08-09 10:49:56 +02:00
Thibault Ayanides
334d743125 fix EXCEPTIONS management (#104) 
* FIX(1.1.21, 6.1.10) fix EXCEPTIONS management
* Update changelog
* Refactor test for 6.1.10-14
 2021-06-02 13:47:19 +02:00
112 changed files with 2492 additions and 701 deletions
Expand all files Collapse all files

4
.github/workflows/compile-manual.yml vendored
View File

@ -7,10 +7,10 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout repo - name: Checkout repo
uses: actions/checkout@v2 uses: actions/checkout@v3
- name: Produce debian man - name: Produce debian man
run: 'docker run --rm --volume "`pwd`:/data" --user `id -u`:`id -g` pandoc/latex:2.6 MANUAL.md -s -t man > debian/cis-hardening.8' run: 'docker run --rm --volume "`pwd`:/data" --user `id -u`:`id -g` pandoc/latex:2.6 MANUAL.md -s -t man > debian/cis-hardening.8'
- uses: EndBug/add-and-commit@v7 - uses: EndBug/add-and-commit@v9
with: with:
add: 'debian/cis-hardening.8' add: 'debian/cis-hardening.8'
message: 'Regenerate man pages (Github action)' message: 'Regenerate man pages (Github action)'

11
.github/workflows/functionnal-tests.yml vendored
View File

@ -4,24 +4,17 @@ on:
- pull_request - pull_request
- push - push
jobs: jobs:
functionnal-tests-docker-debian9:
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@v2
- name: Run the tests debian9
run: ./tests/docker_build_and_run_tests.sh debian9
functionnal-tests-docker-debian10: functionnal-tests-docker-debian10:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout repo - name: Checkout repo
uses: actions/checkout@v2 uses: actions/checkout@v3
- name: Run the tests debian10 - name: Run the tests debian10
run: ./tests/docker_build_and_run_tests.sh debian10 run: ./tests/docker_build_and_run_tests.sh debian10
functionnal-tests-docker-debian11: functionnal-tests-docker-debian11:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout repo - name: Checkout repo
uses: actions/checkout@v2 uses: actions/checkout@v3
- name: Run the tests debian11 - name: Run the tests debian11
run: ./tests/docker_build_and_run_tests.sh debian11 run: ./tests/docker_build_and_run_tests.sh debian11

8
.github/workflows/pre-release.yml vendored
View File

@ -11,7 +11,7 @@ jobs:
steps: steps:
# CHECKOUT CODE # CHECKOUT CODE
- name: Checkout code - name: Checkout code
uses: actions/checkout@v2 uses: actions/checkout@v3
# BUILD THE .DEB PACKAGE # BUILD THE .DEB PACKAGE
- name: Build - name: Build
run: | run: |
@ -21,7 +21,7 @@ jobs:
find ../ -name "*.deb" -exec mv {} cis-hardening.deb \; find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
# DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
- name: Delete the tag latest and the release latest - name: Delete the tag latest and the release latest
uses: dev-drprasad/delete-tag-and-release@v0.1.3 uses: dev-drprasad/delete-tag-and-release@v0.2.1
with: with:
delete_release: true delete_release: true
tag_name: latest tag_name: latest
@ -29,12 +29,12 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# GET LATEST VERSION TAG # GET LATEST VERSION TAG
- name: Get latest version tag - name: Get latest version tag
uses: actions-ecosystem/action-get-latest-tag@v1 uses: actions-ecosystem/action-get-latest-tag@v1.6.0
id: get-latest-tag id: get-latest-tag
# GENERATE CHANGELOG CORRESPONDING TO COMMIT BETWEEN HEAD AND COMPUTED LAST TAG # GENERATE CHANGELOG CORRESPONDING TO COMMIT BETWEEN HEAD AND COMPUTED LAST TAG
- name: Generate changelog - name: Generate changelog
id: changelog id: changelog
uses: metcalfc/changelog-generator@v0.4.4 uses: metcalfc/changelog-generator@v4.1.0
with: with:
myToken: ${{ secrets.GITHUB_TOKEN }} myToken: ${{ secrets.GITHUB_TOKEN }}
head-ref: ${{ github.sha }} head-ref: ${{ github.sha }}

6
.github/workflows/shellcheck_and_shellfmt.yml vendored
View File

@ -8,9 +8,9 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout repo - name: Checkout repo
uses: actions/checkout@v2 uses: actions/checkout@v3
- name: Run the sh-checker - name: Run the sh-checker
uses: luizm/action-sh-checker@v0.1.12 uses: luizm/action-sh-checker@v0.7.0
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Optional if sh_checker_comment is false. GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Optional if sh_checker_comment is false.
SHFMT_OPTS: -l -i 4 -w # Optional: pass arguments to shfmt. SHFMT_OPTS: -l -i 4 -w # Optional: pass arguments to shfmt.
@ -24,6 +24,6 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout repo - name: Checkout repo
uses: actions/checkout@v2 uses: actions/checkout@v3
- name: Run shellcheck - name: Run shellcheck
run: ./shellcheck/docker_build_and_run_shellcheck.sh run: ./shellcheck/docker_build_and_run_shellcheck.sh

6
.github/workflows/tagged-release.yml vendored
View File

@ -7,8 +7,6 @@ on:
jobs: jobs:
build: build:
name: Create Release name: Create Release
# only runs on master
if: github.event.base_ref == 'refs/heads/master'
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
# GET VERSION TAG # GET VERSION TAG
@ -17,7 +15,7 @@ jobs:
run: echo ::set-output name=tag::${GITHUB_REF#refs/*/} run: echo ::set-output name=tag::${GITHUB_REF#refs/*/}
# CHECKOUT CODE # CHECKOUT CODE
- name: Checkout code - name: Checkout code
uses: actions/checkout@v2 uses: actions/checkout@v3
with: with:
ref: ${{ steps.vars.outputs.tag }} ref: ${{ steps.vars.outputs.tag }}
# GENERATE CHANGELOG CORRESPONDING TO ENTRY IN DEBIAN/CHANGELOG # GENERATE CHANGELOG CORRESPONDING TO ENTRY IN DEBIAN/CHANGELOG
@ -35,7 +33,7 @@ jobs:
find ../ -name "*.deb" -exec mv {} cis-hardening.deb \; find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
# DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
- name: Delete the tag latest and the release latest - name: Delete the tag latest and the release latest
uses: dev-drprasad/delete-tag-and-release@v0.1.3 uses: dev-drprasad/delete-tag-and-release@v0.2.1
with: with:
delete_release: true delete_release: true
tag_name: latest tag_name: latest

9
README.md
View File

@ -1,7 +1,4 @@
# :lock: CIS Debian 9/10 Hardening # :lock: CIS Debian 10/11 Hardening
:tada: **News**: this project is back in the game and is from now on maintained. Be free to use and to
report issues if you find any!
<p align="center"> <p align="center">
@ -16,7 +13,7 @@ report issues if you find any!
![License](https://img.shields.io/github/license/ovh/debian-cis) ![License](https://img.shields.io/github/license/ovh/debian-cis)
--- ---
Modular Debian 9/10 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org) Modular Debian 10/11 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
recommendations. We use it at [OVHcloud](https://www.ovhcloud.com) to harden our PCI-DSS infrastructure. recommendations. We use it at [OVHcloud](https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
```console ```console
@ -172,7 +169,7 @@ Functional tests are available. They are to be run in a Docker environment.
$ ./tests/docker_build_and_run_tests.sh <target> [name of test script...] $ ./tests/docker_build_and_run_tests.sh <target> [name of test script...]
``` ```
With `target` being like `debian9` or `debian10`. With `target` being like `debian10` or `debian11`.
Running without script arguments will run all tests in `./tests/hardening/` directory. Running without script arguments will run all tests in `./tests/hardening/` directory.
Or you can specify one or several test script to be run. Or you can specify one or several test script to be run.

33
bin/hardening.sh
View File

@ -26,6 +26,7 @@ ALLOW_SERVICE_LIST=0
SET_HARDENING_LEVEL=0 SET_HARDENING_LEVEL=0
SUDO_MODE='' SUDO_MODE=''
BATCH_MODE='' BATCH_MODE=''
SUMMARY_JSON=''
ASK_LOGLEVEL='' ASK_LOGLEVEL=''
ALLOW_UNSUPPORTED_DISTRIBUTION=0 ALLOW_UNSUPPORTED_DISTRIBUTION=0
@ -101,9 +102,13 @@ OPTIONS:
Finally note that '--sudo' mode only works for audit mode. Finally note that '--sudo' mode only works for audit mode.
--set-log-level <level> --set-log-level <level>
This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug. This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug or silent.
Default value is : info Default value is : info
--summary-json
While performing system audit, this option sets LOGLEVEL to silent and
only output a json summary at the end
--batch --batch
While performing system audit, this option sets LOGLEVEL to 'ok' and While performing system audit, this option sets LOGLEVEL to 'ok' and
captures all output to print only one line once the check is done, formatted like : captures all output to print only one line once the check is done, formatted like :
@ -165,6 +170,10 @@ while [[ $# -gt 0 ]]; do
--sudo) --sudo)
SUDO_MODE='--sudo' SUDO_MODE='--sudo'
;; ;;
--summary-json)
SUMMARY_JSON='--summary-json'
ASK_LOGLEVEL=silent
;;
--batch) --batch)
BATCH_MODE='--batch' BATCH_MODE='--batch'
ASK_LOGLEVEL=ok ASK_LOGLEVEL=ok
@ -299,19 +308,19 @@ for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
info "Treating $SCRIPT" info "Treating $SCRIPT"
if [ "$CREATE_CONFIG" = 1 ]; then if [ "$CREATE_CONFIG" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only" debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only"
"$SCRIPT" --create-config-files-only "$BATCH_MODE" LOGLEVEL=$LOGLEVEL "$SCRIPT" --create-config-files-only "$BATCH_MODE"
elif [ "$AUDIT" = 1 ]; then elif [ "$AUDIT" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE" debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
"$SCRIPT" --audit "$SUDO_MODE" "$BATCH_MODE" LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit "$SUDO_MODE" "$BATCH_MODE"
elif [ "$AUDIT_ALL" = 1 ]; then elif [ "$AUDIT_ALL" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE" debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
"$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE" LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
elif [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then elif [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE" debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
"$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE" LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
elif [ "$APPLY" = 1 ]; then elif [ "$APPLY" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT" debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
"$SCRIPT" LOGLEVEL=$LOGLEVEL "$SCRIPT"
fi fi
SCRIPT_EXITCODE=$? SCRIPT_EXITCODE=$?
@ -355,6 +364,18 @@ if [ "$BATCH_MODE" ]; then
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0 BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
fi fi
becho "$BATCH_SUMMARY" becho "$BATCH_SUMMARY"
elif [ "$SUMMARY_JSON" ]; then
if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
CONFORMITY_PERCENTAGE=$(div $((PASSED_CHECKS * 100)) $TOTAL_TREATED_CHECKS)
else
CONFORMITY_PERCENTAGE=0 # No check runned, avoid division by 0
fi
printf '{'
printf '"available_checks": %s, ' "$TOTAL_CHECKS"
printf '"run_checks": %s, ' "$TOTAL_TREATED_CHECKS"
printf '"passed_checks": %s, ' "$PASSED_CHECKS"
printf '"conformity_percentage": %s' "$CONFORMITY_PERCENTAGE"
printf '}\n'
else else
printf "%40s\n" "################### SUMMARY ###################" printf "%40s\n" "################### SUMMARY ###################"
printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS" printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"

4
bin/hardening/1.1.1.3_disable_hfs.sh
View File

@ -26,7 +26,7 @@ audit() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!" ok "Container detected, consider host enforcing or disable this check!"
else else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!" crit "$MODULE_NAME is enabled!"
else else
@ -41,7 +41,7 @@ apply() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!" ok "Container detected, consider host enforcing!"
else else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)" warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else else

4
bin/hardening/1.1.1.4_disable_hfsplus.sh
View File

@ -26,7 +26,7 @@ audit() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!" ok "Container detected, consider host enforcing or disable this check!"
else else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!" crit "$MODULE_NAME is enabled!"
else else
@ -41,7 +41,7 @@ apply() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!" ok "Container detected, consider host enforcing!"
else else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)" warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else else

76
bin/hardening/1.1.1.8_disable_cramfs.sh Executable file
View File

@ -0,0 +1,76 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.1.1 Ensure Mounting of cramfs filesystems is disabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable mounting of cramfs filesystems."
KERNEL_OPTION="CONFIG_CRAMFS"
MODULE_NAME="cramfs"
# This function will be called if the script status is on enabled / audit mode
audit() {
if [ "$IS_CONTAINER" -eq 1 ]; then
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$IS_CONTAINER" -eq 1 ]; then
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

92
bin/hardening/1.1.11.1_var_log_noexec.sh Executable file
View File

@ -0,0 +1,92 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.11.1 Ensure noexec option set on /var/log partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="/var/log partition with noexec option."
# Quick factoring as many script use the same logic
PARTITION="/var/log"
OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

92
bin/hardening/1.1.11.2_var_log_nosuid.sh Executable file
View File

@ -0,0 +1,92 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.11.2 Ensure nosuid option set on /var/log partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/var/log partition with nosuid option."
# Quick factoring as many script use the same logic
PARTITION="/var/log"
OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

92
bin/hardening/1.1.11.3_var_log_nodev.sh Executable file
View File

@ -0,0 +1,92 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.11.3 ensure nodev option set on /var/log partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/var/log partition with nodev option."
# Quick factoring as many script use the same logic
PARTITION="/var/log"
OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

92
bin/hardening/1.1.12.1_var_log_audit_noexec.sh Executable file
View File

@ -0,0 +1,92 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.12.1 Ensure noexec option set on /var/log/audit partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="/var/log/audit partition with noexec option."
# Quick factoring as many script use the same logic
PARTITION="/var/log/audit"
OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

92
bin/hardening/1.1.12.2_var_log_audit_nosuid.sh Executable file
View File

@ -0,0 +1,92 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.12.2 Ensure nosuid option set on /var/log/audit partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/var/log/audit partition with nosuid option."
# Quick factoring as many script use the same logic
PARTITION="/var/log/audit"
OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

92
bin/hardening/1.1.12.3_var_log_audit_nodev.sh Executable file
View File

@ -0,0 +1,92 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.12.3 Ensure nodev option set on /var/log/audit partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/var/log/audit partition with nodev option."
# Quick factoring as many script use the same logic
PARTITION="/var/log/audit"
OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

92
bin/hardening/1.1.14.1_home_nosuid.sh Executable file
View File

@ -0,0 +1,92 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.14.1 Ensure nosuid option set on /home partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/home partition with nosuid option."
# Quick factoring as many script use the same logic
PARTITION="/home"
OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

64
bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
View File

@ -19,25 +19,30 @@ DESCRIPTION="Set sticky bit on world writable directories to prevent users from
EXCEPTIONS='' EXCEPTIONS=''
# find emits following error if directory or file disappear during
# tree traversal: find: /tmp/xxx: No such file or directory
FIND_IGNORE_NOSUCHFILE_ERR=false
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
info "Checking if setuid is set on world writable Directories" info "Checking if setuid is set on world writable Directories"
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}') if [ -n "$EXCEPTIONS" ]; then
# maybe EXCEPTIONS allow us to filter out some FS
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCEPTIONS")
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=SC2086 # shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null) RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
IFS_BAK=$IFS [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
IFS=$'\n'
for LINE in $RESULT; do
debug "line : $LINE"
if echo "$EXCEPTIONS" | grep -q "$LINE"; then
debug "$LINE is confirmed as an exception"
# shellcheck disable=SC2001
RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
else else
debug "$LINE not found in exceptions" FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
fi fi
done
IFS=$IFS_BAK
if [ -n "$RESULT" ]; then if [ -n "$RESULT" ]; then
crit "Some world writable directories are not on sticky bit mode!" crit "Some world writable directories are not on sticky bit mode!"
# shellcheck disable=SC2001 # shellcheck disable=SC2001
@ -50,42 +55,25 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null) if [ -n "$EXCEPTIONS" ]; then
IFS_BAK=$IFS # shellcheck disable=SC2086
IFS=$'\n' RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCEPTIONS" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex "$EXCEPTIONS" -print 2>/dev/null)
for LINE in $RESULT; do
debug "line : $LINE"
if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then
debug "$ACCOUNT is confirmed as an exception"
# shellcheck disable=SC2001
RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
else else
debug "$ACCOUNT not found in exceptions" RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
fi fi
done
IFS=$IFS_BAK
if [ -n "$RESULT" ]; then if [ -n "$RESULT" ]; then
warn "Setting sticky bit on world writable directories" warn "Setting sticky bit on world writable directories"
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d -perm -0002 2>/dev/null | xargs chmod a+t
else else
ok "All world writable directories have a sticky bit, nothing to apply" ok "All world writable directories have a sticky bit, nothing to apply"
fi fi
} }
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=audit
# Put here your exceptions separated by spaces
EXCEPTIONS=""
EOF
}
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
if [ -z "$EXCEPTIONS" ]; then # No param for this function
EXCEPTIONS="@" :
fi
} }
# Source Root Dir Parameter # Source Root Dir Parameter

92
bin/hardening/1.1.6.1_var_nodev.sh Executable file
View File

@ -0,0 +1,92 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.6.1 Ensure nodev option set for /var Partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/var partition with nodev option."
# Quick factoring as many script use the same logic
PARTITION="/var"
OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

92
bin/hardening/1.1.6.2_var_nosuid.sh Executable file
View File

@ -0,0 +1,92 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.6.2 Ensure nosuid option set for /var Partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/var partition with nosuid option."
# Quick factoring as many script use the same logic
PARTITION="/var"
OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

7
bin/hardening/1.5.1_bootloader_ownership.sh
View File

@ -23,6 +23,7 @@ FILE='/boot/grub/grub.cfg'
USER='root' USER='root'
GROUP='root' GROUP='root'
PERMISSIONS='400' PERMISSIONS='400'
PERMISSIONSOK='400 600'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
@ -33,7 +34,7 @@ audit() {
crit "$FILE ownership was not set to $USER:$GROUP" crit "$FILE ownership was not set to $USER:$GROUP"
fi fi
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
@ -51,7 +52,7 @@ apply() {
chown "$USER":"$GROUP" "$FILE" chown "$USER":"$GROUP" "$FILE"
fi fi
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
@ -63,7 +64,7 @@ apply() {
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
is_pkg_installed "grub-pc" is_pkg_installed "grub-common"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "Grub is not installed, not handling configuration" warn "Grub is not installed, not handling configuration"
exit 2 exit 2

4
bin/hardening/1.5.2_bootloader_password.sh
View File

@ -55,9 +55,9 @@ apply() {
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
is_pkg_installed "grub-pc" is_pkg_installed "grub-common"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "grub-pc is not installed, not handling configuration" warn "Grub is not installed, not handling configuration"
exit 2 exit 2
fi fi
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then

69
bin/hardening/1.6.3.1_disable_apport.sh Executable file
View File

@ -0,0 +1,69 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.6.3.1 Ensure apport is disabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable apport to avoid confidential data leaks."
PACKAGE='apport'
# This function will be called if the script status is on enabled / audit mode
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!"
else
ok "$PACKAGE is absent"
fi
:
}
# This function will be called if the script status is on enabled mode
apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge "$PACKAGE" -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
:
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

2
bin/hardening/1.7.1.2_enable_apparmor.sh
View File

@ -33,7 +33,7 @@ audit() {
done done
if [ "$ERROR" = 0 ]; then if [ "$ERROR" = 0 ]; then
is_pkg_installed "grub-pc" is_pkg_installed "grub-common"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
if [ "$IS_CONTAINER" -eq 1 ]; then if [ "$IS_CONTAINER" -eq 1 ]; then
ok "Grub is not installed in container" ok "Grub is not installed in container"

8
bin/hardening/1.7.1.4_enforcing_apparmor.sh
View File

@ -32,8 +32,8 @@ audit() {
fi fi
done done
if [ "$ERROR" = 0 ]; then if [ "$ERROR" = 0 ]; then
RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined") RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined" || true)
RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode.") RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode." || true)
if [ -n "$RESULT_UNCONFINED" ]; then if [ -n "$RESULT_UNCONFINED" ]; then
ok "No profiles are unconfined" ok "No profiles are unconfined"
@ -61,8 +61,8 @@ apply() {
fi fi
done done
RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined") RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined" || true)
RESULT_COMPLAIN=$(apparmor_status | grep "^0 profiles are in complain mode.") RESULT_COMPLAIN=$(apparmor_status | grep "^0 profiles are in complain mode." || true)
if [ -n "$RESULT_UNCONFINED" ]; then if [ -n "$RESULT_UNCONFINED" ]; then
ok "No profiles are unconfined" ok "No profiles are unconfined"

12
bin/hardening/2.2.1.3_configure_chrony.sh
View File

@ -25,18 +25,12 @@ CONF_FILE='/etc/chrony/chrony.conf'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed, checking configuration"
does_pattern_exist_in_file "$CONF_FILE" "$CONF_DEFAULT_PATTERN" does_pattern_exist_in_file "$CONF_FILE" "$CONF_DEFAULT_PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE" crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE"
else else
ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE" ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE"
fi fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
@ -46,7 +40,11 @@ apply() {
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
warn "$PACKAGE is not installed, not handling configuration"
exit 2
fi
} }
# Source Root Dir Parameter # Source Root Dir Parameter

14
bin/hardening/2.2.1.4_configure_ntp.sh
View File

@ -20,18 +20,13 @@ DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters an
HARDENING_EXCEPTION=ntp HARDENING_EXCEPTION=ntp
PACKAGE='ntp' PACKAGE='ntp'
NTP_CONF_DEFAULT_PATTERN='^restrict -4 default (kod nomodify notrap nopeer noquery|ignore)' NTP_CONF_DEFAULT_PATTERN='^restrict -4 default (kod nomodify notrap nopeer noquery|kod notrap nomodify nopeer noquery|ignore)'
NTP_CONF_FILE='/etc/ntp.conf' NTP_CONF_FILE='/etc/ntp.conf'
NTP_INIT_PATTERN='RUNASUSER=ntp' NTP_INIT_PATTERN='RUNASUSER=ntp'
NTP_INIT_FILE='/etc/init.d/ntp' NTP_INIT_FILE='/etc/init.d/ntp'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed, checking configuration"
does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN" does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE" crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
@ -44,7 +39,6 @@ audit() {
else else
ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE" ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
fi fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
@ -77,7 +71,11 @@ apply() {
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
warn "$PACKAGE is not installed, not handling configuration"
exit 2
fi
} }
# Source Root Dir Parameter # Source Root Dir Parameter

2
bin/hardening/3.4.2_disable_sctp.sh
View File

@ -28,7 +28,7 @@ audit() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!" ok "Container detected, consider host enforcing or disable this check!"
else else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!" crit "$MODULE_NAME is enabled!"
else else

6
bin/hardening/3.5.4.1.1_net_fw_default_policy_drop.sh
View File

@ -20,6 +20,8 @@ DESCRIPTION="Check iptables firewall default policy for DROP on INPUT and FORWAR
PACKAGE="iptables" PACKAGE="iptables"
FW_CHAINS="INPUT FORWARD" FW_CHAINS="INPUT FORWARD"
FW_POLICY="DROP" FW_POLICY="DROP"
FW_CMD="iptables"
FW_TIMEOUT="10"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
@ -27,9 +29,9 @@ audit() {
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!" crit "$PACKAGE is not installed!"
else else
ipt=$($SUDO_CMD "$PACKAGE" -nL 2>/dev/null || true) ipt=$($SUDO_CMD "$FW_CMD" -w "$FW_TIMEOUT" -nL 2>/dev/null || true)
if [[ -z "$ipt" ]]; then if [[ -z "$ipt" ]]; then
crit "Empty return from $PACKAGE command. Aborting..." crit "Empty return from $FW_CMD command. Aborting..."
return return
fi fi
for chain in $FW_CHAINS; do for chain in $FW_CHAINS; do

45
bin/hardening/4.1.10_record_failed_access_file.sh
View File

@ -21,7 +21,8 @@ AUDIT_PARAMS='-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
FILE='/etc/audit/audit.rules' FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
@ -30,14 +31,21 @@ audit() {
c_IFS=$'\n' c_IFS=$'\n'
IFS=$c_IFS IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi fi
done done
IFS=$d_IFS IFS=$d_IFS
@ -45,18 +53,31 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
IFS=$'\n' # define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi fi
done done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
fi
done
IFS=$d_IFS
} }
# This function will check config parameters required # This function will check config parameters required

47
bin/hardening/4.1.11_record_privileged_commands.sh
View File

@ -19,9 +19,10 @@ DESCRIPTION="Collect use of privileged commands."
SUDO_CMD='sudo -n' SUDO_CMD='sudo -n'
# Find all files with setuid or setgid set # Find all files with setuid or setgid set
AUDIT_PARAMS=$($SUDO_CMD find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | AUDIT_PARAMS=$($SUDO_CMD find / -xdev -ignore_readdir_race \( -perm -4000 -o -perm -2000 \) -type f |
awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }') awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }')
FILE='/etc/audit/audit.rules' FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
@ -30,14 +31,21 @@ audit() {
c_IFS=$'\n' c_IFS=$'\n'
IFS=$c_IFS IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi fi
done done
IFS=$d_IFS IFS=$d_IFS
@ -45,18 +53,31 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
IFS=$'\n' # define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi fi
done done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
fi
done
IFS=$d_IFS
} }
# This function will check config parameters required # This function will check config parameters required

45
bin/hardening/4.1.12_record_successful_mount.sh
View File

@ -19,7 +19,8 @@ DESCRIPTION="Collect sucessfull file system mounts."
AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts' -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
FILE='/etc/audit/audit.rules' FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
@ -28,14 +29,21 @@ audit() {
c_IFS=$'\n' c_IFS=$'\n'
IFS=$c_IFS IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi fi
done done
IFS=$d_IFS IFS=$d_IFS
@ -43,18 +51,31 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
IFS=$'\n' # define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi fi
done done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
fi
done
IFS=$d_IFS
} }
# This function will check config parameters required # This function will check config parameters required

45
bin/hardening/4.1.13_record_file_deletions.sh
View File

@ -19,7 +19,8 @@ DESCRIPTION="Collects file deletion events by users."
AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete' -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
FILE='/etc/audit/audit.rules' FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
@ -28,14 +29,21 @@ audit() {
c_IFS=$'\n' c_IFS=$'\n'
IFS=$c_IFS IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi fi
done done
IFS=$d_IFS IFS=$d_IFS
@ -43,18 +51,31 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
IFS=$'\n' # define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi fi
done done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
fi
done
IFS=$d_IFS
} }
# This function will check config parameters required # This function will check config parameters required

45
bin/hardening/4.1.14_record_sudoers_edit.sh
View File

@ -19,7 +19,8 @@ DESCRIPTION="Collect changes to system administration scopre."
AUDIT_PARAMS='-w /etc/sudoers -p wa -k sudoers AUDIT_PARAMS='-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers' -w /etc/sudoers.d/ -p wa -k sudoers'
FILE='/etc/audit/audit.rules' FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
@ -28,14 +29,21 @@ audit() {
c_IFS=$'\n' c_IFS=$'\n'
IFS=$c_IFS IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi fi
done done
IFS=$d_IFS IFS=$d_IFS
@ -43,18 +51,31 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
IFS=$'\n' # define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi fi
done done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
fi
done
IFS=$d_IFS
} }
# This function will check config parameters required # This function will check config parameters required

45
bin/hardening/4.1.15_record_sudo_usage.sh
View File

@ -18,7 +18,8 @@ HARDENING_LEVEL=4
DESCRIPTION="Collect system administration actions (sudolog)." DESCRIPTION="Collect system administration actions (sudolog)."
AUDIT_PARAMS='-w /var/log/auth.log -p wa -k sudoaction' AUDIT_PARAMS='-w /var/log/auth.log -p wa -k sudoaction'
FILE='/etc/audit/audit.rules' FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
@ -27,14 +28,21 @@ audit() {
c_IFS=$'\n' c_IFS=$'\n'
IFS=$c_IFS IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi fi
done done
IFS=$d_IFS IFS=$d_IFS
@ -42,18 +50,31 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
IFS=$'\n' # define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi fi
done done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
fi
done
IFS=$d_IFS
} }
# This function will check config parameters required # This function will check config parameters required

45
bin/hardening/4.1.16_record_kernel_modules.sh
View File

@ -21,7 +21,8 @@ AUDIT_PARAMS='-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules -w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules -w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules' -a always,exit -F arch=b64 -S init_module -S delete_module -k modules'
FILE='/etc/audit/audit.rules' FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
@ -30,14 +31,21 @@ audit() {
c_IFS=$'\n' c_IFS=$'\n'
IFS=$c_IFS IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi fi
done done
IFS=$d_IFS IFS=$d_IFS
@ -45,18 +53,31 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
IFS=$'\n' # define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi fi
done done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
fi
done
IFS=$d_IFS
} }
# This function will check config parameters required # This function will check config parameters required

45
bin/hardening/4.1.17_freeze_auditd_conf.sh
View File

@ -18,7 +18,8 @@ HARDENING_LEVEL=4
DESCRIPTION="Make the audit configuration immutable." DESCRIPTION="Make the audit configuration immutable."
AUDIT_PARAMS='-e 2' AUDIT_PARAMS='-e 2'
FILE='/etc/audit/audit.rules' FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
@ -27,14 +28,21 @@ audit() {
c_IFS=$'\n' c_IFS=$'\n'
IFS=$c_IFS IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi fi
done done
IFS=$d_IFS IFS=$d_IFS
@ -42,18 +50,31 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
IFS=$'\n' # define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi fi
done done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
fi
done
IFS=$d_IFS
} }
# This function will check config parameters required # This function will check config parameters required

45
bin/hardening/4.1.3_record_date_time_edit.sh
View File

@ -22,7 +22,8 @@ AUDIT_PARAMS='-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-cha
-a always,exit -F arch=b64 -S clock_settime -k time-change -a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change' -w /etc/localtime -p wa -k time-change'
FILE='/etc/audit/audit.rules' FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
@ -31,14 +32,21 @@ audit() {
c_IFS=$'\n' c_IFS=$'\n'
IFS=$c_IFS IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi fi
done done
IFS=$d_IFS IFS=$d_IFS
@ -46,18 +54,31 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
IFS=$'\n' # define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi fi
done done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
fi
done
IFS=$d_IFS
} }
# This function will check config parameters required # This function will check config parameters required

45
bin/hardening/4.1.4_record_user_group_edit.sh
View File

@ -22,7 +22,8 @@ AUDIT_PARAMS='-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity -w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity -w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity' -w /etc/security/opasswd -p wa -k identity'
FILE='/etc/audit/audit.rules' FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
@ -31,14 +32,21 @@ audit() {
c_IFS=$'\n' c_IFS=$'\n'
IFS=$c_IFS IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi fi
done done
IFS=$d_IFS IFS=$d_IFS
@ -46,18 +54,31 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
IFS=$'\n' # define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi fi
done done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
fi
done
IFS=$d_IFS
} }
# This function will check config parameters required # This function will check config parameters required

45
bin/hardening/4.1.5_record_network_edit.sh
View File

@ -23,7 +23,8 @@ AUDIT_PARAMS='-a exit,always -F arch=b64 -S sethostname -S setdomainname -k syst
-w /etc/issue.net -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale -w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale' -w /etc/network -p wa -k system-locale'
FILE='/etc/audit/audit.rules' FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
@ -32,14 +33,21 @@ audit() {
c_IFS=$'\n' c_IFS=$'\n'
IFS=$c_IFS IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi fi
done done
IFS=$d_IFS IFS=$d_IFS
@ -47,18 +55,31 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
IFS=$'\n' # define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi fi
done done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
fi
done
IFS=$d_IFS
} }
# This function will check config parameters required # This function will check config parameters required

45
bin/hardening/4.1.6_record_mac_edit.sh
View File

@ -18,7 +18,8 @@ HARDENING_LEVEL=4
DESCRIPTION="Record events that modify the system's mandatory access controls (MAC)." DESCRIPTION="Record events that modify the system's mandatory access controls (MAC)."
AUDIT_PARAMS='-w /etc/selinux/ -p wa -k MAC-policy' AUDIT_PARAMS='-w /etc/selinux/ -p wa -k MAC-policy'
FILE='/etc/audit/audit.rules' FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
@ -27,14 +28,21 @@ audit() {
c_IFS=$'\n' c_IFS=$'\n'
IFS=$c_IFS IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi fi
done done
IFS=$d_IFS IFS=$d_IFS
@ -42,18 +50,31 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
IFS=$'\n' # define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi fi
done done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
fi
done
IFS=$d_IFS
} }
# This function will check config parameters required # This function will check config parameters required

45
bin/hardening/4.1.7_record_login_logout.sh
View File

@ -20,7 +20,8 @@ DESCRIPTION="Collect login and logout events."
AUDIT_PARAMS='-w /var/log/faillog -p wa -k logins AUDIT_PARAMS='-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins -w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins' -w /var/log/tallylog -p wa -k logins'
FILE='/etc/audit/audit.rules' FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
@ -29,14 +30,21 @@ audit() {
c_IFS=$'\n' c_IFS=$'\n'
IFS=$c_IFS IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi fi
done done
IFS=$d_IFS IFS=$d_IFS
@ -44,18 +52,31 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
IFS=$'\n' # define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi fi
done done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
fi
done
IFS=$d_IFS
} }
# This function will check config parameters required # This function will check config parameters required

45
bin/hardening/4.1.8_record_session_init.sh
View File

@ -20,7 +20,8 @@ DESCRIPTION="Collec sessions initiation information."
AUDIT_PARAMS='-w /var/run/utmp -p wa -k session AUDIT_PARAMS='-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session -w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session' -w /var/log/btmp -p wa -k session'
FILE='/etc/audit/audit.rules' FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
@ -29,14 +30,21 @@ audit() {
c_IFS=$'\n' c_IFS=$'\n'
IFS=$c_IFS IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi fi
done done
IFS=$d_IFS IFS=$d_IFS
@ -44,18 +52,31 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
IFS=$'\n' # define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi fi
done done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
fi
done
IFS=$d_IFS
} }
# This function will check config parameters required # This function will check config parameters required

45
bin/hardening/4.1.9_record_dac_edit.sh
View File

@ -23,7 +23,8 @@ AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
FILE='/etc/audit/audit.rules' FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
@ -32,14 +33,21 @@ audit() {
c_IFS=$'\n' c_IFS=$'\n'
IFS=$c_IFS IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi fi
done done
IFS=$d_IFS IFS=$d_IFS
@ -47,18 +55,31 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
IFS=$'\n' # define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi fi
done done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
fi
done
IFS=$d_IFS
} }
# This function will check config parameters required # This function will check config parameters required

9
bin/hardening/5.3.4_acc_pam_sha512.sh
View File

@ -15,7 +15,7 @@ set -u # One variable unset, it's over
# shellcheck disable=2034 # shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Check that any password that may exist in /etc/shadow is SHA512 hashed and salted" DESCRIPTION="Check that any password that may exist in /etc/shadow is yescrypt (or SHA512 for debian 10) hashed and salted"
CONF_FILE="/etc/pam.d/common-password" CONF_FILE="/etc/pam.d/common-password"
CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*sha512" CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*sha512"
@ -26,6 +26,9 @@ audit() {
if $SUDO_CMD [ ! -r "$CONF_FILE" ]; then if $SUDO_CMD [ ! -r "$CONF_FILE" ]; then
crit "$CONF_FILE is not readable" crit "$CONF_FILE is not readable"
else else
if [ "$DEB_MAJ_VER" -ge "11" ]; then
CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*yescrypt" # https://github.com/ovh/debian-cis/issues/158
fi
# shellcheck disable=SC2001 # shellcheck disable=SC2001
does_pattern_exist_in_file "$CONF_FILE" "$(sed 's/ /[[:space:]]+/g' <<<"$CONF_LINE")" does_pattern_exist_in_file "$CONF_FILE" "$(sed 's/ /[[:space:]]+/g' <<<"$CONF_LINE")"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -47,9 +50,13 @@ apply() {
ok "$CONF_LINE is present in $CONF_FILE" ok "$CONF_LINE is present in $CONF_FILE"
else else
warn "$CONF_LINE is not present in $CONF_FILE" warn "$CONF_LINE is not present in $CONF_FILE"
if [ "$DEB_MAJ_VER" -ge "11" ]; then
add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so yescrypt" "# pam-auth-update(8) for details."
else
add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so sha512" "# pam-auth-update(8) for details." add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so sha512" "# pam-auth-update(8) for details."
fi fi
fi fi
fi
} }
# This function will check config parameters required # This function will check config parameters required

23
bin/hardening/5.4.5_default_timeout.sh
View File

@ -31,21 +31,21 @@ audit() {
debug "$FILE_SEARCHED is a directory" debug "$FILE_SEARCHED is a directory"
# shellcheck disable=2044 # shellcheck disable=2044
for file_in_dir in $(find "$FILE_SEARCHED" -type f); do for file_in_dir in $(find "$FILE_SEARCHED" -type f); do
does_pattern_exist_in_file "$file_in_dir" "^$PATTERN" does_pattern_exist_in_file "$file_in_dir" "$PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir" debug "$PATTERN is not present in $file_in_dir"
else else
ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir" ok "$PATTERN is present in $file_in_dir"
SEARCH_RES=1 SEARCH_RES=1
break break
fi fi
done done
else else
does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN" does_pattern_exist_in_file "$FILE_SEARCHED" "$PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED" debug "$PATTERN is not present in $FILE_SEARCHED"
else else
ok "$PATTERN is present in $FILES_TO_SEARCH" ok "$PATTERN is present in $FILE_SEARCHED"
SEARCH_RES=1 SEARCH_RES=1
fi fi
fi fi
@ -64,21 +64,21 @@ apply() {
debug "$FILE_SEARCHED is a directory" debug "$FILE_SEARCHED is a directory"
# shellcheck disable=2044 # shellcheck disable=2044
for file_in_dir in $(find "$FILE_SEARCHED" -type f); do for file_in_dir in $(find "$FILE_SEARCHED" -type f); do
does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN" does_pattern_exist_in_file "$file_in_dir" "$PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir" debug "$PATTERN is not present in $file_in_dir"
else else
ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir" ok "$PATTERN is present in $file_in_dir"
SEARCH_RES=1 SEARCH_RES=1
break break
fi fi
done done
else else
does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN" does_pattern_exist_in_file "$FILE_SEARCHED" "$PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED" debug "$PATTERN is not present in $FILE_SEARCHED"
else else
ok "$PATTERN is present in $FILES_TO_SEARCH" ok "$PATTERN is present in $FILE_SEARCHED"
SEARCH_RES=1 SEARCH_RES=1
fi fi
fi fi
@ -87,8 +87,7 @@ apply() {
warn "$PATTERN is not present in $FILES_TO_SEARCH" warn "$PATTERN is not present in $FILES_TO_SEARCH"
touch "$FILE" touch "$FILE"
chmod 644 "$FILE" chmod 644 "$FILE"
add_end_of_file "$FILE" "$PATTERN$VALUE" add_end_of_file "$FILE" "readonly $PATTERN$VALUE"
add_end_of_file "$FILE" "readonly TMOUT"
add_end_of_file "$FILE" "export TMOUT" add_end_of_file "$FILE" "export TMOUT"
else else
ok "$PATTERN is present in $FILES_TO_SEARCH" ok "$PATTERN is present in $FILES_TO_SEARCH"

66
bin/hardening/6.1.10_find_world_writable_file.sh
View File

@ -17,27 +17,32 @@ HARDENING_LEVEL=3
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Ensure no world writable files exist" DESCRIPTION="Ensure no world writable files exist"
EXCEPTIONS='' EXCLUDED=''
# find emits following error if directory or file disappear during
# tree traversal: find: /tmp/xxx: No such file or directory
FIND_IGNORE_NOSUCHFILE_ERR=false
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
info "Checking if there are world writable files" info "Checking if there are world writable files"
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}') if [ -n "$EXCLUDED" ]; then
# maybe EXCLUDED allow us to filter out some FS
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED")
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=SC2086 # shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null) RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
IFS_BAK=$IFS [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
IFS=$'\n'
for LINE in $RESULT; do
debug "line : $LINE"
if echo "$EXCEPTIONS" | grep -q "$LINE"; then
debug "$LINE is confirmed as an exception"
# shellcheck disable=SC2001
RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
else else
debug "$LINE not found in exceptions" FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -0002 -print 2>/dev/null)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
fi fi
done
IFS=$IFS_BAK
if [ -n "$RESULT" ]; then if [ -n "$RESULT" ]; then
crit "Some world writable files are present" crit "Some world writable files are present"
# shellcheck disable=SC2001 # shellcheck disable=SC2001
@ -50,42 +55,25 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null) if [ -n "$EXCLUDED" ]; then
IFS_BAK=$IFS # shellcheck disable=SC2086
IFS=$'\n' RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
for LINE in $RESULT; do
debug "line : $LINE"
if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then
debug "$ACCOUNT is confirmed as an exception"
# shellcheck disable=SC2001
RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
else else
debug "$ACCOUNT not found in exceptions" RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -print 2>/dev/null)
fi fi
done
IFS=$IFS_BAK
if [ -n "$RESULT" ]; then if [ -n "$RESULT" ]; then
warn "chmoding o-w all files in the system" warn "chmoding o-w all files in the system"
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null | xargs chmod o-w df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -print 2>/dev/null | xargs chmod o-w
else else
ok "No world writable files found, nothing to apply" ok "No world writable files found, nothing to apply"
fi fi
} }
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=audit
# Put here your exceptions separated by spaces
EXCEPTIONS=""
EOF
}
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
if [ -z "$EXCEPTIONS" ]; then # No param for this function
EXCEPTIONS="@" :
fi
} }
# Source Root Dir Parameter # Source Root Dir Parameter

26
bin/hardening/6.1.11_find_unowned_files.sh
View File

@ -20,17 +20,30 @@ DESCRIPTION="Ensure no unowned files or directories exist."
USER='root' USER='root'
EXCLUDED='' EXCLUDED=''
# find emits following error if directory or file disappear during
# tree traversal: find: /tmp/xxx: No such file or directory
FIND_IGNORE_NOSUCHFILE_ERR=false
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
info "Checking if there are unowned files" info "Checking if there are unowned files"
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
if [ -n "$EXCLUDED" ]; then if [ -n "$EXCLUDED" ]; then
# maybe EXCLUDED allow us to filter out some FS
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED")
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=SC2086 # shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null) RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nouser -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
else else
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=SC2086 # shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -print 2>/dev/null) RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nouser -print 2>/dev/null)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
fi fi
if [ -n "$RESULT" ]; then if [ -n "$RESULT" ]; then
crit "Some unowned files are present" crit "Some unowned files are present"
# shellcheck disable=SC2001 # shellcheck disable=SC2001
@ -44,13 +57,14 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
if [ -n "$EXCLUDED" ]; then if [ -n "$EXCLUDED" ]; then
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null) # shellcheck disable=SC2086
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
else else
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null) RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -ls 2>/dev/null)
fi fi
if [ -n "$RESULT" ]; then if [ -n "$RESULT" ]; then
warn "Applying chown on all unowned files in the system" warn "Applying chown on all unowned files in the system"
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown "$USER" df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -print 2>/dev/null | xargs chown "$USER"
else else
ok "No unowned files found, nothing to apply" ok "No unowned files found, nothing to apply"
fi fi

27
bin/hardening/6.1.12_find_ungrouped_files.sh
View File

@ -20,17 +20,31 @@ DESCRIPTION="Ensure no ungrouped files or directories exist"
GROUP='root' GROUP='root'
EXCLUDED='' EXCLUDED=''
# find emits following error if directory or file disappear during
# tree traversal: find: /tmp/xxx: No such file or directory
FIND_IGNORE_NOSUCHFILE_ERR=false
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
info "Checking if there are ungrouped files" info "Checking if there are ungrouped files"
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
if [ -n "$EXCLUDED" ]; then if [ -n "$EXCLUDED" ]; then
# maybe EXCLUDED allow us to filter out some FS
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED")
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=SC2086 # shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null) RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
else else
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=SC2086 # shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null) RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nogroup -print 2>/dev/null)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
fi fi
if [ -n "$RESULT" ]; then if [ -n "$RESULT" ]; then
crit "Some ungrouped files are present" crit "Some ungrouped files are present"
# shellcheck disable=SC2001 # shellcheck disable=SC2001
@ -44,13 +58,14 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
if [ -n "$EXCLUDED" ]; then if [ -n "$EXCLUDED" ]; then
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null) # shellcheck disable=SC2086
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
else else
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null) RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -ls 2>/dev/null)
fi fi
if [ -n "$RESULT" ]; then if [ -n "$RESULT" ]; then
warn "Applying chgrp on all ungrouped files in the system" warn "Applying chgrp on all ungrouped files in the system"
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp "$GROUP" df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -print 2>/dev/null | xargs chgrp "$GROUP"
else else
ok "No ungrouped files found, nothing to apply" ok "No ungrouped files found, nothing to apply"
fi fi

22
bin/hardening/6.1.13_find_suid_files.sh
View File

@ -18,16 +18,30 @@ HARDENING_LEVEL=2
DESCRIPTION="Find SUID system executables." DESCRIPTION="Find SUID system executables."
IGNORED_PATH='' IGNORED_PATH=''
# find emits following error if directory or file disappear during
# tree traversal: find: /tmp/xxx: No such file or directory
FIND_IGNORE_NOSUCHFILE_ERR=false
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
info "Checking if there are suid files" info "Checking if there are suid files"
FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
# shellcheck disable=2086
if [ -n "$IGNORED_PATH" ]; then if [ -n "$IGNORED_PATH" ]; then
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print) # maybe IGNORED_PATH allow us to filter out some FS
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$IGNORED_PATH")
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=2086
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -4000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
else else
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print) FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=2086
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -4000 -print)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
fi fi
BAD_BINARIES="" BAD_BINARIES=""
for BINARY in $FOUND_BINARIES; do for BINARY in $FOUND_BINARIES; do
if grep -qw "$BINARY" <<<"$EXCEPTIONS"; then if grep -qw "$BINARY" <<<"$EXCEPTIONS"; then

23
bin/hardening/6.1.14_find_sgid_files.sh
View File

@ -18,16 +18,31 @@ HARDENING_LEVEL=2
DESCRIPTION="Find SGID system executables." DESCRIPTION="Find SGID system executables."
IGNORED_PATH='' IGNORED_PATH=''
# find emits following error if directory or file disappear during
# tree traversal: find: /tmp/xxx: No such file or directory
FIND_IGNORE_NOSUCHFILE_ERR=false
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
info "Checking if there are sgid files" info "Checking if there are sgid files"
FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
# shellcheck disable=2086
if [ -n "$IGNORED_PATH" ]; then if [ -n "$IGNORED_PATH" ]; then
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print) # maybe IGNORED_PATH allow us to filter out some FS
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$IGNORED_PATH")
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=2086
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -2000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
else else
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print) FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=2086
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -2000 -print)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
fi fi
BAD_BINARIES="" BAD_BINARIES=""
for BINARY in $FOUND_BINARIES; do for BINARY in $FOUND_BINARIES; do
if grep -qw "$BINARY" <<<"$EXCEPTIONS"; then if grep -qw "$BINARY" <<<"$EXCEPTIONS"; then

10
bin/hardening/6.1.3_etc_gshadow-_permissions.sh
View File

@ -25,6 +25,10 @@ GROUPSOK='root shadow'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
ok "$FILE does not exist"
else
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
@ -37,10 +41,15 @@ audit() {
else else
crit "$FILE ownership was not set to $USER:$GROUPSOK" crit "$FILE ownership was not set to $USER:$GROUPSOK"
fi fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
ok "$FILE does not exist"
else
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
@ -55,6 +64,7 @@ apply() {
info "fixing $FILE ownership to $USER:$GROUP" info "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE" chown "$USER":"$GROUP" "$FILE"
fi fi
fi
} }
# This function will check config parameters required # This function will check config parameters required

13
bin/hardening/6.1.6_etc_passwd-_permissions.sh
View File

@ -19,12 +19,17 @@ DESCRIPTION="Check 600 permissions and root:root ownership on /etc/passwd-"
FILE='/etc/passwd-' FILE='/etc/passwd-'
PERMISSIONS='600' PERMISSIONS='600'
PERMISSIONSOK='644 640 600'
USER='root' USER='root'
GROUP='root' GROUP='root'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
has_file_correct_permissions "$FILE" "$PERMISSIONS" does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
ok "$FILE does not exist"
else
has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
@ -36,10 +41,15 @@ audit() {
else else
crit "$FILE ownership was not set to $USER:$GROUP" crit "$FILE ownership was not set to $USER:$GROUP"
fi fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
ok "$FILE does not exist"
else
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
@ -54,6 +64,7 @@ apply() {
info "fixing $FILE ownership to $USER:$GROUP" info "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE" chown "$USER":"$GROUP" "$FILE"
fi fi
fi
} }
# This function will check config parameters required # This function will check config parameters required

13
bin/hardening/6.1.7_etc_shadow-_permissions.sh
View File

@ -19,12 +19,17 @@ DESCRIPTION="Check 600 permissions and root:shadow ownership on /etc/shadow-"
FILE='/etc/shadow-' FILE='/etc/shadow-'
PERMISSIONS='600' PERMISSIONS='600'
PERMISSIONSOK='640 600'
USER='root' USER='root'
GROUP='shadow' GROUP='shadow'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
has_file_correct_permissions "$FILE" "$PERMISSIONS" does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
ok "$FILE does not exist"
else
has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
@ -36,10 +41,15 @@ audit() {
else else
crit "$FILE ownership was not set to $USER:$GROUP" crit "$FILE ownership was not set to $USER:$GROUP"
fi fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
ok "$FILE does not exist"
else
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
@ -54,6 +64,7 @@ apply() {
info "fixing $FILE ownership to $USER:$GROUP" info "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE" chown "$USER":"$GROUP" "$FILE"
fi fi
fi
} }
# This function will check config parameters required # This function will check config parameters required

13
bin/hardening/6.1.8_etc_group-_permissions.sh
View File

@ -19,12 +19,17 @@ DESCRIPTION="Check 600 permissions and root:root ownership on /etc/group-"
FILE='/etc/group-' FILE='/etc/group-'
PERMISSIONS='600' PERMISSIONS='600'
PERMISSIONSOK='644 640 600'
USER='root' USER='root'
GROUP='root' GROUP='root'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
has_file_correct_permissions "$FILE" "$PERMISSIONS" does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
ok "$FILE does not exist"
else
has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
@ -36,10 +41,15 @@ audit() {
else else
crit "$FILE ownership was not set to $USER:$GROUP" crit "$FILE ownership was not set to $USER:$GROUP"
fi fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
ok "$FILE does not exist"
else
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
@ -54,6 +64,7 @@ apply() {
info "fixing $FILE ownership to $USER:$GROUP" info "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE" chown "$USER":"$GROUP" "$FILE"
fi fi
fi
} }
# This function will check config parameters required # This function will check config parameters required

0
bin/hardening/6.2.3_users_valid_homedir.sh → bin/hardening/6.2.3_users_homedir_exist.sh
View File

19
bin/hardening/6.2.9_users_valid_homedir.sh → bin/hardening/6.2.9_users_homedir_ownership.sh
View File

@ -23,30 +23,13 @@ ERRORS=0
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
debug "Checking homedir exists"
RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
for LINE in $RESULT; do
debug "Working on $LINE"
USER=$(awk -F: '{print $1}' <<<"$LINE")
USERID=$(awk -F: '{print $2}' <<<"$LINE")
DIR=$(awk -F: '{print $3}' <<<"$LINE")
if [ "$USERID" -ge 1000 ] && [ ! -d "$DIR" ] && [ "$USER" != "nfsnobody" ] && [ "$USER" != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then
crit "The home directory ($DIR) of user $USER does not exist."
ERRORS=$((ERRORS + 1))
fi
done
if [ "$ERRORS" = 0 ]; then
ok "All home directories exists"
fi
debug "Checking homedir ownership"
RESULT=$(awk -F: '{ print $1 ":" $3 ":" $6 }' /etc/passwd) RESULT=$(awk -F: '{ print $1 ":" $3 ":" $6 }' /etc/passwd)
for LINE in $RESULT; do for LINE in $RESULT; do
debug "Working on $LINE" debug "Working on $LINE"
USER=$(awk -F: '{print $1}' <<<"$LINE") USER=$(awk -F: '{print $1}' <<<"$LINE")
USERID=$(awk -F: '{print $2}' <<<"$LINE") USERID=$(awk -F: '{print $2}' <<<"$LINE")
DIR=$(awk -F: '{print $3}' <<<"$LINE") DIR=$(awk -F: '{print $3}' <<<"$LINE")
if [ "$USERID" -ge 500 ] && [ -d "$DIR" ] && [ "$USER" != "nfsnobody" ]; then if [ "$USERID" -ge 1000 ] && [ -d "$DIR" ] && [ "$USER" != "nfsnobody" ]; then
OWNER=$(stat -L -c "%U" "$DIR") OWNER=$(stat -L -c "%U" "$DIR")
if [ "$OWNER" != "$USER" ]; then if [ "$OWNER" != "$USER" ]; then
EXCEP_FOUND=0 EXCEP_FOUND=0

45
bin/hardening/99.1.3_acc_sudoers_no_all.sh
View File

@ -19,13 +19,32 @@ DESCRIPTION="Checks there are no carte-blanche authorization in sudoers file(s).
FILE="/etc/sudoers" FILE="/etc/sudoers"
DIRECTORY="/etc/sudoers.d" DIRECTORY="/etc/sudoers.d"
# spaces will be expanded to [:space:]* when using the regex # spaces will be expanded to [[:space:]]* when using the regex
# improves readability in audit report # improves readability in audit report
REGEX="ALL = \( ALL( : ALL)? \)( NOPASSWD:)? ALL" REGEX="ALL = \( ALL( : ALL)? \)( NOPASSWD:)? ALL"
EXCEPT="" EXCEPT=""
MAX_FILES_TO_LOG=0
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
# expand spaces to [[:space:]]*
# shellcheck disable=2001
REGEX="$(echo "$REGEX" | sed 's/ /[[:space:]]*/g')"
local skiplog
skiplog=0
if [ $MAX_FILES_TO_LOG != 0 ]; then
# if we have more than $MAX_FILES_TO_LOG files in $DIRECTORY, we'll reduce
# logging in the loop, to avoid flooding the logs and getting timed out
local nbfiles
# shellcheck disable=2012 # (find is too slow and calls fstatat() for each file)
nbfiles=$(ls -f "$DIRECTORY" | wc -l)
if [ "$nbfiles" -gt "$MAX_FILES_TO_LOG" ]; then
skiplog=1
info "Found $nbfiles files in $DIRECTORY (> $MAX_FILES_TO_LOG), we won't log every file we check"
fi
fi
FILES="" FILES=""
if $SUDO_CMD [ ! -r "$FILE" ]; then if $SUDO_CMD [ ! -r "$FILE" ]; then
crit "$FILE is not readable" crit "$FILE is not readable"
@ -41,14 +60,20 @@ audit() {
fi fi
for file in $FILES; do for file in $FILES; do
if $SUDO_CMD [ ! -r "$file" ]; then if $SUDO_CMD [ ! -r "$file" ]; then
debug "$file is not readable, but it might just have disappeared since we've listed the folder contents, re-check that it exists"
if $SUDO_CMD [ -e "$file" ]; then
crit "$file is not readable" crit "$file is not readable"
else else
# shellcheck disable=2001 debug "$file has disappeared, ignore it"
if ! $SUDO_CMD grep -E "$(echo "$REGEX" | sed 's/ /[[:space:]]*/g')" "$file" &>/dev/null; then continue
ok "There is no carte-blanche sudo permission in $file" fi
else else
# shellcheck disable=2001 if ! $SUDO_CMD grep -E "$REGEX" "$file" &>/dev/null; then
RET=$($SUDO_CMD grep -E "$(echo "$REGEX" | sed 's/ /[[:space:]]*/g')" "$file" | sed 's/\t/#/g;s/ /#/g') if [ $skiplog = 0 ]; then
ok "There is no carte-blanche sudo permission in $file"
fi
else
RET=$($SUDO_CMD grep -E "$REGEX" "$file" | sed 's/\t/#/g;s/ /#/g')
for line in $RET; do for line in $RET; do
if grep -q "$(echo "$line" | cut -d '#' -f 1)" <<<"$EXCEPT"; then if grep -q "$(echo "$line" | cut -d '#' -f 1)" <<<"$EXCEPT"; then
# shellcheck disable=2001 # shellcheck disable=2001
@ -73,8 +98,16 @@ apply() {
create_config() { create_config() {
cat <<EOF cat <<EOF
status=audit status=audit
# Put EXCEPTION account names here, space separated # Put EXCEPTION account names here, space separated
EXCEPT="root %root %sudo %wheel" EXCEPT="root %root %sudo %wheel"
# If we find more than this amount of files in sudoers.d/,
# we'll reduce the logging in the loop to avoid getting
# timed out because we spend too much time logging.
# Using 0 disables this feature and will never reduce the
# logging, regardless of the number of files.
MAX_FILES_TO_LOG=0
EOF EOF
} }
# This function will check config parameters required # This function will check config parameters required

4
bin/hardening/99.5.2.4_ssh_keys_from.sh
View File

@ -109,7 +109,7 @@ audit() {
crit "/etc/ssh/sshd_config is not readable." crit "/etc/ssh/sshd_config is not readable."
else else
ret=$($SUDO_CMD grep -iP "^AuthorizedKeysFile" /etc/ssh/sshd_config || echo '#KO') ret=$($SUDO_CMD grep -iP "^AuthorizedKeysFile" /etc/ssh/sshd_config || echo '#KO')
if [ "x$ret" = "x#KO" ]; then if [ "$ret" = "#KO" ]; then
debug "No AuthorizedKeysFile defined in sshd_config." debug "No AuthorizedKeysFile defined in sshd_config."
else else
AUTHKEYFILE_PATTERN=$(echo "$ret" | sed 's/AuthorizedKeysFile//i' | sed 's#%h/##' | tr -s "[:space:]") AUTHKEYFILE_PATTERN=$(echo "$ret" | sed 's/AuthorizedKeysFile//i' | sed 's#%h/##' | tr -s "[:space:]")
@ -137,7 +137,7 @@ audit() {
continue continue
else else
info "User $user has a valid shell ($shell)." info "User $user has a valid shell ($shell)."
if [ "x$user" = "xroot" ] && [ "$user" != "$EXCEPTION_USER" ]; then if [ "$user" = "root" ] && [ "$user" != "$EXCEPTION_USER" ]; then
check_dir /root check_dir /root
continue continue
elif $SUDO_CMD [ ! -d /home/"$user" ]; then elif $SUDO_CMD [ ! -d /home/"$user" ]; then

1
bin/hardening/99.5.4.5.1_acc_logindefs_sha512.sh
View File

@ -49,7 +49,6 @@ apply() {
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file "$CONF_FILE" "^$(echo "$CONF_LINE" | cut -d ' ' -f1)[[:space:]]*.*" "$CONF_LINE" replace_in_file "$CONF_FILE" "^$(echo "$CONF_LINE" | cut -d ' ' -f1)[[:space:]]*.*" "$CONF_LINE"
fi fi
/etc/init.d/ssh reload >/dev/null 2>&1
fi fi
} }

2
bin/hardening/99.5.4.5.2_acc_shadow_sha512.sh
View File

@ -37,7 +37,7 @@ audit() {
pw_found+="$user " pw_found+="$user "
ok "User $user has a disabled password." ok "User $user has a disabled password."
# Check password against $6$<salt>$<encrypted>, see `man 3 crypt` # Check password against $6$<salt>$<encrypted>, see `man 3 crypt`
elif [[ $passwd =~ ^\$6\$[a-zA-Z0-9./]{2,16}\$[a-zA-Z0-9./]{86}$ ]]; then elif [[ $passwd =~ ^\$6(\$rounds=[0-9]+)?\$[a-zA-Z0-9./]{2,16}\$[a-zA-Z0-9./]{86}$ ]]; then
pw_found+="$user " pw_found+="$user "
ok "User $user has suitable SHA512 hashed password." ok "User $user has suitable SHA512 hashed password."
else else

81
debian/changelog vendored
View File

@ -1,3 +1,84 @@
cis-hardening (4.0-1) unstable; urgency=medium
* fix: 99.1.3_acc_sudoers_no_all: fix a race condition (#186)
* fix: change auditd file rule remediation (#179)
* fix: correct debian package compression override (#181)
* fix: ensure mountpoints are properly detected (#177)
* fix: correct search in 5.4.5_default_timeout in apply mode (#178)
* fix: force xz compression during .deb build (#180)
* feat: official Debian 11 compatibility (#176)
* Bump luizm/action-sh-checker from 0.5.0 to 0.7.0 (#171)
-- Thibault Dewailly <thibault.dewailly@ovhcloud.com> Mon, 10 Jul 2023 07:18:55 +0000
cis-hardening (3.8-1) unstable; urgency=medium
* fix: timeout of 99.1.3 (#168)
-- Thibault Dewailly <thibault.dewailly@ovhcloud.com> Thu, 23 Mar 2023 10:00:06 +0000
cis-hardening (3.7-1) unstable; urgency=medium
* feat: add FIND_IGNORE_NOSUCHFILE_ERR flag (#159)
-- Yannick Martin <yannick.martin@ovhcloud.com> Mon, 04 Jul 2022 14:34:03 +0200
cis-hardening (3.6-1) unstable; urgency=medium
* feat: Filter the filesystem to check when the list is built. (#156)
-- Tarik Megzari <tarik.megzari@corp.ovh.com> Fri, 24 Jun 2022 15:49:00 +0000
cis-hardening (3.5-1) unstable; urgency=medium
* fix: add 10s wait timeout on iptables command (#151)
-- Tarik Megzari <tarik.megzari@corp.ovh.com> Wed, 23 Mar 2022 17:28:08 +0100
cis-hardening (3.4-1) unstable; urgency=medium
* fix: allow passwd-, group- and shadow- debian default permissions (#149)
-- Thibault Dewailly <thibault.dewailly@ovhcloud.com> Fri, 18 Mar 2022 15:43:24 +0000
cis-hardening (3.3-1) unstable; urgency=medium
* fix: missing shadowtools backup files is ok (#132)
* feat: Dissociate iptables pkg name from command (#137)
* fix: Catch unexpected failures (#140)
* fix: Avoid find failures on too many files (#144)
-- Tarik Megzari <tarik.megzari@corp.ovh.com> Wed, 02 Mar 2022 13:25:33 +0100
cis-hardening (3.2-2) unstable; urgency=medium
* Fix empty fstab test
-- Tarik Megzari <tarik.megzari@corp.ovh.com> Wed, 08 Dec 2021 13:59:49 +0100
cis-hardening (3.2-1) unstable; urgency=medium
- Skip NTP and Chrony config check if they are not installed (#120)
- Fix 3.4.2 audit rule (#123)
- Fix grub detection (#119)
- Allow grub.cfg permission to be 600 (#121)
- Honor --set-log-level parameter (#127)
- fix: kernel module detection (#129)
- Add silent mode and json summary (#128)
- FIX(1.7.1.4): don't abort script in case of unconfined processes (#130)
- FIX(2.2.1.4): Validate debian default ntp config (#118)
- 99.5.4.5.2: fix bug where sha512 option rounds provoke KO (#112)
- Fix 5.4.5 pattern search (#108)
-- Thibault Dewailly <thibault.dewailly@ovhcloud.com> Wed, 01 Dec 2021 10:56:47 +0000
cis-hardening (3.1-6) unstable; urgency=medium
* Improve EXCEPTIONS management (1.1.21,6.1.10)
* Fix bug linked with regex quoting (6.1.10-11-12-13-14)
-- Thibault Ayanides <thibault.ayanides@ovhcloud.com> Wed, 02 Jun 2021 09:45:40 +0200
cis-hardening (3.1-5) unstable; urgency=medium cis-hardening (3.1-5) unstable; urgency=medium
* Fix unbound EXCEPTIONS variable in some cases * Fix unbound EXCEPTIONS variable in some cases

3
debian/rules vendored
View File

@ -16,6 +16,9 @@ PACKAGE = $(shell dh_listpackages)
%: %:
dh $@ dh $@
override_dh_builddeb:
dh_builddeb -- -Zxz
override_dh_install: override_dh_install:
dh_install dh_install
mkdir -p $(CURDIR)/debian/$(PACKAGE)/opt/$(PACKAGE)/ mkdir -p $(CURDIR)/debian/$(PACKAGE)/opt/$(PACKAGE)/

17
lib/common.sh
View File

@ -25,6 +25,9 @@ backup_file() {
# #
case $LOGLEVEL in case $LOGLEVEL in
silent)
MACHINE_LOG_LEVEL=0
;;
error) error)
MACHINE_LOG_LEVEL=1 MACHINE_LOG_LEVEL=1
;; ;;
@ -100,6 +103,20 @@ debug() {
if [ "$MACHINE_LOG_LEVEL" -ge 5 ]; then _logger "$GRAY" "[DBG ] $*"; fi if [ "$MACHINE_LOG_LEVEL" -ge 5 ]; then _logger "$GRAY" "[DBG ] $*"; fi
} }
exception() {
# Trap exit code is the same as the trapped one unless we call an explicit exit
TRAP_CODE=$?
if [ "$ACTIONS_DONE" -ne 1 ]; then
if [ "$BATCH_MODE" -eq 1 ]; then
BATCH_OUTPUT="KO $SCRIPT_NAME $BATCH_OUTPUT KO{Unexpected exit code: $TRAP_CODE}"
becho "$BATCH_OUTPUT"
else
crit "Check failed with unexpected exit code: $TRAP_CODE"
fi
exit 1 # Means critical status
fi
}
# #
# sudo wrapper # sudo wrapper
# issue crit state if not allowed to perform sudo # issue crit state if not allowed to perform sudo

4
lib/constants.sh
View File

@ -57,6 +57,6 @@ get_distribution
get_debian_major_version get_debian_major_version
# shellcheck disable=SC2034 # shellcheck disable=SC2034
SMALLEST_SUPPORTED_DEBIAN_VERSION=9 SMALLEST_SUPPORTED_DEBIAN_VERSION=10
# shellcheck disable=SC2034 # shellcheck disable=SC2034
HIGHEST_SUPPORTED_DEBIAN_VERSION=10 HIGHEST_SUPPORTED_DEBIAN_VERSION=11

14
lib/main.sh
View File

@ -10,9 +10,17 @@ BATCH_OUTPUT=""
status="" status=""
forcedstatus="" forcedstatus=""
SUDO_CMD="" SUDO_CMD=""
SAVED_LOGLEVEL=""
ACTIONS_DONE=0
if [ -n "${LOGLEVEL:-}" ]; then
SAVED_LOGLEVEL=$LOGLEVEL
fi
# shellcheck source=../etc/hardening.cfg # shellcheck source=../etc/hardening.cfg
[ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg [ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
if [ -n "$SAVED_LOGLEVEL" ]; then
LOGLEVEL=$SAVED_LOGLEVEL
fi
# shellcheck source=../lib/common.sh # shellcheck source=../lib/common.sh
[ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh [ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
# shellcheck source=../lib/utils.sh # shellcheck source=../lib/utils.sh
@ -104,6 +112,9 @@ if [ -z "$status" ]; then
exit 2 exit 2
fi fi
# We want to trap unexpected failures in check scripts
trap exception EXIT
case $status in case $status in
enabled | true) enabled | true)
info "Checking Configuration" info "Checking Configuration"
@ -121,6 +132,7 @@ audit)
;; ;;
disabled | false) disabled | false)
info "$SCRIPT_NAME is disabled, ignoring" info "$SCRIPT_NAME is disabled, ignoring"
ACTIONS_DONE=1
exit 2 # Means unknown status exit 2 # Means unknown status
;; ;;
*) *)
@ -128,6 +140,8 @@ disabled | false)
;; ;;
esac esac
ACTIONS_DONE=1
if [ "$CRITICAL_ERRORS_NUMBER" -eq 0 ]; then if [ "$CRITICAL_ERRORS_NUMBER" -eq 0 ]; then
if [ "$BATCH_MODE" -eq 1 ]; then if [ "$BATCH_MODE" -eq 1 ]; then
BATCH_OUTPUT="OK $SCRIPT_NAME $BATCH_OUTPUT" BATCH_OUTPUT="OK $SCRIPT_NAME $BATCH_OUTPUT"

22
lib/utils.sh
View File

@ -349,10 +349,10 @@ is_kernel_option_enabled() {
fi fi
ANSWER=$(cut -d = -f 2 <<<"$RESULT") ANSWER=$(cut -d = -f 2 <<<"$RESULT")
if [ "x$ANSWER" = "xy" ]; then if [ "$ANSWER" = "y" ]; then
debug "Kernel option $KERNEL_OPTION enabled" debug "Kernel option $KERNEL_OPTION enabled"
FNRET=0 FNRET=0
elif [ "x$ANSWER" = "xn" ]; then elif [ "$ANSWER" = "n" ]; then
debug "Kernel option $KERNEL_OPTION disabled" debug "Kernel option $KERNEL_OPTION disabled"
FNRET=1 FNRET=1
else else
@ -384,9 +384,9 @@ is_kernel_option_enabled() {
fi fi
else else
if [ "$MODPROBE_FILTER" != "" ]; then if [ "$MODPROBE_FILTER" != "" ]; then
DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | grep -E "$MODPROBE_FILTER" | xargs)" DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | grep -E "$MODPROBE_FILTER" | tail -1 | xargs)"
else else
DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | xargs)" DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | tail -1 | xargs)"
fi fi
if [ "$DEF_MODULE" == "install /bin/true" ] || [ "$DEF_MODULE" == "install /bin/false" ]; then if [ "$DEF_MODULE" == "install /bin/true" ] || [ "$DEF_MODULE" == "install /bin/false" ]; then
@ -415,15 +415,18 @@ is_kernel_option_enabled() {
is_a_partition() { is_a_partition() {
local PARTITION=$1 local PARTITION=$1
FNRET=128 FNRET=128
if [ ! -f /etc/fstab ] || [ -n "$(sed '/^#/d' /etc/fstab)" ]; then if [ ! -f /etc/fstab ] || [ -z "$(sed '/^#/d' /etc/fstab)" ]; then
debug "/etc/fstab not found or empty, searching mountpoint" debug "/etc/fstab not found or empty, searching mountpoint"
if mountpoint "$PARTITION" | grep -qE ".*is a mountpoint.*"; then if mountpoint -q "$PARTITION"; then
FNRET=0 FNRET=0
fi fi
else else
if grep "[[:space:]]$1[[:space:]]" /etc/fstab | grep -vqE "^#"; then if grep "[[:space:]]$1[[:space:]]" /etc/fstab | grep -vqE "^#"; then
debug "$PARTITION found in fstab" debug "$PARTITION found in fstab"
FNRET=0 FNRET=0
elif mountpoint -q "$PARTITION"; then
debug "$PARTITION found in /proc fs"
FNRET=0
else else
debug "Unable to find $PARTITION in fstab" debug "Unable to find $PARTITION in fstab"
FNRET=1 FNRET=1
@ -448,8 +451,8 @@ is_mounted() {
has_mount_option() { has_mount_option() {
local PARTITION=$1 local PARTITION=$1
local OPTION=$2 local OPTION=$2
if [ ! -f /etc/fstab ] || [ -n "$(sed '/^#/d' /etc/fstab)" ]; then if [ ! -f /etc/fstab ] || [ -z "$(sed '/^#/d' /etc/fstab)" ]; then
debug "/etc/fstab not found or empty, readin current mount options" debug "/etc/fstab not found or empty, reading current mount options"
has_mounted_option "$PARTITION" "$OPTION" has_mounted_option "$PARTITION" "$OPTION"
else else
if grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $4}' | grep -q "bind"; then if grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $4}' | grep -q "bind"; then
@ -461,6 +464,9 @@ has_mount_option() {
if grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $4}' | grep -q "$OPTION"; then if grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $4}' | grep -q "$OPTION"; then
debug "$OPTION has been detected in fstab for partition $PARTITION" debug "$OPTION has been detected in fstab for partition $PARTITION"
FNRET=0 FNRET=0
elif mountpoint -q "$PARTITION"; then
debug "$OPTION not detected in fstab, but $PARTITION is a mount point searching in /proc fs"
has_mounted_option "$PARTITION" "$OPTION"
else else
debug "Unable to find $OPTION in fstab for partition $PARTITION" debug "Unable to find $OPTION in fstab for partition $PARTITION"
FNRET=1 FNRET=1

22
tests/docker/Dockerfile.debian8
View File

@ -1,22 +0,0 @@
FROM debian:jessie
LABEL vendor="OVH"
LABEL project="debian-cis"
LABEL url="https://github.com/ovh/debian-cis"
LABEL description="This image is used to run tests"
RUN groupadd -g 500 secaudit && useradd -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd
COPY --chown=500:500 . /opt/debian-cis/
COPY debian/default /etc/default/cis-hardening
RUN sed -i 's#cis-hardening#debian-cis#' /etc/default/cis-hardening
COPY cisharden.sudoers /etc/sudoers.d/secaudit
RUN sed -i 's#cisharden#secaudit#' /etc/sudoers.d/secaudit
ENTRYPOINT ["/opt/debian-cis/tests/launch_tests.sh"]

22
tests/docker/Dockerfile.debian9
View File

@ -1,22 +0,0 @@
FROM debian:stretch
LABEL vendor="OVH"
LABEL project="debian-cis"
LABEL url="https://github.com/ovh/debian-cis"
LABEL description="This image is used to run tests"
RUN groupadd -g 500 secaudit && useradd -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd
COPY --chown=500:500 . /opt/debian-cis/
COPY debian/default /etc/default/cis-hardening
RUN sed -i 's#cis-hardening#debian-cis#' /etc/default/cis-hardening
COPY cisharden.sudoers /etc/sudoers.d/secaudit
RUN sed -i 's#cisharden#secaudit#' /etc/sudoers.d/secaudit
ENTRYPOINT ["/opt/debian-cis/tests/launch_tests.sh"]

20
tests/hardening/1.1.1.8_disable_cramfs.sh Normal file
View File

@ -0,0 +1,20 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
}

16
tests/hardening/1.1.11.1_var_log_noexec.sh Normal file
View File

@ -0,0 +1,16 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
}

16
tests/hardening/1.1.11.2_var_log_nosuid.sh Normal file
View File

@ -0,0 +1,16 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
}

16
tests/hardening/1.1.11.3_var_log_nodev.sh Normal file
View File

@ -0,0 +1,16 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
}

16
tests/hardening/1.1.12.1_var_log_audit_noexec.sh Normal file
View File

@ -0,0 +1,16 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
}

16
tests/hardening/1.1.12.2_var_log_audit_nosuid.sh Normal file
View File

@ -0,0 +1,16 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
}

16
tests/hardening/1.1.12.3_var_log_audit_nodev.sh Normal file
View File

@ -0,0 +1,16 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
}

16
tests/hardening/1.1.14.1_home_nosuid.sh Normal file
View File

@ -0,0 +1,16 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
}

12
tests/hardening/1.1.15_run_shm_nodev.sh
View File

@ -2,19 +2,25 @@
# run-shellcheck # run-shellcheck
test_audit() { test_audit() {
describe Running on blank host describe Running on blank host
register_test retvalshouldbe 1 register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
ln -s /dev/shm /run/shm ln -s /dev/shm /run/shm
describe Partition symlink describe Partition symlink
register_test retvalshouldbe 1 register_test retvalshouldbe 0
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
echo "dummy entry" >>/etc/fstab
describe Fstab with a real entry to match runtime partitions
register_test retvalshouldbe 0
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# Cleanup # Cleanup
rm /run/shm rm /run/shm
sed "/dummy entry/d" /etc/fstab
################################################################## ##################################################################
# For this test, we only check that it runs properly on a blank # # For this test, we only check that it runs properly on a blank #

10
tests/hardening/1.1.16_run_shm_nosuid.sh
View File

@ -3,18 +3,24 @@
test_audit() { test_audit() {
describe Running on blank host describe Running on blank host
register_test retvalshouldbe 0 register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
ln -s /dev/shm /run/shm ln -s /dev/shm /run/shm
describe Partition symlink describe Partition symlink
register_test retvalshouldbe 1 register_test retvalshouldbe 0
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
echo "dummy entry" >>/etc/fstab
describe Fstab with a real entry to match runtime partitions
register_test retvalshouldbe 0
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# Cleanup # Cleanup
rm /run/shm rm /run/shm
sed "/dummy entry/d" /etc/fstab
################################################################## ##################################################################
# For this test, we only check that it runs properly on a blank # # For this test, we only check that it runs properly on a blank #

10
tests/hardening/1.1.17_run_shm_noexec.sh
View File

@ -3,18 +3,24 @@
test_audit() { test_audit() {
describe Running on blank host describe Running on blank host
register_test retvalshouldbe 0 register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
ln -s /dev/shm /run/shm ln -s /dev/shm /run/shm
describe Partition symlink describe Partition symlink
register_test retvalshouldbe 1 register_test retvalshouldbe 0
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
echo "dummy entry" >>/etc/fstab
describe Fstab with a real entry to match runtime partitions
register_test retvalshouldbe 0
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# Cleanup # Cleanup
rm /run/shm rm /run/shm
sed "/dummy entry/d" /etc/fstab
################################################################## ##################################################################
# For this test, we only check that it runs properly on a blank # # For this test, we only check that it runs properly on a blank #

20
tests/hardening/1.1.21_sticky_bit_world_writable_folder.sh
View File

@ -1,14 +1,20 @@
# shellcheck shell=bash # shellcheck shell=bash
# run-shellcheck # run-shellcheck
test_audit() { test_audit() {
describe Running void to generate the conf file that will later be edited
# shellcheck disable=2154
/opt/debian-cis/bin/hardening/"${script}".sh || true
# shellcheck disable=2016
echo 'EXCEPTIONS="$EXCEPTIONS /home/secaudit/exception"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
mkdir /home/secaudit/exception
chmod 777 /home/secaudit/exception
describe Running on blank host describe Running on blank host
register_test retvalshouldbe 0 register_test retvalshouldbe 0
register_test contain "All world writable directories have a sticky bit" register_test contain "All world writable directories have a sticky bit"
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Tests purposely failing describe Tests purposely failing
local targetdir="/home/secaudit/world_writable_folder" local targetdir="/home/secaudit/world_writable_folder"
mkdir $targetdir || true mkdir $targetdir || true
@ -17,6 +23,12 @@ test_audit() {
register_test contain "Some world writable directories are not on sticky bit mode" register_test contain "Some world writable directories are not on sticky bit mode"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Tests failing with find ignore flag
echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
register_test retvalshouldbe 1
register_test contain "Some world writable directories are not on sticky bit mode"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
@ -25,5 +37,5 @@ test_audit() {
register_test retvalshouldbe 0 register_test retvalshouldbe 0
register_test contain "All world writable directories have a sticky bit" register_test contain "All world writable directories have a sticky bit"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
} }

16
tests/hardening/1.1.6.1_var_nodev.sh Normal file
View File

@ -0,0 +1,16 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
}

16
tests/hardening/1.1.6.2_var_nosuid.sh Normal file
View File

@ -0,0 +1,16 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
}

16
tests/hardening/1.6.3.1_disable_apport.sh Normal file
View File

@ -0,0 +1,16 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
}

8
tests/hardening/4.1.10_record_failed_access_file.sh
View File

@ -13,10 +13,10 @@ test_audit() {
describe Checking resolved state describe Checking resolved state
register_test retvalshouldbe 0 register_test retvalshouldbe 0
register_test contain "[ OK ] -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/audit.rules" register_test contain "[ OK ] -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/audit.rules" register_test contain "[ OK ] -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/audit.rules" register_test contain "[ OK ] -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/audit.rules" register_test contain "[ OK ] -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/rules.d/audit.rules"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
} }

4
tests/hardening/4.1.12_record_successful_mount.sh
View File

@ -13,7 +13,7 @@ test_audit() {
describe Checking resolved state describe Checking resolved state
register_test retvalshouldbe 0 register_test retvalshouldbe 0
register_test contain "[ OK ] -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts is present in /etc/audit/audit.rules" register_test contain "[ OK ] -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts is present in /etc/audit/audit.rules" register_test contain "[ OK ] -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts is present in /etc/audit/rules.d/audit.rules"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
} }

4
tests/hardening/4.1.13_record_file_deletions.sh
View File

@ -13,7 +13,7 @@ test_audit() {
describe Checking resolved state describe Checking resolved state
register_test retvalshouldbe 0 register_test retvalshouldbe 0
register_test contain "[ OK ] -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete is present in /etc/audit/audit.rules" register_test contain "[ OK ] -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete is present in /etc/audit/audit.rules" register_test contain "[ OK ] -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete is present in /etc/audit/rules.d/audit.rules"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
} }

4
tests/hardening/4.1.14_record_sudoers_edit.sh
View File

@ -13,7 +13,7 @@ test_audit() {
describe Checking resolved state describe Checking resolved state
register_test retvalshouldbe 0 register_test retvalshouldbe 0
register_test contain "[ OK ] -w /etc/sudoers -p wa -k sudoers is present in /etc/audit/audit.rules" register_test contain "[ OK ] -w /etc/sudoers -p wa -k sudoers is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -w /etc/sudoers.d/ -p wa -k sudoers is present in /etc/audit/audit.rules" register_test contain "[ OK ] -w /etc/sudoers.d/ -p wa -k sudoers is present in /etc/audit/rules.d/audit.rules"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
} }

2
tests/hardening/4.1.15_record_sudo_usage.sh
View File

@ -13,6 +13,6 @@ test_audit() {
describe Checking resolved state describe Checking resolved state
register_test retvalshouldbe 0 register_test retvalshouldbe 0
register_test contain "[ OK ] -w /var/log/auth.log -p wa -k sudoaction is present in /etc/audit/audit.rules" register_test contain "[ OK ] -w /var/log/auth.log -p wa -k sudoaction is present in /etc/audit/rules.d/audit.rules"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
} }

6
tests/hardening/4.1.16_record_kernel_modules.sh
View File

@ -13,8 +13,8 @@ test_audit() {
describe Checking resolved state describe Checking resolved state
register_test retvalshouldbe 0 register_test retvalshouldbe 0
register_test contain "[ OK ] -w /sbin/rmmod -p x -k modules is present in /etc/audit/audit.rules" register_test contain "[ OK ] -w /sbin/rmmod -p x -k modules is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -w /sbin/modprobe -p x -k modules is present in /etc/audit/audit.rules" register_test contain "[ OK ] -w /sbin/modprobe -p x -k modules is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b64 -S init_module -S delete_module -k modules is present in /etc/audit/audit.rules" register_test contain "[ OK ] -a always,exit -F arch=b64 -S init_module -S delete_module -k modules is present in /etc/audit/rules.d/audit.rules"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
} }

2
tests/hardening/4.1.17_freeze_auditd_conf.sh
View File

@ -13,6 +13,6 @@ test_audit() {
describe Checking resolved state describe Checking resolved state
register_test retvalshouldbe 0 register_test retvalshouldbe 0
register_test contain "[ OK ] -e 2 is present in /etc/audit/audit.rules" register_test contain "[ OK ] -e 2 is present in /etc/audit/rules.d/audit.rules"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
} }

10
tests/hardening/4.1.3_record_date_time_edit.sh
View File

@ -13,10 +13,10 @@ test_audit() {
describe Checking resolved state describe Checking resolved state
register_test retvalshouldbe 0 register_test retvalshouldbe 0
register_test contain "[ OK ] -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change is present in /etc/audit/audit.rules" register_test contain "[ OK ] -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change is present in /etc/audit/audit.rules" register_test contain "[ OK ] -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b64 -S clock_settime -k time-change is present in /etc/audit/audit.rules" register_test contain "[ OK ] -a always,exit -F arch=b64 -S clock_settime -k time-change is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b32 -S clock_settime -k time-change is present in /etc/audit/audit.rules" register_test contain "[ OK ] -a always,exit -F arch=b32 -S clock_settime -k time-change is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -w /etc/localtime -p wa -k time-change is present in /etc/audit/audit.rules" register_test contain "[ OK ] -w /etc/localtime -p wa -k time-change is present in /etc/audit/rules.d/audit.rules"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
} }

10
tests/hardening/4.1.4_record_user_group_edit.sh
View File

@ -13,10 +13,10 @@ test_audit() {
describe Checking resolved state describe Checking resolved state
register_test retvalshouldbe 0 register_test retvalshouldbe 0
register_test contain "[ OK ] -w /etc/group -p wa -k identity is present in /etc/audit/audit.rules" register_test contain "[ OK ] -w /etc/group -p wa -k identity is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -w /etc/passwd -p wa -k identity is present in /etc/audit/audit.rules" register_test contain "[ OK ] -w /etc/passwd -p wa -k identity is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -w /etc/gshadow -p wa -k identity is present in /etc/audit/audit.rules" register_test contain "[ OK ] -w /etc/gshadow -p wa -k identity is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -w /etc/shadow -p wa -k identity is present in /etc/audit/audit.rules" register_test contain "[ OK ] -w /etc/shadow -p wa -k identity is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -w /etc/security/opasswd -p wa -k identity is present in /etc/audit/audit.rules" register_test contain "[ OK ] -w /etc/security/opasswd -p wa -k identity is present in /etc/audit/rules.d/audit.rules"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
} }

12
tests/hardening/4.1.5_record_network_edit.sh
View File

@ -13,12 +13,12 @@ test_audit() {
describe Checking resolved state describe Checking resolved state
register_test retvalshouldbe 0 register_test retvalshouldbe 0
register_test contain "[ OK ] -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale is present in /etc/audit/audit.rules" register_test contain "[ OK ] -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale is present in /etc/audit/audit.rules" register_test contain "[ OK ] -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -w /etc/issue -p wa -k system-locale is present in /etc/audit/audit.rules" register_test contain "[ OK ] -w /etc/issue -p wa -k system-locale is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -w /etc/issue.net -p wa -k system-locale is present in /etc/audit/audit.rules" register_test contain "[ OK ] -w /etc/issue.net -p wa -k system-locale is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -w /etc/hosts -p wa -k system-locale is present in /etc/audit/audit.rules" register_test contain "[ OK ] -w /etc/hosts -p wa -k system-locale is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -w /etc/network -p wa -k system-locale is present in /etc/audit/audit.rules" register_test contain "[ OK ] -w /etc/network -p wa -k system-locale is present in /etc/audit/rules.d/audit.rules"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
} }

2
tests/hardening/4.1.6_record_mac_edit.sh
View File

@ -13,6 +13,6 @@ test_audit() {
describe Checking resolved state describe Checking resolved state
register_test retvalshouldbe 0 register_test retvalshouldbe 0
register_test contain "[ OK ] -w /etc/selinux/ -p wa -k MAC-policy is present in /etc/audit/audit.rules" register_test contain "[ OK ] -w /etc/selinux/ -p wa -k MAC-policy is present in /etc/audit/rules.d/audit.rules"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
} }

6
tests/hardening/4.1.7_record_login_logout.sh
View File

@ -13,8 +13,8 @@ test_audit() {
describe Checking resolved state describe Checking resolved state
register_test retvalshouldbe 0 register_test retvalshouldbe 0
register_test contain "[ OK ] -w /var/log/faillog -p wa -k logins is present in /etc/audit/audit.rules" register_test contain "[ OK ] -w /var/log/faillog -p wa -k logins is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -w /var/log/lastlog -p wa -k logins is present in /etc/audit/audit.rules" register_test contain "[ OK ] -w /var/log/lastlog -p wa -k logins is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -w /var/log/tallylog -p wa -k logins is present in /etc/audit/audit.rules" register_test contain "[ OK ] -w /var/log/tallylog -p wa -k logins is present in /etc/audit/rules.d/audit.rules"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
} }

6
tests/hardening/4.1.8_record_session_init.sh
View File

@ -13,8 +13,8 @@ test_audit() {
describe Checking resolved state describe Checking resolved state
register_test retvalshouldbe 0 register_test retvalshouldbe 0
register_test contain "[ OK ] -w /var/run/utmp -p wa -k session is present in /etc/audit/audit.rules" register_test contain "[ OK ] -w /var/run/utmp -p wa -k session is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -w /var/log/wtmp -p wa -k session is present in /etc/audit/audit.rules" register_test contain "[ OK ] -w /var/log/wtmp -p wa -k session is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -w /var/log/btmp -p wa -k session is present in /etc/audit/audit.rules" register_test contain "[ OK ] -w /var/log/btmp -p wa -k session is present in /etc/audit/rules.d/audit.rules"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
} }

12
tests/hardening/4.1.9_record_dac_edit.sh
View File

@ -13,11 +13,11 @@ test_audit() {
describe Checking resolved state describe Checking resolved state
register_test retvalshouldbe 0 register_test retvalshouldbe 0
register_test contain "[ OK ] -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules" register_test contain "[ OK ] -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules" register_test contain "[ OK ] -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules" register_test contain "[ OK ] -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules" register_test contain "[ OK ] -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules" register_test contain "[ OK ] -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules" register_test contain "[ OK ] -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/rules.d/audit.rules"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
} }

2
tests/hardening/5.3.4_acc_pam_sha512.sh
View File

@ -3,7 +3,7 @@
test_audit() { test_audit() {
describe Running on blank host describe Running on blank host
register_test retvalshouldbe 0 register_test retvalshouldbe 0
register_test contain "[ OK ] ^\s*password\s.+\s+pam_unix\.so\s+.*sha512 is present in /etc/pam.d/common-password" register_test contain REGEX "[ OK ] .*(sha512|yescrypt) is present in /etc/pam.d/common-password"
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
} }

19
tests/hardening/6.1.10_find_world_writable_file.sh
View File

@ -1,11 +1,14 @@
# shellcheck shell=bash # shellcheck shell=bash
# run-shellcheck # run-shellcheck
test_audit() { test_audit() {
describe Running void to generate the conf file that will later be edited
# shellcheck disable=2154
/opt/debian-cis/bin/hardening/"${script}".sh || true
# shellcheck disable=2016
echo 'EXCLUDED="$EXCLUDED ^/home/secaudit/thisfileisignored.*|^/dev/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
touch /home/secaudit/thisfileisignored
chmod 777 /home/secaudit/thisfileisignored
#run this test only if we're not in docker
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Running on blank host describe Running on blank host
register_test retvalshouldbe 0 register_test retvalshouldbe 0
register_test contain "No world writable files found" register_test contain "No world writable files found"
@ -20,6 +23,12 @@ test_audit() {
register_test contain "Some world writable files are present" register_test contain "Some world writable files are present"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Tests failing with find ignore flag
echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
register_test retvalshouldbe 1
register_test contain "Some world writable files are present"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
@ -28,5 +37,5 @@ test_audit() {
register_test retvalshouldbe 0 register_test retvalshouldbe 0
register_test contain "No world writable files found" register_test contain "No world writable files found"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
} }

Some files were not shown because too many files have changed in this diff Show More