mirror of
https://github.com/ovh/debian-cis.git
synced 2025-07-16 05:42:17 +02:00
Compare commits
16 Commits
Author | SHA1 | Date | |
---|---|---|---|
97914976c8 | |||
66c8ccf495 | |||
b53bf1795c | |||
1a874b2b35 | |||
7266ec7cb4 | |||
8f855ac159 | |||
ad192c9457 | |||
3d2d97a727 | |||
6e2fb1570c | |||
faf5b155e5 | |||
43887d4165 | |||
499ebf2f9b | |||
afed5a9dce | |||
01c3d1b98c | |||
25e899168f | |||
9a2e3a0e0d |
6
.github/workflows/pre-release.yml
vendored
6
.github/workflows/pre-release.yml
vendored
@ -21,7 +21,7 @@ jobs:
|
|||||||
find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
|
find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
|
||||||
# DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
|
# DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
|
||||||
- name: Delete the tag latest and the release latest
|
- name: Delete the tag latest and the release latest
|
||||||
uses: dev-drprasad/delete-tag-and-release@v0.1.3
|
uses: dev-drprasad/delete-tag-and-release@v0.2.0
|
||||||
with:
|
with:
|
||||||
delete_release: true
|
delete_release: true
|
||||||
tag_name: latest
|
tag_name: latest
|
||||||
@ -29,12 +29,12 @@ jobs:
|
|||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
# GET LATEST VERSION TAG
|
# GET LATEST VERSION TAG
|
||||||
- name: Get latest version tag
|
- name: Get latest version tag
|
||||||
uses: actions-ecosystem/action-get-latest-tag@v1
|
uses: actions-ecosystem/action-get-latest-tag@v1.4.1
|
||||||
id: get-latest-tag
|
id: get-latest-tag
|
||||||
# GENERATE CHANGELOG CORRESPONDING TO COMMIT BETWEEN HEAD AND COMPUTED LAST TAG
|
# GENERATE CHANGELOG CORRESPONDING TO COMMIT BETWEEN HEAD AND COMPUTED LAST TAG
|
||||||
- name: Generate changelog
|
- name: Generate changelog
|
||||||
id: changelog
|
id: changelog
|
||||||
uses: metcalfc/changelog-generator@v0.4.4
|
uses: metcalfc/changelog-generator@v1.0.0
|
||||||
with:
|
with:
|
||||||
myToken: ${{ secrets.GITHUB_TOKEN }}
|
myToken: ${{ secrets.GITHUB_TOKEN }}
|
||||||
head-ref: ${{ github.sha }}
|
head-ref: ${{ github.sha }}
|
||||||
|
@ -10,7 +10,7 @@ jobs:
|
|||||||
- name: Checkout repo
|
- name: Checkout repo
|
||||||
uses: actions/checkout@v2
|
uses: actions/checkout@v2
|
||||||
- name: Run the sh-checker
|
- name: Run the sh-checker
|
||||||
uses: luizm/action-sh-checker@v0.1.12
|
uses: luizm/action-sh-checker@v0.3.0
|
||||||
env:
|
env:
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Optional if sh_checker_comment is false.
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Optional if sh_checker_comment is false.
|
||||||
SHFMT_OPTS: -l -i 4 -w # Optional: pass arguments to shfmt.
|
SHFMT_OPTS: -l -i 4 -w # Optional: pass arguments to shfmt.
|
||||||
|
2
.github/workflows/tagged-release.yml
vendored
2
.github/workflows/tagged-release.yml
vendored
@ -35,7 +35,7 @@ jobs:
|
|||||||
find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
|
find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
|
||||||
# DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
|
# DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
|
||||||
- name: Delete the tag latest and the release latest
|
- name: Delete the tag latest and the release latest
|
||||||
uses: dev-drprasad/delete-tag-and-release@v0.1.3
|
uses: dev-drprasad/delete-tag-and-release@v0.2.0
|
||||||
with:
|
with:
|
||||||
delete_release: true
|
delete_release: true
|
||||||
tag_name: latest
|
tag_name: latest
|
||||||
|
@ -26,6 +26,7 @@ ALLOW_SERVICE_LIST=0
|
|||||||
SET_HARDENING_LEVEL=0
|
SET_HARDENING_LEVEL=0
|
||||||
SUDO_MODE=''
|
SUDO_MODE=''
|
||||||
BATCH_MODE=''
|
BATCH_MODE=''
|
||||||
|
SUMMARY_JSON=''
|
||||||
ASK_LOGLEVEL=''
|
ASK_LOGLEVEL=''
|
||||||
ALLOW_UNSUPPORTED_DISTRIBUTION=0
|
ALLOW_UNSUPPORTED_DISTRIBUTION=0
|
||||||
|
|
||||||
@ -80,7 +81,7 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
|
|||||||
Modifies the policy to allow a certain kind of services on the machine, such
|
Modifies the policy to allow a certain kind of services on the machine, such
|
||||||
as http, mail, etc. Can be specified multiple times to allow multiple services.
|
as http, mail, etc. Can be specified multiple times to allow multiple services.
|
||||||
Use --allow-service-list to get a list of supported services.
|
Use --allow-service-list to get a list of supported services.
|
||||||
|
|
||||||
--create-config-files-only
|
--create-config-files-only
|
||||||
Create the config files in etc/conf.d
|
Create the config files in etc/conf.d
|
||||||
Must be run as root, before running the audit with user secaudit
|
Must be run as root, before running the audit with user secaudit
|
||||||
@ -101,14 +102,18 @@ OPTIONS:
|
|||||||
Finally note that '--sudo' mode only works for audit mode.
|
Finally note that '--sudo' mode only works for audit mode.
|
||||||
|
|
||||||
--set-log-level <level>
|
--set-log-level <level>
|
||||||
This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
|
This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug or silent.
|
||||||
Default value is : info
|
Default value is : info
|
||||||
|
|
||||||
|
--summary-json
|
||||||
|
While performing system audit, this option sets LOGLEVEL to silent and
|
||||||
|
only output a json summary at the end
|
||||||
|
|
||||||
--batch
|
--batch
|
||||||
While performing system audit, this option sets LOGLEVEL to 'ok' and
|
While performing system audit, this option sets LOGLEVEL to 'ok' and
|
||||||
captures all output to print only one line once the check is done, formatted like :
|
captures all output to print only one line once the check is done, formatted like :
|
||||||
OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
|
OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
|
||||||
|
|
||||||
--allow-unsupported-distribution
|
--allow-unsupported-distribution
|
||||||
Must be specified manually in the command line to allow the run on non compatible
|
Must be specified manually in the command line to allow the run on non compatible
|
||||||
version or distribution. If you want to mute the warning change the LOGLEVEL
|
version or distribution. If you want to mute the warning change the LOGLEVEL
|
||||||
@ -165,6 +170,10 @@ while [[ $# -gt 0 ]]; do
|
|||||||
--sudo)
|
--sudo)
|
||||||
SUDO_MODE='--sudo'
|
SUDO_MODE='--sudo'
|
||||||
;;
|
;;
|
||||||
|
--summary-json)
|
||||||
|
SUMMARY_JSON='--summary-json'
|
||||||
|
ASK_LOGLEVEL=silent
|
||||||
|
;;
|
||||||
--batch)
|
--batch)
|
||||||
BATCH_MODE='--batch'
|
BATCH_MODE='--batch'
|
||||||
ASK_LOGLEVEL=ok
|
ASK_LOGLEVEL=ok
|
||||||
@ -299,19 +308,19 @@ for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
|
|||||||
info "Treating $SCRIPT"
|
info "Treating $SCRIPT"
|
||||||
if [ "$CREATE_CONFIG" = 1 ]; then
|
if [ "$CREATE_CONFIG" = 1 ]; then
|
||||||
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only"
|
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only"
|
||||||
"$SCRIPT" --create-config-files-only "$BATCH_MODE"
|
LOGLEVEL=$LOGLEVEL "$SCRIPT" --create-config-files-only "$BATCH_MODE"
|
||||||
elif [ "$AUDIT" = 1 ]; then
|
elif [ "$AUDIT" = 1 ]; then
|
||||||
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
|
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
|
||||||
"$SCRIPT" --audit "$SUDO_MODE" "$BATCH_MODE"
|
LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit "$SUDO_MODE" "$BATCH_MODE"
|
||||||
elif [ "$AUDIT_ALL" = 1 ]; then
|
elif [ "$AUDIT_ALL" = 1 ]; then
|
||||||
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
|
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
|
||||||
"$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
|
LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
|
||||||
elif [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
|
elif [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
|
||||||
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
|
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
|
||||||
"$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
|
LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
|
||||||
elif [ "$APPLY" = 1 ]; then
|
elif [ "$APPLY" = 1 ]; then
|
||||||
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
|
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
|
||||||
"$SCRIPT"
|
LOGLEVEL=$LOGLEVEL "$SCRIPT"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
SCRIPT_EXITCODE=$?
|
SCRIPT_EXITCODE=$?
|
||||||
@ -355,6 +364,18 @@ if [ "$BATCH_MODE" ]; then
|
|||||||
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
|
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
|
||||||
fi
|
fi
|
||||||
becho "$BATCH_SUMMARY"
|
becho "$BATCH_SUMMARY"
|
||||||
|
elif [ "$SUMMARY_JSON" ]; then
|
||||||
|
if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
|
||||||
|
CONFORMITY_PERCENTAGE=$(div $((PASSED_CHECKS * 100)) $TOTAL_TREATED_CHECKS)
|
||||||
|
else
|
||||||
|
CONFORMITY_PERCENTAGE=0 # No check runned, avoid division by 0
|
||||||
|
fi
|
||||||
|
printf '{'
|
||||||
|
printf '"available_checks": %s, ' "$TOTAL_CHECKS"
|
||||||
|
printf '"run_checks": %s, ' "$TOTAL_TREATED_CHECKS"
|
||||||
|
printf '"passed_checks": %s, ' "$PASSED_CHECKS"
|
||||||
|
printf '"conformity_percentage": %s' "$CONFORMITY_PERCENTAGE"
|
||||||
|
printf '}\n'
|
||||||
else
|
else
|
||||||
printf "%40s\n" "################### SUMMARY ###################"
|
printf "%40s\n" "################### SUMMARY ###################"
|
||||||
printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
|
printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
|
||||||
|
@ -26,7 +26,7 @@ audit() {
|
|||||||
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||||
ok "Container detected, consider host enforcing or disable this check!"
|
ok "Container detected, consider host enforcing or disable this check!"
|
||||||
else
|
else
|
||||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
|
||||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
crit "$MODULE_NAME is enabled!"
|
crit "$MODULE_NAME is enabled!"
|
||||||
else
|
else
|
||||||
@ -41,7 +41,7 @@ apply() {
|
|||||||
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||||
ok "Container detected, consider host enforcing!"
|
ok "Container detected, consider host enforcing!"
|
||||||
else
|
else
|
||||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
|
||||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
|
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
|
||||||
else
|
else
|
||||||
|
@ -26,7 +26,7 @@ audit() {
|
|||||||
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||||
ok "Container detected, consider host enforcing or disable this check!"
|
ok "Container detected, consider host enforcing or disable this check!"
|
||||||
else
|
else
|
||||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
|
||||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
crit "$MODULE_NAME is enabled!"
|
crit "$MODULE_NAME is enabled!"
|
||||||
else
|
else
|
||||||
@ -41,7 +41,7 @@ apply() {
|
|||||||
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||||
ok "Container detected, consider host enforcing!"
|
ok "Container detected, consider host enforcing!"
|
||||||
else
|
else
|
||||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
|
||||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
|
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
|
||||||
else
|
else
|
||||||
|
@ -23,6 +23,7 @@ FILE='/boot/grub/grub.cfg'
|
|||||||
USER='root'
|
USER='root'
|
||||||
GROUP='root'
|
GROUP='root'
|
||||||
PERMISSIONS='400'
|
PERMISSIONS='400'
|
||||||
|
PERMISSIONSOK='400 600'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
@ -33,7 +34,7 @@ audit() {
|
|||||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$FILE has correct permissions"
|
ok "$FILE has correct permissions"
|
||||||
else
|
else
|
||||||
@ -51,7 +52,7 @@ apply() {
|
|||||||
chown "$USER":"$GROUP" "$FILE"
|
chown "$USER":"$GROUP" "$FILE"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$FILE has correct permissions"
|
ok "$FILE has correct permissions"
|
||||||
else
|
else
|
||||||
@ -63,7 +64,7 @@ apply() {
|
|||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
||||||
check_config() {
|
check_config() {
|
||||||
|
|
||||||
is_pkg_installed "grub-pc"
|
is_pkg_installed "grub-common"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
warn "Grub is not installed, not handling configuration"
|
warn "Grub is not installed, not handling configuration"
|
||||||
exit 2
|
exit 2
|
||||||
|
@ -55,9 +55,9 @@ apply() {
|
|||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
||||||
check_config() {
|
check_config() {
|
||||||
is_pkg_installed "grub-pc"
|
is_pkg_installed "grub-common"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
warn "grub-pc is not installed, not handling configuration"
|
warn "Grub is not installed, not handling configuration"
|
||||||
exit 2
|
exit 2
|
||||||
fi
|
fi
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
|
@ -33,7 +33,7 @@ audit() {
|
|||||||
done
|
done
|
||||||
|
|
||||||
if [ "$ERROR" = 0 ]; then
|
if [ "$ERROR" = 0 ]; then
|
||||||
is_pkg_installed "grub-pc"
|
is_pkg_installed "grub-common"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
if [ "$IS_CONTAINER" -eq 1 ]; then
|
if [ "$IS_CONTAINER" -eq 1 ]; then
|
||||||
ok "Grub is not installed in container"
|
ok "Grub is not installed in container"
|
||||||
|
@ -32,8 +32,8 @@ audit() {
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
if [ "$ERROR" = 0 ]; then
|
if [ "$ERROR" = 0 ]; then
|
||||||
RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
|
RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined" || true)
|
||||||
RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode.")
|
RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode." || true)
|
||||||
|
|
||||||
if [ -n "$RESULT_UNCONFINED" ]; then
|
if [ -n "$RESULT_UNCONFINED" ]; then
|
||||||
ok "No profiles are unconfined"
|
ok "No profiles are unconfined"
|
||||||
@ -61,8 +61,8 @@ apply() {
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined")
|
RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined" || true)
|
||||||
RESULT_COMPLAIN=$(apparmor_status | grep "^0 profiles are in complain mode.")
|
RESULT_COMPLAIN=$(apparmor_status | grep "^0 profiles are in complain mode." || true)
|
||||||
|
|
||||||
if [ -n "$RESULT_UNCONFINED" ]; then
|
if [ -n "$RESULT_UNCONFINED" ]; then
|
||||||
ok "No profiles are unconfined"
|
ok "No profiles are unconfined"
|
||||||
|
@ -25,17 +25,11 @@ CONF_FILE='/etc/chrony/chrony.conf'
|
|||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
is_pkg_installed "$PACKAGE"
|
does_pattern_exist_in_file "$CONF_FILE" "$CONF_DEFAULT_PATTERN"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PACKAGE is not installed!"
|
crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE"
|
||||||
else
|
else
|
||||||
ok "$PACKAGE is installed, checking configuration"
|
ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE"
|
||||||
does_pattern_exist_in_file "$CONF_FILE" "$CONF_DEFAULT_PATTERN"
|
|
||||||
if [ "$FNRET" != 0 ]; then
|
|
||||||
crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE"
|
|
||||||
else
|
|
||||||
ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE"
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -46,7 +40,11 @@ apply() {
|
|||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
||||||
check_config() {
|
check_config() {
|
||||||
:
|
is_pkg_installed "$PACKAGE"
|
||||||
|
if [ "$FNRET" != 0 ]; then
|
||||||
|
warn "$PACKAGE is not installed, not handling configuration"
|
||||||
|
exit 2
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
|
@ -20,30 +20,24 @@ DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters an
|
|||||||
HARDENING_EXCEPTION=ntp
|
HARDENING_EXCEPTION=ntp
|
||||||
|
|
||||||
PACKAGE='ntp'
|
PACKAGE='ntp'
|
||||||
NTP_CONF_DEFAULT_PATTERN='^restrict -4 default (kod nomodify notrap nopeer noquery|ignore)'
|
NTP_CONF_DEFAULT_PATTERN='^restrict -4 default (kod nomodify notrap nopeer noquery|kod notrap nomodify nopeer noquery|ignore)'
|
||||||
NTP_CONF_FILE='/etc/ntp.conf'
|
NTP_CONF_FILE='/etc/ntp.conf'
|
||||||
NTP_INIT_PATTERN='RUNASUSER=ntp'
|
NTP_INIT_PATTERN='RUNASUSER=ntp'
|
||||||
NTP_INIT_FILE='/etc/init.d/ntp'
|
NTP_INIT_FILE='/etc/init.d/ntp'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
is_pkg_installed "$PACKAGE"
|
does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PACKAGE is not installed!"
|
crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
|
||||||
else
|
else
|
||||||
ok "$PACKAGE is installed, checking configuration"
|
ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
|
||||||
does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
|
fi
|
||||||
if [ "$FNRET" != 0 ]; then
|
does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
|
||||||
crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
|
if [ "$FNRET" != 0 ]; then
|
||||||
else
|
crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE"
|
||||||
ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
|
else
|
||||||
fi
|
ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
|
||||||
does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
|
|
||||||
if [ "$FNRET" != 0 ]; then
|
|
||||||
crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE"
|
|
||||||
else
|
|
||||||
ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -77,7 +71,11 @@ apply() {
|
|||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
||||||
check_config() {
|
check_config() {
|
||||||
:
|
is_pkg_installed "$PACKAGE"
|
||||||
|
if [ "$FNRET" != 0 ]; then
|
||||||
|
warn "$PACKAGE is not installed, not handling configuration"
|
||||||
|
exit 2
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
|
@ -28,7 +28,7 @@ audit() {
|
|||||||
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||||
ok "Container detected, consider host enforcing or disable this check!"
|
ok "Container detected, consider host enforcing or disable this check!"
|
||||||
else
|
else
|
||||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
|
||||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
crit "$MODULE_NAME is enabled!"
|
crit "$MODULE_NAME is enabled!"
|
||||||
else
|
else
|
||||||
|
@ -31,7 +31,7 @@ audit() {
|
|||||||
debug "$FILE_SEARCHED is a directory"
|
debug "$FILE_SEARCHED is a directory"
|
||||||
# shellcheck disable=2044
|
# shellcheck disable=2044
|
||||||
for file_in_dir in $(find "$FILE_SEARCHED" -type f); do
|
for file_in_dir in $(find "$FILE_SEARCHED" -type f); do
|
||||||
does_pattern_exist_in_file "$file_in_dir" "^$PATTERN"
|
does_pattern_exist_in_file "$file_in_dir" "$PATTERN"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
|
debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
|
||||||
else
|
else
|
||||||
@ -41,7 +41,7 @@ audit() {
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
else
|
else
|
||||||
does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
|
does_pattern_exist_in_file "$FILE_SEARCHED" "$PATTERN"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
debug "$PATTERN is not present in $FILE_SEARCHED"
|
debug "$PATTERN is not present in $FILE_SEARCHED"
|
||||||
else
|
else
|
||||||
@ -64,7 +64,7 @@ apply() {
|
|||||||
debug "$FILE_SEARCHED is a directory"
|
debug "$FILE_SEARCHED is a directory"
|
||||||
# shellcheck disable=2044
|
# shellcheck disable=2044
|
||||||
for file_in_dir in $(find "$FILE_SEARCHED" -type f); do
|
for file_in_dir in $(find "$FILE_SEARCHED" -type f); do
|
||||||
does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
|
does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "$PATTERN"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
|
debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
|
||||||
else
|
else
|
||||||
@ -74,7 +74,7 @@ apply() {
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
else
|
else
|
||||||
does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
|
does_pattern_exist_in_file "$FILE_SEARCHED" "$PATTERN"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
debug "$PATTERN is not present in $FILE_SEARCHED"
|
debug "$PATTERN is not present in $FILE_SEARCHED"
|
||||||
else
|
else
|
||||||
@ -87,8 +87,7 @@ apply() {
|
|||||||
warn "$PATTERN is not present in $FILES_TO_SEARCH"
|
warn "$PATTERN is not present in $FILES_TO_SEARCH"
|
||||||
touch "$FILE"
|
touch "$FILE"
|
||||||
chmod 644 "$FILE"
|
chmod 644 "$FILE"
|
||||||
add_end_of_file "$FILE" "$PATTERN$VALUE"
|
add_end_of_file "$FILE" "readonly $PATTERN$VALUE"
|
||||||
add_end_of_file "$FILE" "readonly TMOUT"
|
|
||||||
add_end_of_file "$FILE" "export TMOUT"
|
add_end_of_file "$FILE" "export TMOUT"
|
||||||
else
|
else
|
||||||
ok "$PATTERN is present in $FILES_TO_SEARCH"
|
ok "$PATTERN is present in $FILES_TO_SEARCH"
|
||||||
|
@ -49,7 +49,6 @@ apply() {
|
|||||||
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
|
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
|
||||||
replace_in_file "$CONF_FILE" "^$(echo "$CONF_LINE" | cut -d ' ' -f1)[[:space:]]*.*" "$CONF_LINE"
|
replace_in_file "$CONF_FILE" "^$(echo "$CONF_LINE" | cut -d ' ' -f1)[[:space:]]*.*" "$CONF_LINE"
|
||||||
fi
|
fi
|
||||||
/etc/init.d/ssh reload >/dev/null 2>&1
|
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -37,7 +37,7 @@ audit() {
|
|||||||
pw_found+="$user "
|
pw_found+="$user "
|
||||||
ok "User $user has a disabled password."
|
ok "User $user has a disabled password."
|
||||||
# Check password against $6$<salt>$<encrypted>, see `man 3 crypt`
|
# Check password against $6$<salt>$<encrypted>, see `man 3 crypt`
|
||||||
elif [[ $passwd =~ ^\$6\$[a-zA-Z0-9./]{2,16}\$[a-zA-Z0-9./]{86}$ ]]; then
|
elif [[ $passwd =~ ^\$6(\$rounds=[0-9]+)?\$[a-zA-Z0-9./]{2,16}\$[a-zA-Z0-9./]{86}$ ]]; then
|
||||||
pw_found+="$user "
|
pw_found+="$user "
|
||||||
ok "User $user has suitable SHA512 hashed password."
|
ok "User $user has suitable SHA512 hashed password."
|
||||||
else
|
else
|
||||||
|
@ -25,6 +25,9 @@ backup_file() {
|
|||||||
#
|
#
|
||||||
|
|
||||||
case $LOGLEVEL in
|
case $LOGLEVEL in
|
||||||
|
silent)
|
||||||
|
MACHINE_LOG_LEVEL=0
|
||||||
|
;;
|
||||||
error)
|
error)
|
||||||
MACHINE_LOG_LEVEL=1
|
MACHINE_LOG_LEVEL=1
|
||||||
;;
|
;;
|
||||||
|
@ -10,9 +10,16 @@ BATCH_OUTPUT=""
|
|||||||
status=""
|
status=""
|
||||||
forcedstatus=""
|
forcedstatus=""
|
||||||
SUDO_CMD=""
|
SUDO_CMD=""
|
||||||
|
SAVED_LOGLEVEL=""
|
||||||
|
|
||||||
|
if [ -n "${LOGLEVEL:-}" ]; then
|
||||||
|
SAVED_LOGLEVEL=$LOGLEVEL
|
||||||
|
fi
|
||||||
# shellcheck source=../etc/hardening.cfg
|
# shellcheck source=../etc/hardening.cfg
|
||||||
[ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
|
[ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
|
||||||
|
if [ -n "$SAVED_LOGLEVEL" ]; then
|
||||||
|
LOGLEVEL=$SAVED_LOGLEVEL
|
||||||
|
fi
|
||||||
# shellcheck source=../lib/common.sh
|
# shellcheck source=../lib/common.sh
|
||||||
[ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
|
[ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
|
||||||
# shellcheck source=../lib/utils.sh
|
# shellcheck source=../lib/utils.sh
|
||||||
|
@ -384,9 +384,9 @@ is_kernel_option_enabled() {
|
|||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
if [ "$MODPROBE_FILTER" != "" ]; then
|
if [ "$MODPROBE_FILTER" != "" ]; then
|
||||||
DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | grep -E "$MODPROBE_FILTER" | xargs)"
|
DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | grep -E "$MODPROBE_FILTER" | tail -1 | xargs)"
|
||||||
else
|
else
|
||||||
DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | xargs)"
|
DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | tail -1 | xargs)"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$DEF_MODULE" == "install /bin/true" ] || [ "$DEF_MODULE" == "install /bin/false" ]; then
|
if [ "$DEF_MODULE" == "install /bin/true" ] || [ "$DEF_MODULE" == "install /bin/false" ]; then
|
||||||
|
@ -29,4 +29,12 @@ EOF
|
|||||||
register_test retvalshouldbe 0
|
register_test retvalshouldbe 0
|
||||||
register_test contain "User secaudit has suitable SHA512 hashed password"
|
register_test contain "User secaudit has suitable SHA512 hashed password"
|
||||||
run sha512pass /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run sha512pass /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
chpasswd -c SHA512 -s 1000 <<EOF
|
||||||
|
secaudit:mypassword
|
||||||
|
EOF
|
||||||
|
describe Pass: Found properly hashed password with custom round number
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
register_test contain "User secaudit has suitable SHA512 hashed password"
|
||||||
|
run sha512pass /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
}
|
}
|
||||||
|
Reference in New Issue
Block a user