Compare commits

...

21 Commits

Author SHA1 Message Date
bc98bedf73 bump to 4.0-1 2023-07-10 07:21:13 +00:00
873ef8827d fix: 99.1.3_acc_sudoers_no_all: fix a race condition (#186)
On systems where /etc/sudoers.d might be updated often by some automated means, this
check might raise a critical when a previously present file (during the ls) is no longer
present (during its attempted read), so before raising a critical, re-check that it
does exist first.
2023-07-03 17:05:45 +02:00
bd27cd0dae fix: change auditd file rule remediation (#179)
Fixes #165
2023-05-05 12:32:22 +02:00
f28ffc244c fix: correct debian package compression override (#181) 2023-05-02 18:06:59 +02:00
19ce790a27 fix: ensure mountpoints are properly detected (#177)
Fixes #155
When real entries are present in fstab, system startup or runtime mountpoints are now properly detected
Add a supplementary check in case of partition not present in fstab
2023-05-02 18:01:53 +02:00
47cf86237b fix: correct search in 5.4.5_default_timeout in apply mode (#178)
fixes #116
2023-05-02 17:57:35 +02:00
ccd9c1a7aa fix: force xz compression during .deb build (#180)
zst compression is only available on Debian 12; since the release is built on Ubuntu latest, this was breaking the release.
Fixes #175
2023-05-02 15:24:32 +02:00
04457e7df2 feat: official Debian 11 compatibility (#176)
Introduce Debian 11 compatibility
Based on CIS_Debian_Linux_11_Benchmark_v1.0.0

After review, here are the notable changes :
 - Harden /var/log more (noexec,nodev,nosuid)
 - Harden /var/log/audit more (noexec,nodev,nosuid)
 - Harden /home more (nosuid)
 - Disable cramfs
 - Fix 5.3.4_acc_pam_sha512.sh
 - Deprecate Debian 9 and remove useless docker images

NB : more audit log rules have been introduced and will be inserted in the checks later
Fix #158
2023-05-02 14:16:19 +02:00
05521d5961 Bump luizm/action-sh-checker from 0.5.0 to 0.7.0 (#171)
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.5.0 to 0.7.0.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.5.0...v0.7.0)

---
updated-dependencies:
- dependency-name: luizm/action-sh-checker
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-04-26 10:20:11 +02:00
06525f06f9 bump to 3.8-1 2023-03-23 10:03:37 +00:00
d5c1c63971 Bump luizm/action-sh-checker from 0.4.0 to 0.5.0 (#161)
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.4.0 to 0.5.0.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.4.0...v0.5.0)

---
updated-dependencies:
- dependency-name: luizm/action-sh-checker
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2023-03-23 10:56:12 +01:00
7d93ddeb86 Bump metcalfc/changelog-generator from 3.0.0 to 4.1.0 (#169)
Bumps [metcalfc/changelog-generator](https://github.com/metcalfc/changelog-generator) from 3.0.0 to 4.1.0.
- [Release notes](https://github.com/metcalfc/changelog-generator/releases)
- [Changelog](https://github.com/metcalfc/changelog-generator/blob/main/release-notes.png)
- [Commits](https://github.com/metcalfc/changelog-generator/compare/v3.0.0...v4.1.0)

---
updated-dependencies:
- dependency-name: metcalfc/changelog-generator
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2023-03-23 10:50:46 +01:00
a35ecab377 Bump dev-drprasad/delete-tag-and-release from 0.2.0 to 0.2.1 (#170)
Bumps [dev-drprasad/delete-tag-and-release](https://github.com/dev-drprasad/delete-tag-and-release) from 0.2.0 to 0.2.1.
- [Release notes](https://github.com/dev-drprasad/delete-tag-and-release/releases)
- [Commits](https://github.com/dev-drprasad/delete-tag-and-release/compare/v0.2.0...v0.2.1)

---
updated-dependencies:
- dependency-name: dev-drprasad/delete-tag-and-release
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-03-23 10:47:09 +01:00
dc952b90df fix: timeout of 99.1.3 (#168)
The 99.1.3_acc_sudoers_no_all.sh script can sometimes timeout
on servers where /etc/sudoers.d/ has thousands of files.
This patch makes it run roughly 5x faster, as tested on a
server with 1500 files in sudoers.d/.

Closes #167.

Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>

Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>
2022-12-22 09:47:35 +01:00
82a217032d fix(6.2.9): Start from UID 1000 for home ownership check (#164)
Rename 6.2.3 and 6.2.9 checks to be more accurate
Remove home existence check from 6.2.9 as it's handled by 6.2.3
Update tests accordingly
Fixes #163

Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
2022-09-30 10:28:48 +02:00
e478a89bad bump to 3.7-1 (#160) 2022-07-04 15:37:08 +02:00
371c23cd52 feat: add FIND_IGNORE_NOSUCHFILE_ERR flag (#159)
This flag can be used to prevent find-related checks from failing because one part of the filesystem disappears (i.e. ephemeral directories or files)
2022-07-04 14:29:25 +02:00
ea8334d516 bump to 3.6-1 (#157)
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
2022-06-27 12:13:01 +02:00
987bb9c975 Bump luizm/action-sh-checker from 0.3.0 to 0.4.0 (#154)
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.3.0 to 0.4.0.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.3.0...v0.4.0)

---
updated-dependencies:
- dependency-name: luizm/action-sh-checker
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-06-26 16:58:46 +02:00
3031bb55d1 Bump actions-ecosystem/action-get-latest-tag from 1.5.0 to 1.6.0 (#153)
Bumps [actions-ecosystem/action-get-latest-tag](https://github.com/actions-ecosystem/action-get-latest-tag) from 1.5.0 to 1.6.0.
- [Release notes](https://github.com/actions-ecosystem/action-get-latest-tag/releases)
- [Commits](https://github.com/actions-ecosystem/action-get-latest-tag/compare/v1.5.0...v1.6.0)

---
updated-dependencies:
- dependency-name: actions-ecosystem/action-get-latest-tag
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
2022-06-24 17:55:26 +02:00
66ccc6316a feat: Filter the filesystem to check when the list is built. (#156)
* feat: Attempt to filter out filesystems that match exclusion regex.
2022-06-24 17:45:47 +02:00
87 changed files with 2016 additions and 395 deletions

View File

@ -4,13 +4,6 @@ on:
- pull_request
- push
jobs:
functionnal-tests-docker-debian9:
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@v3
- name: Run the tests debian9
run: ./tests/docker_build_and_run_tests.sh debian9
functionnal-tests-docker-debian10:
runs-on: ubuntu-latest
steps:
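Review bot: this hunk only removes the `functionnal-tests-docker-debian9` job and adds nothing in its place, so nothing visible here exercises the Debian 11 target that the README hunk now advertises. Confirm that a `debian11` job running `./tests/docker_build_and_run_tests.sh debian11` exists elsewhere in this workflow, otherwise the new checks ship without functional test coverage.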

View File

@ -21,7 +21,7 @@ jobs:
find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
# DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
- name: Delete the tag latest and the release latest
uses: dev-drprasad/delete-tag-and-release@v0.2.0
uses: dev-drprasad/delete-tag-and-release@v0.2.1
with:
delete_release: true
tag_name: latest
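Review bot: `uses: dev-drprasad/delete-tag-and-release@v0.2.1` is still referenced by a mutable tag, in a step that deletes a tag and a release (`delete_release: true`). Pin the action to the full commit SHA behind v0.2.1 and keep the version as a trailing comment, so that a retagged upstream release cannot change what runs in the release job.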
@ -29,12 +29,12 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# GET LATEST VERSION TAG
- name: Get latest version tag
uses: actions-ecosystem/action-get-latest-tag@v1.5.0
uses: actions-ecosystem/action-get-latest-tag@v1.6.0
id: get-latest-tag
# GENERATE CHANGELOG CORRESPONDING TO COMMIT BETWEEN HEAD AND COMPUTED LAST TAG
- name: Generate changelog
id: changelog
uses: metcalfc/changelog-generator@v3.0.0
uses: metcalfc/changelog-generator@v4.1.0
with:
myToken: ${{ secrets.GITHUB_TOKEN }}
head-ref: ${{ github.sha }}
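Review bot: `metcalfc/changelog-generator@v3.0.0` to `@v4.1.0` is a major-version jump for an action that is handed `myToken: ${{ secrets.GITHUB_TOKEN }}`, and the `with:` block is left untouched. Check the v4 release notes to confirm that `myToken` and `head-ref` are still the accepted input names, and pin this action and `actions-ecosystem/action-get-latest-tag` to commit SHAs rather than tags while this block is being edited.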

View File

@ -10,7 +10,7 @@ jobs:
- name: Checkout repo
uses: actions/checkout@v3
- name: Run the sh-checker
uses: luizm/action-sh-checker@v0.3.0
uses: luizm/action-sh-checker@v0.7.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Optional if sh_checker_comment is false.
SHFMT_OPTS: -l -i 4 -w # Optional: pass arguments to shfmt.
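Review bot: the `GITHUB_TOKEN` line is kept for an action that moves from v0.3.0 to v0.7.0 in one step, and its own comment says the token is optional when `sh_checker_comment` is false. If PR comments are not enabled for this job, drop the `GITHUB_TOKEN` entry so the third-party action runs without repository credentials.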

View File

@ -33,7 +33,7 @@ jobs:
find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
# DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
- name: Delete the tag latest and the release latest
uses: dev-drprasad/delete-tag-and-release@v0.2.0
uses: dev-drprasad/delete-tag-and-release@v0.2.1
with:
delete_release: true
tag_name: latest

View File

@ -1,7 +1,4 @@
# :lock: CIS Debian 9/10 Hardening
:tada: **News**: this project is back in the game and is from now on maintained. Be free to use and to
report issues if you find any!
# :lock: CIS Debian 10/11 Hardening
<p align="center">
@ -16,7 +13,7 @@ report issues if you find any!
![License](https://img.shields.io/github/license/ovh/debian-cis)
---
Modular Debian 9/10 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
Modular Debian 10/11 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
recommendations. We use it at [OVHcloud](https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
```console
@ -172,7 +169,7 @@ Functional tests are available. They are to be run in a Docker environment.
$ ./tests/docker_build_and_run_tests.sh <target> [name of test script...]
```
With `target` being like `debian9` or `debian10`.
With `target` being like `debian10` or `debian11`.
Running without script arguments will run all tests in `./tests/hardening/` directory.
Or you can specify one or several test script to be run.

View File

@ -0,0 +1,76 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.1.1 Ensure Mounting of cramfs filesystems is disabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable mounting of cramfs filesystems."
KERNEL_OPTION="CONFIG_CRAMFS"
MODULE_NAME="cramfs"
# This function will be called if the script status is on enabled / audit mode
audit() {
if [ "$IS_CONTAINER" -eq 1 ]; then
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$IS_CONTAINER" -eq 1 ]; then
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi
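Review bot: `if [ -z "$CIS_ROOT_DIR" ]; then` runs under `set -u`, so when `/etc/default/cis-hardening` is not readable the script stops on an unbound-variable error before it can print the "Cannot source CIS_ROOT_DIR variable, aborting." message or reach `exit 128`. Use `"${CIS_ROOT_DIR:-}"` in that test so the intended error path is reachable.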

View File

@ -0,0 +1,92 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.11.1 Ensure noexec option set on /var/log partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="/var/log partition with noexec option."
# Quick factoring as many script use the same logic
PARTITION="/var/log"
OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi
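Review bot: in `audit()`, a missing `noexec` in fstab is reported with `crit`, but `"$PARTITION is not mounted with $OPTION at runtime"` is only a `warn`, although the runtime mount flags are what actually enforce the restriction. Consider raising the runtime case to `crit` as well, or document why a live mount without the option is acceptable for an audit to pass.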

View File

@ -0,0 +1,92 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.11.2 Ensure nosuid option set on /var/log partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/var/log partition with nosuid option."
# Quick factoring as many script use the same logic
PARTITION="/var/log"
OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi
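Review bot: apart from `HARDENING_LEVEL`, `DESCRIPTION`, `PARTITION` and `OPTION`, this file repeats the `audit()` and `apply()` bodies of the other mount-option checks added in this change line for line, which the comment "Quick factoring as many script use the same logic" already acknowledges. Move the shared `audit()`/`apply()` logic into a library function that takes the partition and option as arguments, so a fix to the FNRET handling does not have to be replicated across every copy.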

View File

@ -0,0 +1,92 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.11.3 ensure nodev option set on /var/log partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/var/log partition with nodev option."
# Quick factoring as many script use the same logic
PARTITION="/var/log"
OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi
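Review bot: the header comment reads `# 1.1.11.3 ensure nodev option set on /var/log partition (Scored)` with a lowercase "ensure", while the sibling checks use "Ensure". Align the capitalisation so that tooling or greps keyed on the check title treat all headers the same way.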

View File

@ -0,0 +1,92 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.12.1 Ensure noexec option set on /var/log/audit partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="/var/log/audit partition with noexec option."
# Quick factoring as many script use the same logic
PARTITION="/var/log/audit"
OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi
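Review bot: `apply()` branches on `$FNRET` but never assigns it, so it depends entirely on `audit()` having run first in the same shell; under `set -u` a direct call to `apply()` aborts on an unbound variable, and any value other than 0, 1, 2 or 3 falls through the `if`/`elif` chain silently. Add a final `else` that reports the unexpected state, and either initialise `FNRET` in `apply()` or state the dependency on `audit()` in the function comment.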

View File

@ -0,0 +1,92 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.12.2 Ensure nosuid option set on /var/log/audit partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/var/log/audit partition with nosuid option."
# Quick factoring as many script use the same logic
PARTITION="/var/log/audit"
OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

View File

@ -0,0 +1,92 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.12.3 Ensure nodev option set on /var/log/audit partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/var/log/audit partition with nodev option."
# Quick factoring as many script use the same logic
PARTITION="/var/log/audit"
OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

View File

@ -0,0 +1,92 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.14.1 Ensure nosuid option set on /home partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/home partition with nosuid option."
# Quick factoring as many script use the same logic
PARTITION="/home"
OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

View File

@ -19,16 +19,28 @@ DESCRIPTION="Set sticky bit on world writable directories to prevent users from
EXCEPTIONS=''
# find emits following error if directory or file disappear during
# tree traversal: find: /tmp/xxx: No such file or directory
FIND_IGNORE_NOSUCHFILE_ERR=false
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Checking if setuid is set on world writable Directories"
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
if [ -n "$EXCEPTIONS" ]; then
# maybe EXCEPTIONS allow us to filter out some FS
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCEPTIONS")
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
else
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
fi
if [ -n "$RESULT" ]; then
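Review bot: `grep -vE "$EXCEPTIONS"` applies the pattern as a substring match on mount points, whereas the same variable is passed to `find ... -regex`, which matches against the whole path, so an unanchored exception can now drop entire filesystems from the scan that the old code would still have traversed. Either anchor the pattern for the mount-point filter or document the new semantics next to `EXCEPTIONS=''`. Two related points in the same branch: when every mount point matches, `grep` exits non-zero and the `FS_NAMES=$(...)` assignment is made before `set +e`, and an empty `FS_NAMES` would leave `find` without a start path; also `-regex $EXCEPTIONS` is still unquoted here while the `apply()` hunk quotes it.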
@ -45,7 +57,7 @@ audit() {
apply() {
if [ -n "$EXCEPTIONS" ]; then
# shellcheck disable=SC2086
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCEPTIONS" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex "$EXCEPTIONS" -print 2>/dev/null)
else
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
fi
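Review bot: `FIND_IGNORE_NOSUCHFILE_ERR` is honoured only in `audit()`; the `apply()` pipeline in this hunk gains the `grep -vE "$EXCEPTIONS"` filter and the quoted `-regex "$EXCEPTIONS"` but no equivalent handling, and only the `EXCEPTIONS` branch is updated. Apply the same flag handling here (or state that it is audit-only in the comment above the variable), and keep the quoting of `$EXCEPTIONS` identical between `audit()` and `apply()` so both functions select the same directories.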

View File

@ -0,0 +1,92 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.6.1 Ensure nodev option set for /var Partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/var partition with nodev option."
# Quick factoring as many script use the same logic
PARTITION="/var"
OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi
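Review bot: With `set -u` at the top of this new file, the test `[ -z "$CIS_ROOT_DIR" ]` near the end cannot reach its own error message when the variable was never set. If /etc/default/cis-hardening is not readable and CIS_ROOT_DIR is not in the environment, bash stops on the unbound expansion before the two echo lines run. Use `[ -z "${CIS_ROOT_DIR:-}" ]` so the "Cannot source CIS_ROOT_DIR variable, aborting." path is reachable.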

@ -0,0 +1,92 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.1.6.2 Ensure nosuid option set for /var Partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="/var partition with nosuid option."
# Quick factoring as many script use the same logic
PARTITION="/var"
OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option "$PARTITION" "$OPTION"
if [ "$FNRET" -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ "$FNRET" = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab "$PARTITION" "$OPTION"
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi
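Review bot: apply() branches on FNRET but never sets it; it depends on audit() having run just before in the same shell, and the elif chain has no final `else`. Any other value, or a helper that overwrites FNRET in between, makes apply() return silently. Call audit() at the top of apply() or add an `else` that reports the unexpected state. In the `FNRET = 1` branch the outcome of `add_option_to_fstab` and `remount_partition` is also not re-checked with `has_mounted_option`, so a failed remount still looks like a successful apply.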

@ -0,0 +1,69 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.6.3.1 Ensure apport is disabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable apport to avoid confidential data leaks."
PACKAGE='apport'
# This function will be called if the script status is on enabled / audit mode
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!"
else
ok "$PACKAGE is absent"
fi
:
}
# This function will be called if the script status is on enabled mode
apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge "$PACKAGE" -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
:
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi
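Review bot: In apply(), `apt-get autoremove` is called without `-y` while the purge on the line above has it, so an unattended run blocks on the confirmation prompt or aborts when there is no terminal. It also removes every auto-installed package that is currently unneeded, which is wider than what DESCRIPTION says this check does. Keep `apt-get purge "$PACKAGE" -y` alone, or put `apt-get autoremove -y` behind an explicit option. The bare `:` after each `fi` in audit() and apply() is a no-op and can be dropped.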

@ -21,7 +21,8 @@ AUDIT_PARAMS='-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
FILE='/etc/audit/audit.rules'
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit() {
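Review bot: FILES_TO_SEARCH lists exactly two paths, so a rule that already lives in any other file under /etc/audit/rules.d/ is reported missing by audit() and then appended again to /etc/audit/rules.d/audit.rules by apply(). Build the list from /etc/audit/audit.rules plus `/etc/audit/rules.d/*.rules` instead of hard-coding one file name. The move of FILE from audit.rules to rules.d/audit.rules also deserves a one-line comment next to the assignment explaining why the write target changed.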
@ -30,14 +31,21 @@ audit() {
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi
done
IFS=$d_IFS
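Review bot: In the inner loop of audit(), `IFS=$c_IFS` is restored right after the first `does_pattern_exist_in_file` call, inside the `for FILE_SEARCHED` body. The second file is therefore searched with IFS set to newline while the first is searched with the default IFS, which defeats the `IFS=$d_IFS` placed before the loop. Move `IFS=$c_IFS` to after the inner `done`.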
@ -45,18 +53,31 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required
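Review bot: `eval "$(pkill -HUP -P 1 auditd)"` in apply() evaluates pkill's standard output, which is empty, so the eval wrapper only discards pkill's exit status and a failed signal goes unnoticed. It also fires once per missing rule. Call `pkill -HUP -P 1 auditd` directly, once after the outer loop, and only when at least one rule was added. Since the rule is now appended under rules.d, please also confirm that a HUP alone is enough for it to be loaded.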

@ -21,7 +21,8 @@ SUDO_CMD='sudo -n'
# Find all files with setuid or setgid set
AUDIT_PARAMS=$($SUDO_CMD find / -xdev -ignore_readdir_race \( -perm -4000 -o -perm -2000 \) -type f |
awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }')
FILE='/etc/audit/audit.rules'
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit() {
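Review bot: The awk program that builds AUDIT_PARAMS prints `$1`, so a setuid or setgid file whose path contains whitespace is cut at the first space and the generated `-F path=` rule names the wrong file. Print at least `$0` and decide how such paths should be quoted or skipped. The `find / -xdev` also sits at the top level of the script, outside audit() and apply(), so the full filesystem scan runs every time the file is loaded; moving it into a function would avoid that.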
@ -30,14 +31,21 @@ audit() {
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi
done
IFS=$d_IFS
@ -45,18 +53,31 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required

@ -19,7 +19,8 @@ DESCRIPTION="Collect sucessfull file system mounts."
AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
FILE='/etc/audit/audit.rules'
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -28,14 +29,21 @@ audit() {
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi
done
IFS=$d_IFS
@ -43,18 +51,31 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required
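Review bot: The audit() and apply() bodies in this file are line for line the ones added to the other audit-rule checks in this compare; only AUDIT_PARAMS differs. With this many copies, any later change to the IFS handling or to the reload step has to be made in each file separately. Move the search over FILES_TO_SEARCH and the append-and-reload step into two lib functions that take the rule list, and leave only the variables in each check.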

@ -19,7 +19,8 @@ DESCRIPTION="Collects file deletion events by users."
AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
FILE='/etc/audit/audit.rules'
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -28,14 +29,21 @@ audit() {
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi
done
IFS=$d_IFS
@ -43,18 +51,31 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required

@ -19,7 +19,8 @@ DESCRIPTION="Collect changes to system administration scopre."
AUDIT_PARAMS='-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers'
FILE='/etc/audit/audit.rules'
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -28,14 +29,21 @@ audit() {
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi
done
IFS=$d_IFS
@ -43,18 +51,31 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required

@ -18,7 +18,8 @@ HARDENING_LEVEL=4
DESCRIPTION="Collect system administration actions (sudolog)."
AUDIT_PARAMS='-w /var/log/auth.log -p wa -k sudoaction'
FILE='/etc/audit/audit.rules'
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -27,14 +28,21 @@ audit() {
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi
done
IFS=$d_IFS
@ -42,18 +50,31 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required

@ -21,7 +21,8 @@ AUDIT_PARAMS='-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules'
FILE='/etc/audit/audit.rules'
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit() {
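Review bot: The rules visible for this check include an `arch=b64` line for `init_module` and `delete_module` but no `arch=b32` counterpart, unlike the other syscall checks in this compare, which list both architectures. Module loads or unloads made through the 32-bit syscall interface would not be recorded. Add the b32 line to AUDIT_PARAMS, or add a comment saying why it is left out.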
@ -30,14 +31,21 @@ audit() {
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi
done
IFS=$d_IFS
@ -45,18 +53,31 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required

@ -18,7 +18,8 @@ HARDENING_LEVEL=4
DESCRIPTION="Make the audit configuration immutable."
AUDIT_PARAMS='-e 2'
FILE='/etc/audit/audit.rules'
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -27,14 +28,21 @@ audit() {
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi
done
IFS=$d_IFS
@ -42,18 +50,31 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required
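Review bot: For `-e 2`, apply() appends the line with `add_end_of_file "$FILE"`, and the other audit checks in this compare append their rules to the same /etc/audit/rules.d/audit.rules in the same way. Any check that adds a rule after this one has run puts it below `-e 2`, and audit() here only tests that the line exists, not that it is the last one. Rules that follow the immutable flag are not loaded, so this check should verify position, or write `-e 2` to a separate file that sorts last in rules.d.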

@ -22,7 +22,8 @@ AUDIT_PARAMS='-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-cha
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change'
FILE='/etc/audit/audit.rules'
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -31,14 +32,21 @@ audit() {
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi
done
IFS=$d_IFS
@ -46,18 +54,31 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required

@ -22,7 +22,8 @@ AUDIT_PARAMS='-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity'
FILE='/etc/audit/audit.rules'
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -31,14 +32,21 @@ audit() {
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi
done
IFS=$d_IFS
@ -46,18 +54,31 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required

@ -23,7 +23,8 @@ AUDIT_PARAMS='-a exit,always -F arch=b64 -S sethostname -S setdomainname -k syst
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale'
FILE='/etc/audit/audit.rules'
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit() {
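Review bot: The first rule of this check is written `-a exit,always`, while the other syscall checks in this compare use `-a always,exit`. audit() and apply() pass the rule text itself to `does_pattern_exist_in_file`, so an existing rule spelled the other way round is reported missing and appended a second time. Normalise the action order in AUDIT_PARAMS to `always,exit`, or compare rules after normalising field order and spacing.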
@ -32,14 +33,21 @@ audit() {
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi
done
IFS=$d_IFS
@ -47,18 +55,31 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required

@ -18,7 +18,8 @@ HARDENING_LEVEL=4
DESCRIPTION="Record events that modify the system's mandatory access controls (MAC)."
AUDIT_PARAMS='-w /etc/selinux/ -p wa -k MAC-policy'
FILE='/etc/audit/audit.rules'
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -27,14 +28,21 @@ audit() {
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi
done
IFS=$d_IFS
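Review bot: `IFS=$c_IFS` sits inside the `for FILE_SEARCHED` loop, right after the first `does_pattern_exist_in_file` call, so only the first path in `$FILES_TO_SEARCH` is searched under the default IFS and every later path is searched with IFS set to newline. If the helper relies on default word splitting, the result differs per file. Restore `IFS=$c_IFS` once after the inner `done`, which also covers the case where `$FILES_TO_SEARCH` is empty and the loop body never runs.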
@ -42,18 +50,31 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required
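Review bot: the `else` branch still logs `ok "$AUDIT_VALUE is present in $FILE"`, but after this change the match may have been found in `/etc/audit/audit.rules` rather than in `$FILE`, and the inner loop has already logged the exact file. Drop the message or change it to name `$FILES_TO_SEARCH`, otherwise the apply report points the operator at the wrong file.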

@ -20,7 +20,8 @@ DESCRIPTION="Collect login and logout events."
AUDIT_PARAMS='-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins'
FILE='/etc/audit/audit.rules'
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -29,14 +30,21 @@ audit() {
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi
done
IFS=$d_IFS
@ -44,18 +52,31 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required
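Review bot: this is the same `SEARCH_RES` / `for FILE_SEARCHED in $FILES_TO_SEARCH` block as in the previous files, copied into both `audit()` and `apply()` of every auditd check. A shared helper (taking the pattern and the file list, and setting `FNRET`) would keep the IFS handling and messages in one place, so a later fix does not have to be repeated per check.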

@ -20,7 +20,8 @@ DESCRIPTION="Collec sessions initiation information."
AUDIT_PARAMS='-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session'
FILE='/etc/audit/audit.rules'
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -29,14 +30,21 @@ audit() {
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi
done
IFS=$d_IFS
@ -44,18 +52,31 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required
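Review bot: `apply()` now appends the rule to `/etc/audit/rules.d/audit.rules` and then only sends HUP to auditd. Files under `rules.d` are normally compiled into `/etc/audit/audit.rules` and loaded with `augenrules --load`, so it is worth confirming that the HUP alone makes the new rule active in the running kernel, and adding a short comment that states how the rule is expected to be loaded.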

@ -23,7 +23,8 @@ AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
FILE='/etc/audit/audit.rules'
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -32,14 +33,21 @@ audit() {
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi
done
IFS=$d_IFS
@ -47,18 +55,31 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required

@ -15,7 +15,7 @@ set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Check that any password that may exist in /etc/shadow is SHA512 hashed and salted"
DESCRIPTION="Check that any password that may exist in /etc/shadow is yescrypt (or SHA512 for debian 10) hashed and salted"
CONF_FILE="/etc/pam.d/common-password"
CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*sha512"
@ -26,6 +26,9 @@ audit() {
if $SUDO_CMD [ ! -r "$CONF_FILE" ]; then
crit "$CONF_FILE is not readable"
else
if [ "$DEB_MAJ_VER" -ge "11" ]; then
CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*yescrypt" # https://github.com/ovh/debian-cis/issues/158
fi
# shellcheck disable=SC2001
does_pattern_exist_in_file "$CONF_FILE" "$(sed 's/ /[[:space:]]+/g' <<<"$CONF_LINE")"
if [ "$FNRET" = 0 ]; then
@ -47,7 +50,11 @@ apply() {
ok "$CONF_LINE is present in $CONF_FILE"
else
warn "$CONF_LINE is not present in $CONF_FILE"
add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so sha512" "# pam-auth-update(8) for details."
if [ "$DEB_MAJ_VER" -ge "11" ]; then
add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so yescrypt" "# pam-auth-update(8) for details."
else
add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so sha512" "# pam-auth-update(8) for details."
fi
fi
fi
}
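Review bot: the `[ "$DEB_MAJ_VER" -ge "11" ]` test now exists twice, once inside the `else` branch of `audit()` to override `CONF_LINE` and once here in `apply()` to choose the line to insert, while the `ok`/`warn` messages in `apply()` print whatever `CONF_LINE` holds at that moment. Select the hash algorithm once at top level (one variable for the algorithm name, used to build both `CONF_LINE` and the inserted line) so the pattern audited, the line written and the message logged cannot drift apart.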

@ -33,9 +33,9 @@ audit() {
for file_in_dir in $(find "$FILE_SEARCHED" -type f); do
does_pattern_exist_in_file "$file_in_dir" "$PATTERN"
if [ "$FNRET" != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
debug "$PATTERN is not present in $file_in_dir"
else
ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
ok "$PATTERN is present in $file_in_dir"
SEARCH_RES=1
break
fi
@ -45,7 +45,7 @@ audit() {
if [ "$FNRET" != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED"
else
ok "$PATTERN is present in $FILES_TO_SEARCH"
ok "$PATTERN is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
fi
@ -64,11 +64,11 @@ apply() {
debug "$FILE_SEARCHED is a directory"
# shellcheck disable=2044
for file_in_dir in $(find "$FILE_SEARCHED" -type f); do
does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "$PATTERN"
does_pattern_exist_in_file "$file_in_dir" "$PATTERN"
if [ "$FNRET" != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
debug "$PATTERN is not present in $file_in_dir"
else
ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
ok "$PATTERN is present in $file_in_dir"
SEARCH_RES=1
break
fi
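Review bot: the corrected `does_pattern_exist_in_file "$file_in_dir" "$PATTERN"` is still fed by `for file_in_dir in $(find "$FILE_SEARCHED" -type f)` with SC2044 silenced, so any file name containing whitespace is split into several bogus paths and silently skipped. Reading the list with `while IFS= read -r -d '' file_in_dir; do ... done < <(find "$FILE_SEARCHED" -type f -print0)` keeps `SEARCH_RES` in the current shell and removes the need for the shellcheck override.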
@ -78,7 +78,7 @@ apply() {
if [ "$FNRET" != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED"
else
ok "$PATTERN is present in $FILES_TO_SEARCH"
ok "$PATTERN is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
fi

@ -19,17 +19,28 @@ DESCRIPTION="Ensure no world writable files exist"
EXCLUDED=''
# find emits following error if directory or file disappear during
# tree traversal: find: /tmp/xxx: No such file or directory
FIND_IGNORE_NOSUCHFILE_ERR=false
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Checking if there are world writable files"
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
if [ -n "$EXCLUDED" ]; then
# maybe EXCLUDED allow us to filter out some FS
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED")
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
else
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -0002 -print 2>/dev/null)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
fi
if [ -n "$RESULT" ]; then
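Review bot: in `audit()` the pattern is passed as `! -regex $EXCLUDED` unquoted, while the `apply()` hunk of the same commit quotes it as `! -regex "$EXCLUDED"`. With SC2086 disabled for the whole line, a regex containing whitespace or glob characters is split or expanded before find sees it. Keep the override for `$FS_NAMES` only and quote `"$EXCLUDED"` here as well.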
@ -46,7 +57,7 @@ audit() {
apply() {
if [ -n "$EXCLUDED" ]; then
# shellcheck disable=SC2086
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
else
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -print 2>/dev/null)
fi
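Review bot: the same `$EXCLUDED` value is now used by two matchers with different semantics: `find -regex` must match the whole path, whereas `grep -vE "$EXCLUDED"` drops any mountpoint that contains a match anywhere in its name. A short pattern meant to exclude a few files can therefore remove an entire filesystem from the scan. Either anchor the pattern for the mountpoint filter or use a separate variable for excluded filesystems, and document the difference in the generated config.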

@ -20,17 +20,30 @@ DESCRIPTION="Ensure no unowned files or directories exist."
USER='root'
EXCLUDED=''
# find emits following error if directory or file disappear during
# tree traversal: find: /tmp/xxx: No such file or directory
FIND_IGNORE_NOSUCHFILE_ERR=false
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Checking if there are unowned files"
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
if [ -n "$EXCLUDED" ]; then
# maybe EXCLUDED allow us to filter out some FS
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED")
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nouser -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
else
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nouser -print 2>/dev/null)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
fi
if [ -n "$RESULT" ]; then
crit "Some unowned files are present"
# shellcheck disable=SC2001
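Review bot: with `FIND_IGNORE_NOSUCHFILE_ERR=true` the `set +e` / `2>/dev/null` pair discards every find failure, not only the "No such file or directory" race described in the comment. If find aborts for another reason, `RESULT` is empty and the check reports success. Capture find's exit status and stderr, ignore only the disappearing-file message, and raise at least a `warn` for anything else.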
@ -45,7 +58,7 @@ audit() {
apply() {
if [ -n "$EXCLUDED" ]; then
# shellcheck disable=SC2086
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -regextype 'egrep' ! -regex $EXCLUDED -ls 2>/dev/null)
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
else
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -ls 2>/dev/null)
fi

@ -20,17 +20,31 @@ DESCRIPTION="Ensure no ungrouped files or directories exist"
GROUP='root'
EXCLUDED=''
# find emits following error if directory or file disappear during
# tree traversal: find: /tmp/xxx: No such file or directory
FIND_IGNORE_NOSUCHFILE_ERR=false
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Checking if there are ungrouped files"
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
if [ -n "$EXCLUDED" ]; then
# maybe EXCLUDED allow us to filter out some FS
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED")
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
else
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nogroup -print 2>/dev/null)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
fi
if [ -n "$RESULT" ]; then
crit "Some ungrouped files are present"
# shellcheck disable=SC2001
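Review bot: `FS_NAMES=$(df --local -P | awk ... | grep -vE "$EXCLUDED")` runs before the `set +e` guard, and `grep -v` exits 1 when it filters out every line, so with errexit active (as the later `set -e` restore implies) the check aborts when `EXCLUDED` happens to match all mountpoints. If the assignment does survive, an empty `$FS_NAMES` leaves find without a starting point and GNU find then walks the current directory. Add `|| true` to the pipeline and return early when `FS_NAMES` is empty.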
@ -45,7 +59,7 @@ audit() {
apply() {
if [ -n "$EXCLUDED" ]; then
# shellcheck disable=SC2086
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex $EXCLUDED -ls 2>/dev/null)
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
else
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -ls 2>/dev/null)
fi

@ -18,16 +18,30 @@ HARDENING_LEVEL=2
DESCRIPTION="Find SUID system executables."
IGNORED_PATH=''
# find emits following error if directory or file disappear during
# tree traversal: find: /tmp/xxx: No such file or directory
FIND_IGNORE_NOSUCHFILE_ERR=false
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Checking if there are suid files"
FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
# shellcheck disable=2086
if [ -n "$IGNORED_PATH" ]; then
# maybe IGNORED_PATH allow us to filter out some FS
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$IGNORED_PATH")
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=2086
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -4000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
else
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=2086
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -4000 -print)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
fi
BAD_BINARIES=""
for BINARY in $FOUND_BINARIES; do
if grep -qw "$BINARY" <<<"$EXCEPTIONS"; then

@ -18,16 +18,31 @@ HARDENING_LEVEL=2
DESCRIPTION="Find SGID system executables."
IGNORED_PATH=''
# find emits following error if directory or file disappear during
# tree traversal: find: /tmp/xxx: No such file or directory
FIND_IGNORE_NOSUCHFILE_ERR=false
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Checking if there are sgid files"
FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
# shellcheck disable=2086
if [ -n "$IGNORED_PATH" ]; then
# maybe IGNORED_PATH allow us to filter out some FS
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$IGNORED_PATH")
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=2086
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -2000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
else
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=2086
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -2000 -print)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
fi
BAD_BINARIES=""
for BINARY in $FOUND_BINARIES; do
if grep -qw "$BINARY" <<<"$EXCEPTIONS"; then

@ -23,30 +23,13 @@ ERRORS=0
# This function will be called if the script status is on enabled / audit mode
audit() {
debug "Checking homedir exists"
RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
for LINE in $RESULT; do
debug "Working on $LINE"
USER=$(awk -F: '{print $1}' <<<"$LINE")
USERID=$(awk -F: '{print $2}' <<<"$LINE")
DIR=$(awk -F: '{print $3}' <<<"$LINE")
if [ "$USERID" -ge 1000 ] && [ ! -d "$DIR" ] && [ "$USER" != "nfsnobody" ] && [ "$USER" != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then
crit "The home directory ($DIR) of user $USER does not exist."
ERRORS=$((ERRORS + 1))
fi
done
if [ "$ERRORS" = 0 ]; then
ok "All home directories exists"
fi
debug "Checking homedir ownership"
RESULT=$(awk -F: '{ print $1 ":" $3 ":" $6 }' /etc/passwd)
for LINE in $RESULT; do
debug "Working on $LINE"
USER=$(awk -F: '{print $1}' <<<"$LINE")
USERID=$(awk -F: '{print $2}' <<<"$LINE")
DIR=$(awk -F: '{print $3}' <<<"$LINE")
if [ "$USERID" -ge 500 ] && [ -d "$DIR" ] && [ "$USER" != "nfsnobody" ]; then
if [ "$USERID" -ge 1000 ] && [ -d "$DIR" ] && [ "$USER" != "nfsnobody" ]; then
OWNER=$(stat -L -c "%U" "$DIR")
if [ "$OWNER" != "$USER" ]; then
EXCEP_FOUND=0
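Review bot: the ownership test `[ "$USERID" -ge 1000 ]` hard-codes the first regular UID. Hosts that set a different `UID_MIN` in `/etc/login.defs` will either skip real users or include system accounts. Read the threshold from `UID_MIN` with 1000 as the fallback, and note that this loop parses `/etc/passwd` directly while the other loop in this hunk uses `get_db passwd`, so accounts from other NSS sources are only covered by one of them.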

@ -19,13 +19,32 @@ DESCRIPTION="Checks there are no carte-blanche authorization in sudoers file(s).
FILE="/etc/sudoers"
DIRECTORY="/etc/sudoers.d"
# spaces will be expanded to [:space:]* when using the regex
# spaces will be expanded to [[:space:]]* when using the regex
# improves readability in audit report
REGEX="ALL = \( ALL( : ALL)? \)( NOPASSWD:)? ALL"
EXCEPT=""
MAX_FILES_TO_LOG=0
# This function will be called if the script status is on enabled / audit mode
audit() {
# expand spaces to [[:space:]]*
# shellcheck disable=2001
REGEX="$(echo "$REGEX" | sed 's/ /[[:space:]]*/g')"
local skiplog
skiplog=0
if [ $MAX_FILES_TO_LOG != 0 ]; then
# if we have more than $MAX_FILES_TO_LOG files in $DIRECTORY, we'll reduce
# logging in the loop, to avoid flooding the logs and getting timed out
local nbfiles
# shellcheck disable=2012 # (find is too slow and calls fstatat() for each file)
nbfiles=$(ls -f "$DIRECTORY" | wc -l)
if [ "$nbfiles" -gt "$MAX_FILES_TO_LOG" ]; then
skiplog=1
info "Found $nbfiles files in $DIRECTORY (> $MAX_FILES_TO_LOG), we won't log every file we check"
fi
fi
FILES=""
if $SUDO_CMD [ ! -r "$FILE" ]; then
crit "$FILE is not readable"
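Review bot: `nbfiles=$(ls -f "$DIRECTORY" | wc -l)` counts `.` and `..` because `-f` lists all entries, and it runs without `$SUDO_CMD` although every other access to the sudoers files in this function goes through it. The threshold is therefore off by two, and the count fails when the audit user cannot read `$DIRECTORY`. Run it as `$SUDO_CMD ls -f` and subtract the two dot entries, and quote `"$MAX_FILES_TO_LOG"` in the `[ ... != 0 ]` test so an empty config value does not break the test expression.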
@ -41,14 +60,20 @@ audit() {
fi
for file in $FILES; do
if $SUDO_CMD [ ! -r "$file" ]; then
crit "$file is not readable"
else
# shellcheck disable=2001
if ! $SUDO_CMD grep -E "$(echo "$REGEX" | sed 's/ /[[:space:]]*/g')" "$file" &>/dev/null; then
ok "There is no carte-blanche sudo permission in $file"
debug "$file is not readable, but it might just have disappeared since we've listed the folder contents, re-check that it exists"
if $SUDO_CMD [ -e "$file" ]; then
crit "$file is not readable"
else
# shellcheck disable=2001
RET=$($SUDO_CMD grep -E "$(echo "$REGEX" | sed 's/ /[[:space:]]*/g')" "$file" | sed 's/\t/#/g;s/ /#/g')
debug "$file has disappeared, ignore it"
continue
fi
else
if ! $SUDO_CMD grep -E "$REGEX" "$file" &>/dev/null; then
if [ $skiplog = 0 ]; then
ok "There is no carte-blanche sudo permission in $file"
fi
else
RET=$($SUDO_CMD grep -E "$REGEX" "$file" | sed 's/\t/#/g;s/ /#/g')
for line in $RET; do
if grep -q "$(echo "$line" | cut -d '#' -f 1)" <<<"$EXCEPT"; then
# shellcheck disable=2001
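Review bot: the re-check with `[ -e "$file" ]` closes the window between the directory listing and the `-r` test, but the same window still exists between the `-r` test and `grep -E "$REGEX" "$file"`. Because the branch is `if ! $SUDO_CMD grep ... &>/dev/null`, any grep error (file gone, invalid regex) is treated as "no carte-blanche sudo permission" and logged as ok. Capture grep's exit status and treat only 1 as "no match"; for 2, repeat the existence check and raise `crit` if the file is still there.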
@ -73,8 +98,16 @@ apply() {
create_config() {
cat <<EOF
status=audit
# Put EXCEPTION account names here, space separated
EXCEPT="root %root %sudo %wheel"
# If we find more than this amount of files in sudoers.d/,
# we'll reduce the logging in the loop to avoid getting
# timed out because we spend too much time logging.
# Using 0 disables this feature and will never reduce the
# logging, regardless of the number of files.
MAX_FILES_TO_LOG=0
EOF
}
# This function will check config parameters required

@ -109,7 +109,7 @@ audit() {
crit "/etc/ssh/sshd_config is not readable."
else
ret=$($SUDO_CMD grep -iP "^AuthorizedKeysFile" /etc/ssh/sshd_config || echo '#KO')
if [ "x$ret" = "x#KO" ]; then
if [ "$ret" = "#KO" ]; then
debug "No AuthorizedKeysFile defined in sshd_config."
else
AUTHKEYFILE_PATTERN=$(echo "$ret" | sed 's/AuthorizedKeysFile//i' | sed 's#%h/##' | tr -s "[:space:]")
@ -137,7 +137,7 @@ audit() {
continue
else
info "User $user has a valid shell ($shell)."
if [ "x$user" = "xroot" ] && [ "$user" != "$EXCEPTION_USER" ]; then
if [ "$user" = "root" ] && [ "$user" != "$EXCEPTION_USER" ]; then
check_dir /root
continue
elif $SUDO_CMD [ ! -d /home/"$user" ]; then

debian/changelog vendored
@ -1,3 +1,34 @@
cis-hardening (4.0-1) unstable; urgency=medium
* fix: 99.1.3_acc_sudoers_no_all: fix a race condition (#186)
* fix: change auditd file rule remediation (#179)
* fix: correct debian package compression override (#181)
* fix: ensure mountpoints are properly detected (#177)
* fix: correct search in 5.4.5_default_timeout in apply mode (#178)
* fix: force xz compression during .deb build (#180)
* feat: official Debian 11 compatibility (#176)
* Bump luizm/action-sh-checker from 0.5.0 to 0.7.0 (#171)
-- Thibault Dewailly <thibault.dewailly@ovhcloud.com> Mon, 10 Jul 2023 07:18:55 +0000
cis-hardening (3.8-1) unstable; urgency=medium
* fix: timeout of 99.1.3 (#168)
-- Thibault Dewailly <thibault.dewailly@ovhcloud.com> Thu, 23 Mar 2023 10:00:06 +0000
cis-hardening (3.7-1) unstable; urgency=medium
* feat: add FIND_IGNORE_NOSUCHFILE_ERR flag (#159)
-- Yannick Martin <yannick.martin@ovhcloud.com> Mon, 04 Jul 2022 14:34:03 +0200
cis-hardening (3.6-1) unstable; urgency=medium
* feat: Filter the filesystem to check when the list is built. (#156)
-- Tarik Megzari <tarik.megzari@corp.ovh.com> Fri, 24 Jun 2022 15:49:00 +0000
cis-hardening (3.5-1) unstable; urgency=medium
* fix: add 10s wait timeout on iptables command (#151)

debian/rules vendored
@ -16,6 +16,9 @@ PACKAGE = $(shell dh_listpackages)
%:
dh $@
override_dh_builddeb:
dh_builddeb -- -Zxz
override_dh_install:
dh_install
mkdir -p $(CURDIR)/debian/$(PACKAGE)/opt/$(PACKAGE)/
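Review bot: `override_dh_builddeb` forces `-Zxz` with no comment explaining why. The commit message gives the reason (zst compression is only available on Debian 12 and the release is built on Ubuntu latest); put that in a comment above the override so it is not removed later as an unnecessary deviation from the dpkg default.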

@ -57,6 +57,6 @@ get_distribution
get_debian_major_version
# shellcheck disable=SC2034
SMALLEST_SUPPORTED_DEBIAN_VERSION=9
SMALLEST_SUPPORTED_DEBIAN_VERSION=10
# shellcheck disable=SC2034
HIGHEST_SUPPORTED_DEBIAN_VERSION=10
HIGHEST_SUPPORTED_DEBIAN_VERSION=11

@ -349,10 +349,10 @@ is_kernel_option_enabled() {
fi
ANSWER=$(cut -d = -f 2 <<<"$RESULT")
if [ "x$ANSWER" = "xy" ]; then
if [ "$ANSWER" = "y" ]; then
debug "Kernel option $KERNEL_OPTION enabled"
FNRET=0
elif [ "x$ANSWER" = "xn" ]; then
elif [ "$ANSWER" = "n" ]; then
debug "Kernel option $KERNEL_OPTION disabled"
FNRET=1
else
@ -424,6 +424,9 @@ is_a_partition() {
if grep "[[:space:]]$1[[:space:]]" /etc/fstab | grep -vqE "^#"; then
debug "$PARTITION found in fstab"
FNRET=0
elif mountpoint -q "$PARTITION"; then
debug "$PARTITION found in /proc fs"
FNRET=0
else
debug "Unable to find $PARTITION in fstab"
FNRET=1
@ -461,6 +464,9 @@ has_mount_option() {
if grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $4}' | grep -q "$OPTION"; then
debug "$OPTION has been detected in fstab for partition $PARTITION"
FNRET=0
elif mountpoint -q "$PARTITION"; then
debug "$OPTION not detected in fstab, but $PARTITION is a mount point searching in /proc fs"
has_mounted_option "$PARTITION" "$OPTION"
else
debug "Unable to find $OPTION in fstab for partition $PARTITION"
FNRET=1
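Review bot: the new `elif mountpoint -q "$PARTITION"` branch in `has_mount_option` is reached whenever the fstab grep fails, which includes the case where the partition is listed in fstab without the option. The check then passes on the runtime mount options alone, so a hardening option applied only by a manual remount is reported as compliant even though it will be lost at the next boot. Fall back to `has_mounted_option` only when the partition has no fstab entry, or log a `warn` that the option is present at runtime but not persisted.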

@ -1,22 +0,0 @@
FROM debian:jessie
LABEL vendor="OVH"
LABEL project="debian-cis"
LABEL url="https://github.com/ovh/debian-cis"
LABEL description="This image is used to run tests"
RUN groupadd -g 500 secaudit && useradd -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd
COPY --chown=500:500 . /opt/debian-cis/
COPY debian/default /etc/default/cis-hardening
RUN sed -i 's#cis-hardening#debian-cis#' /etc/default/cis-hardening
COPY cisharden.sudoers /etc/sudoers.d/secaudit
RUN sed -i 's#cisharden#secaudit#' /etc/sudoers.d/secaudit
ENTRYPOINT ["/opt/debian-cis/tests/launch_tests.sh"]

@ -1,22 +0,0 @@
FROM debian:stretch
LABEL vendor="OVH"
LABEL project="debian-cis"
LABEL url="https://github.com/ovh/debian-cis"
LABEL description="This image is used to run tests"
RUN groupadd -g 500 secaudit && useradd -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd
COPY --chown=500:500 . /opt/debian-cis/
COPY debian/default /etc/default/cis-hardening
RUN sed -i 's#cis-hardening#debian-cis#' /etc/default/cis-hardening
COPY cisharden.sudoers /etc/sudoers.d/secaudit
RUN sed -i 's#cisharden#secaudit#' /etc/sudoers.d/secaudit
ENTRYPOINT ["/opt/debian-cis/tests/launch_tests.sh"]

@ -0,0 +1,20 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
}

@ -0,0 +1,16 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
}

@ -0,0 +1,16 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
}

@ -0,0 +1,16 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
}

@ -0,0 +1,16 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
}

@ -0,0 +1,16 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
}

@ -0,0 +1,16 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
}

@ -0,0 +1,16 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
}

@ -12,8 +12,15 @@ test_audit() {
register_test retvalshouldbe 0
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
echo "dummy entry" >>/etc/fstab
describe Fstab with a real entry to match runtime partitions
register_test retvalshouldbe 0
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# Cleanup
rm /run/shm
sed "/dummy entry/d" /etc/fstab
##################################################################
# For this test, we only check that it runs properly on a blank #
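
Review bot: the cleanup line `sed "/dummy entry/d" /etc/fstab` has no `-i`, so it prints the filtered file to stdout and leaves the dummy entry in /etc/fstab for every test that runs afterwards. Use `sed -i "/dummy entry/d" /etc/fstab`, and `rm -f /run/shm` so the cleanup does not fail when the path is absent. The `describe` text calls this a real entry while the line written is `dummy entry`; one of the two should change. The two hunks that follow carry the same cleanup.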

@ -12,8 +12,15 @@ test_audit() {
register_test retvalshouldbe 0
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
echo "dummy entry" >>/etc/fstab
describe Fstab with a real entry to match runtime partitions
register_test retvalshouldbe 0
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# Cleanup
rm /run/shm
sed "/dummy entry/d" /etc/fstab
##################################################################
# For this test, we only check that it runs properly on a blank #

@ -12,8 +12,15 @@ test_audit() {
register_test retvalshouldbe 0
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
echo "dummy entry" >>/etc/fstab
describe Fstab with a real entry to match runtime partitions
register_test retvalshouldbe 0
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# Cleanup
rm /run/shm
sed "/dummy entry/d" /etc/fstab
##################################################################
# For this test, we only check that it runs properly on a blank #

@ -23,6 +23,12 @@ test_audit() {
register_test contain "Some world writable directories are not on sticky bit mode"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Tests failing with find ignore flag
echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
register_test retvalshouldbe 1
register_test contain "Some world writable directories are not on sticky bit mode"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
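
Review bot: the `Tests failing with find ignore flag` case asserts the same return value and message as the noncompliant case just above it, so it shows only that `FIND_IGNORE_NOSUCHFILE_ERR=true` does not hide a real finding, not that the flag does what its name says. Add a case where a path disappears during the scan, or a comment stating that only the regression is covered. The flag is appended with `>>` and never removed, so the `correcting situation` step and everything after it also run with it set. The later hunks that add the same case share both points.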

@ -0,0 +1,16 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
}

@ -0,0 +1,16 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
}

@ -0,0 +1,16 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
}

@ -13,10 +13,10 @@ test_audit() {
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "[ OK ] -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/rules.d/audit.rules"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}
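
Review bot: the expected strings in this hunk move to `/etc/audit/rules.d/audit.rules`, but the assertions only match the check's own `[ OK ]` message, so they cannot tell whether the rules written there are the ones auditd ends up loading. If the test container allows it, add a step that compares against `auditctl -l` after remediation, or say in a comment that only file content is verified. The other audit rule tests in this change make the same path substitution and share the gap.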

@ -13,7 +13,7 @@ test_audit() {
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "[ OK ] -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts is present in /etc/audit/rules.d/audit.rules"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

@ -13,7 +13,7 @@ test_audit() {
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "[ OK ] -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete is present in /etc/audit/rules.d/audit.rules"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

@ -13,7 +13,7 @@ test_audit() {
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "[ OK ] -w /etc/sudoers -p wa -k sudoers is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /etc/sudoers.d/ -p wa -k sudoers is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /etc/sudoers -p wa -k sudoers is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -w /etc/sudoers.d/ -p wa -k sudoers is present in /etc/audit/rules.d/audit.rules"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

@ -13,6 +13,6 @@ test_audit() {
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "[ OK ] -w /var/log/auth.log -p wa -k sudoaction is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /var/log/auth.log -p wa -k sudoaction is present in /etc/audit/rules.d/audit.rules"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

@ -13,8 +13,8 @@ test_audit() {
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "[ OK ] -w /sbin/rmmod -p x -k modules is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /sbin/modprobe -p x -k modules is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b64 -S init_module -S delete_module -k modules is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /sbin/rmmod -p x -k modules is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -w /sbin/modprobe -p x -k modules is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b64 -S init_module -S delete_module -k modules is present in /etc/audit/rules.d/audit.rules"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}
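
Review bot: the `init_module`/`delete_module` rule is asserted for `arch=b64` only, while the other syscall rules touched by this change are asserted for both `b64` and `b32`. Either add the `arch=b32` counterpart to the check and to this test, or note in the test why 32-bit callers are out of scope here.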

@ -13,6 +13,6 @@ test_audit() {
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "[ OK ] -e 2 is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -e 2 is present in /etc/audit/rules.d/audit.rules"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

@ -13,10 +13,10 @@ test_audit() {
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "[ OK ] -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b64 -S clock_settime -k time-change is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b32 -S clock_settime -k time-change is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /etc/localtime -p wa -k time-change is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b64 -S clock_settime -k time-change is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b32 -S clock_settime -k time-change is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -w /etc/localtime -p wa -k time-change is present in /etc/audit/rules.d/audit.rules"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

@ -13,10 +13,10 @@ test_audit() {
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "[ OK ] -w /etc/group -p wa -k identity is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /etc/passwd -p wa -k identity is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /etc/gshadow -p wa -k identity is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /etc/shadow -p wa -k identity is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /etc/security/opasswd -p wa -k identity is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /etc/group -p wa -k identity is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -w /etc/passwd -p wa -k identity is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -w /etc/gshadow -p wa -k identity is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -w /etc/shadow -p wa -k identity is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -w /etc/security/opasswd -p wa -k identity is present in /etc/audit/rules.d/audit.rules"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

@ -13,12 +13,12 @@ test_audit() {
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "[ OK ] -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /etc/issue -p wa -k system-locale is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /etc/issue.net -p wa -k system-locale is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /etc/hosts -p wa -k system-locale is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /etc/network -p wa -k system-locale is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -w /etc/issue -p wa -k system-locale is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -w /etc/issue.net -p wa -k system-locale is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -w /etc/hosts -p wa -k system-locale is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -w /etc/network -p wa -k system-locale is present in /etc/audit/rules.d/audit.rules"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}
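
Review bot: the two `sethostname`/`setdomainname` lines use `-a exit,always` where every other syscall rule in this change is written `-a always,exit`. The expected strings are compared as text, so the two spellings are not interchangeable for the test even though they describe the same list and action. Normalise on `always,exit` in the check and here so that a rule file written in the usual order is not reported as missing.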

@ -13,6 +13,6 @@ test_audit() {
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "[ OK ] -w /etc/selinux/ -p wa -k MAC-policy is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /etc/selinux/ -p wa -k MAC-policy is present in /etc/audit/rules.d/audit.rules"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

@ -13,8 +13,8 @@ test_audit() {
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "[ OK ] -w /var/log/faillog -p wa -k logins is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /var/log/lastlog -p wa -k logins is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /var/log/tallylog -p wa -k logins is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /var/log/faillog -p wa -k logins is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -w /var/log/lastlog -p wa -k logins is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -w /var/log/tallylog -p wa -k logins is present in /etc/audit/rules.d/audit.rules"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

@ -13,8 +13,8 @@ test_audit() {
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "[ OK ] -w /var/run/utmp -p wa -k session is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /var/log/wtmp -p wa -k session is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /var/log/btmp -p wa -k session is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /var/run/utmp -p wa -k session is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -w /var/log/wtmp -p wa -k session is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -w /var/log/btmp -p wa -k session is present in /etc/audit/rules.d/audit.rules"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

@ -13,11 +13,11 @@ test_audit() {
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "[ OK ] -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/rules.d/audit.rules"
register_test contain "[ OK ] -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/rules.d/audit.rules"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

@ -3,7 +3,7 @@
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
register_test contain "[ OK ] ^\s*password\s.+\s+pam_unix\.so\s+.*sha512 is present in /etc/pam.d/common-password"
register_test contain REGEX "[ OK ] .*(sha512|yescrypt) is present in /etc/pam.d/common-password"
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}
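
Review bot: in the `REGEX` form, `[ OK ]` is a bracket expression that matches a single space, `O` or `K`, not the literal status tag, so `"[ OK ] .*(sha512|yescrypt) is present in ..."` is much looser than it reads. Escape the brackets (`\[ OK \]`). The new pattern also drops the `pam_unix\.so` part that the old string carried, so a line naming `sha512` or `yescrypt` for any module would satisfy it; keep `pam_unix\.so` in the expression if the check still requires it.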

@ -5,7 +5,9 @@ test_audit() {
# shellcheck disable=2154
/opt/debian-cis/bin/hardening/"${script}".sh || true
# shellcheck disable=2016
echo 'EXCLUDED="$EXCLUDED ^/dev/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
echo 'EXCLUDED="$EXCLUDED ^/home/secaudit/thisfileisignored.*|^/dev/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
touch /home/secaudit/thisfileisignored
chmod 777 /home/secaudit/thisfileisignored
describe Running on blank host
register_test retvalshouldbe 0
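
Review bot: the new `EXCLUDED` value joins its two patterns with `|` but is attached to the existing `$EXCLUDED` with a space, so the line mixes two separators and how it is parsed depends on how the check consumes the variable. Pick one form and add a comment saying which. The file created with `chmod 777 /home/secaudit/thisfileisignored` has no removal visible in this hunk; delete it at the end of the test so it does not leak into later checks.
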
@ -21,6 +23,12 @@ test_audit() {
register_test contain "Some world writable files are present"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Tests failing with find ignore flag
echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
register_test retvalshouldbe 1
register_test contain "Some world writable files are present"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true

@ -24,6 +24,12 @@ test_audit() {
register_test contain "Some unowned files are present"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Tests failing with find ignore flag
echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
register_test retvalshouldbe 1
register_test contain "Some unowned files are present"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh || true
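
Review bot: the `correcting situation` step at the end of this hunk runs `"${script}".sh || true` with no `--apply`, while the equivalent step in the world-writable and ungrouped tests passes `--apply`. Confirm this is intended, and if so say why in a comment; otherwise the following resolved-state assertions may be testing a system that was never remediated.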

@ -24,6 +24,12 @@ test_audit() {
register_test contain "Some ungrouped files are present"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Tests failing with find ignore flag
echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
register_test retvalshouldbe 1
register_test contain "Some ungrouped files are present"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true

@ -21,6 +21,12 @@ test_audit() {
register_test contain "$targetfile"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Tests failing with find ignore flag
echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
register_test retvalshouldbe 1
register_test contain "Some suid files are present"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
chmod 700 $targetfile
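
Review bot: the flag case asserts only the generic `Some suid files are present` message, whereas the noncompliant case above it asserts `"$targetfile"`, so the new case would pass even if the offending path stopped being reported once `FIND_IGNORE_NOSUCHFILE_ERR=true` is set. Add `register_test contain "$targetfile"` to it. `chmod 700 $targetfile` should quote the variable. The sgid hunk that follows has the same shape.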

@ -22,6 +22,12 @@ test_audit() {
register_test contain "$targetfile"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Tests failing with find ignore flag
echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
register_test retvalshouldbe 1
register_test contain "Some sgid files are present"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
chmod 700 $targetfile

@ -3,7 +3,6 @@
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

@ -1,14 +1,8 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Running void to generate the conf file that will later be edited
# shellcheck disable=2154
/opt/debian-cis/bin/hardening/"${script}".sh || true
echo "EXCEPTIONS=\"/:systemd-coredump:root\"" >>/opt/debian-cis/etc/conf.d/"${script}".cfg
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
@ -22,7 +16,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
echo "EXCEPTIONS=\"/:systemd-coredump:root /home/$test_user:$test_user:root\"" >/opt/debian-cis/etc/conf.d/"${script}".cfg
echo "EXCEPTIONS=\"/home/$test_user:$test_user:root\"" >/opt/debian-cis/etc/conf.d/"${script}".cfg
describe Checking resolved state
register_test retvalshouldbe 0
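
Review bot: the `echo "EXCEPTIONS=..." >` line in the `correcting situation` step truncates the cfg file, where the other tests in this change append with `>>` or edit in place with `sed -i`. With the `Running void to generate the conf file` step removed in the first hunk of this file, confirm that the blank-host run still creates the cfg and that replacing it with a single `EXCEPTIONS` line leaves the check configured as the resolved-state assertion expects.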

@ -28,6 +28,19 @@ test_audit() {
register_test contain "[ OK ] jeantestuser ALL = (ALL) NOPASSWD:ALL is present in /etc/sudoers.d/jeantestuser but was EXCUSED because jeantestuser is part of exceptions"
run userexcept /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# testing the MAX_FILES_TO_LOG config option
echo 'MAX_FILES_TO_LOG=1' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
describe Testing with MAX_FILES_TO_LOG=1
register_test retvalshouldbe 0
register_test contain "won't log every file we check"
run maxlogfiles_1 /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
echo 'MAX_FILES_TO_LOG=9999' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
describe Testing with MAX_FILES_TO_LOG=9999
register_test retvalshouldbe 0
register_test contain "There is no carte-blanche sudo permission in"
run maxlogfiles_9999 /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
rm -f /etc/sudoers.d/jeantestuser
userdel jeantestuser
}
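
Review bot: `MAX_FILES_TO_LOG=9999` is appended with `>>` after `MAX_FILES_TO_LOG=1`, so the cfg ends up holding both assignments and the second case passes only if the last one wins when the file is read. Replace the value with `sed -i`, or add a comment noting that the test relies on assignment order.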