From 0bc369003cb5437aab4a0cc685800f2ecc56c3f8 Mon Sep 17 00:00:00 2001 From: Samson-W Date: Wed, 23 Jun 2021 01:43:21 +0800 Subject: [PATCH] Delete unimplemented items: 8.2.3 8.3.3 8.6 9.4 --- bin/hardening/8.2.3_configure_rsyslog.sh | 65 ------------------- ... => 8.2.3_set_logfile_perm_cfg_rsyslog.sh} | 2 +- ...e_host.sh => 8.2.4_rsyslog_remote_host.sh} | 2 +- bin/hardening/8.3.3_configure_syslog-ng.sh | 63 ------------------ ...file_perm.sh => 8.3.3_set_logfile_perm.sh} | 2 +- ...host.sh => 8.3.4_syslog-ng_remote_host.sh} | 2 +- ...g_acl.sh => 8.3.5_remote_syslog-ng_acl.sh} | 2 +- bin/hardening/8.6_configure_logrotate.sh | 52 --------------- ...es.sh => 8.6_verify_integrity_packages.sh} | 2 +- ..._restrict_su.sh => 9.4_pam_restrict_su.sh} | 2 +- bin/hardening/9.4_secure_tty.sh | 51 --------------- 11 files changed, 7 insertions(+), 238 deletions(-) delete mode 100755 bin/hardening/8.2.3_configure_rsyslog.sh rename bin/hardening/{8.2.4_set_logfile_perm_cfg_rsyslog.sh => 8.2.3_set_logfile_perm_cfg_rsyslog.sh} (98%) rename bin/hardening/{8.2.5_rsyslog_remote_host.sh => 8.2.4_rsyslog_remote_host.sh} (97%) delete mode 100755 bin/hardening/8.3.3_configure_syslog-ng.sh rename bin/hardening/{8.3.4_set_logfile_perm.sh => 8.3.3_set_logfile_perm.sh} (98%) rename bin/hardening/{8.3.5_syslog-ng_remote_host.sh => 8.3.4_syslog-ng_remote_host.sh} (97%) rename bin/hardening/{8.3.6_remote_syslog-ng_acl.sh => 8.3.5_remote_syslog-ng_acl.sh} (95%) delete mode 100755 bin/hardening/8.6_configure_logrotate.sh rename bin/hardening/{8.7_verify_integrity_packages.sh => 8.6_verify_integrity_packages.sh} (96%) rename bin/hardening/{9.5_pam_restrict_su.sh => 9.4_pam_restrict_su.sh} (97%) delete mode 100755 bin/hardening/9.4_secure_tty.sh diff --git a/bin/hardening/8.2.3_configure_rsyslog.sh b/bin/hardening/8.2.3_configure_rsyslog.sh deleted file mode 100755 index 469f9b2..0000000 --- a/bin/hardening/8.2.3_configure_rsyslog.sh +++ /dev/null @@ -1,65 +0,0 @@ -#!/bin/bash - -# -# harbian-audit for Debian GNU/Linux 7/8/9 Hardening -# - -# -# 8.2.3 Configure /etc/rsyslog.conf (Not Scored) -# Author : Samson wen, Samson -# - -set -e # One error, it's over -set -u # One variable unset, it's over - -HARDENING_LEVEL=3 - -SERVICE_NAME="rsyslog" -PACKAGE_NG='syslog-ng' - -# This function will be called if the script status is on enabled / audit mode -audit () { - is_pkg_installed $PACKAGE_NG - if [ $FNRET = 0 ]; then - ok "$PACKAGE_NG has installed, so pass." - FNRET=0 - else - info "Ensure default and local facilities are preserved on the system" - info "No measure here, please review the file by yourself" - fi -} - -# This function will be called if the script status is on enabled mode -apply () { - is_pkg_installed $PACKAGE_NG - if [ $FNRET = 0 ]; then - ok "$PACKAGE_NG has installed, so pass." - FNRET=0 - else - info "Ensure default and local facilities are preserved on the system" - info "No measure here, please review the file by yourself" - fi -} - -# This function will check config parameters required -check_config() { - : -} - -# Source Root Dir Parameter -if [ -r /etc/default/cis-hardening ]; then - . /etc/default/cis-hardening -fi -if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." - exit 128 -fi - -# Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then - . $CIS_ROOT_DIR/lib/main.sh -else - echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" - exit 128 -fi diff --git a/bin/hardening/8.2.4_set_logfile_perm_cfg_rsyslog.sh b/bin/hardening/8.2.3_set_logfile_perm_cfg_rsyslog.sh similarity index 98% rename from bin/hardening/8.2.4_set_logfile_perm_cfg_rsyslog.sh rename to bin/hardening/8.2.3_set_logfile_perm_cfg_rsyslog.sh index d9888bc..9a156b4 100755 --- a/bin/hardening/8.2.4_set_logfile_perm_cfg_rsyslog.sh +++ b/bin/hardening/8.2.3_set_logfile_perm_cfg_rsyslog.sh @@ -5,7 +5,7 @@ # # -# 8.2.4 Create and Set Permissions on rsyslog Log Files by conf file (Scored) +# 8.2.3 Create and Set Permissions on rsyslog Log Files by conf file (Scored) # Author : Samson wen, Samson # diff --git a/bin/hardening/8.2.5_rsyslog_remote_host.sh b/bin/hardening/8.2.4_rsyslog_remote_host.sh similarity index 97% rename from bin/hardening/8.2.5_rsyslog_remote_host.sh rename to bin/hardening/8.2.4_rsyslog_remote_host.sh index 9f7a4af..8a69437 100755 --- a/bin/hardening/8.2.5_rsyslog_remote_host.sh +++ b/bin/hardening/8.2.4_rsyslog_remote_host.sh @@ -5,7 +5,7 @@ # # -# 8.2.5 Configure rsyslog to Send Logs to a Remote Log Host (Scored) +# 8.2.4 Configure rsyslog to Send Logs to a Remote Log Host (Scored) # Author : Samson wen, Samson # diff --git a/bin/hardening/8.3.3_configure_syslog-ng.sh b/bin/hardening/8.3.3_configure_syslog-ng.sh deleted file mode 100755 index d23ebaa..0000000 --- a/bin/hardening/8.3.3_configure_syslog-ng.sh +++ /dev/null @@ -1,63 +0,0 @@ -#!/bin/bash - -# -# harbian-audit for Debian GNU/Linux 7/8/9 Hardening -# - -# -# 8.3.3 Configure /etc/syslog-ng/syslog-ng.conf (Not Scored) -# - -set -e # One error, it's over -set -u # One variable unset, it's over - -HARDENING_LEVEL=3 - -SERVICE_NAME="syslog-ng" -PACKAGE_R='rsyslog' - -# This function will be called if the script status is on enabled / audit mode -audit () { - is_pkg_installed $PACKAGE_R - if [ $FNRET = 0 ]; then - ok "$PACKAGE_R has installed, so pass." - FNRET=0 - else - info "Ensure default and local facilities are preserved on the system" - info "No measure here, please review the file by yourself" - fi -} - -# This function will be called if the script status is on enabled mode -apply () { - is_pkg_installed $PACKAGE_R - if [ $FNRET = 0 ]; then - ok "$PACKAGE_R has installed, so pass." - else - info "Ensure default and local facilities are preserved on the system" - info "No measure here, please review the file by yourself" - fi -} - -# This function will check config parameters required -check_config() { - : -} - -# Source Root Dir Parameter -if [ -r /etc/default/cis-hardening ]; then - . /etc/default/cis-hardening -fi -if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." - exit 128 -fi - -# Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then - . $CIS_ROOT_DIR/lib/main.sh -else - echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" - exit 128 -fi diff --git a/bin/hardening/8.3.4_set_logfile_perm.sh b/bin/hardening/8.3.3_set_logfile_perm.sh similarity index 98% rename from bin/hardening/8.3.4_set_logfile_perm.sh rename to bin/hardening/8.3.3_set_logfile_perm.sh index 30d06c2..4a18496 100755 --- a/bin/hardening/8.3.4_set_logfile_perm.sh +++ b/bin/hardening/8.3.3_set_logfile_perm.sh @@ -5,7 +5,7 @@ # # -# 8.3.4 Create and Set Permissions on syslog-ng Log Files (Scored) +# 8.3.3 Create and Set Permissions on syslog-ng Log Files (Scored) # set -e # One error, it's over diff --git a/bin/hardening/8.3.5_syslog-ng_remote_host.sh b/bin/hardening/8.3.4_syslog-ng_remote_host.sh similarity index 97% rename from bin/hardening/8.3.5_syslog-ng_remote_host.sh rename to bin/hardening/8.3.4_syslog-ng_remote_host.sh index c852ce3..f6f6cc2 100755 --- a/bin/hardening/8.3.5_syslog-ng_remote_host.sh +++ b/bin/hardening/8.3.4_syslog-ng_remote_host.sh @@ -5,7 +5,7 @@ # # -# 8.3.5 Configure syslog-ng to Send Logs to a Remote Log Host (Not Scored) +# 8.3.4 Configure syslog-ng to Send Logs to a Remote Log Host (Not Scored) # set -e # One error, it's over diff --git a/bin/hardening/8.3.6_remote_syslog-ng_acl.sh b/bin/hardening/8.3.5_remote_syslog-ng_acl.sh similarity index 95% rename from bin/hardening/8.3.6_remote_syslog-ng_acl.sh rename to bin/hardening/8.3.5_remote_syslog-ng_acl.sh index f7a2fdf..55f2b84 100755 --- a/bin/hardening/8.3.6_remote_syslog-ng_acl.sh +++ b/bin/hardening/8.3.5_remote_syslog-ng_acl.sh @@ -5,7 +5,7 @@ # # -# 8.3.6 Accept Remote rsyslog Messages Only on Designated Log Hosts (Not Scored) +# 8.3.5 Accept Remote rsyslog Messages Only on Designated Log Hosts (Not Scored) # set -e # One error, it's over diff --git a/bin/hardening/8.6_configure_logrotate.sh b/bin/hardening/8.6_configure_logrotate.sh deleted file mode 100755 index efbfe6f..0000000 --- a/bin/hardening/8.6_configure_logrotate.sh +++ /dev/null @@ -1,52 +0,0 @@ -#!/bin/bash - -# -# harbian-audit for Debian GNU/Linux 7/8/9 Hardening -# - -# -# 8.6 Configure logrotate (Not Scored) -# todo delete this or ... -# - -set -e # One error, it's over -set -u # One variable unset, it's over - -HARDENING_LEVEL=3 - -SERVICE_NAME="syslog-ng" - -# This function will be called if the script status is on enabled / audit mode -audit () { - info "Ensure logs are properly rotated (especially syslog-ng)" - info "No measure here, please review the files by yourself" -} - -# This function will be called if the script status is on enabled mode -apply () { - info "Ensure logs are properly rotated (especially syslog-ng)" - info "No measure here, please review the file by yourself" -} - -# This function will check config parameters required -check_config() { - : -} - -# Source Root Dir Parameter -if [ -r /etc/default/cis-hardening ]; then - . /etc/default/cis-hardening -fi -if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." - exit 128 -fi - -# Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then - . $CIS_ROOT_DIR/lib/main.sh -else - echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" - exit 128 -fi diff --git a/bin/hardening/8.7_verify_integrity_packages.sh b/bin/hardening/8.6_verify_integrity_packages.sh similarity index 96% rename from bin/hardening/8.7_verify_integrity_packages.sh rename to bin/hardening/8.6_verify_integrity_packages.sh index 391177c..63d660d 100755 --- a/bin/hardening/8.7_verify_integrity_packages.sh +++ b/bin/hardening/8.6_verify_integrity_packages.sh @@ -4,7 +4,7 @@ # harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening # # -# 8.7 Verifies integrity all packages (Scored) +# 8.6 Verifies integrity all packages (Scored) # Author : Samson wen, Samson # diff --git a/bin/hardening/9.5_pam_restrict_su.sh b/bin/hardening/9.4_pam_restrict_su.sh similarity index 97% rename from bin/hardening/9.5_pam_restrict_su.sh rename to bin/hardening/9.4_pam_restrict_su.sh index e5197f6..7085170 100755 --- a/bin/hardening/9.5_pam_restrict_su.sh +++ b/bin/hardening/9.4_pam_restrict_su.sh @@ -5,7 +5,7 @@ # # -# 9.5 Restrict Access to the su Command (Scored) +# 9.4 Restrict Access to the su Command (Scored) # set -e # One error, it's over diff --git a/bin/hardening/9.4_secure_tty.sh b/bin/hardening/9.4_secure_tty.sh deleted file mode 100755 index f6acbce..0000000 --- a/bin/hardening/9.4_secure_tty.sh +++ /dev/null @@ -1,51 +0,0 @@ -#!/bin/bash - -# -# harbian-audit for Debian GNU/Linux 7/8/9 Hardening -# - -# -# 9.4 Restrict root Login to System Console (Not Scored) -# - -set -e # One error, it's over -set -u # One variable unset, it's over - -HARDENING_LEVEL=3 - -FILE='/etc/securetty' - -# This function will be called if the script status is on enabled / audit mode -audit () { - info "Remove terminal entries in $FILE for any consoles that are not in a physically secure location." - info "No measure here, please review the file by yourself" -} - -# This function will be called if the script status is on enabled mode -apply () { - info "Remove terminal entries in $FILE for any consoles that are not in a physically secure location." - info "No measure here, please review the file by yourself" -} - -# This function will check config parameters required -check_config() { - : -} - -# Source Root Dir Parameter -if [ -r /etc/default/cis-hardening ]; then - . /etc/default/cis-hardening -fi -if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." - exit 128 -fi - -# Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then - . $CIS_ROOT_DIR/lib/main.sh -else - echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" - exit 128 -fi