Rename variables: *_REDHAT to *_CENTOS.
This commit is contained in:
parent
3b61a0e406
commit
0989b9f4e3
@ -18,7 +18,7 @@ set -u # One variable unset, it's over
|
||||
HARDENING_LEVEL=3
|
||||
|
||||
OPTIONS='INACTIVE=30'
|
||||
OPTIONS_REDHAT='INACTIVE=0'
|
||||
OPTIONS_CENTOS='INACTIVE=0'
|
||||
SHA_FILE='/etc/shadow'
|
||||
DISABLE_V='-1'
|
||||
FILE='/etc/default/useradd'
|
||||
@ -158,7 +158,7 @@ check_config() {
|
||||
if [ $OS_RELEASE -eq 1 ]; then
|
||||
:
|
||||
elif [ $OS_RELEASE -eq 2 ]; then
|
||||
OPTIONS=$OPTIONS_REDHAT
|
||||
OPTIONS=$OPTIONS_CENTOS
|
||||
else
|
||||
warn "Current OS is not support!"
|
||||
fi
|
||||
|
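Review bot: `OPTIONS_CENTOS='INACTIVE=0'`, which check_config() selects for `OS_RELEASE -eq 2`, makes every account created through `useradd -D` defaults lock on the very day its password expires, whereas the Debian value `INACTIVE=30` leaves a 30-day window; the CIS wording for RHEL is "30 days or less", so 0 is permitted but far harsher and is a frequent cause of locked-out service and break-glass accounts. If the stricter value is intentional, a comment above the assignment such as `# CentOS: lock accounts immediately at password expiry (stricter than the 30-day Debian grace)` would stop the next maintainer from "fixing" it; otherwise align it to `INACTIVE=30`. The warn text `Current OS is not support!` should read `Current OS is not supported!`. check_config() continues beyond the hunk.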
@ -16,16 +16,16 @@ HARDENING_LEVEL=1
|
||||
|
||||
FILE='/etc/gshadow-'
|
||||
PERMISSIONS='600'
|
||||
PERMISSIONS_REDHAT='0'
|
||||
PERMISSIONS_CENTOS='0'
|
||||
USER='root'
|
||||
GROUP='shadow'
|
||||
GROUP_REDHAT='root'
|
||||
GROUP_CENTOS='root'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
PERMISSIONS=$PERMISSIONS_REDHAT
|
||||
GROUP=$GROUP_REDHAT
|
||||
PERMISSIONS=$PERMISSIONS_CENTOS
|
||||
GROUP=$GROUP_CENTOS
|
||||
else
|
||||
:
|
||||
fi
|
||||
@ -46,8 +46,8 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
PERMISSIONS=$PERMISSIONS_REDHAT
|
||||
GROUP=$GROUP_REDHAT
|
||||
PERMISSIONS=$PERMISSIONS_CENTOS
|
||||
GROUP=$GROUP_CENTOS
|
||||
else
|
||||
:
|
||||
fi
|
||||
|
@ -16,16 +16,16 @@ HARDENING_LEVEL=1
|
||||
|
||||
FILE='/etc/shadow'
|
||||
PERMISSIONS='640'
|
||||
PERMISSIONS_REDHAT='0'
|
||||
PERMISSIONS_CENTOS='0'
|
||||
USER='root'
|
||||
GROUP='shadow'
|
||||
GROUP_REDHAT='root'
|
||||
GROUP_CENTOS='root'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
PERMISSIONS=$PERMISSIONS_REDHAT
|
||||
GROUP=$GROUP_REDHAT
|
||||
PERMISSIONS=$PERMISSIONS_CENTOS
|
||||
GROUP=$GROUP_CENTOS
|
||||
else
|
||||
:
|
||||
fi
|
||||
@ -46,8 +46,8 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
PERMISSIONS=$PERMISSIONS_REDHAT
|
||||
GROUP=$GROUP_REDHAT
|
||||
PERMISSIONS=$PERMISSIONS_CENTOS
|
||||
GROUP=$GROUP_CENTOS
|
||||
else
|
||||
:
|
||||
fi
|
||||
|
@ -16,16 +16,16 @@ HARDENING_LEVEL=1
|
||||
|
||||
FILE='/etc/gshadow'
|
||||
PERMISSIONS='640'
|
||||
PERMISSIONS_REDHAT='0'
|
||||
PERMISSIONS_CENTOS='0'
|
||||
USER='root'
|
||||
GROUP='shadow'
|
||||
GROUP_REDHAT='root'
|
||||
GROUP_CENTOS='root'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
PERMISSIONS=$PERMISSIONS_REDHAT
|
||||
GROUP=$GROUP_REDHAT
|
||||
PERMISSIONS=$PERMISSIONS_CENTOS
|
||||
GROUP=$GROUP_CENTOS
|
||||
else
|
||||
:
|
||||
fi
|
||||
@ -46,8 +46,8 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
PERMISSIONS=$PERMISSIONS_REDHAT
|
||||
GROUP=$GROUP_REDHAT
|
||||
PERMISSIONS=$PERMISSIONS_CENTOS
|
||||
GROUP=$GROUP_CENTOS
|
||||
else
|
||||
:
|
||||
fi
|
||||
|
@ -16,16 +16,16 @@ HARDENING_LEVEL=1
|
||||
|
||||
FILE='/etc/shadow-'
|
||||
PERMISSIONS='600'
|
||||
PERMISSIONS_REDHAT='0'
|
||||
PERMISSIONS_CENTOS='0'
|
||||
USER='root'
|
||||
GROUP='shadow'
|
||||
GROUP_REDHAT='root'
|
||||
GROUP_CENTOS='root'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
PERMISSIONS=$PERMISSIONS_REDHAT
|
||||
GROUP=$GROUP_REDHAT
|
||||
PERMISSIONS=$PERMISSIONS_CENTOS
|
||||
GROUP=$GROUP_CENTOS
|
||||
else
|
||||
:
|
||||
fi
|
||||
@ -46,8 +46,8 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
PERMISSIONS=$PERMISSIONS_REDHAT
|
||||
GROUP=$GROUP_REDHAT
|
||||
PERMISSIONS=$PERMISSIONS_CENTOS
|
||||
GROUP=$GROUP_CENTOS
|
||||
else
|
||||
:
|
||||
fi
|
||||
|
@ -18,7 +18,7 @@ HARDENING_LEVEL=2
|
||||
PARTITION="/tmp"
|
||||
SERVICENAME="tmp.mount"
|
||||
SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount"
|
||||
REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
|
||||
CENTOS_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
|
||||
DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
@ -75,12 +75,12 @@ apply () {
|
||||
fi
|
||||
fi
|
||||
elif [ $OS_RELEASE -eq 2 ]; then
|
||||
if [ -e $REDHAT_SERVICEPATH ]; then
|
||||
if [ -e $CENTOS_SERVICEPATH ]; then
|
||||
$SUDO_CMD systemctl enable "$SERVICENAME"
|
||||
$SUDO_CMD systemctl daemon-reload
|
||||
$SUDO_CMD systemctl start "$SERVICENAME"
|
||||
else
|
||||
crit "System unit file $REDHAT_SERVICEPATH is not exist!"
|
||||
crit "System unit file $CENTOS_SERVICEPATH is not exist!"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
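Review bot: The CentOS branch of apply() runs `systemctl enable "$SERVICENAME"` as soon as `$CENTOS_SERVICEPATH` exists, but on RHEL/CentOS 7 the stock tmp.mount unit ships masked (as far as I recall), so enable fails and /tmp is never separated while the only failure path in the hunk is the file-missing crit. Add `$SUDO_CMD systemctl unmask "$SERVICENAME"` before the enable, run `daemon-reload` before rather than between `enable` and `start`, and check the exit status (or `systemctl is-enabled "$SERVICENAME"`) instead of assuming success. The crit text `is not exist!` should read `does not exist!`. apply() begins outside the hunk.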
@ -19,7 +19,7 @@ PARTITION="/tmp"
|
||||
OPTION="nodev"
|
||||
SERVICENAME="tmp.mount"
|
||||
SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount"
|
||||
REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
|
||||
CENTOS_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
|
||||
DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
@ -50,7 +50,7 @@ audit () {
|
||||
if [ $OS_RELEASE -eq 1 ]; then
|
||||
UNITSERVICEPATH=$DEBIAN_SERVICEPATH
|
||||
elif [ $OS_RELEASE -eq 2 ]; then
|
||||
UNITSERVICEPATH=$REDHAT_SERVICEPATH
|
||||
UNITSERVICEPATH=$CENTOS_SERVICEPATH
|
||||
fi
|
||||
if [ -e $UNITSERVICEPATH ]; then
|
||||
has_mount_option_systemd $UNITSERVICEPATH $OPTION
|
||||
@ -80,7 +80,7 @@ apply () {
|
||||
if [ $OS_RELEASE -eq 1 ]; then
|
||||
UNITSERVICEPATH=$DEBIAN_SERVICEPATH
|
||||
elif [ $OS_RELEASE -eq 2 ]; then
|
||||
UNITSERVICEPATH=$REDHAT_SERVICEPATH
|
||||
UNITSERVICEPATH=$CENTOS_SERVICEPATH
|
||||
fi
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
|
@ -19,7 +19,7 @@ PARTITION="/tmp"
|
||||
OPTION="nosuid"
|
||||
SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount"
|
||||
SERVICENAME="tmp.mount"
|
||||
REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
|
||||
CENTOS_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
|
||||
DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
@ -50,7 +50,7 @@ audit () {
|
||||
if [ $OS_RELEASE -eq 1 ]; then
|
||||
UNITSERVICEPATH=$DEBIAN_SERVICEPATH
|
||||
elif [ $OS_RELEASE -eq 2 ]; then
|
||||
UNITSERVICEPATH=$REDHAT_SERVICEPATH
|
||||
UNITSERVICEPATH=$CENTOS_SERVICEPATH
|
||||
fi
|
||||
if [ -e $UNITSERVICEPATH ]; then
|
||||
has_mount_option_systemd $UNITSERVICEPATH $OPTION
|
||||
@ -80,7 +80,7 @@ apply () {
|
||||
if [ $OS_RELEASE -eq 1 ]; then
|
||||
UNITSERVICEPATH=$DEBIAN_SERVICEPATH
|
||||
elif [ $OS_RELEASE -eq 2 ]; then
|
||||
UNITSERVICEPATH=$REDHAT_SERVICEPATH
|
||||
UNITSERVICEPATH=$CENTOS_SERVICEPATH
|
||||
fi
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
|
@ -19,7 +19,7 @@ PARTITION="/tmp"
|
||||
OPTION="noexec"
|
||||
SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount"
|
||||
SERVICENAME="tmp.mount"
|
||||
REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
|
||||
CENTOS_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
|
||||
DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
@ -50,7 +50,7 @@ audit () {
|
||||
if [ $OS_RELEASE -eq 1 ]; then
|
||||
UNITSERVICEPATH=$DEBIAN_SERVICEPATH
|
||||
elif [ $OS_RELEASE -eq 2 ]; then
|
||||
UNITSERVICEPATH=$REDHAT_SERVICEPATH
|
||||
UNITSERVICEPATH=$CENTOS_SERVICEPATH
|
||||
fi
|
||||
if [ -e $UNITSERVICEPATH ]; then
|
||||
has_mount_option_systemd $UNITSERVICEPATH $OPTION
|
||||
@ -80,7 +80,7 @@ apply () {
|
||||
if [ $OS_RELEASE -eq 1 ]; then
|
||||
UNITSERVICEPATH=$DEBIAN_SERVICEPATH
|
||||
elif [ $OS_RELEASE -eq 2 ]; then
|
||||
UNITSERVICEPATH=$REDHAT_SERVICEPATH
|
||||
UNITSERVICEPATH=$CENTOS_SERVICEPATH
|
||||
fi
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
|
@ -15,12 +15,12 @@ set -u # One variable unset, it's over
|
||||
HARDENING_LEVEL=3
|
||||
|
||||
PACKAGE='nis'
|
||||
PACKAGE_REDHAT='ypserv'
|
||||
PACKAGE_CENTOS='ypserv'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
PACKAGE=$PACKAGE_REDHAT
|
||||
PACKAGE=$PACKAGE_CENTOS
|
||||
fi
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
@ -34,7 +34,7 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
PACKAGE=$PACKAGE_REDHAT
|
||||
PACKAGE=$PACKAGE_CENTOS
|
||||
fi
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
|
@ -16,7 +16,7 @@ HARDENING_LEVEL=2
|
||||
|
||||
# Based on aptitude search '~Prsh-server'
|
||||
PACKAGES='rsh-server rsh-redone-server heimdal-servers'
|
||||
PACKAGE_REDHAT='rsh-server'
|
||||
PACKAGE_CENTOS='rsh-server'
|
||||
FILE='/etc/inetd.conf'
|
||||
PATTERN='^(shell|login|exec)'
|
||||
|
||||
@ -43,11 +43,11 @@ audit_debian () {
|
||||
}
|
||||
|
||||
audit_centos () {
|
||||
is_pkg_installed $PACKAGE_REDHAT
|
||||
is_pkg_installed $PACKAGE_CENTOS
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PACKAGE_REDHAT is installed!"
|
||||
crit "$PACKAGE_CENTOS is installed!"
|
||||
else
|
||||
ok "$PACKAGE_REDHAT is absent"
|
||||
ok "$PACKAGE_CENTOS is absent"
|
||||
fi
|
||||
}
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
@ -91,12 +91,12 @@ apply_debian () {
|
||||
}
|
||||
|
||||
apply_centos () {
|
||||
is_pkg_installed $PACKAGE_REDHAT
|
||||
is_pkg_installed $PACKAGE_CENTOS
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PACKAGE_REDHAT is installed, purging it"
|
||||
yum -y remove $PACKAGE_REDHAT
|
||||
crit "$PACKAGE_CENTOS is installed, purging it"
|
||||
yum -y remove $PACKAGE_CENTOS
|
||||
else
|
||||
ok "$PACKAGE_REDHAT is absent"
|
||||
ok "$PACKAGE_CENTOS is absent"
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -17,7 +17,7 @@ HARDENING_LEVEL=2
|
||||
PACKAGES='inetutils-talkd talkd'
|
||||
FILE='/etc/inetd.conf'
|
||||
PATTERN='^(talk|ntalk)'
|
||||
PACKAGES_REDHAT='talk-server'
|
||||
PACKAGES_CENTOS='talk-server'
|
||||
|
||||
audit_debian () {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
@ -42,7 +42,7 @@ audit_debian () {
|
||||
}
|
||||
|
||||
audit_centos () {
|
||||
for PACKAGE in $PACKAGES_REDHAT; do
|
||||
for PACKAGE in $PACKAGES_CENTOS; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PACKAGE is installed"
|
||||
@ -93,7 +93,7 @@ apply_debian () {
|
||||
}
|
||||
|
||||
apply_centos () {
|
||||
for PACKAGE in $PACKAGES_REDHAT; do
|
||||
for PACKAGE in $PACKAGES_CENTOS; do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PACKAGE is installed, purging it"
|
||||
|
@ -15,12 +15,12 @@ set -u # One variable unset, it's over
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
PACKAGES='talk inetutils-talk'
|
||||
PACKAGES_REDHAT='talk'
|
||||
PACKAGES_CENTOS='talk'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
PACKAGES=$PACKAGES_REDHAT
|
||||
PACKAGES=$PACKAGES_CENTOS
|
||||
fi
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
@ -35,7 +35,7 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
PACKAGES=$PACKAGES_REDHAT
|
||||
PACKAGES=$PACKAGES_CENTOS
|
||||
fi
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
|
@ -18,7 +18,7 @@ HARDENING_LEVEL=2
|
||||
PACKAGES='telnetd inetutils-telnetd telnetd-ssl krb5-telnetd heimdal-servers'
|
||||
FILE='/etc/inetd.conf'
|
||||
PATTERN='^telnet'
|
||||
PACKAGE_REDHAT='telnet-server'
|
||||
PACKAGE_CENTOS='telnet-server'
|
||||
|
||||
audit_debian () {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
@ -43,11 +43,11 @@ audit_debian () {
|
||||
}
|
||||
|
||||
audit_centos () {
|
||||
is_pkg_installed $PACKAGE_REDHAT
|
||||
is_pkg_installed $PACKAGE_CENTOS
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PACKAGE_REDHAT is installed"
|
||||
crit "$PACKAGE_CENTOS is installed"
|
||||
else
|
||||
ok "$PACKAGE_REDHAT is absent"
|
||||
ok "$PACKAGE_CENTOS is absent"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -92,12 +92,12 @@ apply_debian () {
|
||||
}
|
||||
|
||||
apply_centos () {
|
||||
is_pkg_installed $PACKAGE_REDHAT
|
||||
is_pkg_installed $PACKAGE_CENTOS
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PACKAGE_REDHAT is installed, purging it"
|
||||
yum remove $PACKAGE_REDHAT -y
|
||||
crit "$PACKAGE_CENTOS is installed, purging it"
|
||||
yum remove $PACKAGE_CENTOS -y
|
||||
else
|
||||
ok "$PACKAGE_REDHAT is absent"
|
||||
ok "$PACKAGE_CENTOS is absent"
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -15,12 +15,12 @@ set -u # One variable unset, it's over
|
||||
HARDENING_LEVEL=3
|
||||
|
||||
PACKAGES='openbsd-inetd xinetd rlinetd'
|
||||
PACKAGES_REDHAT='xinetd'
|
||||
PACKAGES_CENTOS='xinetd'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
PACKAGES=$PACKAGES_REDHAT
|
||||
PACKAGES=$PACKAGES_CENTOS
|
||||
fi
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
@ -35,7 +35,7 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
PACKAGES=$PACKAGES_REDHAT
|
||||
PACKAGES=$PACKAGES_CENTOS
|
||||
fi
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
|
@ -16,7 +16,7 @@ HARDENING_LEVEL=2
|
||||
|
||||
PACKAGES='openssh-server openssh-client'
|
||||
SERVICE_NAME='ssh.service'
|
||||
SERVICE_NAME_REDHAT='sshd.service'
|
||||
SERVICE_NAME_CENTOS='sshd.service'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
@ -30,7 +30,7 @@ audit () {
|
||||
fi
|
||||
done
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
SERVICE_NAME=$SERVICE_NAME_REDHAT
|
||||
SERVICE_NAME=$SERVICE_NAME_CENTOS
|
||||
fi
|
||||
is_service_active $SERVICE_NAME
|
||||
if [ $FNRET = 0 ]; then
|
||||
@ -57,7 +57,7 @@ apply () {
|
||||
fi
|
||||
done
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
SERVICE_NAME=$SERVICE_NAME_REDHAT
|
||||
SERVICE_NAME=$SERVICE_NAME_CENTOS
|
||||
fi
|
||||
is_service_active $SERVICE_NAME
|
||||
if [ $FNRET = 0 ]; then
|
||||
|
@ -17,12 +17,12 @@ HARDENING_EXCEPTION=http
|
||||
|
||||
# Based on aptitude search '~Phttpd'
|
||||
PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd'
|
||||
PACKAGES_REDHAT='httpd pcp-pmda-nginx'
|
||||
PACKAGES_CENTOS='httpd pcp-pmda-nginx'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
PACKAGES=$PACKAGES_REDHAT
|
||||
PACKAGES=$PACKAGES_CENTOS
|
||||
fi
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
@ -41,7 +41,7 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
PACKAGES=$PACKAGES_REDHAT
|
||||
PACKAGES=$PACKAGES_CENTOS
|
||||
fi
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
|
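Review bot: `PACKAGES_CENTOS='httpd pcp-pmda-nginx'` names the Performance Co-Pilot nginx metrics agent rather than the nginx server, while the Debian list covers nginx and lighttpd; on CentOS the server packages are `nginx` and `lighttpd` (both from EPEL, as far as I know), so a host actually running nginx passes this audit. Suggest `PACKAGES_CENTOS='httpd nginx lighttpd'`, and if pcp-pmda-nginx is deliberately kept, a comment saying why. The audit and apply bodies continue beyond their hunks.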
@ -16,12 +16,12 @@ HARDENING_LEVEL=3
|
||||
HARDENING_EXCEPTION=http
|
||||
|
||||
PACKAGES='squid3 squid'
|
||||
PACKAGES_REDHAT='squid gssproxy haproxy'
|
||||
PACKAGES_CENTOS='squid gssproxy haproxy'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
PACKAGES=$PACKAGES_REDHAT
|
||||
PACKAGES=$PACKAGES_CENTOS
|
||||
fi
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
@ -40,7 +40,7 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
PACKAGES=$PACKAGES_REDHAT
|
||||
PACKAGES=$PACKAGES_CENTOS
|
||||
fi
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
|
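Review bot: `PACKAGES_CENTOS='squid gssproxy haproxy'` includes `gssproxy`, which is the GSS-API credential proxy daemon used by nfs-utils for Kerberized NFS, not an HTTP or caching proxy; if apply() removes each listed package as the sibling scripts do, enabling this control can break Kerberos NFS mounts on a CentOS host. haproxy is a load balancer rather than a proxy server in the sense of the Debian scope (squid3/squid) as well. Suggest `PACKAGES_CENTOS='squid'`, with a comment if haproxy is intentionally in scope. The apply body continues beyond the hunk.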
@ -14,7 +14,7 @@ set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=4
|
||||
VIRULSERVER='clamav-daemon'
|
||||
VIRULSERVER_REDHAT='clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd'
|
||||
VIRULSERVER_CENTOS='clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
@ -58,10 +58,10 @@ apply () {
|
||||
fi
|
||||
elif [ $OS_RELEASE -eq 2 ]; then
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$VIRULSERVER_REDHAT is enable"
|
||||
ok "$VIRULSERVER_CENTOS is enable"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
warn "Install $VIRULSERVER_REDHAT"
|
||||
yum install -y $VIRULSERVER_REDHAT
|
||||
warn "Install $VIRULSERVER_CENTOS"
|
||||
yum install -y $VIRULSERVER_CENTOS
|
||||
else
|
||||
warn "Start server $VIRULSERVER"
|
||||
systemctl start $VIRULSERVER
|
||||
|
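Review bot: Inside the `OS_RELEASE -eq 2` branch of apply(), the final else still runs `systemctl start $VIRULSERVER`, and VIRULSERVER is the Debian unit name `clamav-daemon`; the CentOS package set (clamav-scanner-systemd / clamav-server-systemd) provides a `clamd@` template unit instead, as far as I know, so the start fails on CentOS. Add a CentOS service name next to the package list, e.g. `VIRULSERVICE_CENTOS='clamd@scan'`, and use it in this branch. The message `ok "$VIRULSERVER_CENTOS is enable"` should read `is enabled`, and echoing the whole nine-package list there is noisy. apply() begins outside the hunk.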
@ -16,12 +16,12 @@ HARDENING_LEVEL=3
|
||||
HARDENING_EXCEPTION=dns
|
||||
|
||||
PACKAGES='avahi-daemon libavahi-common-data libavahi-common3 libavahi-core7'
|
||||
PKGS_PATTERN_REDHAT='avahi'
|
||||
PKGS_PATTERN_CENTOS='avahi'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
PACKAGES=$PKGS_PATTERN_REDHAT
|
||||
PACKAGES=$PKGS_PATTERN_CENTOS
|
||||
fi
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
@ -40,7 +40,7 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
PACKAGES=$PKGS_PATTERN_REDHAT
|
||||
PACKAGES=$PKGS_PATTERN_CENTOS
|
||||
fi
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
|
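Review bot: `PKGS_PATTERN_CENTOS='avahi'` is assigned to PACKAGES and then passed word by word to `is_pkg_installed $PACKAGE`, so despite the `_PATTERN` name it is used as an exact package name; on CentOS the daemon comes with `avahi-autoipd` (and `avahi-libs`, which many unrelated packages depend on), and this check will not see them unless is_pkg_installed, which is not visible here, does prefix matching. Suggest listing the daemons explicitly, `PACKAGES_CENTOS='avahi avahi-autoipd'`, and renaming the variable to `PACKAGES_CENTOS` for consistency with the other service scripts. The audit and apply bodies continue beyond their hunks.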
@ -16,12 +16,12 @@ HARDENING_LEVEL=3
|
||||
HARDENING_EXCEPTION=cups
|
||||
|
||||
PACKAGES='libcups2 libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1 cups-common cups-client cups-ppdc libcupsfilters1 cups-filters cups'
|
||||
PACKAGES_REDHAT='cups'
|
||||
PACKAGES_CENTOS='cups'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
PACKAGES=$PACKAGES_REDHAT
|
||||
PACKAGES=$PACKAGES_CENTOS
|
||||
fi
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
@ -40,7 +40,7 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
PACKAGES=$PACKAGES_REDHAT
|
||||
PACKAGES=$PACKAGES_CENTOS
|
||||
fi
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
|
@ -16,12 +16,12 @@ HARDENING_LEVEL=3
|
||||
HARDENING_EXCEPTION=dhcp
|
||||
|
||||
PACKAGES='udhcpd isc-dhcp-server'
|
||||
PACKAGES_REDHAT='dnsmasq'
|
||||
PACKAGES_CENTOS='dnsmasq'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
PACKAGES=$PACKAGES_REDHAT
|
||||
PACKAGES=$PACKAGES_CENTOS
|
||||
fi
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
@ -40,7 +40,7 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
PACKAGES=$PACKAGES_REDHAT
|
||||
PACKAGES=$PACKAGES_CENTOS
|
||||
fi
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
|
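Review bot: `PACKAGES_CENTOS='dnsmasq'` does not cover the ISC DHCP server that the Debian list targets via isc-dhcp-server; on CentOS 7 that package is `dhcp` (daemon dhcpd), so a host running dhcpd passes this audit. dnsmasq on CentOS is often pulled in by libvirt for NAT networks, so purging it can also break virtualization hosts. Suggest `PACKAGES_CENTOS='dhcp dnsmasq'`, or `dhcp` alone with a comment explaining that dnsmasq is left to the dns exception. The apply body continues beyond the hunk.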
@ -16,12 +16,12 @@ HARDENING_LEVEL=3
|
||||
HARDENING_EXCEPTION=ldap
|
||||
|
||||
PACKAGES='slapd'
|
||||
PACKAGES_REDHAT='openldap-servers'
|
||||
PACKAGES_CENTOS='openldap-servers'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
PACKAGES=$PACKAGES_REDHAT
|
||||
PACKAGES=$PACKAGES_CENTOS
|
||||
fi
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
@ -40,7 +40,7 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
PACKAGES=$PACKAGES_REDHAT
|
||||
PACKAGES=$PACKAGES_CENTOS
|
||||
fi
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
|
@ -16,12 +16,12 @@ HARDENING_LEVEL=3
|
||||
HARDENING_EXCEPTION=dns
|
||||
|
||||
PACKAGES='bind9 unbound'
|
||||
PACKAGES_REDHAT='bind unbound bind-utils'
|
||||
PACKAGES_CENTOS='bind unbound bind-utils'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
PACKAGES=$PACKAGES_REDHAT
|
||||
PACKAGES=$PACKAGES_CENTOS
|
||||
fi
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
@ -40,7 +40,7 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
PACKAGES=$PACKAGES_REDHAT
|
||||
PACKAGES=$PACKAGES_CENTOS
|
||||
fi
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
|
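Review bot: `PACKAGES_CENTOS='bind unbound bind-utils'` lists `bind-utils`, which only ships client tools (dig, host, nslookup) and is not a DNS server; if apply() removes each listed package as the sibling scripts do, this control strips troubleshooting tools from every CentOS host without reducing exposure. Suggest `PACKAGES_CENTOS='bind unbound'`, matching the Debian scope of bind9/unbound. The apply body continues beyond the hunk.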
@ -17,12 +17,12 @@ HARDENING_EXCEPTION=ftp
|
||||
|
||||
# Based on aptitude search '~Pftp-server'
|
||||
PACKAGES='ftpd ftpd-ssl heimdal-servers inetutils-ftpd krb5-ftpd muddleftpd proftpd-basic pure-ftpd pure-ftpd-ldap pure-ftpd-mysql pure-ftpd-postgresql twoftpd-run vsftpd wzdftpd'
|
||||
PACKAGE_REDHAT='tftp-server vsftpd'
|
||||
PACKAGE_CENTOS='tftp-server vsftpd'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
PACKAGES=$PACKAGE_REDHAT
|
||||
PACKAGES=$PACKAGE_CENTOS
|
||||
fi
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
@ -41,7 +41,7 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
PACKAGES=$PACKAGE_REDHAT
|
||||
PACKAGES=$PACKAGE_CENTOS
|
||||
fi
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed $PACKAGE
|
||||
|
@ -15,7 +15,7 @@ set -u # One variable unset, it's over
|
||||
HARDENING_LEVEL=3
|
||||
|
||||
PACKAGE='tcpd'
|
||||
PACKAGE_REDHAT='tcp_wrappers'
|
||||
PACKAGE_CENTOS='tcp_wrappers'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
@ -26,7 +26,7 @@ audit () {
|
||||
ok "So PASS."
|
||||
return 0
|
||||
else
|
||||
PACKAGE=$PACKAGE_REDHAT
|
||||
PACKAGE=$PACKAGE_CENTOS
|
||||
fi
|
||||
fi
|
||||
is_pkg_installed $PACKAGE
|
||||
@ -46,7 +46,7 @@ apply () {
|
||||
ok "So PASS."
|
||||
return 0
|
||||
else
|
||||
PACKAGE=$PACKAGE_REDHAT
|
||||
PACKAGE=$PACKAGE_CENTOS
|
||||
fi
|
||||
fi
|
||||
is_pkg_installed $PACKAGE
|
||||
|
@ -19,9 +19,9 @@ HARDENING_LEVEL=2
|
||||
# Do as you want, but this script does not handle this
|
||||
|
||||
PACKAGES='iptables iptables-persistent'
|
||||
PACKAGES_REDHAT='iptables iptables-services nftables firewalld'
|
||||
PACKAGES_CENTOS='iptables iptables-services nftables firewalld'
|
||||
SERVICENAME='netfilter-persistent'
|
||||
SERVICENAME_REDHAT='iptables ip6tables'
|
||||
SERVICENAME_CENTOS='iptables ip6tables'
|
||||
|
||||
audit_debian () {
|
||||
for PACKAGE in $PACKAGES
|
||||
@ -48,7 +48,7 @@ audit_debian () {
|
||||
}
|
||||
|
||||
audit_centos () {
|
||||
for PACKAGE in $PACKAGES_REDHAT
|
||||
for PACKAGE in $PACKAGES_CENTOS
|
||||
do
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET != 0 ]; then
|
||||
@ -61,7 +61,7 @@ audit_centos () {
|
||||
fi
|
||||
done
|
||||
if [ $FNRET = 0 ]; then
|
||||
for SERVICENAME in $SERVICENAME_REDHAT
|
||||
for SERVICENAME in $SERVICENAME_CENTOS
|
||||
do
|
||||
if [ $(systemctl status ${SERVICENAME} | grep -c "Active:.active") -ne 1 ]; then
|
||||
crit "${SERVICENAME} service is not actived"
|
||||
@ -110,16 +110,16 @@ apply_debian () {
|
||||
|
||||
apply_centos () {
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PACKAGES_REDHAT is installed"
|
||||
ok "$PACKAGES_CENTOS is installed"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
for PACKAGE in $PACKAGES_REDHAT
|
||||
for PACKAGE in $PACKAGES_CENTOS
|
||||
do
|
||||
warn "$PACKAGE is absent, installing it"
|
||||
yum_install $PACKAGE
|
||||
done
|
||||
elif [ $FNRET = 2 ]; then
|
||||
warn "Enable ${SERVICENAME_REDHAT} service to actived"
|
||||
for SERVICENAME in ${SERVICENAME_REDHAT}
|
||||
warn "Enable ${SERVICENAME_CENTOS} service to actived"
|
||||
for SERVICENAME in ${SERVICENAME_CENTOS}
|
||||
do
|
||||
is_service_enabled ${SERVICENAME}
|
||||
if [ $FNRET = 1 ]; then
|
||||
|
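Review bot: `PACKAGES_CENTOS='iptables iptables-services nftables firewalld'` installs firewalld together with iptables-services, and apply_centos then enables the `iptables`/`ip6tables` units from SERVICENAME_CENTOS; on CentOS 7 firewalld and iptables.service both program the same netfilter tables and are documented as mutually exclusive, so after a reboot whichever starts last overwrites the other's ruleset. Either drop `firewalld` from the list or mask it before enabling the iptables units, e.g. `$SUDO_CMD systemctl disable --now firewalld` followed by `$SUDO_CMD systemctl mask firewalld`; if some hosts intentionally run firewalld, this control needs a branch for that instead. The active check in audit_centos greps `systemctl status` output for `Active:.active`, which depends on the human-readable format; `systemctl is-active --quiet "${SERVICENAME}"` gives a stable exit status. The warn text `Enable ... service to actived` should read `Enabling ${SERVICENAME_CENTOS} service`. apply_centos continues beyond the hunk.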
@ -17,7 +17,7 @@ FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
|
||||
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
|
||||
AUDIT_PARAMS_REDHAT="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
|
||||
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
|
||||
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
|
||||
|
||||
AUDIT_PARAMS=""
|
||||
@ -75,7 +75,7 @@ check_config() {
|
||||
if [ $OS_RELEASE -eq 1 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
|
||||
elif [ $OS_RELEASE -eq 2 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -19,7 +19,7 @@ AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1
|
||||
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
|
||||
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
|
||||
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
|
||||
AUDIT_PARAMS_REDHAT="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
|
||||
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
|
||||
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
|
||||
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
|
||||
-a always,exit -F path=/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
|
||||
@ -79,7 +79,7 @@ check_config() {
|
||||
if [ $OS_RELEASE -eq 1 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
|
||||
elif [ $OS_RELEASE -eq 2 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -21,7 +21,7 @@ AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F a
|
||||
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change"
|
||||
AUDIT_PARAMS_REDHAT="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
-a always,exit -F path=/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
-a always,exit -F path=/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
-a always,exit -F path=/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
@ -83,7 +83,7 @@ check_config() {
|
||||
if [ $OS_RELEASE -eq 1 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
|
||||
elif [ $OS_RELEASE -eq 2 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
|
||||
fi
|
||||
}
|
||||
|
||||
|
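Review bot: In AUDIT_PARAMS_DEBIAN the chfn rule uses `-F auid>=500` while every other rule in both the Debian and CentOS sets uses `auid>=1000`; on Debian UID_MIN is 1000, so this is over-inclusive rather than a gap, but the inconsistency is reloaded on every apply and will confuse anyone diffing the live rules. Change it to `-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change`. The CentOS rules use `/bin/su`, `/bin/sudo` and so on, which on CentOS 7 resolve through the /bin -> /usr/bin symlink; auditctl accepts that as far as I know, but the `/usr/bin` form would match the canonical paths that ausearch reports. The AUDIT_PARAMS_CENTOS string continues beyond the hunk.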
@ -17,7 +17,7 @@ FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
|
||||
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
|
||||
AUDIT_PARAMS_REDHAT='-a always,exit -F path=/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
|
||||
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
|
||||
-a always,exit -F path=/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
|
||||
|
||||
AUDIT_PARAMS=""
|
||||
@ -75,7 +75,7 @@ check_config() {
|
||||
if [ $OS_RELEASE -eq 1 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
|
||||
elif [ $OS_RELEASE -eq 2 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -16,7 +16,7 @@ HARDENING_LEVEL=4
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
|
||||
AUDIT_PARAMS_REDHAT='-a always,exit -F path=/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
|
||||
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
|
||||
AUDIT_PARAMS=""
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
@ -72,7 +72,7 @@ check_config() {
|
||||
if [ $OS_RELEASE -eq 1 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
|
||||
elif [ $OS_RELEASE -eq 2 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -16,7 +16,7 @@ HARDENING_LEVEL=4
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
|
||||
AUDIT_PARAMS_REDHAT='-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
|
||||
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
|
||||
AUDIT_PARAMS=""
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
@ -72,7 +72,7 @@ check_config() {
|
||||
if [ $OS_RELEASE -eq 1 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
|
||||
elif [ $OS_RELEASE -eq 2 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -16,7 +16,7 @@ FILE='/etc/audit/rules.d/audit.rules'
|
||||
HARDENING_LEVEL=4
|
||||
|
||||
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod'
|
||||
AUDIT_PARAMS_REDHAT='-a always,exit -F path=/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod'
|
||||
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod'
|
||||
AUDIT_PARAMS=""
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
@ -72,7 +72,7 @@ check_config() {
|
||||
if [ $OS_RELEASE -eq 1 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
|
||||
elif [ $OS_RELEASE -eq 2 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -15,13 +15,13 @@ set -u # One variable unset, it's over
|
||||
HARDENING_LEVEL=4
|
||||
|
||||
PACKAGE='auditd'
|
||||
PACKAGE_REDHAT='audit'
|
||||
PACKAGE_CENTOS='audit'
|
||||
SERVICE_NAME='auditd'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
PACKAGE=$PACKAGE_REDHAT
|
||||
PACKAGE=$PACKAGE_CENTOS
|
||||
fi
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET != 0 ]; then
|
||||
@ -40,7 +40,7 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
PACKAGE=$PACKAGE_REDHAT
|
||||
PACKAGE=$PACKAGE_CENTOS
|
||||
fi
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
|
@ -16,7 +16,7 @@ set -e # One error, it's over
|
||||
HARDENING_LEVEL=4
|
||||
|
||||
SELINUX_PKG="selinux-basics"
|
||||
SELINUX_PKG_REDHAT="selinux-policy"
|
||||
SELINUX_PKG_CENTOS="selinux-policy"
|
||||
|
||||
SE_AUDIT_PARAMS="-a always,exit -F dir=/etc/selinux/ -F perm=wa -k MAC-policy
|
||||
-a always,exit -F dir=/usr/share/selinux/ -F perm=wa -k MAC-policy
|
||||
@ -40,7 +40,7 @@ audit () {
|
||||
d_IFS=$IFS
|
||||
IFS=$'\n'
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
SELINUX_PKG=$SELINUX_PKG_REDHAT
|
||||
SELINUX_PKG=$SELINUX_PKG_CENTOS
|
||||
fi
|
||||
is_pkg_installed $SELINUX_PKG
|
||||
if [ $FNRET = 0 ]; then
|
||||
@ -72,7 +72,7 @@ apply () {
|
||||
d_IFS=$IFS
|
||||
IFS=$'\n'
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
SELINUX_PKG=$SELINUX_PKG_REDHAT
|
||||
SELINUX_PKG=$SELINUX_PKG_CENTOS
|
||||
fi
|
||||
is_pkg_installed $SELINUX_PKG
|
||||
if [ $FNRET = 0 ]; then
|
||||
|
@ -18,14 +18,14 @@ HARDENING_LEVEL=4
|
||||
AUDIT_PARAMS='-w /var/log/faillog -p wa -k logins
|
||||
-w /var/log/lastlog -p wa -k logins
|
||||
-w /var/log/tallylog -p wa -k logins'
|
||||
AUDIT_PARAMS_REDHAT='-w /var/log/lastlog -p wa -k logins
|
||||
AUDIT_PARAMS_CENTOS='-w /var/log/lastlog -p wa -k logins
|
||||
-w /var/log/tallylog -p wa -k logins'
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
|
||||
fi
|
||||
# define custom IFS and save default one
|
||||
d_IFS=$IFS
|
||||
@ -45,7 +45,7 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
|
||||
fi
|
||||
d_IFS=$IFS
|
||||
IFS=$'\n'
|
||||
|
@ -17,14 +17,14 @@ HARDENING_LEVEL=4
|
||||
AUDIT_PARAMS='-w /var/run/utmp -p wa -k session
|
||||
-w /var/log/wtmp -p wa -k session
|
||||
-w /var/log/btmp -p wa -k session'
|
||||
AUDIT_PARAMS_REDHAT='-w /var/log/wtmp -p wa -k session
|
||||
AUDIT_PARAMS_CENTOS='-w /var/log/wtmp -p wa -k session
|
||||
-w /var/log/btmp -p wa -k session'
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
|
||||
fi
|
||||
# define custom IFS and save default one
|
||||
d_IFS=$IFS
|
||||
@ -44,7 +44,7 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
|
||||
fi
|
||||
d_IFS=$IFS
|
||||
IFS=$'\n'
|
||||
|
@ -17,14 +17,14 @@ HARDENING_LEVEL=3
|
||||
PACKAGE="cron"
|
||||
SERVICE_NAME="cron"
|
||||
|
||||
PACKAGE_REDHAT="cronie"
|
||||
SERVICE_NAME_REDHAT="crond"
|
||||
PACKAGE_CENTOS="cronie"
|
||||
SERVICE_NAME_CENTOS="crond"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
PACKAGE=$PACKAGE_REDHAT
|
||||
SERVICE_NAME=$SERVICE_NAME_REDHAT
|
||||
PACKAGE=$PACKAGE_CENTOS
|
||||
SERVICE_NAME=$SERVICE_NAME_CENTOS
|
||||
fi
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET != 0 ]; then
|
||||
@ -43,8 +43,8 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
PACKAGE=$PACKAGE_REDHAT
|
||||
SERVICE_NAME=$SERVICE_NAME_REDHAT
|
||||
PACKAGE=$PACKAGE_CENTOS
|
||||
SERVICE_NAME=$SERVICE_NAME_CENTOS
|
||||
fi
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
|
@ -20,7 +20,7 @@ PATTERN='^password.*pam_cracklib.so'
|
||||
FILE='/etc/pam.d/common-password'
|
||||
|
||||
# Redhat/CentOS default use pam_pwquality
|
||||
FILE_REDHAT='/etc/security/pwquality.conf'
|
||||
FILE_CENTOS='/etc/security/pwquality.conf'
|
||||
|
||||
OPTIONNAME='maxclassrepeat'
|
||||
|
||||
@ -52,15 +52,15 @@ audit_debian () {
|
||||
}
|
||||
|
||||
audit_centos () {
|
||||
check_param_pair_by_value $FILE_REDHAT $OPTIONNAME le $CONDT_VAL
|
||||
check_param_pair_by_value $FILE_CENTOS $OPTIONNAME le $CONDT_VAL
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT"
|
||||
ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_REDHAT"
|
||||
crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_CENTOS"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
crit "Option $OPTIONNAME is not conf in $FILE_REDHAT"
|
||||
crit "Option $OPTIONNAME is not conf in $FILE_CENTOS"
|
||||
elif [ $FNRET = 3 ]; then
|
||||
crit "Config file $FILE_REDHAT is not exist!"
|
||||
crit "Config file $FILE_CENTOS is not exist!"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -98,15 +98,15 @@ apply_debian () {
|
||||
|
||||
apply_centos () {
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT"
|
||||
ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_REDHAT"
|
||||
replace_in_file $FILE_REDHAT "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL"
|
||||
warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS"
|
||||
replace_in_file $FILE_CENTOS "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
warn "$OPTIONNAME is not conf, add to $FILE_REDHAT"
|
||||
add_end_of_file $FILE_REDHAT "$OPTIONNAME = $CONDT_VAL"
|
||||
warn "$OPTIONNAME is not conf, add to $FILE_CENTOS"
|
||||
add_end_of_file $FILE_CENTOS "$OPTIONNAME = $CONDT_VAL"
|
||||
elif [ $FNRET = 3 ]; then
|
||||
crit "Config file $FILE_REDHAT is not exist!"
|
||||
crit "Config file $FILE_CENTOS is not exist!"
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -20,10 +20,10 @@ PATTERN='^password.*pam_cracklib.so'
|
||||
FILE='/etc/pam.d/common-password'
|
||||
|
||||
# Redhat/CentOS default use pam_pwquality
|
||||
PACKAGE_REDHAT='libpwquality'
|
||||
PAMLIBNAME_REDHAT='pam_pwquality.so'
|
||||
PATTERN_REDHAT='^password.*pam_pwquality.so'
|
||||
FILE_REDHAT='/etc/pam.d/system-auth'
|
||||
PACKAGE_CENTOS='libpwquality'
|
||||
PAMLIBNAME_CENTOS='pam_pwquality.so'
|
||||
PATTERN_CENTOS='^password.*pam_pwquality.so'
|
||||
FILE_CENTOS='/etc/pam.d/system-auth'
|
||||
|
||||
OPTIONNAME='retry'
|
||||
|
||||
@ -33,10 +33,10 @@ CONDT_VAL=3
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
PACKAGE=$PACKAGE_REDHAT
|
||||
PAMLIBNAME=$PAMLIBNAME_REDHAT
|
||||
PATTERN=$PATTERN_REDHAT
|
||||
FILE=$FILE_REDHAT
|
||||
PACKAGE=$PACKAGE_CENTOS
|
||||
PAMLIBNAME=$PAMLIBNAME_CENTOS
|
||||
PATTERN=$PATTERN_CENTOS
|
||||
FILE=$FILE_CENTOS
|
||||
fi
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET != 0 ]; then
|
||||
@ -64,10 +64,10 @@ audit () {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
PACKAGE=$PACKAGE_REDHAT
|
||||
PAMLIBNAME=$PAMLIBNAME_REDHAT
|
||||
PATTERN=$PATTERN_REDHAT
|
||||
FILE=$FILE_REDHAT
|
||||
PACKAGE=$PACKAGE_CENTOS
|
||||
PAMLIBNAME=$PAMLIBNAME_CENTOS
|
||||
PATTERN=$PATTERN_CENTOS
|
||||
FILE=$FILE_CENTOS
|
||||
fi
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PACKAGE is installed"
|
||||
|
@ -20,7 +20,7 @@ PATTERN='^password.*pam_cracklib.so'
|
||||
FILE='/etc/pam.d/common-password'
|
||||
|
||||
# Redhat/CentOS default use pam_pwquality
|
||||
FILE_REDHAT='/etc/security/pwquality.conf'
|
||||
FILE_CENTOS='/etc/security/pwquality.conf'
|
||||
|
||||
OPTIONNAME='minlen'
|
||||
|
||||
@ -52,15 +52,15 @@ audit_debian () {
|
||||
}
|
||||
|
||||
audit_centos () {
|
||||
check_param_pair_by_value $FILE_REDHAT $OPTIONNAME ge $CONDT_VAL
|
||||
check_param_pair_by_value $FILE_CENTOS $OPTIONNAME ge $CONDT_VAL
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "Option $OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_REDHAT"
|
||||
ok "Option $OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_CENTOS"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
crit "Option $OPTIONNAME set condition is less than $CONDT_VAL in $FILE_REDHAT"
|
||||
crit "Option $OPTIONNAME set condition is less than $CONDT_VAL in $FILE_CENTOS"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
crit "Option $OPTIONNAME is not conf in $FILE_REDHAT"
|
||||
crit "Option $OPTIONNAME is not conf in $FILE_CENTOS"
|
||||
elif [ $FNRET = 3 ]; then
|
||||
crit "Config file $FILE_REDHAT is not exist!"
|
||||
crit "Config file $FILE_CENTOS is not exist!"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -98,15 +98,15 @@ apply_debian () {
|
||||
|
||||
apply_centos () {
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_REDHAT"
|
||||
ok "$OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_CENTOS"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
warn "Set option $OPTIONNAME to $CONDT_VAL in $FILE_REDHAT"
|
||||
replace_in_file $FILE_REDHAT "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL"
|
||||
warn "Set option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS"
|
||||
replace_in_file $FILE_CENTOS "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
warn "$OPTIONNAME is not conf, add to $FILE_REDHAT"
|
||||
add_end_of_file $FILE_REDHAT "$OPTIONNAME = $CONDT_VAL"
|
||||
warn "$OPTIONNAME is not conf, add to $FILE_CENTOS"
|
||||
add_end_of_file $FILE_CENTOS "$OPTIONNAME = $CONDT_VAL"
|
||||
elif [ $FNRET = 3 ]; then
|
||||
crit "Config file $FILE_REDHAT is not exist!"
|
||||
crit "Config file $FILE_CENTOS is not exist!"
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -20,7 +20,7 @@ PATTERN='^password.*pam_cracklib.so'
|
||||
FILE='/etc/pam.d/common-password'
|
||||
|
||||
# Redhat/CentOS default use pam_pwquality
|
||||
FILE_REDHAT='/etc/security/pwquality.conf'
|
||||
FILE_CENTOS='/etc/security/pwquality.conf'
|
||||
|
||||
OPTIONNAME='dcredit'
|
||||
|
||||
@ -52,15 +52,15 @@ audit_debian () {
|
||||
}
|
||||
|
||||
audit_centos () {
|
||||
check_param_pair_by_value $FILE_REDHAT $OPTIONNAME le $CONDT_VAL
|
||||
check_param_pair_by_value $FILE_CENTOS $OPTIONNAME le $CONDT_VAL
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT"
|
||||
ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
crit "Option $OPTIONNAME set condition is not set greater than $CONDT_VAL in $FILE_REDHAT"
|
||||
crit "Option $OPTIONNAME set condition is not set greater than $CONDT_VAL in $FILE_CENTOS"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
crit "Option $OPTIONNAME is not conf in $FILE_REDHAT"
|
||||
crit "Option $OPTIONNAME is not conf in $FILE_CENTOS"
|
||||
elif [ $FNRET = 3 ]; then
|
||||
crit "Config file $FILE_REDHAT is not exist!"
|
||||
crit "Config file $FILE_CENTOS is not exist!"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -98,15 +98,15 @@ apply_debian () {
|
||||
|
||||
apply_centos () {
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT"
|
||||
ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
warn "Set option $OPTIONNAME to $CONDT_VAL in $FILE_REDHAT"
|
||||
replace_in_file $FILE_REDHAT "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL"
|
||||
warn "Set option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS"
|
||||
replace_in_file $FILE_CENTOS "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
warn "$OPTIONNAME is not conf, add to $FILE_REDHAT"
|
||||
add_end_of_file $FILE_REDHAT "$OPTIONNAME = $CONDT_VAL"
|
||||
warn "$OPTIONNAME is not conf, add to $FILE_CENTOS"
|
||||
add_end_of_file $FILE_CENTOS "$OPTIONNAME = $CONDT_VAL"
|
||||
elif [ $FNRET = 3 ]; then
|
||||
crit "Config file $FILE_REDHAT is not exist!"
|
||||
crit "Config file $FILE_CENTOS is not exist!"
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -20,7 +20,7 @@ PATTERN='^password.*pam_cracklib.so'
|
||||
FILE='/etc/pam.d/common-password'
|
||||
|
||||
# Redhat/CentOS default use pam_pwquality
|
||||
FILE_REDHAT='/etc/security/pwquality.conf'
|
||||
FILE_CENTOS='/etc/security/pwquality.conf'
|
||||
|
||||
OPTIONNAME='ucredit'
|
||||
|
||||
@ -52,15 +52,15 @@ audit_debian () {
|
||||
}
|
||||
|
||||
audit_centos () {
|
||||
check_param_pair_by_value $FILE_REDHAT $OPTIONNAME le $CONDT_VAL
|
||||
check_param_pair_by_value $FILE_CENTOS $OPTIONNAME le $CONDT_VAL
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT"
|
||||
ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_REDHAT"
|
||||
crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_CENTOS"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
crit "Option $OPTIONNAME is not conf in $FILE_REDHAT"
|
||||
crit "Option $OPTIONNAME is not conf in $FILE_CENTOS"
|
||||
elif [ $FNRET = 3 ]; then
|
||||
crit "Config file $FILE_REDHAT is not exist!"
|
||||
crit "Config file $FILE_CENTOS is not exist!"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -99,15 +99,15 @@ apply_debian () {
|
||||
|
||||
apply_centos () {
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT"
|
||||
ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
warn "Set option $OPTIONNAME to $CONDT_VAL in $FILE_REDHAT"
|
||||
replace_in_file $FILE_REDHAT "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL"
|
||||
warn "Set option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS"
|
||||
replace_in_file $FILE_CENTOS "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
warn "$OPTIONNAME is not conf, add to $FILE_REDHAT"
|
||||
add_end_of_file $FILE_REDHAT "$OPTIONNAME = $CONDT_VAL"
|
||||
warn "$OPTIONNAME is not conf, add to $FILE_CENTOS"
|
||||
add_end_of_file $FILE_CENTOS "$OPTIONNAME = $CONDT_VAL"
|
||||
elif [ $FNRET = 3 ]; then
|
||||
crit "Config file $FILE_REDHAT is not exist!"
|
||||
crit "Config file $FILE_CENTOS is not exist!"
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -20,7 +20,7 @@ PATTERN='^password.*pam_cracklib.so'
|
||||
FILE='/etc/pam.d/common-password'
|
||||
|
||||
# Redhat/CentOS default use pam_pwquality
|
||||
FILE_REDHAT='/etc/security/pwquality.conf'
|
||||
FILE_CENTOS='/etc/security/pwquality.conf'
|
||||
|
||||
OPTIONNAME='ocredit'
|
||||
|
||||
@ -52,15 +52,15 @@ audit_debian () {
|
||||
}
|
||||
|
||||
audit_centos () {
|
||||
check_param_pair_by_value $FILE_REDHAT $OPTIONNAME le $CONDT_VAL
|
||||
check_param_pair_by_value $FILE_CENTOS $OPTIONNAME le $CONDT_VAL
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT"
|
||||
ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_REDHAT"
|
||||
crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_CENTOS"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
crit "Option $OPTIONNAME is not conf in $FILE_REDHAT"
|
||||
crit "Option $OPTIONNAME is not conf in $FILE_CENTOS"
|
||||
elif [ $FNRET = 3 ]; then
|
||||
crit "Config file $FILE_REDHAT is not exist!"
|
||||
crit "Config file $FILE_CENTOS is not exist!"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -98,15 +98,15 @@ apply_debian () {
|
||||
|
||||
apply_centos () {
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT"
|
||||
ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_REDHAT"
|
||||
replace_in_file $FILE_REDHAT "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL"
|
||||
warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS"
|
||||
replace_in_file $FILE_CENTOS "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
warn "$OPTIONNAME is not conf, add to $FILE_REDHAT"
|
||||
add_end_of_file $FILE_REDHAT "$OPTIONNAME = $CONDT_VAL"
|
||||
warn "$OPTIONNAME is not conf, add to $FILE_CENTOS"
|
||||
add_end_of_file $FILE_CENTOS "$OPTIONNAME = $CONDT_VAL"
|
||||
elif [ $FNRET = 3 ]; then
|
||||
crit "Config file $FILE_REDHAT is not exist!"
|
||||
crit "Config file $FILE_CENTOS is not exist!"
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -20,7 +20,7 @@ PATTERN='^password.*pam_cracklib.so'
|
||||
FILE='/etc/pam.d/common-password'
|
||||
|
||||
# Redhat/CentOS default use pam_pwquality
|
||||
FILE_REDHAT='/etc/security/pwquality.conf'
|
||||
FILE_CENTOS='/etc/security/pwquality.conf'
|
||||
|
||||
OPTIONNAME='lcredit'
|
||||
|
||||
@ -52,15 +52,15 @@ audit_debian () {
|
||||
}
|
||||
|
||||
audit_centos () {
|
||||
check_param_pair_by_value $FILE_REDHAT $OPTIONNAME le $CONDT_VAL
|
||||
check_param_pair_by_value $FILE_CENTOS $OPTIONNAME le $CONDT_VAL
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT"
|
||||
ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_REDHAT"
|
||||
crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_CENTOS"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
crit "Option $OPTIONNAME is not conf in $FILE_REDHAT"
|
||||
crit "Option $OPTIONNAME is not conf in $FILE_CENTOS"
|
||||
elif [ $FNRET = 3 ]; then
|
||||
crit "Config file $FILE_REDHAT is not exist!"
|
||||
crit "Config file $FILE_CENTOS is not exist!"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -98,15 +98,15 @@ apply_debian () {
|
||||
|
||||
apply_centos () {
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT"
|
||||
ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_REDHAT"
|
||||
replace_in_file $FILE_REDHAT "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL"
|
||||
warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS"
|
||||
replace_in_file $FILE_CENTOS "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
warn "$OPTIONNAME is not conf, add to $FILE_REDHAT"
|
||||
add_end_of_file $FILE_REDHAT "$OPTIONNAME = $CONDT_VAL"
|
||||
warn "$OPTIONNAME is not conf, add to $FILE_CENTOS"
|
||||
add_end_of_file $FILE_CENTOS "$OPTIONNAME = $CONDT_VAL"
|
||||
elif [ $FNRET = 3 ]; then
|
||||
crit "Config file $FILE_REDHAT is not exist!"
|
||||
crit "Config file $FILE_CENTOS is not exist!"
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -20,7 +20,7 @@ PATTERN='^password.*pam_cracklib.so'
|
||||
FILE='/etc/pam.d/common-password'
|
||||
|
||||
# Redhat/CentOS default use pam_pwquality
|
||||
FILE_REDHAT='/etc/security/pwquality.conf'
|
||||
FILE_CENTOS='/etc/security/pwquality.conf'
|
||||
|
||||
OPTIONNAME='difok'
|
||||
|
||||
@ -52,15 +52,15 @@ audit_debian () {
|
||||
}
|
||||
|
||||
audit_centos () {
|
||||
check_param_pair_by_value $FILE_REDHAT $OPTIONNAME ge $CONDT_VAL
|
||||
check_param_pair_by_value $FILE_CENTOS $OPTIONNAME ge $CONDT_VAL
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "Option $OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_REDHAT"
|
||||
ok "Option $OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_CENTOS"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
crit "Option $OPTIONNAME set condition is less than $CONDT_VAL in $FILE_REDHAT"
|
||||
crit "Option $OPTIONNAME set condition is less than $CONDT_VAL in $FILE_CENTOS"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
crit "Option $OPTIONNAME is not conf in $FILE_REDHAT"
|
||||
crit "Option $OPTIONNAME is not conf in $FILE_CENTOS"
|
||||
elif [ $FNRET = 3 ]; then
|
||||
crit "Config file $FILE_REDHAT is not exist!"
|
||||
crit "Config file $FILE_CENTOS is not exist!"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -98,15 +98,15 @@ apply_debian () {
|
||||
|
||||
apply_centos () {
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_REDHAT"
|
||||
ok "$OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_CENTOS"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_REDHAT"
|
||||
replace_in_file $FILE_REDHAT "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL"
|
||||
warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS"
|
||||
replace_in_file $FILE_CENTOS "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
warn "$OPTIONNAME is not conf, add to $FILE_REDHAT"
|
||||
add_end_of_file $FILE_REDHAT "$OPTIONNAME = $CONDT_VAL"
|
||||
warn "$OPTIONNAME is not conf, add to $FILE_CENTOS"
|
||||
add_end_of_file $FILE_CENTOS "$OPTIONNAME = $CONDT_VAL"
|
||||
elif [ $FNRET = 3 ]; then
|
||||
crit "Config file $FILE_REDHAT is not exist!"
|
||||
crit "Config file $FILE_CENTOS is not exist!"
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -20,7 +20,7 @@ PATTERN='^password.*pam_cracklib.so'
|
||||
FILE='/etc/pam.d/common-password'
|
||||
|
||||
# Redhat/CentOS default use pam_pwquality
|
||||
FILE_REDHAT='/etc/security/pwquality.conf'
|
||||
FILE_CENTOS='/etc/security/pwquality.conf'
|
||||
|
||||
OPTIONNAME='minclass'
|
||||
|
||||
@ -52,15 +52,15 @@ audit_debian () {
|
||||
}
|
||||
|
||||
audit_centos () {
|
||||
check_param_pair_by_value $FILE_REDHAT $OPTIONNAME ge $CONDT_VAL
|
||||
check_param_pair_by_value $FILE_CENTOS $OPTIONNAME ge $CONDT_VAL
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "Option $OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_REDHAT"
|
||||
ok "Option $OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_CENTOS"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
crit "Option $OPTIONNAME set condition is less than $CONDT_VAL in $FILE_REDHAT"
|
||||
crit "Option $OPTIONNAME set condition is less than $CONDT_VAL in $FILE_CENTOS"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
crit "Option $OPTIONNAME is not conf in $FILE_REDHAT"
|
||||
crit "Option $OPTIONNAME is not conf in $FILE_CENTOS"
|
||||
elif [ $FNRET = 3 ]; then
|
||||
crit "Config file $FILE_REDHAT is not exist!"
|
||||
crit "Config file $FILE_CENTOS is not exist!"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -98,15 +98,15 @@ apply_debian () {
|
||||
|
||||
apply_centos () {
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_REDHAT"
|
||||
ok "$OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_CENTOS"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_REDHAT"
|
||||
replace_in_file $FILE_REDHAT "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL"
|
||||
warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS"
|
||||
replace_in_file $FILE_CENTOS "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
warn "$OPTIONNAME is not conf, add to $FILE_REDHAT"
|
||||
add_end_of_file $FILE_REDHAT "$OPTIONNAME = $CONDT_VAL"
|
||||
warn "$OPTIONNAME is not conf, add to $FILE_CENTOS"
|
||||
add_end_of_file $FILE_CENTOS "$OPTIONNAME = $CONDT_VAL"
|
||||
elif [ $FNRET = 3 ]; then
|
||||
crit "Config file $FILE_REDHAT is not exist!"
|
||||
crit "Config file $FILE_CENTOS is not exist!"
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -20,7 +20,7 @@ PATTERN='^password.*pam_cracklib.so'
|
||||
FILE='/etc/pam.d/common-password'
|
||||
|
||||
# Redhat/CentOS default use pam_pwquality
|
||||
FILE_REDHAT='/etc/security/pwquality.conf'
|
||||
FILE_CENTOS='/etc/security/pwquality.conf'
|
||||
|
||||
OPTIONNAME='maxrepeat'
|
||||
|
||||
@ -52,15 +52,15 @@ audit_debian () {
|
||||
}
|
||||
|
||||
audit_centos () {
|
||||
check_param_pair_by_value $FILE_REDHAT $OPTIONNAME le $CONDT_VAL
|
||||
check_param_pair_by_value $FILE_CENTOS $OPTIONNAME le $CONDT_VAL
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT"
|
||||
ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_REDHAT"
|
||||
crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_CENTOS"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
crit "Option $OPTIONNAME is not conf in $FILE_REDHAT"
|
||||
crit "Option $OPTIONNAME is not conf in $FILE_CENTOS"
|
||||
elif [ $FNRET = 3 ]; then
|
||||
crit "Config file $FILE_REDHAT is not exist!"
|
||||
crit "Config file $FILE_CENTOS is not exist!"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -98,15 +98,15 @@ apply_debian () {
|
||||
|
||||
apply_centos () {
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT"
|
||||
ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS"
|
||||
elif [ $FNRET = 1 ]; then
|
||||
warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_REDHAT"
|
||||
replace_in_file $FILE_REDHAT "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL"
|
||||
warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS"
|
||||
replace_in_file $FILE_CENTOS "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL"
|
||||
elif [ $FNRET = 2 ]; then
|
||||
warn "$OPTIONNAME is not conf, add to $FILE_REDHAT"
|
||||
add_end_of_file $FILE_REDHAT "$OPTIONNAME = $CONDT_VAL"
|
||||
warn "$OPTIONNAME is not conf, add to $FILE_CENTOS"
|
||||
add_end_of_file $FILE_CENTOS "$OPTIONNAME = $CONDT_VAL"
|
||||
elif [ $FNRET = 3 ]; then
|
||||
crit "Config file $FILE_REDHAT is not exist!"
|
||||
crit "Config file $FILE_CENTOS is not exist!"
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -14,14 +14,14 @@ set -u # One variable unset, it's over
|
||||
HARDENING_LEVEL=3
|
||||
|
||||
PACKAGE='login'
|
||||
PACKAGE_REDHAT='util-linux'
|
||||
PACKAGE_CENTOS='util-linux'
|
||||
PATTERN='^auth[[:space:]]*required[[:space:]]*pam_wheel.so'
|
||||
FILE='/etc/pam.d/su'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
PACKAGE=$PACKAGE_REDHAT
|
||||
PACKAGE=$PACKAGE_CENTOS
|
||||
else
|
||||
:
|
||||
fi
|
||||
|