Modify variable name: *REDHAT to *CENTOS.

Samson-W 2020-03-06 16:02:11 +08:00
parent 3b61a0e406
commit 0989b9f4e3
50 changed files with 262 additions and 262 deletions


@ -18,7 +18,7 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=3 HARDENING_LEVEL=3
OPTIONS='INACTIVE=30' OPTIONS='INACTIVE=30'
OPTIONS_REDHAT='INACTIVE=0' OPTIONS_CENTOS='INACTIVE=0'
SHA_FILE='/etc/shadow' SHA_FILE='/etc/shadow'
DISABLE_V='-1' DISABLE_V='-1'
FILE='/etc/default/useradd' FILE='/etc/default/useradd'
@ -158,7 +158,7 @@ check_config() {
if [ $OS_RELEASE -eq 1 ]; then if [ $OS_RELEASE -eq 1 ]; then
: :
elif [ $OS_RELEASE -eq 2 ]; then elif [ $OS_RELEASE -eq 2 ]; then
OPTIONS=$OPTIONS_REDHAT OPTIONS=$OPTIONS_CENTOS
else else
warn "Current OS is not support!" warn "Current OS is not support!"
fi fi


@ -16,16 +16,16 @@ HARDENING_LEVEL=1
FILE='/etc/gshadow-' FILE='/etc/gshadow-'
PERMISSIONS='600' PERMISSIONS='600'
PERMISSIONS_REDHAT='0' PERMISSIONS_CENTOS='0'
USER='root' USER='root'
GROUP='shadow' GROUP='shadow'
GROUP_REDHAT='root' GROUP_CENTOS='root'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
PERMISSIONS=$PERMISSIONS_REDHAT PERMISSIONS=$PERMISSIONS_CENTOS
GROUP=$GROUP_REDHAT GROUP=$GROUP_CENTOS
else else
: :
fi fi
@ -46,8 +46,8 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
PERMISSIONS=$PERMISSIONS_REDHAT PERMISSIONS=$PERMISSIONS_CENTOS
GROUP=$GROUP_REDHAT GROUP=$GROUP_CENTOS
else else
: :
fi fi


@ -16,16 +16,16 @@ HARDENING_LEVEL=1
FILE='/etc/shadow' FILE='/etc/shadow'
PERMISSIONS='640' PERMISSIONS='640'
PERMISSIONS_REDHAT='0' PERMISSIONS_CENTOS='0'
USER='root' USER='root'
GROUP='shadow' GROUP='shadow'
GROUP_REDHAT='root' GROUP_CENTOS='root'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
PERMISSIONS=$PERMISSIONS_REDHAT PERMISSIONS=$PERMISSIONS_CENTOS
GROUP=$GROUP_REDHAT GROUP=$GROUP_CENTOS
else else
: :
fi fi
@ -46,8 +46,8 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
PERMISSIONS=$PERMISSIONS_REDHAT PERMISSIONS=$PERMISSIONS_CENTOS
GROUP=$GROUP_REDHAT GROUP=$GROUP_CENTOS
else else
: :
fi fi


@ -16,16 +16,16 @@ HARDENING_LEVEL=1
FILE='/etc/gshadow' FILE='/etc/gshadow'
PERMISSIONS='640' PERMISSIONS='640'
PERMISSIONS_REDHAT='0' PERMISSIONS_CENTOS='0'
USER='root' USER='root'
GROUP='shadow' GROUP='shadow'
GROUP_REDHAT='root' GROUP_CENTOS='root'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
PERMISSIONS=$PERMISSIONS_REDHAT PERMISSIONS=$PERMISSIONS_CENTOS
GROUP=$GROUP_REDHAT GROUP=$GROUP_CENTOS
else else
: :
fi fi
@ -46,8 +46,8 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
PERMISSIONS=$PERMISSIONS_REDHAT PERMISSIONS=$PERMISSIONS_CENTOS
GROUP=$GROUP_REDHAT GROUP=$GROUP_CENTOS
else else
: :
fi fi


@ -16,16 +16,16 @@ HARDENING_LEVEL=1
FILE='/etc/shadow-' FILE='/etc/shadow-'
PERMISSIONS='600' PERMISSIONS='600'
PERMISSIONS_REDHAT='0' PERMISSIONS_CENTOS='0'
USER='root' USER='root'
GROUP='shadow' GROUP='shadow'
GROUP_REDHAT='root' GROUP_CENTOS='root'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
PERMISSIONS=$PERMISSIONS_REDHAT PERMISSIONS=$PERMISSIONS_CENTOS
GROUP=$GROUP_REDHAT GROUP=$GROUP_CENTOS
else else
: :
fi fi
@ -46,8 +46,8 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
PERMISSIONS=$PERMISSIONS_REDHAT PERMISSIONS=$PERMISSIONS_CENTOS
GROUP=$GROUP_REDHAT GROUP=$GROUP_CENTOS
else else
: :
fi fi


@ -18,7 +18,7 @@ HARDENING_LEVEL=2
PARTITION="/tmp" PARTITION="/tmp"
SERVICENAME="tmp.mount" SERVICENAME="tmp.mount"
SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount" SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount"
REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount" CENTOS_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount" DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
@ -75,12 +75,12 @@ apply () {
fi fi
fi fi
elif [ $OS_RELEASE -eq 2 ]; then elif [ $OS_RELEASE -eq 2 ]; then
if [ -e $REDHAT_SERVICEPATH ]; then if [ -e $CENTOS_SERVICEPATH ]; then
$SUDO_CMD systemctl enable "$SERVICENAME" $SUDO_CMD systemctl enable "$SERVICENAME"
$SUDO_CMD systemctl daemon-reload $SUDO_CMD systemctl daemon-reload
$SUDO_CMD systemctl start "$SERVICENAME" $SUDO_CMD systemctl start "$SERVICENAME"
else else
crit "System unit file $REDHAT_SERVICEPATH is not exist!" crit "System unit file $CENTOS_SERVICEPATH is not exist!"
fi fi
fi fi
fi fi
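Review bot: The renamed `CENTOS_SERVICEPATH` puts the distro tag in front, while the other scripts in this commit put it at the end (`PACKAGES_CENTOS`, `SERVICE_NAME_CENTOS`), and this file already defines both `SERVICEPATH_DEBIAN` and `DEBIAN_SERVICEPATH` with different paths. Naming it `SERVICEPATH_CENTOS`, and removing one of the Debian variables if it turns out to be unused, would make it harder to pick the wrong unit path when editing these /tmp checks. The existence test in apply() would also be safer quoted, `if [ -e "$CENTOS_SERVICEPATH" ]; then`. The same naming point applies to the nodev, nosuid and noexec /tmp scripts further down; apply() starts and ends outside the hunk.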


@ -19,7 +19,7 @@ PARTITION="/tmp"
OPTION="nodev" OPTION="nodev"
SERVICENAME="tmp.mount" SERVICENAME="tmp.mount"
SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount" SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount"
REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount" CENTOS_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount" DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
@ -50,7 +50,7 @@ audit () {
if [ $OS_RELEASE -eq 1 ]; then if [ $OS_RELEASE -eq 1 ]; then
UNITSERVICEPATH=$DEBIAN_SERVICEPATH UNITSERVICEPATH=$DEBIAN_SERVICEPATH
elif [ $OS_RELEASE -eq 2 ]; then elif [ $OS_RELEASE -eq 2 ]; then
UNITSERVICEPATH=$REDHAT_SERVICEPATH UNITSERVICEPATH=$CENTOS_SERVICEPATH
fi fi
if [ -e $UNITSERVICEPATH ]; then if [ -e $UNITSERVICEPATH ]; then
has_mount_option_systemd $UNITSERVICEPATH $OPTION has_mount_option_systemd $UNITSERVICEPATH $OPTION
@ -80,7 +80,7 @@ apply () {
if [ $OS_RELEASE -eq 1 ]; then if [ $OS_RELEASE -eq 1 ]; then
UNITSERVICEPATH=$DEBIAN_SERVICEPATH UNITSERVICEPATH=$DEBIAN_SERVICEPATH
elif [ $OS_RELEASE -eq 2 ]; then elif [ $OS_RELEASE -eq 2 ]; then
UNITSERVICEPATH=$REDHAT_SERVICEPATH UNITSERVICEPATH=$CENTOS_SERVICEPATH
fi fi
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"


@ -19,7 +19,7 @@ PARTITION="/tmp"
OPTION="nosuid" OPTION="nosuid"
SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount" SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount"
SERVICENAME="tmp.mount" SERVICENAME="tmp.mount"
REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount" CENTOS_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount" DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
@ -50,7 +50,7 @@ audit () {
if [ $OS_RELEASE -eq 1 ]; then if [ $OS_RELEASE -eq 1 ]; then
UNITSERVICEPATH=$DEBIAN_SERVICEPATH UNITSERVICEPATH=$DEBIAN_SERVICEPATH
elif [ $OS_RELEASE -eq 2 ]; then elif [ $OS_RELEASE -eq 2 ]; then
UNITSERVICEPATH=$REDHAT_SERVICEPATH UNITSERVICEPATH=$CENTOS_SERVICEPATH
fi fi
if [ -e $UNITSERVICEPATH ]; then if [ -e $UNITSERVICEPATH ]; then
has_mount_option_systemd $UNITSERVICEPATH $OPTION has_mount_option_systemd $UNITSERVICEPATH $OPTION
@ -80,7 +80,7 @@ apply () {
if [ $OS_RELEASE -eq 1 ]; then if [ $OS_RELEASE -eq 1 ]; then
UNITSERVICEPATH=$DEBIAN_SERVICEPATH UNITSERVICEPATH=$DEBIAN_SERVICEPATH
elif [ $OS_RELEASE -eq 2 ]; then elif [ $OS_RELEASE -eq 2 ]; then
UNITSERVICEPATH=$REDHAT_SERVICEPATH UNITSERVICEPATH=$CENTOS_SERVICEPATH
fi fi
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"


@ -19,7 +19,7 @@ PARTITION="/tmp"
OPTION="noexec" OPTION="noexec"
SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount" SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount"
SERVICENAME="tmp.mount" SERVICENAME="tmp.mount"
REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount" CENTOS_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount" DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
@ -50,7 +50,7 @@ audit () {
if [ $OS_RELEASE -eq 1 ]; then if [ $OS_RELEASE -eq 1 ]; then
UNITSERVICEPATH=$DEBIAN_SERVICEPATH UNITSERVICEPATH=$DEBIAN_SERVICEPATH
elif [ $OS_RELEASE -eq 2 ]; then elif [ $OS_RELEASE -eq 2 ]; then
UNITSERVICEPATH=$REDHAT_SERVICEPATH UNITSERVICEPATH=$CENTOS_SERVICEPATH
fi fi
if [ -e $UNITSERVICEPATH ]; then if [ -e $UNITSERVICEPATH ]; then
has_mount_option_systemd $UNITSERVICEPATH $OPTION has_mount_option_systemd $UNITSERVICEPATH $OPTION
@ -80,7 +80,7 @@ apply () {
if [ $OS_RELEASE -eq 1 ]; then if [ $OS_RELEASE -eq 1 ]; then
UNITSERVICEPATH=$DEBIAN_SERVICEPATH UNITSERVICEPATH=$DEBIAN_SERVICEPATH
elif [ $OS_RELEASE -eq 2 ]; then elif [ $OS_RELEASE -eq 2 ]; then
UNITSERVICEPATH=$REDHAT_SERVICEPATH UNITSERVICEPATH=$CENTOS_SERVICEPATH
fi fi
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"


@ -15,12 +15,12 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=3 HARDENING_LEVEL=3
PACKAGE='nis' PACKAGE='nis'
PACKAGE_REDHAT='ypserv' PACKAGE_CENTOS='ypserv'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
PACKAGE=$PACKAGE_REDHAT PACKAGE=$PACKAGE_CENTOS
fi fi
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -34,7 +34,7 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
PACKAGE=$PACKAGE_REDHAT PACKAGE=$PACKAGE_CENTOS
fi fi
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
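Review bot: On CentOS this check only looks for `ypserv`, the NIS server, so a host with the NIS client package `ypbind` installed would still pass. The Debian side checks `nis`, which (as far as I know) bundles client and server, so the two branches do not appear to cover the same thing. Because audit() and apply() pass `$PACKAGE` straight to `is_pkg_installed` without a loop, adding the client means switching to a list such as `PACKAGES_CENTOS='ypserv ypbind'` and iterating with `for PACKAGE in $PACKAGES_CENTOS; do`, as the talk and xinetd scripts do. Both functions continue outside the hunks.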


@ -16,7 +16,7 @@ HARDENING_LEVEL=2
# Based on aptitude search '~Prsh-server' # Based on aptitude search '~Prsh-server'
PACKAGES='rsh-server rsh-redone-server heimdal-servers' PACKAGES='rsh-server rsh-redone-server heimdal-servers'
PACKAGE_REDHAT='rsh-server' PACKAGE_CENTOS='rsh-server'
FILE='/etc/inetd.conf' FILE='/etc/inetd.conf'
PATTERN='^(shell|login|exec)' PATTERN='^(shell|login|exec)'
@ -43,11 +43,11 @@ audit_debian () {
} }
audit_centos () { audit_centos () {
is_pkg_installed $PACKAGE_REDHAT is_pkg_installed $PACKAGE_CENTOS
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE_REDHAT is installed!" crit "$PACKAGE_CENTOS is installed!"
else else
ok "$PACKAGE_REDHAT is absent" ok "$PACKAGE_CENTOS is absent"
fi fi
} }
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
@ -91,12 +91,12 @@ apply_debian () {
} }
apply_centos () { apply_centos () {
is_pkg_installed $PACKAGE_REDHAT is_pkg_installed $PACKAGE_CENTOS
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE_REDHAT is installed, purging it" crit "$PACKAGE_CENTOS is installed, purging it"
yum -y remove $PACKAGE_REDHAT yum -y remove $PACKAGE_CENTOS
else else
ok "$PACKAGE_REDHAT is absent" ok "$PACKAGE_CENTOS is absent"
fi fi
} }


@ -17,7 +17,7 @@ HARDENING_LEVEL=2
PACKAGES='inetutils-talkd talkd' PACKAGES='inetutils-talkd talkd'
FILE='/etc/inetd.conf' FILE='/etc/inetd.conf'
PATTERN='^(talk|ntalk)' PATTERN='^(talk|ntalk)'
PACKAGES_REDHAT='talk-server' PACKAGES_CENTOS='talk-server'
audit_debian () { audit_debian () {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
@ -42,7 +42,7 @@ audit_debian () {
} }
audit_centos () { audit_centos () {
for PACKAGE in $PACKAGES_REDHAT; do for PACKAGE in $PACKAGES_CENTOS; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed" crit "$PACKAGE is installed"
@ -93,7 +93,7 @@ apply_debian () {
} }
apply_centos () { apply_centos () {
for PACKAGE in $PACKAGES_REDHAT; do for PACKAGE in $PACKAGES_CENTOS; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"


@ -15,12 +15,12 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2 HARDENING_LEVEL=2
PACKAGES='talk inetutils-talk' PACKAGES='talk inetutils-talk'
PACKAGES_REDHAT='talk' PACKAGES_CENTOS='talk'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT PACKAGES=$PACKAGES_CENTOS
fi fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
@ -35,7 +35,7 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT PACKAGES=$PACKAGES_CENTOS
fi fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE


@ -18,7 +18,7 @@ HARDENING_LEVEL=2
PACKAGES='telnetd inetutils-telnetd telnetd-ssl krb5-telnetd heimdal-servers' PACKAGES='telnetd inetutils-telnetd telnetd-ssl krb5-telnetd heimdal-servers'
FILE='/etc/inetd.conf' FILE='/etc/inetd.conf'
PATTERN='^telnet' PATTERN='^telnet'
PACKAGE_REDHAT='telnet-server' PACKAGE_CENTOS='telnet-server'
audit_debian () { audit_debian () {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
@ -43,11 +43,11 @@ audit_debian () {
} }
audit_centos () { audit_centos () {
is_pkg_installed $PACKAGE_REDHAT is_pkg_installed $PACKAGE_CENTOS
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE_REDHAT is installed" crit "$PACKAGE_CENTOS is installed"
else else
ok "$PACKAGE_REDHAT is absent" ok "$PACKAGE_CENTOS is absent"
fi fi
} }
@ -92,12 +92,12 @@ apply_debian () {
} }
apply_centos () { apply_centos () {
is_pkg_installed $PACKAGE_REDHAT is_pkg_installed $PACKAGE_CENTOS
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE_REDHAT is installed, purging it" crit "$PACKAGE_CENTOS is installed, purging it"
yum remove $PACKAGE_REDHAT -y yum remove $PACKAGE_CENTOS -y
else else
ok "$PACKAGE_REDHAT is absent" ok "$PACKAGE_CENTOS is absent"
fi fi
} }


@ -15,12 +15,12 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=3 HARDENING_LEVEL=3
PACKAGES='openbsd-inetd xinetd rlinetd' PACKAGES='openbsd-inetd xinetd rlinetd'
PACKAGES_REDHAT='xinetd' PACKAGES_CENTOS='xinetd'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT PACKAGES=$PACKAGES_CENTOS
fi fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
@ -35,7 +35,7 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT PACKAGES=$PACKAGES_CENTOS
fi fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE


@ -16,7 +16,7 @@ HARDENING_LEVEL=2
PACKAGES='openssh-server openssh-client' PACKAGES='openssh-server openssh-client'
SERVICE_NAME='ssh.service' SERVICE_NAME='ssh.service'
SERVICE_NAME_REDHAT='sshd.service' SERVICE_NAME_CENTOS='sshd.service'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
@ -30,7 +30,7 @@ audit () {
fi fi
done done
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
SERVICE_NAME=$SERVICE_NAME_REDHAT SERVICE_NAME=$SERVICE_NAME_CENTOS
fi fi
is_service_active $SERVICE_NAME is_service_active $SERVICE_NAME
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -57,7 +57,7 @@ apply () {
fi fi
done done
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
SERVICE_NAME=$SERVICE_NAME_REDHAT SERVICE_NAME=$SERVICE_NAME_CENTOS
fi fi
is_service_active $SERVICE_NAME is_service_active $SERVICE_NAME
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then


@ -17,12 +17,12 @@ HARDENING_EXCEPTION=http
# Based on aptitude search '~Phttpd' # Based on aptitude search '~Phttpd'
PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd' PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd'
PACKAGES_REDHAT='httpd pcp-pmda-nginx' PACKAGES_CENTOS='httpd pcp-pmda-nginx'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT PACKAGES=$PACKAGES_CENTOS
fi fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
@ -41,7 +41,7 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT PACKAGES=$PACKAGES_CENTOS
fi fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
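Review bot: The CentOS list `PACKAGES_CENTOS='httpd pcp-pmda-nginx'` leaves out `nginx` itself, so an installed nginx server would not be reported by this check. `pcp-pmda-nginx` is the Performance Co-Pilot metrics agent for nginx, not a web server. The Debian list names `nginx` directly, so something like `PACKAGES_CENTOS='httpd nginx'` would match it better. The loops in audit() and apply() continue outside the hunks, so how a hit is handled is not visible here.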


@ -16,12 +16,12 @@ HARDENING_LEVEL=3
HARDENING_EXCEPTION=http HARDENING_EXCEPTION=http
PACKAGES='squid3 squid' PACKAGES='squid3 squid'
PACKAGES_REDHAT='squid gssproxy haproxy' PACKAGES_CENTOS='squid gssproxy haproxy'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT PACKAGES=$PACKAGES_CENTOS
fi fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
@ -40,7 +40,7 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT PACKAGES=$PACKAGES_CENTOS
fi fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
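Review bot: `gssproxy` in `PACKAGES_CENTOS='squid gssproxy haproxy'` is not an HTTP proxy; it is the GSS-API credential broker that Kerberized NFS relies on. Treating it like squid means audit() reports it as a finding, and apply() (its body continues outside the hunk) presumably removes it, which could break Kerberos-authenticated mounts. I would drop it, `PACKAGES_CENTOS='squid haproxy'`, or add a comment explaining why it belongs in a proxy-server check.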


@ -14,7 +14,7 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4 HARDENING_LEVEL=4
VIRULSERVER='clamav-daemon' VIRULSERVER='clamav-daemon'
VIRULSERVER_REDHAT='clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd' VIRULSERVER_CENTOS='clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
@ -58,10 +58,10 @@ apply () {
fi fi
elif [ $OS_RELEASE -eq 2 ]; then elif [ $OS_RELEASE -eq 2 ]; then
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$VIRULSERVER_REDHAT is enable" ok "$VIRULSERVER_CENTOS is enable"
elif [ $FNRET = 1 ]; then elif [ $FNRET = 1 ]; then
warn "Install $VIRULSERVER_REDHAT" warn "Install $VIRULSERVER_CENTOS"
yum install -y $VIRULSERVER_REDHAT yum install -y $VIRULSERVER_CENTOS
else else
warn "Start server $VIRULSERVER" warn "Start server $VIRULSERVER"
systemctl start $VIRULSERVER systemctl start $VIRULSERVER
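Review bot: The last branch of the CentOS path in apply() still runs `systemctl start $VIRULSERVER`, and `VIRULSERVER` is the Debian name `clamav-daemon` unless it is reassigned outside the hunk. The packages listed in `VIRULSERVER_CENTOS` are unlikely to ship a unit with that name, so the start would fail and the check would keep reporting the scanner as inactive. A separate CentOS service-name variable, in the way the ssh script uses `SERVICE_NAME_CENTOS`, would keep the package list and the unit name apart. `VIRULSERVER_CENTOS` is also used as a package list in `yum install -y` and as a label in `ok "$VIRULSERVER_CENTOS is enable"`, so that message prints nine package names.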


@ -16,12 +16,12 @@ HARDENING_LEVEL=3
HARDENING_EXCEPTION=dns HARDENING_EXCEPTION=dns
PACKAGES='avahi-daemon libavahi-common-data libavahi-common3 libavahi-core7' PACKAGES='avahi-daemon libavahi-common-data libavahi-common3 libavahi-core7'
PKGS_PATTERN_REDHAT='avahi' PKGS_PATTERN_CENTOS='avahi'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PKGS_PATTERN_REDHAT PACKAGES=$PKGS_PATTERN_CENTOS
fi fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
@ -40,7 +40,7 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PKGS_PATTERN_REDHAT PACKAGES=$PKGS_PATTERN_CENTOS
fi fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE


@ -16,12 +16,12 @@ HARDENING_LEVEL=3
HARDENING_EXCEPTION=cups HARDENING_EXCEPTION=cups
PACKAGES='libcups2 libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1 cups-common cups-client cups-ppdc libcupsfilters1 cups-filters cups' PACKAGES='libcups2 libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1 cups-common cups-client cups-ppdc libcupsfilters1 cups-filters cups'
PACKAGES_REDHAT='cups' PACKAGES_CENTOS='cups'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT PACKAGES=$PACKAGES_CENTOS
fi fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
@ -40,7 +40,7 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT PACKAGES=$PACKAGES_CENTOS
fi fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE


@ -16,12 +16,12 @@ HARDENING_LEVEL=3
HARDENING_EXCEPTION=dhcp HARDENING_EXCEPTION=dhcp
PACKAGES='udhcpd isc-dhcp-server' PACKAGES='udhcpd isc-dhcp-server'
PACKAGES_REDHAT='dnsmasq' PACKAGES_CENTOS='dnsmasq'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT PACKAGES=$PACKAGES_CENTOS
fi fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
@ -40,7 +40,7 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT PACKAGES=$PACKAGES_CENTOS
fi fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
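Review bot: The CentOS list `PACKAGES_CENTOS='dnsmasq'` does not include the ISC DHCP server, which the Debian list covers with `isc-dhcp-server`, so a CentOS host running dhcpd would pass this check. The package is `dhcp` on CentOS 7 and `dhcp-server` on CentOS 8, so `PACKAGES_CENTOS='dhcp dhcp-server dnsmasq'` would cover both. Note that dnsmasq is often pulled in as a dependency of libvirt and NetworkManager setups, so a comment on why it is listed would help whoever handles the finding. audit() and apply() continue outside the hunks.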


@ -16,12 +16,12 @@ HARDENING_LEVEL=3
HARDENING_EXCEPTION=ldap HARDENING_EXCEPTION=ldap
PACKAGES='slapd' PACKAGES='slapd'
PACKAGES_REDHAT='openldap-servers' PACKAGES_CENTOS='openldap-servers'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT PACKAGES=$PACKAGES_CENTOS
fi fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
@ -40,7 +40,7 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT PACKAGES=$PACKAGES_CENTOS
fi fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE


@ -16,12 +16,12 @@ HARDENING_LEVEL=3
HARDENING_EXCEPTION=dns HARDENING_EXCEPTION=dns
PACKAGES='bind9 unbound' PACKAGES='bind9 unbound'
PACKAGES_REDHAT='bind unbound bind-utils' PACKAGES_CENTOS='bind unbound bind-utils'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT PACKAGES=$PACKAGES_CENTOS
fi fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
@ -40,7 +40,7 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT PACKAGES=$PACKAGES_CENTOS
fi fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
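Review bot: `bind-utils` in `PACKAGES_CENTOS='bind unbound bind-utils'` only provides client tools such as dig, host and nslookup, not a DNS server. Listing it makes audit() flag hosts that merely have those diagnostics installed, and apply() (continuing outside the hunk) presumably removes them. The Debian list names only server packages, so `PACKAGES_CENTOS='bind unbound'` would be the matching set.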


@ -17,12 +17,12 @@ HARDENING_EXCEPTION=ftp
# Based on aptitude search '~Pftp-server' # Based on aptitude search '~Pftp-server'
PACKAGES='ftpd ftpd-ssl heimdal-servers inetutils-ftpd krb5-ftpd muddleftpd proftpd-basic pure-ftpd pure-ftpd-ldap pure-ftpd-mysql pure-ftpd-postgresql twoftpd-run vsftpd wzdftpd' PACKAGES='ftpd ftpd-ssl heimdal-servers inetutils-ftpd krb5-ftpd muddleftpd proftpd-basic pure-ftpd pure-ftpd-ldap pure-ftpd-mysql pure-ftpd-postgresql twoftpd-run vsftpd wzdftpd'
PACKAGE_REDHAT='tftp-server vsftpd' PACKAGE_CENTOS='tftp-server vsftpd'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGE_REDHAT PACKAGES=$PACKAGE_CENTOS
fi fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
@ -41,7 +41,7 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGE_REDHAT PACKAGES=$PACKAGE_CENTOS
fi fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE


@ -15,7 +15,7 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=3 HARDENING_LEVEL=3
PACKAGE='tcpd' PACKAGE='tcpd'
PACKAGE_REDHAT='tcp_wrappers' PACKAGE_CENTOS='tcp_wrappers'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
@ -26,7 +26,7 @@ audit () {
ok "So PASS." ok "So PASS."
return 0 return 0
else else
PACKAGE=$PACKAGE_REDHAT PACKAGE=$PACKAGE_CENTOS
fi fi
fi fi
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
@ -46,7 +46,7 @@ apply () {
ok "So PASS." ok "So PASS."
return 0 return 0
else else
PACKAGE=$PACKAGE_REDHAT PACKAGE=$PACKAGE_CENTOS
fi fi
fi fi
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE


@ -19,9 +19,9 @@ HARDENING_LEVEL=2
# Do as you want, but this script does not handle this # Do as you want, but this script does not handle this
PACKAGES='iptables iptables-persistent' PACKAGES='iptables iptables-persistent'
PACKAGES_REDHAT='iptables iptables-services nftables firewalld' PACKAGES_CENTOS='iptables iptables-services nftables firewalld'
SERVICENAME='netfilter-persistent' SERVICENAME='netfilter-persistent'
SERVICENAME_REDHAT='iptables ip6tables' SERVICENAME_CENTOS='iptables ip6tables'
audit_debian () { audit_debian () {
for PACKAGE in $PACKAGES for PACKAGE in $PACKAGES
@ -48,7 +48,7 @@ audit_debian () {
} }
audit_centos () { audit_centos () {
for PACKAGE in $PACKAGES_REDHAT for PACKAGE in $PACKAGES_CENTOS
do do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
@ -61,7 +61,7 @@ audit_centos () {
fi fi
done done
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
for SERVICENAME in $SERVICENAME_REDHAT for SERVICENAME in $SERVICENAME_CENTOS
do do
if [ $(systemctl status ${SERVICENAME} | grep -c "Active:.active") -ne 1 ]; then if [ $(systemctl status ${SERVICENAME} | grep -c "Active:.active") -ne 1 ]; then
crit "${SERVICENAME} service is not actived" crit "${SERVICENAME} service is not actived"
@ -110,16 +110,16 @@ apply_debian () {
apply_centos () { apply_centos () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PACKAGES_REDHAT is installed" ok "$PACKAGES_CENTOS is installed"
elif [ $FNRET = 1 ]; then elif [ $FNRET = 1 ]; then
for PACKAGE in $PACKAGES_REDHAT for PACKAGE in $PACKAGES_CENTOS
do do
warn "$PACKAGE is absent, installing it" warn "$PACKAGE is absent, installing it"
yum_install $PACKAGE yum_install $PACKAGE
done done
elif [ $FNRET = 2 ]; then elif [ $FNRET = 2 ]; then
warn "Enable ${SERVICENAME_REDHAT} service to actived" warn "Enable ${SERVICENAME_CENTOS} service to actived"
for SERVICENAME in ${SERVICENAME_REDHAT} for SERVICENAME in ${SERVICENAME_CENTOS}
do do
is_service_enabled ${SERVICENAME} is_service_enabled ${SERVICENAME}
if [ $FNRET = 1 ]; then if [ $FNRET = 1 ]; then
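Review bot: audit_centos() and apply_centos() treat every entry of `PACKAGES_CENTOS='iptables iptables-services nftables firewalld'` as required, so apply installs `iptables-services`, `nftables` and `firewalld` side by side even though only `iptables` and `ip6tables` from `SERVICENAME_CENTOS` are ever enabled. These are alternative rule managers for the same netfilter tables, and having more than one installed makes it easy for a later `systemctl enable firewalld` to replace the audited ruleset. I would reduce the list to the front end this check actually enables, `PACKAGES_CENTOS='iptables iptables-services'`, or make the check pass when any one supported firewall is active. In the service loop, `grep -c "Active:.active"` would be more robust as `systemctl is-active --quiet "${SERVICENAME}"`. Both functions continue outside the hunks.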


@ -17,7 +17,7 @@ FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh" -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
AUDIT_PARAMS_REDHAT="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh" -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
AUDIT_PARAMS="" AUDIT_PARAMS=""
@ -75,7 +75,7 @@ check_config() {
if [ $OS_RELEASE -eq 1 ]; then if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then elif [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
fi fi
} }


@ -19,7 +19,7 @@ AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd -a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
AUDIT_PARAMS_REDHAT="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" -a always,exit -F path=/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
@ -79,7 +79,7 @@ check_config() {
if [ $OS_RELEASE -eq 1 ]; then if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then elif [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
fi fi
} }


@ -21,7 +21,7 @@ AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F a
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change" -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change"
AUDIT_PARAMS_REDHAT="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change AUDIT_PARAMS_CENTOS="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
@ -83,7 +83,7 @@ check_config() {
if [ $OS_RELEASE -eq 1 ]; then if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then elif [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
fi fi
} }


@ -17,7 +17,7 @@ FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix' -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
AUDIT_PARAMS_REDHAT='-a always,exit -F path=/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix' -a always,exit -F path=/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
AUDIT_PARAMS="" AUDIT_PARAMS=""
@ -75,7 +75,7 @@ check_config() {
if [ $OS_RELEASE -eq 1 ]; then if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then elif [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
fi fi
} }


@ -16,7 +16,7 @@ HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules' FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron' AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
AUDIT_PARAMS_REDHAT='-a always,exit -F path=/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron' AUDIT_PARAMS_CENTOS='-a always,exit -F path=/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
AUDIT_PARAMS="" AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
@ -72,7 +72,7 @@ check_config() {
if [ $OS_RELEASE -eq 1 ]; then if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then elif [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
fi fi
} }


@ -16,7 +16,7 @@ HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules' FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam' AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
AUDIT_PARAMS_REDHAT='-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam' AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
AUDIT_PARAMS="" AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
@ -72,7 +72,7 @@ check_config() {
if [ $OS_RELEASE -eq 1 ]; then if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then elif [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
fi fi
} }


@ -16,7 +16,7 @@ FILE='/etc/audit/rules.d/audit.rules'
HARDENING_LEVEL=4 HARDENING_LEVEL=4
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod' AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod'
AUDIT_PARAMS_REDHAT='-a always,exit -F path=/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod' AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod'
AUDIT_PARAMS="" AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
@ -72,7 +72,7 @@ check_config() {
if [ $OS_RELEASE -eq 1 ]; then if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then elif [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
fi fi
} }


@ -15,13 +15,13 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4 HARDENING_LEVEL=4
PACKAGE='auditd' PACKAGE='auditd'
PACKAGE_REDHAT='audit' PACKAGE_CENTOS='audit'
SERVICE_NAME='auditd' SERVICE_NAME='auditd'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
PACKAGE=$PACKAGE_REDHAT PACKAGE=$PACKAGE_CENTOS
fi fi
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
@ -40,7 +40,7 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
PACKAGE=$PACKAGE_REDHAT PACKAGE=$PACKAGE_CENTOS
fi fi
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then


@ -16,7 +16,7 @@ set -e # One error, it's over
HARDENING_LEVEL=4 HARDENING_LEVEL=4
SELINUX_PKG="selinux-basics" SELINUX_PKG="selinux-basics"
SELINUX_PKG_REDHAT="selinux-policy" SELINUX_PKG_CENTOS="selinux-policy"
SE_AUDIT_PARAMS="-a always,exit -F dir=/etc/selinux/ -F perm=wa -k MAC-policy SE_AUDIT_PARAMS="-a always,exit -F dir=/etc/selinux/ -F perm=wa -k MAC-policy
-a always,exit -F dir=/usr/share/selinux/ -F perm=wa -k MAC-policy -a always,exit -F dir=/usr/share/selinux/ -F perm=wa -k MAC-policy
@ -40,7 +40,7 @@ audit () {
d_IFS=$IFS d_IFS=$IFS
IFS=$'\n' IFS=$'\n'
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
SELINUX_PKG=$SELINUX_PKG_REDHAT SELINUX_PKG=$SELINUX_PKG_CENTOS
fi fi
is_pkg_installed $SELINUX_PKG is_pkg_installed $SELINUX_PKG
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -72,7 +72,7 @@ apply () {
d_IFS=$IFS d_IFS=$IFS
IFS=$'\n' IFS=$'\n'
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
SELINUX_PKG=$SELINUX_PKG_REDHAT SELINUX_PKG=$SELINUX_PKG_CENTOS
fi fi
is_pkg_installed $SELINUX_PKG is_pkg_installed $SELINUX_PKG
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then


@ -18,14 +18,14 @@ HARDENING_LEVEL=4
AUDIT_PARAMS='-w /var/log/faillog -p wa -k logins AUDIT_PARAMS='-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins -w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins' -w /var/log/tallylog -p wa -k logins'
AUDIT_PARAMS_REDHAT='-w /var/log/lastlog -p wa -k logins AUDIT_PARAMS_CENTOS='-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins' -w /var/log/tallylog -p wa -k logins'
FILE='/etc/audit/rules.d/audit.rules' FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
fi fi
# define custom IFS and save default one # define custom IFS and save default one
d_IFS=$IFS d_IFS=$IFS
@ -45,7 +45,7 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
fi fi
d_IFS=$IFS d_IFS=$IFS
IFS=$'\n' IFS=$'\n'


@ -17,14 +17,14 @@ HARDENING_LEVEL=4
AUDIT_PARAMS='-w /var/run/utmp -p wa -k session AUDIT_PARAMS='-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session -w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session' -w /var/log/btmp -p wa -k session'
AUDIT_PARAMS_REDHAT='-w /var/log/wtmp -p wa -k session AUDIT_PARAMS_CENTOS='-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session' -w /var/log/btmp -p wa -k session'
FILE='/etc/audit/rules.d/audit.rules' FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
fi fi
# define custom IFS and save default one # define custom IFS and save default one
d_IFS=$IFS d_IFS=$IFS
@ -44,7 +44,7 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
fi fi
d_IFS=$IFS d_IFS=$IFS
IFS=$'\n' IFS=$'\n'


@ -17,14 +17,14 @@ HARDENING_LEVEL=3
PACKAGE="cron" PACKAGE="cron"
SERVICE_NAME="cron" SERVICE_NAME="cron"
PACKAGE_REDHAT="cronie" PACKAGE_CENTOS="cronie"
SERVICE_NAME_REDHAT="crond" SERVICE_NAME_CENTOS="crond"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
PACKAGE=$PACKAGE_REDHAT PACKAGE=$PACKAGE_CENTOS
SERVICE_NAME=$SERVICE_NAME_REDHAT SERVICE_NAME=$SERVICE_NAME_CENTOS
fi fi
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
@ -43,8 +43,8 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
PACKAGE=$PACKAGE_REDHAT PACKAGE=$PACKAGE_CENTOS
SERVICE_NAME=$SERVICE_NAME_REDHAT SERVICE_NAME=$SERVICE_NAME_CENTOS
fi fi
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then


@ -20,7 +20,7 @@ PATTERN='^password.*pam_cracklib.so'
FILE='/etc/pam.d/common-password' FILE='/etc/pam.d/common-password'
# Redhat/CentOS default use pam_pwquality # Redhat/CentOS default use pam_pwquality
FILE_REDHAT='/etc/security/pwquality.conf' FILE_CENTOS='/etc/security/pwquality.conf'
OPTIONNAME='maxclassrepeat' OPTIONNAME='maxclassrepeat'
@ -52,15 +52,15 @@ audit_debian () {
} }
audit_centos () { audit_centos () {
check_param_pair_by_value $FILE_REDHAT $OPTIONNAME le $CONDT_VAL check_param_pair_by_value $FILE_CENTOS $OPTIONNAME le $CONDT_VAL
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT" ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS"
elif [ $FNRET = 1 ]; then elif [ $FNRET = 1 ]; then
crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_REDHAT" crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_CENTOS"
elif [ $FNRET = 2 ]; then elif [ $FNRET = 2 ]; then
crit "Option $OPTIONNAME is not conf in $FILE_REDHAT" crit "Option $OPTIONNAME is not conf in $FILE_CENTOS"
elif [ $FNRET = 3 ]; then elif [ $FNRET = 3 ]; then
crit "Config file $FILE_REDHAT is not exist!" crit "Config file $FILE_CENTOS is not exist!"
fi fi
} }
@ -98,15 +98,15 @@ apply_debian () {
apply_centos () { apply_centos () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT" ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS"
elif [ $FNRET = 1 ]; then elif [ $FNRET = 1 ]; then
warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_REDHAT" warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS"
replace_in_file $FILE_REDHAT "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL" replace_in_file $FILE_CENTOS "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL"
elif [ $FNRET = 2 ]; then elif [ $FNRET = 2 ]; then
warn "$OPTIONNAME is not conf, add to $FILE_REDHAT" warn "$OPTIONNAME is not conf, add to $FILE_CENTOS"
add_end_of_file $FILE_REDHAT "$OPTIONNAME = $CONDT_VAL" add_end_of_file $FILE_CENTOS "$OPTIONNAME = $CONDT_VAL"
elif [ $FNRET = 3 ]; then elif [ $FNRET = 3 ]; then
crit "Config file $FILE_REDHAT is not exist!" crit "Config file $FILE_CENTOS is not exist!"
fi fi
} }


@ -20,10 +20,10 @@ PATTERN='^password.*pam_cracklib.so'
FILE='/etc/pam.d/common-password' FILE='/etc/pam.d/common-password'
# Redhat/CentOS default use pam_pwquality # Redhat/CentOS default use pam_pwquality
PACKAGE_REDHAT='libpwquality' PACKAGE_CENTOS='libpwquality'
PAMLIBNAME_REDHAT='pam_pwquality.so' PAMLIBNAME_CENTOS='pam_pwquality.so'
PATTERN_REDHAT='^password.*pam_pwquality.so' PATTERN_CENTOS='^password.*pam_pwquality.so'
FILE_REDHAT='/etc/pam.d/system-auth' FILE_CENTOS='/etc/pam.d/system-auth'
OPTIONNAME='retry' OPTIONNAME='retry'
@ -33,10 +33,10 @@ CONDT_VAL=3
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
PACKAGE=$PACKAGE_REDHAT PACKAGE=$PACKAGE_CENTOS
PAMLIBNAME=$PAMLIBNAME_REDHAT PAMLIBNAME=$PAMLIBNAME_CENTOS
PATTERN=$PATTERN_REDHAT PATTERN=$PATTERN_CENTOS
FILE=$FILE_REDHAT FILE=$FILE_CENTOS
fi fi
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
@ -64,10 +64,10 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
PACKAGE=$PACKAGE_REDHAT PACKAGE=$PACKAGE_CENTOS
PAMLIBNAME=$PAMLIBNAME_REDHAT PAMLIBNAME=$PAMLIBNAME_CENTOS
PATTERN=$PATTERN_REDHAT PATTERN=$PATTERN_CENTOS
FILE=$FILE_REDHAT FILE=$FILE_CENTOS
fi fi
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed" ok "$PACKAGE is installed"


@ -20,7 +20,7 @@ PATTERN='^password.*pam_cracklib.so'
FILE='/etc/pam.d/common-password' FILE='/etc/pam.d/common-password'
# Redhat/CentOS default use pam_pwquality # Redhat/CentOS default use pam_pwquality
FILE_REDHAT='/etc/security/pwquality.conf' FILE_CENTOS='/etc/security/pwquality.conf'
OPTIONNAME='minlen' OPTIONNAME='minlen'
@ -52,15 +52,15 @@ audit_debian () {
} }
audit_centos () { audit_centos () {
check_param_pair_by_value $FILE_REDHAT $OPTIONNAME ge $CONDT_VAL check_param_pair_by_value $FILE_CENTOS $OPTIONNAME ge $CONDT_VAL
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "Option $OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_REDHAT" ok "Option $OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_CENTOS"
elif [ $FNRET = 1 ]; then elif [ $FNRET = 1 ]; then
crit "Option $OPTIONNAME set condition is less than $CONDT_VAL in $FILE_REDHAT" crit "Option $OPTIONNAME set condition is less than $CONDT_VAL in $FILE_CENTOS"
elif [ $FNRET = 2 ]; then elif [ $FNRET = 2 ]; then
crit "Option $OPTIONNAME is not conf in $FILE_REDHAT" crit "Option $OPTIONNAME is not conf in $FILE_CENTOS"
elif [ $FNRET = 3 ]; then elif [ $FNRET = 3 ]; then
crit "Config file $FILE_REDHAT is not exist!" crit "Config file $FILE_CENTOS is not exist!"
fi fi
} }
@ -98,15 +98,15 @@ apply_debian () {
apply_centos () { apply_centos () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_REDHAT" ok "$OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_CENTOS"
elif [ $FNRET = 1 ]; then elif [ $FNRET = 1 ]; then
warn "Set option $OPTIONNAME to $CONDT_VAL in $FILE_REDHAT" warn "Set option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS"
replace_in_file $FILE_REDHAT "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL" replace_in_file $FILE_CENTOS "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL"
elif [ $FNRET = 2 ]; then elif [ $FNRET = 2 ]; then
warn "$OPTIONNAME is not conf, add to $FILE_REDHAT" warn "$OPTIONNAME is not conf, add to $FILE_CENTOS"
add_end_of_file $FILE_REDHAT "$OPTIONNAME = $CONDT_VAL" add_end_of_file $FILE_CENTOS "$OPTIONNAME = $CONDT_VAL"
elif [ $FNRET = 3 ]; then elif [ $FNRET = 3 ]; then
crit "Config file $FILE_REDHAT is not exist!" crit "Config file $FILE_CENTOS is not exist!"
fi fi
} }


@ -20,7 +20,7 @@ PATTERN='^password.*pam_cracklib.so'
FILE='/etc/pam.d/common-password' FILE='/etc/pam.d/common-password'
# Redhat/CentOS default use pam_pwquality # Redhat/CentOS default use pam_pwquality
FILE_REDHAT='/etc/security/pwquality.conf' FILE_CENTOS='/etc/security/pwquality.conf'
OPTIONNAME='dcredit' OPTIONNAME='dcredit'
@ -52,15 +52,15 @@ audit_debian () {
} }
audit_centos () { audit_centos () {
check_param_pair_by_value $FILE_REDHAT $OPTIONNAME le $CONDT_VAL check_param_pair_by_value $FILE_CENTOS $OPTIONNAME le $CONDT_VAL
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT" ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS"
elif [ $FNRET = 1 ]; then elif [ $FNRET = 1 ]; then
crit "Option $OPTIONNAME set condition is not set greater than $CONDT_VAL in $FILE_REDHAT" crit "Option $OPTIONNAME set condition is not set greater than $CONDT_VAL in $FILE_CENTOS"
elif [ $FNRET = 2 ]; then elif [ $FNRET = 2 ]; then
crit "Option $OPTIONNAME is not conf in $FILE_REDHAT" crit "Option $OPTIONNAME is not conf in $FILE_CENTOS"
elif [ $FNRET = 3 ]; then elif [ $FNRET = 3 ]; then
crit "Config file $FILE_REDHAT is not exist!" crit "Config file $FILE_CENTOS is not exist!"
fi fi
} }
@ -98,15 +98,15 @@ apply_debian () {
apply_centos () { apply_centos () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT" ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS"
elif [ $FNRET = 1 ]; then elif [ $FNRET = 1 ]; then
warn "Set option $OPTIONNAME to $CONDT_VAL in $FILE_REDHAT" warn "Set option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS"
replace_in_file $FILE_REDHAT "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL" replace_in_file $FILE_CENTOS "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL"
elif [ $FNRET = 2 ]; then elif [ $FNRET = 2 ]; then
warn "$OPTIONNAME is not conf, add to $FILE_REDHAT" warn "$OPTIONNAME is not conf, add to $FILE_CENTOS"
add_end_of_file $FILE_REDHAT "$OPTIONNAME = $CONDT_VAL" add_end_of_file $FILE_CENTOS "$OPTIONNAME = $CONDT_VAL"
elif [ $FNRET = 3 ]; then elif [ $FNRET = 3 ]; then
crit "Config file $FILE_REDHAT is not exist!" crit "Config file $FILE_CENTOS is not exist!"
fi fi
} }


@ -20,7 +20,7 @@ PATTERN='^password.*pam_cracklib.so'
FILE='/etc/pam.d/common-password' FILE='/etc/pam.d/common-password'
# Redhat/CentOS default use pam_pwquality # Redhat/CentOS default use pam_pwquality
FILE_REDHAT='/etc/security/pwquality.conf' FILE_CENTOS='/etc/security/pwquality.conf'
OPTIONNAME='ucredit' OPTIONNAME='ucredit'
@ -52,15 +52,15 @@ audit_debian () {
} }
audit_centos () { audit_centos () {
check_param_pair_by_value $FILE_REDHAT $OPTIONNAME le $CONDT_VAL check_param_pair_by_value $FILE_CENTOS $OPTIONNAME le $CONDT_VAL
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT" ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS"
elif [ $FNRET = 1 ]; then elif [ $FNRET = 1 ]; then
crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_REDHAT" crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_CENTOS"
elif [ $FNRET = 2 ]; then elif [ $FNRET = 2 ]; then
crit "Option $OPTIONNAME is not conf in $FILE_REDHAT" crit "Option $OPTIONNAME is not conf in $FILE_CENTOS"
elif [ $FNRET = 3 ]; then elif [ $FNRET = 3 ]; then
crit "Config file $FILE_REDHAT is not exist!" crit "Config file $FILE_CENTOS is not exist!"
fi fi
} }
@ -99,15 +99,15 @@ apply_debian () {
apply_centos () { apply_centos () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT" ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS"
elif [ $FNRET = 1 ]; then elif [ $FNRET = 1 ]; then
warn "Set option $OPTIONNAME to $CONDT_VAL in $FILE_REDHAT" warn "Set option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS"
replace_in_file $FILE_REDHAT "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL" replace_in_file $FILE_CENTOS "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL"
elif [ $FNRET = 2 ]; then elif [ $FNRET = 2 ]; then
warn "$OPTIONNAME is not conf, add to $FILE_REDHAT" warn "$OPTIONNAME is not conf, add to $FILE_CENTOS"
add_end_of_file $FILE_REDHAT "$OPTIONNAME = $CONDT_VAL" add_end_of_file $FILE_CENTOS "$OPTIONNAME = $CONDT_VAL"
elif [ $FNRET = 3 ]; then elif [ $FNRET = 3 ]; then
crit "Config file $FILE_REDHAT is not exist!" crit "Config file $FILE_CENTOS is not exist!"
fi fi
} }


@ -20,7 +20,7 @@ PATTERN='^password.*pam_cracklib.so'
FILE='/etc/pam.d/common-password' FILE='/etc/pam.d/common-password'
# Redhat/CentOS default use pam_pwquality # Redhat/CentOS default use pam_pwquality
FILE_REDHAT='/etc/security/pwquality.conf' FILE_CENTOS='/etc/security/pwquality.conf'
OPTIONNAME='ocredit' OPTIONNAME='ocredit'
@ -52,15 +52,15 @@ audit_debian () {
} }
audit_centos () { audit_centos () {
check_param_pair_by_value $FILE_REDHAT $OPTIONNAME le $CONDT_VAL check_param_pair_by_value $FILE_CENTOS $OPTIONNAME le $CONDT_VAL
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT" ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS"
elif [ $FNRET = 1 ]; then elif [ $FNRET = 1 ]; then
crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_REDHAT" crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_CENTOS"
elif [ $FNRET = 2 ]; then elif [ $FNRET = 2 ]; then
crit "Option $OPTIONNAME is not conf in $FILE_REDHAT" crit "Option $OPTIONNAME is not conf in $FILE_CENTOS"
elif [ $FNRET = 3 ]; then elif [ $FNRET = 3 ]; then
crit "Config file $FILE_REDHAT is not exist!" crit "Config file $FILE_CENTOS is not exist!"
fi fi
} }
@ -98,15 +98,15 @@ apply_debian () {
apply_centos () { apply_centos () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT" ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS"
elif [ $FNRET = 1 ]; then elif [ $FNRET = 1 ]; then
warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_REDHAT" warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS"
replace_in_file $FILE_REDHAT "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL" replace_in_file $FILE_CENTOS "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL"
elif [ $FNRET = 2 ]; then elif [ $FNRET = 2 ]; then
warn "$OPTIONNAME is not conf, add to $FILE_REDHAT" warn "$OPTIONNAME is not conf, add to $FILE_CENTOS"
add_end_of_file $FILE_REDHAT "$OPTIONNAME = $CONDT_VAL" add_end_of_file $FILE_CENTOS "$OPTIONNAME = $CONDT_VAL"
elif [ $FNRET = 3 ]; then elif [ $FNRET = 3 ]; then
crit "Config file $FILE_REDHAT is not exist!" crit "Config file $FILE_CENTOS is not exist!"
fi fi
} }


@ -20,7 +20,7 @@ PATTERN='^password.*pam_cracklib.so'
FILE='/etc/pam.d/common-password' FILE='/etc/pam.d/common-password'
# Redhat/CentOS default use pam_pwquality # Redhat/CentOS default use pam_pwquality
FILE_REDHAT='/etc/security/pwquality.conf' FILE_CENTOS='/etc/security/pwquality.conf'
OPTIONNAME='lcredit' OPTIONNAME='lcredit'
@ -52,15 +52,15 @@ audit_debian () {
} }
audit_centos () { audit_centos () {
check_param_pair_by_value $FILE_REDHAT $OPTIONNAME le $CONDT_VAL check_param_pair_by_value $FILE_CENTOS $OPTIONNAME le $CONDT_VAL
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT" ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS"
elif [ $FNRET = 1 ]; then elif [ $FNRET = 1 ]; then
crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_REDHAT" crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_CENTOS"
elif [ $FNRET = 2 ]; then elif [ $FNRET = 2 ]; then
crit "Option $OPTIONNAME is not conf in $FILE_REDHAT" crit "Option $OPTIONNAME is not conf in $FILE_CENTOS"
elif [ $FNRET = 3 ]; then elif [ $FNRET = 3 ]; then
crit "Config file $FILE_REDHAT is not exist!" crit "Config file $FILE_CENTOS is not exist!"
fi fi
} }
@ -98,15 +98,15 @@ apply_debian () {
apply_centos () { apply_centos () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT" ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS"
elif [ $FNRET = 1 ]; then elif [ $FNRET = 1 ]; then
warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_REDHAT" warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS"
replace_in_file $FILE_REDHAT "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL" replace_in_file $FILE_CENTOS "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL"
elif [ $FNRET = 2 ]; then elif [ $FNRET = 2 ]; then
warn "$OPTIONNAME is not conf, add to $FILE_REDHAT" warn "$OPTIONNAME is not conf, add to $FILE_CENTOS"
add_end_of_file $FILE_REDHAT "$OPTIONNAME = $CONDT_VAL" add_end_of_file $FILE_CENTOS "$OPTIONNAME = $CONDT_VAL"
elif [ $FNRET = 3 ]; then elif [ $FNRET = 3 ]; then
crit "Config file $FILE_REDHAT is not exist!" crit "Config file $FILE_CENTOS is not exist!"
fi fi
} }


@ -20,7 +20,7 @@ PATTERN='^password.*pam_cracklib.so'
FILE='/etc/pam.d/common-password' FILE='/etc/pam.d/common-password'
# Redhat/CentOS default use pam_pwquality # Redhat/CentOS default use pam_pwquality
FILE_REDHAT='/etc/security/pwquality.conf' FILE_CENTOS='/etc/security/pwquality.conf'
OPTIONNAME='difok' OPTIONNAME='difok'
@ -52,15 +52,15 @@ audit_debian () {
} }
audit_centos () { audit_centos () {
check_param_pair_by_value $FILE_REDHAT $OPTIONNAME ge $CONDT_VAL check_param_pair_by_value $FILE_CENTOS $OPTIONNAME ge $CONDT_VAL
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "Option $OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_REDHAT" ok "Option $OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_CENTOS"
elif [ $FNRET = 1 ]; then elif [ $FNRET = 1 ]; then
crit "Option $OPTIONNAME set condition is less than $CONDT_VAL in $FILE_REDHAT" crit "Option $OPTIONNAME set condition is less than $CONDT_VAL in $FILE_CENTOS"
elif [ $FNRET = 2 ]; then elif [ $FNRET = 2 ]; then
crit "Option $OPTIONNAME is not conf in $FILE_REDHAT" crit "Option $OPTIONNAME is not conf in $FILE_CENTOS"
elif [ $FNRET = 3 ]; then elif [ $FNRET = 3 ]; then
crit "Config file $FILE_REDHAT is not exist!" crit "Config file $FILE_CENTOS is not exist!"
fi fi
} }
@ -98,15 +98,15 @@ apply_debian () {
apply_centos () { apply_centos () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_REDHAT" ok "$OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_CENTOS"
elif [ $FNRET = 1 ]; then elif [ $FNRET = 1 ]; then
warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_REDHAT" warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS"
replace_in_file $FILE_REDHAT "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL" replace_in_file $FILE_CENTOS "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL"
elif [ $FNRET = 2 ]; then elif [ $FNRET = 2 ]; then
warn "$OPTIONNAME is not conf, add to $FILE_REDHAT" warn "$OPTIONNAME is not conf, add to $FILE_CENTOS"
add_end_of_file $FILE_REDHAT "$OPTIONNAME = $CONDT_VAL" add_end_of_file $FILE_CENTOS "$OPTIONNAME = $CONDT_VAL"
elif [ $FNRET = 3 ]; then elif [ $FNRET = 3 ]; then
crit "Config file $FILE_REDHAT is not exist!" crit "Config file $FILE_CENTOS is not exist!"
fi fi
} }


@ -20,7 +20,7 @@ PATTERN='^password.*pam_cracklib.so'
FILE='/etc/pam.d/common-password' FILE='/etc/pam.d/common-password'
# Redhat/CentOS default use pam_pwquality # Redhat/CentOS default use pam_pwquality
FILE_REDHAT='/etc/security/pwquality.conf' FILE_CENTOS='/etc/security/pwquality.conf'
OPTIONNAME='minclass' OPTIONNAME='minclass'
@ -52,15 +52,15 @@ audit_debian () {
} }
audit_centos () { audit_centos () {
check_param_pair_by_value $FILE_REDHAT $OPTIONNAME ge $CONDT_VAL check_param_pair_by_value $FILE_CENTOS $OPTIONNAME ge $CONDT_VAL
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "Option $OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_REDHAT" ok "Option $OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_CENTOS"
elif [ $FNRET = 1 ]; then elif [ $FNRET = 1 ]; then
crit "Option $OPTIONNAME set condition is less than $CONDT_VAL in $FILE_REDHAT" crit "Option $OPTIONNAME set condition is less than $CONDT_VAL in $FILE_CENTOS"
elif [ $FNRET = 2 ]; then elif [ $FNRET = 2 ]; then
crit "Option $OPTIONNAME is not conf in $FILE_REDHAT" crit "Option $OPTIONNAME is not conf in $FILE_CENTOS"
elif [ $FNRET = 3 ]; then elif [ $FNRET = 3 ]; then
crit "Config file $FILE_REDHAT is not exist!" crit "Config file $FILE_CENTOS is not exist!"
fi fi
} }
@ -98,15 +98,15 @@ apply_debian () {
apply_centos () { apply_centos () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_REDHAT" ok "$OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_CENTOS"
elif [ $FNRET = 1 ]; then elif [ $FNRET = 1 ]; then
warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_REDHAT" warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS"
replace_in_file $FILE_REDHAT "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL" replace_in_file $FILE_CENTOS "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL"
elif [ $FNRET = 2 ]; then elif [ $FNRET = 2 ]; then
warn "$OPTIONNAME is not conf, add to $FILE_REDHAT" warn "$OPTIONNAME is not conf, add to $FILE_CENTOS"
add_end_of_file $FILE_REDHAT "$OPTIONNAME = $CONDT_VAL" add_end_of_file $FILE_CENTOS "$OPTIONNAME = $CONDT_VAL"
elif [ $FNRET = 3 ]; then elif [ $FNRET = 3 ]; then
crit "Config file $FILE_REDHAT is not exist!" crit "Config file $FILE_CENTOS is not exist!"
fi fi
} }


@ -20,7 +20,7 @@ PATTERN='^password.*pam_cracklib.so'
FILE='/etc/pam.d/common-password' FILE='/etc/pam.d/common-password'
# Redhat/CentOS default use pam_pwquality # Redhat/CentOS default use pam_pwquality
FILE_REDHAT='/etc/security/pwquality.conf' FILE_CENTOS='/etc/security/pwquality.conf'
OPTIONNAME='maxrepeat' OPTIONNAME='maxrepeat'
@ -52,15 +52,15 @@ audit_debian () {
} }
audit_centos () { audit_centos () {
check_param_pair_by_value $FILE_REDHAT $OPTIONNAME le $CONDT_VAL check_param_pair_by_value $FILE_CENTOS $OPTIONNAME le $CONDT_VAL
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT" ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS"
elif [ $FNRET = 1 ]; then elif [ $FNRET = 1 ]; then
crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_REDHAT" crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_CENTOS"
elif [ $FNRET = 2 ]; then elif [ $FNRET = 2 ]; then
crit "Option $OPTIONNAME is not conf in $FILE_REDHAT" crit "Option $OPTIONNAME is not conf in $FILE_CENTOS"
elif [ $FNRET = 3 ]; then elif [ $FNRET = 3 ]; then
crit "Config file $FILE_REDHAT is not exist!" crit "Config file $FILE_CENTOS is not exist!"
fi fi
} }
@ -98,15 +98,15 @@ apply_debian () {
apply_centos () { apply_centos () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT" ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS"
elif [ $FNRET = 1 ]; then elif [ $FNRET = 1 ]; then
warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_REDHAT" warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS"
replace_in_file $FILE_REDHAT "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL" replace_in_file $FILE_CENTOS "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL"
elif [ $FNRET = 2 ]; then elif [ $FNRET = 2 ]; then
warn "$OPTIONNAME is not conf, add to $FILE_REDHAT" warn "$OPTIONNAME is not conf, add to $FILE_CENTOS"
add_end_of_file $FILE_REDHAT "$OPTIONNAME = $CONDT_VAL" add_end_of_file $FILE_CENTOS "$OPTIONNAME = $CONDT_VAL"
elif [ $FNRET = 3 ]; then elif [ $FNRET = 3 ]; then
crit "Config file $FILE_REDHAT is not exist!" crit "Config file $FILE_CENTOS is not exist!"
fi fi
} }


@ -14,14 +14,14 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=3 HARDENING_LEVEL=3
PACKAGE='login' PACKAGE='login'
PACKAGE_REDHAT='util-linux' PACKAGE_CENTOS='util-linux'
PATTERN='^auth[[:space:]]*required[[:space:]]*pam_wheel.so' PATTERN='^auth[[:space:]]*required[[:space:]]*pam_wheel.so'
FILE='/etc/pam.d/su' FILE='/etc/pam.d/su'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
PACKAGE=$PACKAGE_REDHAT PACKAGE=$PACKAGE_CENTOS
else else
: :
fi fi