tyler.durden/harbian-audit
1
0
Fork 0
mirror of https://github.com/hardenedlinux/harbian-audit.git synced 2025-07-31 01:24:58 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix #39: Need extra check on blacklisted Linux kernel modules. Update 2.18 2.19 2.20 2.21 2.22 2.23 2.24 14.1

Browse Source
This commit is contained in:
Samson-W 2023-06-14 01:40:47 +08:00
parent 4699911078
commit 14b396769a
8 changed files with 185 additions and 63 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
bin/hardening/14.1_security_related_NAT_slipstreaming.sh
View File

@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian-audit for Debian GNU/Linux 9/10 Hardening # harbian-audit for Debian GNU/Linux 9/10/11/12 Hardening
# Author: Samson-W (samson@hardenedlinux.org)
# #
# #

32
bin/hardening/2.18_disable_cramfs.sh
View File

@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening # harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
@ -13,6 +14,7 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2 HARDENING_LEVEL=2
HARBIAN_SEC_CONF_FILE='/etc/modprobe.d/harbian-security-workaround.conf'
KERNEL_OPTION="CONFIG_CRAMFS" KERNEL_OPTION="CONFIG_CRAMFS"
MODULE_NAME="cramfs" MODULE_NAME="cramfs"
@ -21,22 +23,38 @@ MODULE_NAME="cramfs"
audit () { audit () {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!" debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
crit "$MODULE_NAME is not set to blacklist"
fi
else else
ok "$KERNEL_OPTION is disabled" ok "$MODULE_NAME's kernel option is disabled"
fi fi
:
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
is_kernel_option_enabled $KERNEL_OPTION is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
warn "$MODULE_NAME is not set to blacklist, add to config file $HARBIAN_SEC_CONF_FILE"
if [ -w $HARBIAN_SEC_CONF_FILE ]; then
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
else
touch $HARBIAN_SEC_CONF_FILE
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
fi
fi
else else
ok "$KERNEL_OPTION is disabled, nothing to do" ok "$KERNEL_OPTION is disabled, nothing to do"
fi fi
:
} }
# This function will check config parameters required # This function will check config parameters required

32
bin/hardening/2.19_disable_freevxfs.sh
View File

@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening # harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
@ -13,6 +14,7 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2 HARDENING_LEVEL=2
HARBIAN_SEC_CONF_FILE='/etc/modprobe.d/harbian-security-workaround.conf'
KERNEL_OPTION="CONFIG_VXFS_FS" KERNEL_OPTION="CONFIG_VXFS_FS"
MODULE_NAME="freevxfs" MODULE_NAME="freevxfs"
@ -21,22 +23,38 @@ MODULE_NAME="freevxfs"
audit () { audit () {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!" debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
crit "$MODULE_NAME is not set to blacklist"
fi
else else
ok "$KERNEL_OPTION is disabled" ok "$MODULE_NAME's kernel option is disabled"
fi fi
:
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
is_kernel_option_enabled $KERNEL_OPTION is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
warn "$MODULE_NAME is not set to blacklist, add to config file $HARBIAN_SEC_CONF_FILE"
if [ -w $HARBIAN_SEC_CONF_FILE ]; then
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
else
touch $HARBIAN_SEC_CONF_FILE
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
fi
fi
else else
ok "$KERNEL_OPTION is disabled, nothing to do" ok "$KERNEL_OPTION is disabled, nothing to do"
fi fi
:
} }
# This function will check config parameters required # This function will check config parameters required

33
bin/hardening/2.20_disable_jffs2.sh
View File

@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening # harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
@ -13,30 +14,46 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2 HARDENING_LEVEL=2
HARBIAN_SEC_CONF_FILE='/etc/modprobe.d/harbian-security-workaround.conf'
KERNEL_OPTION="CONFIG_JFFS2_FS" KERNEL_OPTION="CONFIG_JFFS2_FS"
MODULE_NAME="jffs2" MODULE_NAME="jffs2"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!" debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
crit "$MODULE_NAME is not set to blacklist"
fi
else else
ok "$KERNEL_OPTION is disabled" ok "$MODULE_NAME's kernel option is disabled"
fi fi
:
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
is_kernel_option_enabled $KERNEL_OPTION is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
warn "$MODULE_NAME is not set to blacklist, add to config file $HARBIAN_SEC_CONF_FILE"
if [ -w $HARBIAN_SEC_CONF_FILE ]; then
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
else
touch $HARBIAN_SEC_CONF_FILE
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
fi
fi
else else
ok "$KERNEL_OPTION is disabled, nothing to do" ok "$KERNEL_OPTION is disabled, nothing to do"
fi fi
:
} }
# This function will check config parameters required # This function will check config parameters required

37
bin/hardening/2.21_disable_hfs.sh
View File

@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening # harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
@ -13,30 +14,46 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2 HARDENING_LEVEL=2
HARBIAN_SEC_CONF_FILE='/etc/modprobe.d/harbian-security-workaround.conf'
KERNEL_OPTION="CONFIG_HFS_FS" KERNEL_OPTION="CONFIG_HFS_FS"
MODULE_FILE="hfs" MODULE_NAME="hfs"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!" debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
crit "$MODULE_NAME is not set to blacklist"
fi
else else
ok "$KERNEL_OPTION is disabled" ok "$MODULE_NAME's kernel option is disabled"
fi fi
:
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
is_kernel_option_enabled $KERNEL_OPTION is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
warn "$MODULE_NAME is not set to blacklist, add to config file $HARBIAN_SEC_CONF_FILE"
if [ -w $HARBIAN_SEC_CONF_FILE ]; then
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
else
touch $HARBIAN_SEC_CONF_FILE
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
fi
fi
else else
ok "$KERNEL_OPTION is disabled, nothing to do" ok "$KERNEL_OPTION is disabled, nothing to do"
fi fi
:
} }
# This function will check config parameters required # This function will check config parameters required

37
bin/hardening/2.22_disable_hfsplus.sh
View File

@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening # harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
@ -13,30 +14,46 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2 HARDENING_LEVEL=2
HARBIAN_SEC_CONF_FILE='/etc/modprobe.d/harbian-security-workaround.conf'
KERNEL_OPTION="CONFIG_HFSPLUS_FS" KERNEL_OPTION="CONFIG_HFSPLUS_FS"
MODULE_FILE="hfsplus" MODULE_NAME="hfsplus"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!" debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
crit "$MODULE_NAME is not set to blacklist"
fi
else else
ok "$KERNEL_OPTION is disabled" ok "$MODULE_NAME's kernel option is disabled"
fi fi
:
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
is_kernel_option_enabled $KERNEL_OPTION is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
warn "$MODULE_NAME is not set to blacklist, add to config file $HARBIAN_SEC_CONF_FILE"
if [ -w $HARBIAN_SEC_CONF_FILE ]; then
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
else
touch $HARBIAN_SEC_CONF_FILE
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
fi
fi
else else
ok "$KERNEL_OPTION is disabled, nothing to do" ok "$KERNEL_OPTION is disabled, nothing to do"
fi fi
:
} }
# This function will check config parameters required # This function will check config parameters required

37
bin/hardening/2.23_disable_squashfs.sh
View File

@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening # harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
@ -13,30 +14,46 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2 HARDENING_LEVEL=2
HARBIAN_SEC_CONF_FILE='/etc/modprobe.d/harbian-security-workaround.conf'
KERNEL_OPTION="CONFIG_SQUASHFS" KERNEL_OPTION="CONFIG_SQUASHFS"
MODULE_FILE="squashfs" MODULE_NAME="squashfs"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!" debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
crit "$MODULE_NAME is not set to blacklist"
fi
else else
ok "$KERNEL_OPTION is disabled" ok "$MODULE_NAME's kernel option is disabled"
fi fi
:
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
is_kernel_option_enabled $KERNEL_OPTION is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
warn "$MODULE_NAME is not set to blacklist, add to config file $HARBIAN_SEC_CONF_FILE"
if [ -w $HARBIAN_SEC_CONF_FILE ]; then
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
else
touch $HARBIAN_SEC_CONF_FILE
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
fi
fi
else else
ok "$KERNEL_OPTION is disabled, nothing to do" ok "$KERNEL_OPTION is disabled, nothing to do"
fi fi
:
} }
# This function will check config parameters required # This function will check config parameters required

37
bin/hardening/2.24_disable_udf.sh
View File

@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening # harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
@ -13,30 +14,46 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2 HARDENING_LEVEL=2
HARBIAN_SEC_CONF_FILE='/etc/modprobe.d/harbian-security-workaround.conf'
KERNEL_OPTION="CONFIG_UDF_FS" KERNEL_OPTION="CONFIG_UDF_FS"
MODULE_FILE="udf" MODULE_NAME="udf"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!" debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
crit "$MODULE_NAME is not set to blacklist"
fi
else else
ok "$KERNEL_OPTION is disabled" ok "$MODULE_NAME's kernel option is disabled"
fi fi
:
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
is_kernel_option_enabled $KERNEL_OPTION is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
warn "$MODULE_NAME is not set to blacklist, add to config file $HARBIAN_SEC_CONF_FILE"
if [ -w $HARBIAN_SEC_CONF_FILE ]; then
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
else
touch $HARBIAN_SEC_CONF_FILE
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
fi
fi
else else
ok "$KERNEL_OPTION is disabled, nothing to do" ok "$KERNEL_OPTION is disabled, nothing to do"
fi fi
:
} }
# This function will check config parameters required # This function will check config parameters required