Modified 6.7~6.20 to be compatible with CentOS.

This commit is contained in:
Samson-W 2019-08-08 05:13:55 +08:00
parent d0a730c321
commit 19b3831baf
13 changed files with 240 additions and 158 deletions


@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
@ -16,9 +17,13 @@ HARDENING_EXCEPTION=http
# Based on aptitude search '~Phttpd' # Based on aptitude search '~Phttpd'
PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd' PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd'
PACKAGES_REDHAT='httpd pcp-pmda-nginx'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -35,6 +40,9 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -42,8 +50,12 @@ apply () {
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate." warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else else
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE if [ $OS_RELEASE -eq 2 ]; then
apt-get autoremove yum autoremove $PACKAGE
else
apt-get purge $PACKAGE
apt-get autoremove
fi
fi fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
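Review bot: `yum autoremove $PACKAGE` on the new side of the apply hunk runs without `-y`, unlike the sibling files in this commit that use `yum autoremove $PACKAGE -y`, so on CentOS the purge waits on an interactive confirmation (or aborts when there is no tty) and the unattended hardening run never removes the package; change it to `yum autoremove $PACKAGE -y` (the neighbouring `apt-get purge $PACKAGE` has the same pre-existing gap). The guard `[ $OS_RELEASE -eq 2 ]` added at the top of audit and apply is unquoted: if OS_RELEASE is ever unset, `[` prints "unary operator expected" and evaluates false, so execution falls through to the Debian branch; `[ "${OS_RELEASE:-0}" -eq 2 ]` keeps the same behaviour with a defined fallback (whether the framework always sets it is not visible here). Separately, `pcp-pmda-nginx` appears to be a PCP metrics agent rather than an HTTP daemon, while `nginx` itself (packaged for CentOS under the same name) is missing from PACKAGES_REDHAT, so the list is worth confirming before apply purges on that basis. The bodies of audit and apply continue outside the hunks.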


@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9 or CentOS Hardening
# #
# #
@ -19,36 +19,44 @@ PACKAGES='citadel-server courier-imap cyrus-imapd-2.4 dovecot-imapd mailutils-im
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
for PACKAGE in $PACKAGES; do if [ $OS_RELEASE -eq 2 ]; then
is_pkg_installed $PACKAGE ok "Redhat or CentOS does not have this check, so PASS"
if [ $FNRET = 0 ]; then else
if [ $ISEXCEPTION -eq 1 ]; then for PACKAGE in $PACKAGES; do
warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!" is_pkg_installed $PACKAGE
else if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed!" if [ $ISEXCEPTION -eq 1 ]; then
fi warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!"
else else
ok "$PACKAGE is absent" crit "$PACKAGE is installed!"
fi fi
done else
ok "$PACKAGE is absent"
fi
done
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
for PACKAGE in $PACKAGES; do if [ $OS_RELEASE -eq 2 ]; then
is_pkg_installed $PACKAGE ok "Redhat or CentOS does not have this check, so PASS"
if [ $FNRET = 0 ]; then else
if [ $ISEXCEPTION -eq 1 ]; then for PACKAGE in $PACKAGES; do
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate." is_pkg_installed $PACKAGE
else if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it" if [ $ISEXCEPTION -eq 1 ]; then
apt-get purge $PACKAGE -y warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
apt-get autoremove else
fi crit "$PACKAGE is installed, purging it"
else apt-get purge $PACKAGE -y
ok "$PACKAGE is absent" apt-get autoremove
fi fi
done else
ok "$PACKAGE is absent"
fi
done
fi
} }
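Review bot: On CentOS the new audit and apply branches report `ok "Redhat or CentOS does not have this check, so PASS"` without inspecting anything, so the control is recorded as compliant when it was never evaluated; the snmpd, rsync, NTP and rpcbind/nfs-kernel-server files in this commit use the same pattern. Dovecot and Cyrus are packaged for CentOS (`dovecot`, `cyrus-imapd`), so the existing loop could run there with a PACKAGES_REDHAT list, as the HTTP and DNS files in this same commit already do. Where a check genuinely has no CentOS equivalent, emit the skip with `info` (or `warn`) rather than `ok`, so the report distinguishes "passed" from "not evaluated".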
# This function will create the config file for this check with default values # This function will create the config file for this check with default values


@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
@ -41,8 +42,12 @@ apply () {
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate." warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else else
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y if [ $OS_RELEASE -eq 2 ]; then
apt-get autoremove yum autoremove $PACKAGE -y
else
apt-get purge $PACKAGE -y
apt-get autoremove
fi
fi fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"


@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
@ -15,9 +16,13 @@ HARDENING_LEVEL=3
HARDENING_EXCEPTION=http HARDENING_EXCEPTION=http
PACKAGES='squid3 squid' PACKAGES='squid3 squid'
PACKAGES_REDHAT='squid gssproxy haproxy'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -34,6 +39,9 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -41,8 +49,12 @@ apply () {
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate." warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else else
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y if [ $OS_RELEASE -eq 2 ]; then
apt-get autoremove yum autoremove $PACKAGE -y
else
apt-get purge $PACKAGE -y
apt-get autoremove
fi
fi fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
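Review bot: `PACKAGES_REDHAT='squid gssproxy haproxy'` at the top of the hunk puts two packages into the purge list that are not HTTP proxy servers in the sense of this check: gssproxy is the GSS-API proxy daemon used by Kerberized NFS and other services, and haproxy is a TCP/HTTP load balancer; with the exception flag off, apply runs `yum autoremove $PACKAGE -y` on each, which can break unrelated services on a CentOS host. Consider `PACKAGES_REDHAT='squid'`, adding haproxy only if the site treats it as an in-scope proxy, and a comment recording why each entry is listed. The remaining bodies of audit and apply are outside the hunks.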


@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9 or CentOS Hardening
# #
# #
@ -18,35 +18,43 @@ PACKAGES='snmpd'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
for PACKAGE in $PACKAGES; do if [ $OS_RELEASE -eq 2 ]; then
is_pkg_installed $PACKAGE ok "Redhat or CentOS does not have this check, so PASS"
if [ $FNRET = 0 ]; then else
if [ $ISEXCEPTION -eq 1 ]; then for PACKAGE in $PACKAGES; do
warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!" is_pkg_installed $PACKAGE
else if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed!" if [ $ISEXCEPTION -eq 1 ]; then
fi warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!"
else else
ok "$PACKAGE is absent" crit "$PACKAGE is installed!"
fi fi
done else
ok "$PACKAGE is absent"
fi
done
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
for PACKAGE in $PACKAGES; do if [ $OS_RELEASE -eq 2 ]; then
is_pkg_installed $PACKAGE ok "Redhat or CentOS does not have this check, so PASS"
if [ $FNRET = 0 ]; then else
if [ $ISEXCEPTION -eq 1 ]; then for PACKAGE in $PACKAGES; do
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate." is_pkg_installed $PACKAGE
else if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it" if [ $ISEXCEPTION -eq 1 ]; then
apt-get purge $PACKAGE -y warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
fi else
else crit "$PACKAGE is installed, purging it"
ok "$PACKAGE is absent" apt-get purge $PACKAGE -y
fi fi
done else
ok "$PACKAGE is absent"
fi
done
fi
} }
# This function will create the config file for this check with default values # This function will create the config file for this check with default values


@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9 or CentOS Hardening
# #
# #
@ -21,36 +21,44 @@ RSYNC_DEFAULT_PATTERN_TO_SEARCH='RSYNC_ENABLE=true'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
is_pkg_installed $PACKAGE if [ $OS_RELEASE -eq 2 ]; then
if [ $FNRET != 0 ]; then ok "Redhat or CentOS does not have this check, so PASS"
ok "$PACKAGE is not installed" else
else is_pkg_installed $PACKAGE
ok "$PACKAGE is installed, checking configuration" if [ $FNRET != 0 ]; then
does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN" ok "$PACKAGE is not installed"
if [ $FNRET != 0 ]; then else
crit "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE" ok "$PACKAGE is installed, checking configuration"
else does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE" if [ $FNRET != 0 ]; then
fi crit "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE"
fi else
ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE"
fi
fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
is_pkg_installed $PACKAGE if [ $OS_RELEASE -eq 2 ]; then
if [ $FNRET != 0 ]; then ok "Redhat or CentOS does not have this check, so PASS"
ok "$PACKAGE is not installed" else
else is_pkg_installed $PACKAGE
ok "$PACKAGE is installed, checking configuration" if [ $FNRET != 0 ]; then
does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN" ok "$PACKAGE is not installed"
if [ $FNRET != 0 ]; then else
warn "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE, adding it" ok "$PACKAGE is installed, checking configuration"
backup_file $RSYNC_DEFAULT_FILE does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
replace_in_file $RSYNC_DEFAULT_FILE $RSYNC_DEFAULT_PATTERN_TO_SEARCH $RSYNC_DEFAULT_PATTERN if [ $FNRET != 0 ]; then
else warn "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE, adding it"
ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE" backup_file $RSYNC_DEFAULT_FILE
fi replace_in_file $RSYNC_DEFAULT_FILE $RSYNC_DEFAULT_PATTERN_TO_SEARCH $RSYNC_DEFAULT_PATTERN
fi else
ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE"
fi
fi
fi
} }
# This function will check config parameters required # This function will check config parameters required


@ -2,7 +2,7 @@
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9 Hardening
# # todo test for centos
# #
# 6.17 Ensure virul scan Server is enabled (Scored) # 6.17 Ensure virul scan Server is enabled (Scored)


@ -2,7 +2,7 @@
# #
# harbian audit 9 Hardening # harbian audit 9 Hardening
# # todo test for centos
# #
# 6.18 Ensure virul scan Server update is enabled (Scored) # 6.18 Ensure virul scan Server update is enabled (Scored)


@ -1,11 +1,11 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9 or CentOS Hardening
# # todo base redhat7 v2r3 of STIG
# #
# 6.5 Configure Network Time Protocol (NTP) (Scored) # 6.19 Configure Network Time Protocol (NTP) (Scored)
# Modify Author : Samson wen, Samson <sccxboy@gmail.com> # Modify Author : Samson wen, Samson <sccxboy@gmail.com>
# #


@ -23,48 +23,56 @@ NTP_POOL_CFG='pool 2.debian.pool.ntp.org iburst'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
is_pkg_installed $ANALOGONS_PKG if [ $OS_RELEASE -eq 2 ]; then
if [ $FNRET = 0 ]; then ok "Redhat or CentOS does not have this check, so PASS"
ok "Analogons pagkage $ANALOGONS_PKG is installed. So pass check."
else else
is_pkg_installed $PACKAGE is_pkg_installed $ANALOGONS_PKG
if [ $FNRET != 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is not installed!" ok "Analogons pagkage $ANALOGONS_PKG is installed. So pass check."
else else
ok "$PACKAGE is installed, checking configuration" is_pkg_installed $PACKAGE
does_pattern_exist_in_file $NTP_CONF_FILE $NTP_SERVER_PATTERN if [ $FNRET != 0 ]; then
if [ $FNRET != 0 ]; then crit "$PACKAGE is not installed!"
crit "$NTP_SERVER_PATTERN not found in $NTP_CONF_FILE" else
else ok "$PACKAGE is installed, checking configuration"
ok "$NTP_SERVER_PATTERN found in $NTP_CONF_FILE" does_pattern_exist_in_file $NTP_CONF_FILE $NTP_SERVER_PATTERN
fi if [ $FNRET != 0 ]; then
fi crit "$NTP_SERVER_PATTERN not found in $NTP_CONF_FILE"
else
ok "$NTP_SERVER_PATTERN found in $NTP_CONF_FILE"
fi
fi
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
is_pkg_installed $ANALOGONS_PKG if [ $OS_RELEASE -eq 2 ]; then
if [ $FNRET = 0 ]; then ok "Redhat or CentOS does not have this check, so PASS"
ok "Analogons pagkage $ANALOGONS_PKG is installed. So pass check."
else else
is_pkg_installed $PACKAGE is_pkg_installed $ANALOGONS_PKG
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed" ok "Analogons pagkage $ANALOGONS_PKG is installed. So pass check."
else else
crit "$PACKAGE is absent, installing it" is_pkg_installed $PACKAGE
apt_install $PACKAGE if [ $FNRET = 0 ]; then
info "Checking $PACKAGE configuration" ok "$PACKAGE is installed"
does_pattern_exist_in_file $NTP_CONF_FILE $NTP_SERVER_PATTERN
if [ $FNRET != 0 ]; then
warn "$NTP_SERVER_PATTERN not found in $NTP_CONF_FILE, adding it"
backup_file $NTP_CONF_FILE
add_end_of_file $NTP_CONF_FILE $NTP_POOL_CFG
else else
ok "$NTP_SERVER_PATTERN found in $NTP_CONF_FILE" crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE
info "Checking $PACKAGE configuration"
does_pattern_exist_in_file $NTP_CONF_FILE $NTP_SERVER_PATTERN
if [ $FNRET != 0 ]; then
warn "$NTP_SERVER_PATTERN not found in $NTP_CONF_FILE, adding it"
backup_file $NTP_CONF_FILE
add_end_of_file $NTP_CONF_FILE $NTP_POOL_CFG
else
ok "$NTP_SERVER_PATTERN found in $NTP_CONF_FILE"
fi
exit 1
fi fi
exit 1 fi
fi
fi fi
} }
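Review bot: The re-indented apply body keeps an `exit 1` directly after the install-and-configure branch (the line following the inner `fi` on the new side), so after `apt_install $PACKAGE` and `add_end_of_file` succeed the script terminates with a failure status, which a caller will read as "remediation failed" even though it was just applied. If the intent is to force a re-audit after the change, a comment saying so is needed; otherwise drop the `exit 1` and let apply return normally. This is pre-existing logic the commit carries over, and the surrounding variable definitions are outside the hunk.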


@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
@ -18,36 +19,44 @@ PACKAGES='rpcbind nfs-kernel-server'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
for PACKAGE in $PACKAGES; do if [ $OS_RELEASE -eq 2 ]; then
is_pkg_installed $PACKAGE ok "Redhat or CentOS does not have this check, so PASS"
if [ $FNRET = 0 ]; then else
if [ $ISEXCEPTION -eq 1 ]; then for PACKAGE in $PACKAGES; do
warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!" is_pkg_installed $PACKAGE
else if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed!" if [ $ISEXCEPTION -eq 1 ]; then
fi warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!"
else else
ok "$PACKAGE is absent" crit "$PACKAGE is installed!"
fi fi
done else
ok "$PACKAGE is absent"
fi
done
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
for PACKAGE in $PACKAGES; do if [ $OS_RELEASE -eq 2 ]; then
is_pkg_installed $PACKAGE ok "Redhat or CentOS does not have this check, so PASS"
if [ $FNRET = 0 ]; then else
if [ $ISEXCEPTION -eq 1 ]; then for PACKAGE in $PACKAGES; do
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate." is_pkg_installed $PACKAGE
else if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it" if [ $ISEXCEPTION -eq 1 ]; then
apt-get purge $PACKAGE -y warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
apt-get autoremove else
fi crit "$PACKAGE is installed, purging it"
else apt-get purge $PACKAGE -y
ok "$PACKAGE is absent" apt-get autoremove
fi fi
done else
ok "$PACKAGE is absent"
fi
done
fi
} }
# This function will create the config file for this check with default values # This function will create the config file for this check with default values


@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
@ -15,9 +16,13 @@ HARDENING_LEVEL=3
HARDENING_EXCEPTION=dns HARDENING_EXCEPTION=dns
PACKAGES='bind9 unbound' PACKAGES='bind9 unbound'
PACKAGES_REDHAT='bind unbound'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -34,6 +39,9 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -41,8 +49,12 @@ apply () {
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate." warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else else
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y if [ $OS_RELEASE -eq 2 ]; then
apt-get autoremove yum autoremove $PACKAGE -y
else
apt-get purge $PACKAGE -y
apt-get autoremove
fi
fi fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"


@ -51,7 +51,7 @@ apply () {
else else
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
yum remove $PACKAGE -y yum autoremove $PACKAGE -y
else else
apt-get purge $PACKAGE -y apt-get purge $PACKAGE -y
apt-get autoremove apt-get autoremove