diff --git a/bin/hardening/4.6_disable_usb_devices.sh b/bin/hardening/4.6_disable_usb_devices.sh index 4dfc158..ec95f7e 100755 --- a/bin/hardening/4.6_disable_usb_devices.sh +++ b/bin/hardening/4.6_disable_usb_devices.sh @@ -1,11 +1,13 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening / +# harbian audit 7/8/9/10 or CentOS Hardening +# Modify by: Samson-W (samson@hardenedlinux.org) # # # 4.6 Disable USB Devices +# TODO test # set -e # One error, it's over @@ -18,8 +20,11 @@ PATTERN='ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{auth FILES_TO_SEARCH='/etc/udev/rules.d' FILE='/etc/udev/rules.d/CIS_4.6_usb_devices.conf' -# This function will be called if the script status is on enabled / audit mode -audit () { +BLACKRULEPATTERN='^blacklist[[:blank:]].*usb-storage' +BLACKRULE='blacklist usb-storage' +BLACKCONFILE='/etc/modprobe.d/blacklist.conf' + +audit_debian () { SEARCH_RES=0 for FILE_SEARCHED in $FILES_TO_SEARCH; do if [ $SEARCH_RES = 1 ]; then break; fi @@ -50,6 +55,22 @@ audit () { fi } +audit_redhat () { + : +} + +# This function will be called if the script status is on enabled / audit mode +audit () { + if [ $OS_RELEASE -eq 1 ]; then + audit_debian + elif [ $OS_RELEASE -eq 2 ]; then + audit_redhat + else + crit "Current OS is not support!" + FNRET=44 + fi +} + # This function will be called if the script status is on enabled mode apply () { SEARCH_RES=0 diff --git a/bin/hardening/5.1.1_disable_nis.sh b/bin/hardening/5.1.1_disable_nis.sh index d3552f3..5481934 100755 --- a/bin/hardening/5.1.1_disable_nis.sh +++ b/bin/hardening/5.1.1_disable_nis.sh @@ -1,7 +1,8 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening +# Modify by: Samson-W (samson@hardenedlinux.org) # # 
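Review bot: `BLACKRULEPATTERN`, `BLACKRULE` and `BLACKCONFILE` are introduced in the `@@ -18,8 +20,11 @@` hunk but nothing in this diff references them, so they are dead definitions until the RedHat path is written. If they are meant to drive that path, be aware that a `blacklist usb-storage` line only stops alias-based autoloading — `modprobe usb-storage`, or a module that depends on it, still loads the driver — so the check should also accept or require `install usb-storage /bin/true`. The pattern is also unanchored at the end, so `blacklist usb-storage-anything` would satisfy it; `BLACKRULEPATTERN='^blacklist[[:blank:]][[:blank:]]*usb-storage[[:blank:]]*$'` is tighter and stays BRE-safe.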
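Review bot: `audit_redhat` in the `@@ -50,6 +55,22 @@` hunk is an empty `:` stub, so on a CentOS host `audit` returns without calling `ok`, `warn` or `crit` and the USB check produces no finding at all, which reads as a pass. Until the RedHat logic exists it should at least say so, e.g. `warn "USB device check is not implemented for Redhat/CentOS yet"`, and probably set `FNRET` so the caller does not treat the result as clean (I cannot see from here what the runner expects). The unchanged `apply` whose context lines close this hunk (its body continues past the hunk) is not OS-dispatched at all, so on CentOS `apply` will still write the Debian udev rule to `/etc/udev/rules.d/CIS_4.6_usb_devices.conf` while `audit` checks nothing, and the two modes will disagree; the `audit`-style `if [ $OS_RELEASE -eq 1 ]` dispatch belongs in `apply` as well.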
@@ -14,10 +15,14 @@ set -u # One variable unset, it's over HARDENING_LEVEL=3 PACKAGE='nis' +PACKAGE_REDHAT='ypserv' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE + if [ $OS_RELEASE -eq 2 ]; then + PACKAGE=$PACKAGE_REDHAT + fi + is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then crit "$PACKAGE is installed!" else @@ -28,11 +33,18 @@ audit () { # This function will be called if the script status is on enabled mode apply () { + if [ $OS_RELEASE -eq 2 ]; then + PACKAGE=$PACKAGE_REDHAT + fi is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then crit "$PACKAGE is installed, purging it" - apt-get purge $PACKAGE -y - apt-get autoremove + if [ $OS_RELEASE -eq 2 ]; then + yum -y autoremove $PACKAGE + else + apt-get purge $PACKAGE -y + apt-get autoremove + fi else ok "$PACKAGE is absent" fi diff --git a/bin/hardening/5.1.2_disable_rsh.sh b/bin/hardening/5.1.2_disable_rsh.sh index 8810f87..5c90436 100755 --- a/bin/hardening/5.1.2_disable_rsh.sh +++ b/bin/hardening/5.1.2_disable_rsh.sh @@ -1,7 +1,8 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening +# Modify by: Samson-W (samson@hardenedlinux.org) # # @@ -15,11 +16,11 @@ HARDENING_LEVEL=2 # Based on aptitude search '~Prsh-server' PACKAGES='rsh-server rsh-redone-server heimdal-servers' +PACKAGE_REDHAT='rsh-server' FILE='/etc/inetd.conf' PATTERN='^(shell|login|exec)' -# This function will be called if the script status is on enabled / audit mode -audit () { +audit_debian () { for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then 
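Review bot: The RedHat branch of `apply` in the `@@ -28,11 +33,18 @@` hunk uses `yum -y autoremove $PACKAGE`, while every other script in this change uses `yum remove <pkg> -y`; `autoremove` with a package argument also strips dependencies that become unused, and as far as I recall it is not available on the older yum shipped with CentOS 6. Using the same form as the siblings, `yum remove $PACKAGE -y`, keeps the series uniform and avoids a silent failure on older hosts. Separately, Debian's `nis` package bundles both the NIS client and server, but the RedHat substitute is only `ypserv`; if parity is the goal, `ypbind` (the client) presumably needs covering too — verify against the benchmark item this script implements.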
@@ -41,8 +42,27 @@ audit () { done } -# This function will be called if the script status is on enabled mode -apply () { +audit_redhat () { + is_pkg_installed $PACKAGE_REDHAT + if [ $FNRET = 0 ]; then + crit "$PACKAGE_REDHAT is installed!" + else + ok "$PACKAGE_REDHAT is absent" + fi +} +# This function will be called if the script status is on enabled / audit mode +audit () { + if [ $OS_RELEASE -eq 1 ]; then + audit_debian + elif [ $OS_RELEASE -eq 2 ]; then + audit_redhat + else + crit "Current OS is not support!" + FNRET=44 + fi +} + +apply_debian () { for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then @@ -70,6 +90,27 @@ apply () { done } +apply_redhat () { + is_pkg_installed $PACKAGE_REDHAT + if [ $FNRET = 0 ]; then + crit "$$PACKAGE_REDHAT is installed, purging it" + yum -y remove $PACKAGE_REDHAT + else + ok "$PACKAGE_REDHAT is absent" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $OS_RELEASE -eq 1 ]; then + apply_debian + elif [ $OS_RELEASE -eq 2 ]; then + apply_redhat + else + crit "Current OS is not support!" + fi +} + # This function will check config parameters required check_config() { : diff --git a/bin/hardening/5.1.3_disable_rsh_client.sh b/bin/hardening/5.1.3_disable_rsh_client.sh index 79bb1ae..4bf7501 100755 --- a/bin/hardening/5.1.3_disable_rsh_client.sh +++ b/bin/hardening/5.1.3_disable_rsh_client.sh @@ -1,7 +1,8 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening +# Modify by: Samson-W (samson@hardenedlinux.org) # # 
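Review bot: `audit_redhat` in the `@@ -41,8 +42,27 @@` hunk only tests whether `rsh-server` is installed, whereas the Debian side carries `FILE='/etc/inetd.conf'` and `PATTERN='^(shell|login|exec)'`, presumably to also flag live inetd entries; on RHEL/CentOS the r-services are normally enabled through xinetd (`/etc/xinetd.d/rsh`, `rlogin`, `rexec`), so the RedHat check should either look at those files or state in a comment that it is package-only. A header such as `# RedHat/CentOS: package-only check for rsh-server (xinetd config not inspected)` above `audit_redhat` would make the asymmetry explicit. `apply_debian`, renamed in this hunk, continues past it.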
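Review bot: `crit "$$PACKAGE_REDHAT is installed, purging it"` in `apply_redhat` (the `@@ -70,6 +90,27 @@` hunk) has a doubled `$`: `$$` expands to the shell's PID, so the message prints something like `12345PACKAGE_REDHAT is installed, purging it` instead of the package name. It should read `crit "$PACKAGE_REDHAT is installed, purging it"`. The unsupported-OS `else` of the new `apply` dispatcher also logs `crit` but, unlike `audit` in the same file, does not set `FNRET=44`; adding that line keeps the two dispatchers consistent.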
@@ -18,28 +19,36 @@ PACKAGES='rsh-client rsh-redone-client heimdal-clients' # This function will be called if the script status is on enabled / audit mode audit () { - for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - crit "$PACKAGE is installed" - else - ok "$PACKAGE is absent" - fi - done + if [ $OS_RELEASE -eq 2 ]; then + ok "Redhat or CentOS does not have this check, so PASS" + else + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed" + else + ok "$PACKAGE is absent" + fi + done + fi } # This function will be called if the script status is on enabled mode apply () { - for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - warn "$PACKAGE is installed, purging" - apt-get purge $PACKAGE -y - apt-get autoremove - else - ok "$PACKAGE is absent" - fi - done + if [ $OS_RELEASE -eq 2 ]; then + ok "Redhat or CentOS does not have this check, so PASS" + else + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + warn "$PACKAGE is installed, purging" + apt-get purge $PACKAGE -y + apt-get autoremove + else + ok "$PACKAGE is absent" + fi + done + fi } # This function will check config parameters required diff --git a/bin/hardening/5.1.4_disable_talk.sh b/bin/hardening/5.1.4_disable_talk.sh index d9de3eb..d0968dd 100755 --- a/bin/hardening/5.1.4_disable_talk.sh +++ b/bin/hardening/5.1.4_disable_talk.sh @@ -1,7 +1,8 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening +# Modify by: Samson-W (samson@hardenedlinux.org) # # @@ -16,9 +17,9 @@ HARDENING_LEVEL=2 PACKAGES='inetutils-talkd talkd' FILE='/etc/inetd.conf' PATTERN='^(talk|ntalk)' +PACKAGES_REDHAT='talk-server' -# This function will be called if the script status is on enabled / audit mode -audit () { +audit_debian () { for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then 
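Review bot: On RedHat both `audit` and `apply` in the `@@ -18,28 +19,36 @@` hunk unconditionally report `ok "Redhat or CentOS does not have this check, so PASS"`, which turns an unimplemented check into a green result. I believe the RHEL benchmarks do carry an rsh-client item (the `rsh` package), so this looks like a gap rather than a genuine not-applicable; if it is intentionally skipped it should be logged with `warn` rather than `ok` and the reason given in a comment, e.g. `# RedHat: no client package list yet; reported as warn, not ok`. The simpler fix is to follow the sibling scripts with `PACKAGES_REDHAT='rsh'`, swap `PACKAGES` when `$OS_RELEASE -eq 2`, and let the existing loop run with `yum remove $PACKAGE -y` in the apply branch.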
@@ -40,8 +41,30 @@ audit () { done } -# This function will be called if the script status is on enabled mode -apply () { +audit_redhat () { + for PACKAGE in $PACKAGES_REDHAT; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed" + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will be called if the script status is on enabled / audit mode +audit () { + if [ $OS_RELEASE -eq 1 ]; then + audit_debian + elif [ $OS_RELEASE -eq 2 ]; then + audit_redhat + else + crit "Current OS is not support!" + FNRET=44 + fi +} + +apply_debian () { for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then @@ -69,6 +92,28 @@ apply () { done } +apply_redhat () { + for PACKAGE in $PACKAGES_REDHAT; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed, purging it" + yum remove $PACKAGE -y + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $OS_RELEASE -eq 1 ]; then + apply_debian + elif [ $OS_RELEASE -eq 2 ]; then + apply_redhat + else + crit "Current OS is not support!" + fi +} # This function will check config parameters required check_config() { : diff --git a/bin/hardening/5.1.5_disable_talk_client.sh b/bin/hardening/5.1.5_disable_talk_client.sh index e161822..6056df3 100755 --- a/bin/hardening/5.1.5_disable_talk_client.sh +++ b/bin/hardening/5.1.5_disable_talk_client.sh @@ -1,7 +1,8 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening +# Modify by: Samson-W (samson@hardenedlinux.org) # # @@ -14,9 +15,13 @@ set -u # One variable unset, it's over HARDENING_LEVEL=2 PACKAGES='talk inetutils-talk' +PACKAGES_REDHAT='talk' # This function will be called if the script status is on enabled / audit mode audit () { + if [ $OS_RELEASE -eq 2 ]; then + PACKAGES=$PACKAGES_REDHAT + fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then 
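Review bot: `audit_redhat` in the `@@ -40,8 +41,30 @@` hunk checks only whether `talk-server` is installed, while the Debian path defines `FILE='/etc/inetd.conf'` and `PATTERN='^(talk|ntalk)'`, presumably to also flag an active inetd entry; on RHEL/CentOS talk is normally served via xinetd, so if the Debian side inspects inetd the RedHat side should look at the xinetd config too, or say in a comment that it is package-only. A one-line header like `# RedHat/CentOS: package-only check for talk-server (xinetd config not inspected)` would document the difference. `apply_debian`, renamed here, continues past the hunk.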
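Review bot: The unsupported-OS `else` of the new `apply` in the `@@ -69,6 +92,28 @@` hunk emits `crit` but does not set `FNRET=44` as `audit` does, so a caller that inspects `FNRET` after `apply` sees whatever the last `is_pkg_installed` left; add `FNRET=44` after the `crit` for parity. The closing `}` of `apply` also runs straight into `# This function will check config parameters required` with no blank line, unlike the other scripts in this change. `yum remove $PACKAGE -y` here matches 5.1.5–5.1.7 but not 5.1.1's `yum -y autoremove`; worth settling on one form across the series.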
@@ -29,12 +34,19 @@ audit () { # This function will be called if the script status is on enabled mode apply () { + if [ $OS_RELEASE -eq 2 ]; then + PACKAGES=$PACKAGES_REDHAT + fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then warn "$PACKAGE is installed, purging" - apt-get purge $PACKAGE -y - apt-get autoremove + if [ $OS_RELEASE -eq 2 ]; then + yum remove $PACKAGE -y + else + apt-get purge $PACKAGE -y + apt-get autoremove + fi else ok "$PACKAGE is absent" fi diff --git a/bin/hardening/5.1.6_disable_telnet_server.sh b/bin/hardening/5.1.6_disable_telnet_server.sh index d13eab0..2ed0118 100755 --- a/bin/hardening/5.1.6_disable_telnet_server.sh +++ b/bin/hardening/5.1.6_disable_telnet_server.sh @@ -1,7 +1,8 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening +# Modify by: Samson-W (samson@hardenedlinux.org) # # @@ -17,9 +18,9 @@ HARDENING_LEVEL=2 PACKAGES='telnetd inetutils-telnetd telnetd-ssl krb5-telnetd heimdal-servers' FILE='/etc/inetd.conf' PATTERN='^telnet' +PACKAGE_REDHAT='telnet-server' -# This function will be called if the script status is on enabled / audit mode -audit () { +audit_debian () { for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then @@ -41,8 +42,28 @@ audit () { done } -# This function will be called if the script status is on enabled mode -apply () { +audit_redhat () { + is_pkg_installed $PACKAGE_REDHAT + if [ $FNRET = 0 ]; then + crit "$PACKAGE_REDHAT is installed" + else + ok "$PACKAGE_REDHAT is absent" + fi +} + +# This function will be called if the script status is on enabled / audit mode +audit () { + if [ $OS_RELEASE -eq 1 ]; then + audit_debian + elif [ $OS_RELEASE -eq 2 ]; then + audit_redhat + else + crit "Current OS is not support!" + FNRET=44 + fi +} + +apply_debian () { for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then 
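Review bot: `apply` in the `@@ -29,12 +34,19 @@` hunk now tests `$OS_RELEASE` twice — once to swap `PACKAGES` and again inside the loop to choose `yum remove` versus `apt-get purge` — and the inner test is re-evaluated on every iteration although its answer cannot change. Either hoist the package-manager choice out of the loop or split into `apply_debian`/`apply_redhat` helpers with a dispatcher, as 5.1.2, 5.1.4, 5.1.6 and 5.1.7 do, so the whole series has one shape. A brief comment on the swap, e.g. `# RedHat ships the client as plain 'talk'`, would explain why `PACKAGES` is overwritten rather than extended.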
@@ -70,6 +91,27 @@ apply () { done } +apply_redhat () { + is_pkg_installed $PACKAGE_REDHAT + if [ $FNRET = 0 ]; then + crit "$PACKAGE_REDHAT is installed, purging it" + yum remove $PACKAGE_REDHAT -y + else + ok "$PACKAGE_REDHAT is absent" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $OS_RELEASE -eq 1 ]; then + apply_debian + elif [ $OS_RELEASE -eq 2 ]; then + apply_redhat + else + crit "Current OS is not support!" + fi +} + # This function will check config parameters required check_config() { : diff --git a/bin/hardening/5.1.7_disable_tftp_server.sh b/bin/hardening/5.1.7_disable_tftp_server.sh index e9566d8..52f7fec 100755 --- a/bin/hardening/5.1.7_disable_tftp_server.sh +++ b/bin/hardening/5.1.7_disable_tftp_server.sh @@ -1,7 +1,8 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening +# Modify by: Samson-W (samson@hardenedlinux.org) # # @@ -16,9 +17,9 @@ HARDENING_LEVEL=2 PACKAGES='tftpd tftpd-hpa atftpd' FILE='/etc/inetd.conf' PATTERN='^tftp' +PACKAGE_REDHAT='tftp-server' -# This function will be called if the script status is on enabled / audit mode -audit () { +audit_debian () { for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then @@ -40,8 +41,28 @@ audit () { done } -# This function will be called if the script status is on enabled mode -apply () { +audit_redhat () { + is_pkg_installed $PACKAGE_REDHAT + if [ $FNRET = 0 ]; then + crit "$PACKAGE_REDHAT is installed" + else + ok "$PACKAGE_REDHAT is absent" + fi +} + +# This function will be called if the script status is on enabled / audit mode +audit () { + if [ $OS_RELEASE -eq 1 ]; then + audit_debian + elif [ $OS_RELEASE -eq 2 ]; then + audit_redhat + else + crit "Current OS is not support!" + FNRET=44 + fi +} + +apply_debian () { for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then 
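Review bot: The unsupported-OS `else` of the new `apply` dispatcher in the `@@ -70,6 +91,27 @@` hunk logs `crit "Current OS is not support!"` but, unlike `audit` in this file, leaves `FNRET` untouched, so the caller sees a stale value; add `FNRET=44` after the `crit` for parity. The message is also ungrammatical and repeated verbatim in every script of this change — `crit "Current OS is not supported!"` reads correctly, and all occurrences should change together so the output stays uniform.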
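Review bot: `audit_redhat` in 5.1.7's `@@ -40,8 +41,28 @@` hunk checks only the `tftp-server` package, while the Debian side defines `FILE='/etc/inetd.conf'` and `PATTERN='^tftp'`; on RHEL/CentOS tftp-server is normally started from xinetd (`/etc/xinetd.d/tftp`) or a systemd socket, so a comment stating that the RedHat check is package-only, e.g. `# RedHat/CentOS: package-only check for tftp-server (xinetd/socket state not inspected)`, or an actual check of that state, would close the gap. `apply_debian`, renamed at the end of the hunk, continues past it.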
@@ -69,6 +90,26 @@ apply () { done } +apply_redhat () {a + is_pkg_installed $PACKAGE_REDHAT + if [ $FNRET = 0 ]; then + crit "$PACKAGE_REDHAT is installed, purging it" + yum remove $PACKAGE_REDHAT -y + else + ok "$PACKAGE_REDHAT is absent" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $OS_RELEASE -eq 1 ]; then + apply_debian + elif [ $OS_RELEASE -eq 2 ]; then + apply_redhat + else + crit "Current OS is not support!" + fi +} # This function will check config parameters required check_config() { :
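Review bot: `+apply_redhat () {a` has a stray `a` after the opening brace; bash parses `{a` as an ordinary word rather than a brace group, so the function definition is a syntax error and the whole 5.1.7 script fails to load, meaning neither its audit nor its apply can run on any OS. It must be `apply_redhat () {`. As in the sibling scripts, the unsupported-OS `else` of `apply` should also set `FNRET=44` after the `crit` to match `audit`, and a blank line is missing between the closing `}` of `apply` and `# This function will check config parameters required`.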