diff --git a/bin/hardening.sh b/bin/hardening.sh
index 6635e1f..31e5190 100755
--- a/bin/hardening.sh
+++ b/bin/hardening.sh
@@ -25,6 +25,7 @@ SET_HARDENING_LEVEL=0
 SUDO_MODE=''
 INIT_G_CONFIG=0
 FINAL_G_CONFIG=0
+DONT_BY_UID_G_CONFIG=127
 usage() {
 cat << EOF
@@ -90,6 +91,10 @@ $LONG_SCRIPT_NAME [OPTIONS], where RUN_MODE is one of:
 password strength and robustness;
 2. Aide reinitializes.
+ --dont-auditd-by-uid
+ Auditd rules do not use uid parameter, for all user to auditd. If set 1 will not use uid, else if
+ set 0 will use uid.
+
 OPTIONS:
 --only
@@ -158,6 +163,10 @@ while [[ $# > 0 ]]; do
 --final)
 FINAL_G_CONFIG=1
 ;;
+ --dont-auditd-by-uid)
+ DONT_BY_UID_G_CONFIG="$2"
+ shift
+ ;;
 *)
 usage
 ;;
@@ -175,11 +184,25 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 exit 128
 fi
+# For --dont-auditd-by-uid
+if [ $DONT_BY_UID_G_CONFIG -ne 127 ]; then
+ if [ $DONT_BY_UID_G_CONFIG -eq 1 ]; then
+ echo "Set dont use uid for auditd rules"
+ sed -i 's/^DONT_AUDITD_BY_UID=.*/DONT_AUDITD_BY_UID=1/g' $CIS_ROOT_DIR/etc/hardening.cfg
+ else
+ echo "Set use uid for auditd rules"
+ sed -i 's/^DONT_AUDITD_BY_UID=.*/DONT_AUDITD_BY_UID=0/g' $CIS_ROOT_DIR/etc/hardening.cfg
+ fi
+ exit 0
+fi
+
 [ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
 [ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
 [ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
 [ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
+
+
 # For --init
 if [ $INIT_G_CONFIG -eq 1 ]; then
 if [ -r /etc/redhat-release ]; then
diff --git a/bin/hardening/8.1.32_record_ufw_of_debian_like.sh b/bin/hardening/8.1.32_record_ufw_of_debian_like.sh
new file mode 100755
index 0000000..2317fb2
--- /dev/null
+++ b/bin/hardening/8.1.32_record_ufw_of_debian_like.sh
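Review bot: `DONT_BY_UID_G_CONFIG="$2"` in the new `--dont-auditd-by-uid)` arm accepts any string, so a missing or non-numeric argument makes the later `[ $DONT_BY_UID_G_CONFIG -ne 127 ]` test print an error and skip the block, while any integer other than 1 (say 2) is written to the config as 0 without complaint. Validate at the parse site, `case "$2" in 0|1) DONT_BY_UID_G_CONFIG=$2 ;; *) usage ;; esac`, which also lets the 127 sentinel become an empty default tested with `[ -n "$DONT_BY_UID_G_CONFIG" ]`. The two `sed -i` calls in the last hunk pass `$CIS_ROOT_DIR/etc/hardening.cfg` unquoted and are a silent no-op when that file has no `DONT_AUDITD_BY_UID=` line (a hardening.cfg from before this commit), so guard them with `grep -q '^DONT_AUDITD_BY_UID=' "$CIS_ROOT_DIR/etc/hardening.cfg" || { echo "DONT_AUDITD_BY_UID not found in hardening.cfg" >&2; exit 1; }`. Because that branch ends in `exit 0` before the libraries are sourced and before the `# For --init` block, combining the flag with `--init` or `--final` drops the other action; the usage text should say the option is standalone.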
@@ -0,0 +1,101 @@
+#!/bin/bash
+
+#
+# harbian-audit for Debian GNU/Linux 7/8/9/10 Hardening
+#
+
+# This script only support Debian-like desktop, So set to x11 service list
+# 8.1.32 Collect ufw related items (Scored)
+# Add by Author : Samson wen, Samson
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=4
+HARDENING_EXCEPTION=x11
+
+# Find all files with setuid or setgid set
+AUDIT_PARAMS='-a always,exit -F dir=/etc/ufw/ -F perm=wa -k ufw_config_file_chg
+-a always,exit -F path=/etc/default/ufw -F perm=wa -k ufw_config_file_chg
+-a always,exit -F path=/usr/sbin/ufw -F perm=wax -k ufw_command_wax
+'
+FILE='/etc/audit/rules.d/audit.rules'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ if [ $ISEXCEPTION -eq 1 ]; then
+ warn "Exception is set to 1, so it's pass!"
+ else
+ # define custom IFS and save default one
+ d_IFS=$IFS
+ c_IFS=$'\n'
+ IFS=$c_IFS
+ for AUDIT_VALUE in $AUDIT_PARAMS; do
+ debug "$AUDIT_VALUE should be in file $FILE"
+ IFS=$d_IFS
+ RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
+ does_valid_pattern_exist_in_file $FILE "$RESULT"
+ IFS=$c_IFS
+ if [ $FNRET != 0 ]; then
+ crit "$RESULT is not in file $FILE"
+ else
+ ok "$RESULT is present in $FILE"
+ fi
+ done
+ IFS=$d_IFS
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ if [ $ISEXCEPTION -eq 1 ]; then
+ warn "Exception is set to 1, so it's pass!"
+ else
+ IFS=$'\n'
+ for AUDIT_VALUE in $AUDIT_PARAMS; do
+ debug "$AUDIT_VALUE should be in file $FILE"
+ RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
+ does_valid_pattern_exist_in_file $FILE "$RESULT"
+ if [ $FNRET != 0 ]; then
+ warn "$AUDIT_VALUE is not in file $FILE, adding it"
+ add_end_of_file $FILE $AUDIT_VALUE
+ check_auditd_is_immutable_mode
+ else
+ ok "$AUDIT_VALUE is present in $FILE"
+ fi
+ done
+ fi
+}
+
+# This function will create the config file for this check with default values
+create_config() {
+cat < +# +
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=4
+
+AUDIT_PARAMS='-a always,exit -F path=/sbin/iptables-restore -F perm=x -k iptables_restore_exec
+-a always,exit -F path=/sbin/ip6tables-restore -F perm=x -k iptables_restore_exec'
+
+FILE='/etc/audit/rules.d/audit.rules'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ # define custom IFS and save default one
+ d_IFS=$IFS
+ c_IFS=$'\n'
+ IFS=$c_IFS
+ for AUDIT_VALUE in $AUDIT_PARAMS; do
+ debug "$AUDIT_VALUE should be in file $FILE"
+ IFS=$d_IFS
+ RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
+ does_valid_pattern_exist_in_file $FILE "$RESULT"
+ IFS=$c_IFS
+ if [ $FNRET != 0 ]; then
+ crit "$RESULT is not in file $FILE"
+ else
+ ok "$RESULT is present in $FILE"
+ fi
+ done
+ IFS=$d_IFS
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ IFS=$'\n'
+ for AUDIT_VALUE in $AUDIT_PARAMS; do
+ debug "$AUDIT_VALUE should be in file $FILE"
+ RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
+ does_valid_pattern_exist_in_file $FILE "$RESULT"
+ if [ $FNRET != 0 ]; then
+ warn "$AUDIT_VALUE is not in file $FILE, adding it"
+ add_end_of_file $FILE $AUDIT_VALUE
+ check_auditd_is_immutable_mode
+ else
+ ok "$AUDIT_VALUE is present in $FILE"
+ fi
+ done
+}
+
+# This function will check 
config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+ . $CIS_ROOT_DIR/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/8.1.34_record_file_transfer_related.sh b/bin/hardening/8.1.34_record_file_transfer_related.sh
new file mode 100755
index 0000000..996ecc2
--- /dev/null
+++ b/bin/hardening/8.1.34_record_file_transfer_related.sh
@@ -0,0 +1,84 @@
+#!/bin/bash
+
+#
+# harbian-audit for Debian GNU/Linux 9/10 Hardening
+#
+
+#
+# 8.1.34 Collect file transfer related items (Scored)
+# Add by Author : Samson wen, Samson
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=4
+
+AUDIT_PARAMS='-a always,exit -F path=/usr/bin/scp -F perm=x -k file_transfer_exec
+-a always,exit -F path=/usr/bin/wget -F perm=x -k file_transfer_exec
+-a always,exit -F path=/usr/bin/sftp -F perm=x -k file_transfer_exec
+-a always,exit -F path=/usr/bin/curl -F perm=x -k file_transfer_exec'
+
+FILE='/etc/audit/rules.d/audit.rules'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ echo "DONT_AUDITD_BY_UID $DONT_AUDITD_BY_UID"
+ # define custom IFS and save default one
+ d_IFS=$IFS
+ c_IFS=$'\n'
+ IFS=$c_IFS
+ for AUDIT_VALUE in $AUDIT_PARAMS; do
+ debug "$AUDIT_VALUE should be in file $FILE"
+ IFS=$d_IFS
+ RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
+ does_valid_pattern_exist_in_file $FILE "$RESULT"
+ IFS=$c_IFS
+ if [ $FNRET != 0 ]; then
+ crit "$RESULT is not in file $FILE"
+ else
+ ok "$RESULT is present in $FILE"
+ fi
+ done
+ IFS=$d_IFS
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ IFS=$'\n'
+ for AUDIT_VALUE in $AUDIT_PARAMS; do
+ debug "$AUDIT_VALUE should be in file $FILE"
+ RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
+ does_valid_pattern_exist_in_file $FILE "$RESULT"
+ if [ $FNRET != 0 ]; then
+ warn "$AUDIT_VALUE is not in file $FILE, adding it"
+ add_end_of_file $FILE $AUDIT_VALUE
+ check_auditd_is_immutable_mode
+ else
+ ok "$AUDIT_VALUE is present in $FILE"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ . 
/etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+ . $CIS_ROOT_DIR/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/8.1.32_freeze_auditd_conf.sh b/bin/hardening/8.1.35_freeze_auditd_conf.sh
similarity index 97%
rename from bin/hardening/8.1.32_freeze_auditd_conf.sh
rename to bin/hardening/8.1.35_freeze_auditd_conf.sh
index 7e06b5f..803f014 100755
--- a/bin/hardening/8.1.32_freeze_auditd_conf.sh
+++ b/bin/hardening/8.1.35_freeze_auditd_conf.sh
@@ -5,7 +5,7 @@ # #
-# 8.1.18 Make the Audit Configuration Immutable (Scored)
+# 8.1.35 Make the Audit Configuration Immutable (Scored)
 # Modify by: Samson-W (sccxboy@gmail.com)
 #
diff --git a/etc/hardening.cfg b/etc/hardening.cfg
index d77f231..3a3c1f0 100644
--- a/etc/hardening.cfg
+++ b/etc/hardening.cfg
@@ -7,3 +7,8 @@ LOGLEVEL=info
 # Backup directory, every file modified by hardening will be backuped here, with versionning
 # Means that if a file is modified more than once during the process, you will have hardening step diffs in the folder
 BACKUPDIR="$CIS_ROOT_DIR/tmp/backups"
+
+# If set to 1, Don't use uid in auditd rules, all of the users will record to auditd log
+# If set to 0, use uid in auditd rules
+DONT_AUDITD_BY_UID=0
+
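Review bot: `echo "DONT_AUDITD_BY_UID $DONT_AUDITD_BY_UID"` at the top of `audit()` in 8.1.34_record_file_transfer_related.sh is the only place this file touches the new flag, and none of the AUDIT_PARAMS rules carry an auid field, so the flag changes nothing about what is recorded while the echo goes to stdout on every audit run and, with `set -u` in force, aborts the script if the sourced config does not define the key; drop it or make it `debug "DONT_AUDITD_BY_UID=${DONT_AUDITD_BY_UID:-unset}"`. The `RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')` step reduces each rule to its path (`/usr/bin/curl` and so on), so `does_valid_pattern_exist_in_file` — presumably a pattern match — is satisfied by any line mentioning that path, and a rule with a different perm or key passes audit even though apply() writes the full `$AUDIT_VALUE`; checking `"$AUDIT_VALUE"` itself would make the two modes agree, and the same extraction appears in 8.1.32_record_ufw_of_debian_like.sh and in the iptables-restore sibling whose file header is cut off in this view. apply() also sets `IFS=$'\n'` and never restores it, unlike audit(), so the altered IFS leaks into whatever main.sh runs afterwards.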