From 3759e22078edfb31eda45569dfe0f95d8c5f658a Mon Sep 17 00:00:00 2001 From: Samson-W Date: Fri, 16 Nov 2018 02:43:08 +0800 Subject: [PATCH] Add audit and apply methods for 1.1~1.3 --- bin/hardening/1.1_install_updates.sh | 2 +- ...le_verify_sign_packages_from_repository.sh | 65 +++++++++++++++++++ ....3_enable_verify_sign_of_local_packages.sh | 63 ++++++++++++++++++ 3 files changed, 129 insertions(+), 1 deletion(-) create mode 100755 bin/hardening/1.2_enable_verify_sign_packages_from_repository.sh create mode 100755 bin/hardening/1.3_enable_verify_sign_of_local_packages.sh diff --git a/bin/hardening/1.1_install_updates.sh b/bin/hardening/1.1_install_updates.sh index dc9fb88..e1f1165 100755 --- a/bin/hardening/1.1_install_updates.sh +++ b/bin/hardening/1.1_install_updates.sh @@ -5,7 +5,7 @@ # # -# 1.1 Install Updates, Patches and Additional Security Software (Not Scored) +# 1.1 Install Updates, Patches and Additional Security Software (Scored) # set -e # One error, it's over diff --git a/bin/hardening/1.2_enable_verify_sign_packages_from_repository.sh b/bin/hardening/1.2_enable_verify_sign_packages_from_repository.sh new file mode 100755 index 0000000..8e1a3ec --- /dev/null +++ b/bin/hardening/1.2_enable_verify_sign_packages_from_repository.sh 
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+#
+# harbian audit Debian 9 Hardening
+#
+
+#
+# 1.2 Enable Option for signature of packages from a repository (Scored)
+# Authors : Samson wen, Samson
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=2
+OPTION='AllowUnauthenticated'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ if [ $(grep -v "^#" /etc/apt/ -r | grep -c "${OPTION}.*true") -gt 0 ]; then
+ crit "The signature of packages option is disable "
+ FNRET=1
+ else
+ ok "The signature of packages option is enable "
+ FNRET=0
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ if [ $FNRET = 0 ]; then
+ ok "The signature of packages option is enable "
+ else
+ warn "Set to enabled signature of packages option"
+ for CONFFILE in $(grep -i "${OPTION}" /etc/apt/ -r | grep -v "^#" | awk -F: '{print $1}')
+ do
+ sed -i "/${OPTION}/d" ${CONFFILE}
+ #sed -i "s/${OPTION}.*true.*/${OPTION} \"false\";/g" ${CONFFILE}
+ done
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ # No parameters for this function
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+ . $CIS_ROOT_DIR/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
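Review bot: The `grep -v "^#"` in audit() (and again in apply()) never drops commented-out lines, because `grep -r` prefixes every match with `path:`, so a commented `# APT::Get::AllowUnauthenticated "true";` is reported as critical and then deleted by the `sed -i "/${OPTION}/d"` loop; filter on the prefixed form instead, e.g. `grep -rih -- "${OPTION}" /etc/apt/ | grep -v '^[[:space:]]*#' | grep -ci '"\?\(true\|yes\)'` for the audit and `grep -v ':[[:space:]]*#'` in apply() where the file name is still needed. The audit is also case-sensitive while apply() uses `-i`, and as far as I recall apt treats both option names and boolean values case-insensitively, so a `allowunauthenticated "True"` line passes the audit yet is the very thing apply() would edit. Deleting every line that mentions the option also wipes an explicit `"false"` setting, which is harmless for apt's default but leaves nothing for a later auditor to see; rewriting the value with the substitution already left commented out on the next line (plus the `I` flag) keeps the operator's intent visible. Finally, `AllowUnauthenticated` is not the only way to bypass signature checks on this apt release — `Acquire::AllowInsecureRepositories "true"` and `[trusted=yes]` entries in sources.list have the same effect and are not covered here — so either extend the audit or state the gap in the header comment.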
diff --git a/bin/hardening/1.3_enable_verify_sign_of_local_packages.sh b/bin/hardening/1.3_enable_verify_sign_of_local_packages.sh new file mode 100755 index 0000000..55ad84f --- /dev/null +++ b/bin/hardening/1.3_enable_verify_sign_of_local_packages.sh 
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+#
+# harbian audit Debian 9 Hardening
+#
+
+#
+# 1.3 Enable verify the signature of local packages (Scored)
+# Authors : Samson wen, Samson
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=2
+OPTION='no-debsig'
+CONFFILE='/etc/dpkg/dpkg.cfg'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ if [ $(grep -v "^#" ${CONFFILE} | grep -c ${OPTION}) -gt 0 ]; then
+ crit "The signature of local packages option is disable "
+ FNRET=1
+ else
+ ok "The signature of local packages option is enable "
+ FNRET=0
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ if [ $FNRET = 0 ]; then
+ ok "The signature of local packages option is enable "
+ else
+ warn "Set to enabled signature of local packages option"
+ sed -i "/^${OPTION}/d" ${CONFFILE}
+ #sed -i "s/${OPTION}.*true.*/${OPTION} \"false\";/g" ${CONFFILE}
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ # No parameters for this function
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+ . $CIS_ROOT_DIR/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
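Review bot: audit() and apply() disagree on what a `no-debsig` line looks like: the audit counts any non-`#` line containing the word anywhere, while apply() only deletes lines that begin with it (`/^${OPTION}/d`), so an indented `  no-debsig` is flagged as critical on every run and never fixed; anchor both the same way, `grep -v '^[[:space:]]*#' ${CONFFILE} | grep -c "^[[:space:]]*${OPTION}"` and `sed -i "/^[[:space:]]*${OPTION}/d" ${CONFFILE}`. dpkg also reads drop-ins under `/etc/dpkg/dpkg.cfg.d/`, so a `no-debsig` placed there is invisible to this check and the control is reported as passing; auditing `${CONFFILE} /etc/dpkg/dpkg.cfg.d/*` with `grep -hs` and documenting that apply() edits only the main file would close that. As far as I recall Debian ships `no-debsig` in the default dpkg.cfg precisely because the archive carries no embedded package signatures, and once it is removed dpkg runs debsig-verify when that tool is installed, rejecting every package if no policies exist under /etc/debsig/; the header comment should state that prerequisite, and apply() could refuse to edit when `command -v debsig-verify` succeeds but /etc/debsig/policies is empty. The commented `#sed -i "s/${OPTION}.*true.*/..."` line is copied from the apt script and does not match dpkg.cfg syntax; drop it.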