Merge pull request #12 from hardenedlinux/master

Pull from master to harbian-audit-deepin
Samson.W 2019-11-15 01:15:57 +08:00 committed by GitHub
commit 3f9fef44b9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
43 changed files with 801 additions and 517 deletions


@ -151,24 +151,41 @@ EXCEPTIONS=""
4) 设置基本的iptables防火墙规则
根据实现场景进行防火墙规则的配置可参考HardenedLinux社区归纳的基于Debian GNU/Linux的防火墙规则的基本规则
[etc.iptables.rules.v4.sh](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/etc.iptables.rules.v4.sh)
执行如下的命令进行部署:
基于iptables的部署:
```
$ INTERFACENAME="your network interfacename(Example eth0)"
$ sed -i "s/PUB_IFS=.*/PUB_IFS=\"$INTERFACENAME\"/g" docs/configurations/etc.iptables.rules.v4.sh
$ sudo bash docs/configurations/etc.iptables.rules.v4.sh
$ sudo bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME
$ sudo -s
# iptables-save > /etc/iptables/rules.v4
# ip6tables-save > /etc/iptables/rules.v6
```
5) 使用passwd命令改变所有用户的密码以满足pam_cracklib模块配置的密码复杂度及健壮性。
基于nft的部署
按照以下命令修改nftables.conf(你的对外网口的名称例如eth0):
```
$ sed -i 's/^define int_if = ens33/define int_if = eth0/g' etc.nftables.conf
$ sudo nft -f ./etc.nftables.conf
```
5) 当所有安全基线项都修复完成后,使用--final方法将完成以下的最终的工作
1.使用passwd命令去重新设置常规用户及root用户的密码以满足pam_cracklib模块配置的密码强度和健壮性。
2. 重新初始化aide工具的数据库。
```
$ sudo bin/hardening.sh --final
```
## 特别注意
一些检查项需要依赖多次修复,且操作系统需要多次重启。需要进行两次修复的项有:
### 必须在第一次修复应用后进行修复的项
8.1.32 因为此项一旦设置,审计规则将不能够再进行添加。
### 必须在所有项都修复应用后进行修复的项
8.4.1 8.4.2 这都是与aide检测文件完整性相关的项最好是在所有项都修复好后再进行修复以修复好的系统中的文件进行完整性的数据库的初始化。
### 一些检查项需要依赖多次修复,且操作系统需要多次重启
#### 需要进行两次修复的项
8.1.1.2
8.1.1.3
8.1.12
需要修复3次的项
4.5
## 玩(如何添加检查项)
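Review bot: the new '特别注意' block is structurally inconsistent: the sentence '一些检查项需要依赖多次修复,且操作系统需要多次重启。需要进行两次修复的项有:' announces the twice-applied list but is followed by '### 必须在第一次修复应用后进行修复的项' (8.1.32) and '### 必须在所有项都修复应用后进行修复的项' (8.4.1, 8.4.2), and the same sentence is then repeated as a third '###' heading under which the twice-applied items actually appear; drop '需要进行两次修复的项有:' from the first sentence and give '需要修复3次的项' the same '####' level as '#### 需要进行两次修复的项'. In the nftables step, `sed -i 's/^define int_if = ens33/define int_if = eth0/g' etc.nftables.conf` hardcodes `eth0` where the iptables step directly above takes the interface from `$INTERFACENAME`; reuse the variable so both firewall paths configure the same interface, and make the file location explicit, since the iptables script is addressed as `docs/configurations/...` while `etc.nftables.conf` is addressed relative to the current directory.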
@ -219,15 +236,15 @@ This document is a description of the additions to the sections not included in
The HardenedLinux community has created public AMI images for three different regions.
Destination region: US East(Ohio)
AMI ID: ami-0459b7f679f8941a4
AMI ID: ami-091d37e9d358aaa84
AMI Name: harbian-audit complianced for Debian GNU/Linux 9
Destination region: EU(Frankfurt)
AMI ID: ami-022f30970530a0c5b
AMI ID: ami-073725a8c2cf45418
AMI Name: harbian-audit complianced for Debian GNU/Linux 9
Destination region: Asia Pacific(Tokyo)
AMI ID: ami-003de0c48c2711265
AMI ID: ami-06c0adb6ee5e7d417
AMI Name: harbian-audit complianced for Debian GNU/Linux 9
#### 相关文档
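Review bot: the three AMI IDs are replaced but neither the hunk nor the commit message records which harbian-audit revision or build date the new images contain, and the name line 'harbian-audit complianced for Debian GNU/Linux 9' is identical for old and new; add a date or release tag next to each ID (or in the commit message) so a reader can tell which image matches which state of the repository.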


@ -169,8 +169,7 @@ Set the corresponding firewall rules according to the applications used. Hardene
to do the following:
```
$ INTERFACENAME="your network interfacename(Example eth0)"
$ sed -i "s/PUB_IFS=.*/PUB_IFS=\"$INTERFACENAME\"/g" docs/configurations/etc.iptables.rules.v4.sh
$ sudo bash docs/configurations/etc.iptables.rules.v4.sh
$ sudo bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME
$ sudo -s
# iptables-save > /etc/iptables/rules.v4
# ip6tables-save > /etc/iptables/rules.v6
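Review bot: `etc.iptables.rules.v4.sh` now receives `$INTERFACENAME` as a positional argument instead of being patched with `sed`, but the value set two lines earlier is the literal placeholder `your network interfacename(Example eth0)`; anyone pasting the block unchanged passes that string straight to the script, and unlike the old `sed` edit nothing stays behind in the file to show what was applied. State explicitly that the value must be replaced, and have the script refuse an argument that is not an existing interface (`ip link show "$1" >/dev/null || exit 1`) before it generates and saves rules, since a rule set bound to a non-existent interface can leave the real interface without the intended rules.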
@ -183,18 +182,28 @@ to do the following(your network interfacename(Example eth0)):
$ sed -i 's/^define int_if = ens33/define int_if = eth0/g' etc.nftables.conf
$ sudo nft -f ./etc.nftables.conf
```
5) Use the passwd command to change the passwords of all users, and change the password to a secure and reliable password entry with the same password complexity set by the pam_cracklib module.
5) When all repairs are completed. --final method will:
1. Use passwd command to change the password of the regular and root user to apply the password complexity and robustness of the pam_cracklib module configuration.
2. Aide reinitializes.
```
$ sudo bin/hardening.sh --final
```
## Special Note
Some check items check a variety of situations and are interdependent, they must be applied (fix) multiple times, and the OS must be a reboot after each applies (fix).
Items that need to be fix twice:
### Items that must be applied after the first application(reboot after is better)
8.1.32 Because this item is set, the audit rules will not be added.
### Items that must be applied after all application is ok
8.4.1
8.4.2
These are all related to the aide. It is best to fix all the items after they have been fixed to fix the integrity of the database in the system.
### Items that need to be fix twice
8.1.1.2
8.1.1.3
8.1.12
Items that need to be fix three times:
4.5
## Hacking
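Review bot: 'Items that need to be fix twice:' sits directly above '### Items that must be applied after the first application(reboot after is better)', so it introduces the wrong list; 8.1.1.2, 8.1.1.3 and 8.1.12 only appear later under the separate '### Items that need to be fix twice' heading. Delete the stray line, fix 'need to be fix' to 'need to be fixed' in both places, and give 'Items that need to be fix three times:' a heading of the same level. The 8.1.32 explanation should state the cause the Chinese README gives: once 8.1.32 is applied no further audit rules can be added, so it must be applied after the other audit items and followed by a reboot. 'These are all related to the aide. It is best to fix all the items after they have been fixed to fix the integrity of the database in the system.' would read clearer as: 8.4.1 and 8.4.2 initialise the AIDE integrity database, so they must run last so that the baseline reflects the hardened system.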
@ -249,15 +258,15 @@ This document is a description of the additions to the sections not included in
The HardenedLinux community has created public AMI images for three different regions.
Destination region: US East(Ohio)
AMI ID: ami-0459b7f679f8941a4
AMI ID: ami-091d37e9d358aaa84
AMI Name: harbian-audit complianced for Debian GNU/Linux 9
Destination region: EU(Frankfurt)
AMI ID: ami-022f30970530a0c5b
AMI ID: ami-073725a8c2cf45418
AMI Name: harbian-audit complianced for Debian GNU/Linux 9
Destination region: Asia Pacific(Tokyo)
AMI ID: ami-003de0c48c2711265
AMI ID: ami-06c0adb6ee5e7d417
AMI Name: harbian-audit complianced for Debian GNU/Linux 9
#### Docs
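Review bot: same AMI ID replacement as in the Chinese README above, and the same request applies: record a build date or release tag beside the IDs, and consider keeping both lists generated from one source so a future update cannot leave one of them stale.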


@ -24,6 +24,7 @@ ALLOW_SERVICE_LIST=0
SET_HARDENING_LEVEL=0
SUDO_MODE=''
INIT_G_CONFIG=0
FINAL_G_CONFIG=0
usage() {
cat << EOF
@ -32,11 +33,11 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
--help -h
Show this help
--init
Initialize the global configuration file(/etc/default/cis-hardening) based
on the release version number.
--init
Initialize the global configuration file(/etc/default/cis-hardening) based
on the release version number.
--apply
--apply
Apply hardening for enabled scripts.
Beware that NO confirmation is asked whatsoever, which is why you're warmly
advised to use --audit before, which can be regarded as a dry-run mode.
@ -81,7 +82,13 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
as http, mail, etc. Can be specified multiple times to allow multiple services.
Use --allow-service-list to get a list of supported services.
Example:
bin/hardening.sh --set-hardening-level 5 --allow-service dns,http
bin/hardening.sh --set-hardening-level 5 --allow-service dns,http
--final
The final action that needs to be done when all repairs are completed. The action items are:
1. Use passwd to change the password of the regular and root user to update the user
password strength and robustness;
2. Aide reinitializes.
OPTIONS:
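Review bot: the `--final` help should say that the action is interactive (it asks `(y/N)` for each account before running `passwd`) and must be run as root, since `passwd <user>` for another account and the AIDE re-initialisation both fail otherwise; the implementation further down ends in an unconditional `exit 0`, so this text is the only place a user learns that. 'Aide reinitializes.' should also say that the current filesystem state becomes the new baseline, which is only safe on a host believed to be clean, and that on RedHat the previous `aide.db.gz` is replaced. Minor: 'the password of the regular and root user' should be 'the passwords of regular users and root'.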
@ -148,6 +155,9 @@ while [[ $# > 0 ]]; do
--init)
INIT_G_CONFIG=1
;;
--final)
FINAL_G_CONFIG=1
;;
*)
usage
;;
@ -170,6 +180,7 @@ fi
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
# For --init
if [ $INIT_G_CONFIG -eq 1 ]; then
if [ -r /etc/redhat-release ]; then
info "This OS is redhat/CentOS."
@ -194,6 +205,36 @@ else
exit 128
fi
# For --final
if [ $FINAL_G_CONFIG -eq 1 ]; then
# Reset passwd for regular and root user
USERSNAME=$(cat /etc/passwd | awk -F':' '{if($3>=1000 && $3<65534) {print $1}}')
for USER in $USERSNAME; do
RESETCONTIN="n"
read -p "Will password of $USER be reset, are you sure to continue?(y/N)" RESETCONTIN
if [ "$RESETCONTIN" == "y" ]; then
passwd $USER
else
continue
fi
done
RESETCONTIN="n"
read -p "Will password of root be reset, are you sure to continue?(y/N)" RESETCONTIN
if [ "$RESETCONTIN" == "y" ]; then
passwd
fi
# Reinit aide database
info "Will reinitialize the AIDE database"
if [ $OS_RELEASE -eq 1 ]; then
aideinit
elif [ $OS_RELEASE -eq 2 ]; then
aide --init
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
fi
exit 0
fi
# If --allow-service-list is specified, don't run anything, just list the supported services
if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then
declare -a HARDENING_EXCEPTIONS_LIST
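Review bot: the `--final` block has no privilege check and no error handling. `passwd $USER` for another account and `aide --init` / `aideinit` require root, yet nothing tests `id -u` or uses `$SUDO_CMD` as the other scripts do, and the block ends in an unconditional `exit 0`, so a failed `passwd`, a failed `aide --init` and (on RedHat) the following `mv` all report success. Suggest `[ "$(id -u)" -eq 0 ] || { crit "--final must run as root"; exit 1; }` first, and `aide --init && mv ...` with a `crit` on failure. Smaller points: the prompts advertise `(y/N)` but only lowercase `y` is accepted (use `[[ "$RESETCONTIN" =~ ^[yY]$ ]]`); `cat /etc/passwd | awk ...` can be `awk -F':' '...' /etc/passwd`, and it selects every UID from 1000 to 65533, which prompts for service accounts in that range as well; `passwd $USER` should be quoted; and on RedHat `mv` replaces `/var/lib/aide/aide.db.gz` without keeping the old baseline, so keep a dated copy and log the action, because re-initialisation accepts whatever is on disk now as known-good.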


@ -16,7 +16,10 @@ HARDENING_LEVEL=2
# Quick factoring as many script use the same logic
PARTITION="/tmp"
TMPMOUNTNAME="tmp.mount"
SERVICENAME="tmp.mount"
SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount"
REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount"
# This function will be called if the script status is on enabled / audit mode
audit () {
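Review bot: `TMPMOUNTNAME="tmp.mount"` survives next to the new `SERVICENAME="tmp.mount"` with the same value, and the audit and apply hunks below move every use to `$SERVICENAME`; delete `TMPMOUNTNAME` so the two cannot drift. The near-identical names `SERVICEPATH_DEBIAN` (the packaged template under `/usr/share/systemd`) and `DEBIAN_SERVICEPATH` (the installed unit under `/lib/systemd/system`) are easy to confuse, which is exactly what happens in the apply() error message below; a comment on each, or names like `TMP_UNIT_TEMPLATE_DEBIAN` / `TMP_UNIT_DEBIAN`, would help.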
@ -36,19 +39,12 @@ audit () {
fi
else
warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service"
if [ $(systemctl | grep -c "tmp.mount[[:space:]]*loaded[[:space:]]active[[:space:]]mounted") -eq 1 ]; then
ok "$TMPMOUNTNAME service is active!"
is_mounted "$PARTITION"
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted"
FNRET=3
else
ok "$PARTITION is mounted"
FNRET=0
fi
is_service_active $SERVICENAME
if [ $FNRET -eq 0 ]; then
ok "$SERVICENAME service is active!"
else
crit "$TMPMOUNTNAME service is not active!"
FNRET=4
crit "$SERVICENAME service is inactive!"
FNRET=3
fi
fi
}
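Review bot: the `is_mounted` result is discarded. `is_mounted "$PARTITION"` sets `FNRET=3` (not mounted) or `FNRET=0`, but the next call `is_service_active $SERVICENAME` overwrites `FNRET` before `if [ $FNRET -eq 0 ]` is evaluated, so the final result only reflects the unit state: a host where `tmp.mount` is active while `/tmp` is not actually mounted is reported `ok` and apply() does nothing. Save the mount result first (`is_mounted "$PARTITION"; MOUNTED=$FNRET`) and set `FNRET=0` only when both checks pass. Folding the old `FNRET=4` (unit inactive) case into `FNRET=3` is fine given that apply() now always enables before starting.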
@ -63,12 +59,30 @@ apply () {
warn "mounting $PARTITION"
mount $PARTITION
elif [ $FNRET = 3 ]; then
$SUDO_CMD systemctl daemon-reload
$SUDO_CMD systemctl start "$TMPMOUNTNAME"
elif [ $FNRET = 4 ]; then
$SUDO_CMD systemctl enable "$TMPMOUNTNAME"
$SUDO_CMD systemctl daemon-reload
$SUDO_CMD systemctl start "$TMPMOUNTNAME"
if [ $OS_RELEASE -eq 1 ]; then
if [ -e $DEBIAN_SERVICEPATH ]; then
$SUDO_CMD systemctl enable "$SERVICENAME"
$SUDO_CMD systemctl daemon-reload
$SUDO_CMD systemctl start "$SERVICENAME"
else
if [ -e $SERVICEPATH_DEBIAN ]; then
cp $SERVICEPATH_DEBIAN $DEBIAN_SERVICEPATH
$SUDO_CMD systemctl enable "$SERVICENAME"
$SUDO_CMD systemctl daemon-reload
$SUDO_CMD systemctl start "$SERVICENAME"
else
crit "System unit file $DEBIAN_SERVICEPATH is not exist!"
fi
fi
elif [ $OS_RELEASE -eq 2 ]; then
if [ -e $REDHAT_SERVICEPATH ]; then
$SUDO_CMD systemctl enable "$SERVICENAME"
$SUDO_CMD systemctl daemon-reload
$SUDO_CMD systemctl start "$SERVICENAME"
else
crit "System unit file $REDHAT_SERVICEPATH is not exist!"
fi
fi
fi
}
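Review bot: the Debian fallback reports the wrong missing file: when neither the installed unit nor the template exists, `crit "System unit file $DEBIAN_SERVICEPATH is not exist!"` prints `/lib/systemd/system/tmp.mount`, but the path that was just tested with `-e` and not found is `$SERVICEPATH_DEBIAN` (`/usr/share/systemd/tmp.mount`). In the same branch, `cp $SERVICEPATH_DEBIAN $DEBIAN_SERVICEPATH` writes into `/lib/systemd/system` without the `$SUDO_CMD` prefix the surrounding `systemctl` calls carry, so in sudo mode the copy fails before the enable. The `enable` / `daemon-reload` / `start` triple is repeated three times and belongs in one small helper.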


@ -18,8 +18,9 @@ HARDENING_LEVEL=2
PARTITION="/tmp"
OPTION="nodev"
SERVICENAME="tmp.mount"
SERVICEPATH="/usr/share/systemd/tmp.mount"
SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount"
REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount"
# This function will be called if the script status is on enabled / audit mode
audit () {
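Review bot: `SERVICEPATH_DEBIAN` (the `/usr/share/systemd/tmp.mount` template) is introduced in place of `SERVICEPATH` but is not referenced by any of the remaining hunks of this file, which go through `UNITSERVICEPATH` set from `DEBIAN_SERVICEPATH` / `REDHAT_SERVICEPATH`; either drop it or use it in the 'Please apply 2.1 first!' hint. The `nosuid` and `noexec` scripts further down introduce the same unused variable.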
@ -46,43 +47,45 @@ audit () {
fi
else
warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service"
if [ -e $SERVICEPATH -o -e $REDHAT_SERVICEPATH ]; then
if [ $OS_RELEASE -eq 2 ]; then
has_mount_option_systemd $REDHAT_SERVICEPATH $OPTION
else
has_mount_option_systemd $SERVICEPATH $OPTION
fi
if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in systemd service!"
FNRET=3
else
ok "$PARTITION has $OPTION in systemd service"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
if [ $OS_RELEASE -eq 1 ]; then
UNITSERVICEPATH=$DEBIAN_SERVICEPATH
elif [ $OS_RELEASE -eq 2 ]; then
UNITSERVICEPATH=$REDHAT_SERVICEPATH
fi
if [ -e $UNITSERVICEPATH ]; then
has_mount_option_systemd $UNITSERVICEPATH $OPTION
if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in systemd service!"
FNRET=3
else
ok "$PARTITION has $OPTION in systemd service"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=5
else
ok "$PARTITION mounted with $OPTION"
FNRET=0
fi
fi
else
if [ $OS_RELEASE -eq 2 ]; then
crit "$REDHAT_SERVICEPATH is not exist!"
else
crit "$SERVICEPATH is not exist!"
fi
FNRET=2
fi
fi
else
crit "$UNITSERVICEPATH is not exist! Please apply 2.1 first!"
FNRET=2
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
UNITSERVICEPATH=$DEBIAN_SERVICEPATH
elif [ $OS_RELEASE -eq 2 ]; then
UNITSERVICEPATH=$REDHAT_SERVICEPATH
fi
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
crit "System unit $UNITSERVICEPATH is not exist! Please apply 2.1 first!"
elif [ $FNRET = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
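Review bot: `UNITSERVICEPATH` is assigned only when `OS_RELEASE` is 1 or 2; for any other value audit() reaches `if [ -e $UNITSERVICEPATH ]` with the variable unset, which aborts the script if `set -u` is enabled here as in the other scripts in this diff, and otherwise tests an empty string and falls into the `FNRET=2` branch with a misleading 'Please apply 2.1 first!' message; apply() has the same gap. Initialise `UNITSERVICEPATH=""` with the other variables and add an `else crit "Current OS is not support!"` arm like the ClamAV script in this commit. The OS-to-path selection is duplicated verbatim in audit() and apply(), and the whole systemd branch of audit() is now identical in the `nosuid` and `noexec` scripts; one helper in lib/utils.sh would replace six copies, which is what the 'Quick factoring as many script use the same logic' comment at the top of the sibling files already intends.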
@ -95,11 +98,7 @@ apply () {
fi
elif [ $FNRET = 3 ]; then
info "Adding $OPTION to systemd"
if [ $OS_RELEASE -eq 2 ]; then
add_option_to_systemd $REDHAT_SERVICEPATH $OPTION $SERVICENAME
else
add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME
fi
add_option_to_systemd $UNITSERVICEPATH $OPTION $SERVICENAME
remount_partition_by_systemd $SERVICENAME $PARTITION
elif [ $FNRET = 4 ]; then
info "Remounting $PARTITION from fstab"


@ -17,9 +17,10 @@ HARDENING_LEVEL=2
# Quick factoring as many script use the same logic
PARTITION="/tmp"
OPTION="nosuid"
SERVICEPATH="/usr/share/systemd/tmp.mount"
SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount"
SERVICENAME="tmp.mount"
REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount"
# This function will be called if the script status is on enabled / audit mode
audit () {
@ -45,44 +46,46 @@ audit () {
FNRET=1
fi
else
warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service"
if [ -e $SERVICEPATH -o -e $REDHAT_SERVICEPATH ]; then
if [ $OS_RELEASE -eq 2 ]; then
has_mount_option_systemd $REDHAT_SERVICEPATH $OPTION
warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service"
if [ $OS_RELEASE -eq 1 ]; then
UNITSERVICEPATH=$DEBIAN_SERVICEPATH
elif [ $OS_RELEASE -eq 2 ]; then
UNITSERVICEPATH=$REDHAT_SERVICEPATH
fi
if [ -e $UNITSERVICEPATH ]; then
has_mount_option_systemd $UNITSERVICEPATH $OPTION
if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in systemd service!"
FNRET=3
else
has_mount_option_systemd $SERVICEPATH $OPTION
ok "$PARTITION has $OPTION in systemd service"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=5
else
ok "$PARTITION mounted with $OPTION"
FNRET=0
fi
fi
if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in systemd service!"
FNRET=3
else
ok "$PARTITION has $OPTION in systemd service"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=5
else
ok "$PARTITION mounted with $OPTION"
FNRET=0
fi
fi
else
if [ $OS_RELEASE -eq 2 ]; then
crit "$REDHAT_SERVICEPATH is not exist!"
else
crit "$SERVICEPATH is not exist!"
fi
FNRET=2
fi
fi
else
crit "$UNITSERVICEPATH is not exist! Please apply 2.1 first!"
FNRET=2
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
UNITSERVICEPATH=$DEBIAN_SERVICEPATH
elif [ $OS_RELEASE -eq 2 ]; then
UNITSERVICEPATH=$REDHAT_SERVICEPATH
fi
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
crit "System unit $UNITSERVICEPATH is not exist! Please apply 2.1 first!"
elif [ $FNRET = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
@ -95,11 +98,7 @@ apply () {
fi
elif [ $FNRET = 3 ]; then
info "Adding $OPTION to systemd"
if [ $OS_RELEASE -eq 2 ]; then
add_option_to_systemd $REDHAT_SERVICEPATH $OPTION $SERVICENAME
else
add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME
fi
add_option_to_systemd $UNITSERVICEPATH $OPTION $SERVICENAME
remount_partition_by_systemd $SERVICENAME $PARTITION
elif [ $FNRET = 4 ]; then
info "Remounting $PARTITION from fstab"


@ -17,9 +17,10 @@ HARDENING_LEVEL=2
# Quick factoring as many script use the same logic
PARTITION="/tmp"
OPTION="noexec"
SERVICEPATH="/usr/share/systemd/tmp.mount"
SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount"
SERVICENAME="tmp.mount"
REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount"
# This function will be called if the script status is on enabled / audit mode
audit () {
@ -46,43 +47,45 @@ audit () {
fi
else
warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service"
if [ -e $SERVICEPATH -o -e $REDHAT_SERVICEPATH ]; then
if [ $OS_RELEASE -eq 2 ]; then
has_mount_option_systemd $REDHAT_SERVICEPATH $OPTION
if [ $OS_RELEASE -eq 1 ]; then
UNITSERVICEPATH=$DEBIAN_SERVICEPATH
elif [ $OS_RELEASE -eq 2 ]; then
UNITSERVICEPATH=$REDHAT_SERVICEPATH
fi
if [ -e $UNITSERVICEPATH ]; then
has_mount_option_systemd $UNITSERVICEPATH $OPTION
if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in systemd service!"
FNRET=3
else
has_mount_option_systemd $SERVICEPATH $OPTION
ok "$PARTITION has $OPTION in systemd service"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=5
else
ok "$PARTITION mounted with $OPTION"
FNRET=0
fi
fi
if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in systemd service!"
FNRET=3
else
ok "$PARTITION has $OPTION in systemd service"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=5
else
ok "$PARTITION mounted with $OPTION"
FNRET=0
fi
fi
else
if [ $OS_RELEASE -eq 2 ]; then
crit "$REDHAT_SERVICEPATH is not exist!"
else
crit "$SERVICEPATH is not exist!"
fi
FNRET=2
fi
fi
else
crit "$UNITSERVICEPATH is not exist! Please apply 2.1 first!"
FNRET=2
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
UNITSERVICEPATH=$DEBIAN_SERVICEPATH
elif [ $OS_RELEASE -eq 2 ]; then
UNITSERVICEPATH=$REDHAT_SERVICEPATH
fi
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
crit "System unit $UNITSERVICEPATH is not exist! Please apply 2.1 first!"
elif [ $FNRET = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
@ -95,11 +98,7 @@ apply () {
fi
elif [ $FNRET = 3 ]; then
info "Adding $OPTION to systemd"
if [ $OS_RELEASE -eq 2 ]; then
add_option_to_systemd $REDHAT_SERVICEPATH $OPTION $SERVICENAME
else
add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME
fi
add_option_to_systemd $UNITSERVICEPATH $OPTION $SERVICENAME
remount_partition_by_systemd $SERVICENAME $PARTITION
elif [ $FNRET = 4 ]; then
info "Remounting $PARTITION from fstab"


@ -17,31 +17,53 @@ VIRULSERVER='clamav-daemon'
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $(dpkg -l | grep -c $VIRULSERVER) -ge 1 ]; then
if [ $(systemctl | grep $VIRULSERVER | grep -c "active running") -ne 1 ]; then
crit "$VIRULSERVER is not runing"
FNRET=2
else
ok "$VIRULSERVER is enable"
FNRET=0
fi
else
crit "$VIRULSERVER is not installed"
FNRET=1
fi
if [ $OS_RELEASE -eq 1 ]; then
if [ $(dpkg -l | grep -c $VIRULSERVER) -ge 1 ]; then
if [ $(systemctl | grep $VIRULSERVER | grep -c "active running") -ne 1 ]; then
crit "$VIRULSERVER is not runing"
FNRET=2
else
ok "$VIRULSERVER is enable"
FNRET=0
fi
else
crit "$VIRULSERVER is not installed"
FNRET=1
fi
elif [ $OS_RELEASE -eq 2 ]; then
if [ $(rpm -qa | grep -c clamd) -ge 1 ]; then
ok "Clamav is installed"
else
crit "Clamav is not install"
fi
else
crit "Current OS is not support!"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$VIRULSERVER is enable"
elif [ $FNRET = 1 ]; then
warn "Install $VIRULSERVER"
apt-get install -y $VIRULSERVER
else
warn "Start server $VIRULSERVER"
systemctl start $VIRULSERVER
fi
if [ $OS_RELEASE -eq 1 ]; then
if [ $FNRET = 0 ]; then
ok "$VIRULSERVER is enable"
elif [ $FNRET = 1 ]; then
warn "Install $VIRULSERVER"
apt-get install -y $VIRULSERVER
else
warn "Start server $VIRULSERVER"
systemctl start $VIRULSERVER
fi
elif [ $OS_RELEASE -eq 2 ]; then
if [ $FNRET = 0 ]; then
ok "$VIRULSERVER is enable"
elif [ $FNRET = 1 ]; then
warn "Install $VIRULSERVER"
yum install -y $VIRULSERVER
else
warn "Start server $VIRULSERVER"
systemctl start $VIRULSERVER
fi
fi
}
# This function will check config parameters required
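Review bot: the RedHat arm of audit() never assigns `FNRET`: after `rpm -qa | grep -c clamd` it only prints ok/crit, so apply() branches on whatever `FNRET` held before (or an unbound variable if `set -u` is on), and it checks installation only, not that the daemon runs, unlike the Debian arm. Set `FNRET=0` / `FNRET=1` there and add the running check. There is also a package-name mismatch: the audit greps for `clamd`, but apply() runs `yum install -y $VIRULSERVER` and `systemctl start $VIRULSERVER` with `VIRULSERVER='clamav-daemon'`, the Debian package and unit name (the EPEL package is `clamd`, which is what the audit looks for). Use per-OS package and unit names, as the audit-rule scripts in this commit do with `*_DEBIAN` / `*_REDHAT` variables; the two apply arms then differ only in `apt-get` vs `yum` and can share one body.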


@ -13,51 +13,71 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=4
VIRULSERVER='clamav-daemon'
CLAMAVCONF_DIR='/etc/clamav/clamd.conf'
UPDATE_SERVER='clamav-freshclam'
audit_debian () {
UPDATE_DIR=$(grep -i databasedirectory "$CLAMAVCONF_DIR" | awk '{print $2}')
if [ -d $UPDATE_DIR -a -e $CLAMAVCONF_DIR ]; then
NOWTIME=$(date +"%s")
# This file extension name maybe change to .cvd or .cld
VIRUSTIME=$(stat -c "%Y" "$UPDATE_DIR"/daily.*)
INTERVALTIME=$((${NOWTIME}-${VIRUSTIME}))
if [ "${INTERVALTIME}" -ge 604800 ];then
crit "Clamav database file has a date older than seven days from the current date"
FNRET=3
else
ok "Clamav database file has a date less than seven days from the current date"
FNRET=0
fi
else
crit "Clamav config file or update dir is not exist"
FNRET=2
fi
}
# todo
audit_redhat () {
:
}
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $(systemctl | grep $VIRULSERVER | grep "active running" | wc -l) -ne 1 ]; then
crit "$VIRULSERVER is not runing"
FNRET=1
else
ok "$VIRULSERVER is runing"
UPDATE_DIR=$(grep -i databasedirectory "$CLAMAVCONF_DIR" | awk '{print $2}')
if [ -d $UPDATE_DIR -a -e $CLAMAVCONF_DIR ]; then
NOWTIME=$(date +"%s")
# This file extension name maybe change to .cvd or .cld
VIRUSTIME=$(stat -c "%Y" "$UPDATE_DIR"/daily.*)
INTERVALTIME=$((${NOWTIME}-${VIRUSTIME}))
if [ "${INTERVALTIME}" -ge 604800 ];then
crit "Database file has a date older than seven days from the current date"
FNRET=3
else
ok "Database file has a date less than seven days from the current date"
FNRET=0
fi
else
crit "Clamav config file or update dir is not exist"
FNRET=2
fi
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
audit_redhat
else
crit "Current OS is not support!"
fi
}
apply_debian () {
if [ $FNRET = 0 ]; then
ok "Clamav database file has a date less than seven days from the current date"
elif [ $FNRET = 2 ]; then
warn "Clamav config file or update dir is not exist, please check that is exist or check config"
elif [ $FNRET = 3 ]; then
warn "Clamav database file has a date older than seven days from the current date, start clamav-freshclam.service to update"
apt-get install -y $UPDATE_SERVER
systemctl start $UPDATE_SERVER
fi
}
# todo
apply_redhat () {
:
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "Database file has a date less than seven days from the current date"
elif [ $FNRET = 1 ]; then
warn "Install $VIRULSERVER"
apt-get install -y $VIRULSERVER
elif [ $FNRET = 2 ]; then
warn "Clamav config file or update dir is not exist, please check that is exist or check config"
elif [ $FNRET = 3 ]; then
warn "Database file has a date older than seven days from the current date, start clamav-freshclam.service to update"
apt-get install -y $UPDATE_SERVER
systemctl start $UPDATE_SERVER
fi
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
apply_redhat
else
crit "Current OS is not support!"
fi
}
# This function will check config parameters required
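Review bot: `audit_redhat` and `apply_redhat` are bare `:` stubs, so on RedHat audit() prints nothing, leaves `FNRET` untouched and the item silently passes; at minimum `warn` that the check is not implemented and set `FNRET` to a value apply_redhat treats as nothing to do. In `audit_debian`, `UPDATE_DIR=$(grep -i databasedirectory "$CLAMAVCONF_DIR" ...)` runs before the `-e $CLAMAVCONF_DIR` test; with `set -e` (enabled at the top of this file) a missing config makes the `grep` fail and the script exits before it can report 'Clamav config file or update dir is not exist', so test the file first. `stat -c "%Y" "$UPDATE_DIR"/daily.*` expands to two files when both `daily.cld` and `daily.cvd` are present and the arithmetic on `VIRUSTIME` then breaks; take the newest with `stat -c %Y "$UPDATE_DIR"/daily.* | sort -n | tail -n1`. In `apply_debian`, the unit is started but never enabled, so updates stop again after a reboot and the seven-day check fails once more; use `systemctl enable --now $UPDATE_SERVER`. `VIRULSERVER` is no longer used in this script now that the daemon-running check has been removed from audit().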


@ -39,7 +39,7 @@ audit () {
if [ "$PROTO_TYPE" == 'udp6' ]; then
PROTO_TYPE="udp"
fi
LISTEN_PORT=$(echo ${LISTENING} | awk '{print $4}' | awk -F: '{print $4}')
LISTEN_PORT=$(echo ${LISTENING} | awk '{print $4}' | awk -F: '{print $NF}')
if [ $($IPS6 -S | grep "^\-A INPUT \-p $PROTO_TYPE" | grep -c "\-\-dport $LISTEN_PORT \-m state \-\-state NEW \-j ACCEPT") -ge 1 ]; then
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set ipv6 firewall rules."
else
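Review bot: `awk -F: '{print $NF}'` is the correct fix: an IPv6 local address contains a variable number of colons (`:::22`, `::1:22`), so the fixed `$4` field returned a piece of the address rather than the port and the `--dport $LISTEN_PORT` grep could never match, leaving every IPv6 listener reported as lacking a rule. Add a one-line comment saying why `$NF` is used so nobody simplifies it back to a fixed field.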


@ -14,7 +14,6 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
SUDOLOG='/var/log/sudo.log'
AUDIT_VALUE='-w /var/log/sudo.log -p wa -k sudoaction'
FILE='/etc/audit/rules.d/audit.rules'
@ -23,18 +22,12 @@ audit () {
# define custom IFS and save default one
d_IFS=$IFS
IFS=$'\n'
if [ -f $SUDOLOG ]; then
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
FNRET=2
else
ok "$AUDIT_VALUE is present in $FILE"
fi
else
crit "file $SUDOLOG is not exist!"
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
FNRET=1
else
ok "$AUDIT_VALUE is present in $FILE"
fi
IFS=$d_IFS
}
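Review bot: the audit now only checks for the `-w /var/log/sudo.log -p wa -k sudoaction` rule and drops the test that `/var/log/sudo.log` exists. A watch on a file sudo never writes produces no events, so the item can pass on a host where `Defaults logfile` is not configured and no sudo log exists. If the logfile requirement has moved to another item, say so in the header comment; otherwise keep a `warn` when the file is absent (the `SUDOLOG` variable removed in the hunk above would then stay).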
@ -45,15 +38,6 @@ apply () {
d_IFS=$IFS
IFS=$'\n'
if [ $FNRET = 1 ]; then
warn "file $SUDOLOG is not exist! Set default logfile path in /etc/sudoers."
sed -i '$aDefaults logfile="/var/log/sudo.log"' /etc/sudoers
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
fi
elif [ $FNRET = 2 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
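Review bot: removing `sed -i '$aDefaults logfile="/var/log/sudo.log"' /etc/sudoers` is right on safety grounds: an unvalidated in-place append to `/etc/sudoers` can break sudo for every user. If the setting is still wanted, write it to a file under `/etc/sudoers.d/` and validate it with `visudo -cf <file>` before installing; otherwise the README should state that enabling sudo logging is a prerequisite of this item.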


@ -14,13 +14,13 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
ARCH64_AUDIT_PARAMS='-w /sbin/insmod -p x -k modules
ARCH64_AUDIT_PARAMS='-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-w /bin/kmod -p x -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -S create_module -S finit_module -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -S create_module -S finit_module -k modules'
ARCH32_AUDIT_PARAMS='-w /sbin/insmod -p x -k modules
ARCH32_AUDIT_PARAMS='-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-w /bin/kmod -p x -k modules
@ -34,8 +34,8 @@ audit () {
d_IFS=$IFS
IFS=$'\n'
is_64bit_arch
if [ $FNRET=0 ]; then
AUDIT_PARAMS=$ARCH64_AUDIT_PARAMS
if [ $FNRET=0 ]; then
AUDIT_PARAMS=$ARCH64_AUDIT_PARAMS
else
AUDIT_PARAMS=$ARCH32_AUDIT_PARAMS
fi
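Review bot: `if [ $FNRET=0 ]; then`, kept unchanged apart from indentation, is a single-argument `test` that is true for any non-empty string, so `AUDIT_PARAMS=$ARCH64_AUDIT_PARAMS` is chosen whatever `is_64bit_arch` set and the 32-bit rule set is dead code. Since the hunk already touches this line, change it to `if [ $FNRET -eq 0 ]; then`.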


@ -10,17 +10,18 @@
#
set -u # One variable unset, it's over
HARDENING_LEVEL=4
AUDIT_PARAMS="-a always,exit -F path=$(find /usr/ -name "ssh-keysign") -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=$(which ssh-agent 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
set -e # One error, it's over
HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
AUDIT_PARAMS_REDHAT="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode
audit () {
# define custom IFS and save default one
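Review bot: the run-time lookups `$(find /usr/ -name "ssh-keysign")` and `$(which ssh-agent 2>/dev/null)` are replaced by fixed per-distro paths, which removes the `find` over `/usr` on every run but means a host whose layout differs gets a `-F path=` rule for a file that is not there, and that rule never fires. Keep the fixed lists, but verify each `path=` target with `[ -x ]` before it is written and `crit` when none remains; the same applies to the passwd, privilege-change, postfix, cron and pam_timestamp_check scripts that follow with the same pattern.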
@ -71,7 +72,11 @@ apply () {
# This function will check config parameters required
check_config() {
:
if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
fi
}
# Source Root Dir Parameter
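Review bot: `check_config()` sets `AUDIT_PARAMS` only for `OS_RELEASE` 1 or 2, so on any other release it stays `""`; audit() and apply() then work on an empty rule set, and whether that reads as 'nothing required' or 'rule missing' depends on how the pattern helper treats an empty pattern. Add an `else` arm that reports the unsupported OS and sets `FNRET`, and make sure `check_config` runs before `audit()` in the dispatcher at the bottom of the file, since `AUDIT_PARAMS=""` at the top is otherwise what audit() sees.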


@ -10,17 +10,22 @@
#
set -u # One variable unset, it's over
set -e # One error, it's over
HARDENING_LEVEL=4
AUDIT_PARAMS="-a always,exit -F path=$(which passwd 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=$(which unix_chkpwd 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=$(which gpasswd 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=$(which chage 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
set -e # One error, it's over
FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
AUDIT_PARAMS_REDHAT="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode
audit () {
# define custom IFS and save default one
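Review bot: the RedHat list mixes `/usr/bin/passwd`, `/usr/sbin/unix_chkpwd`, `/usr/bin/gpasswd` and `/bin/chage`; on RedHat 7 and later `/bin` is a symlink to `/usr/bin`, so the rule resolves, but the mixed form makes the two lists harder to diff and to verify. Use `/usr/bin` throughout so the Debian and RedHat lists differ only where the layout really differs (`/sbin` vs `/usr/sbin` for `unix_chkpwd`).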
@ -71,7 +76,11 @@ apply () {
# This function will check config parameters required
check_config() {
:
if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
fi
}
# Source Root Dir Parameter


@ -10,19 +10,26 @@
#
set -u # One variable unset, it's over
set -e # One error, it's over
HARDENING_LEVEL=4
AUDIT_PARAMS="-a always,exit -F path=$(which su 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=$(which sudo 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=$(which newgrp 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=$(which chsh 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=$(which sudoedit 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=$(which chfn 2>/dev/null) -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change"
set -e # One error, it's over
FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change"
AUDIT_PARAMS_REDHAT="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change"
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode
audit () {
# define custom IFS and save default one
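Review bot: the `chfn` rule keeps `-F auid>=500` while every other rule in both lists uses `-F auid>=1000`; the value was already in the removed lines, but since every rule is being rewritten this is the moment to align it (500 only adds system-account noise on UID_MIN 1000 systems, and the inconsistency reads as a typo). The RedHat list places all six binaries in `/bin` and the Debian list all but `su` in `/usr/bin`; confirm the paths from `rpm -ql` / `dpkg -L` output on each target rather than by hand, since a wrong path yields a rule that never fires.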
@ -73,7 +80,11 @@ apply () {
# This function will check config parameters required
check_config() {
:
if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
fi
}
# Source Root Dir Parameter


@ -10,15 +10,18 @@
#
set -u # One variable unset, it's over
set -e # One error, it's over
HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F path=$(which postdrop 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=$(which postqueue 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
set -e # One error, it's over
FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
AUDIT_PARAMS_REDHAT='-a always,exit -F path=/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode
audit () {
# define custom IFS and save default one
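Review bot: the hardcoded postdrop/postqueue paths only exist when postfix is installed, and check_audit_path reports a missing path as crit, so a host with no MTA (or with Debian's default exim4) fails this Scored item for a binary it does not have. Suggest guarding the loop with `is_pkg_installed postfix` (the helper other scripts here already use) and reporting ok or info when the package is absent, instead of a crit for a path that is legitimately missing.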
@ -69,7 +72,11 @@ apply () {
# This function will check config parameters required
check_config() {
:
if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
fi
}
# Source Root Dir Parameter
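Review bot: check_config has no else branch, so when OS_RELEASE is neither 1 nor 2, AUDIT_PARAMS stays "" and the for-loops in audit() and apply() iterate over nothing: the item passes silently without a single rule being checked or written. Add a failure branch, e.g. `else crit "Unsupported OS_RELEASE: $OS_RELEASE"; exit 128; fi`, and apply the same to the identical block added in the other scripts of this change.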

View File

@ -10,14 +10,15 @@
#
set -u # One variable unset, it's over
set -e # One error, it's over
HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F path=$(which crontab 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
set -e # One error, it's over
FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
AUDIT_PARAMS_REDHAT='-a always,exit -F path=/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode
audit () {
# define custom IFS and save default one
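Review bot: `/bin/crontab` in AUDIT_PARAMS_REDHAT is not where the cronie package records the binary; that is /usr/bin/crontab, and /bin/crontab resolves only because RHEL/CentOS 7 ships /bin as a symlink to usr/bin. The same applies to the /bin and /sbin RedHat paths chosen in the sibling scripts. Using the canonical /usr/bin and /usr/sbin paths (the ones `rpm -ql` lists) works on both merged and unmerged layouts and avoids a missing-path crit on an unmerged system.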
@ -68,7 +69,11 @@ apply () {
# This function will check config parameters required
check_config() {
:
if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
fi
}
# Source Root Dir Parameter

View File

@ -10,14 +10,15 @@
#
set -u # One variable unset, it's over
set -e # One error, it's over
HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F path=$(which pam_timestamp_check 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
set -e # One error, it's over
FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
AUDIT_PARAMS_REDHAT='-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode
audit () {
# define custom IFS and save default one
@ -68,7 +69,11 @@ apply () {
# This function will check config parameters required
check_config() {
:
if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
fi
}
# Source Root Dir Parameter

View File

@ -5,66 +5,75 @@
#
#
# 8.1.26 Recored pam_tally/pam_tally2 command usage (Scored)
# 8.1.26 Recored pam_tally/pam_tally2 command usage(Only for Debian) (Scored)
# Author : Samson wen, Samson <sccxboy@gmail.com> Author add this
#
set -u # One variable unset, it's over
HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F path=$(which pam_tally 2>/dev/null) -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
-a always,exit -F path=$(which pam_tally2 2>/dev/null) -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
set -e # One error, it's over
FILE='/etc/audit/rules.d/audit.rules'
HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
-a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
# This function will be called if the script status is on enabled / audit mode
audit () {
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
crit "path is not exsit! Please check file path is exist!"
continue
else
debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
# This feature is only for debian
if [ $OS_RELEASE -eq 2 ]; then
ok "CentOS/Redhat is not support, so pass"
elif [ $OS_RELEASE -eq 1 ]; then
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
crit "path is not exsit! Please check file path is exist!"
continue
else
debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
fi
}
# This function will be called if the script status is on enabled mode
apply () {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
crit "path is not exsit! Please check file path is exist!"
continue
else
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
# This feature is only for debian
if [ $OS_RELEASE -eq 2 ]; then
ok "CentOS/Redhat is not support, so pass"
elif [ $OS_RELEASE -eq 1 ]; then
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
crit "path is not exsit! Please check file path is exist!"
continue
else
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
fi
}
# This function will check config parameters required
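Review bot: on CentOS/RedHat both audit() and apply() now report `ok "CentOS/Redhat is not support, so pass"`, so an unsupported platform is counted as a passed Scored item in the report; info (or a dedicated skip status) would be honest, ok is not. The two `elif [ $OS_RELEASE -eq 1 ]` branches are otherwise byte-for-byte copies of the existing loops, just indented; doing the platform test once in check_config (set AUDIT_PARAMS="" and emit the message there) would keep both functions unchanged and avoid the duplicated OS check.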

View File

@ -10,16 +10,17 @@
#
set -u # One variable unset, it's over
set -e # One error, it's over
HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F path=$(find /etc/ -name audisp-remote.conf) -F perm=wa -k config_file_change
-a always,exit -F path=$(find /etc/ -name auditd.conf) -F perm=wa -k config_file_change
-a always,exit -F dir=$(find /etc/audit/ -name rules.d) -F perm=wa -k config_file_change
-a always,exit -F path=$(find /etc/ -name grub) -F perm=wa -k config_file_change
-a always,exit -F path=$(find /etc/ -name fstab) -F perm=wa -k config_file_change
-a always,exit -F path=$(find /etc/ -name hosts.deny) -F perm=wa -k config_file_change
-a always,exit -F path=$(find /etc/ -name login.defs) -F perm=wa -k config_file_change
AUDIT_PARAMS='-a always,exit -F path=/etc/audisp/audisp-remote.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/audit/auditd.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/default/grub -F perm=wa -k config_file_change
-a always,exit -F path=/etc/fstab -F perm=wa -k config_file_change
-a always,exit -F path=/etc/hosts.deny -F perm=wa -k config_file_change
-a always,exit -F path=/etc/login.defs -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/audit/rules.d/ -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/pam.d/ -F perm=wa -k config_file_change
-a always,exit -F path=/etc/profile -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/profile.d/ -F perm=wa -k config_file_change
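Review bot: `-F path=/etc/audisp/audisp-remote.conf` assumes the audispd-plugins package; the auditd package alone ships /etc/audisp/audispd.conf, not audisp-remote.conf, so on a Debian 9 host without the plugin check_audit_path takes the crit branch and the whole item is reported failed for a file that is not supposed to be there. Either make that rule conditional on `is_pkg_installed audispd-plugins` or state the dependency in the script header. Replacing the `$(find /etc/ -name ...)` lookups with fixed paths is welcome, since `-F path=` needs exactly one path and find could return none or several.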
@ -27,7 +28,6 @@ AUDIT_PARAMS='-a always,exit -F path=$(find /etc/ -name audisp-remote.conf) -F p
-a always,exit -F dir=/etc/iptables/ -F perm=wa -k config_file_change
-a always,exit -F path=/etc/sysctl.conf -F perm=wa -k config_file_change'
set -e # One error, it's over
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
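Review bot: `/etc/sysctl.conf` is watched but `/etc/sysctl.d/` is not, and `sysctl --system` reads both, so any kernel parameter changed through a drop-in file escapes the config_file_change key; suggest adding `-a always,exit -F dir=/etc/sysctl.d/ -F perm=wa -k config_file_change` next to the sysctl.conf rule. In the same block, `-F dir=/etc/iptables/` only exists with Debian's iptables-persistent, so on the RedHat target added elsewhere in this change it will hit the missing-path crit unless split by OS_RELEASE like the other scripts.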
@ -39,7 +39,7 @@ audit () {
for AUDIT_VALUE in $AUDIT_PARAMS; do
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
crit "path is not exsit! Please check file path is exist!"
crit "path is not exsit! Please check file path is exist! Rule: $AUDIT_VALUE"
continue
else
debug "$AUDIT_VALUE should be in file $FILE"
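Review bot: appending the rule to the message is the right fix (with more than a dozen paths in AUDIT_PARAMS the old message did not say which one was missing), but while the line is being touched the wording should be corrected too: `crit "Path does not exist, check the rule: $AUDIT_VALUE"` instead of "path is not exsit! Please check file path is exist!".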

View File

@ -8,16 +8,16 @@
# 8.1.28 Recored Events that privileged-acl command usage (Scored)
# Author : Samson wen, Samson <sccxboy@gmail.com>
#
# todo to ensure path in debian
set -u # One variable unset, it's over
set -e # One error, it's over
FILE='/etc/audit/rules.d/audit.rules'
HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F path=$(which setfacl 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=$(which chacl 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng'
set -e # One error, it's over
FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS='-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng'
# This function will be called if the script status is on enabled / audit mode
audit () {
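Review bot: the `# todo to ensure path in debian` line is removed, but the chosen paths have not been verified for Debian: the acl package installs setfacl and chacl under /bin (`dpkg -L acl`), so `/usr/bin/setfacl` and `/usr/bin/chacl` only exist on a system with a merged /usr, and on an unmerged Debian 9 host this item trips the missing-path crit. Use /bin/setfacl and /bin/chacl, or give this script the DEBIAN/REDHAT split the other audit scripts in this change received.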

View File

@ -10,13 +10,14 @@
#
set -u # One variable unset, it's over
set -e # One error, it's over
FILE='/etc/audit/rules.d/audit.rules'
HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F path=$(which usermod 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod'
set -e # One error, it's over
FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod'
AUDIT_PARAMS_REDHAT='-a always,exit -F path=/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod'
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode
audit () {
@ -68,7 +69,11 @@ apply () {
# This function will check config parameters required
check_config() {
:
if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
fi
}
# Source Root Dir Parameter
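Review bot: this check_config body is now copied verbatim into every script that gained DEBIAN/REDHAT rule variants in this change (priv_change, postfix, cron, pam_timestamp_check, usermod). A single helper in the shared lib, e.g. one that assigns AUDIT_PARAMS from AUDIT_PARAMS_DEBIAN/AUDIT_PARAMS_REDHAT and fails on an unknown OS_RELEASE, would stop the five copies from drifting and give the missing else branch one place to live.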

View File

@ -10,13 +10,12 @@
#
set -u # One variable unset, it's over
set -e # One error, it's over
FILE='/etc/audit/rules.d/audit.rules'
HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F path=$(which unix_update 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update'
set -e # One error, it's over
FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS='-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update'
# This function will be called if the script status is on enabled / audit mode
audit () {
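Review bot: the old line was a latent bug that the commit message should name: inside single quotes `$(which unix_update 2>/dev/null)` is never expanded, so apply() appended the literal text `-F path=$(which unix_update 2>/dev/null)` to /etc/audit/rules.d/audit.rules, a line auditctl cannot load. Hosts hardened with the previous version still carry that literal line, and the apply() loops only append (add_end_of_file) and never remove, so a cleanup step or a note in the docs is needed; the same holds for every single-quoted `$(which ...)` rule replaced in this change.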

View File

@ -11,6 +11,7 @@
# todo test for centos
set -u # One variable unset, it's over
set -e # One error, it's over
HARDENING_LEVEL=4
@ -19,17 +20,16 @@ SELINUX_PKG_REDHAT="selinux-policy"
SE_AUDIT_PARAMS="-a always,exit -F dir=/etc/selinux/ -F perm=wa -k MAC-policy
-a always,exit -F dir=/usr/share/selinux/ -F perm=wa -k MAC-policy
-a always,exit -F path=$(which chcon 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=$(which semanage 2>/dev/null) -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=$(which setsebool 2>/dev/null) -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=$(which setfiles 2>/dev/null) -F auid>=1000 -F auid!=4294967295 -k perm_chng"
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=/usr/sbin/setfiles -F auid>=1000 -F auid!=4294967295 -k perm_chng"
APPARMOR_PKG="apparmor"
AA_AUDIT_PARAMS='-w /etc/apparmor/ -p wa -k MAC-policy
-w /etc/apparmor.d/ -p wa -k MAC-policy
-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k MAC-policy'
set -e # One error, it's over
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
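Review bot: the semanage, setsebool and setfiles rules have no `-F perm=x`, unlike the chcon line directly above them and every other privileged-command rule in this change. Without a perm filter the rule fires on any syscall that references the path, including stat/open by package managers and shell completion, so the perm_chng key fills with non-executions; add `-F perm=x` to the three lines.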

View File

@ -40,7 +40,7 @@ apply () {
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
else
apt_install $PACKAGE
aideinit
aideinit -y -f
info "${PACKAGE} is now installed but not fully functionnal, please see readme to go further"
fi
fi
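Review bot: `aideinit -y -f` makes the fresh-install branch non-interactive, which is needed under `set -e`, but the info line that follows still says "not fully functionnal" (typo) and does not mention that aideinit just walked the whole filesystem, which on a large host takes many minutes and looks like a hang in the apply log. Also, the existing-install branch above moves aide.db.new.gz into place by hand while this branch delegates to aideinit; routing both through `aideinit -y -f` keeps the two code paths in step.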

View File

@ -41,7 +41,9 @@ apply () {
else
warn "Permissions of all log files are not correctly configured! Set it"
chmod -R $PERMISS_SET $LOGDIR/*
rm $ERRPERFILELIST
if [ -r $ERRPERFILELIST ]; then
rm $ERRPERFILELIST
fi
fi
}
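Review bot: `if [ -r $ERRPERFILELIST ]; then rm $ERRPERFILELIST; fi` is `rm -f "$ERRPERFILELIST"` with extra steps, and `-r` is the wrong predicate anyway: a file that exists but is unreadable is left behind, `-e` or `-f` is what is meant. In the same lines, `chmod -R $PERMISS_SET $LOGDIR/*` applies a file mode recursively to subdirectories of /var/log too; if PERMISS_SET has no execute bit, directories such as /var/log/apt become untraversable. Apply the mode to files only, e.g. `find "$LOGDIR" -type f -exec chmod "$PERMISS_SET" {} +`.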

View File

@ -1,93 +0,0 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
#
#
# 9.3.20 Set SSHD UsePrivilegeSeparation to sandbox (Scored)
# Author : Samson wen, Samson <sccxboy@gmail.com>
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
PACKAGE='openssh-server'
OPTIONS='UsePrivilegeSeparation=sandbox'
FILE='/etc/ssh/sshd_config'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
fi
done
fi
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE
fi
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi
/etc/init.d/ssh reload > /dev/null 2>&1
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi
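Review bot: deleting 9.3.20 is justified but the reason is recorded nowhere in the change: OpenSSH 7.5 deprecated UsePrivilegeSeparation (sandbox became the only behaviour) and later sshd versions print a deprecation warning for the option, so this check would have nagged on anything newer than Debian 9's OpenSSH 7.4. Please put that rationale in the commit message or changelog, and note that hosts hardened earlier still have the `UsePrivilegeSeparation sandbox` line this script added to /etc/ssh/sshd_config; harmless on 7.4, but it is exactly what newer versions warn about.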

View File

@ -24,7 +24,8 @@ The creation process is as follows:
### Pre-Install
```
$ sudo apt update && sudo apt install -y bc net-tools vim unzip
$ sudo apt update
$ sudo apt install -y bc net-tools bc net-tools pciutils network-manager vim unzip
```
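Review bot: the package list repeats `bc net-tools` (`apt install -y bc net-tools bc net-tools pciutils network-manager vim unzip`); apt tolerates the duplicate but it reads as a paste error, drop one pair.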
### Get harbian-audit project
@ -45,27 +46,55 @@ admin@ip:/opt/harbian-audit-master# passwd admin
```
#### Audit && Apply:
##### First audit && apply:
```
admin@ip:/opt/harbian-audit-master$ sudo cp debian/default /etc/default/cis-hardening
admin@ip:/opt/harbian-audit-master$ sudo sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --init
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --audit-all
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --set-hardening-level 5
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/7.4.4_hosts_deny.cfg
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/10.1.7_remove_nopasswd_sudoers.cfg
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/10.1.6_remove_nopasswd_sudoers.cfg
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.1_install_aide.cfg
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.2_aide_cron.cfg
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/10.1.1_set_password_exp_days.cfg
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply
admin@ip:/opt/harbian-audit-master$ sudo sed -i "/^root/a\admin ALL=(ALL:ALL) ALL" /etc/sudoers
admin@ip:/opt/harbian-audit-master$ sudo reboot
```
After reboot:
##### Second audit && apply(After reboot)
Configuring the firewall:
```
admin@ip:/opt/harbian-audit-master$ sudo bash ./docs/configurations/etc.iptables.rules.v4.sh
admin@ip:/opt/harbian-audit-master$ INTERFACENAME="eth0"
admin@ip:/opt/harbian-audit-master$ sudo bash /opt/harbian-audit-master/docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME
admin@ip:/opt/harbian-audit-master$ sudo bash /opt/harbian-audit-master/docs/configurations/etc.iptables.rules.v6.sh $INTERFACENAME
admin@ip:/opt/harbian-audit-master$ sudo -s
admin@ip:/opt/harbian-audit-master# iptables-save > /etc/iptables/rules.v4
admin@ip:/opt/harbian-audit-master# ip6tables-save > /etc/iptables/rules.v6
admin@ip:/opt/harbian-audit-master# exit
```
Related how to use harbian-audit to adit and apply, please reference:
[https://github.com/hardenedlinux/harbian-audit/blob/master/README.md](https://github.com/hardenedlinux/harbian-audit/blob/master/README.md)
Apply need to apply twice items and that items of must apply after first apply:
```
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.1.1.2
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.1.1.3
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.1.12
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.1.32
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 4.5
admin@ip:/opt/harbian-audit-master$ sudo reboot
```
##### Third apply(after reboot)
Apply need to apply three times items:
```
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.1_install_aide.cfg
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.2_aide_cron.cfg
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.4.1
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.4.2
admin@ip:/opt/harbian-audit-master$ sudo reboot
```
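Review bot: `sudo sed -i "/^root/a\admin ALL=(ALL:ALL) ALL" /etc/sudoers` edits sudoers without the syntax check visudo provides; one stray character locks everybody out of sudo on an image that is about to be published. Prefer a drop-in that is validated before use, e.g. `echo 'admin ALL=(ALL:ALL) ALL' | sudo tee /etc/sudoers.d/admin`, `sudo chmod 0440 /etc/sudoers.d/admin`, `sudo visudo -cf /etc/sudoers.d/admin` (the rules file in this change already watches /etc/sudoers.d/). Separately, the disable lines name both 10.1.7_remove_nopasswd_sudoers.cfg and 10.1.6_remove_nopasswd_sudoers.cfg, the same file suffix for two item numbers; one looks like a copy error and should be checked against etc/conf.d.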
### Set issues
```
@ -86,9 +115,9 @@ $ sudo rm /opt/harbian-audit-master/tmp/backups/*
$ sudo rm /opt/harbian-audit-master/etc/conf.d/*.cfg
```
#### AIDE RE-INIT
#### Uninstall
```
$ sudo aideinit -y -f
$ sudo apt-get purge --autoremove unzip -y
```
#### Clear the current log:
@ -110,6 +139,13 @@ $ sudo -s
# echo > /var/log/tallylog
# echo > /var/log/lastlog
# echo > /var/log/wtmp
# echo > /var/log/sudo.log
```
#### Final apply
Reset password for all users and reinit aide database:
```
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --final
```
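Review bot: the `--final` step is placed after the logs are emptied, but --final itself runs passwd (which writes to /var/log/auth.log and, through sudo, /var/log/sudo.log) and aideinit, so the published image will contain exactly the entries the previous block just cleared. Run `sudo ./bin/hardening.sh --final` before the "Clear the current log" block, or clear the logs again after it.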
#### Clear bash hostory
@ -144,8 +180,9 @@ $ history -cw
![17](./picture/create-AMI-from-instance-17.png)
## Reference
## Reference
[https://github.com/hardenedlinux/harbian-audit/blob/master/README.md](https://github.com/hardenedlinux/harbian-audit/blob/master/README.md)
[https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html)
[https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/CopyingAMIs.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/CopyingAMIs.html)
[https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html)

View File

@ -1,5 +1,9 @@
# How to creating and making a QEMU image of harbian-audit complianced Debian GNU/Linux 9
In the following context, deploy with the following name:
Network interface: eth0
username: harbian-audit
## Pre-work
In the example below, the vul-manager visual tool will be used to remotely connect to the QEMU server for operation.
@ -42,14 +46,14 @@ Then follow the wizard to install step by step.
### Pre-Install
```
root@harbian:/home/harbian-audit# apt update && apt install -y bc net-tools vim unzip
root@harbian:/home/harbian-audit# apt update && apt install -y bc net-tools vim unzip pciutils network-manager
```
### Get harbian-audit project
```
$ cd /opt
root@harbian:/opt# wget https://github.com/hardenedlinux/harbian-audit/archive/master.zip
root@harbian:/opt# sudo unzip master.zip
root@harbian:/opt# unzip master.zip
root@harbian:/opt# cd harbian-audit-master/
```
@ -59,17 +63,21 @@ root@harbian:/opt# cd harbian-audit-master/
```
root@harbian:/opt/harbian-audit-master# cp debian/default /etc/default/cis-hardening
root@harbian:/opt/harbian-audit-master# sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
root@harbian:/opt/harbian-audit-master# ./bin/hardening.sh --audit-all
root@harbian:/opt/harbian-audit-master# bash bin/hardening.sh --init
root@harbian:/opt/harbian-audit-master# ./bin/hardening.sh --audit-all
root@harbian:/opt/harbian-audit-master# ./bin/hardening.sh --set-hardening-level 5
root@harbian:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/7.4.4_hosts_deny.cfg
root@harbian:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg
root@harbian:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.1_install_aide.cfg
root@harbian:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.2_aide_cron.cfg
root@harbian:/opt/harbian-audit-master# ./bin/hardening.sh --apply
root@harbian:/opt/harbian-audit-master# sed -i "/^root/a\harbian-audit ALL=(ALL:ALL) ALL" /etc/sudoers
root@harbian:/opt/harbian-audit-master# reboot
```
After reboot:
After reboot:
```
harbian-audit@harbian:/opt/harbian-audit-master$ sudo bash ./docs/configurations/etc.iptables.rules.v4.sh
harbian-audit@harbian:/opt/harbian-audit-master$ sudo bash ./docs/configurations/etc.iptables.rules.v4.sh eth0
harbian-audit@harbian:/opt/harbian-audit-master$ sudo -s
root@harbian:/opt/harbian-audit-master# iptables-save > /etc/iptables/rules.v4
root@harbian:/opt/harbian-audit-master# ip6tables-save > /etc/iptables/rules.v6
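Review bot: the first-pass disable list here (7.4.4, 8.1.32, 8.4.1, 8.4.2) differs from the AWS document in this same change, which additionally disables 10.1.7, 10.1.6 and 10.1.1 before the first --apply; either the two procedures genuinely differ (then say why) or one of them is out of date. The `sed -i "/^root/a\harbian-audit ALL=(ALL:ALL) ALL" /etc/sudoers` line has the same concern as in the AWS document: write a 0440 file under /etc/sudoers.d and validate it with `visudo -cf` rather than editing /etc/sudoers with sed.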
@ -84,7 +92,7 @@ $ sudo sed -i "s/Debian GNU\/Linux 9/harbian-audit complianced for Debian GNU\/L
### Set grub passwd
superusers: harbiansuper
passwd: harbian_AUDIT,12@)
passwd: harbian_AUDIT,09!)
Related how to config grub2 password protection, please reference:
[how_to_config_grub2_password_protection.mkd](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_config_grub2_password_protection.mkd)
@ -102,17 +110,31 @@ If need adds a project on AMI, add the project on such as /opt, /usr/local/bin d
### Clean up
#### Uninstall
```
$ sudo apt-get purge --autoremove unzip -y
```
#### Clean harbian-audit temp file and conf
```
$ sudo rm /opt/master.zip
$ sudo rm /opt/harbian-audit-master/tmp/backups/*
$ sudo rm /opt/harbian-audit-master/etc/conf.d/*.cfg
$ cd /opt/harbian-audit-master/etc/conf.d
$ sudo rm -f !(8.1.32_freeze_auditd_conf.cfg|8.4.1_install_aide.cfg|8.4.2_aide_cron.cfg)
```
#### AIDE RE-INIT
#### Final fix
```
$ sudo aideinit -y -f
```
$ cd /opt/harbian-audit-master
$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg
$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.1_install_aide.cfg
$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.2_aide_cron.cfg
$ sudo bash bin/hardening.sh --apply --only 8.1.32
$ sudo bash bin/hardening.sh --apply --only 8.4.1
$ sudo bash bin/hardening.sh --apply --only 8.4.2
$ sudo rm /opt/harbian-audit-master/tmp/backups/*
$ sudo rm /opt/harbian-audit-master/etc/conf.d/*
```
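Review bot: `sudo rm -f !(8.1.32_freeze_auditd_conf.cfg|8.4.1_install_aide.cfg|8.4.2_aide_cron.cfg)` relies on the bash extglob `!(...)` pattern, which is off by default in an interactive shell (`shopt -s extglob`) and does not exist in sh/dash, so as written the line fails with a syntax error and the stale .cfg files stay in the image. A portable equivalent is `sudo find . -maxdepth 1 -name '*.cfg' ! -name '8.1.32_*' ! -name '8.4.1_*' ! -name '8.4.2_*' -delete`. Since the block ends with `sudo rm /opt/harbian-audit-master/etc/conf.d/*` anyway, a sentence saying the selective removal only exists to keep the three --apply --only runs working would help the reader.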
#### Clear the current log
```
@ -135,6 +157,11 @@ $ sudo -s
# echo > /var/log/wtmp
```
#### AIDE RE-INIT
```
$ sudo aideinit -y -f
```
#### Clear bash hostory
```
# echo > ~/.bash_history
@ -147,6 +174,6 @@ $ sudo poweroff
## sign QEMU image
ssh to QEMU server, find QEMU image dir, sign the QEMU image:
```
root@debian-9:/opt/images# gpg -b harbian-audit_Debian_9.qcow2
root@debian-9:/opt/images# gpg -u Samson -b debian9.9-harbian-0910.qcow2
```
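Review bot: `gpg -u Samson -b` selects the signing key by a bare name, which resolves to whichever key in the keyring matches "Samson" first; use the full fingerprint (`-u 0x<fingerprint>`) so the signature is reproducibly made with the intended key, and publish that fingerprint in the "How to use" document so users can fetch and pin the public key before `gpg --verify`.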

View File

@ -1,50 +1,32 @@
# How to use QEMU image of harbian-audit complicanced Debian GNU/Linux 9
## Overview
Image name: harbian-audit_Debian_9.qcow2
Disk size: 50G
File system:
```
harbian-audit@harbian:~$ df -h
Filesystem Size Used Avail Use% Mounted on
udev 2.0G 0 2.0G 0% /dev
tmpfs 396M 5.5M 391M 2% /run
/dev/mapper/harbian--vg-root 15G 1.3G 12G 10% /
tmpfs 2.0G 8.0K 2.0G 1% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs 2.0G 0 2.0G 0% /sys/fs/cgroup
/dev/vda1 236M 37M 187M 17% /boot
tmpfs 2.0G 0 2.0G 0% /tmp
/dev/mapper/harbian--vg-home 27G 45M 25G 1% /home
tmpfs 396M 0 396M 0% /run/user/1000
```
Image name: debian9.9-harbian-0910.qcow2
Disk size: 20G
grub password protection:
username: harbiansuper
password: harbian_AUDIT,12@)
password: harbian_AUDIT,09!)
Users info:
user: root
passwd: 1qaz@WSX3edc$RFV5tgb
user: harbian-audit
user: auditadmin
passwd: 2wsx#EDC4rfv%TGB6yhn
## Get QEMU image
### Download address
[https://drive.google.com/file/d/1osqL0REFisSedOhL04dupC1aDM6jVpdm/view?usp=sharing](https://drive.google.com/file/d/1osqL0REFisSedOhL04dupC1aDM6jVpdm/view?usp=sharing)
![1](./picture/download_01.png)
![2](./picture/download_02.png)
![3](./picture/download_03.png)
[debian9.9-harbian-0910.qcow2.tar.gz](https://drive.google.com/file/d/1HwaHF94AJx-95HeIVi4cUFA5aiQ_diz2/view?usp=sharing)
### Verify
```
$ wget https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/QEMU/signature/harbian-audit_Debian_9.qcow2.sig
$ wget https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/QEMU/signature/harbian-audit_Debian_9.qcow2.tar.gz.sig
$ gpg --verify harbian-audit_Debian_9.qcow2.tar.gz.sig harbian-audit_Debian_9.qcow2.tar.gz
$ tar -xzvf harbian-audit_Debian_9.qcow2.tar.gz
$ gpg --verify harbian-audit_Debian_9.qcow2.sig harbian-audit_Debian_9.qcow2
$ wget https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/QEMU/debian9.9-harbian-0910.qcow2.sig
$ wget https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/QEMU/signature/debian9.9-harbian-0910.qcow2.tar.gz.sig
$ gpg -u Samson --verify debian9.9-harbian-0910.qcow2.tar.gz.sig debian9.9-harbian-0910.qcow2.tar.gz
$ tar -xzvf debian9.9-harbian-0910.qcow2.tar.gz
$ gpg -u Samson --verify debian9.9-harbian-0910.qcow2.sig debian9.9-harbian-0910.qcow2
```
## Use the QEMU image to create virtual machine
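Review bot: the wget lines fetch `https://github.com/.../blob/master/....sig`; a /blob/ URL returns the GitHub HTML page, not the signature file, so the subsequent `gpg --verify` fails on what was downloaded. Use the raw form (`https://raw.githubusercontent.com/hardenedlinux/harbian-audit/master/docs/complianced_image/QEMU/signature/<file>.sig`) or append `?raw=true`. Also the first .sig is fetched from `QEMU/` and the second from `QEMU/signature/`, so one of the two paths is wrong, and `-u Samson` has no meaning for --verify; what the reader actually needs, and the document does not give, is where to obtain the signer's public key and which fingerprint to check it against.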

Binary file not shown (removed image, before: 52 KiB)
Binary file not shown (removed image, before: 26 KiB)
Binary file not shown (removed image, before: 37 KiB)

View File

@ -11,7 +11,6 @@
## Set failure mode to syslog
-f 1
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
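Review bot: this hunk drops one line from the failure-mode block and the rendering does not show which. If `-f 1` is the line going away, auditd reverts to failure mode 0 (silent) while the `## Set failure mode to syslog` comment stays behind as a stale promise; if the comment is the one going, `-f 1` is left unexplained. Keep the two together, or move `-f 1` next to the `-e 2` control line at the end of the file where the control options belong.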
@ -28,7 +27,9 @@
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale
-w /etc/selinux/ -p wa -k MAC-policy
-w /etc/apparmor/ -p wa -k MAC-policy
-w /etc/apparmor.d/ -p wa -k MAC-policy
-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k MAC-policy
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
@ -45,20 +46,49 @@
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/ping -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/pppd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/dbus-1.0/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/policykit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/eject/dmcrypt-get-device -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/dotlock.mailutils -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/expiry -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/dotlockfile -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/screen -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/bsd-write -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers
-e 2
-w /var/log/auth.log -p wa -k sudoaction
-w /var/log/sudo.log -p wa -k sudoaction
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-w /bin/kmod -p x -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -S create_module -S finit_module -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -S create_module -S finit_module -k modules
-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
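Review bot: the `-e 2` that sits right after `-w /etc/sudoers.d/ -p wa -k sudoers` locks the audit configuration in the middle of the rule set. `auditctl -R` processes the file top to bottom, so every rule below that line (the `sudoaction`, `modules`, `privileged-ssh`, `access` and `privileged-passwd` rules, and everything in the next hunk) fails to load once immutability is set; augenrules relocates `-e` lines to the end of the compiled file, but that only helps when the file is assembled from rules.d, and a second `-e 2` is redundant either way. Keep the single `-e 2` at the end of the file and drop this one. Two smaller points: `/usr/bin/ssh-agent` is covered twice with different keys (`-k privileged` and `-k privileged-ssh`), as is `/usr/bin/passwd` (`-k privileged` and `-k privileged-passwd`), so each execution produces two events; and the two `open_by_handle_at` rules carry only `arch=b64`, unlike the `mount` and `delete` rules which have a `b32` twin.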
@ -70,26 +100,31 @@
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam
-a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
-a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
-a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/ping -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-w /etc/audisp/audisp-remote.conf -p wa -k config_file_change
-w /etc/audit/auditd.conf -p wa -k config_file_change
-w /etc/audit/rules.d/ -p wa -k config_file_change
-w /etc/default/grub -p wa -k config_file_change
-w /etc/fstab -p wa -k config_file_change
-w /etc/hosts.deny -p wa -k config_file_change
-w /etc/login.defs -p wa -k config_file_change
-w /etc/pam.d/ -p wa -k config_file_change
-w /etc/profile -p wa -k config_file_change
-w /etc/profile.d/ -p wa -k config_file_change
-w /etc/security/ -p wa -k config_file_change
-w /etc/iptables/ -p wa -k config_file_change
-w /etc/sysctl.conf -p wa -k config_file_change
-a always,exit -F path=/etc/audisp/audisp-remote.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/audit/auditd.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/default/grub -F perm=wa -k config_file_change
-a always,exit -F path=/etc/fstab -F perm=wa -k config_file_change
-a always,exit -F path=/etc/hosts.deny -F perm=wa -k config_file_change
-a always,exit -F path=/etc/login.defs -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/audit/rules.d/ -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/pam.d/ -F perm=wa -k config_file_change
-a always,exit -F path=/etc/profile -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/profile.d/ -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/security/ -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/iptables/ -F perm=wa -k config_file_change
-a always,exit -F path=/etc/sysctl.conf -F perm=wa -k config_file_change
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod
-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update
-a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv
-a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv
-e 2
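Review bot: the two `execve` rules near the end (`-S execve -C uid!=euid -F key=execpriv` and the `gid!=egid` counterpart) carry only `arch=b64`, so a 32-bit binary executed on a 64-bit kernel, the standard way to slip past `b64`-only syscall rules, never gets the `execpriv` key; add the `arch=b32` pair as the `mount` and `delete` rules do. `-F auid>=500` on the `chfn` line disagrees with the `auid>=1000` used on every other rule (and on the `chfn` rule in the previous hunk); Debian's `UID_MIN` is 1000, so this one rule alone would also match the 500-999 range. If the `-w /etc/audit/auditd.conf -p wa` style watches are meant to stay beside the `-a always,exit -F path=/etc/audit/auditd.conf -F perm=wa` rules, every write fires twice under the same `config_file_change` key; keep one form.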

View File

@ -1,6 +1,16 @@
#!/bin/bash
IPT="/sbin/iptables"
PUB_IFS="ens33"
if [ $# -lt 1 ]; then
echo "Must be set to greater than or equal to a public network interface. "
echo "usage: $0 eth0, or $0 eth0 eth1"
exit 1
else
PUB_IFS="$@"
echo "Public interface is $PUB_IFS"
fi
echo "Starting IPv4 Wall..."
$IPT -F
$IPT -X
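Review bot: the interface names taken from `$@` are never checked to exist, and iptables accepts `-i` with an unknown interface name without complaint, so a typo such as `eth0` on a host whose NIC is `ens33` leaves every per-interface anti-scan and SSH rate-limit rule attached to nothing while the script still reports `Public interface is ...` and exits 0. Validate each name before flushing anything, for example `ip link show dev "$i" >/dev/null 2>&1 || { echo "no such interface: $i"; exit 1; }` in a loop over `"$@"`. The `PUB_IFS="ens33"` default above the argument check is now dead code, since the script exits when no argument is given, and the usage text `Must be set to greater than or equal to a public network interface.` reads oddly; `At least one public interface name is required.` says what is meant.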
@ -11,7 +21,6 @@ IPT="/sbin/iptables"
$IPT -N LOGDROP
modprobe ip_conntrack
PUB_IFS="ens33"
#unlimited
$IPT -A INPUT -i lo -j ACCEPT
@ -76,11 +85,10 @@ do
$IPT -A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
$IPT -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# allow ssh/http/ntp/dhclint only
# allow ssh/ntp/dhclint/http/https only
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p udp --dport 68 -m state --state NEW -j ACCEPT
ip6tables -A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
# $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
# $IPT -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
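Review bot: `ip6tables -A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT` is a hard-coded ip6tables call inside the IPv4 script. It bypasses `$IPT`, is not flushed by the `$IPT -F` at the top (so it accumulates one copy per run), and duplicates the NTP rule the new v6 script already adds; drop it here. Separately, inbound `NEW` on udp/123 is only needed when this host serves NTP; a client's replies match the `ESTABLISHED` rule regardless of source port, so consider commenting that line out as was done for 80/443. Typo in the comment: `dhclint` for `dhclient`.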

View File

@ -0,0 +1,107 @@
#!/bin/bash
IPT="/sbin/ip6tables"
PUB_IFS="ens33"
if [ $# -lt 1 ]; then
echo "Must be set to greater than or equal to a public network interface. usage: $0 eth0, or $0 eth0 eth1"
exit 1
else
PUB_IFS="$@"
echo "Public interface is $PUB_IFS"
fi
echo "Starting IPv6 Wall..."
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -N LOGDROP
modprobe ip_conntrack
#unlimited
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# DROP all incomming traffic
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A INPUT -s fe80::/64 -j DROP
$IPT -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -p icmp -m state --state RELATED -j ACCEPT
$IPT -A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
$IPT -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
$IPT -A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
for PUB_IF in $PUB_IFS
do
# sync
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Syn"
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP
# Fragments
$IPT -A INPUT -i ${PUB_IF} -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets"
$IPT -A INPUT -i ${PUB_IF} -j DROP
# block bad stuff
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# No smb/windows sharing packets - too much logging
$IPT -A INPUT -p tcp -i ${PUB_IF} --dport 137:139 -j REJECT
$IPT -A INPUT -p udp -i ${PUB_IF} --dport 137:139 -j REJECT
$IPT -I INPUT -p tcp --dport 22 -i ${PUB_IF} -m state --state NEW -m recent --set
$IPT -I INPUT -p tcp --dport 22 -i ${PUB_IF} -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j LOGDROP
done
# Allow full outgoing connection but no incomming stuff
$IPT -A INPUT -p ipv6-icmp -m ipv6-icmp --icmpv6-type 4 -j ACCEPT
$IPT -A OUTPUT -p ipv6-icmp -m ipv6-icmp --icmpv6-type 8 -j ACCEPT
# allow ssh/ntp/dhclint/http/https only
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
$IPT -A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m conntrack --ctstate NEW -j ACCEPT
# $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
# $IPT -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# allow incoming ICMP ping pong stuff
$IPT -A INPUT -p ipv6-icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p ipv6-icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# prevent ssh brute force attack
$IPT -A LOGDROP -j LOG
$IPT -A LOGDROP -j DROP
# Log everything else
# *** Required for psad ****
$IPT -A INPUT -j LOG
$IPT -A FORWARD -j LOG
$IPT -A INPUT -j DROP
exit 0
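Review bot: the `# Fragments` block drops all traffic: `$IPT -A INPUT -i ${PUB_IF} -j DROP` has no match expression (the v4 script's `-f` fragment flag does not exist in ip6tables and was evidently removed without a replacement), so every packet on a public interface that is not already `ESTABLISHED` is dropped here, before the `--dport 22` and `--dport 123` accepts further down. Deploying this script as written cuts off new inbound SSH over IPv6. Use the fragment-header match instead: `$IPT -A INPUT -i ${PUB_IF} -m frag -j DROP`, with the same `-m frag` on the preceding LOG line. Second, `$IPT -A INPUT -s fe80::/64 -j DROP` near the top discards all link-local sourced traffic, which is where Neighbor Solicitation/Advertisement and Router Advertisements arrive from; the host loses IPv6 neighbour resolution, and the later DHCPv6 rule `-d fe80::/64 -p udp --dport 546` can never match because this drop precedes it. Accept ICMPv6 types 133-136 (and 128 if ping is wanted) explicitly, by type rather than by conntrack state, before any link-local drop. Third, `--icmpv6-type 4` and `--icmpv6-type 8` are the ICMPv4 numbers carried over: ICMPv6 echo request is 128 and echo reply 129, and type 8 is unassigned. Minor: `modprobe ip_conntrack` loads the IPv4 alias, and the `lo` accepts appear twice.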

View File

@ -5,6 +5,22 @@
# debian version check
#
is_debian_ge_9()
{
if [ -r /etc/debian_version ]; then
if [ $(cat /etc/debian_version | awk -F"." '{print $1}') -ge 9 ]; then
debug "Debian version is greater than or equal to 9"
FNRET=0
else
debug "Debian version is less than 9"
FNRET=1
fi
else
debug "Current OS is not Debian."
FNRET=2
fi
}
is_debian_9()
{
if [ -r /etc/debian_version ]; then
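Review bot: `[ $(cat /etc/debian_version | awk -F"." '{print $1}') -ge 9 ]` breaks on testing/sid and on Debian derivatives, where `/etc/debian_version` holds a codename string such as `bullseye/sid` rather than a number; `[` then fails with an integer-expression error, the `else` branch runs, and the host is reported as older than 9, which in turn sends `is_service_active` down the non-systemd path. Guard the value (`case` on `[0-9]*`) or read `VERSION_ID` from `/etc/os-release`, and prefer `awk -F. '{print $1}' /etc/debian_version` over the `cat` pipe. The body also mirrors `is_debian_9` with only the comparison changed; one helper taking the operator as a parameter would keep the two from drifting.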
@ -136,12 +152,16 @@ has_file_correct_ownership() {
has_file_correct_permissions() {
local FILE=$1
local PERMISSIONS=$2
if [ $($SUDO_CMD stat -L -c "%a" $1) = "$PERMISSIONS" ]; then
FNRET=0
else
if [ -e $FILE ]; then
if [ $($SUDO_CMD stat -L -c "%a" $1) = "$PERMISSIONS" ]; then
FNRET=0
else
FNRET=1
fi
else
FNRET=1
fi
info "$FILE is not exist!"
fi
}
does_pattern_exist_in_file() {
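Review bot: the existence test `[ -e $FILE ]` runs without `$SUDO_CMD` while the `stat` on the next line runs with it, so when the audit runs unprivileged and `$FILE` lies below a directory the caller cannot traverse, `-e` fails on permission rather than absence and the check logs `is not exist!` for a file that is present. Either use `$SUDO_CMD test -e "$FILE"` or drop the pre-check and branch on `stat`'s exit status. Also quote the expansions (`[ -e "$FILE" ]`, `stat -L -c "%a" "$FILE"`; the `stat` still uses `$1` after `FILE` was assigned), and the message should read `$FILE does not exist`.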
@ -254,7 +274,7 @@ is_service_active() {
if [ $OS_RELEASE -eq 2 ]; then
FNRET=0
else
is_debian_9
is_debian_ge_9
fi
if [ $FNRET = 0 ]; then
if [ $(systemctl is-active $SERVICE | grep -c "^active") -eq 1 ]; then
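Review bot: with `is_debian_ge_9` substituted here, the `FNRET=2` it returns when `/etc/debian_version` is absent is treated the same as `FNRET=1`, so any non-Debian host that is not `OS_RELEASE -eq 2` falls through to the non-systemd branch even when it runs systemd. Testing for the init system directly (`[ -d /run/systemd/system ]` or `command -v systemctl`) would be more robust than inferring it from the distribution version.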