diff --git a/bin/hardening/1.1_install_updates.sh b/bin/hardening/1.1_install_updates.sh index 07e5820..c3e9b94 100755 --- a/bin/hardening/1.1_install_updates.sh +++ b/bin/hardening/1.1_install_updates.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian-audit for Debian GNU/Linux Debian 9 or CentOS 8 Hardening +# harbian-audit for Debian GNU/Linux Debian 9/10/11/12 or CentOS 8 Hardening # Modify by: Samson-W (samson@hardenedlinux.org) # @@ -47,13 +47,10 @@ audit_centos () # This function will be called if the script status is on enabled / audit mode audit () { - if [ $OS_RELEASE -eq 1 ]; then - audit_debian - elif [ $OS_RELEASE -eq 2 ]; then + if [ $OS_RELEASE -eq 2 ]; then audit_centos else - crit "Current OS is not support!" - FNRET=44 + audit_debian fi } @@ -82,12 +79,10 @@ apply_centos () # This function will be called if the script status is on enabled mode apply () { - if [ $OS_RELEASE -eq 1 ]; then - apply_debian - elif [ $OS_RELEASE -eq 2 ]; then + if [ $OS_RELEASE -eq 2 ]; then apply_centos else - crit "Current OS is not support!" + apply_debian fi } diff --git a/bin/hardening/1.2_enable_verify_sign_packages_from_repository.sh b/bin/hardening/1.2_enable_verify_sign_packages_from_repository.sh index f1ebab6..7699d95 100755 --- a/bin/hardening/1.2_enable_verify_sign_packages_from_repository.sh +++ b/bin/hardening/1.2_enable_verify_sign_packages_from_repository.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian-audit for Debian GNU/Linux Debian 9 or CentOS 8 Hardening +# harbian-audit for Debian GNU/Linux Debian 9/10/11/12 or CentOS 8 Hardening # # @@ -47,13 +47,10 @@ audit_centos () # This function will be called if the script status is on enabled / audit mode audit () { - if [ $OS_RELEASE -eq 1 ]; then - audit_debian - elif [ $OS_RELEASE -eq 2 ]; then + if [ $OS_RELEASE -eq 2 ]; then audit_centos else - crit "Current OS is not support!" - FNRET=44 + audit_debian fi } 
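Review bot: The new `else` arm in `audit ()` and `apply ()` of 1.1_install_updates.sh sends every `OS_RELEASE` value other than 2 to the Debian functions, so an unrecognised distribution is no longer stopped by `crit "Current OS is not support!"` and `FNRET=44`. Because `$OS_RELEASE` is unquoted, an empty or unset value makes `[ $OS_RELEASE -eq 2 ]` error out and take the same `else` arm, so `apply_debian` can run on a host whose release was never detected. The 8.1.27 hunk in this commit names 1, 9, 10, 11 and 12 as the Debian values; matching those explicitly and keeping the old failure arm as the default preserves the fail-closed behaviour, as sketched below for `audit ()`. The same dispatcher change appears in the 1.2, 1.3, 1.4, 4.1, 4.5, 4.6, 4.7, 4.8, 5.1.2, 5.1.4, 5.1.6, 6.18, 7.7.1 and 9.2.17 hunks, and as `-ne 2` in 6.17.

```shell
audit () {
    case "$OS_RELEASE" in
        2) audit_centos ;;
        1|9|10|11|12) audit_debian ;;
        *)
            # Unknown or undetected release: refuse rather than guess.
            crit "Current OS is not support!"
            FNRET=44
            ;;
    esac
}
```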
@@ -87,12 +84,10 @@ apply_centos () { # This function will be called if the script status is on enabled mode apply () { - if [ $OS_RELEASE -eq 1 ]; then - apply_debian - elif [ $OS_RELEASE -eq 2 ]; then + if [ $OS_RELEASE -eq 2 ]; then apply_centos else - crit "Current OS is not support!" + apply_debian fi } diff --git a/bin/hardening/1.3_enable_verify_sign_of_local_packages.sh b/bin/hardening/1.3_enable_verify_sign_of_local_packages.sh index d24fca1..368a528 100755 --- a/bin/hardening/1.3_enable_verify_sign_of_local_packages.sh +++ b/bin/hardening/1.3_enable_verify_sign_of_local_packages.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian-audit for Debian GNU/Linux Debian 9 or CentOS 8 Hardening +# harbian-audit for Debian GNU/Linux Debian 9/10/11/12 or CentOS 8 Hardening # # @@ -49,13 +49,10 @@ audit_centos () # This function will be called if the script status is on enabled / audit mode audit() { - if [ $OS_RELEASE -eq 1 ]; then - audit_debian - elif [ $OS_RELEASE -eq 2 ]; then + if [ $OS_RELEASE -eq 2 ]; then audit_centos else - crit "Current OS is not support!" - FNRET=44 + audit_debian fi } @@ -86,12 +83,10 @@ apply_centos () { # This function will be called if the script status is on enabled mode apply () { - if [ $OS_RELEASE -eq 1 ]; then - apply_debian - elif [ $OS_RELEASE -eq 2 ]; then + if [ $OS_RELEASE -eq 2 ]; then apply_centos else - crit "Current OS is not support!" + apply_debian fi } # This function will check config parameters required diff --git a/bin/hardening/1.4_set_no_allow_insecure_repository_by_apt.sh b/bin/hardening/1.4_set_no_allow_insecure_repository_by_apt.sh index ce71e43..138d084 100755 --- a/bin/hardening/1.4_set_no_allow_insecure_repository_by_apt.sh +++ b/bin/hardening/1.4_set_no_allow_insecure_repository_by_apt.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian-audit for Debian GNU/Linux Debian 9 or CentOS 8 Hardening +# harbian-audit for Debian GNU/Linux Debian 9/10/11/12 or CentOS 8 Hardening # # 
@@ -46,13 +46,10 @@ audit_centos () # This function will be called if the script status is on enabled / audit mode audit () { - if [ $OS_RELEASE -eq 1 ]; then - audit_debian - elif [ $OS_RELEASE -eq 2 ]; then + if [ $OS_RELEASE -eq 2 ]; then audit_centos else - crit "Current OS is not support!" - FNRET=44 + audit_debian fi } @@ -82,12 +79,10 @@ apply_centos () { # This function will be called if the script status is on enabled mode apply () { - if [ $OS_RELEASE -eq 1 ]; then - apply_debian - elif [ $OS_RELEASE -eq 2 ]; then + if [ $OS_RELEASE -eq 2 ]; then apply_centos else - crit "Current OS is not support!" + apply_debian fi } # This function will check config parameters required diff --git a/bin/hardening/4.1_restrict_core_dumps.sh b/bin/hardening/4.1_restrict_core_dumps.sh index 8adc2bf..16b6224 100755 --- a/bin/hardening/4.1_restrict_core_dumps.sh +++ b/bin/hardening/4.1_restrict_core_dumps.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening +# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 or CentOS Hardening #Modify by: Samson-W (samson@hardenedlinux.org) # @@ -50,13 +50,10 @@ audit_centos () { # This function will be called if the script status is on enabled / audit mode audit () { - if [ $OS_RELEASE -eq 1 ]; then - audit_debian - elif [ $OS_RELEASE -eq 2 ]; then + if [ $OS_RELEASE -eq 2 ]; then audit_centos else - crit "Current OS is not support!" - FNRET=44 + audit_debian fi } @@ -92,12 +89,10 @@ apply_centos () { # This function will be called if the script status is on enabled mode apply () { - if [ $OS_RELEASE -eq 1 ]; then - apply_debian - elif [ $OS_RELEASE -eq 2 ]; then + if [ $OS_RELEASE -eq 2 ]; then apply_centos else - crit "Current OS is not support!" + apply_debian fi } diff --git a/bin/hardening/4.5_enable_apparmor.sh b/bin/hardening/4.5_enable_apparmor.sh index 647812d..bba601a 100755 --- a/bin/hardening/4.5_enable_apparmor.sh +++ b/bin/hardening/4.5_enable_apparmor.sh 
@@ -1,7 +1,7 @@ #!/bin/bash # -# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening +# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 or CentOS Hardening # Modify by: Samson-W (samson@hardenedlinux.org) # @@ -73,13 +73,10 @@ audit_centos () { # This function will be called if the script status is on enabled / audit mode audit () { - if [ $OS_RELEASE -eq 1 ]; then - audit_debian - elif [ $OS_RELEASE -eq 2 ]; then + if [ $OS_RELEASE -eq 2 ]; then audit_centos else - crit "Current OS is not support!" - FNRET=44 + audit_debian fi } @@ -119,12 +116,10 @@ apply_centos () { # This function will be called if the script status is on enabled mode apply () { - if [ $OS_RELEASE -eq 1 ]; then - apply_debian - elif [ $OS_RELEASE -eq 2 ]; then + if [ $OS_RELEASE -eq 2 ]; then apply_centos else - crit "Current OS is not support!" + apply_debian fi } diff --git a/bin/hardening/4.6_enable_selinux.sh b/bin/hardening/4.6_enable_selinux.sh index ed1e086..a5c3dcd 100755 --- a/bin/hardening/4.6_enable_selinux.sh +++ b/bin/hardening/4.6_enable_selinux.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian-audit for Debian GNU/Linux 9/10 or CentOS 8 Hardening +# harbian-audit for Debian GNU/Linux 9/10/11/12 or CentOS 8 Hardening # # @@ -93,13 +93,10 @@ audit_centos () { # This function will be called if the script status is on enabled / audit mode audit () { - if [ $OS_RELEASE -eq 1 ]; then - audit_debian - elif [ $OS_RELEASE -eq 2 ]; then + if [ $OS_RELEASE -eq 2 ]; then audit_centos else - crit "Current OS is not support!" - FNRET=44 + audit_debian fi } @@ -157,12 +154,10 @@ apply_centos () { # This function will be called if the script status is on enabled mode apply () { - if [ $OS_RELEASE -eq 1 ]; then - apply_debian - elif [ $OS_RELEASE -eq 2 ]; then + if [ $OS_RELEASE -eq 2 ]; then apply_centos else - crit "Current OS is not support!" + apply_debian fi } 
diff --git a/bin/hardening/4.7_enable_selinux_policy.sh b/bin/hardening/4.7_enable_selinux_policy.sh index 69ddb6a..2c8d625 100755 --- a/bin/hardening/4.7_enable_selinux_policy.sh +++ b/bin/hardening/4.7_enable_selinux_policy.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian-audit for Debian GNU/Linux 9/10 or CentOS 8 Hardening +# harbian-audit for Debian GNU/Linux 9/10/11/12 or CentOS 8 Hardening # # @@ -48,13 +48,10 @@ audit_centos () { # This function will be called if the script status is on enabled / audit mode audit () { - if [ $OS_RELEASE -eq 1 ]; then - audit_debian - elif [ $OS_RELEASE -eq 2 ]; then + if [ $OS_RELEASE -eq 2 ]; then audit_centos else - crit "Current OS is not support!" - FNRET=44 + audit_debian fi } @@ -89,12 +86,10 @@ apply_centos () { # This function will be called if the script status is on enabled mode apply () { - if [ $OS_RELEASE -eq 1 ]; then - apply_debian - elif [ $OS_RELEASE -eq 2 ]; then + if [ $OS_RELEASE -eq 2 ]; then apply_centos else - crit "Current OS is not support!" + apply_debian fi } diff --git a/bin/hardening/4.8_disable_usb_devices.sh b/bin/hardening/4.8_disable_usb_devices.sh index 6b50299..395eb03 100755 --- a/bin/hardening/4.8_disable_usb_devices.sh +++ b/bin/hardening/4.8_disable_usb_devices.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian-audit for Debian GNU/Linux 9/10 or CentOS Hardening +# harbian-audit for Debian GNU/Linux 9/10/11/12 or CentOS Hardening # Modify by: Samson-W (samson@hardenedlinux.org) # @@ -57,13 +57,10 @@ audit_centos () { # This function will be called if the script status is on enabled / audit mode audit () { - if [ $OS_RELEASE -eq 1 ]; then - audit_debian - elif [ $OS_RELEASE -eq 2 ]; then + if [ $OS_RELEASE -eq 2 ]; then audit_centos else - crit "Current OS is not support!" - FNRET=44 + audit_debian fi } diff --git a/bin/hardening/5.1.2_disable_rsh.sh b/bin/hardening/5.1.2_disable_rsh.sh index 5c1cbb1..8470e0c 100755 --- a/bin/hardening/5.1.2_disable_rsh.sh +++ b/bin/hardening/5.1.2_disable_rsh.sh 
@@ -1,7 +1,7 @@ #!/bin/bash # -# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening +# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 or CentOS Hardening # Modify by: Samson-W (samson@hardenedlinux.org) # @@ -52,13 +52,10 @@ audit_centos () { } # This function will be called if the script status is on enabled / audit mode audit () { - if [ $OS_RELEASE -eq 1 ]; then - audit_debian - elif [ $OS_RELEASE -eq 2 ]; then + if [ $OS_RELEASE -eq 2 ]; then audit_centos else - crit "Current OS is not support!" - FNRET=44 + audit_debian fi } @@ -101,12 +98,10 @@ apply_centos () { # This function will be called if the script status is on enabled mode apply () { - if [ $OS_RELEASE -eq 1 ]; then - apply_debian - elif [ $OS_RELEASE -eq 2 ]; then + if [ $OS_RELEASE -eq 2 ]; then apply_centos else - crit "Current OS is not support!" + apply_debian fi } diff --git a/bin/hardening/5.1.4_disable_talk.sh b/bin/hardening/5.1.4_disable_talk.sh index 5d50cad..9bde0ba 100755 --- a/bin/hardening/5.1.4_disable_talk.sh +++ b/bin/hardening/5.1.4_disable_talk.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening +# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 or CentOS Hardening # Modify by: Samson-W (samson@hardenedlinux.org) # @@ -54,13 +54,10 @@ audit_centos () { # This function will be called if the script status is on enabled / audit mode audit () { - if [ $OS_RELEASE -eq 1 ]; then - audit_debian - elif [ $OS_RELEASE -eq 2 ]; then + if [ $OS_RELEASE -eq 2 ]; then audit_centos else - crit "Current OS is not support!" - FNRET=44 + audit_debian fi } @@ -105,12 +102,10 @@ apply_centos () { # This function will be called if the script status is on enabled mode apply () { - if [ $OS_RELEASE -eq 1 ]; then - apply_debian - elif [ $OS_RELEASE -eq 2 ]; then + if [ $OS_RELEASE -eq 2 ]; then apply_centos else - crit "Current OS is not support!" + apply_debian fi } # This function will check config parameters required 
diff --git a/bin/hardening/5.1.6_disable_telnet_server.sh b/bin/hardening/5.1.6_disable_telnet_server.sh index b2a7e56..e44e097 100755 --- a/bin/hardening/5.1.6_disable_telnet_server.sh +++ b/bin/hardening/5.1.6_disable_telnet_server.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening +# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 or CentOS Hardening # Modify by: Samson-W (samson@hardenedlinux.org) # @@ -53,13 +53,10 @@ audit_centos () { # This function will be called if the script status is on enabled / audit mode audit () { - if [ $OS_RELEASE -eq 1 ]; then - audit_debian - elif [ $OS_RELEASE -eq 2 ]; then + if [ $OS_RELEASE -eq 2 ]; then audit_centos else - crit "Current OS is not support!" - FNRET=44 + audit_debian fi } @@ -102,12 +99,10 @@ apply_centos () { # This function will be called if the script status is on enabled mode apply () { - if [ $OS_RELEASE -eq 1 ]; then - apply_debian - elif [ $OS_RELEASE -eq 2 ]; then + if [ $OS_RELEASE -eq 2 ]; then apply_centos else - crit "Current OS is not support!" + apply_debian fi } diff --git a/bin/hardening/6.17_ensure_virul_scan_server_is_enabled.sh b/bin/hardening/6.17_ensure_virul_scan_server_is_enabled.sh index a434640..f447b25 100755 --- a/bin/hardening/6.17_ensure_virul_scan_server_is_enabled.sh +++ b/bin/hardening/6.17_ensure_virul_scan_server_is_enabled.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian-audit for Debian GNU/Linux 7/8/9 Hardening +# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 Hardening # todo test for centos # @@ -18,7 +18,7 @@ VIRULSERVER_CENTOS='clamav-server clamav-data clamav-update clamav-filesystem cl # This function will be called if the script status is on enabled / audit mode audit () { - if [ $OS_RELEASE -eq 1 ]; then + if [ $OS_RELEASE -ne 2 ]; then if [ $(dpkg -l | grep -c $VIRULSERVER) -ge 1 ]; then if [ $(systemctl | grep $VIRULSERVER | grep -c "active running") -ne 1 ]; then crit "$VIRULSERVER is not runing" 
@@ -31,7 +31,8 @@ audit () { crit "$VIRULSERVER is not installed" FNRET=1 fi - elif [ $OS_RELEASE -eq 2 ]; then + #CentOS:OS_RELEASE -eq 2 + else if [ $(rpm -qa | grep -c clamd) -ge 1 ]; then ok "Clamav is installed" FNRET=0 @@ -39,33 +40,32 @@ audit () { crit "Clamav is not install" FNRET=1 fi - else - crit "Current OS is not support!" fi } # This function will be called if the script status is on enabled mode apply () { - if [ $OS_RELEASE -eq 1 ]; then + if [ $OS_RELEASE -ne 2 ]; then if [ $FNRET = 0 ]; then ok "$VIRULSERVER is enable" elif [ $FNRET = 1 ]; then - warn "Install $VIRULSERVER" - apt-get install -y $VIRULSERVER - else - warn "Start server $VIRULSERVER" - systemctl start $VIRULSERVER - fi - elif [ $OS_RELEASE -eq 2 ]; then - if [ $FNRET = 0 ]; then - ok "$VIRULSERVER_CENTOS is enable" - elif [ $FNRET = 1 ]; then - warn "Install $VIRULSERVER_CENTOS" - yum install -y $VIRULSERVER_CENTOS - else - warn "Start server $VIRULSERVER" - systemctl start $VIRULSERVER - fi + warn "Install $VIRULSERVER" + apt-get install -y $VIRULSERVER + else + warn "Start server $VIRULSERVER" + systemctl start $VIRULSERVER + fi + #Centos: OS_RELEASE -eq 2 + else + if [ $FNRET = 0 ]; then + ok "$VIRULSERVER_CENTOS is enable" + elif [ $FNRET = 1 ]; then + warn "Install $VIRULSERVER_CENTOS" + yum install -y $VIRULSERVER_CENTOS + else + warn "Start server $VIRULSERVER" + systemctl start $VIRULSERVER + fi fi } diff --git a/bin/hardening/6.18_ensure_virusscan_program_update_is_enabled.sh b/bin/hardening/6.18_ensure_virusscan_program_update_is_enabled.sh index 3422a06..e11b9cf 100755 --- a/bin/hardening/6.18_ensure_virusscan_program_update_is_enabled.sh +++ b/bin/hardening/6.18_ensure_virusscan_program_update_is_enabled.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian-audit for Debian GNU/Linux 9 Hardening +# harbian-audit for Debian GNU/Linux 9/10/11/12 Hardening # todo test for centos # 
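Review bot: In the re-indented CentOS arm of `apply ()` in 6.17, the fallback still logs `Start server $VIRULSERVER` and runs `systemctl start $VIRULSERVER`, while the rest of that arm uses `$VIRULSERVER_CENTOS`; `$VIRULSERVER` looks like the Debian service name, so on CentOS this would likely try to start a unit that does not exist. The CentOS arm of `audit ()` in the previous hunk only sets `FNRET` to 0 or 1, so this fallback may also be unreachable as written. Separately, `[ $OS_RELEASE -ne 2 ]` and `[ $FNRET = 0 ]` are unquoted: with an empty `OS_RELEASE` the test errors out and control drops to the `else` arm, which here is the `yum install` path, the opposite of what the `-eq 2` scripts in this commit do. Quoting the tests (`[ "$OS_RELEASE" -ne 2 ]`, `[ "$FNRET" = 0 ]`) and naming the CentOS service explicitly would make the branch predictable; `$VIRULSERVER_CENTOS` has to stay unquoted on the `yum install` line because it holds several package names.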
@@ -49,12 +49,10 @@ audit_centos () { # This function will be called if the script status is on enabled / audit mode audit () { - if [ $OS_RELEASE -eq 1 ]; then - audit_debian - elif [ $OS_RELEASE -eq 2 ]; then + if [ $OS_RELEASE -eq 2 ]; then audit_centos else - crit "Current OS is not support!" + audit_debian fi } @@ -81,12 +79,10 @@ apply_centos () { # This function will be called if the script status is on enabled mode apply () { - if [ $OS_RELEASE -eq 1 ]; then - apply_debian - elif [ $OS_RELEASE -eq 2 ]; then + if [ $OS_RELEASE -eq 2 ]; then apply_centos else - crit "Current OS is not support!" + apply_debian fi } diff --git a/bin/hardening/7.7.1_enable_firewall.sh b/bin/hardening/7.7.1_enable_firewall.sh index 0d7ca0e..38383c6 100755 --- a/bin/hardening/7.7.1_enable_firewall.sh +++ b/bin/hardening/7.7.1_enable_firewall.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening +# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 or CentOS Hardening # # @@ -76,13 +76,10 @@ audit_centos () { # This function will be called if the script status is on enabled / audit mode audit () { - if [ $OS_RELEASE -eq 1 ]; then - audit_debian - elif [ $OS_RELEASE -eq 2 ]; then + if [ $OS_RELEASE -eq 2 ]; then audit_centos else - crit "Current OS is not support!" - FNRET=44 + audit_debian fi } @@ -135,13 +132,10 @@ apply_centos () { # This function will be called if the script status is on enabled mode apply () { - if [ $OS_RELEASE -eq 1 ]; then - apply_debian - elif [ $OS_RELEASE -eq 2 ]; then + if [ $OS_RELEASE -eq 2 ]; then apply_centos else - crit "Current OS is not support!" - FNRET=44 + apply_debian fi } diff --git a/bin/hardening/8.1.27_record_Events_that_modify_conf_files.sh b/bin/hardening/8.1.27_record_Events_that_modify_conf_files.sh index 15f08a8..ff4d6c7 100755 --- a/bin/hardening/8.1.27_record_Events_that_modify_conf_files.sh +++ b/bin/hardening/8.1.27_record_Events_that_modify_conf_files.sh 
@@ -108,7 +108,7 @@ check_config() { -a always,exit -F path=/etc/audit/plugins.d/au-remote.conf -F perm=wa -k config_file_change -a always,exit -F path=/etc/logrotate.conf -F perm=wa -k config_file_change' # Debian - elif [ $OS_RELEASE -eq 1 ]; then + elif [ $OS_RELEASE -eq 1 -o $OS_RELEASE -eq 9 -o $OS_RELEASE -eq 10 -o $OS_RELEASE -eq 11 -o $OS_RELEASE -eq 12 ]; then AUDIT_PARAMS='-a always,exit -F path=/etc/audisp/audisp-remote.conf -F perm=wa -k config_file_change -a always,exit -F path=/etc/audit/auditd.conf -F perm=wa -k config_file_change -a always,exit -F path=/etc/default/grub -F perm=wa -k config_file_change diff --git a/bin/hardening/9.2.17_pam_password_sha512_unix.sh b/bin/hardening/9.2.17_pam_password_sha512_unix.sh index 9b9d3a4..337f236 100755 --- a/bin/hardening/9.2.17_pam_password_sha512_unix.sh +++ b/bin/hardening/9.2.17_pam_password_sha512_unix.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening +# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 or CentOS Hardening # # @@ -68,13 +68,10 @@ audit_centos () { # This function will be called if the script status is on enabled / audit mode audit () { - if [ $OS_RELEASE -eq 1 ]; then - audit_debian - elif [ $OS_RELEASE -eq 2 ]; then + if [ $OS_RELEASE -eq 2 ]; then audit_centos else - crit "Current OS is not support!" - FNRET=44 + audit_debian fi } @@ -121,12 +118,10 @@ apply_centos () { # This function will be called if the script status is on enabled mode apply () { - if [ $OS_RELEASE -eq 1 ]; then - apply_debian - elif [ $OS_RELEASE -eq 2 ]; then + if [ $OS_RELEASE -eq 2 ]; then apply_centos else - crit "Current OS is not support!" + apply_debian fi } # This function will check config parameters required
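Review bot: The extended `elif` in `check_config()` of 8.1.27 chains five comparisons with `-o` inside one `[ ]` and leaves `$OS_RELEASE` unquoted; `-o` is marked obsolescent by POSIX, and with an empty variable the test errors out instead of evaluating cleanly to false. This file now enumerates the Debian values while the other scripts in the commit treat anything other than 2 as Debian, so the two approaches can drift apart when another release is added. A quoted form such as `elif [[ "$OS_RELEASE" =~ ^(1|9|10|11|12)$ ]]; then` (assuming this script runs under bash like the others), or a single shared helper in the common library, would keep the list in one place. The opening `if` and the end of `check_config()` lie outside the hunk, so whether an unsupported value is rejected further down cannot be seen from here.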