From 72931d88449fd480784998b0ad0e0e27b4439191 Mon Sep 17 00:00:00 2001 From: Samson-W Date: Sat, 27 Oct 2018 04:12:56 +0800 Subject: [PATCH] Add audit and apply methods for 9.3.20 9.3.21 9.2.15, modify 9.2.13 for compatible. --- .../9.2.13_enable_password_sha512.sh | 3 +- .../9.2.15_set_printlastlog_to_showfailed.sh | 86 +++++++++++++++++ .../9.3.20_sshd_UsePrivilegeSeparation.sh | 93 +++++++++++++++++++ bin/hardening/9.3.21_sshd_compression.sh | 93 +++++++++++++++++++ lib/utils.sh | 23 ++++- 5 files changed, 294 insertions(+), 4 deletions(-) create mode 100755 bin/hardening/9.2.15_set_printlastlog_to_showfailed.sh create mode 100755 bin/hardening/9.3.20_sshd_UsePrivilegeSeparation.sh create mode 100755 bin/hardening/9.3.21_sshd_compression.sh diff --git a/bin/hardening/9.2.13_enable_password_sha512.sh b/bin/hardening/9.2.13_enable_password_sha512.sh index 3e230c9..a5ccb8d 100755 --- a/bin/hardening/9.2.13_enable_password_sha512.sh +++ b/bin/hardening/9.2.13_enable_password_sha512.sh @@ -19,7 +19,6 @@ PATTERN='^password.*pam_unix.so' FILE='/etc/pam.d/common-password' KEYWORD='pam_unix.so' OPTIONNAME='sha512' -CONDT_VAL=5 # This function will be called if the script status is on enabled / audit mode audit () { @@ -32,7 +31,7 @@ audit () { does_pattern_exist_in_file $FILE $PATTERN if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" - check_password_option_by_pam $KEYWORD $OPTIONNAME + check_password_option_by_pam $KEYWORD $OPTIONNAME $FILE if [ $FNRET = 0 ]; then ok "$OPTIONNAME is already configured" else diff --git a/bin/hardening/9.2.15_set_printlastlog_to_showfailed.sh b/bin/hardening/9.2.15_set_printlastlog_to_showfailed.sh new file mode 100755 index 0000000..ddd478f --- /dev/null +++ b/bin/hardening/9.2.15_set_printlastlog_to_showfailed.sh @@ -0,0 +1,86 @@ +#!/bin/bash + +# +# harbian audit 7/8/9 Hardening +# + +# +# 9.2.15 Set login display the date and time of last fail logon (Scored) +# Authors : Samson wen, Samson +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +HARDENING_LEVEL=3 + +PACKAGE='libpam-modules' +PATTERN='^session.*pam_lastlog.so' +FILE='/etc/pam.d/login' +KEYWORD='pam_lastlog.so' +OPTIONNAME='showfailed' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed!" + FNRET=1 + else + ok "$PACKAGE is installed" + does_pattern_exist_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + check_password_option_by_pam $KEYWORD $OPTIONNAME $FILE + if [ $FNRET = 0 ]; then + ok "$OPTIONNAME is already configured" + else + crit "$OPTIONNAME is not configured $FNRET" + fi + else + crit "$PATTERN is not present in $FILE" + FNRET=2 + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + elif [ $FNRET = 1 ]; then + warn "$PACKAGE is absent, installing it" + apt_install $PACKAGE + elif [ $FNRET = 2 ]; then + warn "$PATTERN is not present in $FILE" + add_line_file_before_pattern $FILE "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" "# pam-auth-update(8) for details." + elif [ $FNRET = 3 ]; then + crit "$FILE is not exist, please check" + elif [ $FNRET = 4 ]; then + warn "$OPTIONNAME is not conf in $FILE, add $OPTIONNAME " + add_option_to_session_check $FILE $KEYWORD $OPTIONNAME + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ -r /etc/default/cis-hardening ]; then + . /etc/default/cis-hardening +fi +if [ -z "$CIS_ROOT_DIR" ]; then + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." + exit 128 +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then + . $CIS_ROOT_DIR/lib/main.sh +else + echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" + exit 128 +fi diff --git a/bin/hardening/9.3.20_sshd_UsePrivilegeSeparation.sh b/bin/hardening/9.3.20_sshd_UsePrivilegeSeparation.sh new file mode 100755 index 0000000..3487362 --- /dev/null +++ b/bin/hardening/9.3.20_sshd_UsePrivilegeSeparation.sh @@ -0,0 +1,93 @@ +#!/bin/bash + +# +# harbian audit 7/8/9 Hardening +# + +# +# 9.3.20 Set SSHD UsePrivilegeSeparation to sandbox (Scored) +# Authors : Samson wen, Samson +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +HARDENING_LEVEL=2 + +PACKAGE='openssh-server' +OPTIONS='UsePrivilegeSeparation=sandbox' +FILE='/etc/ssh/sshd_config' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed!" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exist_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exist_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN is not present in $FILE, adding it" + does_pattern_exist_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + fi + /etc/init.d/ssh reload > /dev/null 2>&1 + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ -r /etc/default/cis-hardening ]; then + . /etc/default/cis-hardening +fi +if [ -z "$CIS_ROOT_DIR" ]; then + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." + exit 128 +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then + . $CIS_ROOT_DIR/lib/main.sh +else + echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" + exit 128 +fi diff --git a/bin/hardening/9.3.21_sshd_compression.sh b/bin/hardening/9.3.21_sshd_compression.sh new file mode 100755 index 0000000..6d2536b --- /dev/null +++ b/bin/hardening/9.3.21_sshd_compression.sh @@ -0,0 +1,93 @@ +#!/bin/bash + +# +# harbian audit 7/8/9 Hardening +# + +# +# 9.3.21 Set SSHD Compression to no (Scored) +# Authors : Samson wen, Samson +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +HARDENING_LEVEL=2 + +PACKAGE='openssh-server' +OPTIONS='Compression=no' +FILE='/etc/ssh/sshd_config' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed!" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exist_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exist_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN is not present in $FILE, adding it" + does_pattern_exist_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + fi + /etc/init.d/ssh reload > /dev/null 2>&1 + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ -r /etc/default/cis-hardening ]; then + . /etc/default/cis-hardening +fi +if [ -z "$CIS_ROOT_DIR" ]; then + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." + exit 128 +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then + . $CIS_ROOT_DIR/lib/main.sh +else + echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" + exit 128 +fi diff --git a/lib/utils.sh b/lib/utils.sh index cb4b3d9..16a3e55 100644 --- a/lib/utils.sh +++ b/lib/utils.sh @@ -486,12 +486,12 @@ check_password_option_by_pam() { KEYWORD=$1 OPTION=$2 - - LOCATION="/etc/pam.d/common-password" + LOCATION=$3 #Example: #KEYWORD="pam_unix.so" #OPTION="sha512" + #LOCATION="/etc/pam.d/common-password" if [ -f "$LOCATION" ];then RESULT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' $LOCATION | grep "$KEYWORD.*$OPTION" | wc -l) @@ -527,6 +527,25 @@ add_option_to_password_check() sed -ie "s;\(^password.*$KEYWORD.*\);\1 $OPTIONSTR;" $PAMPWDFILE } +# Add session check option +add_option_to_session_check() +{ + #Example: + #local PAMPWDFILE="/etc/pam.d/login" + #local KEYWORD="pam_lastlog.so" + #local OPTIONSTR="showfailed" + local PAMPWDFILE=$1 + local KEYWORD=$2 + local OPTIONSTR=$3 + debug "Setting $OPTIONSTR for $KEYWORD" + backup_file "$PAMPWDFILE" + # For example : + # password requisite pam_cracklib.so minlen=8 difok=3 + # password requisite pam_cracklib.so minlen=8 difok=3 retry=3 + sed -ie "s;\(^session.*$KEYWORD.*\);\1 $OPTIONSTR;" $PAMPWDFILE +} + + # Add auth check option add_option_to_auth_check() {