tyler.durden
/
harbian-audit
mirror of https://github.com/hardenedlinux/harbian-audit.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add audit and apply methods for 9.3.20 9.3.21 9.2.15, modify 9.2.13 for compatible.

This commit is contained in:
Samson-W 2018-10-27 04:12:56 +08:00
parent 7cc05a4ad6
commit 72931d8844
5 changed files with 294 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
bin/hardening/9.2.13_enable_password_sha512.sh
View File

@ -19,7 +19,6 @@ PATTERN='^password.*pam_unix.so'
FILE='/etc/pam.d/common-password' FILE='/etc/pam.d/common-password'
KEYWORD='pam_unix.so' KEYWORD='pam_unix.so'
OPTIONNAME='sha512' OPTIONNAME='sha512'
CONDT_VAL=5
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
@ -32,7 +31,7 @@ audit () {
does_pattern_exist_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
check_password_option_by_pam $KEYWORD $OPTIONNAME check_password_option_by_pam $KEYWORD $OPTIONNAME $FILE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$OPTIONNAME is already configured" ok "$OPTIONNAME is already configured"
else else

86
bin/hardening/9.2.15_set_printlastlog_to_showfailed.sh Executable file
View File

@ -0,0 +1,86 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
#
#
# 9.2.15 Set login display the date and time of last fail logon (Scored)
# Authors : Samson wen, Samson <sccxboy@gmail.com>
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
PACKAGE='libpam-modules'
PATTERN='^session.*pam_lastlog.so'
FILE='/etc/pam.d/login'
KEYWORD='pam_lastlog.so'
OPTIONNAME='showfailed'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
FNRET=1
else
ok "$PACKAGE is installed"
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
check_password_option_by_pam $KEYWORD $OPTIONNAME $FILE
if [ $FNRET = 0 ]; then
ok "$OPTIONNAME is already configured"
else
crit "$OPTIONNAME is not configured $FNRET"
fi
else
crit "$PATTERN is not present in $FILE"
FNRET=2
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
elif [ $FNRET = 1 ]; then
warn "$PACKAGE is absent, installing it"
apt_install $PACKAGE
elif [ $FNRET = 2 ]; then
warn "$PATTERN is not present in $FILE"
add_line_file_before_pattern $FILE "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" "# pam-auth-update(8) for details."
elif [ $FNRET = 3 ]; then
crit "$FILE is not exist, please check"
elif [ $FNRET = 4 ]; then
warn "$OPTIONNAME is not conf in $FILE, add $OPTIONNAME "
add_option_to_session_check $FILE $KEYWORD $OPTIONNAME
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

93
bin/hardening/9.3.20_sshd_UsePrivilegeSeparation.sh Executable file
View File

@ -0,0 +1,93 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
#
#
# 9.3.20 Set SSHD UsePrivilegeSeparation to sandbox (Scored)
# Authors : Samson wen, Samson <sccxboy@gmail.com>
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
PACKAGE='openssh-server'
OPTIONS='UsePrivilegeSeparation=sandbox'
FILE='/etc/ssh/sshd_config'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
fi
done
fi
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE
fi
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi
/etc/init.d/ssh reload > /dev/null 2>&1
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

93
bin/hardening/9.3.21_sshd_compression.sh Executable file
View File

@ -0,0 +1,93 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
#
#
# 9.3.21 Set SSHD Compression to no (Scored)
# Authors : Samson wen, Samson <sccxboy@gmail.com>
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
PACKAGE='openssh-server'
OPTIONS='Compression=no'
FILE='/etc/ssh/sshd_config'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
fi
done
fi
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE
fi
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi
/etc/init.d/ssh reload > /dev/null 2>&1
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

23
lib/utils.sh
View File

@ -486,12 +486,12 @@ check_password_option_by_pam()
{ {
KEYWORD=$1 KEYWORD=$1
OPTION=$2 OPTION=$2
LOCATION=$3
LOCATION="/etc/pam.d/common-password"
#Example: #Example:
#KEYWORD="pam_unix.so" #KEYWORD="pam_unix.so"
#OPTION="sha512" #OPTION="sha512"
#LOCATION="/etc/pam.d/common-password"
if [ -f "$LOCATION" ];then if [ -f "$LOCATION" ];then
RESULT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' $LOCATION | grep "$KEYWORD.*$OPTION" | wc -l) RESULT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' $LOCATION | grep "$KEYWORD.*$OPTION" | wc -l)
@ -527,6 +527,25 @@ add_option_to_password_check()
sed -ie "s;\(^password.*$KEYWORD.*\);\1 $OPTIONSTR;" $PAMPWDFILE sed -ie "s;\(^password.*$KEYWORD.*\);\1 $OPTIONSTR;" $PAMPWDFILE
} }
# Add session check option
add_option_to_session_check()
{
#Example:
#local PAMPWDFILE="/etc/pam.d/login"
#local KEYWORD="pam_lastlog.so"
#local OPTIONSTR="showfailed"
local PAMPWDFILE=$1
local KEYWORD=$2
local OPTIONSTR=$3
debug "Setting $OPTIONSTR for $KEYWORD"
backup_file "$PAMPWDFILE"
# For example :
# password requisite pam_cracklib.so minlen=8 difok=3
# password requisite pam_cracklib.so minlen=8 difok=3 retry=3
sed -ie "s;\(^session.*$KEYWORD.*\);\1 $OPTIONSTR;" $PAMPWDFILE
}
# Add auth check option # Add auth check option
add_option_to_auth_check() add_option_to_auth_check()
{ {