Merge pull request #9 from hardenedlinux/master

Update from the master
Samson.W 2019-08-31 18:08:42 +08:00 committed by GitHub
commit 7812833eba
153 changed files with 3251 additions and 1406 deletions


@ -31,6 +31,7 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening
$ git clone https://github.com/hardenedlinux/harbian-audit.git && cd harbian-audit
$ sudo cp debian/default /etc/default/cis-hardening
$ sudo sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
$ sudo bin/hardening.sh --init
```
### 对所有的安全检查项进行审计
```
@ -74,7 +75,11 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening
### 需要预装的软件
如果是使用的最小安装方式安装的Debian GNU/Linux系统在使用此项目之前需要安装如下的软件
```
sudo apt-get install -y bc net-tools
sudo apt-get install -y bc net-tools pciutils
```
如果系统是Redhat/CentOS在使用此项目前需要安装如下的软件包
```
sudo yum install -y bc net-tools pciutils NetworkManager
```
### 需要预先进行的配置


@ -34,6 +34,7 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening
$ git clone https://github.com/hardenedlinux/harbian-audit.git && cd harbian-audit
$ sudo cp debian/default /etc/default/cis-hardening
$ sudo sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
$ sudo bin/hardening.sh --init
$ sudo bin/hardening.sh --audit-all
hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/1.1_install_updates.sh
1.1_install_updates [INFO] Working on 1.1_install_updates
@ -70,9 +71,14 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening
### Pre-Install
If use Network install from a minimal CD to installed Debian GNU/Linux, need install bc package before use the hardening tool.
If use Network install from a minimal CD to installed Debian GNU/Linux, need install packages before use the hardening tool.
```
sudo apt-get install -y bc net-tools
sudo apt-get install -y bc net-tools pciutils network-manager
```
Redhat/CentOS need install packages before use the hardening tool:
```
sudo yum install -y bc net-tools pciutils NetworkManager
```
### Pre-Set
@ -155,8 +161,10 @@ This example only allows 192.168.1.[1-255] 192.168.5.[1-255] to access this syst
# sed -i "/^root/a\test ALL=(ALL:ALL) ALL" /etc/sudoers
```
4) Set basic iptables rules
4) Set basic firewall rules
Set the corresponding firewall rules according to the applications used. HardenedLinux community for Debian GNU/Linux basic firewall rules:
### Iptabels format rules:
[etc.iptables.rules.v4.sh](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/etc.iptables.rules.v4.sh)
to do the following:
```
@ -168,6 +176,14 @@ $ sudo -s
# ip6tables-save > /etc/iptables/rules.v6
```
### nft format rules:
[nftables.conf](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/etc.nftables.conf)
to do the following(your network interfacename(Example eth0)):
```
$ sed -i 's/^define int_if = ens33/define int_if = eth0/g' etc.nftables.conf
$ sudo nft -f ./etc.nftables.conf
```
5) Use the passwd command to change the passwords of all users, and change the password to a secure and reliable password entry with the same password complexity set by the pam_cracklib module.
## Special Note
@ -217,7 +233,9 @@ This document is a description of the additions to the sections not included in
### Manual Operation docs
[How to config grub2 password protection](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_config_grub2_password_protection.mkd)
[How to persistent iptables rules with debian 9](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_persistent_iptables_rules_with_debian_9.mkd)
[How to deploy audisp-remote for auditd log](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_deploy_audisp_remote_for_audit_log.mkd)
[How to deploy audisp-remote for auditd log](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_deploy_audisp_remote_for_audit_log.mkd)
[How to migrating from iptables to nftables in debian10](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_migrating_from_iptables_to_nftables_in_debian10.md)
[How to persistent nft rules with debian 10](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_persistent_nft_rules_with_debian_10.mkd)
### Use case docs
[Nodejs + redis + mysql demo](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/use-cases/nodejs-redis-mysql-usecase/README.md)


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit Debian 9 Hardening
# harbian audit Debian 9 / CentOS Hardening
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
# Authors : Samson wen, Samson <sccxboy@gmail.com>
@ -23,6 +23,7 @@ AUDIT_ALL_ENABLE_PASSED=0
ALLOW_SERVICE_LIST=0
SET_HARDENING_LEVEL=0
SUDO_MODE=''
INIT_G_CONFIG=0
usage() {
cat << EOF
@ -30,8 +31,12 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
--help -h
Show this help
--apply
--init
Initialize the global configuration file(/etc/default/cis-hardening) based
on the release version number.
--apply
Apply hardening for enabled scripts.
Beware that NO confirmation is asked whatsoever, which is why you're warmly
advised to use --audit before, which can be regarded as a dry-run mode.
@ -140,6 +145,9 @@ while [[ $# > 0 ]]; do
-h|--help)
usage
;;
--init)
INIT_G_CONFIG=1
;;
*)
usage
;;
@ -162,6 +170,30 @@ fi
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
if [ $INIT_G_CONFIG -eq 1 ]; then
if [ -r /etc/redhat-release ]; then
info "This OS is redhat/CentOS."
sed -i 's/^OS_RELEASE=.*/OS_RELEASE=2/g' /etc/default/cis-hardening
. /etc/default/cis-hardening
elif [ -r /etc/debian_version ]; then
info "This OS is Debian."
:
else
crit "This OS not support!"
exit 128
fi
exit 0
fi
if [ $OS_RELEASE -eq 1 ]; then
info "Start auditing for Debian."
elif [ $OS_RELEASE -eq 2 ]; then
info "Start auditing for redhat/CentOS."
else
crit "This OS not support!"
exit 128
fi
# If --allow-service-list is specified, don't run anything, just list the supported services
if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then
declare -a HARDENING_EXCEPTIONS_LIST
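Review bot: The OS dispatch at `if [ $OS_RELEASE -eq 1 ]; then` is unguarded: when the sourced config lacks OS_RELEASE (an older /etc/default/cis-hardening, or a Debian host where the --init branch deliberately writes nothing), `[` sees `-eq 1` with a missing operand and the script dies with a test error instead of reaching `crit "This OS not support!"`. Quoting with a default, `if [ "${OS_RELEASE:-0}" -eq 1 ]; then` (and the same on the elif), turns that into the intended message. It would also be cleaner for the Debian branch of --init to write `OS_RELEASE=1` explicitly rather than `:`, so --init yields a complete config regardless of what debian/default shipped; whether the shipped default already carries that line is not visible here. The `sed -i` in the redhat branch also edits the config before anything checks that the file exists, so a missing file surfaces as a sed error rather than a clear message.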


@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian audit Debian 9 Hardening
# harbian audit Debian 9/CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -13,8 +14,9 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=3
# This function will be called if the script status is on enabled / audit mode
audit () {
audit_debian ()
{
info "Checking if apt needs an update"
apt_update_if_needed
info "Fetching upgrades ..."
@ -28,16 +30,67 @@ audit () {
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET -gt 0 ]; then
audit_redhat ()
{
info "Checking if yum needs an update"
info "Fetching upgrades ..."
yum_check_updates
if [ $FNRET -eq 100 ]; then
crit "There are packages available for an update!"
elif [ $FNRET -eq 0 ]; then
ok "No upgrades available"
else
crit "Call yum_check_updates function error!"
fi
}
# This function will be called if the script status is on enabled / audit mode
audit ()
{
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
audit_redhat
else
crit "Current OS is not support!"
FNRET=44
fi
}
apply_debian ()
{
if [ $FNRET -eq 1 ]; then
info "Applying Upgrades..."
DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y
else
ok "No Upgrades to apply"
else
ok "No Upgrades to apply"
fi
}
apply_redhat ()
{
if [ $FNRET -eq 100 ]; then
info "Applying Upgrades..."
yum upgrade -y
elif [ $FNRET -eq 0 ]; then
ok "No Upgrades to apply"
else
crit "Call yum_check_updates function error!"
fi
}
# This function will be called if the script status is on enabled mode
apply ()
{
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
apply_redhat
else
crit "Current OS is not support!"
fi
}
# This function will check config parameters required
check_config() {
# No parameters for this function
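Review bot: `apply_debian` now tests `if [ $FNRET -eq 1 ]; then` where the replaced code tested `-gt 0`; if `audit_debian` (whose middle is outside this hunk) can leave FNRET at any other non-zero value, those cases now fall through to `ok "No Upgrades to apply"` without upgrading, and nothing in the commit explains the narrowing. Restoring `if [ $FNRET -gt 0 ]; then` keeps the old semantics, or a comment should state why 1 is the only failure code. In `audit_redhat` the line `info "Checking if yum needs an update"` is printed but no corresponding step runs before `yum_check_updates`; either drop it or note that the check is folded into `yum_check_updates` (exit status 100 meaning updates available, per the branch below). `apply` also lacks the `FNRET=44` that `audit` sets on an unsupported OS; setting it there too keeps the two entry points consistent.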


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit Debian 9 Hardening
# harbian audit Debian 9/CentOS Hardening
#
#
@ -14,9 +14,11 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2
OPTION='AllowUnauthenticated'
YUM_OPTION='gpgcheck'
YUM_CONF='/etc/yum.conf'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit_debian ()
{
if [ $(grep -v "^#" /etc/apt/ -r | grep -c "${OPTION}.*true") -gt 0 ]; then
crit "The signature of packages option is disable "
FNRET=1
@ -26,8 +28,37 @@ audit () {
fi
}
# This function will be called if the script status is on enabled mode
apply () {
audit_redhat ()
{
if [ $(grep -c "^$YUM_OPTION" $YUM_CONF) -gt 0 ]; then
if [ $(grep "^$YUM_OPTION" $YUM_CONF | awk -F"=" '{print $2}') -eq 1 ]; then
ok "The signature of packages option is enable "
FNRET=0
else
crit "The signature of packages option is disable "
FNRET=1
fi
else
crit "Option $YUM_OPTION is not set in $YUM_CONF!"
FNRET=2
fi
}
# This function will be called if the script status is on enabled / audit mode
audit ()
{
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
audit_redhat
else
crit "Current OS is not support!"
FNRET=44
fi
}
apply_debian () {
if [ $FNRET = 0 ]; then
ok "The signature of packages option is enable "
else
@ -39,6 +70,28 @@ apply () {
done
fi
}
apply_redhat () {
if [ $FNRET = 0 ]; then
ok "The signature of packages option is enable "
elif [ $FNRET = 1 ]; then
warn "Set to enabled signature of packages option"
sed -i "s/$YUM_OPTION=.*/$YUM_OPTION=1/g" $YUM_CONF
else
warn "Add $YUM_OPTION option to $YUM_CONF"
add_end_of_file $YUM_CONF "$YUM_OPTION=1"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
apply_redhat
else
crit "Current OS is not support!"
fi
}
# This function will check config parameters required
check_config() {
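Review bot: `apply_redhat`'s `sed -i "s/$YUM_OPTION=.*/$YUM_OPTION=1/g" $YUM_CONF` is unanchored, and with YUM_OPTION=gpgcheck the pattern also matches inside `repo_gpgcheck=0` and `localpkg_gpgcheck=0`, so applying this control silently flips those other settings as well; anchor it: `sed -i "s/^$YUM_OPTION=.*/$YUM_OPTION=1/" $YUM_CONF`. The audit side reads only /etc/yum.conf, while a `gpgcheck=0` in any /etc/yum.repos.d/*.repo section overrides the global value for that repository, so the check can report signatures as enabled while verification is actually off for a repo; a grep over the repo files for a per-repo override would close that gap (the same limitation applies to the repo_gpgcheck check in the 1.4 section below). `awk -F"=" '{print $2}'` feeds whatever it prints straight into `-eq 1`, so a duplicated key yields two words and a "too many arguments" test error that `if` then reads as "disable"; taking only the last match (`| tail -n1`) and trimming whitespace would make the parse robust — the same parsing appears in the 1.3 and 1.4 sections.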


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit Debian 9 Hardening
# harbian audit Debian 9/CentOS Hardening
#
#
@ -16,8 +16,10 @@ HARDENING_LEVEL=2
OPTION='no-debsig'
CONFFILE='/etc/dpkg/dpkg.cfg'
# This function will be called if the script status is on enabled / audit mode
audit () {
YUM_OPTION='localpkg_gpgcheck'
YUM_CONFFILE='/etc/yum.conf'
audit_debian () {
if [ $(grep -v "^#" ${CONFFILE} | grep -c ${OPTION}) -gt 0 ]; then
crit "The signature of local packages option is disable "
FNRET=1
@ -27,8 +29,36 @@ audit () {
fi
}
# This function will be called if the script status is on enabled mode
apply () {
audit_redhat ()
{
if [ $(grep -c "^$YUM_OPTION" $YUM_CONFFILE) -gt 0 ]; then
if [ $(grep "^$YUM_OPTION" $YUM_CONFFILE | awk -F"=" '{print $2}') -eq 1 ]; then
ok "The signature of packages option is enable "
FNRET=0
else
crit "The signature of packages option is disable "
FNRET=1
fi
else
crit "Option $YUM_OPTION is not set in $YUM_CONFFILE!"
FNRET=2
fi
}
# This function will be called if the script status is on enabled / audit mode
audit()
{
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
audit_redhat
else
crit "Current OS is not support!"
FNRET=44
fi
}
apply_debian () {
if [ $FNRET = 0 ]; then
ok "The signature of local packages option is enable "
else
@ -38,6 +68,29 @@ apply () {
fi
}
apply_redhat () {
if [ $FNRET = 0 ]; then
ok "The signature of packages option is enable "
elif [ $FNRET = 1 ]; then
warn "Set to enabled signature of packages option"
sed -i "s/$YUM_OPTION=.*/$YUM_OPTION=1/g" $YUM_CONFFILE
else
warn "Add $YUM_OPTION option to $YUM_CONFFILE"
add_end_of_file $YUM_CONFFILE "$YUM_OPTION=1"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
apply_redhat
else
crit "Current OS is not support!"
fi
}
# This function will check config parameters required
check_config() {
# No parameters for this function


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit Debian 9 Hardening
# harbian audit Debian 9/CentOS Hardening
#
#
@ -15,8 +15,10 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2
OPTION='AllowInsecureRepositories'
# This function will be called if the script status is on enabled / audit mode
audit () {
YUM_OPTION='repo_gpgcheck'
YUM_CONFFILE='/etc/yum.conf'
audit_debian () {
if [ $(grep -v "^#" /etc/apt/ -r | grep -c "${OPTION}.*true") -gt 0 ]; then
crit "The allow insecure repository when by apt update is enable"
FNRET=1
@ -26,8 +28,35 @@ audit () {
fi
}
# This function will be called if the script status is on enabled mode
apply () {
audit_redhat ()
{
if [ $(grep -c "^$YUM_OPTION" $YUM_CONFFILE) -gt 0 ]; then
if [ $(grep "^$YUM_OPTION" $YUM_CONFFILE | awk -F"=" '{print $2}') -eq 1 ]; then
ok "The allow insecure repository when by yum update is disable"
FNRET=0
else
crit "The signature of repodata option is disable "
FNRET=1
fi
else
crit "Option $YUM_OPTION is not set in $YUM_CONFFILE!"
FNRET=2
fi
}
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
audit_redhat
else
crit "Current OS is not support!"
FNRET=44
fi
}
apply_debian () {
if [ $FNRET = 0 ]; then
ok "The allow insecure repository when by apt update is disable"
else
@ -39,6 +68,28 @@ apply () {
fi
}
apply_redhat () {
if [ $FNRET = 0 ]; then
ok "The signature of repodata option is enable "
elif [ $FNRET = 1 ]; then
warn "Set to enabled signature of repodata option"
sed -i "s/$YUM_OPTION=.*/$YUM_OPTION=1/g" $YUM_CONFFILE
else
warn "Add $YUM_OPTION option to $YUM_CONFFILE"
add_end_of_file $YUM_CONFFILE "$YUM_OPTION=1"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
apply_redhat
else
crit "Current OS is not support!"
fi
}
# This function will check config parameters required
check_config() {
# No parameters for this function


@ -19,8 +19,8 @@ FILENAME1='shosts.equiv'
# This function will be called if the script status is on enabled / audit mode
audit () {
COUNT=$(find / -name "${FILENAME}" | wc -l)
COUNT1=$(find / -name "${FILENAME1}" | wc -l)
COUNT=$(find / -xdev -name "${FILENAME}" | wc -l)
COUNT1=$(find / -xdev -name "${FILENAME1}" | wc -l)
if [ "$COUNT" -ne 0 -o "$COUNT1" -ne 0 ]; then
crit "$FILENAME or $FILENAME1 file is exist on system."
FNRET=1
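Review bot: Adding `-xdev` to `find / -name "${FILENAME}"` stops the search at filesystem boundaries, so an `hosts.equiv`/`shosts.equiv` on a separate /home, /usr or /var mount is now missed and the control reports a clean system. If the intent is to skip network and pseudo filesystems rather than every mount point, the 2.17 section in this same commit already has the pattern: enumerate local mounts with `df --local -P | awk '{if (NR!=1) print $6}'` and run `find <mount> -xdev -name ...` on each. `audit ()` continues outside the hunk.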


@ -7,9 +7,10 @@
#
# 12.10 Find SUID System Executables (Not Scored)
#
# set -e # One error, it's over, for some user to audit desktop evn
set -e # One error, it's over
set -u # One variable unset, it's over
# One variable unset, it's over
set -u
HARDENING_LEVEL=2
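Review bot: Commenting out `set -e` (here and in the 12.11 section below) turns off fail-fast for the whole script to work around a failure the comment describes only as "for some user to audit desktop evn"; after this, a `find` or pipeline that errors part-way leaves the audit continuing on partial output and reporting a result as if the scan were complete. The failure that motivated it is better handled at the line that fails — for a `find` over paths the user cannot read, `2>/dev/null` plus an explicit `|| true` on that one command — so the rest of the script keeps aborting on unexpected errors. Keeping `set -e # One error, it's over` intact and adding the local guard would also keep 12.10 consistent with the other scripts in this commit, which all retain it. The print order in this hunk does not make the old/new side of each line fully certain; the reading above is taken from the 12.11 hunk, where it is.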


@ -8,8 +8,10 @@
# 12.11 Find SGID System Executables (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
#set -e # One error, it's over, for some user to audit desktop evn
# One variable unset, it's over
set -u
HARDENING_LEVEL=2


@ -1,8 +1,8 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
#
# harbian audit 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
# 2.17 Set Sticky Bit on All World-Writable Directories (Scored)
@ -24,6 +24,15 @@ audit () {
else
ok "All world writable directories have a sticky bit"
fi
# Check sticky dir group-owned is root
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type d ! -group root \( -perm -0002 -a -perm -1000 \) -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then
crit "Some world writable directories are sticky bit mode, but not group owned is root!"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT"
else
ok "All world writable directories have a sticky bit, and group owner is root."
fi
}
# This function will be called if the script status is on enabled mode
@ -34,6 +43,12 @@ apply () {
else
ok "All world writable directories have a sticky bit, nothing to apply"
fi
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type d ! -group root \( -perm -0002 -a -perm -1000 \) -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type d ! -group root \( -perm -0002 -a -perm -1000 \) -print 2>/dev/null | xargs chgrp root
else
ok "All world writable directories have a sticky bit, and group owner is root."
fi
}
# This function will check config parameters required
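Review bot: In `apply ()` the new `... -print 2>/dev/null | xargs chgrp root` hands the found paths to xargs as whitespace-separated words, so a directory whose name contains a space, quote or newline is split or mangled and `chgrp` runs on the wrong path; the audit side has the same weakness in `sed "s/ /\n/g" <<< $RESULT`, which cannot tell a space inside a name from a separator. Use NUL delimiters end to end: `-print0 2>/dev/null | xargs -0 chgrp root` in apply, and `-print0` with `tr '\0' '\n'` for the displayed list in audit. `chgrp` also runs without the `$SUDO_CMD` prefix that `find` gets, so if the script relies on that prefix for privilege the fix step fails with permission denied — presumably apply always runs as root, in which case the prefix on `find` is just noise. The `find` is run twice in apply, once to test and once to fix; reusing the already computed `$RESULT` avoids the second scan and the window between them.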


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit Debian 7/8/9 Hardening
# harbian audit Debian 7/8/9 or CentOS Hardening
# Modify by: Samson-W (sccxboy@gmail.com)
#
@ -17,7 +17,6 @@ HARDENING_LEVEL=2
# Quick factoring as many script use the same logic
PARTITION="/tmp"
TMPMOUNTNAME="tmp.mount"
TMPMOUNTO="/usr/share/systemd/tmp.mount"
# This function will be called if the script status is on enabled / audit mode
audit () {
@ -37,25 +36,20 @@ audit () {
fi
else
warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service"
if [ -e $TMPMOUNTO ]; then
if [ $(systemctl | grep -c "tmp.mount[[:space:]]*loaded[[:space:]]active[[:space:]]mounted") -eq 1 ]; then
ok "$TMPMOUNTNAME service is active!"
is_mounted "$PARTITION"
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted"
FNRET=3
else
ok "$PARTITION is mounted"
FNRET=0
fi
else
crit "$TMPMOUNTNAME service is not active!"
FNRET=4
if [ $(systemctl | grep -c "tmp.mount[[:space:]]*loaded[[:space:]]active[[:space:]]mounted") -eq 1 ]; then
ok "$TMPMOUNTNAME service is active!"
is_mounted "$PARTITION"
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted"
FNRET=3
else
ok "$PARTITION is mounted"
FNRET=0
fi
else
crit "$TMPMOUNTO is not exist!"
FNRET=1
fi
crit "$TMPMOUNTNAME service is not active!"
FNRET=4
fi
fi
}
@ -72,7 +66,7 @@ apply () {
$SUDO_CMD systemctl daemon-reload
$SUDO_CMD systemctl start "$TMPMOUNTNAME"
elif [ $FNRET = 4 ]; then
$SUDO_CMD systemctl enable "$TMPMOUNTO"
$SUDO_CMD systemctl enable "$TMPMOUNTNAME"
$SUDO_CMD systemctl daemon-reload
$SUDO_CMD systemctl start "$TMPMOUNTNAME"
fi
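Review bot: In `apply ()`, `$SUDO_CMD systemctl enable "$TMPMOUNTNAME"` now enables by unit name where the old code enabled by the path `$TMPMOUNTO` (/usr/share/systemd/tmp.mount), and the existence check for that file has been dropped from `audit ()` along with the variable. On Debian that path is outside systemd's unit search directories, which is presumably why it was enabled by path; if `tmp.mount` is not already present under /etc/systemd/system or /lib/systemd/system, `systemctl enable tmp.mount` fails with "Unit file does not exist", and if this script runs with `set -e` like its siblings that aborts the run. Consider keeping TMPMOUNTO and falling back to it on Debian: `if [ -e "$TMPMOUNTO" ]; then $SUDO_CMD systemctl enable "$TMPMOUNTO"; else $SUDO_CMD systemctl enable "$TMPMOUNTNAME"; fi`. `apply ()` starts outside the hunk, so whether the removed FNRET=1 branch had another consumer there is not visible.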


@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -20,11 +21,11 @@ audit () {
is_pkg_installed $SERVICE_NAME
if [ $FNRET = 0 ]; then
info "Checking if $SERVICE_NAME is enabled"
is_service_enabled $SERVICE_NAME
is_service_active $SERVICE_NAME
if [ $FNRET = 0 ]; then
crit "$SERVICE_NAME is enabled"
crit "$SERVICE_NAME is actived"
else
ok "$SERVICE_NAME is disabled"
ok "$SERVICE_NAME is inactived"
fi
else
ok "$SERVICE_NAME is not installed"
@ -35,21 +36,34 @@ audit () {
apply () {
is_pkg_installed $SERVICE_NAME
if [ $FNRET = 0 ]; then
info "Checking if $SERVICE_NAME is enabled"
is_service_enabled $SERVICE_NAME
info "Checking if $SERVICE_NAME is active"
is_service_active $SERVICE_NAME
if [ $FNRET = 0 ]; then
is_debian_9
if [ $OS_RELEASE -eq 2 ]; then
:
else
is_debian_9
fi
if [ $FNRET = 0 ]; then
info "Disabling $SERVICE_NAME"
systemctl stop $SERVICE_NAME
systemctl disable $SERVICE_NAME
apt-get -y purge --autoremove $SERVICE_NAME
if [ $OS_RELEASE -eq 2 ]; then
yum -y autoremove $SERVICE_NAME
else
apt-get -y purge --autoremove $SERVICE_NAME
fi
else
info "Disabling $SERVICE_NAME"
update-rc.d $SERVICE_NAME remove > /dev/null 2>&1
fi
else
ok "$SERVICE_NAME is disabled"
if [ $OS_RELEASE -eq 2 ]; then
yum -y autoremove $SERVICE_NAME
else
apt-get -y purge --autoremove $SERVICE_NAME
fi
fi
else
ok "$SERVICE_NAME is not installed"
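Review bot: `apply ()` now purges the package in the branch where `is_service_active` reports the service inactive (`yum -y autoremove` / `apt-get -y purge --autoremove` replacing `ok "$SERVICE_NAME is disabled"`), while `audit ()` in the hunk above reports `ok "$SERVICE_NAME is inactived"` for exactly that state — audit says the host is compliant, apply then removes software anyway. Either audit should treat an installed-but-inactive service as a finding, or apply should keep the old `ok` line, so the two modes agree on what the control requires. In the active branch, the CentOS path skips `is_debian_9` with `:` and then tests `$FNRET = 0` with the value left behind by `is_service_active`, which happens to be 0 there; writing `FNRET=0` instead of `:` makes that dependency explicit rather than accidental. `yum -y autoremove $SERVICE_NAME` also removes the package's no-longer-needed dependencies, which is wider than the `info "Disabling $SERVICE_NAME"` message suggests; a comment stating that intent would help.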


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit Debian 7/8/9 Hardening
# harbian audit Debian 7/8/9 or CentOS Hardening
# Modify by: Samson-W (sccxboy@gmail.com)
#
@ -17,8 +17,9 @@ HARDENING_LEVEL=2
# Quick factoring as many script use the same logic
PARTITION="/tmp"
OPTION="nodev"
SERVICEPATH="/usr/share/systemd/tmp.mount"
SERVICENAME="tmp.mount"
SERVICEPATH="/usr/share/systemd/tmp.mount"
REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
# This function will be called if the script status is on enabled / audit mode
audit () {
@ -45,8 +46,12 @@ audit () {
fi
else
warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service"
if [ -e $SERVICEPATH ]; then
has_mount_option_systemd $SERVICEPATH $OPTION
if [ -e $SERVICEPATH -o -e $REDHAT_SERVICEPATH ]; then
if [ $OS_RELEASE -eq 2 ]; then
has_mount_option_systemd $REDHAT_SERVICEPATH $OPTION
else
has_mount_option_systemd $SERVICEPATH $OPTION
fi
if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in systemd service!"
FNRET=3
@ -62,7 +67,11 @@ audit () {
fi
fi
else
crit "$TMPMOUNTO is not exist!"
if [ $OS_RELEASE -eq 2 ]; then
crit "$REDHAT_SERVICEPATH is not exist!"
else
crit "$SERVICEPATH is not exist!"
fi
FNRET=2
fi
fi
@ -86,7 +95,11 @@ apply () {
fi
elif [ $FNRET = 3 ]; then
info "Adding $OPTION to systemd"
add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME
if [ $OS_RELEASE -eq 2 ]; then
add_option_to_systemd $REDHAT_SERVICEPATH $OPTION $SERVICENAME
else
add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME
fi
remount_partition_by_systemd $SERVICENAME $PARTITION
elif [ $FNRET = 4 ]; then
info "Remounting $PARTITION from fstab"
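Review bot: The unit-file path is chosen by `if [ $OS_RELEASE -eq 2 ]` three separate times (audit existence branch, audit error branch, apply), and the gate `[ -e $SERVICEPATH -o -e $REDHAT_SERVICEPATH ]` accepts either path regardless of OS, so a Debian host where only /usr/lib/systemd/system/tmp.mount exists passes the gate and then calls `has_mount_option_systemd $SERVICEPATH $OPTION` on a missing file. Selecting the path once at the top of `audit ()` and `apply ()`, `[ "$OS_RELEASE" -eq 2 ] && SERVICEPATH=$REDHAT_SERVICEPATH`, and then testing `[ -e "$SERVICEPATH" ]` removes both the duplication and the cross-OS mismatch; the same structure is repeated in the nosuid and noexec sections that follow. Both functions start outside the hunk, so where exactly that assignment fits is not visible here.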


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit Debian 7/8/9 Hardening
# harbian audit Debian 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (sccxboy@gmail.com)
#
@ -19,6 +19,7 @@ PARTITION="/tmp"
OPTION="nosuid"
SERVICEPATH="/usr/share/systemd/tmp.mount"
SERVICENAME="tmp.mount"
REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
# This function will be called if the script status is on enabled / audit mode
audit () {
@ -45,8 +46,12 @@ audit () {
fi
else
warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service"
if [ -e $SERVICEPATH ]; then
has_mount_option_systemd $SERVICEPATH $OPTION
if [ -e $SERVICEPATH -o -e $REDHAT_SERVICEPATH ]; then
if [ $OS_RELEASE -eq 2 ]; then
has_mount_option_systemd $REDHAT_SERVICEPATH $OPTION
else
has_mount_option_systemd $SERVICEPATH $OPTION
fi
if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in systemd service!"
FNRET=3
@ -62,7 +67,11 @@ audit () {
fi
fi
else
crit "$TMPMOUNTO is not exist!"
if [ $OS_RELEASE -eq 2 ]; then
crit "$REDHAT_SERVICEPATH is not exist!"
else
crit "$SERVICEPATH is not exist!"
fi
FNRET=2
fi
fi
@ -86,7 +95,11 @@ apply () {
fi
elif [ $FNRET = 3 ]; then
info "Adding $OPTION to systemd"
add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME
if [ $OS_RELEASE -eq 2 ]; then
add_option_to_systemd $REDHAT_SERVICEPATH $OPTION $SERVICENAME
else
add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME
fi
remount_partition_by_systemd $SERVICENAME $PARTITION
elif [ $FNRET = 4 ]; then
info "Remounting $PARTITION from fstab"


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit Debian 7/8/9 Hardening
# harbian audit Debian 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (sccxboy@gmail.com)
#
@ -19,6 +19,7 @@ PARTITION="/tmp"
OPTION="noexec"
SERVICEPATH="/usr/share/systemd/tmp.mount"
SERVICENAME="tmp.mount"
REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
# This function will be called if the script status is on enabled / audit mode
audit () {
@ -45,8 +46,12 @@ audit () {
fi
else
warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service"
if [ -e $SERVICEPATH ]; then
has_mount_option_systemd $SERVICEPATH $OPTION
if [ -e $SERVICEPATH -o -e $REDHAT_SERVICEPATH ]; then
if [ $OS_RELEASE -eq 2 ]; then
has_mount_option_systemd $REDHAT_SERVICEPATH $OPTION
else
has_mount_option_systemd $SERVICEPATH $OPTION
fi
if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in systemd service!"
FNRET=3
@ -62,7 +67,11 @@ audit () {
fi
fi
else
crit "$TMPMOUNTO is not exist!"
if [ $OS_RELEASE -eq 2 ]; then
crit "$REDHAT_SERVICEPATH is not exist!"
else
crit "$SERVICEPATH is not exist!"
fi
FNRET=2
fi
fi
@ -86,7 +95,11 @@ apply () {
fi
elif [ $FNRET = 3 ]; then
info "Adding $OPTION to systemd"
add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME
if [ $OS_RELEASE -eq 2 ]; then
add_option_to_systemd $REDHAT_SERVICEPATH $OPTION $SERVICENAME
else
add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME
fi
remount_partition_by_systemd $SERVICENAME $PARTITION
elif [ $FNRET = 4 ]; then
info "Remounting $PARTITION from fstab"


@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -16,53 +17,87 @@ HARDENING_LEVEL=1
# Assertion : Grub Based.
FILE='/boot/grub/grub.cfg'
FILE_GRUB2='/boot/grub2/grub.cfg'
USER='root'
GROUP='root'
# This function will be called if the script status is on enabled / audit mode
audit () {
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
if [ $OS_RELEASE -eq 2 ]; then
has_file_correct_ownership $FILE_GRUB2 $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE_GRUB2 has correct ownership"
else
crit "$FILE_GRUB2 ownership was not set to $USER:$GROUP"
fi
else
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
info "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE
fi
if [ $OS_RELEASE -eq 2 ]; then
has_file_correct_ownership $FILE_GRUB2 $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE_GRUB2 has correct ownership"
else
info "fixing $FILE_GRUB2 ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE_GRUB2
fi
else
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
info "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE
fi
fi
}
# This function will check config parameters required
check_config() {
if [ $OS_RELEASE -eq 2 ]; then
is_pkg_installed "grub2-pc"
else
is_pkg_installed "grub-pc"
fi
if [ $FNRET != 0 ]; then
warn "Grub is not installed, not handling configuration"
exit 128
fi
is_pkg_installed "grub-pc"
if [ $FNRET != 0 ]; then
warn "Grub is not installed, not handling configuration"
exit 128
fi
does_user_exist $USER
if [ $FNRET != 0 ]; then
crit "$USER does not exist"
exit 128
fi
does_group_exist $GROUP
if [ $FNRET != 0 ]; then
crit "$GROUP does not exist"
exit 128
fi
does_file_exist $FILE
if [ $FNRET != 0 ]; then
crit "$FILE does not exist"
exit 128
fi
does_user_exist $USER
if [ $FNRET != 0 ]; then
crit "$USER does not exist"
exit 128
fi
does_group_exist $GROUP
if [ $FNRET != 0 ]; then
crit "$GROUP does not exist"
exit 128
fi
if [ $OS_RELEASE -eq 2 ]; then
does_file_exist $FILE_GRUB2
if [ $FNRET != 0 ]; then
crit "$FILE_GRUB2 does not exist"
exit 128
fi
else
does_file_exist $FILE
if [ $FNRET != 0 ]; then
crit "$FILE does not exist"
exit 128
fi
fi
}
# Source Root Dir Parameter
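Review bot: `audit ()`, `apply ()` and `check_config()` each branch on `$OS_RELEASE -eq 2` only to choose between `$FILE_GRUB2` and `$FILE`, duplicating every check and message twice; selecting the target once at the top of each function, `[ "$OS_RELEASE" -eq 2 ] && FILE=$FILE_GRUB2`, as the grub-permissions section of this same commit does, collapses each function back to its original body. On a UEFI CentOS install the live grub.cfg sits under /boot/efi/EFI/centos/ rather than /boot/grub2/, so the `does_file_exist $FILE_GRUB2` gate in `check_config` would `exit 128` there and the control would never be evaluated — hedged, since no UEFI handling is visible in this file either before or after the change. A comment at the `FILE_GRUB2` definition saying it covers BIOS-boot CentOS only would at least make that limit explicit.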


@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -16,10 +17,16 @@ HARDENING_LEVEL=1
# Assertion : Grub Based.
FILE='/boot/grub/grub.cfg'
PKGNAME='grub-pc'
PERMISSIONS='400'
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 2 ]; then
FILE='/boot/grub2/grub.cfg'
else
:
fi
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
@ -32,6 +39,11 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 2 ]; then
FILE='/boot/grub2/grub.cfg'
else
:
fi
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
@ -42,9 +54,16 @@ apply () {
# This function will check config parameters required
check_config() {
is_pkg_installed "grub-pc"
if [ $OS_RELEASE -eq 2 ]; then
FILE='/boot/grub2/grub.cfg'
PKGNAME='grub2-pc'
else
:
fi
is_pkg_installed "$PKGNAME"
if [ $FNRET != 0 ]; then
warn "grub-pc is not installed, not handling configuration"
warn "$PKGNAME is not installed, not handling configuration"
exit 128
fi
if [ $FNRET != 0 ]; then
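Review bot: The `else :` branches in `audit ()`, `apply ()` and `check_config()` are no-ops and can be dropped, leaving `if [ "$OS_RELEASE" -eq 2 ]; then FILE='/boot/grub2/grub.cfg'; fi`; the same empty branches appear in the grub-password section that follows. The reassignment is repeated in all three functions; since the point at which the config is sourced relative to these functions is outside the hunks, a small helper such as `select_grub_paths()` called at the top of each would keep a single copy. `FILE` and `PKGNAME` read as constants at their definitions, so a comment there — `# distro-specific; overridden for CentOS inside the functions below` — would warn a reader that they change at runtime.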


@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -14,11 +15,17 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=3
FILE='/boot/grub/grub.cfg'
PKGNAME='grub-pc'
USER_PATTERN="^set superusers"
PWD_PATTERN="^password_pbkdf2"
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 2 ]; then
FILE='/boot/grub2/grub.cfg'
else
:
fi
does_pattern_exist_in_file $FILE "$USER_PATTERN"
if [ $FNRET != 0 ]; then
crit "$USER_PATTERN not present in $FILE"
@ -35,6 +42,11 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 2 ]; then
FILE='/boot/grub2/grub.cfg'
else
:
fi
does_pattern_exist_in_file $FILE "$USER_PATTERN"
if [ $FNRET != 0 ]; then
warn "$USER_PATTERN not present in $FILE, please configure password for grub"
@ -52,9 +64,15 @@ apply () {
# This function will check config parameters required
check_config() {
is_pkg_installed "grub-pc"
if [ $OS_RELEASE -eq 2 ]; then
FILE='/boot/grub2/grub.cfg'
PKGNAME='grub2-pc'
else
:
fi
is_pkg_installed "$PKGNAME"
if [ $FNRET != 0 ]; then
warn "grub-pc is not installed, not handling configuration"
warn "$PKGNAME is not installed, not handling configuration"
exit 128
fi
if [ $FNRET != 0 ]; then


@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
#Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -17,9 +18,9 @@ LIMIT_FILE='/etc/security/limits.conf'
LIMIT_PATTERN='^\*[[:space:]]*hard[[:space:]]*core[[:space:]]*0$'
SYSCTL_PARAM='fs.suid_dumpable'
SYSCTL_EXP_RESULT=0
SERVICE_NAME='kdump'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit_debian () {
does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN
if [ $FNRET != 0 ]; then
crit "$LIMIT_PATTERN not present in $LIMIT_FILE"
@ -36,8 +37,30 @@ audit () {
fi
}
# This function will be called if the script status is on enabled mode
apply () {
audit_redhat () {
is_service_active $SERVICE_NAME
if [ $FNRET -eq 0 ]; then
crit "$SERVICE_NAME is actived"
FNRET=1
else
ok "$SERVICE_NAME is inactived"
FNRET=0
fi
}
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
audit_redhat
else
crit "Current OS is not support!"
FNRET=44
fi
}
apply_debian () {
does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN
if [ $FNRET != 0 ]; then
warn "$LIMIT_PATTERN not present in $LIMIT_FILE, adding at the end of $LIMIT_FILE"
@ -57,6 +80,27 @@ apply () {
}
apply_redhat () {
if [ $FNRET -eq 1 ]; then
info "Disabling $SERVICE_NAME"
systemctl stop $SERVICE_NAME
systemctl disable $SERVICE_NAME
else
ok "$SERVICE_NAME is disabled"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
apply_redhat
else
crit "Current OS is not support!"
fi
}
# This function will check config parameters required
check_config() {
:
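Review bot: `audit_redhat` replaces the limits.conf and `fs.suid_dumpable` checks with a test of whether the kdump service is active, so on CentOS the control no longer verifies core-dump restriction at all: a host with no `* hard core 0` line and `fs.suid_dumpable=1` passes as long as kdump is stopped, and `apply_redhat` remediates only the service. The checks `audit_debian` performs (`does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN` and the sysctl comparison, part of which is outside this hunk) are not Debian-specific and should run on both distributions, with the kdump test added on top for CentOS rather than substituted; `apply_redhat` could then reuse `apply_debian`'s remediation as well. `audit_redhat` also sets FNRET=1 for "active", the opposite sense of the 0 returned by `is_service_active`; that is what `apply_redhat` expects, but a one-line comment saying so would save the next reader a double-take.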


@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -28,16 +29,26 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
/usr/sbin/prelink -ua
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
:
if [ $OS_RELEASE -eq 2 ]; then
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
"$(which $PACKAGE)" -ua
yum autoremove $PACKAGE -y
else
ok "$PACKAGE is absent"
fi
elif [ $OS_RELEASE -eq 1 ]; then
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
/usr/sbin/prelink -ua
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
else
crit "Current OS is not support!"
fi
}
# This function will check config parameters required
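Review bot: `"$(which $PACKAGE)" -ua` in the new RedHat branch of `apply` executes an empty quoted string when `which` finds nothing, and since these scripts run under `set -e` the apply aborts before `yum` removes the package, leaving prelinked binaries in place for any integrity checker. The Debian branch directly below calls `/usr/sbin/prelink -ua`; the same fixed path, or `PRELINK_BIN=$(command -v prelink) || PRELINK_BIN=/usr/sbin/prelink` followed by `"$PRELINK_BIN" -ua`, avoids both the `which` dependency and the empty-command case. The bare `:` that opens the new body looks like a leftover placeholder and can be dropped.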


@ -1,11 +1,12 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
#
# harbian audit 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# todo: SELinux
#
# 4.5 Activate AppArmor (Scored)
# 4.5 Activate AppArmor/SELinux (Scored)
# Add by Author : Samson wen, Samson <sccxboy@gmail.com>
#
@ -20,8 +21,7 @@ PATTERN="apparmor=1[[:space:]]*security=apparmor"
SETSTRING="apparmor=1 security=apparmor"
GRUBFILE='/etc/default/grub'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit_debian () {
for PACKAGE in ${PACKAGES}
do
is_pkg_installed $PACKAGE
@ -49,8 +49,24 @@ audit () {
fi
}
# This function will be called if the script status is on enabled mode
apply () {
# Todo
audit_redhat () {
:
}
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
audit_redhat
else
crit "Current OS is not support!"
FNRET=44
fi
}
apply_debian () {
if [ $FNRET = 0 ]; then
ok "AppArmor profiles is enable in the system "
elif [ $FNRET = 1 ]; then
@ -69,6 +85,22 @@ apply () {
fi
}
# Todo
apply_redhat () {
:
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
apply_redhat
else
crit "Current OS is not support!"
fi
}
# This function will check config parameters required
check_config() {
:
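Review bot: `audit_redhat` and `apply_redhat` are `:` stubs, so on CentOS the dispatcher runs them without emitting any `ok`/`warn` line and without assigning `$FNRET`, and the 4.5 result is whatever value `$FNRET` happened to hold before (how `lib/main.sh` interprets that is not visible here). Until the SELinux check exists, `warn "SELinux check is not implemented yet"` plus an explicit `FNRET=1` in `audit_redhat` would keep the report from silently treating mandatory access control as verified. The `# todo: SELinux` header already flags the gap; the stub is the place where a reader will look for it.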


@ -1,11 +1,13 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening /
# harbian audit 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
# 4.6 Disable USB Devices
# TODO test
#
set -e # One error, it's over
@ -18,8 +20,11 @@ PATTERN='ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{auth
FILES_TO_SEARCH='/etc/udev/rules.d'
FILE='/etc/udev/rules.d/CIS_4.6_usb_devices.conf'
# This function will be called if the script status is on enabled / audit mode
audit () {
BLACKRULEPATTERN='^blacklist[[:blank:]].*usb-storage'
BLACKRULE='blacklist usb-storage'
BLACKCONFILE='/etc/modprobe.d/blacklist.conf'
audit_debian () {
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
if [ $SEARCH_RES = 1 ]; then break; fi
@ -50,6 +55,22 @@ audit () {
fi
}
audit_redhat () {
:
}
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
audit_redhat
else
crit "Current OS is not support!"
FNRET=44
fi
}
# This function will be called if the script status is on enabled mode
apply () {
SEARCH_RES=0
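Review bot: `audit` is split into `audit_debian`/`audit_redhat`, but `apply ()` below is left unsplit, so on CentOS the audit stub reports nothing while `apply` still runs the Debian udev-rule logic against `/etc/udev/rules.d`; the other files in this commit mirror the split with `apply_debian`/`apply_redhat` and an `$OS_RELEASE` dispatcher, and this file should do the same. The new `BLACKRULEPATTERN`/`BLACKRULE`/`BLACKCONFILE` variables are not referenced in any visible hunk; if they are meant for the RedHat path, `audit_redhat` does not use them yet, and if not, a comment saying what they are for would help. The body of `apply` continues outside the hunk.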


@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -14,10 +15,14 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=3
PACKAGE='nis'
PACKAGE_REDHAT='ypserv'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $OS_RELEASE -eq 2 ]; then
PACKAGE=$PACKAGE_REDHAT
fi
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed!"
else
@ -28,11 +33,18 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGE=$PACKAGE_REDHAT
fi
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
if [ $OS_RELEASE -eq 2 ]; then
yum -y autoremove $PACKAGE
else
apt-get purge $PACKAGE -y
apt-get autoremove
fi
else
ok "$PACKAGE is absent"
fi


@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -15,11 +16,11 @@ HARDENING_LEVEL=2
# Based on aptitude search '~Prsh-server'
PACKAGES='rsh-server rsh-redone-server heimdal-servers'
PACKAGE_REDHAT='rsh-server'
FILE='/etc/inetd.conf'
PATTERN='^(shell|login|exec)'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit_debian () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
@ -41,8 +42,27 @@ audit () {
done
}
# This function will be called if the script status is on enabled mode
apply () {
audit_redhat () {
is_pkg_installed $PACKAGE_REDHAT
if [ $FNRET = 0 ]; then
crit "$PACKAGE_REDHAT is installed!"
else
ok "$PACKAGE_REDHAT is absent"
fi
}
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
audit_redhat
else
crit "Current OS is not support!"
FNRET=44
fi
}
apply_debian () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
@ -70,6 +90,27 @@ apply () {
done
}
apply_redhat () {
is_pkg_installed $PACKAGE_REDHAT
if [ $FNRET = 0 ]; then
crit "$PACKAGE_REDHAT is installed, purging it"
yum -y remove $PACKAGE_REDHAT
else
ok "$PACKAGE_REDHAT is absent"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
apply_redhat
else
crit "Current OS is not support!"
fi
}
# This function will check config parameters required
check_config() {
:
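Review bot: `audit_redhat` checks only whether `$PACKAGE_REDHAT` is installed, while `audit_debian` additionally inspects `$FILE` for `$PATTERN` (the `FILE`/`PATTERN` definitions stay in the file), so on RedHat the service configuration is never examined and an rsh service enabled through the inetd/xinetd configuration is not reported. The same asymmetry appears in the talk-server and telnet-server sections further down. If this is deliberate because the RedHat packages are configured elsewhere, a one-line comment on each `audit_redhat` stating that would save the next reader from assuming the check is incomplete.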


@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -18,28 +19,36 @@ PACKAGES='rsh-client rsh-redone-client heimdal-clients'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed"
else
ok "$PACKAGE is absent"
fi
done
if [ $OS_RELEASE -eq 2 ]; then
ok "Redhat or CentOS does not have this check, so PASS"
else
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed"
else
ok "$PACKAGE is absent"
fi
done
fi
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, purging"
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
done
if [ $OS_RELEASE -eq 2 ]; then
ok "Redhat or CentOS does not have this check, so PASS"
else
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, purging"
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
done
fi
}
# This function will check config parameters required
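Review bot: `ok "Redhat or CentOS does not have this check, so PASS"` reports compliance for a check that was not performed, so the RedHat report shows a green result where nothing was verified; `info` or `warn` with the same text keeps the skip visible. CentOS does ship an `rsh` client package, so the claim that the check does not apply may not hold; confirm before leaving it as a pass. The same pattern is used in the imap/pop and snmp sections below and the note applies there too.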


@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -16,9 +17,9 @@ HARDENING_LEVEL=2
PACKAGES='inetutils-talkd talkd'
FILE='/etc/inetd.conf'
PATTERN='^(talk|ntalk)'
PACKAGES_REDHAT='talk-server'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit_debian () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
@ -40,8 +41,30 @@ audit () {
done
}
# This function will be called if the script status is on enabled mode
apply () {
audit_redhat () {
for PACKAGE in $PACKAGES_REDHAT; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed"
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
audit_redhat
else
crit "Current OS is not support!"
FNRET=44
fi
}
apply_debian () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
@ -69,6 +92,28 @@ apply () {
done
}
apply_redhat () {
for PACKAGE in $PACKAGES_REDHAT; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
yum remove $PACKAGE -y
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
apply_redhat
else
crit "Current OS is not support!"
fi
}
# This function will check config parameters required
check_config() {
:


@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -14,9 +15,13 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2
PACKAGES='talk inetutils-talk'
PACKAGES_REDHAT='talk'
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
@ -29,12 +34,19 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, purging"
apt-get purge $PACKAGE -y
apt-get autoremove
if [ $OS_RELEASE -eq 2 ]; then
yum remove $PACKAGE -y
else
apt-get purge $PACKAGE -y
apt-get autoremove
fi
else
ok "$PACKAGE is absent"
fi


@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -17,9 +18,9 @@ HARDENING_LEVEL=2
PACKAGES='telnetd inetutils-telnetd telnetd-ssl krb5-telnetd heimdal-servers'
FILE='/etc/inetd.conf'
PATTERN='^telnet'
PACKAGE_REDHAT='telnet-server'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit_debian () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
@ -41,8 +42,28 @@ audit () {
done
}
# This function will be called if the script status is on enabled mode
apply () {
audit_redhat () {
is_pkg_installed $PACKAGE_REDHAT
if [ $FNRET = 0 ]; then
crit "$PACKAGE_REDHAT is installed"
else
ok "$PACKAGE_REDHAT is absent"
fi
}
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
audit_redhat
else
crit "Current OS is not support!"
FNRET=44
fi
}
apply_debian () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
@ -70,6 +91,27 @@ apply () {
done
}
apply_redhat () {
is_pkg_installed $PACKAGE_REDHAT
if [ $FNRET = 0 ]; then
crit "$PACKAGE_REDHAT is installed, purging it"
yum remove $PACKAGE_REDHAT -y
else
ok "$PACKAGE_REDHAT is absent"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
apply_redhat
else
crit "Current OS is not support!"
fi
}
# This function will check config parameters required
check_config() {
:


@ -1,11 +1,12 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
# 5.1.8 Ensure xinetd is not enabled (Scored)
# 5.1.7 Ensure xinetd is not enabled (Scored)
#
set -e # One error, it's over
@ -14,9 +15,13 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=3
PACKAGES='openbsd-inetd xinetd rlinetd'
PACKAGES_REDHAT='xinetd'
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
@ -29,12 +34,19 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, purging"
apt-get purge $PACKAGE -y
apt-get autoremove
if [ $OS_RELEASE -eq 2 ]; then
yum remove $PACKAGE -y
else
apt-get purge $PACKAGE -y
apt-get autoremove
fi
else
ok "$PACKAGE is absent"
fi
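Review bot: The header is renumbered from 5.1.8 to 5.1.7, which is the number of the tftp-server check deleted in this commit, and the chargen, daytime, echo, discard and time inetd checks are deleted below as well; unless a consolidated replacement exists outside this view, the commit reduces coverage of legacy inetd services without saying so. The commit message should state where those checks moved, or the deletions should be reconsidered. The remainder of `apply` continues outside the hunk.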


@ -1,93 +0,0 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
#
#
# 5.1.7 Ensure tftp-server is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
PACKAGES='tftpd tftpd-hpa atftpd'
FILE='/etc/inetd.conf'
PATTERN='^tftp'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, checking configuration"
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, $PACKAGE services are enabled!"
else
ok "$PATTERN is not present in $FILE"
fi
fi
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN is not present in $FILE"
fi
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi


@ -1,74 +0,0 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
#
#
# 5.2 Ensure chargen is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
FILE='/etc/inetd.conf'
PATTERN='^chargen'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, chargen service is enabled!"
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi


@ -1,11 +1,11 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
#
#
# 5.7 Install screen (Scored)
# 5.2 Install screen (Scored)
# Author : Samson wen, Samson <sccxboy@gmail.com>
#
@ -33,7 +33,11 @@ apply () {
ok "$PACKAGE is installed"
else
warn "$PACKAGE is absent, installing it"
apt_install $PACKAGE
if [ $OS_RELEASE -eq 2 ]; then
yum install -y $PACKAGE
else
apt_install $PACKAGE
fi
fi
}


@ -1,74 +0,0 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
#
#
# 5.3 Ensure daytime is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
FILE='/etc/inetd.conf'
PATTERN='^daytime'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, daytime service is enabled!"
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi


@ -1,11 +1,11 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
#
#
# 5.8 Ensure openssh server is enabled (Scored)
# 5.3 Ensure openssh server is enabled (Scored)
# Author : Samson wen, Samson <sccxboy@gmail.com>
#
@ -15,7 +15,8 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2
PACKAGES='openssh-server openssh-client'
SERVICE_NAME='ssh.service'
SERVICE_NAME_REDHAT='sshd.service'
# This function will be called if the script status is on enabled / audit mode
audit () {
@ -28,6 +29,15 @@ audit () {
ok "$PACKAGE is installed"
fi
done
if [ $OS_RELEASE -eq 2 ]; then
SERVICE_NAME=$SERVICE_NAME_REDHAT
fi
is_service_active $SERVICE_NAME
if [ $FNRET = 0 ]; then
ok "$SERVICE_NAME is actived"
else
crit "$SERVICE_NAME is inactive"
fi
}
# This function will be called if the script status is on enabled mode
@ -39,9 +49,25 @@ apply () {
ok "$PACKAGE is installed"
else
warn "$PACKAGE is absent, installing it"
apt_install $PACKAGE
if [ $OS_RELEASE -eq 2 ]; then
yum install -y $PACKAGE
else
apt_install $PACKAGE
fi
fi
done
if [ $OS_RELEASE -eq 2 ]; then
SERVICE_NAME=$SERVICE_NAME_REDHAT
fi
is_service_active $SERVICE_NAME
if [ $FNRET = 0 ]; then
ok "$SERVICE_NAME is actived"
else
warn "$SERVICE_NAME is inactive, set enable this service"
systemctl enable $SERVICE_NAME
systemctl daemon-reload
systemctl start $SERVICE_NAME
fi
}
# This function will check config parameters required
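Review bot: The `if [ $OS_RELEASE -eq 2 ]; then SERVICE_NAME=$SERVICE_NAME_REDHAT; fi` block is duplicated verbatim in `audit` and `apply`; it can run once at file scope right after the `SERVICE_NAME_REDHAT` assignment, so both functions read the already-resolved name. In `apply` the three `systemctl` calls run under `set -e`, so a failing `systemctl start` aborts the script without the `crit` line a reader of the report would expect; `systemctl start $SERVICE_NAME || crit "failed to start $SERVICE_NAME"` keeps the outcome visible.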


@ -1,11 +1,11 @@
#!/bin/bash
#
# harbian audit 9 Hardening
# harbian audit 9 or CentOS Hardening
#
#
# 5.9 Ensure ctrl-alt-del is disabled (Scored)
# 5.4 Ensure ctrl-alt-del is disabled (Scored)
# Author : Samson wen, Samson <sccxboy@gmail.com>
#


@ -1,74 +0,0 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
#
#
# 5.4 Ensure echo is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
FILE='/etc/inetd.conf'
PATTERN='^echo'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, echo service is enabled!"
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi


@ -1,74 +0,0 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
#
#
# 5.5 Ensure discard is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
FILE='/etc/inetd.conf'
PATTERN='^discard'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, discard service is enabled!"
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi


@ -1,74 +0,0 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
#
#
# 5.6 Ensure time is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
FILE='/etc/inetd.conf'
PATTERN='^time'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, time service is enabled!"
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi


@ -1,11 +1,13 @@
#!/bin/bash
#
# harbian audit 9 Hardening
# harbian audit 9 or CentOS Hardening
#
#
# 5.10 Ensure sudo is installed (Scored)
# 5.8 Ensure sudo is installed (Scored)
# Add feature:
# Ensure sudo log file is set to /var/log/sudo.log
# Add new by:
# Author : Samson wen, Samson <sccxboy@gmail.com>
#
@ -16,27 +18,46 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2
PACKAGE='sudo'
CONFIGFILE='/etc/sudoers'
LOGFILENAME='/var/log/sudo.log'
LOGFILENAME_REP='\/var\/log\/sudo.log'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
FNRET=1
FNRET=1
else
ok "$PACKAGE is installed"
FNRET=0
fi
if [ $(grep -c "^Defaults.*logfile=" $CONFIGFILE) -eq 1 ]; then
if [ $(grep "^Defaults.*logfile=" $CONFIGFILE | grep -c "$LOGFILENAME") -eq 1 ]; then
ok "Log file is set to $LOGFILENAME in $CONFIGFILE"
FNRET=0
else
crit "Log file path was set, but is not set to $LOGFILENAME"
FNRET=3
fi
else
crit "sudo Log file is not set in $CONFIGFILE"
FNRET=2
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
elif [ $FNRET = 1 ]; then
warn "$PACKAGE is absent, installing it"
apt_install $PACKAGE
elif [ $FNRET = 2 ]; then
warn "sudo Log file is not set in $CONFIGFILE, add set to"
add_end_of_file $CONFIGFILE "Defaults logfile="$LOGFILENAME""
else
warn "Log file path was set, but is not set to $LOGFILENAME, modify"
replace_in_file $CONFIGFILE "logfile=.*" "logfile=$LOGFILENAME_REP"
fi
}
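Review bot: `apply` edits `$CONFIGFILE` (/etc/sudoers) in place with `add_end_of_file` and `replace_in_file` without validating the result; a malformed sudoers disables sudo for every user, so each edit should be preceded by `backup_file $CONFIGFILE` and followed by `visudo -cf $CONFIGFILE`, restoring the backup when the check fails. The replacement pattern `logfile=.*` is greedy and discards anything after the logfile value on that `Defaults` line, so a line such as `Defaults logfile=/x,other_option` loses its trailing option; `logfile=[^,[:space:]]*` limits the match to the value. The audit's `grep -c ... -eq 1` also treats two matching `Defaults` lines as "not set", and only /etc/sudoers is inspected, not the files under /etc/sudoers.d.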


@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -16,9 +17,13 @@ HARDENING_EXCEPTION=http
# Based on aptitude search '~Phttpd'
PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd'
PACKAGES_REDHAT='httpd pcp-pmda-nginx'
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
@ -35,6 +40,9 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
@ -42,8 +50,12 @@ apply () {
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE
apt-get autoremove
if [ $OS_RELEASE -eq 2 ]; then
yum autoremove $PACKAGE
else
apt-get purge $PACKAGE
apt-get autoremove
fi
fi
else
ok "$PACKAGE is absent"
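Review bot: `yum autoremove $PACKAGE` in the new RedHat branch of `apply` has no `-y`, unlike the yum calls added in the other files of this commit; in a non-interactive run yum prompts, exits without removing the package, and under `set -e` the script aborts with the web server still installed. `yum -y autoremove $PACKAGE` matches the other files. The pre-existing `apt-get purge $PACKAGE` on the Debian side has the same gap and could take `-y` in the same change.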


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9 or CentOS Hardening
#
#
@ -19,36 +19,44 @@ PACKAGES='citadel-server courier-imap cyrus-imapd-2.4 dovecot-imapd mailutils-im
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
if [ $ISEXCEPTION -eq 1 ]; then
warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!"
else
crit "$PACKAGE is installed!"
fi
else
ok "$PACKAGE is absent"
fi
done
if [ $OS_RELEASE -eq 2 ]; then
ok "Redhat or CentOS does not have this check, so PASS"
else
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
if [ $ISEXCEPTION -eq 1 ]; then
warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!"
else
crit "$PACKAGE is installed!"
fi
else
ok "$PACKAGE is absent"
fi
done
fi
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
if [ $ISEXCEPTION -eq 1 ]; then
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
fi
else
ok "$PACKAGE is absent"
fi
done
if [ $OS_RELEASE -eq 2 ]; then
ok "Redhat or CentOS does not have this check, so PASS"
else
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
if [ $ISEXCEPTION -eq 1 ]; then
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
fi
else
ok "$PACKAGE is absent"
fi
done
fi
}
# This function will create the config file for this check with default values


@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -41,8 +42,12 @@ apply () {
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
if [ $OS_RELEASE -eq 2 ]; then
yum autoremove $PACKAGE -y
else
apt-get purge $PACKAGE -y
apt-get autoremove
fi
fi
else
ok "$PACKAGE is absent"


@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -15,9 +16,13 @@ HARDENING_LEVEL=3
HARDENING_EXCEPTION=http
PACKAGES='squid3 squid'
PACKAGES_REDHAT='squid gssproxy haproxy'
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
@ -34,6 +39,9 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
@ -41,8 +49,12 @@ apply () {
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
if [ $OS_RELEASE -eq 2 ]; then
yum autoremove $PACKAGE -y
else
apt-get purge $PACKAGE -y
apt-get autoremove
fi
fi
else
ok "$PACKAGE is absent"
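Review bot: `PACKAGES_REDHAT='squid gssproxy haproxy'` (L2535) lists gssproxy, which is a GSSAPI/Kerberos credential proxy rather than an HTTP proxy, and `yum autoremove gssproxy -y` in apply() will also remove whatever depends on it — on RHEL/CentOS 7 that plausibly includes the Kerberised NFS client stack, so confirm before this ships. haproxy is a TCP/HTTP load balancer a site may run on purpose; if it is meant to be caught by an HTTP-proxy check, the script header should say so. Suggest `PACKAGES_REDHAT='squid'` unless the extra entries are intentional, in which case a comment naming why each is treated as an HTTP proxy belongs above the assignment. audit() and apply() continue outside the hunks.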


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9 or CentOS Hardening
#
#
@ -18,35 +18,43 @@ PACKAGES='snmpd'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
if [ $ISEXCEPTION -eq 1 ]; then
warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!"
else
crit "$PACKAGE is installed!"
fi
else
ok "$PACKAGE is absent"
fi
done
if [ $OS_RELEASE -eq 2 ]; then
ok "Redhat or CentOS does not have this check, so PASS"
else
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
if [ $ISEXCEPTION -eq 1 ]; then
warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!"
else
crit "$PACKAGE is installed!"
fi
else
ok "$PACKAGE is absent"
fi
done
fi
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
if [ $ISEXCEPTION -eq 1 ]; then
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
fi
else
ok "$PACKAGE is absent"
fi
done
if [ $OS_RELEASE -eq 2 ]; then
ok "Redhat or CentOS does not have this check, so PASS"
else
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
if [ $ISEXCEPTION -eq 1 ]; then
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
fi
else
ok "$PACKAGE is absent"
fi
done
fi
}
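Review bot: The new `OS_RELEASE -eq 2` branch in both audit() (L2593) and apply() (L2625) reports `ok "Redhat or CentOS does not have this check, so PASS"`, which records a PASS for a control that was never evaluated — net-snmp is packaged on CentOS, so the check applies there, it just is not ported yet. A skipped control should be distinguishable from a passing one in the report; the rsync (L2669, L2702), NTP (L2776, L2815) and nfs (L3080, L3113) scripts below use the same wording. If the harness has no not-applicable status, `info "Not ported to Redhat/CentOS yet, skipping"` is less misleading than `ok`, and this script could take a `PACKAGES_REDHAT='net-snmp'` like its siblings instead of being skipped.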
# This function will create the config file for this check with default values


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9 or CentOS Hardening
#
#
@ -21,36 +21,44 @@ RSYNC_DEFAULT_PATTERN_TO_SEARCH='RSYNC_ENABLE=true'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
ok "$PACKAGE is not installed"
else
ok "$PACKAGE is installed, checking configuration"
does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
if [ $FNRET != 0 ]; then
crit "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE"
else
ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE"
fi
fi
if [ $OS_RELEASE -eq 2 ]; then
ok "Redhat or CentOS does not have this check, so PASS"
else
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
ok "$PACKAGE is not installed"
else
ok "$PACKAGE is installed, checking configuration"
does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
if [ $FNRET != 0 ]; then
crit "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE"
else
ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
ok "$PACKAGE is not installed"
else
ok "$PACKAGE is installed, checking configuration"
does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
if [ $FNRET != 0 ]; then
warn "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE, adding it"
backup_file $RSYNC_DEFAULT_FILE
replace_in_file $RSYNC_DEFAULT_FILE $RSYNC_DEFAULT_PATTERN_TO_SEARCH $RSYNC_DEFAULT_PATTERN
else
ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE"
fi
fi
if [ $OS_RELEASE -eq 2 ]; then
ok "Redhat or CentOS does not have this check, so PASS"
else
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
ok "$PACKAGE is not installed"
else
ok "$PACKAGE is installed, checking configuration"
does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
if [ $FNRET != 0 ]; then
warn "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE, adding it"
backup_file $RSYNC_DEFAULT_FILE
replace_in_file $RSYNC_DEFAULT_FILE $RSYNC_DEFAULT_PATTERN_TO_SEARCH $RSYNC_DEFAULT_PATTERN
else
ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE"
fi
fi
fi
}
# This function will check config parameters required


@ -2,7 +2,7 @@
#
# harbian audit 7/8/9 Hardening
#
# todo test for centos
#
# 6.17 Ensure virul scan Server is enabled (Scored)


@ -2,7 +2,7 @@
#
# harbian audit 9 Hardening
#
# todo test for centos
#
# 6.18 Ensure virul scan Server update is enabled (Scored)


@ -1,11 +1,11 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
#
# harbian audit 7/8/9 or CentOS Hardening
# todo base redhat7 v2r3 of STIG
#
# 6.5 Configure Network Time Protocol (NTP) (Scored)
# 6.19 Configure Network Time Protocol (NTP) (Scored)
# Modify Author : Samson wen, Samson <sccxboy@gmail.com>
#


@ -7,6 +7,7 @@
#
# 6.1 Ensure the X Window system is not installed (Scored)
#
# todo test for centos
set -e # One error, it's over
set -u # One variable unset, it's over


@ -23,48 +23,56 @@ NTP_POOL_CFG='pool 2.debian.pool.ntp.org iburst'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $ANALOGONS_PKG
if [ $FNRET = 0 ]; then
ok "Analogons pagkage $ANALOGONS_PKG is installed. So pass check."
if [ $OS_RELEASE -eq 2 ]; then
ok "Redhat or CentOS does not have this check, so PASS"
else
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed, checking configuration"
does_pattern_exist_in_file $NTP_CONF_FILE $NTP_SERVER_PATTERN
if [ $FNRET != 0 ]; then
crit "$NTP_SERVER_PATTERN not found in $NTP_CONF_FILE"
else
ok "$NTP_SERVER_PATTERN found in $NTP_CONF_FILE"
fi
fi
is_pkg_installed $ANALOGONS_PKG
if [ $FNRET = 0 ]; then
ok "Analogons pagkage $ANALOGONS_PKG is installed. So pass check."
else
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed, checking configuration"
does_pattern_exist_in_file $NTP_CONF_FILE $NTP_SERVER_PATTERN
if [ $FNRET != 0 ]; then
crit "$NTP_SERVER_PATTERN not found in $NTP_CONF_FILE"
else
ok "$NTP_SERVER_PATTERN found in $NTP_CONF_FILE"
fi
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $ANALOGONS_PKG
if [ $FNRET = 0 ]; then
ok "Analogons pagkage $ANALOGONS_PKG is installed. So pass check."
if [ $OS_RELEASE -eq 2 ]; then
ok "Redhat or CentOS does not have this check, so PASS"
else
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE
info "Checking $PACKAGE configuration"
does_pattern_exist_in_file $NTP_CONF_FILE $NTP_SERVER_PATTERN
if [ $FNRET != 0 ]; then
warn "$NTP_SERVER_PATTERN not found in $NTP_CONF_FILE, adding it"
backup_file $NTP_CONF_FILE
add_end_of_file $NTP_CONF_FILE $NTP_POOL_CFG
is_pkg_installed $ANALOGONS_PKG
if [ $FNRET = 0 ]; then
ok "Analogons pagkage $ANALOGONS_PKG is installed. So pass check."
else
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
ok "$NTP_SERVER_PATTERN found in $NTP_CONF_FILE"
crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE
info "Checking $PACKAGE configuration"
does_pattern_exist_in_file $NTP_CONF_FILE $NTP_SERVER_PATTERN
if [ $FNRET != 0 ]; then
warn "$NTP_SERVER_PATTERN not found in $NTP_CONF_FILE, adding it"
backup_file $NTP_CONF_FILE
add_end_of_file $NTP_CONF_FILE $NTP_POOL_CFG
else
ok "$NTP_SERVER_PATTERN found in $NTP_CONF_FILE"
fi
exit 1
fi
exit 1
fi
fi
fi
}
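Review bot: apply() terminates with `exit 1` (L2850) right after `apt_install $PACKAGE` and the configuration fix have succeeded, so under `set -e` the success path of the remediation ends in a failure status; the line predates this commit, but the re-indentation is a good moment to either drop it or explain it with `# exit non-zero so the harness re-audits after the install` if that is the intent. The CentOS short-circuit `ok "Redhat or CentOS does not have this check, so PASS"` also sits oddly next to the `todo base redhat7 v2r3 of STIG` header (L2751): time synchronisation is a required control on RHEL 7 as well, so an unconditional PASS hides an unported check rather than a non-applicable one. The `$NTP_CONF_FILE $NTP_SERVER_PATTERN` arguments stay unquoted in both functions.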


@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -15,9 +16,13 @@ HARDENING_LEVEL=3
HARDENING_EXCEPTION=dns
PACKAGES='avahi-daemon libavahi-common-data libavahi-common3 libavahi-core7'
PACKAGES_REDHAT='avahi'
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
@ -34,6 +39,9 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
@ -41,8 +49,12 @@ apply () {
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
if [ $OS_RELEASE -eq 2 ]; then
yum autoremove $PACKAGE -y
else
apt-get purge $PACKAGE -y
apt-get autoremove
fi
fi
else
ok "$PACKAGE is absent"
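Review bot: `HARDENING_EXCEPTION=dns` (L2869) is the same exception key the bind/unbound script further down declares (L3145), so an operator who whitelists the DNS server check also silently exempts avahi-daemon from being purged; mDNS is a different service and deserves its own key such as `HARDENING_EXCEPTION=mdns`. How the exception name is resolved is outside this view, so confirm the keys are global before renaming. The purge branch otherwise repeats the pattern of the other package-removal scripts in this commit.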


@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -15,9 +16,13 @@ HARDENING_LEVEL=3
HARDENING_EXCEPTION=cups
PACKAGES='libcups2 libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1 cups-common cups-client cups-ppdc libcupsfilters1 cups-filters cups'
PACKAGES_REDHAT='cups'
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
@ -34,6 +39,9 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
@ -41,8 +49,12 @@ apply () {
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
if [ $OS_RELEASE -eq 2 ]; then
yum autoremove $PACKAGE -y
else
apt-get purge $PACKAGE -y
apt-get autoremove
fi
fi
else
ok "$PACKAGE is absent"


@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -15,9 +16,13 @@ HARDENING_LEVEL=3
HARDENING_EXCEPTION=dhcp
PACKAGES='udhcpd isc-dhcp-server'
PACKAGES_REDHAT='dnsmasq'
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
@ -34,6 +39,9 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
@ -41,8 +49,12 @@ apply () {
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
if [ $OS_RELEASE -eq 2 ]; then
yum autoremove $PACKAGE -y
else
apt-get purge $PACKAGE -y
apt-get autoremove
fi
fi
else
ok "$PACKAGE is absent"
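Review bot: `PACKAGES_REDHAT='dnsmasq'` (L2965) does not cover the ISC DHCP server, which on CentOS 7 ships as the `dhcp` package, while the Debian list removes `isc-dhcp-server`; as written the CentOS port passes a host running dhcpd. Conversely `yum autoremove dnsmasq -y` in apply() can take dependents with it (libvirt's network driver requires dnsmasq on CentOS 7, for instance), and dnsmasq is also a DNS forwarder, so whether it belongs in this check or in the DNS check (L3147) should be decided once. Suggest `PACKAGES_REDHAT='dhcp dnsmasq'` plus a comment stating why dnsmasq is listed here, and a check of what `yum autoremove dnsmasq` would remove on a stock install before shipping.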


@ -14,7 +14,6 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=3
PACKAGES='ntp chrony'
PACKAGES_COUNT=$(echo $PACKAGES | wc -w)
# This function will be called if the script status is on enabled / audit mode
audit () {


@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -15,9 +16,13 @@ HARDENING_LEVEL=3
HARDENING_EXCEPTION=ldap
PACKAGES='slapd'
PACKAGES_REDHAT='openldap-servers'
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
@ -34,6 +39,9 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
@ -41,8 +49,12 @@ apply () {
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
if [ $OS_RELEASE -eq 2 ]; then
yum autoremove $PACKAGE -y
else
apt-get purge $PACKAGE -y
apt-get autoremove
fi
fi
else
ok "$PACKAGE is absent"


@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -18,36 +19,44 @@ PACKAGES='rpcbind nfs-kernel-server'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
if [ $ISEXCEPTION -eq 1 ]; then
warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!"
else
crit "$PACKAGE is installed!"
fi
else
ok "$PACKAGE is absent"
fi
done
if [ $OS_RELEASE -eq 2 ]; then
ok "Redhat or CentOS does not have this check, so PASS"
else
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
if [ $ISEXCEPTION -eq 1 ]; then
warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!"
else
crit "$PACKAGE is installed!"
fi
else
ok "$PACKAGE is absent"
fi
done
fi
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
if [ $ISEXCEPTION -eq 1 ]; then
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
fi
else
ok "$PACKAGE is absent"
fi
done
if [ $OS_RELEASE -eq 2 ]; then
ok "Redhat or CentOS does not have this check, so PASS"
else
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
if [ $ISEXCEPTION -eq 1 ]; then
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
fi
else
ok "$PACKAGE is absent"
fi
done
fi
}
# This function will create the config file for this check with default values


@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -15,9 +16,13 @@ HARDENING_LEVEL=3
HARDENING_EXCEPTION=dns
PACKAGES='bind9 unbound'
PACKAGES_REDHAT='bind unbound'
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
@ -34,6 +39,9 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
@ -41,8 +49,12 @@ apply () {
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
if [ $OS_RELEASE -eq 2 ]; then
yum autoremove $PACKAGE -y
else
apt-get purge $PACKAGE -y
apt-get autoremove
fi
fi
else
ok "$PACKAGE is absent"


@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -16,9 +17,13 @@ HARDENING_EXCEPTION=ftp
# Based on aptitude search '~Pftp-server'
PACKAGES='ftpd ftpd-ssl heimdal-servers inetutils-ftpd krb5-ftpd muddleftpd proftpd-basic pure-ftpd pure-ftpd-ldap pure-ftpd-mysql pure-ftpd-postgresql twoftpd-run vsftpd wzdftpd'
PACKAGE_REDHAT='tftp-server vsftpd'
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGE_REDHAT
fi
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
@ -35,6 +40,9 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGE_REDHAT
fi
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
@ -42,8 +50,12 @@ apply () {
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
if [ $OS_RELEASE -eq 2 ]; then
yum autoremove $PACKAGE -y
else
apt-get purge $PACKAGE -y
apt-get autoremove
fi
fi
else
ok "$PACKAGE is absent"
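Review bot: The new variable is spelled `PACKAGE_REDHAT` (L3194, L3198, L3207) while every sibling script in this commit uses `PACKAGES_REDHAT`; these scripts are maintained by copy-and-paste, so a one-off name is exactly what the next bulk edit will miss. `tftp-server` is a TFTP daemon rather than an FTP server — reasonable to remove, but the check's title does not mention TFTP, so the report will not explain why it was flagged. Suggest `PACKAGES_REDHAT='tftp-server vsftpd'` with a comment above it noting that TFTP is included deliberately.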


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
#
#


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
#
#


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
#
#


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
#
#


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
#
#


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
#
#
@ -13,7 +13,7 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2
SYSCTL_PARAMS='net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0'
SYSCTL_PARAMS='net.ipv4.conf.all.secure_redirects=1 net.ipv4.conf.default.secure_redirects=1'
# This function will be called if the script status is on enabled / audit mode
audit () {
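Review bot: If the lines print old-then-new, `SYSCTL_PARAMS` now expects `secure_redirects=1` (L3290) where it expected `0` (L3289), which reverses the control: with 1 the kernel accepts ICMP redirects from gateways in its default-gateway list, while the CIS item this script implements, "Ensure secure ICMP redirects are not accepted", requires 0. After this change audit() flags a correctly hardened host as failing and apply() re-enables redirect acceptance. If the relaxation is deliberate it needs a comment with the rationale above the assignment, e.g. `# secure_redirects intentionally 1: <reason>`; otherwise the line should return to `=0`. audit() starts at the last hunk line and continues outside it.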


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
#
#


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
#
#


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
#
#


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
#
#


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
#
#


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
#
#


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
#
#


@ -1,85 +0,0 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
#
#
# 7.3.3 Disable IPv6 (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_sysctl_param_exists "net.ipv6"
if [ $FNRET != 0 ]; then
ok "ipv6 is disabled"
else
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
done
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_sysctl_param_exists "net.ipv6"
if [ $FNRET != 0 ]; then
ok "ipv6 is disabled"
else
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value, fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
warn "you may want to reboot or sysctl -p a file including $SYSCTL_PARAMS"
elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
done
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi


@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -14,10 +15,14 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=3
PACKAGE='tcpd'
PACKAGE_REDHAT='tcp_wrappers'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $OS_RELEASE -eq 2 ]; then
PACKAGE=$PACKAGE_REDHAT
fi
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
else
@ -27,13 +32,20 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE
fi
if [ $OS_RELEASE -eq 2 ]; then
PACKAGE=$PACKAGE_REDHAT
fi
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
if [ $OS_RELEASE -eq 2 ]; then
yum install $PACKAGE -y
else
apt_install $PACKAGE
fi
fi
}
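Review bot: apply() calls `yum install $PACKAGE -y` (L3486) directly where the Debian path goes through the `apt_install` helper, so whatever that helper adds beyond a plain install (non-interactive environment, logging, error handling) is bypassed on CentOS; a matching `yum_install` in the library would keep both paths equivalent. `tcp_wrappers` is also only available through RHEL/CentOS 7 — it was dropped in 8 — so on a newer release the install fails and, if this script keeps the `set -e` its siblings use, it aborts here instead of reporting the control; a `|| crit "$PACKAGE could not be installed on this release"` keeps the report intact. `$PACKAGE` is unquoted in both new calls.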
# This function will check config parameters required


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
#
#


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
#
#


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
#
#


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
#
#


@ -1,12 +1,12 @@
#!/bin/bash
#
# harbian audit 9 Hardening
# harbian audit 9 or CentOS Hardening
#
#
# 7.6 Ensure wireless interfaces are disabled (Not Scored)
# Author : Samson wen, Samson <sccxboy@gmail.com>
# Author : Samson wen, Samson <samson@hardenedlinux.org>
#
set -e # One error, it's over
@ -35,7 +35,8 @@ apply () {
if [ $FNRET = 0 ]; then
ok "Wireless interfaces are disabled!"
else
warn "Wireless interfaces is not disabled! Need the administrator to manually disable it. HOWTO: ip link set <interface> down"
warn "Wireless interfaces is not disabled! Disabled wireless."
nmcli radio wifi off
fi
}
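Review bot: `nmcli radio wifi off` (L3554) now runs unconditionally on the remediation path: where NetworkManager is absent or not running — common on a Debian server — nmcli is missing or fails, and with the file's `set -e` (L3547) the script dies with no diagnostic. It also only touches NetworkManager-managed radios; interfaces outside its control stay up, whereas the removed message told the administrator to bring each one down, so that guidance should survive in the failure branch. Guarding the call keeps the report intact either way:
```shell
        warn "Wireless interfaces is not disabled! Disabled wireless."
        if command -v nmcli >/dev/null 2>&1 && nmcli radio wifi off; then
            ok "Wireless radios disabled via NetworkManager"
        else
            warn "nmcli unavailable or failed; disable wireless manually: ip link set <interface> down"
        fi
```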


@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
# todo 7.7.* need test for CentOS
#
#
@ -19,6 +20,7 @@ HARDENING_LEVEL=2
# Do as you want, but this script does not handle this
PACKAGES='iptables iptables-persistent'
PACKAGES_REDHAT='iptables nftables firewalld'
SERVICENAME='netfilter-persistent'
# This function will be called if the script status is on enabled / audit mode
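Review bot: `PACKAGES_REDHAT='iptables nftables firewalld'` (L3571) is defined here but used outside this hunk, while `SERVICENAME='netfilter-persistent'` on the next line stays Debian-specific, so on CentOS any service-side check will presumably look for a unit that does not exist there. Requiring all three packages is also an unusual target — firewalld drives nftables or iptables itself, so a host with firewalld alone is a legitimate state — and the header's `todo 7.7.* need test for CentOS` (L3565) confirms this is unverified. A comment such as `# CentOS: service check not ported yet, SERVICENAME is Debian-only` beside SERVICENAME would make that state explicit in the file rather than only in the header.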


@ -20,7 +20,7 @@ KERNEL_OPTION="CONFIG_AUDIT"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled "^$KERNEL_OPTION="
is_kernel_option_enabled $KERNEL_OPTION
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
ok "$KERNEL_OPTION is enabled"
else
@ -31,7 +31,7 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
is_kernel_option_enabled "^$KERNEL_OPTION="
is_kernel_option_enabled $KERNEL_OPTION
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
ok "$KERNEL_OPTION is enabled"
else
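Review bot: Dropping the anchoring from `is_kernel_option_enabled "^$KERNEL_OPTION="` to `is_kernel_option_enabled $KERNEL_OPTION` (L3581, L3589) makes correctness depend on the helper: if it still greps the kernel config with its argument as a plain pattern, a bare `CONFIG_AUDIT` also matches `CONFIG_AUDITSYSCALL`, `CONFIG_AUDIT_ARCH` and the `# CONFIG_AUDIT is not set` line, so the check can report enabled on a kernel built without audit. The helper's change is not in this view, so confirm it now adds the `^...=` anchoring itself. Either way the argument should be quoted, `is_kernel_option_enabled "$KERNEL_OPTION"`, as the old call was. audit() and apply() continue outside these hunks.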


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
#
#


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
#
#


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
#
#


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 9 Hardening
# harbian audit 9/10 or CentOS Hardening
#
#


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 9 Hardening
# harbian audit 9/10 or CentOS Hardening
#
#


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 9 Hardening
# harbian audit 9/10 or CentOS Hardening
#
#


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 9 Hardening
# harbian audit 9/10 or CentOS Hardening
#
#


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 9 Hardening
# harbian audit 9/10 or CentOS Hardening
#
#


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 9 Hardening
# harbian audit 9/10 or CentOS Hardening
#
#


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
#
#


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
#
#


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
#
#


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
#
#


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
#
#


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
#
#


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
#
#


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
#
#


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9 or CentOS Hardening
#
#


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian audit 7/8/9/10 or CentOS Hardening
#
#
@ -9,13 +9,15 @@
# Author : Samson wen, Samson <sccxboy@gmail.com>
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh'
AUDIT_PARAMS="-a always,exit -F path=$(find /usr/ -name "ssh-keysign") -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=$(which ssh-agent 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
set -e # One error, it's over
FILE='/etc/audit/rules.d/audit.rules'
@ -26,15 +28,21 @@ audit () {
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
crit "path is not exsit! Please check file path is exist!"
continue
else
debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
}
@ -43,15 +51,21 @@ audit () {
apply () {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
fi
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
crit "path is not exsit! Please check file path is exist!"
continue
else
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
}
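Review bot: `AUDIT_PARAMS` (L3791–L3792) is now assembled at load time from `$(find /usr/ -name "ssh-keysign")` and `$(which ssh-agent 2>/dev/null)`, and neither substitution is bounded: find can return nothing or several paths, and with several the embedded newline splits one rule into fragments once the loops set `IFS=$'\n'`, while a missing binary yields `-F path=` that `check_audit_path` must then reject. `find /usr/ -name ssh-keysign -type f -print -quit` limits the result to one path and stops walking /usr at the first hit, and `command -v ssh-agent` is the portable form of `which`. The new `crit "path is not exsit! Please check file path is exist!"` (L3810, L3841) has a typo and does not say which path; `crit "$AUDIT_VALUE: audited path does not exist, rule skipped"` is more useful in the report. audit() starts outside its hunk; apply() closes at the last line.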
