Merge pull request #9 from hardenedlinux/master

Update from the master
Samson.W 2019-08-31 18:08:42 +08:00 committed by GitHub
commit 7812833eba
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
153 changed files with 3251 additions and 1406 deletions

View File

@ -31,6 +31,7 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening
$ git clone https://github.com/hardenedlinux/harbian-audit.git && cd harbian-audit $ git clone https://github.com/hardenedlinux/harbian-audit.git && cd harbian-audit
$ sudo cp debian/default /etc/default/cis-hardening $ sudo cp debian/default /etc/default/cis-hardening
$ sudo sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening $ sudo sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
$ sudo bin/hardening.sh --init
``` ```
### 对所有的安全检查项进行审计 ### 对所有的安全检查项进行审计
``` ```
@ -74,7 +75,11 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening
### 需要预装的软件 ### 需要预装的软件
如果是使用的最小安装方式安装的Debian GNU/Linux系统在使用此项目之前需要安装如下的软件 如果是使用的最小安装方式安装的Debian GNU/Linux系统在使用此项目之前需要安装如下的软件
``` ```
sudo apt-get install -y bc net-tools sudo apt-get install -y bc net-tools pciutils
```
如果系统是Redhat/CentOS在使用此项目前需要安装如下的软件包
```
sudo yum install -y bc net-tools pciutils NetworkManager
``` ```
### 需要预先进行的配置 ### 需要预先进行的配置
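Review bot: the Debian package list in this hunk (`sudo apt-get install -y bc net-tools pciutils`) omits `network-manager`, which the English README's Pre-Install hunk in the same commit adds to the Debian line; the two READMEs should list the same prerequisites, so either add it here or drop it from both if no check actually depends on it.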

View File

@ -34,6 +34,7 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening
$ git clone https://github.com/hardenedlinux/harbian-audit.git && cd harbian-audit $ git clone https://github.com/hardenedlinux/harbian-audit.git && cd harbian-audit
$ sudo cp debian/default /etc/default/cis-hardening $ sudo cp debian/default /etc/default/cis-hardening
$ sudo sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening $ sudo sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
$ sudo bin/hardening.sh --init
$ sudo bin/hardening.sh --audit-all $ sudo bin/hardening.sh --audit-all
hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/1.1_install_updates.sh hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/1.1_install_updates.sh
1.1_install_updates [INFO] Working on 1.1_install_updates 1.1_install_updates [INFO] Working on 1.1_install_updates
@ -70,9 +71,14 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening
### Pre-Install ### Pre-Install
If use Network install from a minimal CD to installed Debian GNU/Linux, need install bc package before use the hardening tool. If use Network install from a minimal CD to installed Debian GNU/Linux, need install packages before use the hardening tool.
``` ```
sudo apt-get install -y bc net-tools sudo apt-get install -y bc net-tools pciutils network-manager
```
Redhat/CentOS need install packages before use the hardening tool:
```
sudo yum install -y bc net-tools pciutils NetworkManager
``` ```
### Pre-Set ### Pre-Set
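Review bot: adding `network-manager` to the Debian prerequisite line is a heavier change than the other packages (`bc`, `net-tools`, `pciutils`): on a minimal server it installs a daemon with D-Bus and polkit dependencies and starts managing any interface not declared in `/etc/network/interfaces`. The hunk does not say which check needs it (nor why CentOS needs `NetworkManager`); state that next to the install line, or make the dependency optional for the checks that use it. The intro sentence also still reads awkwardly after the edit; suggest 'If Debian GNU/Linux was installed from a minimal network-install CD, install the following packages before using the hardening tool.'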
@ -155,8 +161,10 @@ This example only allows 192.168.1.[1-255] 192.168.5.[1-255] to access this syst
# sed -i "/^root/a\test ALL=(ALL:ALL) ALL" /etc/sudoers # sed -i "/^root/a\test ALL=(ALL:ALL) ALL" /etc/sudoers
``` ```
4) Set basic iptables rules 4) Set basic firewall rules
Set the corresponding firewall rules according to the applications used. HardenedLinux community for Debian GNU/Linux basic firewall rules: Set the corresponding firewall rules according to the applications used. HardenedLinux community for Debian GNU/Linux basic firewall rules:
### Iptabels format rules:
[etc.iptables.rules.v4.sh](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/etc.iptables.rules.v4.sh) [etc.iptables.rules.v4.sh](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/etc.iptables.rules.v4.sh)
to do the following: to do the following:
``` ```
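Review bot: typo in the new subheading `### Iptabels format rules:`, should be `Iptables`. Since step 4 now offers two rule formats, say that they are alternatives: on Debian 10 the `iptables` binary is the nft-backed variant, so loading the nftables file on a host that still has the iptables ruleset in place leaves two rulesets being evaluated, which is hard to audit.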
@ -168,6 +176,14 @@ $ sudo -s
# ip6tables-save > /etc/iptables/rules.v6 # ip6tables-save > /etc/iptables/rules.v6
``` ```
### nft format rules:
[nftables.conf](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/etc.nftables.conf)
to do the following(your network interfacename(Example eth0)):
```
$ sed -i 's/^define int_if = ens33/define int_if = eth0/g' etc.nftables.conf
$ sudo nft -f ./etc.nftables.conf
```
5) Use the passwd command to change the passwords of all users, and change the password to a secure and reliable password entry with the same password complexity set by the pam_cracklib module. 5) Use the passwd command to change the passwords of all users, and change the password to a secure and reliable password entry with the same password complexity set by the pam_cracklib module.
## Special Note ## Special Note
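Review bot: the `sed -i 's/^define int_if = ens33/define int_if = eth0/g' etc.nftables.conf` line edits a file in the current directory, but the link points at `docs/configurations/etc.nftables.conf`; give the path (or a `cd docs/configurations` first), and make the link text match the file name `etc.nftables.conf` rather than `nftables.conf`. Before `sudo nft -f ./etc.nftables.conf` on a remote host, recommend `sudo nft -c -f ./etc.nftables.conf` to validate the file, and stress double-checking the name substituted for `ens33`: a ruleset keyed on the wrong interface can lock the operator out of SSH. Unlike the iptables block, which ends with `iptables-save`/`ip6tables-save` into `/etc/iptables/`, nothing here persists the ruleset across reboot; point to the nft persistence doc from this step.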
@ -217,7 +233,9 @@ This document is a description of the additions to the sections not included in
### Manual Operation docs ### Manual Operation docs
[How to config grub2 password protection](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_config_grub2_password_protection.mkd) [How to config grub2 password protection](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_config_grub2_password_protection.mkd)
[How to persistent iptables rules with debian 9](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_persistent_iptables_rules_with_debian_9.mkd) [How to persistent iptables rules with debian 9](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_persistent_iptables_rules_with_debian_9.mkd)
[How to deploy audisp-remote for auditd log](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_deploy_audisp_remote_for_audit_log.mkd) [How to deploy audisp-remote for auditd log](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_deploy_audisp_remote_for_audit_log.mkd)
[How to migrating from iptables to nftables in debian10](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_migrating_from_iptables_to_nftables_in_debian10.md)
[How to persistent nft rules with debian 10](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_persistent_nft_rules_with_debian_10.mkd)
### Use case docs ### Use case docs
[Nodejs + redis + mysql demo](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/use-cases/nodejs-redis-mysql-usecase/README.md) [Nodejs + redis + mysql demo](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/use-cases/nodejs-redis-mysql-usecase/README.md)
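Review bot: link text 'How to migrating from iptables to nftables in debian10' should read 'How to migrate ...'; also the new file uses the `.md` extension while every other manual-operation doc, including the nft persistence doc added in the same hunk, uses `.mkd`, so keep one extension.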

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit Debian 9 Hardening # harbian audit Debian 9 / CentOS Hardening
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com> # Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
# Authors : Samson wen, Samson <sccxboy@gmail.com> # Authors : Samson wen, Samson <sccxboy@gmail.com>
@ -23,6 +23,7 @@ AUDIT_ALL_ENABLE_PASSED=0
ALLOW_SERVICE_LIST=0 ALLOW_SERVICE_LIST=0
SET_HARDENING_LEVEL=0 SET_HARDENING_LEVEL=0
SUDO_MODE='' SUDO_MODE=''
INIT_G_CONFIG=0
usage() { usage() {
cat << EOF cat << EOF
@ -30,8 +31,12 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
--help -h --help -h
Show this help Show this help
--apply --init
Initialize the global configuration file(/etc/default/cis-hardening) based
on the release version number.
--apply
Apply hardening for enabled scripts. Apply hardening for enabled scripts.
Beware that NO confirmation is asked whatsoever, which is why you're warmly Beware that NO confirmation is asked whatsoever, which is why you're warmly
advised to use --audit before, which can be regarded as a dry-run mode. advised to use --audit before, which can be regarded as a dry-run mode.
@ -140,6 +145,9 @@ while [[ $# > 0 ]]; do
-h|--help) -h|--help)
usage usage
;; ;;
--init)
INIT_G_CONFIG=1
;;
*) *)
usage usage
;; ;;
@ -162,6 +170,30 @@ fi
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh [ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh [ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
if [ $INIT_G_CONFIG -eq 1 ]; then
if [ -r /etc/redhat-release ]; then
info "This OS is redhat/CentOS."
sed -i 's/^OS_RELEASE=.*/OS_RELEASE=2/g' /etc/default/cis-hardening
. /etc/default/cis-hardening
elif [ -r /etc/debian_version ]; then
info "This OS is Debian."
:
else
crit "This OS not support!"
exit 128
fi
exit 0
fi
if [ $OS_RELEASE -eq 1 ]; then
info "Start auditing for Debian."
elif [ $OS_RELEASE -eq 2 ]; then
info "Start auditing for redhat/CentOS."
else
crit "This OS not support!"
exit 128
fi
# If --allow-service-list is specified, don't run anything, just list the supported services # If --allow-service-list is specified, don't run anything, just list the supported services
if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then
declare -a HARDENING_EXCEPTIONS_LIST declare -a HARDENING_EXCEPTIONS_LIST
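Review bot: the Debian branch of the `--init` block is a no-op (`info "This OS is Debian."` followed by `:`), so `--init` never writes `OS_RELEASE=1`; a config file previously initialised on CentOS, or a template whose value differs, is left as is. Make the branches symmetric with `sed -i 's/^OS_RELEASE=.*/OS_RELEASE=1/g' /etc/default/cis-hardening`. Related: `sed -i` silently changes nothing when the file has no `OS_RELEASE=` line (an `/etc/default/cis-hardening` copied from an older checkout), and the `. /etc/default/cis-hardening` after it is dead code because the block exits immediately. The dispatch below then evaluates `[ $OS_RELEASE -eq 1 ]` with the variable unset: under `set -u` that aborts, otherwise `[ -eq 1 ]` is a test syntax error instead of the intended `crit "This OS not support!"`. Use `${OS_RELEASE:-0}` or test that the variable is set and tell the user to run `--init`. Finally, `-r /etc/debian_version` is also true on Debian derivatives (Ubuntu, Kali); fine if the Debian checks are meant to apply there, but say so in the usage text.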

View File

@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit Debian 9 Hardening # harbian audit Debian 9/CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
@ -13,8 +14,9 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# This function will be called if the script status is on enabled / audit mode
audit () { audit_debian ()
{
info "Checking if apt needs an update" info "Checking if apt needs an update"
apt_update_if_needed apt_update_if_needed
info "Fetching upgrades ..." info "Fetching upgrades ..."
@ -28,16 +30,67 @@ audit () {
fi fi
} }
# This function will be called if the script status is on enabled mode audit_redhat ()
apply () { {
if [ $FNRET -gt 0 ]; then info "Checking if yum needs an update"
info "Fetching upgrades ..."
yum_check_updates
if [ $FNRET -eq 100 ]; then
crit "There are packages available for an update!"
elif [ $FNRET -eq 0 ]; then
ok "No upgrades available"
else
crit "Call yum_check_updates function error!"
fi
}
# This function will be called if the script status is on enabled / audit mode
audit ()
{
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
audit_redhat
else
crit "Current OS is not support!"
FNRET=44
fi
}
apply_debian ()
{
if [ $FNRET -eq 1 ]; then
info "Applying Upgrades..." info "Applying Upgrades..."
DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y
else else
ok "No Upgrades to apply" ok "No Upgrades to apply"
fi fi
} }
apply_redhat ()
{
if [ $FNRET -eq 100 ]; then
info "Applying Upgrades..."
yum upgrade -y
elif [ $FNRET -eq 0 ]; then
ok "No Upgrades to apply"
else
crit "Call yum_check_updates function error!"
fi
}
# This function will be called if the script status is on enabled mode
apply ()
{
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
apply_redhat
else
crit "Current OS is not support!"
fi
}
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
# No parameters for this function # No parameters for this function
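Review bot: `audit_redhat` calls `yum_check_updates`, which is not defined in this file; confirm it is added in `lib/utils.sh` and that it propagates the exit status of `yum check-update` into FNRET (100 = updates available, 0 = none, 1 = error), since both `audit_redhat` and `apply_redhat` branch on exactly those values. Two smaller points: `info "Checking if yum needs an update"` is printed but nothing equivalent to `apt_update_if_needed` runs (`yum check-update` refreshes metadata itself, so either drop the message or say that), and `apply_debian` narrows `if [ $FNRET -gt 0 ]` to `if [ $FNRET -eq 1 ]`, which skips the upgrade for any other non-zero value `audit_debian` might leave in FNRET; keep `-gt 0` unless `audit_debian` is known to return only 0 or 1.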

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit Debian 9 Hardening # harbian audit Debian 9/CentOS Hardening
# #
# #
@ -14,9 +14,11 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2 HARDENING_LEVEL=2
OPTION='AllowUnauthenticated' OPTION='AllowUnauthenticated'
YUM_OPTION='gpgcheck'
YUM_CONF='/etc/yum.conf'
# This function will be called if the script status is on enabled / audit mode audit_debian ()
audit () { {
if [ $(grep -v "^#" /etc/apt/ -r | grep -c "${OPTION}.*true") -gt 0 ]; then if [ $(grep -v "^#" /etc/apt/ -r | grep -c "${OPTION}.*true") -gt 0 ]; then
crit "The signature of packages option is disable " crit "The signature of packages option is disable "
FNRET=1 FNRET=1
@ -26,8 +28,37 @@ audit () {
fi fi
} }
# This function will be called if the script status is on enabled mode audit_redhat ()
apply () { {
if [ $(grep -c "^$YUM_OPTION" $YUM_CONF) -gt 0 ]; then
if [ $(grep "^$YUM_OPTION" $YUM_CONF | awk -F"=" '{print $2}') -eq 1 ]; then
ok "The signature of packages option is enable "
FNRET=0
else
crit "The signature of packages option is disable "
FNRET=1
fi
else
crit "Option $YUM_OPTION is not set in $YUM_CONF!"
FNRET=2
fi
}
# This function will be called if the script status is on enabled / audit mode
audit ()
{
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
audit_redhat
else
crit "Current OS is not support!"
FNRET=44
fi
}
apply_debian () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "The signature of packages option is enable " ok "The signature of packages option is enable "
else else
@ -39,6 +70,28 @@ apply () {
done done
fi fi
} }
apply_redhat () {
if [ $FNRET = 0 ]; then
ok "The signature of packages option is enable "
elif [ $FNRET = 1 ]; then
warn "Set to enabled signature of packages option"
sed -i "s/$YUM_OPTION=.*/$YUM_OPTION=1/g" $YUM_CONF
else
warn "Add $YUM_OPTION option to $YUM_CONF"
add_end_of_file $YUM_CONF "$YUM_OPTION=1"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
apply_redhat
else
crit "Current OS is not support!"
fi
}
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
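Review bot: in `apply_redhat`, `sed -i "s/$YUM_OPTION=.*/$YUM_OPTION=1/g" $YUM_CONF` with `YUM_OPTION='gpgcheck'` is unanchored, so it also rewrites `localpkg_gpgcheck=0` and `repo_gpgcheck=0` to `=1` as a side effect (`gpgcheck=` is a suffix of both names); anchor it with `^` as the grep in `audit_redhat` already does. More important for the check itself: only `/etc/yum.conf` is read, but a `gpgcheck=0` in any `/etc/yum.repos.d/*.repo` overrides the `[main]` value for that repository, so a host passes this audit while installing unsigned packages from a repo file. Extend the audit with something like `grep -l '^gpgcheck\s*=\s*0' /etc/yum.repos.d/*.repo` and report the offending files. Also, if several `gpgcheck` lines exist, `awk -F"=" '{print $2}'` yields several values and `[ ... -eq 1 ]` becomes a test error; take the last match with `tail -n1`.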

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit Debian 9 Hardening # harbian audit Debian 9/CentOS Hardening
# #
# #
@ -16,8 +16,10 @@ HARDENING_LEVEL=2
OPTION='no-debsig' OPTION='no-debsig'
CONFFILE='/etc/dpkg/dpkg.cfg' CONFFILE='/etc/dpkg/dpkg.cfg'
# This function will be called if the script status is on enabled / audit mode YUM_OPTION='localpkg_gpgcheck'
audit () { YUM_CONFFILE='/etc/yum.conf'
audit_debian () {
if [ $(grep -v "^#" ${CONFFILE} | grep -c ${OPTION}) -gt 0 ]; then if [ $(grep -v "^#" ${CONFFILE} | grep -c ${OPTION}) -gt 0 ]; then
crit "The signature of local packages option is disable " crit "The signature of local packages option is disable "
FNRET=1 FNRET=1
@ -27,8 +29,36 @@ audit () {
fi fi
} }
# This function will be called if the script status is on enabled mode audit_redhat ()
apply () { {
if [ $(grep -c "^$YUM_OPTION" $YUM_CONFFILE) -gt 0 ]; then
if [ $(grep "^$YUM_OPTION" $YUM_CONFFILE | awk -F"=" '{print $2}') -eq 1 ]; then
ok "The signature of packages option is enable "
FNRET=0
else
crit "The signature of packages option is disable "
FNRET=1
fi
else
crit "Option $YUM_OPTION is not set in $YUM_CONFFILE!"
FNRET=2
fi
}
# This function will be called if the script status is on enabled / audit mode
audit()
{
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
audit_redhat
else
crit "Current OS is not support!"
FNRET=44
fi
}
apply_debian () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "The signature of local packages option is enable " ok "The signature of local packages option is enable "
else else
@ -38,6 +68,29 @@ apply () {
fi fi
} }
apply_redhat () {
if [ $FNRET = 0 ]; then
ok "The signature of packages option is enable "
elif [ $FNRET = 1 ]; then
warn "Set to enabled signature of packages option"
sed -i "s/$YUM_OPTION=.*/$YUM_OPTION=1/g" $YUM_CONFFILE
else
warn "Add $YUM_OPTION option to $YUM_CONFFILE"
add_end_of_file $YUM_CONFFILE "$YUM_OPTION=1"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
apply_redhat
else
crit "Current OS is not support!"
fi
}
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
# No parameters for this function # No parameters for this function
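Review bot: the `ok`/`crit` messages in `audit_redhat` and `apply_redhat` were copied from 1.2 and say 'The signature of packages option', while this check is about `localpkg_gpgcheck` (local .rpm files, the counterpart of `no-debsig`); say 'local packages' as the Debian branch does, otherwise the report shows two checks with identical text. `localpkg_gpgcheck` is absent from a stock `/etc/yum.conf`, so the usual path is FNRET=2 and `add_end_of_file $YUM_CONFFILE "$YUM_OPTION=1"`; appending only lands in `[main]` when `[main]` is the last section of the file, so insert the line after the `[main]` header instead of at end of file. Same unanchored-`sed` caveat as in 1.2 applies, though `localpkg_gpgcheck=` matches nothing else.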

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit Debian 9 Hardening # harbian audit Debian 9/CentOS Hardening
# #
# #
@ -15,8 +15,10 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2 HARDENING_LEVEL=2
OPTION='AllowInsecureRepositories' OPTION='AllowInsecureRepositories'
# This function will be called if the script status is on enabled / audit mode YUM_OPTION='repo_gpgcheck'
audit () { YUM_CONFFILE='/etc/yum.conf'
audit_debian () {
if [ $(grep -v "^#" /etc/apt/ -r | grep -c "${OPTION}.*true") -gt 0 ]; then if [ $(grep -v "^#" /etc/apt/ -r | grep -c "${OPTION}.*true") -gt 0 ]; then
crit "The allow insecure repository when by apt update is enable" crit "The allow insecure repository when by apt update is enable"
FNRET=1 FNRET=1
@ -26,8 +28,35 @@ audit () {
fi fi
} }
# This function will be called if the script status is on enabled mode audit_redhat ()
apply () { {
if [ $(grep -c "^$YUM_OPTION" $YUM_CONFFILE) -gt 0 ]; then
if [ $(grep "^$YUM_OPTION" $YUM_CONFFILE | awk -F"=" '{print $2}') -eq 1 ]; then
ok "The allow insecure repository when by yum update is disable"
FNRET=0
else
crit "The signature of repodata option is disable "
FNRET=1
fi
else
crit "Option $YUM_OPTION is not set in $YUM_CONFFILE!"
FNRET=2
fi
}
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
audit_redhat
else
crit "Current OS is not support!"
FNRET=44
fi
}
apply_debian () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "The allow insecure repository when by apt update is disable" ok "The allow insecure repository when by apt update is disable"
else else
@ -39,6 +68,28 @@ apply () {
fi fi
} }
apply_redhat () {
if [ $FNRET = 0 ]; then
ok "The signature of repodata option is enable "
elif [ $FNRET = 1 ]; then
warn "Set to enabled signature of repodata option"
sed -i "s/$YUM_OPTION=.*/$YUM_OPTION=1/g" $YUM_CONFFILE
else
warn "Add $YUM_OPTION option to $YUM_CONFFILE"
add_end_of_file $YUM_CONFFILE "$YUM_OPTION=1"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
apply_redhat
else
crit "Current OS is not support!"
fi
}
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
# No parameters for this function # No parameters for this function
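Review bot: the wording in `audit_redhat` is inconsistent (`ok "The allow insecure repository when by yum update is disable"` versus `crit "The signature of repodata option is disable "`); use the repodata wording in both. The larger point is the apply step: setting `repo_gpgcheck=1` globally makes yum reject every enabled repository that does not publish signed metadata (`repomd.xml.asc`), which is common for third-party repos, so `apply_redhat` can leave the host unable to fetch the updates that check 1.1 then demands. Warn about this in the apply message, and since a `.repo` file can override the `[main]` value, check `repo_gpgcheck` in `/etc/yum.repos.d/*.repo` as well.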

View File

@ -19,8 +19,8 @@ FILENAME1='shosts.equiv'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
COUNT=$(find / -name "${FILENAME}" | wc -l) COUNT=$(find / -xdev -name "${FILENAME}" | wc -l)
COUNT1=$(find / -name "${FILENAME1}" | wc -l) COUNT1=$(find / -xdev -name "${FILENAME1}" | wc -l)
if [ "$COUNT" -ne 0 -o "$COUNT1" -ne 0 ]; then if [ "$COUNT" -ne 0 -o "$COUNT1" -ne 0 ]; then
crit "$FILENAME or $FILENAME1 file is exist on system." crit "$FILENAME or $FILENAME1 file is exist on system."
FNRET=1 FNRET=1
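Review bot: replacing `find / -name ...` with `find / -xdev -name ...` stops the scan at the root filesystem, so `$FILENAME`/`$FILENAME1` under home directories are missed whenever `/home` (or `/var`, `/srv`) is a separate partition, which is exactly the layout the partition checks in this project require. Iterate over local mounts instead, as 2.17 does in this commit: `df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -name "$FILENAME"`.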

View File

@ -7,9 +7,10 @@
# #
# 12.10 Find SUID System Executables (Not Scored) # 12.10 Find SUID System Executables (Not Scored)
# #
# set -e # One error, it's over, for some user to audit desktop evn
set -e # One error, it's over # One variable unset, it's over
set -u # One variable unset, it's over set -u
HARDENING_LEVEL=2 HARDENING_LEVEL=2
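Review bot: commenting out `set -e` for the whole script to survive a failing `find` on desktop systems also masks every other failure in the audit and apply paths. Narrow it to the command that fails (append `2>/dev/null || true` to that `find`) and keep `set -e`. The new comment also has 'evn' for 'env'.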

View File

@ -8,8 +8,10 @@
# 12.11 Find SGID System Executables (Not Scored) # 12.11 Find SGID System Executables (Not Scored)
# #
set -e # One error, it's over #set -e # One error, it's over, for some user to audit desktop evn
set -u # One variable unset, it's over
# One variable unset, it's over
set -u
HARDENING_LEVEL=2 HARDENING_LEVEL=2
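Review bot: same point as in 12.10: rather than disabling `set -e` for the whole script, suppress the error on the single command that fails on desktop systems with `|| true`. The header block is also now split (`#set -e ...`, blank line, `# One variable unset, it's over`, `set -u`); keep the two settings adjacent so the remaining `set -u` does not look like a leftover.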

View File

@ -1,8 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# # Modify by: Samson-W (samson@hardenedlinux.org)
# #
# 2.17 Set Sticky Bit on All World-Writable Directories (Scored) # 2.17 Set Sticky Bit on All World-Writable Directories (Scored)
@ -24,6 +24,15 @@ audit () {
else else
ok "All world writable directories have a sticky bit" ok "All world writable directories have a sticky bit"
fi fi
# Check sticky dir group-owned is root
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type d ! -group root \( -perm -0002 -a -perm -1000 \) -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then
crit "Some world writable directories are sticky bit mode, but not group owned is root!"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT"
else
ok "All world writable directories have a sticky bit, and group owner is root."
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
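Review bot: the new group-owner check prints `crit` but never sets FNRET, so a world-writable sticky directory that is not group-owned by root is reported and still counted as passed by the framework, which decides on FNRET; set `FNRET=1` in that branch. The `sed "s/ /\n/g" <<< $RESULT` formatting splits paths containing spaces into separate entries (pre-existing pattern, now used twice). Note also that this goes beyond the CIS 2.17 wording, which only requires the sticky bit: requiring group `root` is a project-specific tightening, and directories legitimately group-owned by a service account (an application's 1777 upload directory, say) will now be flagged; state that in the script header.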
@ -34,6 +43,12 @@ apply () {
else else
ok "All world writable directories have a sticky bit, nothing to apply" ok "All world writable directories have a sticky bit, nothing to apply"
fi fi
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type d ! -group root \( -perm -0002 -a -perm -1000 \) -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type d ! -group root \( -perm -0002 -a -perm -1000 \) -print 2>/dev/null | xargs chgrp root
else
ok "All world writable directories have a sticky bit, and group owner is root."
fi
} }
# This function will check config parameters required # This function will check config parameters required
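Review bot: the apply path pipes `find ... -print` into `xargs chgrp root`, which breaks on paths with whitespace and runs `chgrp` without `$SUDO_CMD` although the `find` uses it; use `find ... -exec chgrp root {} +` (or `-print0 | xargs -0 $SUDO_CMD chgrp root`). There is no `warn`/`info` line before the change, so the run log never shows which directories had their group changed; log `$RESULT` first, as the sticky-bit branch above does for its fix.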

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit Debian 7/8/9 Hardening # harbian audit Debian 7/8/9 or CentOS Hardening
# Modify by: Samson-W (sccxboy@gmail.com) # Modify by: Samson-W (sccxboy@gmail.com)
# #
@ -17,7 +17,6 @@ HARDENING_LEVEL=2
# Quick factoring as many script use the same logic # Quick factoring as many script use the same logic
PARTITION="/tmp" PARTITION="/tmp"
TMPMOUNTNAME="tmp.mount" TMPMOUNTNAME="tmp.mount"
TMPMOUNTO="/usr/share/systemd/tmp.mount"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
@ -37,25 +36,20 @@ audit () {
fi fi
else else
warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service" warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service"
if [ -e $TMPMOUNTO ]; then if [ $(systemctl | grep -c "tmp.mount[[:space:]]*loaded[[:space:]]active[[:space:]]mounted") -eq 1 ]; then
if [ $(systemctl | grep -c "tmp.mount[[:space:]]*loaded[[:space:]]active[[:space:]]mounted") -eq 1 ]; then ok "$TMPMOUNTNAME service is active!"
ok "$TMPMOUNTNAME service is active!" is_mounted "$PARTITION"
is_mounted "$PARTITION" if [ $FNRET -gt 0 ]; then
if [ $FNRET -gt 0 ]; then warn "$PARTITION is not mounted"
warn "$PARTITION is not mounted" FNRET=3
FNRET=3 else
else ok "$PARTITION is mounted"
ok "$PARTITION is mounted" FNRET=0
FNRET=0
fi
else
crit "$TMPMOUNTNAME service is not active!"
FNRET=4
fi fi
else else
crit "$TMPMOUNTO is not exist!" crit "$TMPMOUNTNAME service is not active!"
FNRET=1 FNRET=4
fi fi
fi fi
} }
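Review bot: dropping the unit-file existence check (`if [ -e $TMPMOUNTO ]`) means that when tmp.mount is not active the script now reports `crit "$TMPMOUNTNAME service is not active!"` and FNRET=4 whether or not a unit file exists, and the FNRET=4 apply branch then runs `systemctl enable tmp.mount` on hosts that have no unit. Keep a per-OS path check (`/usr/share/systemd/tmp.mount` on Debian, `/usr/lib/systemd/system/tmp.mount` on CentOS), as the nodev/nosuid/noexec scripts in this commit do. The activity test `systemctl | grep -c "tmp.mount[[:space:]]*loaded[[:space:]]active[[:space:]]mounted"` parses human-readable listing output; `systemctl is-active --quiet tmp.mount` is the stable interface.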
@ -72,7 +66,7 @@ apply () {
$SUDO_CMD systemctl daemon-reload $SUDO_CMD systemctl daemon-reload
$SUDO_CMD systemctl start "$TMPMOUNTNAME" $SUDO_CMD systemctl start "$TMPMOUNTNAME"
elif [ $FNRET = 4 ]; then elif [ $FNRET = 4 ]; then
$SUDO_CMD systemctl enable "$TMPMOUNTO" $SUDO_CMD systemctl enable "$TMPMOUNTNAME"
$SUDO_CMD systemctl daemon-reload $SUDO_CMD systemctl daemon-reload
$SUDO_CMD systemctl start "$TMPMOUNTNAME" $SUDO_CMD systemctl start "$TMPMOUNTNAME"
fi fi
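Review bot: `$SUDO_CMD systemctl enable "$TMPMOUNTNAME"` regresses Debian: `/usr/share/systemd/tmp.mount` is not in systemd's unit search path, so `systemctl enable tmp.mount` fails with 'Unit file tmp.mount does not exist', whereas the previous `systemctl enable "$TMPMOUNTO"` worked because systemd links an absolute path into `/etc/systemd/system`. Branch on OS_RELEASE here: keep the full path (or `cp /usr/share/systemd/tmp.mount /etc/systemd/system/` first) for Debian and use the unit name for CentOS.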

View File

@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
@ -20,11 +21,11 @@ audit () {
is_pkg_installed $SERVICE_NAME is_pkg_installed $SERVICE_NAME
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
info "Checking if $SERVICE_NAME is enabled" info "Checking if $SERVICE_NAME is enabled"
is_service_enabled $SERVICE_NAME is_service_active $SERVICE_NAME
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$SERVICE_NAME is enabled" crit "$SERVICE_NAME is actived"
else else
ok "$SERVICE_NAME is disabled" ok "$SERVICE_NAME is inactived"
fi fi
else else
ok "$SERVICE_NAME is not installed" ok "$SERVICE_NAME is not installed"
@ -35,21 +36,34 @@ audit () {
apply () { apply () {
is_pkg_installed $SERVICE_NAME is_pkg_installed $SERVICE_NAME
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
info "Checking if $SERVICE_NAME is enabled" info "Checking if $SERVICE_NAME is active"
is_service_enabled $SERVICE_NAME is_service_active $SERVICE_NAME
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
is_debian_9 if [ $OS_RELEASE -eq 2 ]; then
:
else
is_debian_9
fi
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
info "Disabling $SERVICE_NAME" info "Disabling $SERVICE_NAME"
systemctl stop $SERVICE_NAME systemctl stop $SERVICE_NAME
systemctl disable $SERVICE_NAME systemctl disable $SERVICE_NAME
apt-get -y purge --autoremove $SERVICE_NAME if [ $OS_RELEASE -eq 2 ]; then
yum -y autoremove $SERVICE_NAME
else
apt-get -y purge --autoremove $SERVICE_NAME
fi
else else
info "Disabling $SERVICE_NAME" info "Disabling $SERVICE_NAME"
update-rc.d $SERVICE_NAME remove > /dev/null 2>&1 update-rc.d $SERVICE_NAME remove > /dev/null 2>&1
fi fi
else else
ok "$SERVICE_NAME is disabled" ok "$SERVICE_NAME is disabled"
if [ $OS_RELEASE -eq 2 ]; then
yum -y autoremove $SERVICE_NAME
else
apt-get -y purge --autoremove $SERVICE_NAME
fi
fi fi
else else
ok "$SERVICE_NAME is not installed" ok "$SERVICE_NAME is not installed"

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit Debian 7/8/9 Hardening # harbian audit Debian 7/8/9 or CentOS Hardening
# Modify by: Samson-W (sccxboy@gmail.com) # Modify by: Samson-W (sccxboy@gmail.com)
# #
@ -17,8 +17,9 @@ HARDENING_LEVEL=2
# Quick factoring as many script use the same logic # Quick factoring as many script use the same logic
PARTITION="/tmp" PARTITION="/tmp"
OPTION="nodev" OPTION="nodev"
SERVICEPATH="/usr/share/systemd/tmp.mount"
SERVICENAME="tmp.mount" SERVICENAME="tmp.mount"
SERVICEPATH="/usr/share/systemd/tmp.mount"
REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
@ -45,8 +46,12 @@ audit () {
fi fi
else else
warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service" warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service"
if [ -e $SERVICEPATH ]; then if [ -e $SERVICEPATH -o -e $REDHAT_SERVICEPATH ]; then
has_mount_option_systemd $SERVICEPATH $OPTION if [ $OS_RELEASE -eq 2 ]; then
has_mount_option_systemd $REDHAT_SERVICEPATH $OPTION
else
has_mount_option_systemd $SERVICEPATH $OPTION
fi
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in systemd service!" crit "$PARTITION has no option $OPTION in systemd service!"
FNRET=3 FNRET=3
@ -62,7 +67,11 @@ audit () {
fi fi
fi fi
else else
crit "$TMPMOUNTO is not exist!" if [ $OS_RELEASE -eq 2 ]; then
crit "$REDHAT_SERVICEPATH is not exist!"
else
crit "$SERVICEPATH is not exist!"
fi
FNRET=2 FNRET=2
fi fi
fi fi
@ -86,7 +95,11 @@ apply () {
fi fi
elif [ $FNRET = 3 ]; then elif [ $FNRET = 3 ]; then
info "Adding $OPTION to systemd" info "Adding $OPTION to systemd"
add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME if [ $OS_RELEASE -eq 2 ]; then
add_option_to_systemd $REDHAT_SERVICEPATH $OPTION $SERVICENAME
else
add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME
fi
remount_partition_by_systemd $SERVICENAME $PARTITION remount_partition_by_systemd $SERVICENAME $PARTITION
elif [ $FNRET = 4 ]; then elif [ $FNRET = 4 ]; then
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit Debian 7/8/9 Hardening # harbian audit Debian 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (sccxboy@gmail.com) # Modify by: Samson-W (sccxboy@gmail.com)
# #
@ -19,6 +19,7 @@ PARTITION="/tmp"
OPTION="nosuid" OPTION="nosuid"
SERVICEPATH="/usr/share/systemd/tmp.mount" SERVICEPATH="/usr/share/systemd/tmp.mount"
SERVICENAME="tmp.mount" SERVICENAME="tmp.mount"
REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
@ -45,8 +46,12 @@ audit () {
fi fi
else else
warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service" warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service"
if [ -e $SERVICEPATH ]; then if [ -e $SERVICEPATH -o -e $REDHAT_SERVICEPATH ]; then
has_mount_option_systemd $SERVICEPATH $OPTION if [ $OS_RELEASE -eq 2 ]; then
has_mount_option_systemd $REDHAT_SERVICEPATH $OPTION
else
has_mount_option_systemd $SERVICEPATH $OPTION
fi
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in systemd service!" crit "$PARTITION has no option $OPTION in systemd service!"
FNRET=3 FNRET=3
@ -62,7 +67,11 @@ audit () {
fi fi
fi fi
else else
crit "$TMPMOUNTO is not exist!" if [ $OS_RELEASE -eq 2 ]; then
crit "$REDHAT_SERVICEPATH is not exist!"
else
crit "$SERVICEPATH is not exist!"
fi
FNRET=2 FNRET=2
fi fi
fi fi
@ -86,7 +95,11 @@ apply () {
fi fi
elif [ $FNRET = 3 ]; then elif [ $FNRET = 3 ]; then
info "Adding $OPTION to systemd" info "Adding $OPTION to systemd"
add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME if [ $OS_RELEASE -eq 2 ]; then
add_option_to_systemd $REDHAT_SERVICEPATH $OPTION $SERVICENAME
else
add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME
fi
remount_partition_by_systemd $SERVICENAME $PARTITION remount_partition_by_systemd $SERVICENAME $PARTITION
elif [ $FNRET = 4 ]; then elif [ $FNRET = 4 ]; then
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit Debian 7/8/9 Hardening # harbian audit Debian 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (sccxboy@gmail.com) # Modify by: Samson-W (sccxboy@gmail.com)
# #
@ -19,6 +19,7 @@ PARTITION="/tmp"
OPTION="noexec" OPTION="noexec"
SERVICEPATH="/usr/share/systemd/tmp.mount" SERVICEPATH="/usr/share/systemd/tmp.mount"
SERVICENAME="tmp.mount" SERVICENAME="tmp.mount"
REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
@ -45,8 +46,12 @@ audit () {
fi fi
else else
warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service" warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service"
if [ -e $SERVICEPATH ]; then if [ -e $SERVICEPATH -o -e $REDHAT_SERVICEPATH ]; then
has_mount_option_systemd $SERVICEPATH $OPTION if [ $OS_RELEASE -eq 2 ]; then
has_mount_option_systemd $REDHAT_SERVICEPATH $OPTION
else
has_mount_option_systemd $SERVICEPATH $OPTION
fi
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in systemd service!" crit "$PARTITION has no option $OPTION in systemd service!"
FNRET=3 FNRET=3
@ -62,7 +67,11 @@ audit () {
fi fi
fi fi
else else
crit "$TMPMOUNTO is not exist!" if [ $OS_RELEASE -eq 2 ]; then
crit "$REDHAT_SERVICEPATH is not exist!"
else
crit "$SERVICEPATH is not exist!"
fi
FNRET=2 FNRET=2
fi fi
fi fi
@ -86,7 +95,11 @@ apply () {
fi fi
elif [ $FNRET = 3 ]; then elif [ $FNRET = 3 ]; then
info "Adding $OPTION to systemd" info "Adding $OPTION to systemd"
add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME if [ $OS_RELEASE -eq 2 ]; then
add_option_to_systemd $REDHAT_SERVICEPATH $OPTION $SERVICENAME
else
add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME
fi
remount_partition_by_systemd $SERVICENAME $PARTITION remount_partition_by_systemd $SERVICENAME $PARTITION
elif [ $FNRET = 4 ]; then elif [ $FNRET = 4 ]; then
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"

View File

@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
@ -16,53 +17,87 @@ HARDENING_LEVEL=1
# Assertion : Grub Based. # Assertion : Grub Based.
FILE='/boot/grub/grub.cfg' FILE='/boot/grub/grub.cfg'
FILE_GRUB2='/boot/grub2/grub.cfg'
USER='root' USER='root'
GROUP='root' GROUP='root'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
has_file_correct_ownership $FILE $USER $GROUP if [ $OS_RELEASE -eq 2 ]; then
if [ $FNRET = 0 ]; then has_file_correct_ownership $FILE_GRUB2 $USER $GROUP
ok "$FILE has correct ownership" if [ $FNRET = 0 ]; then
else ok "$FILE_GRUB2 has correct ownership"
crit "$FILE ownership was not set to $USER:$GROUP" else
fi crit "$FILE_GRUB2 ownership was not set to $USER:$GROUP"
fi
else
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
has_file_correct_ownership $FILE $USER $GROUP if [ $OS_RELEASE -eq 2 ]; then
if [ $FNRET = 0 ]; then has_file_correct_ownership $FILE_GRUB2 $USER $GROUP
ok "$FILE has correct ownership" if [ $FNRET = 0 ]; then
else ok "$FILE_GRUB2 has correct ownership"
info "fixing $FILE ownership to $USER:$GROUP" else
chown $USER:$GROUP $FILE info "fixing $FILE_GRUB2 ownership to $USER:$GROUP"
fi chown $USER:$GROUP $FILE_GRUB2
fi
else
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
info "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE
fi
fi
} }
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
if [ $OS_RELEASE -eq 2 ]; then
is_pkg_installed "grub2-pc"
else
is_pkg_installed "grub-pc"
fi
if [ $FNRET != 0 ]; then
warn "Grub is not installed, not handling configuration"
exit 128
fi
is_pkg_installed "grub-pc" does_user_exist $USER
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "Grub is not installed, not handling configuration" crit "$USER does not exist"
exit 128 exit 128
fi fi
does_user_exist $USER
if [ $FNRET != 0 ]; then does_group_exist $GROUP
crit "$USER does not exist" if [ $FNRET != 0 ]; then
exit 128 crit "$GROUP does not exist"
fi exit 128
does_group_exist $GROUP fi
if [ $FNRET != 0 ]; then
crit "$GROUP does not exist" if [ $OS_RELEASE -eq 2 ]; then
exit 128 does_file_exist $FILE_GRUB2
fi if [ $FNRET != 0 ]; then
does_file_exist $FILE crit "$FILE_GRUB2 does not exist"
if [ $FNRET != 0 ]; then exit 128
crit "$FILE does not exist" fi
exit 128 else
fi does_file_exist $FILE
if [ $FNRET != 0 ]; then
crit "$FILE does not exist"
exit 128
fi
fi
} }
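Review bot: the four near-identical audit/apply/check_config blocks differ only in which file name they use, so assign it once at file scope right after `FILE_GRUB2=` (`if [ $OS_RELEASE -eq 2 ]; then FILE=$FILE_GRUB2; fi`) and keep the original bodies unchanged. For the Redhat branch, `is_pkg_installed "grub2-pc"` together with `/boot/grub2/grub.cfg` only covers BIOS installs; on a UEFI CentOS host the package is `grub2-efi-x64` and the generated config lives under `/boot/efi/EFI/centos/`, so this script would stop with "Grub is not installed" instead of auditing the real file. Also the missing-grub case uses `warn` while the missing user/group/file cases use `crit` for the same `exit 128`; pick one severity.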
# Source Root Dir Parameter # Source Root Dir Parameter

View File

@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
@ -16,10 +17,16 @@ HARDENING_LEVEL=1
# Assertion : Grub Based. # Assertion : Grub Based.
FILE='/boot/grub/grub.cfg' FILE='/boot/grub/grub.cfg'
PKGNAME='grub-pc'
PERMISSIONS='400' PERMISSIONS='400'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $OS_RELEASE -eq 2 ]; then
FILE='/boot/grub2/grub.cfg'
else
:
fi
has_file_correct_permissions $FILE $PERMISSIONS has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
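Review bot: the `else :` branch is a no-op and can be dropped (`if [ $OS_RELEASE -eq 2 ]; then FILE='/boot/grub2/grub.cfg'; fi`), and since `FILE` and `PKGNAME` are script-level globals, assigning them once next to `FILE='/boot/grub/grub.cfg'` / `PKGNAME='grub-pc'` covers audit, apply and check_config without repeating this block three times.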
@ -32,6 +39,11 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 2 ]; then
FILE='/boot/grub2/grub.cfg'
else
:
fi
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
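Review bot: `apply` re-assigns `FILE` but goes straight to `if [ $FNRET = 0 ]` without calling `has_file_correct_permissions` first, so the branch acts on whatever `FNRET` the previously executed function left behind; add the check call after the assignment (as `audit` does) so `apply` is correct when run on its own.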
@ -42,9 +54,16 @@ apply () {
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
is_pkg_installed "grub-pc" if [ $OS_RELEASE -eq 2 ]; then
FILE='/boot/grub2/grub.cfg'
PKGNAME='grub2-pc'
else
:
fi
is_pkg_installed "$PKGNAME"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "grub-pc is not installed, not handling configuration" warn "$PKGNAME is not installed, not handling configuration"
exit 128 exit 128
fi fi
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
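Review bot: after `is_pkg_installed "$PKGNAME"` the function tests `FNRET` twice in a row (the `if [ $FNRET != 0 ]` at the end of the hunk directly follows the `fi` of the identical test above, with no call in between), so the second test is either dead or should be preceded by a different check; while touching this, the Debian default `PKGNAME='grub-pc'` misses hosts booting via `grub-efi-amd64`, the same gap as `grub2-pc` on the Redhat side.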

View File

@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
@ -14,11 +15,17 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=3 HARDENING_LEVEL=3
FILE='/boot/grub/grub.cfg' FILE='/boot/grub/grub.cfg'
PKGNAME='grub-pc'
USER_PATTERN="^set superusers" USER_PATTERN="^set superusers"
PWD_PATTERN="^password_pbkdf2" PWD_PATTERN="^password_pbkdf2"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $OS_RELEASE -eq 2 ]; then
FILE='/boot/grub2/grub.cfg'
else
:
fi
does_pattern_exist_in_file $FILE "$USER_PATTERN" does_pattern_exist_in_file $FILE "$USER_PATTERN"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$USER_PATTERN not present in $FILE" crit "$USER_PATTERN not present in $FILE"
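Review bot: `USER_PATTERN="^set superusers"` and `PWD_PATTERN="^password_pbkdf2"` are anchored at column 0; on a CentOS `/boot/grub2/grub.cfg` produced by `grub2-mkconfig` these directives are emitted by the `01_users` snippet indented inside an `if [ -f ${prefix}/user.cfg ]` block, and they are present whether or not a password was ever set, so the Redhat branch cannot tell the real state from this file. For OS_RELEASE 2 check `/boot/grub2/user.cfg` for a `^GRUB2_PASSWORD=` line (what `grub2-setpassword` writes) instead, and drop the no-op `else :` branches.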
@ -35,6 +42,11 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 2 ]; then
FILE='/boot/grub2/grub.cfg'
else
:
fi
does_pattern_exist_in_file $FILE "$USER_PATTERN" does_pattern_exist_in_file $FILE "$USER_PATTERN"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$USER_PATTERN not present in $FILE, please configure password for grub" warn "$USER_PATTERN not present in $FILE, please configure password for grub"
@ -52,9 +64,15 @@ apply () {
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
is_pkg_installed "grub-pc" if [ $OS_RELEASE -eq 2 ]; then
FILE='/boot/grub2/grub.cfg'
PKGNAME='grub2-pc'
else
:
fi
is_pkg_installed "$PKGNAME"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "grub-pc is not installed, not handling configuration" warn "$PKGNAME is not installed, not handling configuration"
exit 128 exit 128
fi fi
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then

View File

@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
#Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
@ -17,9 +18,9 @@ LIMIT_FILE='/etc/security/limits.conf'
LIMIT_PATTERN='^\*[[:space:]]*hard[[:space:]]*core[[:space:]]*0$' LIMIT_PATTERN='^\*[[:space:]]*hard[[:space:]]*core[[:space:]]*0$'
SYSCTL_PARAM='fs.suid_dumpable' SYSCTL_PARAM='fs.suid_dumpable'
SYSCTL_EXP_RESULT=0 SYSCTL_EXP_RESULT=0
SERVICE_NAME='kdump'
# This function will be called if the script status is on enabled / audit mode audit_debian () {
audit () {
does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$LIMIT_PATTERN not present in $LIMIT_FILE" crit "$LIMIT_PATTERN not present in $LIMIT_FILE"
@ -36,8 +37,30 @@ audit () {
fi fi
} }
# This function will be called if the script status is on enabled mode audit_redhat () {
apply () { is_service_active $SERVICE_NAME
if [ $FNRET -eq 0 ]; then
crit "$SERVICE_NAME is actived"
FNRET=1
else
ok "$SERVICE_NAME is inactived"
FNRET=0
fi
}
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
audit_redhat
else
crit "Current OS is not support!"
FNRET=44
fi
}
apply_debian () {
does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$LIMIT_PATTERN not present in $LIMIT_FILE, adding at the end of $LIMIT_FILE" warn "$LIMIT_PATTERN not present in $LIMIT_FILE, adding at the end of $LIMIT_FILE"
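Review bot: `audit_redhat` reduces the whole control to a single `is_service_active kdump` test, dropping the `limits.conf` `hard core 0` and `fs.suid_dumpable` checks that `audit_debian` still performs and that apply equally to CentOS; keep the limits/sysctl checks common to both OSes and add the kdump test on top for OS_RELEASE 2. `is_service_active` also only reports whether kdump is running now, not whether it is enabled at boot. Wording: "is actived" / "is inactived" should read "is active" / "is inactive", and "Current OS is not support!" should read "is not supported".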
@ -57,6 +80,27 @@ apply () {
} }
apply_redhat () {
if [ $FNRET -eq 1 ]; then
info "Disabling $SERVICE_NAME"
systemctl stop $SERVICE_NAME
systemctl disable $SERVICE_NAME
else
ok "$SERVICE_NAME is disabled"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
apply_redhat
else
crit "Current OS is not support!"
fi
}
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: :
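Review bot: `apply_redhat` branches on `FNRET -eq 1` without calling `is_service_active` itself, so it only works if `audit_redhat` ran immediately before; re-run the check inside the function. Under `set -e`, `systemctl stop $SERVICE_NAME` aborts the script when the unit is not loaded on the host, so guard it (test `systemctl is-enabled`/`is-active` first, or append `|| true`) before the `disable`.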

View File

@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
@ -28,16 +29,26 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
is_pkg_installed $PACKAGE if [ $OS_RELEASE -eq 2 ]; then
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
/usr/sbin/prelink -ua "$(which $PACKAGE)" -ua
apt-get purge $PACKAGE -y yum autoremove $PACKAGE -y
apt-get autoremove else
else ok "$PACKAGE is absent"
ok "$PACKAGE is absent" fi
fi elif [ $OS_RELEASE -eq 1 ]; then
: if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
/usr/sbin/prelink -ua
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
else
crit "Current OS is not support!"
fi
} }
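Review bot: the `is_pkg_installed $PACKAGE` call that used to open `apply` was replaced by the `if [ $OS_RELEASE -eq 2 ]` line, so both `if [ $FNRET = 0 ]` tests now read whatever `FNRET` the last helper set and may purge or skip based on stale state; restore the call before the OS branch. The two branches then differ only in `yum autoremove` versus `apt-get purge`/`apt-get autoremove`, so the `prelink -ua` and message lines can be shared; keep `prelink -ua` before the removal in both, since undoing prelinking needs the binary still present.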
# This function will check config parameters required # This function will check config parameters required

View File

@ -1,11 +1,12 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# # Modify by: Samson-W (samson@hardenedlinux.org)
# todo: SELinux
# #
# 4.5 Activate AppArmor (Scored) # 4.5 Activate AppArmor/SELinux (Scored)
# Add by Author : Samson wen, Samson <sccxboy@gmail.com> # Add by Author : Samson wen, Samson <sccxboy@gmail.com>
# #
@ -20,8 +21,7 @@ PATTERN="apparmor=1[[:space:]]*security=apparmor"
SETSTRING="apparmor=1 security=apparmor" SETSTRING="apparmor=1 security=apparmor"
GRUBFILE='/etc/default/grub' GRUBFILE='/etc/default/grub'
# This function will be called if the script status is on enabled / audit mode audit_debian () {
audit () {
for PACKAGE in ${PACKAGES} for PACKAGE in ${PACKAGES}
do do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
@ -49,8 +49,24 @@ audit () {
fi fi
} }
# This function will be called if the script status is on enabled mode # Todo
apply () { audit_redhat () {
:
}
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
audit_redhat
else
crit "Current OS is not support!"
FNRET=44
fi
}
apply_debian () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "AppArmor profiles is enable in the system " ok "AppArmor profiles is enable in the system "
elif [ $FNRET = 1 ]; then elif [ $FNRET = 1 ]; then
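Review bot: `audit_redhat` is `:`, so on CentOS `audit` reports nothing and leaves `FNRET` untouched, and `apply_debian` treats `FNRET = 0` as "profiles enabled"; until the SELinux check exists, have the stub emit `warn "SELinux check not implemented"` and set a distinct `FNRET` so the control is visibly unscored rather than silently passing. A minimal SELinux audit for OS_RELEASE 2 would check that `getenforce` reports `Enforcing` and that `/etc/selinux/config` sets `SELINUX=enforcing`. Grammar: "AppArmor profiles is enable" should read "AppArmor profiles are enabled".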
@ -69,6 +85,22 @@ apply () {
fi fi
} }
# Todo
apply_redhat () {
:
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
apply_redhat
else
crit "Current OS is not support!"
fi
}
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: :

View File

@ -1,11 +1,13 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening / # harbian audit 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
# 4.6 Disable USB Devices # 4.6 Disable USB Devices
# TODO test
# #
set -e # One error, it's over set -e # One error, it's over
@ -18,8 +20,11 @@ PATTERN='ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{auth
FILES_TO_SEARCH='/etc/udev/rules.d' FILES_TO_SEARCH='/etc/udev/rules.d'
FILE='/etc/udev/rules.d/CIS_4.6_usb_devices.conf' FILE='/etc/udev/rules.d/CIS_4.6_usb_devices.conf'
# This function will be called if the script status is on enabled / audit mode BLACKRULEPATTERN='^blacklist[[:blank:]].*usb-storage'
audit () { BLACKRULE='blacklist usb-storage'
BLACKCONFILE='/etc/modprobe.d/blacklist.conf'
audit_debian () {
SEARCH_RES=0 SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do for FILE_SEARCHED in $FILES_TO_SEARCH; do
if [ $SEARCH_RES = 1 ]; then break; fi if [ $SEARCH_RES = 1 ]; then break; fi
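Review bot: `BLACKRULEPATTERN`, `BLACKRULE` and `BLACKCONFILE` are introduced here but nothing in this diff uses them (`audit_redhat` below is a stub), so either wire them into the Redhat audit/apply or leave them out until that code lands. Separately, the pre-existing `FILE='/etc/udev/rules.d/CIS_4.6_usb_devices.conf'` has the wrong suffix: udev only loads `*.rules` files from `rules.d`, so the rule written there is never applied even though the audit's file search reports it present.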
@ -50,6 +55,22 @@ audit () {
fi fi
} }
audit_redhat () {
:
}
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
audit_redhat
else
crit "Current OS is not support!"
FNRET=44
fi
}
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
SEARCH_RES=0 SEARCH_RES=0
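Review bot: `audit` now dispatches per OS but `apply` is left as the Debian-only udev logic, so on OS_RELEASE 2 `audit_redhat` checks nothing while `apply` still writes the udev rule; split `apply` into `apply_debian`/`apply_redhat` the same way, and have the `audit_redhat` stub warn and set `FNRET` instead of staying silent.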

View File

@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
@ -14,10 +15,14 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=3 HARDENING_LEVEL=3
PACKAGE='nis' PACKAGE='nis'
PACKAGE_REDHAT='ypserv'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
is_pkg_installed $PACKAGE if [ $OS_RELEASE -eq 2 ]; then
PACKAGE=$PACKAGE_REDHAT
fi
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed!" crit "$PACKAGE is installed!"
else else
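Review bot: `PACKAGE_REDHAT='ypserv'` covers only the NIS server, whereas the Debian `nis` package ships both server and client (`ypserv`, `ypbind`); the CentOS side therefore also needs `ypbind`, otherwise a host bound as an NIS client to a remote server passes this check. Assigning `PACKAGE` inside `audit` also mutates the global for every later call; setting it once at file scope is simpler and keeps `apply` from repeating the override.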
@ -28,11 +33,18 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGE=$PACKAGE_REDHAT
fi
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y if [ $OS_RELEASE -eq 2 ]; then
apt-get autoremove yum -y autoremove $PACKAGE
else
apt-get purge $PACKAGE -y
apt-get autoremove
fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi

View File

@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
@ -15,11 +16,11 @@ HARDENING_LEVEL=2
# Based on aptitude search '~Prsh-server' # Based on aptitude search '~Prsh-server'
PACKAGES='rsh-server rsh-redone-server heimdal-servers' PACKAGES='rsh-server rsh-redone-server heimdal-servers'
PACKAGE_REDHAT='rsh-server'
FILE='/etc/inetd.conf' FILE='/etc/inetd.conf'
PATTERN='^(shell|login|exec)' PATTERN='^(shell|login|exec)'
# This function will be called if the script status is on enabled / audit mode audit_debian () {
audit () {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -41,8 +42,27 @@ audit () {
done done
} }
# This function will be called if the script status is on enabled mode audit_redhat () {
apply () { is_pkg_installed $PACKAGE_REDHAT
if [ $FNRET = 0 ]; then
crit "$PACKAGE_REDHAT is installed!"
else
ok "$PACKAGE_REDHAT is absent"
fi
}
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
audit_redhat
else
crit "Current OS is not support!"
FNRET=44
fi
}
apply_debian () {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
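Review bot: `audit_redhat` only tests whether `rsh-server` is installed, while `audit_debian` additionally greps `$FILE` for `$PATTERN` to see whether the shell/login/exec services are actually enabled; on CentOS these services are enabled separately from the package (xinetd entries on older releases, `rsh.socket`/`rlogin.socket`/`rexec.socket` units on CentOS 7), so the Redhat branch should also verify those are disabled.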
@ -70,6 +90,27 @@ apply () {
done done
} }
apply_redhat () {
is_pkg_installed $PACKAGE_REDHAT
if [ $FNRET = 0 ]; then
crit "$PACKAGE_REDHAT is installed, purging it"
yum -y remove $PACKAGE_REDHAT
else
ok "$PACKAGE_REDHAT is absent"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
apply_redhat
else
crit "Current OS is not support!"
fi
}
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: :

View File

@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
@ -18,28 +19,36 @@ PACKAGES='rsh-client rsh-redone-client heimdal-clients'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
for PACKAGE in $PACKAGES; do if [ $OS_RELEASE -eq 2 ]; then
is_pkg_installed $PACKAGE ok "Redhat or CentOS does not have this check, so PASS"
if [ $FNRET = 0 ]; then else
crit "$PACKAGE is installed" for PACKAGE in $PACKAGES; do
else is_pkg_installed $PACKAGE
ok "$PACKAGE is absent" if [ $FNRET = 0 ]; then
fi crit "$PACKAGE is installed"
done else
ok "$PACKAGE is absent"
fi
done
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
for PACKAGE in $PACKAGES; do if [ $OS_RELEASE -eq 2 ]; then
is_pkg_installed $PACKAGE ok "Redhat or CentOS does not have this check, so PASS"
if [ $FNRET = 0 ]; then else
warn "$PACKAGE is installed, purging" for PACKAGE in $PACKAGES; do
apt-get purge $PACKAGE -y is_pkg_installed $PACKAGE
apt-get autoremove if [ $FNRET = 0 ]; then
else warn "$PACKAGE is installed, purging"
ok "$PACKAGE is absent" apt-get purge $PACKAGE -y
fi apt-get autoremove
done else
ok "$PACKAGE is absent"
fi
done
fi
} }
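Review bot: the new Redhat branch marks the control `ok` with "does not have this check, so PASS" without checking anything, but the CIS CentOS/RHEL 7 benchmark does include "Ensure rsh client is not installed" and the package is simply `rsh`; add `PACKAGES_REDHAT='rsh'` and run the existing loop with `yum remove` on OS_RELEASE 2 instead of unconditionally passing. The Debian side of this hunk is pure re-indentation, so a `PACKAGES=$PACKAGES_REDHAT` override as used in the other scripts would keep it much smaller.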
# This function will check config parameters required # This function will check config parameters required

View File

@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
@ -16,9 +17,9 @@ HARDENING_LEVEL=2
PACKAGES='inetutils-talkd talkd' PACKAGES='inetutils-talkd talkd'
FILE='/etc/inetd.conf' FILE='/etc/inetd.conf'
PATTERN='^(talk|ntalk)' PATTERN='^(talk|ntalk)'
PACKAGES_REDHAT='talk-server'
# This function will be called if the script status is on enabled / audit mode audit_debian () {
audit () {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -40,8 +41,30 @@ audit () {
done done
} }
# This function will be called if the script status is on enabled mode audit_redhat () {
apply () { for PACKAGE in $PACKAGES_REDHAT; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed"
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
audit_redhat
else
crit "Current OS is not support!"
FNRET=44
fi
}
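Review bot: the `audit`/`apply` dispatchers (`if [ $OS_RELEASE -eq 1 ] ... elif [ $OS_RELEASE -eq 2 ] ... else crit "Current OS is not support!"`) are now copied verbatim into every script in this change; a single lib helper (e.g. `dispatch_by_os audit_debian audit_redhat`, name assumed) would leave only the OS-specific bodies in each file and give one place to fix the "is not supported" message and the unsupported-OS `FNRET=44`. Note also that `audit_redhat` here, unlike the Debian path, never checks `$FILE`/`$PATTERN` for an enabled talk service.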
apply_debian () {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -69,6 +92,28 @@ apply () {
done done
} }
apply_redhat () {
for PACKAGE in $PACKAGES_REDHAT; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
yum remove $PACKAGE -y
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
apply_redhat
else
crit "Current OS is not support!"
fi
}
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: :

View File

@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
@ -14,9 +15,13 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2 HARDENING_LEVEL=2
PACKAGES='talk inetutils-talk' PACKAGES='talk inetutils-talk'
PACKAGES_REDHAT='talk'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -29,12 +34,19 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, purging" warn "$PACKAGE is installed, purging"
apt-get purge $PACKAGE -y if [ $OS_RELEASE -eq 2 ]; then
apt-get autoremove yum remove $PACKAGE -y
else
apt-get purge $PACKAGE -y
apt-get autoremove
fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi

View File

@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
@ -17,9 +18,9 @@ HARDENING_LEVEL=2
PACKAGES='telnetd inetutils-telnetd telnetd-ssl krb5-telnetd heimdal-servers' PACKAGES='telnetd inetutils-telnetd telnetd-ssl krb5-telnetd heimdal-servers'
FILE='/etc/inetd.conf' FILE='/etc/inetd.conf'
PATTERN='^telnet' PATTERN='^telnet'
PACKAGE_REDHAT='telnet-server'
# This function will be called if the script status is on enabled / audit mode audit_debian () {
audit () {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -41,8 +42,28 @@ audit () {
done done
} }
# This function will be called if the script status is on enabled mode audit_redhat () {
apply () { is_pkg_installed $PACKAGE_REDHAT
if [ $FNRET = 0 ]; then
crit "$PACKAGE_REDHAT is installed"
else
ok "$PACKAGE_REDHAT is absent"
fi
}
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
audit_redhat
else
crit "Current OS is not support!"
FNRET=44
fi
}
apply_debian () {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -70,6 +91,27 @@ apply () {
done done
} }
apply_redhat () {
is_pkg_installed $PACKAGE_REDHAT
if [ $FNRET = 0 ]; then
crit "$PACKAGE_REDHAT is installed, purging it"
yum remove $PACKAGE_REDHAT -y
else
ok "$PACKAGE_REDHAT is absent"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
apply_redhat
else
crit "Current OS is not support!"
fi
}
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: :

View File

@ -1,11 +1,12 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
# 5.1.8 Ensure xinetd is not enabled (Scored) # 5.1.7 Ensure xinetd is not enabled (Scored)
# #
set -e # One error, it's over set -e # One error, it's over
@ -14,9 +15,13 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=3 HARDENING_LEVEL=3
PACKAGES='openbsd-inetd xinetd rlinetd' PACKAGES='openbsd-inetd xinetd rlinetd'
PACKAGES_REDHAT='xinetd'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -29,12 +34,19 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, purging" warn "$PACKAGE is installed, purging"
apt-get purge $PACKAGE -y if [ $OS_RELEASE -eq 2 ]; then
apt-get autoremove yum remove $PACKAGE -y
else
apt-get purge $PACKAGE -y
apt-get autoremove
fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi

View File

@ -1,93 +0,0 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
#
#
# 5.1.7 Ensure tftp-server is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
PACKAGES='tftpd tftpd-hpa atftpd'
FILE='/etc/inetd.conf'
PATTERN='^tftp'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, checking configuration"
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, $PACKAGE services are enabled!"
else
ok "$PATTERN is not present in $FILE"
fi
fi
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN is not present in $FILE"
fi
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi
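Review bot: this deletes the tftp-server check (old 5.1.7) outright rather than renumbering it; the only renumbering in this change is xinetd moving from 5.1.8 to 5.1.7, so Debian hosts lose coverage for `tftpd`/`tftpd-hpa`/`atftpd` and the `^tftp` inetd entry. If the intent is a per-OS script like the others, keep this body as `audit_debian`/`apply_debian` and add `PACKAGE_REDHAT='tftp-server'`.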

View File

@ -1,74 +0,0 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
#
#
# 5.2 Ensure chargen is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
FILE='/etc/inetd.conf'
PATTERN='^chargen'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, chargen service is enabled!"
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi
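Review bot: removing the chargen check (5.2) drops a control that still applies to Debian's `/etc/inetd.conf` and to CentOS (where chargen is an xinetd service under `/etc/xinetd.d/chargen-dgram` and `chargen-stream`); if the number 5.2 is being reused for "Install screen", renumber this script instead of deleting it.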

View File

@ -1,11 +1,11 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #
# 5.7 Install screen (Scored) # 5.2 Install screen (Scored)
# Author : Samson wen, Samson <sccxboy@gmail.com> # Author : Samson wen, Samson <sccxboy@gmail.com>
# #
@ -33,7 +33,11 @@ apply () {
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
else else
warn "$PACKAGE is absent, installing it" warn "$PACKAGE is absent, installing it"
apt_install $PACKAGE if [ $OS_RELEASE -eq 2 ]; then
yum install -y $PACKAGE
else
apt_install $PACKAGE
fi
fi fi
} }
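Review bot: the Debian path goes through the `apt_install` helper while the new Redhat path calls `yum install -y $PACKAGE` inline; add a matching `yum_install` wrapper in lib (name assumed) so both paths share whatever non-interactive handling `apt_install` provides, and so the other scripts in this change that call `yum` directly can use it too.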

View File

@ -1,74 +0,0 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
#
#
# 5.3 Ensure daytime is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
FILE='/etc/inetd.conf'
PATTERN='^daytime'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, daytime service is enabled!"
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi
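Review bot: the 5.3 daytime inetd check is deleted outright instead of being ported, and the openssh script in this same commit takes over the 5.3 number (5.8 became 5.3), so any README, check list or exception configuration that still refers to 5.3 as the daytime check now points at a different control. The removal (together with the echo, discard and time deletions below) should be recorded in the changelog or docs with the reason, so that users comparing audit results across versions can account for the items that disappear.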

View File

@ -1,11 +1,11 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #
# 5.8 Ensure openssh server is enabled (Scored) # 5.3 Ensure openssh server is enabled (Scored)
# Author : Samson wen, Samson <sccxboy@gmail.com> # Author : Samson wen, Samson <sccxboy@gmail.com>
# #
@ -15,7 +15,8 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2 HARDENING_LEVEL=2
PACKAGES='openssh-server openssh-client' PACKAGES='openssh-server openssh-client'
SERVICE_NAME='ssh.service'
SERVICE_NAME_REDHAT='sshd.service'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
@ -28,6 +29,15 @@ audit () {
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
fi fi
done done
if [ $OS_RELEASE -eq 2 ]; then
SERVICE_NAME=$SERVICE_NAME_REDHAT
fi
is_service_active $SERVICE_NAME
if [ $FNRET = 0 ]; then
ok "$SERVICE_NAME is actived"
else
crit "$SERVICE_NAME is inactive"
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
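Review bot: the check is titled "Ensure openssh server is enabled" but `is_service_active $SERVICE_NAME` only tests whether sshd is running at this moment; a service that was started by hand but is disabled at boot passes the audit and is gone after the next reboot. Add an enabled-state test alongside the active one (`systemctl is-enabled $SERVICE_NAME`, or a lib helper wrapping it) and `crit` if either fails. Minor wording: "is actived" should read "is active".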
@ -39,9 +49,25 @@ apply () {
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
else else
warn "$PACKAGE is absent, installing it" warn "$PACKAGE is absent, installing it"
apt_install $PACKAGE if [ $OS_RELEASE -eq 2 ]; then
yum install -y $PACKAGE
else
apt_install $PACKAGE
fi
fi fi
done done
if [ $OS_RELEASE -eq 2 ]; then
SERVICE_NAME=$SERVICE_NAME_REDHAT
fi
is_service_active $SERVICE_NAME
if [ $FNRET = 0 ]; then
ok "$SERVICE_NAME is actived"
else
warn "$SERVICE_NAME is inactive, set enable this service"
systemctl enable $SERVICE_NAME
systemctl daemon-reload
systemctl start $SERVICE_NAME
fi
} }
# This function will check config parameters required # This function will check config parameters required
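Review bot: `systemctl daemon-reload` between `enable` and `start` can be dropped; it only re-reads unit files from disk and is not needed after `enable`. More importantly, the apply path never re-checks the service after `start`, so a failed start (for example a bad sshd_config) is not reported and the run still looks remediated; follow `systemctl start` with `is_service_active $SERVICE_NAME` and `crit` if it is still inactive. Wording in the new lines: "is actived" should read "is active", and "set enable this service" should read "enabling and starting it".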

View File

@ -1,11 +1,11 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 9 Hardening # harbian audit 9 or CentOS Hardening
# #
# #
# 5.9 Ensure ctrl-alt-del is disabled (Scored) # 5.4 Ensure ctrl-alt-del is disabled (Scored)
# Author : Samson wen, Samson <sccxboy@gmail.com> # Author : Samson wen, Samson <sccxboy@gmail.com>
# #

View File

@ -1,74 +0,0 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
#
#
# 5.4 Ensure echo is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
FILE='/etc/inetd.conf'
PATTERN='^echo'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, echo service is enabled!"
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

View File

@ -1,74 +0,0 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
#
#
# 5.5 Ensure discard is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
FILE='/etc/inetd.conf'
PATTERN='^discard'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, discard service is enabled!"
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

View File

@ -1,74 +0,0 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
#
#
# 5.6 Ensure time is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
FILE='/etc/inetd.conf'
PATTERN='^time'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, time service is enabled!"
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

View File

@ -1,11 +1,13 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 9 Hardening # harbian audit 9 or CentOS Hardening
# #
# #
# 5.10 Ensure sudo is installed (Scored) # 5.8 Ensure sudo is installed (Scored)
# Add feature:
# Ensure sudo log file is set to /var/log/sudo.log
# Add new by: # Add new by:
# Author : Samson wen, Samson <sccxboy@gmail.com> # Author : Samson wen, Samson <sccxboy@gmail.com>
# #
@ -16,27 +18,46 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2 HARDENING_LEVEL=2
PACKAGE='sudo' PACKAGE='sudo'
CONFIGFILE='/etc/sudoers'
LOGFILENAME='/var/log/sudo.log'
LOGFILENAME_REP='\/var\/log\/sudo.log'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!" crit "$PACKAGE is not installed!"
FNRET=1 FNRET=1
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
FNRET=0 if [ $(grep -c "^Defaults.*logfile=" $CONFIGFILE) -eq 1 ]; then
fi if [ $(grep "^Defaults.*logfile=" $CONFIGFILE | grep -c "$LOGFILENAME") -eq 1 ]; then
ok "Log file is set to $LOGFILENAME in $CONFIGFILE"
FNRET=0
else
crit "Log file path was set, but is not set to $LOGFILENAME"
FNRET=3
fi
else
crit "sudo Log file is not set in $CONFIGFILE"
FNRET=2
fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
else elif [ $FNRET = 1 ]; then
warn "$PACKAGE is absent, installing it" warn "$PACKAGE is absent, installing it"
apt_install $PACKAGE apt_install $PACKAGE
elif [ $FNRET = 2 ]; then
warn "sudo Log file is not set in $CONFIGFILE, add set to"
add_end_of_file $CONFIGFILE "Defaults logfile="$LOGFILENAME""
else
warn "Log file path was set, but is not set to $LOGFILENAME, modify"
replace_in_file $CONFIGFILE "logfile=.*" "logfile=$LOGFILENAME_REP"
fi fi
} }
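Review bot: both write paths in apply() edit /etc/sudoers in place (`add_end_of_file`, `replace_in_file`) without validating the result, and neither calls `backup_file` first as the other scripts in this commit do; a malformed `Defaults` line makes sudo refuse every invocation, which on a host without a root password is a lockout. Run `visudo -cf $CONFIGFILE` after the edit and restore the backup when it fails. Two smaller points: `grep -c "^Defaults.*logfile=" $CONFIGFILE` compared with `-eq 1` treats two matching lines as "not set" (FNRET=2), so the next apply appends a third `Defaults logfile=` line; use `grep -q` for presence and test the value separately. And only /etc/sudoers is read, so a `logfile=` configured through `#includedir /etc/sudoers.d` is reported missing and a duplicate is appended. Also, `apt_install $PACKAGE` in the FNRET=1 branch is not gated on `OS_RELEASE` even though the header now says CentOS, and after installing sudo the log-file setting is not applied until a second run.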

View File

@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
@ -16,9 +17,13 @@ HARDENING_EXCEPTION=http
# Based on aptitude search '~Phttpd' # Based on aptitude search '~Phttpd'
PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd' PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd'
PACKAGES_REDHAT='httpd pcp-pmda-nginx'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
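Review bot: `pcp-pmda-nginx` in PACKAGES_REDHAT is a Performance Co-Pilot metrics agent for nginx, not a web server, so purging it in apply() removes monitoring rather than an HTTP listener; meanwhile `nginx` itself (available from EPEL on CentOS 7) is absent from the RedHat list even though it heads the Debian one. Suggest restricting PACKAGES_REDHAT to packages that actually serve HTTP, for example `httpd nginx lighttpd`.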
@ -35,6 +40,9 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -42,8 +50,12 @@ apply () {
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate." warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else else
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE if [ $OS_RELEASE -eq 2 ]; then
apt-get autoremove yum autoremove $PACKAGE
else
apt-get purge $PACKAGE
apt-get autoremove
fi
fi fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
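Review bot: `yum autoremove $PACKAGE` is missing `-y`, so in a non-interactive hardening run it prompts for confirmation and, with stdin not a terminal, the removal is aborted; the other scripts in this commit use `yum autoremove $PACKAGE -y`, so this one should match. Since `autoremove` with a package argument removes the package and its unneeded dependencies in one step, the Debian `purge` plus `autoremove` pair maps onto that single line; a short comment saying so would help the next reader.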

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9 or CentOS Hardening
# #
# #
@ -19,36 +19,44 @@ PACKAGES='citadel-server courier-imap cyrus-imapd-2.4 dovecot-imapd mailutils-im
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
for PACKAGE in $PACKAGES; do if [ $OS_RELEASE -eq 2 ]; then
is_pkg_installed $PACKAGE ok "Redhat or CentOS does not have this check, so PASS"
if [ $FNRET = 0 ]; then else
if [ $ISEXCEPTION -eq 1 ]; then for PACKAGE in $PACKAGES; do
warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!" is_pkg_installed $PACKAGE
else if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed!" if [ $ISEXCEPTION -eq 1 ]; then
fi warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!"
else else
ok "$PACKAGE is absent" crit "$PACKAGE is installed!"
fi fi
done else
ok "$PACKAGE is absent"
fi
done
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
for PACKAGE in $PACKAGES; do if [ $OS_RELEASE -eq 2 ]; then
is_pkg_installed $PACKAGE ok "Redhat or CentOS does not have this check, so PASS"
if [ $FNRET = 0 ]; then else
if [ $ISEXCEPTION -eq 1 ]; then for PACKAGE in $PACKAGES; do
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate." is_pkg_installed $PACKAGE
else if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it" if [ $ISEXCEPTION -eq 1 ]; then
apt-get purge $PACKAGE -y warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
apt-get autoremove else
fi crit "$PACKAGE is installed, purging it"
else apt-get purge $PACKAGE -y
ok "$PACKAGE is absent" apt-get autoremove
fi fi
done else
ok "$PACKAGE is absent"
fi
done
fi
} }
# This function will create the config file for this check with default values # This function will create the config file for this check with default values
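Review bot: reporting `ok "... does not have this check, so PASS"` on RedHat marks a control as passing when nothing was examined; dovecot and cyrus-imapd are both shipped in the CentOS base repository, so a mail server can be present and the audit still prints green. Either port the list (`PACKAGES_REDHAT='dovecot cyrus-imapd'`, in the same shape as the httpd script in this commit) or emit `info`/`warn` with a "not implemented on this platform" message so the summary does not count it as passed.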

View File

@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
@ -41,8 +42,12 @@ apply () {
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate." warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else else
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y if [ $OS_RELEASE -eq 2 ]; then
apt-get autoremove yum autoremove $PACKAGE -y
else
apt-get purge $PACKAGE -y
apt-get autoremove
fi
fi fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"

View File

@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
@ -15,9 +16,13 @@ HARDENING_LEVEL=3
HARDENING_EXCEPTION=http HARDENING_EXCEPTION=http
PACKAGES='squid3 squid' PACKAGES='squid3 squid'
PACKAGES_REDHAT='squid gssproxy haproxy'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
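Review bot: `gssproxy` and `haproxy` do not belong in an HTTP-proxy package list: gssproxy is the GSSAPI credential proxy that nfs-utils pulls in on RHEL 7 for Kerberos-secured NFS, and haproxy is a TCP/HTTP load balancer. Because apply() will `yum autoremove` whatever matches, listing gssproxy can break Kerberos NFS mounts on a hardened host. Keep `squid` in PACKAGES_REDHAT and, if load balancers should be covered, make that a separate check with its own exception.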
@ -34,6 +39,9 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -41,8 +49,12 @@ apply () {
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate." warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else else
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y if [ $OS_RELEASE -eq 2 ]; then
apt-get autoremove yum autoremove $PACKAGE -y
else
apt-get purge $PACKAGE -y
apt-get autoremove
fi
fi fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9 or CentOS Hardening
# #
# #
@ -18,35 +18,43 @@ PACKAGES='snmpd'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
for PACKAGE in $PACKAGES; do if [ $OS_RELEASE -eq 2 ]; then
is_pkg_installed $PACKAGE ok "Redhat or CentOS does not have this check, so PASS"
if [ $FNRET = 0 ]; then else
if [ $ISEXCEPTION -eq 1 ]; then for PACKAGE in $PACKAGES; do
warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!" is_pkg_installed $PACKAGE
else if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed!" if [ $ISEXCEPTION -eq 1 ]; then
fi warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!"
else else
ok "$PACKAGE is absent" crit "$PACKAGE is installed!"
fi fi
done else
ok "$PACKAGE is absent"
fi
done
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
for PACKAGE in $PACKAGES; do if [ $OS_RELEASE -eq 2 ]; then
is_pkg_installed $PACKAGE ok "Redhat or CentOS does not have this check, so PASS"
if [ $FNRET = 0 ]; then else
if [ $ISEXCEPTION -eq 1 ]; then for PACKAGE in $PACKAGES; do
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate." is_pkg_installed $PACKAGE
else if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it" if [ $ISEXCEPTION -eq 1 ]; then
apt-get purge $PACKAGE -y warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
fi else
else crit "$PACKAGE is installed, purging it"
ok "$PACKAGE is absent" apt-get purge $PACKAGE -y
fi fi
done else
ok "$PACKAGE is absent"
fi
done
fi
} }
# This function will create the config file for this check with default values # This function will create the config file for this check with default values
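Review bot: on CentOS the SNMP agent is packaged as `net-snmp`, so this check ports with `PACKAGES_REDHAT='net-snmp'` following the pattern used for httpd, cups and ldap in this commit, rather than unconditionally reporting PASS and leaving an installed snmpd invisible on RedHat hosts.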

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9 or CentOS Hardening
# #
# #
@ -21,36 +21,44 @@ RSYNC_DEFAULT_PATTERN_TO_SEARCH='RSYNC_ENABLE=true'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
is_pkg_installed $PACKAGE if [ $OS_RELEASE -eq 2 ]; then
if [ $FNRET != 0 ]; then ok "Redhat or CentOS does not have this check, so PASS"
ok "$PACKAGE is not installed" else
else is_pkg_installed $PACKAGE
ok "$PACKAGE is installed, checking configuration" if [ $FNRET != 0 ]; then
does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN" ok "$PACKAGE is not installed"
if [ $FNRET != 0 ]; then else
crit "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE" ok "$PACKAGE is installed, checking configuration"
else does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE" if [ $FNRET != 0 ]; then
fi crit "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE"
fi else
ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE"
fi
fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
is_pkg_installed $PACKAGE if [ $OS_RELEASE -eq 2 ]; then
if [ $FNRET != 0 ]; then ok "Redhat or CentOS does not have this check, so PASS"
ok "$PACKAGE is not installed" else
else is_pkg_installed $PACKAGE
ok "$PACKAGE is installed, checking configuration" if [ $FNRET != 0 ]; then
does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN" ok "$PACKAGE is not installed"
if [ $FNRET != 0 ]; then else
warn "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE, adding it" ok "$PACKAGE is installed, checking configuration"
backup_file $RSYNC_DEFAULT_FILE does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
replace_in_file $RSYNC_DEFAULT_FILE $RSYNC_DEFAULT_PATTERN_TO_SEARCH $RSYNC_DEFAULT_PATTERN if [ $FNRET != 0 ]; then
else warn "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE, adding it"
ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE" backup_file $RSYNC_DEFAULT_FILE
fi replace_in_file $RSYNC_DEFAULT_FILE $RSYNC_DEFAULT_PATTERN_TO_SEARCH $RSYNC_DEFAULT_PATTERN
fi else
ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE"
fi
fi
fi
} }
# This function will check config parameters required # This function will check config parameters required
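Review bot: in apply(), `replace_in_file` only rewrites a line matching `$RSYNC_DEFAULT_PATTERN_TO_SEARCH` (`RSYNC_ENABLE=true`); if /etc/default/rsync carries another value such as `RSYNC_ENABLE=inetd`, or no such line at all, the warn says "adding it" but nothing changes and the next audit fails again. After the replace, re-run `does_pattern_exist_in_file` and fall back to `add_end_of_file`. On RedHat the daemon unit is `rsyncd.service`, so `is_service_active rsyncd.service` would be the natural port instead of the unconditional PASS.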

View File

@ -2,7 +2,7 @@
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9 Hardening
# # todo test for centos
# #
# 6.17 Ensure virul scan Server is enabled (Scored) # 6.17 Ensure virul scan Server is enabled (Scored)

View File

@ -2,7 +2,7 @@
# #
# harbian audit 9 Hardening # harbian audit 9 Hardening
# # todo test for centos
# #
# 6.18 Ensure virul scan Server update is enabled (Scored) # 6.18 Ensure virul scan Server update is enabled (Scored)

View File

@ -1,11 +1,11 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9 or CentOS Hardening
# # todo base redhat7 v2r3 of STIG
# #
# 6.5 Configure Network Time Protocol (NTP) (Scored) # 6.19 Configure Network Time Protocol (NTP) (Scored)
# Modify Author : Samson wen, Samson <sccxboy@gmail.com> # Modify Author : Samson wen, Samson <sccxboy@gmail.com>
# #

View File

@ -7,6 +7,7 @@
# #
# 6.1 Ensure the X Window system is not installed (Scored) # 6.1 Ensure the X Window system is not installed (Scored)
# #
# todo test for centos
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over

View File

@ -23,48 +23,56 @@ NTP_POOL_CFG='pool 2.debian.pool.ntp.org iburst'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
is_pkg_installed $ANALOGONS_PKG if [ $OS_RELEASE -eq 2 ]; then
if [ $FNRET = 0 ]; then ok "Redhat or CentOS does not have this check, so PASS"
ok "Analogons pagkage $ANALOGONS_PKG is installed. So pass check."
else else
is_pkg_installed $PACKAGE is_pkg_installed $ANALOGONS_PKG
if [ $FNRET != 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is not installed!" ok "Analogons pagkage $ANALOGONS_PKG is installed. So pass check."
else else
ok "$PACKAGE is installed, checking configuration" is_pkg_installed $PACKAGE
does_pattern_exist_in_file $NTP_CONF_FILE $NTP_SERVER_PATTERN if [ $FNRET != 0 ]; then
if [ $FNRET != 0 ]; then crit "$PACKAGE is not installed!"
crit "$NTP_SERVER_PATTERN not found in $NTP_CONF_FILE" else
else ok "$PACKAGE is installed, checking configuration"
ok "$NTP_SERVER_PATTERN found in $NTP_CONF_FILE" does_pattern_exist_in_file $NTP_CONF_FILE $NTP_SERVER_PATTERN
fi if [ $FNRET != 0 ]; then
fi crit "$NTP_SERVER_PATTERN not found in $NTP_CONF_FILE"
else
ok "$NTP_SERVER_PATTERN found in $NTP_CONF_FILE"
fi
fi
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
is_pkg_installed $ANALOGONS_PKG if [ $OS_RELEASE -eq 2 ]; then
if [ $FNRET = 0 ]; then ok "Redhat or CentOS does not have this check, so PASS"
ok "Analogons pagkage $ANALOGONS_PKG is installed. So pass check."
else else
is_pkg_installed $PACKAGE is_pkg_installed $ANALOGONS_PKG
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed" ok "Analogons pagkage $ANALOGONS_PKG is installed. So pass check."
else else
crit "$PACKAGE is absent, installing it" is_pkg_installed $PACKAGE
apt_install $PACKAGE if [ $FNRET = 0 ]; then
info "Checking $PACKAGE configuration" ok "$PACKAGE is installed"
does_pattern_exist_in_file $NTP_CONF_FILE $NTP_SERVER_PATTERN
if [ $FNRET != 0 ]; then
warn "$NTP_SERVER_PATTERN not found in $NTP_CONF_FILE, adding it"
backup_file $NTP_CONF_FILE
add_end_of_file $NTP_CONF_FILE $NTP_POOL_CFG
else else
ok "$NTP_SERVER_PATTERN found in $NTP_CONF_FILE" crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE
info "Checking $PACKAGE configuration"
does_pattern_exist_in_file $NTP_CONF_FILE $NTP_SERVER_PATTERN
if [ $FNRET != 0 ]; then
warn "$NTP_SERVER_PATTERN not found in $NTP_CONF_FILE, adding it"
backup_file $NTP_CONF_FILE
add_end_of_file $NTP_CONF_FILE $NTP_POOL_CFG
else
ok "$NTP_SERVER_PATTERN found in $NTP_CONF_FILE"
fi
exit 1
fi fi
exit 1 fi
fi
fi fi
} }
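Review bot: `exit 1` at the end of the install branch in apply() (carried over with the re-indentation) terminates the script with a failure status right after the package has been installed and configured, so the run is reported as failed even when remediation succeeded; if the intent is to re-audit after install, return normally and let the harness run the audit again. Typos in the re-indented lines: "Analogons pagkage" should read "Analogous package". The RedHat branch again returns PASS without checking anything; RHEL 7 ships chrony by default, so a `chronyd`/`chrony.conf` check would be the honest port.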

View File

@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
@ -15,9 +16,13 @@ HARDENING_LEVEL=3
HARDENING_EXCEPTION=dns HARDENING_EXCEPTION=dns
PACKAGES='avahi-daemon libavahi-common-data libavahi-common3 libavahi-core7' PACKAGES='avahi-daemon libavahi-common-data libavahi-common3 libavahi-core7'
PACKAGES_REDHAT='avahi'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -34,6 +39,9 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -41,8 +49,12 @@ apply () {
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate." warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else else
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y if [ $OS_RELEASE -eq 2 ]; then
apt-get autoremove yum autoremove $PACKAGE -y
else
apt-get purge $PACKAGE -y
apt-get autoremove
fi
fi fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"

View File

@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
@ -15,9 +16,13 @@ HARDENING_LEVEL=3
HARDENING_EXCEPTION=cups HARDENING_EXCEPTION=cups
PACKAGES='libcups2 libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1 cups-common cups-client cups-ppdc libcupsfilters1 cups-filters cups' PACKAGES='libcups2 libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1 cups-common cups-client cups-ppdc libcupsfilters1 cups-filters cups'
PACKAGES_REDHAT='cups'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -34,6 +39,9 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -41,8 +49,12 @@ apply () {
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate." warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else else
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y if [ $OS_RELEASE -eq 2 ]; then
apt-get autoremove yum autoremove $PACKAGE -y
else
apt-get purge $PACKAGE -y
apt-get autoremove
fi
fi fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"

View File

@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
@ -15,9 +16,13 @@ HARDENING_LEVEL=3
HARDENING_EXCEPTION=dhcp HARDENING_EXCEPTION=dhcp
PACKAGES='udhcpd isc-dhcp-server' PACKAGES='udhcpd isc-dhcp-server'
PACKAGES_REDHAT='dnsmasq'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
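Review bot: `PACKAGES_REDHAT='dnsmasq'` misses the ISC DHCP server, which on RHEL/CentOS is the `dhcp` package (dhcpd), so a real DHCP server passes this check; and dnsmasq is required by libvirt's default NAT network (libvirt-daemon-config-network depends on it), so `yum autoremove dnsmasq` on a virtualization host breaks guest networking. Suggest `PACKAGES_REDHAT='dhcp'`, and if dnsmasq should stay listed, document it under the existing `dhcp` exception.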
@ -34,6 +39,9 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -41,8 +49,12 @@ apply () {
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate." warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else else
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y if [ $OS_RELEASE -eq 2 ]; then
apt-get autoremove yum autoremove $PACKAGE -y
else
apt-get purge $PACKAGE -y
apt-get autoremove
fi
fi fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"

View File

@ -14,7 +14,6 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=3 HARDENING_LEVEL=3
PACKAGES='ntp chrony' PACKAGES='ntp chrony'
PACKAGES_COUNT=$(echo $PACKAGES | wc -w)
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
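Review bot: removing `PACKAGES_COUNT` is safe only if nothing else in the script still reads it; the hunk header shows this file runs under `set -u`, so a leftover `$PACKAGES_COUNT` in audit() or apply() would abort the check with an unbound-variable error instead of producing a finding. Grep the file (and lib/) for the name before merging.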

View File

@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
@ -15,9 +16,13 @@ HARDENING_LEVEL=3
HARDENING_EXCEPTION=ldap HARDENING_EXCEPTION=ldap
PACKAGES='slapd' PACKAGES='slapd'
PACKAGES_REDHAT='openldap-servers'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -34,6 +39,9 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -41,8 +49,12 @@ apply () {
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate." warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else else
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y if [ $OS_RELEASE -eq 2 ]; then
apt-get autoremove yum autoremove $PACKAGE -y
else
apt-get purge $PACKAGE -y
apt-get autoremove
fi
fi fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"

View File

@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
@ -18,36 +19,44 @@ PACKAGES='rpcbind nfs-kernel-server'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
for PACKAGE in $PACKAGES; do if [ $OS_RELEASE -eq 2 ]; then
is_pkg_installed $PACKAGE ok "Redhat or CentOS does not have this check, so PASS"
if [ $FNRET = 0 ]; then else
if [ $ISEXCEPTION -eq 1 ]; then for PACKAGE in $PACKAGES; do
warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!" is_pkg_installed $PACKAGE
else if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed!" if [ $ISEXCEPTION -eq 1 ]; then
fi warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!"
else else
ok "$PACKAGE is absent" crit "$PACKAGE is installed!"
fi fi
done else
ok "$PACKAGE is absent"
fi
done
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
for PACKAGE in $PACKAGES; do if [ $OS_RELEASE -eq 2 ]; then
is_pkg_installed $PACKAGE ok "Redhat or CentOS does not have this check, so PASS"
if [ $FNRET = 0 ]; then else
if [ $ISEXCEPTION -eq 1 ]; then for PACKAGE in $PACKAGES; do
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate." is_pkg_installed $PACKAGE
else if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it" if [ $ISEXCEPTION -eq 1 ]; then
apt-get purge $PACKAGE -y warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
apt-get autoremove else
fi crit "$PACKAGE is installed, purging it"
else apt-get purge $PACKAGE -y
ok "$PACKAGE is absent" apt-get autoremove
fi fi
done else
ok "$PACKAGE is absent"
fi
done
fi
} }
# This function will create the config file for this check with default values # This function will create the config file for this check with default values
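Review bot: on OS_RELEASE 2 both audit() and apply() now emit `ok "Redhat or CentOS does not have this check, so PASS"`, which records an unverified PASS rather than a not-applicable result. rpcbind and an NFS server (package nfs-utils) do exist on CentOS, so the control is applicable there; suggest following the pattern used in the other scripts of this commit (a PACKAGES_REDHAT list such as `rpcbind nfs-utils`, selected when OS_RELEASE is 2) instead of skipping, or at least a warn so the summary does not count a skipped control as passed.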

View File

@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
@ -15,9 +16,13 @@ HARDENING_LEVEL=3
HARDENING_EXCEPTION=dns HARDENING_EXCEPTION=dns
PACKAGES='bind9 unbound' PACKAGES='bind9 unbound'
PACKAGES_REDHAT='bind unbound'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -34,6 +39,9 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGES_REDHAT
fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -41,8 +49,12 @@ apply () {
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate." warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else else
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y if [ $OS_RELEASE -eq 2 ]; then
apt-get autoremove yum autoremove $PACKAGE -y
else
apt-get purge $PACKAGE -y
apt-get autoremove
fi
fi fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"

View File

@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
@ -16,9 +17,13 @@ HARDENING_EXCEPTION=ftp
# Based on aptitude search '~Pftp-server' # Based on aptitude search '~Pftp-server'
PACKAGES='ftpd ftpd-ssl heimdal-servers inetutils-ftpd krb5-ftpd muddleftpd proftpd-basic pure-ftpd pure-ftpd-ldap pure-ftpd-mysql pure-ftpd-postgresql twoftpd-run vsftpd wzdftpd' PACKAGES='ftpd ftpd-ssl heimdal-servers inetutils-ftpd krb5-ftpd muddleftpd proftpd-basic pure-ftpd pure-ftpd-ldap pure-ftpd-mysql pure-ftpd-postgresql twoftpd-run vsftpd wzdftpd'
PACKAGE_REDHAT='tftp-server vsftpd'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGE_REDHAT
fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
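Review bot: the variable name is inconsistent with the sibling scripts: this file introduces `PACKAGE_REDHAT` while the ldap and dns scripts use `PACKAGES_REDHAT`; pick one spelling so a shared helper can rely on it. Also `tftp-server` is a TFTP daemon, not an FTP server; the Debian list (built from `aptitude search '~Pftp-server'`) contains no TFTP packages, so adding it here widens the scope of this FTP check on RHEL only. Keep the two lists equivalent and handle TFTP in its own check.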
@ -35,6 +40,9 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES=$PACKAGE_REDHAT
fi
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -42,8 +50,12 @@ apply () {
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate." warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else else
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y if [ $OS_RELEASE -eq 2 ]; then
apt-get autoremove yum autoremove $PACKAGE -y
else
apt-get purge $PACKAGE -y
apt-get autoremove
fi
fi fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #
@ -13,7 +13,7 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2 HARDENING_LEVEL=2
SYSCTL_PARAMS='net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0' SYSCTL_PARAMS='net.ipv4.conf.all.secure_redirects=1 net.ipv4.conf.default.secure_redirects=1'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
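Review bot: this flips the expected value of `net.ipv4.conf.all.secure_redirects` and `net.ipv4.conf.default.secure_redirects` from 0 to 1, which inverts the control. secure_redirects=1 is the kernel default and means ICMP redirects from gateways on the default-gateway list are accepted; the hardening goal of the item this parameter belongs to (secure ICMP redirects are not accepted) is 0. With this change the audit passes an unhardened host and flags a hardened one, and apply() actively weakens it. Unless there is a documented reason, revert to `=0`.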

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #

View File

@ -1,85 +0,0 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
#
#
# 7.3.3 Disable IPv6 (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_sysctl_param_exists "net.ipv6"
if [ $FNRET != 0 ]; then
ok "ipv6 is disabled"
else
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
done
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_sysctl_param_exists "net.ipv6"
if [ $FNRET != 0 ]; then
ok "ipv6 is disabled"
else
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value, fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
warn "you may want to reboot or sysctl -p a file including $SYSCTL_PARAMS"
elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
done
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi
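Review bot: this deletes the 7.3.3 Disable IPv6 check outright rather than marking it disabled or not-applicable, and the commit message gives no rationale. If the intent is that disabling IPv6 is undesirable on modern hosts, say so in the changelog and remove every reference to 7.3.3 from configuration and documentation, otherwise audit runs that still expect this id silently lose coverage. If the script is being dropped because of its own logic bug (the `elif [ $FNRET = 255 ]` branch is unreachable after `if [ $FNRET != 0 ]`), swapping the branch order would be the smaller change.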

View File

@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
@ -14,10 +15,14 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=3 HARDENING_LEVEL=3
PACKAGE='tcpd' PACKAGE='tcpd'
PACKAGE_REDHAT='tcp_wrappers'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
is_pkg_installed $PACKAGE if [ $OS_RELEASE -eq 2 ]; then
PACKAGE=$PACKAGE_REDHAT
fi
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!" crit "$PACKAGE is not installed!"
else else
@ -27,13 +32,20 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
is_pkg_installed $PACKAGE if [ $OS_RELEASE -eq 2 ]; then
if [ $FNRET = 0 ]; then PACKAGE=$PACKAGE_REDHAT
ok "$PACKAGE is installed" fi
else is_pkg_installed $PACKAGE
crit "$PACKAGE is absent, installing it" if [ $FNRET = 0 ]; then
apt_install $PACKAGE ok "$PACKAGE is installed"
fi else
crit "$PACKAGE is absent, installing it"
if [ $OS_RELEASE -eq 2 ]; then
yum install $PACKAGE -y
else
apt_install $PACKAGE
fi
fi
} }
# This function will check config parameters required # This function will check config parameters required
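Review bot: the RHEL branch calls `yum install $PACKAGE -y` directly while the Debian branch goes through the library helper `apt_install`; the two will differ in non-interactive behaviour and in how failures are reported. Suggest a matching library helper (a hypothetical `yum_install`) so package installation is handled in one place, or at least the same flags in both branches.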

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #

View File

@ -1,12 +1,12 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 9 Hardening # harbian audit 9 or CentOS Hardening
# #
# #
# 7.6 Ensure wireless interfaces are disabled (Not Scored) # 7.6 Ensure wireless interfaces are disabled (Not Scored)
# Author : Samson wen, Samson <sccxboy@gmail.com> # Author : Samson wen, Samson <samson@hardenedlinux.org>
# #
set -e # One error, it's over set -e # One error, it's over
@ -35,7 +35,8 @@ apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "Wireless interfaces are disabled!" ok "Wireless interfaces are disabled!"
else else
warn "Wireless interfaces is not disabled! Need the administrator to manually disable it. HOWTO: ip link set <interface> down" warn "Wireless interfaces is not disabled! Disabled wireless."
nmcli radio wifi off
fi fi
} }
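Review bot: `nmcli radio wifi off` assumes NetworkManager is installed and running; on a server without it the command is missing or exits non-zero, and because the script runs under `set -e` the whole apply() aborts at that line. Guard it (`command -v nmcli` plus a check that NetworkManager is active) and fall back to the per-interface `ip link set <interface> down` the old message pointed to. `nmcli radio wifi off` is also only a NetworkManager soft rfkill, so the following audit should verify interface state rather than assume success. Minor: the warn text `Disabled wireless.` should read `Disabling wireless.`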

View File

@ -1,7 +1,8 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# todo 7.7.* need test for CentOS
# #
# #
@ -19,6 +20,7 @@ HARDENING_LEVEL=2
# Do as you want, but this script does not handle this # Do as you want, but this script does not handle this
PACKAGES='iptables iptables-persistent' PACKAGES='iptables iptables-persistent'
PACKAGES_REDHAT='iptables nftables firewalld'
SERVICENAME='netfilter-persistent' SERVICENAME='netfilter-persistent'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
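Review bot: `PACKAGES_REDHAT='iptables nftables firewalld'` lists three different firewall front-ends and, if this script checks every listed package the way its Debian list (iptables plus iptables-persistent) suggests, would require all three on a RHEL host; meanwhile `SERVICENAME='netfilter-persistent'` is still the Debian-only service, so the service check fails on CentOS regardless. Given the new `# todo 7.7.* need test for CentOS` comment, it would be safer to have this script (and the other 7.7.* ones) report not-applicable when OS_RELEASE is 2 until the CentOS path is tested, rather than ship a package list that cannot pass.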

View File

@ -20,7 +20,7 @@ KERNEL_OPTION="CONFIG_AUDIT"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
is_kernel_option_enabled "^$KERNEL_OPTION=" is_kernel_option_enabled $KERNEL_OPTION
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
ok "$KERNEL_OPTION is enabled" ok "$KERNEL_OPTION is enabled"
else else
@ -31,7 +31,7 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
is_kernel_option_enabled "^$KERNEL_OPTION=" is_kernel_option_enabled $KERNEL_OPTION
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
ok "$KERNEL_OPTION is enabled" ok "$KERNEL_OPTION is enabled"
else else
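Review bot: dropping the anchored pattern (`"^$KERNEL_OPTION="` becomes the bare `$KERNEL_OPTION`) is only correct if `is_kernel_option_enabled` now adds its own `^...=` anchoring internally. If it still greps the raw argument, `CONFIG_AUDIT` also matches `CONFIG_AUDITSYSCALL` and `CONFIG_AUDIT_ARCH`, so the check passes on a kernel where CONFIG_AUDIT itself is unset. Please confirm the library change that motivates this and, if the helper does the anchoring, say so in its comment; otherwise keep the anchored form.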

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 9 Hardening # harbian audit 9/10 or CentOS Hardening
# #
# #

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 9 Hardening # harbian audit 9/10 or CentOS Hardening
# #
# #

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 9 Hardening # harbian audit 9/10 or CentOS Hardening
# #
# #

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 9 Hardening # harbian audit 9/10 or CentOS Hardening
# #
# #

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 9 Hardening # harbian audit 9/10 or CentOS Hardening
# #
# #

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 9 Hardening # harbian audit 9/10 or CentOS Hardening
# #
# #

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9 or CentOS Hardening
# #
# #

View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #
@ -9,13 +9,15 @@
# Author : Samson wen, Samson <sccxboy@gmail.com> # Author : Samson wen, Samson <sccxboy@gmail.com>
# #
set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
HARDENING_LEVEL=4 HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh' AUDIT_PARAMS="-a always,exit -F path=$(find /usr/ -name "ssh-keysign") -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=$(which ssh-agent 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
set -e # One error, it's over
FILE='/etc/audit/rules.d/audit.rules' FILE='/etc/audit/rules.d/audit.rules'
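Review bot: the path substitutions are fragile: `$(find /usr/ -name "ssh-keysign")` expands to nothing if the binary is absent and to several paths if more than one copy exists (producing a rule with embedded newlines), and `$(which ssh-agent 2>/dev/null)` leaves `-F path=` empty when ssh-agent is not installed. Suggest `find /usr -name ssh-keysign -type f -print -quit` and `command -v ssh-agent` so each expansion yields at most one path. The move of `set -e` below the assignment is correct and should stay: with errexit active, a failing `which` inside the command substitution would abort the script before the new path check ever runs.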
@ -26,15 +28,21 @@ audit () {
c_IFS=$'\n' c_IFS=$'\n'
IFS=$c_IFS IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" check_audit_path $AUDIT_VALUE
IFS=$d_IFS if [ $FNRET -eq 1 ];then
does_pattern_exist_in_file $FILE "$AUDIT_VALUE" crit "path is not exsit! Please check file path is exist!"
IFS=$c_IFS continue
if [ $FNRET != 0 ]; then else
crit "$AUDIT_VALUE is not in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
else IFS=$d_IFS
ok "$AUDIT_VALUE is present in $FILE" does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
fi IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done done
IFS=$d_IFS IFS=$d_IFS
} }
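Review bot: a rule whose binary is missing is reported with `crit "path is not exsit! ..."`, but an absent ssh-keysign or ssh-agent is not a finding (there is no privileged binary to audit), so this should be a warn, not a crit that fails the check. Fix the typo and grammar and name the offending rule, e.g. `warn "$AUDIT_VALUE: path does not exist, skipping"`. `check_audit_path $AUDIT_VALUE` is passed unquoted and only works because IFS is newline at that point; quoting the argument removes the dependence on the surrounding IFS juggling. The same block is duplicated in apply() below; a shared helper would keep the two in sync.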
@ -43,15 +51,21 @@ audit () {
apply () { apply () {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" check_audit_path $AUDIT_VALUE
does_pattern_exist_in_file $FILE "$AUDIT_VALUE" if [ $FNRET -eq 1 ];then
if [ $FNRET != 0 ]; then crit "path is not exsit! Please check file path is exist!"
warn "$AUDIT_VALUE is not in file $FILE, adding it" continue
add_end_of_file $FILE $AUDIT_VALUE else
check_auditd_is_immutable_mode debug "$AUDIT_VALUE should be in file $FILE"
else does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
ok "$AUDIT_VALUE is present in $FILE" if [ $FNRET != 0 ]; then
fi warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done done
} }

Some files were not shown because too many files have changed in this diff.