diff --git a/bin/hardening/10.1.10_set_maxlogins_for_all_accounts.sh b/bin/hardening/10.1.10_set_maxlogins_for_all_accounts.sh index 9007a07..ed5acb1 100755 --- a/bin/hardening/10.1.10_set_maxlogins_for_all_accounts.sh +++ b/bin/hardening/10.1.10_set_maxlogins_for_all_accounts.sh @@ -59,7 +59,7 @@ apply () { ok "$PACKAGE is installed" elif [ $FNRET = 1 ]; then warn "$PACKAGE is not installed, need install." - apt_install $PACKAGE + install_package $PACKAGE elif [ $FNRET = 2 ]; then warn "$FILE is not exist, need manual check." elif [ $FNRET = 3 ]; then diff --git a/bin/hardening/10.1.1_set_password_exp_days.sh b/bin/hardening/10.1.1_set_password_exp_days.sh index b75937a..ea1a3a1 100755 --- a/bin/hardening/10.1.1_set_password_exp_days.sh +++ b/bin/hardening/10.1.1_set_password_exp_days.sh @@ -51,7 +51,7 @@ apply () { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + install_package $PACKAGE fi SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1) SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2) diff --git a/bin/hardening/10.1.2_set_password_min_days_change.sh b/bin/hardening/10.1.2_set_password_min_days_change.sh index 9aad7b3..276eeac 100755 --- a/bin/hardening/10.1.2_set_password_min_days_change.sh +++ b/bin/hardening/10.1.2_set_password_min_days_change.sh @@ -51,7 +51,7 @@ apply () { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + install_package $PACKAGE fi SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1) SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2) diff --git a/bin/hardening/10.1.3_set_password_exp_warning_days.sh b/bin/hardening/10.1.3_set_password_exp_warning_days.sh index 6d7dc74..37bf6a5 100755 --- a/bin/hardening/10.1.3_set_password_exp_warning_days.sh +++ b/bin/hardening/10.1.3_set_password_exp_warning_days.sh 
@@ -50,7 +50,7 @@ apply () { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + install_package $PACKAGE fi SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1) SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2) diff --git a/bin/hardening/10.1.4_set_password_encrypt_method.sh b/bin/hardening/10.1.4_set_password_encrypt_method.sh index 3d9d624..be6586f 100755 --- a/bin/hardening/10.1.4_set_password_encrypt_method.sh +++ b/bin/hardening/10.1.4_set_password_encrypt_method.sh @@ -46,7 +46,7 @@ apply () { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + install_package $PACKAGE fi for SSH_OPTION in $OPTIONS; do SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) diff --git a/bin/hardening/10.1.6_remove_nopasswd_sudoers.sh b/bin/hardening/10.1.6_remove_nopasswd_sudoers.sh index a5dda3a..e9266e5 100755 --- a/bin/hardening/10.1.6_remove_nopasswd_sudoers.sh +++ b/bin/hardening/10.1.6_remove_nopasswd_sudoers.sh @@ -50,8 +50,12 @@ apply () { ok "APPLY: $NOPASSWD is not set on $FILE, it's ok" elif [ $FNRET = 1 ]; then info "$NOPASSWD is set on the $FILE or $INCLUDFILE, need remove" - backup_file $FILE $INCLUDFILE - chmod 640 $FILE $INCLUDFILE && sed -i -e "s/$NOPASSWD/$PASSWD/g" $FILE $INCLUDFILE && chmod 440 $FILE $INCLUDFILE + backup_file $FILE + chmod 640 $FILE && sed -i -e "s/$NOPASSWD/$PASSWD/g" $FILE && chmod 440 $FILE + if [ $(ls $(dirname $INCLUDFILE) | wc -l) -gt 0 ]; then + backup_file $INCLUDFILE + chmod 640 $INCLUDFILE && sed -i -e "s/$NOPASSWD/$PASSWD/g" $INCLUDFILE && chmod 440 $INCLUDFILE + fi elif [ $FNRET = 2 ]; then warn "$FILE is not exist! Maybe sudo package not installed." fi diff --git a/bin/hardening/10.1.8_set_fail_delay_seconds.sh b/bin/hardening/10.1.8_set_fail_delay_seconds.sh index b7de140..e298a83 100755 --- a/bin/hardening/10.1.8_set_fail_delay_seconds.sh +++ b/bin/hardening/10.1.8_set_fail_delay_seconds.sh 
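Review bot: In the 10.1.6_remove_nopasswd_sudoers.sh hunk, the rewritten sudoers edit still has no syntax validation, and because `chmod 440` sits behind `&&`, a failing `sed` leaves the file at mode 640. I would run `visudo -c -f "$FILE"` after the substitution and restore 440 unconditionally, so that a failed or malformed edit neither breaks sudo nor leaves the file owner-writable. The new guard `[ $(ls $(dirname $INCLUDFILE) | wc -l) -gt 0 ]` parses `ls` with unquoted expansions and counts every directory entry rather than the files `$INCLUDFILE` actually names. If `$INCLUDFILE` is a glob (its definition is not visible here), a loop of the form `for f in $INCLUDFILE; do [ -f "$f" ] || continue; ...; done` would be tighter. apply() starts and ends outside the hunk.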
@@ -55,7 +55,7 @@ apply () { ok "$PACKAGE is installed" elif [ $FNRET = 1 ]; then crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + install_package $PACKAGE elif [ $FNRET = 2 ]; then crit "$PATTERN is not present in $FILE, add default config to $FILE" add_line_file_before_pattern $FILE "auth optional pam_faildelay.so delay=4000000" "# Outputs an issue file prior to each login prompt (Replaces the" diff --git a/bin/hardening/10.1.9_set_create_home_bool.sh b/bin/hardening/10.1.9_set_create_home_bool.sh index 98ac97b..e3afe71 100755 --- a/bin/hardening/10.1.9_set_create_home_bool.sh +++ b/bin/hardening/10.1.9_set_create_home_bool.sh @@ -46,7 +46,7 @@ apply () { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + install_package $PACKAGE fi for SSH_OPTION in $OPTIONS; do SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) diff --git a/bin/hardening/9.2.11_pam_deny_times_tally2.sh b/bin/hardening/9.2.11_pam_deny_times_tally2.sh index ab7f68c..b479608 100755 --- a/bin/hardening/9.2.11_pam_deny_times_tally2.sh +++ b/bin/hardening/9.2.11_pam_deny_times_tally2.sh @@ -56,7 +56,7 @@ apply () { ok "$PACKAGE is installed" elif [ $FNRET = 1 ]; then warn "Apply:$PACKAGE is absent, installing it" - apt_install $PACKAGE + install_package $PACKAGE elif [ $FNRET = 2 ]; then warn "Apply:$AUTHPATTERN is not present in $AUTHFILE" add_line_file_after_pattern "$AUTHFILE" "$AUTHRULE" "$ADDPATTERNLINE" diff --git a/bin/hardening/9.2.12_pam_lockout_failed_tally2.sh b/bin/hardening/9.2.12_pam_lockout_failed_tally2.sh index b49199e..c64e533 100755 --- a/bin/hardening/9.2.12_pam_lockout_failed_tally2.sh +++ b/bin/hardening/9.2.12_pam_lockout_failed_tally2.sh 
@@ -54,7 +54,7 @@ apply () { ok "$PACKAGE is installed" elif [ $FNRET = 1 ]; then warn "Apply:$PACKAGE is absent, installing it" - apt_install $PACKAGE + install_package $PACKAGE elif [ $FNRET = 2 ]; then warn "Apply:$AUTHPATTERN is not present in $AUTHFILE" add_line_file_after_pattern "$AUTHFILE" "$AUTHRULE" "$ADDPATTERNLINE" diff --git a/bin/hardening/9.2.14_pam_auth_without_nullpwd_unix.sh b/bin/hardening/9.2.14_pam_auth_without_nullpwd_unix.sh index 16c2701..89bf0ba 100755 --- a/bin/hardening/9.2.14_pam_auth_without_nullpwd_unix.sh +++ b/bin/hardening/9.2.14_pam_auth_without_nullpwd_unix.sh @@ -53,7 +53,7 @@ apply () { ok "$PACKAGE is installed" elif [ $FNRET = 1 ]; then crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + install_package $PACKAGE elif [ $FNRET = 2 ]; then ok "$PATTERN is not present in $FILE, not need add" elif [ $FNRET = 3 ]; then diff --git a/bin/hardening/9.2.15_pam_printlastlog_to_showfailed_lastlog.sh b/bin/hardening/9.2.15_pam_printlastlog_to_showfailed_lastlog.sh index da9712b..ccd2d7d 100755 --- a/bin/hardening/9.2.15_pam_printlastlog_to_showfailed_lastlog.sh +++ b/bin/hardening/9.2.15_pam_printlastlog_to_showfailed_lastlog.sh @@ -50,7 +50,7 @@ apply () { ok "$PACKAGE is installed" elif [ $FNRET = 1 ]; then warn "$PACKAGE is absent, installing it" - apt_install $PACKAGE + install_package $PACKAGE elif [ $FNRET = 2 ]; then warn "$PATTERN is not present in $FILE" add_line_file_before_pattern $FILE "session optional pam_lastlog.so showfailed" "# pam-auth-update(8) for details." diff --git a/bin/hardening/9.2.16_pam_limit_password_reuse.sh b/bin/hardening/9.2.16_pam_limit_password_reuse.sh index fd2f085..4f22295 100755 --- a/bin/hardening/9.2.16_pam_limit_password_reuse.sh +++ b/bin/hardening/9.2.16_pam_limit_password_reuse.sh 
@@ -51,7 +51,7 @@ apply () { ok "$PACKAGE is installed" elif [ $FNRET = 1 ]; then crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + install_package $PACKAGE elif [ $FNRET = 2 ]; then warn "$PATTERN is not present in $FILE" add_line_file_before_pattern $FILE "password required pam_pwhistory.so remember=5" "# pam-auth-update(8) for details." diff --git a/bin/hardening/9.2.17_pam_even_deny_root_tally2.sh b/bin/hardening/9.2.17_pam_even_deny_root_tally2.sh index a0eb030..72822f6 100755 --- a/bin/hardening/9.2.17_pam_even_deny_root_tally2.sh +++ b/bin/hardening/9.2.17_pam_even_deny_root_tally2.sh @@ -53,7 +53,7 @@ apply () { ok "$PACKAGE is installed" elif [ $FNRET = 1 ]; then warn "Apply:$PACKAGE is absent, installing it" - apt_install $PACKAGE + install_package $PACKAGE elif [ $FNRET = 2 ]; then warn "Apply:$AUTHPATTERN is not present in $AUTHFILE" add_line_file_after_pattern "$AUTHFILE" "$AUTHRULE" "$ADDPATTERNLINE" diff --git a/bin/hardening/9.3.10_disable_sshd_setenv.sh b/bin/hardening/9.3.10_disable_sshd_setenv.sh index 80c9a46..b593d8a 100755 --- a/bin/hardening/9.3.10_disable_sshd_setenv.sh +++ b/bin/hardening/9.3.10_disable_sshd_setenv.sh @@ -45,7 +45,7 @@ apply () { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + install_package $PACKAGE fi for SSH_OPTION in $OPTIONS; do SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) @@ -63,7 +63,7 @@ apply () { info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi - /etc/init.d/ssh reload + systemctl reload sshd fi done } diff --git a/bin/hardening/9.3.11_sshd_ciphers.sh b/bin/hardening/9.3.11_sshd_ciphers.sh index e107a7b..ea82932 100755 --- a/bin/hardening/9.3.11_sshd_ciphers.sh +++ b/bin/hardening/9.3.11_sshd_ciphers.sh 
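Review bot: The new `systemctl reload sshd` in the second hunk of 9.3.10_disable_sshd_setenv.sh reloads the daemon right after `replace_in_file` rewrote its configuration, with no validation of the file and no check of the reload's exit status. On a remotely managed host a rejected configuration can cut off SSH access, so I would put `sshd -t || { crit "sshd configuration is invalid, not reloading"; continue; }` in front of it and write the reload as `systemctl reload sshd || crit "sshd reload failed"`. The unit name also deserves a check: the removed line used the `ssh` init script, and on Debian-family systems `sshd.service` may exist only as an alias of `ssh.service`. The same line is added in 9.3.5–9.3.9, 9.3.11–9.3.21, 9.3.24 and 9.3.25 of this commit, and in each it sits before the loop's `done`, so it appears to run once per changed option rather than once per script.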
@@ -45,7 +45,7 @@ apply () { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + install_package $PACKAGE fi for SSH_OPTION in $OPTIONS; do SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) @@ -63,7 +63,7 @@ apply () { info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi - /etc/init.d/ssh reload + systemctl reload sshd fi done } diff --git a/bin/hardening/9.3.12_sshd_idle_timeout.sh b/bin/hardening/9.3.12_sshd_idle_timeout.sh index 4fe2d93..9fd2809 100755 --- a/bin/hardening/9.3.12_sshd_idle_timeout.sh +++ b/bin/hardening/9.3.12_sshd_idle_timeout.sh @@ -46,7 +46,7 @@ apply () { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + install_package $PACKAGE fi for SSH_OPTION in $OPTIONS; do SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) @@ -64,7 +64,7 @@ apply () { info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi - /etc/init.d/ssh reload + systemctl reload sshd fi done } diff --git a/bin/hardening/9.3.13_sshd_limit_access.sh b/bin/hardening/9.3.13_sshd_limit_access.sh index eaf4246..eff8281 100755 --- a/bin/hardening/9.3.13_sshd_limit_access.sh +++ b/bin/hardening/9.3.13_sshd_limit_access.sh @@ -46,7 +46,7 @@ apply () { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + install_package $PACKAGE fi for SSH_OPTION in $OPTIONS; do SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) @@ -65,7 +65,7 @@ apply () { info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi - /etc/init.d/ssh reload + systemctl reload sshd fi done } diff --git a/bin/hardening/9.3.14_ssh_banner.sh b/bin/hardening/9.3.14_ssh_banner.sh index f227f84..e37026c 100755 
--- a/bin/hardening/9.3.14_ssh_banner.sh +++ b/bin/hardening/9.3.14_ssh_banner.sh @@ -44,7 +44,7 @@ apply () { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + install_package $PACKAGE fi for SSH_OPTION in $OPTIONS; do SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) @@ -61,7 +61,7 @@ apply () { else info "Parameter $SSH_PARAM is present and activated" fi - /etc/init.d/ssh reload + systemctl reload sshd fi done } diff --git a/bin/hardening/9.3.15_sshd_printlastlog.sh b/bin/hardening/9.3.15_sshd_printlastlog.sh index d7586ba..66a4672 100755 --- a/bin/hardening/9.3.15_sshd_printlastlog.sh +++ b/bin/hardening/9.3.15_sshd_printlastlog.sh @@ -46,7 +46,7 @@ apply () { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + install_package $PACKAGE fi for SSH_OPTION in $OPTIONS; do SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) @@ -64,7 +64,7 @@ apply () { info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi - /etc/init.d/ssh reload > /dev/null 2>&1 + systemctl reload sshd fi done } diff --git a/bin/hardening/9.3.16_sshd_IgnoreUserKnownHosts.sh b/bin/hardening/9.3.16_sshd_IgnoreUserKnownHosts.sh index dc78f81..a4ef85c 100755 --- a/bin/hardening/9.3.16_sshd_IgnoreUserKnownHosts.sh +++ b/bin/hardening/9.3.16_sshd_IgnoreUserKnownHosts.sh @@ -46,7 +46,7 @@ apply () { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + install_package $PACKAGE fi for SSH_OPTION in $OPTIONS; do SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) @@ -64,7 +64,7 @@ apply () { info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi - /etc/init.d/ssh reload > /dev/null 2>&1 + systemctl reload sshd fi done } 
diff --git a/bin/hardening/9.3.17_sshd_GSSAPIAuthentication.sh b/bin/hardening/9.3.17_sshd_GSSAPIAuthentication.sh index 7ec0ab2..2f8d77c 100755 --- a/bin/hardening/9.3.17_sshd_GSSAPIAuthentication.sh +++ b/bin/hardening/9.3.17_sshd_GSSAPIAuthentication.sh @@ -46,7 +46,7 @@ apply () { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + install_package $PACKAGE fi for SSH_OPTION in $OPTIONS; do SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) @@ -64,7 +64,7 @@ apply () { info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi - /etc/init.d/ssh reload > /dev/null 2>&1 + systemctl reload sshd fi done } diff --git a/bin/hardening/9.3.18_sshd_KerberosAuthentication.sh b/bin/hardening/9.3.18_sshd_KerberosAuthentication.sh index 1fd5c60..4900d48 100755 --- a/bin/hardening/9.3.18_sshd_KerberosAuthentication.sh +++ b/bin/hardening/9.3.18_sshd_KerberosAuthentication.sh @@ -46,7 +46,7 @@ apply () { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + install_package $PACKAGE fi for SSH_OPTION in $OPTIONS; do SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) @@ -64,7 +64,7 @@ apply () { info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi - /etc/init.d/ssh reload > /dev/null 2>&1 + systemctl reload sshd fi done } diff --git a/bin/hardening/9.3.19_sshd_StrictModes.sh b/bin/hardening/9.3.19_sshd_StrictModes.sh index 21c4b6d..f5993dc 100755 --- a/bin/hardening/9.3.19_sshd_StrictModes.sh +++ b/bin/hardening/9.3.19_sshd_StrictModes.sh @@ -46,7 +46,7 @@ apply () { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + install_package $PACKAGE fi for SSH_OPTION in $OPTIONS; do SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) 
@@ -64,7 +64,7 @@ apply () { info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi - /etc/init.d/ssh reload > /dev/null 2>&1 + systemctl reload sshd fi done } diff --git a/bin/hardening/9.3.21_sshd_compression.sh b/bin/hardening/9.3.20_sshd_compression.sh similarity index 95% rename from bin/hardening/9.3.21_sshd_compression.sh rename to bin/hardening/9.3.20_sshd_compression.sh index d12ec7a..68b211c 100755 --- a/bin/hardening/9.3.21_sshd_compression.sh +++ b/bin/hardening/9.3.20_sshd_compression.sh @@ -5,7 +5,7 @@ # # -# 9.3.21 Set SSHD Compression to no (Scored) +# 9.3.20 Set SSHD Compression to no (Scored) # Author : Samson wen, Samson # @@ -46,7 +46,7 @@ apply () { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + install_package $PACKAGE fi for SSH_OPTION in $OPTIONS; do SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) @@ -64,7 +64,7 @@ apply () { info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi - /etc/init.d/ssh reload > /dev/null 2>&1 + systemctl reload sshd fi done } diff --git a/bin/hardening/9.3.22_sshd_MACs.sh b/bin/hardening/9.3.21_sshd_MACs.sh similarity index 95% rename from bin/hardening/9.3.22_sshd_MACs.sh rename to bin/hardening/9.3.21_sshd_MACs.sh index a5d67e7..7471951 100755 --- a/bin/hardening/9.3.22_sshd_MACs.sh +++ b/bin/hardening/9.3.21_sshd_MACs.sh @@ -5,7 +5,7 @@ # # -# 9.3.22 Set SSHD MACs to hmac-sha2-256,hmac-sha2-512 (Scored) +# 9.3.21 Set SSHD MACs to hmac-sha2-256,hmac-sha2-512 (Scored) # Author : Samson wen, Samson # @@ -46,7 +46,7 @@ apply () { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + install_package $PACKAGE fi for SSH_OPTION in $OPTIONS; do SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) 
@@ -64,7 +64,7 @@ apply () { info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi - /etc/init.d/ssh reload > /dev/null 2>&1 + systemctl reload sshd fi done } diff --git a/bin/hardening/9.3.23_ssh_check_pub_hostkey_permission.sh b/bin/hardening/9.3.22_ssh_check_pub_hostkey_permission.sh similarity index 97% rename from bin/hardening/9.3.23_ssh_check_pub_hostkey_permission.sh rename to bin/hardening/9.3.22_ssh_check_pub_hostkey_permission.sh index 117bb97..33a87cc 100755 --- a/bin/hardening/9.3.23_ssh_check_pub_hostkey_permission.sh +++ b/bin/hardening/9.3.22_ssh_check_pub_hostkey_permission.sh @@ -5,7 +5,7 @@ # # -# 9.3.23 Check SSH public host key permission (Scored) +# 9.3.22 Check SSH public host key permission (Scored) # Author : Samson wen, Samson # diff --git a/bin/hardening/9.3.24_ssh_check_priv_hostkey_permission.sh b/bin/hardening/9.3.23_ssh_check_priv_hostkey_permission.sh similarity index 97% rename from bin/hardening/9.3.24_ssh_check_priv_hostkey_permission.sh rename to bin/hardening/9.3.23_ssh_check_priv_hostkey_permission.sh index ea2639e..279e554 100755 --- a/bin/hardening/9.3.24_ssh_check_priv_hostkey_permission.sh +++ b/bin/hardening/9.3.23_ssh_check_priv_hostkey_permission.sh @@ -5,7 +5,7 @@ # # -# 9.3.24 Check SSH private host key permission (Scored) +# 9.3.23 Check SSH private host key permission (Scored) # Author : Samson wen, Samson # diff --git a/bin/hardening/9.3.25_sshd_kexalgorithms.sh b/bin/hardening/9.3.24_sshd_kexalgorithms.sh similarity index 97% rename from bin/hardening/9.3.25_sshd_kexalgorithms.sh rename to bin/hardening/9.3.24_sshd_kexalgorithms.sh index f4ed0db..35be458 100755 --- a/bin/hardening/9.3.25_sshd_kexalgorithms.sh +++ b/bin/hardening/9.3.24_sshd_kexalgorithms.sh 
@@ -50,7 +50,7 @@ apply () { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + install_package $PACKAGE fi for SSH_OPTION in $OPTIONS; do SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) @@ -68,7 +68,7 @@ apply () { info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi - /etc/init.d/ssh reload > /dev/null 2>&1 + systemctl reload sshd fi done } diff --git a/bin/hardening/9.3.26_sshd_logingracetime.sh b/bin/hardening/9.3.25_sshd_logingracetime.sh similarity index 95% rename from bin/hardening/9.3.26_sshd_logingracetime.sh rename to bin/hardening/9.3.25_sshd_logingracetime.sh index f1640d6..0797938 100755 --- a/bin/hardening/9.3.26_sshd_logingracetime.sh +++ b/bin/hardening/9.3.25_sshd_logingracetime.sh @@ -5,7 +5,7 @@ # # -# 9.3.26 Ensure SSH LoginGraceTime is set to one minute or less (Scored) +# 9.3.25 Ensure SSH LoginGraceTime is set to one minute or less (Scored) # Auther: Samson-W (sccxboy@gmail.com) # @@ -46,7 +46,7 @@ apply () { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + install_package $PACKAGE fi for SSH_OPTION in $OPTIONS; do SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) @@ -64,7 +64,7 @@ apply () { info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi - /etc/init.d/ssh reload + systemctl reload sshd fi done } diff --git a/bin/hardening/9.3.27_sshd_access_limit.sh b/bin/hardening/9.3.26_sshd_access_limit.sh similarity index 97% rename from bin/hardening/9.3.27_sshd_access_limit.sh rename to bin/hardening/9.3.26_sshd_access_limit.sh index 2c9740a..d12a64e 100755 --- a/bin/hardening/9.3.27_sshd_access_limit.sh +++ b/bin/hardening/9.3.26_sshd_access_limit.sh 
@@ -5,7 +5,7 @@ # # -# 9.3.27 Ensure SSH access is limited (Scored) +# 9.3.26 Ensure SSH access is limited (Scored) # Auther: Samson-W (sccxboy@gmail.com) # @@ -68,7 +68,7 @@ apply () { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + install_package $PACKAGE fi if [ $ALLOWUSER_RET -eq 1 ]; then warn "AllowUsers is not set! Need manual operation set it." diff --git a/bin/hardening/9.3.5_sshd_maxauthtries.sh b/bin/hardening/9.3.5_sshd_maxauthtries.sh index f177262..a3b7edf 100755 --- a/bin/hardening/9.3.5_sshd_maxauthtries.sh +++ b/bin/hardening/9.3.5_sshd_maxauthtries.sh @@ -45,7 +45,7 @@ apply () { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + install_package $PACKAGE fi for SSH_OPTION in $OPTIONS; do SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) @@ -63,7 +63,7 @@ apply () { info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi - /etc/init.d/ssh reload + systemctl reload sshd fi done } diff --git a/bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh b/bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh index 43d3bf0..f291b41 100755 --- a/bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh +++ b/bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh @@ -45,7 +45,7 @@ apply () { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + install_package $PACKAGE fi for SSH_OPTION in $OPTIONS; do SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) @@ -63,7 +63,7 @@ apply () { info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi - /etc/init.d/ssh reload + systemctl reload sshd fi done } diff --git a/bin/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh b/bin/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh index 8bbf917..e1768bf 100755 
--- a/bin/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh +++ b/bin/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh @@ -45,7 +45,7 @@ apply () { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + install_package $PACKAGE fi for SSH_OPTION in $OPTIONS; do SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) @@ -63,7 +63,7 @@ apply () { info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi - /etc/init.d/ssh reload + systemctl reload sshd fi done } diff --git a/bin/hardening/9.3.8_disable_root_login.sh b/bin/hardening/9.3.8_disable_root_login.sh index d1cd3fe..0192645 100755 --- a/bin/hardening/9.3.8_disable_root_login.sh +++ b/bin/hardening/9.3.8_disable_root_login.sh @@ -45,7 +45,7 @@ apply () { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + install_package $PACKAGE fi for SSH_OPTION in $OPTIONS; do SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) @@ -63,7 +63,7 @@ apply () { info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi - /etc/init.d/ssh reload + systemctl reload sshd fi done } diff --git a/bin/hardening/9.3.9_disable_sshd_permitemptypasswords.sh b/bin/hardening/9.3.9_disable_sshd_permitemptypasswords.sh index 362e12b..427de1c 100755 --- a/bin/hardening/9.3.9_disable_sshd_permitemptypasswords.sh +++ b/bin/hardening/9.3.9_disable_sshd_permitemptypasswords.sh @@ -45,7 +45,7 @@ apply () { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + install_package $PACKAGE fi for SSH_OPTION in $OPTIONS; do SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) 
@@ -63,7 +63,7 @@ apply () { info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi - /etc/init.d/ssh reload + systemctl reload sshd fi done } diff --git a/bin/hardening/9.5_pam_restrict_su.sh b/bin/hardening/9.5_pam_restrict_su.sh index 5971163..5784524 100755 --- a/bin/hardening/9.5_pam_restrict_su.sh +++ b/bin/hardening/9.5_pam_restrict_su.sh @@ -14,11 +14,17 @@ set -u # One variable unset, it's over HARDENING_LEVEL=3 PACKAGE='login' +PACKAGE_REDHAT='util-linux' PATTERN='^auth[[:space:]]*required[[:space:]]*pam_wheel.so' FILE='/etc/pam.d/su' # This function will be called if the script status is on enabled / audit mode audit () { + if [ OS_RELEASE -eq 2 ]; then + PACKAGE=$PACKAGE_REDHAT + else + : + fi is_pkg_installed $PACKAGE if [ $FNRET != 0 ]; then crit "$PACKAGE is not installed!" @@ -40,7 +46,7 @@ apply () { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + install_package $PACKAGE fi does_pattern_exist_in_file $FILE $PATTERN if [ $FNRET = 0 ]; then
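Review bot: The added test `[ OS_RELEASE -eq 2 ]` in audit() of 9.5_pam_restrict_su.sh compares the literal word OS_RELEASE instead of the variable, so `[` rejects the operand as a non-integer and the else branch always runs; `PACKAGE_REDHAT` is never selected. It should read `if [ "$OS_RELEASE" -eq 2 ]; then`, and because the script runs under `set -u`, OS_RELEASE must be set before this point (where it is set is not visible in the hunk). The empty `else :` branch can be dropped. The second hunk's apply() calls `install_package $PACKAGE`; unless audit() always runs first in the same shell, apply() needs the same override or it will request `login` on Red Hat. apply() begins outside the hunk, so this needs confirming against the full file.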