Merge OVH/debian-cis projects into this Repository.
This commit is contained in:
parent
5bb6856011
commit
a018dadcbd
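--- /dev/null
+++ b/PATH-NOT-SHOWN-1-main-script
@@ -0,0 +1,263 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+#
+
+#
+# Main script : Execute hardening considering configuration
+#
+
+LONG_SCRIPT_NAME=$(basename $0)
+SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
+DISABLED_CHECKS=0
+PASSED_CHECKS=0
+FAILED_CHECKS=0
+TOTAL_CHECKS=0
+TOTAL_TREATED_CHECKS=0
+AUDIT=0
+APPLY=0
+AUDIT_ALL=0
+AUDIT_ALL_ENABLE_PASSED=0
+ALLOW_SERVICE_LIST=0
+SET_HARDENING_LEVEL=0
+SUDO_MODE=''
+
+usage() {
+cat << EOF
+$LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
+
+--help -h
+Show this help
+
+--apply
+Apply hardening for enabled scripts.
+Beware that NO confirmation is asked whatsoever, which is why you're warmly
+advised to use --audit before, which can be regarded as a dry-run mode.
+
+--audit
+Audit configuration for enabled scripts.
+No modification will be made on the system, we'll only report on your system
+compliance for each script.
+
+--audit-all
+Same as --audit, but for *all* scripts, even disabled ones.
+This is a good way to peek at your compliance level if all scripts were enabled,
+and might be a good starting point.
+
+--audit-all-enable-passed
+Same as --audit-all, but in addition, will *modify* the individual scripts
+configurations to enable those which passed for your system.
+This is an easy way to enable scripts for which you're already compliant.
+However, please always review each activated script afterwards, this option
+should only be regarded as a way to kickstart a configuration from scratch.
+Don't run this if you have already customized the scripts enable/disable
+configurations, obviously.
+
+--set-hardening-level <level>
+Modifies the configuration to enable/disable tests given an hardening level,
+between 1 to 5. Don't run this if you have already customized the scripts
+enable/disable configurations.
+1: very basic policy, failure to pass tests at this level indicates severe
+misconfiguration of the machine that can have a huge security impact
+2: basic policy, some good practice rules that, once applied, shouldn't
+break anything on most systems
+3: best practices policy, passing all tests might need some configuration
+modifications (such as specific partitioning, etc.)
+4: high security policy, passing all tests might be time-consuming and
+require high adaptation of your workflow
+5: placebo, policy rules that might be very difficult to apply and maintain,
+with questionable security benefits
+
+--allow-service <service>
+Use with --set-hardening-level.
+Modifies the policy to allow a certain kind of services on the machine, such
+as http, mail, etc. Can be specified multiple times to allow multiple services.
+Use --allow-service-list to get a list of supported services.
+
+OPTIONS:
+
+--only <test_number>
+Modifies the RUN_MODE to only work on the test_number script.
+Can be specified multiple times to work only on several scripts.
+The test number is the numbered prefix of the script,
+i.e. the test number of 1.2_script_name.sh is 1.2.
+
+--sudo
+This option lets you audit your system as a normal user, but allows sudo
+escalation to gain read-only access to root files. Note that you need to
+provide a sudoers file with NOPASSWD option in /etc/sudoers.d/ because
+the '-n' option instructs sudo not to prompt for a password.
+Finally note that '--sudo' mode only works for audit mode.
+
+EOF
+exit 0
+}
+
+if [ $# = 0 ]; then
+usage
+fi
+
+declare -a TEST_LIST ALLOWED_SERVICES_LIST
+
+# Arguments parsing
+while [[ $# > 0 ]]; do
+ARG="$1"
+case $ARG in
+--audit)
+AUDIT=1
+;;
+--audit-all)
+AUDIT_ALL=1
+;;
+--audit-all-enable-passed)
+AUDIT_ALL_ENABLE_PASSED=1
+;;
+--apply)
+APPLY=1
+;;
+--allow-service-list)
+ALLOW_SERVICE_LIST=1
+;;
+--allow-service)
+ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
+shift
+;;
+--set-hardening-level)
+SET_HARDENING_LEVEL="$2"
+shift
+;;
+--only)
+TEST_LIST[${#TEST_LIST[@]}]="$2"
+shift
+;;
+--sudo)
+SUDO_MODE='--sudo'
+;;
+-h|--help)
+usage
+;;
+*)
+usage
+;;
+esac
+shift
+done
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
+[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
+[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
+[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
+
+# If --allow-service-list is specified, don't run anything, just list the supported services
+if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then
+declare -a HARDENING_EXCEPTIONS_LIST
+for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
+template=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2)
+[ -n "$template" ] && HARDENING_EXCEPTIONS_LIST[${#HARDENING_EXCEPTIONS_LIST[@]}]="$template"
+done
+echo "Supported services are: "$(echo "${HARDENING_EXCEPTIONS_LIST[@]}" | tr " " "\n" | sort -u | tr "\n" " ")
+exit 0
+fi
+
+# If --set-hardening-level is specified, don't run anything, just apply config for each script
+if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then
+if ! grep -q "^[12345]$" <<< "$SET_HARDENING_LEVEL" ; then
+echo "Bad --set-hardening-level specified ('$SET_HARDENING_LEVEL'), expected 1 to 5"
+exit 1
+fi
+
+for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
+SCRIPT_BASENAME=$(basename $SCRIPT .sh)
+script_level=$(grep "^HARDENING_LEVEL=" "$SCRIPT" | cut -d= -f2)
+if [ -z "$script_level" ] ; then
+echo "The script $SCRIPT_BASENAME doesn't have a hardening level, configuration untouched for it"
+continue
+fi
+wantedstatus=disabled
+[ "$script_level" -le "$SET_HARDENING_LEVEL" ] && wantedstatus=enabled
+sed -i -re "s/^status=.+/status=$wantedstatus/" $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
+done
+echo "Configuration modified to enable scripts for hardening level at or below $SET_HARDENING_LEVEL"
+exit 0
+fi
+
+# Parse every scripts and execute them in the required mode
+for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
+if [ ${#TEST_LIST[@]} -gt 0 ] ; then
+# --only X has been specified at least once, is this script in my list ?
+SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<< "$(basename $SCRIPT)")
+SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<< "$SCRIPT_PREFIX")
+if ! grep -qEw "$SCRIPT_PREFIX_RE" <<< "${TEST_LIST[@]}"; then
+# not in the list
+continue
+fi
+fi
+
+info "Treating $SCRIPT"
+
+if [ $AUDIT = 1 ]; then
+debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE"
+$SCRIPT --audit $SUDO_MODE
+elif [ $AUDIT_ALL = 1 ]; then
+debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE"
+$SCRIPT --audit-all $SUDO_MODE
+elif [ $AUDIT_ALL_ENABLE_PASSED = 1 ]; then
+debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE"
+$SCRIPT --audit-all $SUDO_MODE
+elif [ $APPLY = 1 ]; then
+debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
+$SCRIPT
+fi
+
+SCRIPT_EXITCODE=$?
+
+debug "Script $SCRIPT finished with exit code $SCRIPT_EXITCODE"
+case $SCRIPT_EXITCODE in
+0)
+debug "$SCRIPT passed"
+PASSED_CHECKS=$((PASSED_CHECKS+1))
+if [ $AUDIT_ALL_ENABLE_PASSED = 1 ] ; then
+SCRIPT_BASENAME=$(basename $SCRIPT .sh)
+sed -i -re 's/^status=.+/status=enabled/' $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
+info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
+fi
+;;
+1)
+debug "$SCRIPT failed"
+FAILED_CHECKS=$((FAILED_CHECKS+1))
+;;
+2)
+debug "$SCRIPT is disabled"
+DISABLED_CHECKS=$((DISABLED_CHECKS+1))
+;;
+esac
+
+TOTAL_CHECKS=$((TOTAL_CHECKS+1))
+
+done
+
+TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS-DISABLED_CHECKS))
+
+printf "%40s\n" "################### SUMMARY ###################"
+printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
+printf "%30s %s\n" "Total Runned Checks :" "$TOTAL_TREATED_CHECKS"
+printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
+printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
+printf "%30s %.2f %%\n" "Enabled Checks Percentage :" "$( echo "($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100" | bc -l)"
+if [ $TOTAL_TREATED_CHECKS != 0 ]; then
+printf "%30s %.2f %%\n" "Conformity Percentage :" "$( echo "($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100" | bc -l)"
+else
+printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No check runned, avoid division by 0
+fi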
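Review bot: `SCRIPT_EXITCODE=$?` after the `if [ $AUDIT = 1 ] … elif [ $APPLY = 1 ]` chain reads the status of the last `[ ]` test when no RUN_MODE was given (for example `--only 1.1` or `--sudo` on their own): nothing is executed, `$?` is 1, and every script lands in FAILED_CHECKS, so the summary reports failures for checks that never ran. Rejecting a missing mode before the main loop avoids this, e.g. `if [ $((AUDIT + AUDIT_ALL + AUDIT_ALL_ENABLE_PASSED + APPLY)) -eq 0 ]; then usage; fi` placed right after the `--set-hardening-level` block so that `--allow-service-list` and `--set-hardening-level` keep working on their own. The `Enabled Checks Percentage` line divides by `$TOTAL_CHECKS` through `bc` with no zero guard, unlike the conformity line just below it, so an empty `bin/hardening/` directory prints a bc runtime error instead of a number. The three `for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v)` loops and the unquoted `$CIS_ROOT_DIR/...` paths word-split on whitespace in the root directory; a glob such as `for SCRIPT in "$CIS_ROOT_DIR"/bin/hardening/*.sh` with quoted uses downstream avoids parsing `ls` (the natural-number ordering that `-v` gives would then need `sort -V` if it matters).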
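--- /dev/null
+++ b/PATH-NOT-SHOWN-2-1.1-install-updates
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 1.1 Install Updates, Patches and Additional Security Software (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+info "Checking if apt needs an update"
+apt_update_if_needed
+info "Fetching upgrades ..."
+apt_check_updates "CIS_APT"
+if [ $FNRET -gt 0 ]; then
+crit "$RESULT"
+FNRET=1
+else
+ok "No upgrades available"
+FNRET=0
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+if [ $FNRET -gt 0 ]; then
+info "Applying Upgrades..."
+DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y
+else
+ok "No Upgrades to apply"
+fi
+}
+
+# This function will check config parameters required
+check_config() {
+# No parameters for this function
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi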
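Review bot: `apply()` branches on `$FNRET` but never sets it itself, so it only works if `audit()` ran earlier in the same process; with `set -u` in effect a standalone `apply()` would abort on an unbound `FNRET` (presumably `lib/main.sh` calls `audit` first, but this file does not show it). A one-line comment above `apply () {` such as `# Relies on FNRET/RESULT left by audit(); main.sh must run audit first` would make that contract explicit. Also worth documenting is that `audit()` calls `apt_update_if_needed`, which judging by its name refreshes the package lists and needs network access, while the main script's usage text in this same commit promises that `--audit` makes no modification to the system; a note in the header comment that this particular audit touches apt's cache would keep the two in line.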
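--- /dev/null
+++ b/PATH-NOT-SHOWN-3-10.1.1-password-expiration
@@ -0,0 +1,91 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 10.1.1 Set Password Expiration Days (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+
+PACKAGE='login'
+OPTIONS='PASS_MAX_DAYS=90'
+FILE='/etc/login.defs'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+is_pkg_installed $PACKAGE
+if [ $FNRET != 0 ]; then
+crit "$PACKAGE is not installed!"
+else
+ok "$PACKAGE is installed"
+for SSH_OPTION in $OPTIONS; do
+SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+does_pattern_exist_in_file $FILE "$PATTERN"
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+crit "$PATTERN is not present in $FILE"
+fi
+done
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+is_pkg_installed $PACKAGE
+if [ $FNRET = 0 ]; then
+ok "$PACKAGE is installed"
+else
+crit "$PACKAGE is absent, installing it"
+apt_install $PACKAGE
+fi
+for SSH_OPTION in $OPTIONS; do
+SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+does_pattern_exist_in_file $FILE "$PATTERN"
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+warn "$PATTERN is not present in $FILE, adding it"
+does_pattern_exist_in_file $FILE "^$SSH_PARAM"
+if [ $FNRET != 0 ]; then
+add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+else
+info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
+replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+fi
+fi
+done
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi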
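Review bot: The audit pattern `PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"` is anchored only at the start, so with `OPTIONS='PASS_MAX_DAYS=90'` a line `PASS_MAX_DAYS 900` in /etc/login.defs also passes the check (a weaker setting reported as compliant), and `[[:space:]]*` accepts zero separators; `PATTERN="^$SSH_PARAM[[:space:]][[:space:]]*$SSH_VALUE[[:space:]]*$"` pins the exact value in both BRE and ERE, assuming `does_pattern_exist_in_file` (not shown here) passes the pattern straight to grep. The same pattern is used in the 10.1.2 (`PASS_MIN_DAYS=7`) and 10.1.3 (`PASS_WARN_AGE=7`) scripts of this commit, where `PASS_WARN_AGE 70` would likewise be accepted as `7`. Note too that login.defs only governs accounts created afterwards, so existing users keep their current `chage` limits; the header comment could state that this check covers the defaults only. The `SSH_OPTION`/`SSH_PARAM`/`SSH_VALUE` names look copied from an sshd_config check and could be renamed to `LOGIN_DEFS_*` for readability.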
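--- /dev/null
+++ b/PATH-NOT-SHOWN-4-10.1.2-password-min-days
@@ -0,0 +1,91 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 10.1.2 Set Password Change Minimum Number of Days (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+
+PACKAGE='login'
+OPTIONS='PASS_MIN_DAYS=7'
+FILE='/etc/login.defs'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+is_pkg_installed $PACKAGE
+if [ $FNRET != 0 ]; then
+crit "$PACKAGE is not installed!"
+else
+ok "$PACKAGE is installed"
+for SSH_OPTION in $OPTIONS; do
+SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+does_pattern_exist_in_file $FILE "$PATTERN"
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+crit "$PATTERN is not present in $FILE"
+fi
+done
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+is_pkg_installed $PACKAGE
+if [ $FNRET = 0 ]; then
+ok "$PACKAGE is installed"
+else
+crit "$PACKAGE is absent, installing it"
+apt_install $PACKAGE
+fi
+for SSH_OPTION in $OPTIONS; do
+SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+does_pattern_exist_in_file $FILE "$PATTERN"
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+warn "$PATTERN is not present in $FILE, adding it"
+does_pattern_exist_in_file $FILE "^$SSH_PARAM"
+if [ $FNRET != 0 ]; then
+add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+else
+info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
+replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+fi
+fi
+done
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi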
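--- /dev/null
+++ b/PATH-NOT-SHOWN-5-10.1.3-password-warn-age
@@ -0,0 +1,91 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 10.1.3 Set Password Expiring Warning Days (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+
+PACKAGE='login'
+OPTIONS='PASS_WARN_AGE=7'
+FILE='/etc/login.defs'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+is_pkg_installed $PACKAGE
+if [ $FNRET != 0 ]; then
+crit "$PACKAGE is not installed!"
+else
+ok "$PACKAGE is installed"
+for SSH_OPTION in $OPTIONS; do
+SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+does_pattern_exist_in_file $FILE "$PATTERN"
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+crit "$PATTERN is not present in $FILE"
+fi
+done
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+is_pkg_installed $PACKAGE
+if [ $FNRET = 0 ]; then
+ok "$PACKAGE is installed"
+else
+crit "$PACKAGE is absent, installing it"
+apt_install $PACKAGE
+fi
+for SSH_OPTION in $OPTIONS; do
+SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+does_pattern_exist_in_file $FILE "$PATTERN"
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+warn "$PATTERN is not present in $FILE, adding it"
+does_pattern_exist_in_file $FILE "^$SSH_PARAM"
+if [ $FNRET != 0 ]; then
+add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+else
+info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
+replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+fi
+fi
+done
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi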
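--- /dev/null
+++ b/PATH-NOT-SHOWN-6-10.2-disable-system-accounts
@@ -0,0 +1,107 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 10.2 Disable System Accounts (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+
+SHELL='/bin/false'
+FILE='/etc/passwd'
+RESULT=''
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+info "Checking if admin accounts have a login shell different than $SHELL"
+RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}')
+IFS=$'\n'
+for LINE in $RESULT; do
+debug "line : $LINE"
+ACCOUNT=$( echo $LINE | cut -d: -f 1 )
+debug "Account : $ACCOUNT"
+debug "Exceptions : $EXCEPTIONS"
+debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
+if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then
+debug "$ACCOUNT is confirmed as an exception"
+RESULT=$(sed "s!$LINE!!" <<< "$RESULT")
+else
+debug "$ACCOUNT not found in exceptions"
+fi
+done
+if [ ! -z "$RESULT" ]; then
+crit "Some admin accounts don't have $SHELL as their login shell"
+crit "$RESULT"
+else
+ok "All admin accounts deactivated"
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}')
+IFS=$'\n'
+for LINE in $RESULT; do
+debug "line : $LINE"
+ACCOUNT=$( echo $LINE | cut -d: -f 1 )
+debug "Account : $ACCOUNT"
+debug "Exceptions : $EXCEPTIONS"
+debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
+if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then
+debug "$ACCOUNT is confirmed as an exception"
+RESULT=$(sed "s!$LINE!!" <<< "$RESULT")
+else
+debug "$ACCOUNT not found in exceptions"
+fi
+done
+if [ ! -z "$RESULT" ]; then
+warn "Some admin accounts don't have $SHELL as their login shell -- Fixing"
+warn "$RESULT"
+for USER in $( echo "$RESULT" | cut -d: -f 1 ); do
+info "Setting $SHELL as $USER login shell"
+usermod -s $SHELL $USER
+done
+else
+ok "All admin accounts deactivated, nothing to apply"
+fi
+}
+
+# This function will create the config file for this check with default values
+create_config() {
+cat <<EOF
+status=disabled
+# Put here your exceptions concerning admin accounts shells separated by spaces
+EXCEPTIONS=""
+EOF
+}
+
+# This function will check config parameters required
+check_config() {
+if [ -z "$EXCEPTIONS" ]; then
+EXCEPTIONS="@"
+fi
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi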
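Review bot: The exception test `if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then` is an unanchored regex substring match, so an exception entry such as `mybackup` also exempts a system account named `backup`, and any regex metacharacter in an account name is interpreted rather than matched literally; the same line appears in `apply()`. Since `create_config` documents EXCEPTIONS as space-separated, a literal whole-entry match is closer to the intent: `if tr ' ' '\n' <<< "$EXCEPTIONS" | grep -qxF -- "$ACCOUNT"; then`. Two smaller points in the same functions: `IFS=$'\n'` is set and never restored, so it stays in effect for everything sourced afterwards (saving and restoring it around the loop would contain it), and `RESULT=$(sed "s!$LINE!!" <<< "$RESULT")` uses the raw passwd line as a sed pattern, which breaks when a GECOS field contains `!` or a metacharacter such as `[`. Finally, the awk filter's `$3<1000` hard-codes UID_MIN; a comment saying so, or reading the value from /etc/login.defs, would help on systems with a different threshold.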
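--- /dev/null
+++ b/PATH-NOT-SHOWN-7-10.3-root-default-group
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 10.3 Set Default Group for root Account (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=2
+
+USER='root'
+EXPECTED_GID='0'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+if [ $(grep "^root:" /etc/passwd | cut -f4 -d:) = 0 ]; then
+ok "Root group has GID $EXPECTED_GID"
+else
+crit "Root group GID should be $EXPECTED_GID"
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+if [ $(grep "^root:" /etc/passwd | cut -f4 -d:) = 0 ]; then
+ok "Root group GID is $EXPECTED_GID"
+else
+warn "Root group GID is not $EXPECTED_GID -- Fixing"
+usermod -g $EXPECTED_GID $USER
+fi
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi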
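Review bot: `if [ $(grep "^root:" /etc/passwd | cut -f4 -d:) = 0 ]; then` compares against a literal `0` although `EXPECTED_GID='0'` is declared for exactly that, and the unquoted substitution makes `[` fail with a syntax error when the grep yields nothing, which under `set -e` aborts the script instead of reporting. Writing it as `if [ "$(grep "^$USER:" /etc/passwd | cut -f4 -d:)" = "$EXPECTED_GID" ]; then` in both `audit()` and `apply()` fixes both and uses the declared `USER` as well. Note that `USER='root'` shadows the login session's USER environment variable for the rest of the process; harmless here, but a name like `TARGET_USER` would avoid surprises in anything sourced later.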
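--- /dev/null
+++ b/PATH-NOT-SHOWN-8-10.4-default-umask
@@ -0,0 +1,109 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 10.4 Set Default umask for Users (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+
+USER='root'
+PATTERN='umask 077'
+FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d /etc/profile'
+FILE='/etc/profile.d/CIS_10.4_umask.sh'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+SEARCH_RES=0
+for FILE_SEARCHED in $FILES_TO_SEARCH; do
+if [ $SEARCH_RES = 1 ]; then break; fi
+if test -d $FILE_SEARCHED; then
+debug "$FILE_SEARCHED is a directory"
+for file_in_dir in $(ls $FILE_SEARCHED); do
+does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
+if [ $FNRET != 0 ]; then
+debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
+else
+ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
+SEARCH_RES=1
+break
+fi
+done
+else
+does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
+if [ $FNRET != 0 ]; then
+debug "$PATTERN is not present in $FILE_SEARCHED"
+else
+ok "$PATTERN is present in $FILES_TO_SEARCH"
+SEARCH_RES=1
+fi
+fi
+done
+if [ $SEARCH_RES = 0 ]; then
+crit "$PATTERN is not present in $FILES_TO_SEARCH"
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+SEARCH_RES=0
+for FILE_SEARCHED in $FILES_TO_SEARCH; do
+if [ $SEARCH_RES = 1 ]; then break; fi
+if test -d $FILE_SEARCHED; then
+debug "$FILE_SEARCHED is a directory"
+for file_in_dir in $(ls $FILE_SEARCHED); do
+does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
+if [ $FNRET != 0 ]; then
+debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
+else
+ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
+SEARCH_RES=1
+break
+fi
+done
+else
+does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
+if [ $FNRET != 0 ]; then
+debug "$PATTERN is not present in $FILE_SEARCHED"
+else
+ok "$PATTERN is present in $FILES_TO_SEARCH"
+SEARCH_RES=1
+fi
+fi
+done
+if [ $SEARCH_RES = 0 ]; then
+warn "$PATTERN is not present in $FILES_TO_SEARCH"
+touch $FILE
+chmod 644 $FILE
+add_end_of_file $FILE "$PATTERN"
+fi
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi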
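Review bot: In the non-directory branch of both `audit()` and `apply()`, the success message `ok "$PATTERN is present in $FILES_TO_SEARCH"` prints the whole search list instead of the file that actually matched; it should read `ok "$PATTERN is present in $FILE_SEARCHED"`, as the directory branch already does. `for file_in_dir in $(ls $FILE_SEARCHED); do` parses `ls`; a glob `for file_in_dir in "$FILE_SEARCHED"/*; do` with `does_pattern_exist_in_file "$file_in_dir" "^$PATTERN"` avoids the word-splitting (the directory prefix is then already part of the name, so the four `$FILE_SEARCHED/$file_in_dir` uses shrink to `$file_in_dir`). Also worth a sentence in the header comment: finding a `umask 077` line in one of these files does not prove it is the effective default, since a later `umask` line in /etc/profile or /etc/bash.bashrc overrides it, and the apply step only appends a new profile.d file without looking for such overrides.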
@ -0,0 +1,51 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 10.5 Lock Inactive User Accounts (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
info "Looking at the manual of useradd, it seems that this recommendation does not fill the title"
|
||||||
|
info "The number of days after a password expires until the account is permanently disabled."
|
||||||
|
info "Which is not inactive users per se"
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
info "Looking at the manual of useradd, it seems that this recommendation does not fill the title"
|
||||||
|
info "The number of days after a password expires until the account is permanently disabled."
|
||||||
|
info "Which is not inactive users per se"
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
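Review bot: Neither audit() nor apply() in this file evaluates anything — both only emit `info` lines — so a Scored check that is enabled can never fail and will presumably be counted as compliant without /etc/default/useradd ever being read. The helper the sibling scripts already rely on would give a first real audit: `does_pattern_exist_in_file /etc/default/useradd '^INACTIVE='` followed by `crit "INACTIVE is not set in /etc/default/useradd"` when FNRET is non-zero, with the threshold the benchmark text asks for (35 days, if I recall 10.5 correctly) kept in a script variable so apply() can write it. If the decision is to keep this a documented no-op because the useradd semantics do not match the title, the three messages should at least be `warn` rather than `info`, so the result is not read as a pass in the report.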
@ -0,0 +1,85 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 11.1 Set Warning Banner for Standard Login Services (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
|
PERMISSIONS='644'
|
||||||
|
USER='root'
|
||||||
|
GROUP='root'
|
||||||
|
FILES='/etc/motd /etc/issue /etc/issue.net'
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
for FILE in $FILES; do
|
||||||
|
has_file_correct_ownership $FILE $USER $GROUP
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$FILE has correct ownership"
|
||||||
|
else
|
||||||
|
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||||
|
fi
|
||||||
|
has_file_correct_permissions $FILE $PERMISSIONS
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$FILE has correct permissions"
|
||||||
|
else
|
||||||
|
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
for FILE in $FILES; do
|
||||||
|
does_file_exist $FILE
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
info "$FILE does not exist"
|
||||||
|
touch $FILE
|
||||||
|
fi
|
||||||
|
has_file_correct_ownership $FILE $USER $GROUP
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$FILE has correct ownership"
|
||||||
|
else
|
||||||
|
warn "fixing $FILE ownership to $USER:$GROUP"
|
||||||
|
chown $USER:$GROUP $FILE
|
||||||
|
fi
|
||||||
|
has_file_correct_permissions $FILE $PERMISSIONS
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$FILE has correct permissions"
|
||||||
|
else
|
||||||
|
info "fixing $FILE permissions to $PERMISSIONS"
|
||||||
|
chmod 0$PERMISSIONS $FILE
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
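Review bot: audit() runs has_file_correct_ownership and has_file_correct_permissions on each banner file without first checking that it exists, while apply() guards the same loop with `does_file_exist`; /etc/issue.net is commonly absent on a stock install, and what audit reports for it then depends entirely on how those two helpers (defined outside this commit) treat a nonexistent path. The audit loop should make the missing-file case explicit with its own `crit` instead of leaving it to the helpers, as sketched below. Separately, apply()'s `touch $FILE` creates an empty banner that satisfies ownership and mode but carries no warning text, which is worth a `warn` rather than an `info` so the operator knows a banner still has to be written.

```shell
audit () {
    for FILE in $FILES; do
        does_file_exist $FILE
        if [ $FNRET != 0 ]; then
            crit "$FILE does not exist"
            continue
        fi
        # … unchanged: ownership and permission checks …
    done
}
```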
@ -0,0 +1,65 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 11.2 Remove OS Information from Login Warning Banners (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
|
FILES='/etc/motd /etc/issue /etc/issue.net'
|
||||||
|
PATTERN='(\\v|\\r|\\m|\\s)'
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
for FILE in $FILES; do
|
||||||
|
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
crit "$PATTERN is present in $FILE"
|
||||||
|
else
|
||||||
|
ok "$PATTERN is not present in $FILE"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
for FILE in $FILES; do
|
||||||
|
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
warn "$PATTERN is present in $FILE"
|
||||||
|
delete_line_in_file $FILE $PATTERN
|
||||||
|
else
|
||||||
|
ok "$PATTERN is not present in $FILE"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
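Review bot: apply() removes every line that contains one of the escapes via `delete_line_in_file $FILE $PATTERN`, which also throws away whatever warning text shares that line (Debian's default /etc/issue keeps the OS name and the `\n \l` escapes on a single line), so enabling this script can undo the banner 11.1 asks for. Replacing the escapes in place keeps the text: `sed -i -r "s/$PATTERN//g" $FILE`, the pattern being already written as an ERE with doubled backslashes. Whichever call is kept, `$PATTERN` should be quoted there as it is on the `does_pattern_exist_in_file $FILE "$PATTERN"` line just above, so the two calls cannot drift apart if the pattern ever gains whitespace or glob characters.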
@ -0,0 +1,47 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 11.3 Set Graphical Warning Banner (Not Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
info "Not implemented yet"
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
info "Not implemented yet"
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
@ -0,0 +1,71 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 12.10 Find SUID System Executables (Not Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
info "Checking if there are suid files"
|
||||||
|
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type f -perm -4000 -print)
|
||||||
|
for BINARY in $RESULT; do
|
||||||
|
if grep -q $BINARY <<< "$EXCEPTIONS"; then
|
||||||
|
debug "$BINARY is confirmed as an exception"
|
||||||
|
RESULT=$(sed "s!$BINARY!!" <<< $RESULT)
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ ! -z "$RESULT" ]; then
|
||||||
|
crit "Some suid files are present"
|
||||||
|
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
|
||||||
|
crit "$FORMATTED_RESULT"
|
||||||
|
else
|
||||||
|
ok "No unknown suid files found"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
info "Removing suid on valid binary may seriously harm your system, report only here"
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will create the config file for this check with default values
|
||||||
|
create_config() {
|
||||||
|
cat <<EOF
|
||||||
|
status=disabled
|
||||||
|
# Put Here your valid suid binaries so that they do not appear during the audit
|
||||||
|
EXCEPTIONS="/bin/mount /bin/ping /bin/ping6 /bin/su /bin/umount /usr/bin/chfn /usr/bin/chsh /usr/bin/fping /usr/bin/fping6 /usr/bin/gpasswd /usr/bin/mtr /usr/bin/newgrp /usr/bin/passwd /usr/bin/sudo /usr/bin/sudoedit /usr/lib/openssh/ssh-keysign /usr/lib/pt_chown /usr/bin/at"
|
||||||
|
EOF
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
# No param for this function
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
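Review bot: The exception test `grep -q $BINARY <<< "$EXCEPTIONS"` uses each found path as an unanchored regex against the whole exception string, so a rogue setuid `/usr/bin/su` is accepted because it is a substring of the listed `/usr/bin/sudo`, and `/usr/bin/chs` would pass on `/usr/bin/chsh`. The names fed into this loop are untrusted: any user can set the setuid bit on a file they own, and a name containing `!`, a space or a newline breaks the `sed "s!$BINARY!!"` rewrite (a sed failure inside `$(...)` aborts the audit under set -e) or splits into several tokens, so the loop should match literally and line by line rather than substring-edit a space-joined string. Note also that check_config here is a bare `:` whereas 12.11's check_config defaults EXCEPTIONS to `@`; the two files should agree. A loop that reads find's output one line at a time and matches exactly:

```shell
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type f -perm -4000 -print)
UNKNOWN=""
while IFS= read -r BINARY; do
    [ -n "$BINARY" ] || continue
    # EXCEPTIONS is intentionally unquoted: one path per line, then an exact literal match
    if printf '%s\n' $EXCEPTIONS | grep -qxF -- "$BINARY"; then
        debug "$BINARY is confirmed as an exception"
    else
        UNKNOWN="$UNKNOWN$BINARY "
    fi
done <<< "$RESULT"
RESULT=$UNKNOWN
# … unchanged: crit/ok reporting on $RESULT …
```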
@ -0,0 +1,72 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 12.11 Find SGID System Executables (Not Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
info "Checking if there are sgid files"
|
||||||
|
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type f -perm -2000 -print)
|
||||||
|
for BINARY in $RESULT; do
|
||||||
|
if grep -q $BINARY <<< "$EXCEPTIONS"; then
|
||||||
|
debug "$BINARY is confirmed as an exception"
|
||||||
|
RESULT=$(sed "s!$BINARY!!" <<< $RESULT)
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ ! -z "$RESULT" ]; then
|
||||||
|
crit "Some sgid files are present"
|
||||||
|
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
|
||||||
|
crit "$FORMATTED_RESULT"
|
||||||
|
else
|
||||||
|
ok "No unknown sgid files found"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
info "Removing sgid on valid binary may seriously harm your system, report only here"
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will create the config file for this check with default values
|
||||||
|
create_config() {
|
||||||
|
cat <<EOF
|
||||||
|
status=disabled
|
||||||
|
# Put here valid binaries with sgid enabled separated by spaces
|
||||||
|
EXCEPTIONS="/sbin/unix_chkpwd /usr/bin/bsd-write /usr/bin/chage /usr/bin/crontab /usr/bin/expiry /usr/bin/mutt_dotlock /usr/bin/screen /usr/bin/ssh-agent /usr/bin/wall /usr/sbin/postdrop /usr/sbin/postqueue /usr/bin/at /usr/bin/dotlockfile /usr/bin/mail-lock /usr/bin/mail-touchlock /usr/bin/mail-unlock"
|
||||||
|
EOF
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
if [ -z "$EXCEPTIONS" ]; then
|
||||||
|
EXCEPTIONS="@"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
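Review bot: check_config's `if [ -z "$EXCEPTIONS" ]` runs with `set -u` already in force, so a config file that simply omits EXCEPTIONS aborts with an unbound-variable error before the `@` default is ever assigned; the guard should be `if [ -z "${EXCEPTIONS:-}" ]; then` for the default to mean anything. The exception matching in audit() has the same weakness as in 12.10: `grep -q $BINARY <<< "$EXCEPTIONS"` treats the found path as an unanchored regex over the joined list, so a rogue sgid `/usr/bin/mail` is silently accepted because `/usr/bin/mail-lock` is listed, and a found name containing `!` breaks the `sed "s!$BINARY!!"` substitution. A literal, whole-line comparison (`printf '%s\n' $EXCEPTIONS | grep -qxF -- "$BINARY"`) fixes both cases without touching the exception format.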
@ -0,0 +1,61 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 12.1 Verify Permissions on /etc/passwd (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=1
|
||||||
|
|
||||||
|
FILE='/etc/passwd'
|
||||||
|
PERMISSIONS='644'
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
has_file_correct_permissions $FILE $PERMISSIONS
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$FILE has correct permissions"
|
||||||
|
else
|
||||||
|
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
has_file_correct_permissions $FILE $PERMISSIONS
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$FILE has correct permissions"
|
||||||
|
else
|
||||||
|
info "fixing $FILE permissions to $PERMISSIONS"
|
||||||
|
chmod 0$PERMISSIONS $FILE
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
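Review bot: check_config is a bare `:` here although 12.4, a few files further down, verifies `/etc/passwd` with `does_file_exist $FILE` and aborts with `crit "$FILE does not exist"` / `exit 128`; without that guard audit() hands a possibly missing path to has_file_correct_permissions and reports whatever that helper (defined outside this commit) returns. Reusing the same three-line existence block from 12.4's check_config in 12.1, 12.2 and 12.3 keeps the permission and ownership scripts for the same file consistent. It would also be worth a comment on `PERMISSIONS='644'` saying whether the helper does an exact match or a "no more permissive than" check, since a site that ships /etc/passwd as 444 would otherwise be flagged and then widened by apply().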
@ -0,0 +1,61 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 12.2 Verify Permissions on /etc/shadow (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=1
|
||||||
|
|
||||||
|
FILE='/etc/shadow'
|
||||||
|
PERMISSIONS='640'
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
has_file_correct_permissions $FILE $PERMISSIONS
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$FILE has correct permissions"
|
||||||
|
else
|
||||||
|
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
has_file_correct_permissions $FILE $PERMISSIONS
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$FILE has correct permissions"
|
||||||
|
else
|
||||||
|
info "fixing $FILE permissions to $PERMISSIONS"
|
||||||
|
chmod 0$PERMISSIONS $FILE
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
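Review bot: apply() can loosen /etc/shadow: if the helper is an exact-mode check (it is defined outside this commit, so I am inferring from the `crit "$FILE permissions were not set to $PERMISSIONS"` wording), a host that keeps the file at 600 or 000 fails the audit and `chmod 0$PERMISSIONS $FILE` then grants the shadow group read access it did not have. A hardening script should only ever tighten here, so the else branch should compare the current mode with the target and refuse to add permission bits, as below. The same guard applies to 12.1 and 12.3, but the consequence matters most for the shadow file.

```shell
    else
        CURRENT=$(stat -c '%a' "$FILE")
        # only tighten: bail out if the target would grant bits the current mode lacks
        if [ $(( 8#$CURRENT & ~8#$PERMISSIONS & 8#777 )) -ne 0 ]; then
            info "fixing $FILE permissions to $PERMISSIONS"
            chmod 0$PERMISSIONS $FILE
        else
            warn "$FILE mode $CURRENT is stricter than $PERMISSIONS, leaving it unchanged"
        fi
    fi
```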
@ -0,0 +1,61 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 12.3 Verify Permissions on /etc/group (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=1
|
||||||
|
|
||||||
|
FILE='/etc/group'
|
||||||
|
PERMISSIONS='644'
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
has_file_correct_permissions $FILE $PERMISSIONS
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$FILE has correct permissions"
|
||||||
|
else
|
||||||
|
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
has_file_correct_permissions $FILE $PERMISSIONS
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$FILE has correct permissions"
|
||||||
|
else
|
||||||
|
info "fixing $FILE permissions to $PERMISSIONS"
|
||||||
|
chmod 0$PERMISSIONS $FILE
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
@ -0,0 +1,76 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 12.4 Verify User/Group Ownership on /etc/passwd (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=1
|
||||||
|
|
||||||
|
FILE='/etc/passwd'
|
||||||
|
USER='root'
|
||||||
|
GROUP='root'
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
has_file_correct_ownership $FILE $USER $GROUP
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$FILE has correct ownership"
|
||||||
|
else
|
||||||
|
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
has_file_correct_ownership $FILE $USER $GROUP
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$FILE has correct ownership"
|
||||||
|
else
|
||||||
|
info "fixing $FILE ownership to $USER:$GROUP"
|
||||||
|
chown $USER:$GROUP $FILE
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
does_user_exist $USER
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
crit "$USER does not exist"
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
does_group_exist $GROUP
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
crit "$GROUP does not exist"
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
does_file_exist $FILE
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
crit "$FILE does not exist"
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
@ -0,0 +1,76 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 12.5 Verify User/Group Ownership on /etc/shadow (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=1
|
||||||
|
|
||||||
|
FILE='/etc/shadow'
|
||||||
|
USER='root'
|
||||||
|
GROUP='shadow'
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
has_file_correct_ownership $FILE $USER $GROUP
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$FILE has correct ownership"
|
||||||
|
else
|
||||||
|
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
has_file_correct_ownership $FILE $USER $GROUP
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$FILE has correct ownership"
|
||||||
|
else
|
||||||
|
info "fixing $FILE ownership to $USER:$GROUP"
|
||||||
|
chown $USER:$GROUP $FILE
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
does_user_exist $USER
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
crit "$USER does not exist"
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
does_group_exist $GROUP
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
crit "$GROUP does not exist"
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
does_file_exist $FILE
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
crit "$FILE does not exist"
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
@ -0,0 +1,76 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 12.6 Verify User/Group Ownership on /etc/group (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=1
|
||||||
|
|
||||||
|
FILE='/etc/group'
|
||||||
|
USER='root'
|
||||||
|
GROUP='root'
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
has_file_correct_ownership $FILE $USER $GROUP
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$FILE has correct ownership"
|
||||||
|
else
|
||||||
|
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
has_file_correct_ownership $FILE $USER $GROUP
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$FILE has correct ownership"
|
||||||
|
else
|
||||||
|
info "fixing $FILE ownership to $USER:$GROUP"
|
||||||
|
chown $USER:$GROUP $FILE
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
does_user_exist $USER
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
crit "$USER does not exist"
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
does_group_exist $GROUP
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
crit "$GROUP does not exist"
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
does_file_exist $FILE
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
crit "$FILE does not exist"
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
@ -0,0 +1,62 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 12.7 Find World Writable Files (Not Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
info "Checking if there are world writable files"
|
||||||
|
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
|
||||||
|
if [ ! -z "$RESULT" ]; then
|
||||||
|
crit "Some world writable files are present"
|
||||||
|
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
|
||||||
|
crit "$FORMATTED_RESULT"
|
||||||
|
else
|
||||||
|
ok "No world writable files found"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
|
||||||
|
if [ ! -z "$RESULT" ]; then
|
||||||
|
warn "chmoding o-w all files in the system"
|
||||||
|
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null| xargs chmod o-w
|
||||||
|
else
|
||||||
|
ok "No world writable files found, nothing to apply"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
# No param for this function
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
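Review bot: apply() pipes `find ... -print` into a bare `xargs chmod o-w`, so a world-writable file whose name contains whitespace or a quote — which any unprivileged user can create in their own home directory — is split into the wrong paths or makes xargs fail, and under set -e that aborts the run. The NUL-delimited form avoids it: `df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print0 2>/dev/null | xargs -0 --no-run-if-empty chmod o-w` (or `-exec chmod o-w {} +`). The same names also go through `sed "s/ /\n/g" <<< $RESULT` in audit(), where a path with a space is reported as two entries, and apply()'s find drops the `$SUDO_CMD` that audit()'s find uses, so the two passes may not even see the same files when the script is not run as root.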
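--- a/PATH_NOT_ON_PAGE_12.8
+++ b/PATH_NOT_ON_PAGE_12.8
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 12.8 Find Un-owned Files and Directories (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=2
+
+USER='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+info "Checking if there are unowned files"
+RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -nouser -print 2>/dev/null)
+if [ ! -z "$RESULT" ]; then
+crit "Some unowned files are present"
+FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
+crit "$FORMATTED_RESULT"
+else
+ok "No unowned files found"
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
+if [ ! -z "$RESULT" ]; then
+warn "Applying chown on all unowned files in the system"
+df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER
+else
+ok "No unowned files found, nothing to apply"
+fi
+}
+
+# This function will check config parameters required
+check_config() {
+# No param for this function
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi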
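Review bot: `xargs chown $USER` in apply() receives newline-separated paths from `find -print`, so a path containing whitespace or a newline is split or mis-parsed, and `chown` without `-h` dereferences any unowned symlink and re-owns its target instead of the link. Use `-print0 | xargs -0 --no-run-if-empty chown -h -- "$USER"` so each path is passed intact and symlinks are handled in place; the `chgrp $GROUP` line in 12.9 needs the same treatment. Reassigning every orphaned file to root is one possible remediation, so a comment noting that an operator may prefer another active user as `USER` would help the next reader. Note also that `USER='root'` shadows the login-session `USER` environment variable for anything main.sh later logs.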
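--- a/PATH_NOT_ON_PAGE_12.9
+++ b/PATH_NOT_ON_PAGE_12.9
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 12.9 Find Un-grouped Files and Directories (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=2
+
+GROUP='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+info "Checking if there are ungrouped files"
+RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -nogroup -print 2>/dev/null)
+if [ ! -z "$RESULT" ]; then
+crit "Some ungrouped files are present"
+FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
+crit "$FORMATTED_RESULT"
+else
+ok "No ungrouped files found"
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
+if [ ! -z "$RESULT" ]; then
+warn "Applying chgrp on all ungrouped files in the system"
+df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP
+else
+ok "No ungrouped files found, nothing to apply"
+fi
+}
+
+# This function will check config parameters required
+check_config() {
+# No param for this function
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi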
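Review bot: Under `set -e`, the `RESULT=$(... | xargs -I '{}' $SUDO_CMD find '{}' ... 2>/dev/null)` assignment in audit() aborts the whole script as soon as find reports any error, because GNU find exits non-zero after a permission-denied entry and xargs then exits 123; the `2>/dev/null` hides the message but not the status. When the audit is run unprivileged this turns a partial scan into a silent exit instead of a finding. Keeping the partial result with `RESULT=$(... 2>/dev/null || true)` and emitting a `warn` when the status was non-zero would make the incomplete coverage visible. 12.8's audit() uses the same construct.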
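--- a/PATH_NOT_ON_PAGE_13.10
+++ b/PATH_NOT_ON_PAGE_13.10
@@ -0,0 +1,62 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 13.10 Check for Presence of User .rhosts Files (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=2
+
+ERRORS=0
+FILENAME=".rhosts"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+debug "Working on $DIR"
+for FILE in $DIR/$FILENAME; do
+if [ ! -h "$FILE" -a -f "$FILE" ]; then
+crit "$FILE present"
+ERRORS=$((ERRORS+1))
+fi
+done
+done
+
+if [ $ERRORS = 0 ]; then
+ok "No $FILENAME present in users home directory"
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+info "If the audit returns something, please check with the user why he has this file"
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi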
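Review bot: The `egrep -v '(root|halt|sync|shutdown)'` filter in audit() matches those words anywhere on the passwd line, so any account whose name, GECOS or home path merely contains one of them (a constructed example: a user named `syncuser`) is silently dropped from the .rhosts check, and the unquoted `$(...)` in the `for DIR in` list word-splits home directories that contain spaces. Filtering on the login field inside the awk program that is already there avoids the first problem: `for DIR in $(awk -F: '($1 !~ /^(root|halt|sync|shutdown)$/ && $7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 != "/nonexistent") { print $6 }' /etc/passwd); do`, and a `while IFS= read -r DIR` loop over the same awk output would also survive spaces. 13.18 and 13.19 carry the identical loop.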
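--- a/PATH_NOT_ON_PAGE_13.11
+++ b/PATH_NOT_ON_PAGE_13.11
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 13.11 Check Groups in /etc/passwd (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=2
+
+ERRORS=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+
+for GROUP in $(cut -s -d: -f4 /etc/passwd | sort -u ); do
+debug "Working on group $GROUP"
+if ! grep -q -P "^.*?:[^:]*:$GROUP:" /etc/group; then
+crit "Group $GROUP is referenced by /etc/passwd but does not exist in /etc/group"
+ERRORS=$((ERRORS+1))
+fi
+done
+
+if [ $ERRORS = 0 ]; then
+ok "passwd and group Groups are consistent"
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+info "Solving passwd and group consistency automatically may seriously harm your system, report only here"
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi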
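Review bot: audit() resolves each primary GID by grepping /etc/group directly, so on a host whose groups come through NSS (LDAP, SSSD) every such GID is reported as a critical finding even though the group resolves, and `-P` ties the check to a PCRE-enabled grep. `getent group "$GROUP" >/dev/null` answers the question through NSS with no regex: `if ! getent group "$GROUP" >/dev/null; then`. If the benchmark's intent is strictly local-file consistency between /etc/passwd and /etc/group, a one-line comment above the loop saying so would stop the next maintainer from "fixing" it, since `cut -s -d: -f4 /etc/passwd` on the same line already reads only the local file.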
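--- a/PATH_NOT_ON_PAGE_13.12
+++ b/PATH_NOT_ON_PAGE_13.12
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 13.12 Check That Users Are Assigned Valid Home Directories (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=2
+
+ERRORS=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+RESULT=$(cat /etc/passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
+for LINE in $RESULT; do
+debug "Working on $LINE"
+USER=$(awk -F: {'print $1'} <<< $LINE)
+USERID=$(awk -F: {'print $2'} <<< $LINE)
+DIR=$(awk -F: {'print $3'} <<< $LINE)
+if [ $USERID -ge 1000 -a ! -d "$DIR" -a $USER != "nfsnobody" -a $USER != "nobody" ]; then
+crit "The home directory ($DIR) of user $USER does not exist."
+ERRORS=$((ERRORS+1))
+fi
+done
+
+if [ $ERRORS = 0 ]; then
+ok "All home directories exists"
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+info "Modifying home directories may seriously harm your system, report only here"
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi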
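Review bot: The user-account threshold is hard-coded as `1000` in this audit() but as `500` in 13.13, so the two home-directory checks disagree about which accounts they cover; Debian keeps the real boundary as `UID_MIN` in /etc/login.defs, and reading it once, e.g. `UID_MIN=$(awk '$1 == "UID_MIN" { print $2 }' /etc/login.defs)` with a fallback of 1000, would keep both scripts consistent with the host. Separately, `for LINE in $RESULT` plus three awk invocations per line breaks on home paths that contain spaces and forks three processes per account; `while IFS=: read -r USER _ USERID _ _ DIR _; do ... done < /etc/passwd` reads the same three fields directly. Assigning to `USER` also clobbers the login-session variable of that name.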
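--- a/PATH_NOT_ON_PAGE_13.13
+++ b/PATH_NOT_ON_PAGE_13.13
@@ -0,0 +1,74 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 13.13 Check User Home Directory Ownership (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=2
+
+ERRORS=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+RESULT=$(cat /etc/passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
+for LINE in $RESULT; do
+debug "Working on $LINE"
+USER=$(awk -F: {'print $1'} <<< $LINE)
+USERID=$(awk -F: {'print $2'} <<< $LINE)
+DIR=$(awk -F: {'print $3'} <<< $LINE)
+if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" ]; then
+OWNER=$(stat -L -c "%U" "$DIR")
+if [ "$OWNER" != "$USER" ]; then
+crit "The home directory ($DIR) of user $USER is owned by $OWNER."
+ERRORS=$((ERRORS+1))
+fi
+fi
+done
+
+if [ $ERRORS = 0 ]; then
+ok "All home directories have correct ownership"
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+cat /etc/passwd | awk -F: '{ print $1 " " $3 " " $6 }' | while read USER USERID DIR; do
+if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" ]; then
+OWNER=$(stat -L -c "%U" "$DIR")
+if [ "$OWNER" != "$USER" ]; then
+warn "The home directory ($DIR) of user $USER is owned by $OWNER."
+chown $USER $DIR
+fi
+fi
+done
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi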
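Review bot: `chown $USER $DIR` in apply() is unquoted, the `read USER USERID DIR` feeding it has no `-r` and splits on whitespace, and nothing guards the home field itself: an account with UID 500 or above whose home is `/` would have the filesystem root handed to that user, and a symlinked home is re-owned through the link because both `-d` and `chown` follow it. Reading /etc/passwd by field and refusing to chown `/` or a symlink bounds the blast radius of this remediation; the rewrite below keeps the warn/chown behaviour otherwise. The `cat | awk | while` pipeline runs the loop in a subshell, which is harmless here only because apply() does not count errors.
```shell
apply () {
    while IFS=: read -r USER _ USERID _ _ DIR _; do
        # Refuse symlinked homes and "/" so a stray passwd entry cannot re-own the filesystem root.
        if [ "$USERID" -ge 500 ] && [ -d "$DIR" ] && [ ! -h "$DIR" ] && [ "$DIR" != "/" ] && [ "$USER" != "nfsnobody" ]; then
            # … unchanged: OWNER=$(stat -L -c "%U" "$DIR"), owner comparison and warn …
                chown -- "$USER" "$DIR"
            # … unchanged: closing fi of the owner comparison …
        fi
    done < /etc/passwd
}
```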
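--- a/PATH_NOT_ON_PAGE_13.14
+++ b/PATH_NOT_ON_PAGE_13.14
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 13.14 Check for Duplicate UIDs (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=2
+
+ERRORS=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+RESULT=$(cat /etc/passwd | cut -f3 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
+for LINE in $RESULT; do
+debug "Working on line $LINE"
+OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
+USERID=$(awk -F: {'print $2'} <<< $LINE)
+if [ $OCC_NUMBER -gt 1 ]; then
+USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERID /etc/passwd | xargs)
+ERRORS=$((ERRORS+1))
+crit "Duplicate UID ($USERID): ${USERS}"
+fi
+done
+
+if [ $ERRORS = 0 ]; then
+ok "No duplicate UIDs"
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+info "Editing automatically uids may seriously harm your system, report only here"
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi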
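Review bot: `. $CIS_ROOT_DIR/lib/main.sh` at the bottom of the script sources and executes code from a path taken out of /etc/default/cis-hardening with only a `-r` check, and these scripts run as root in apply mode, so a config file or lib directory writable by a non-root user becomes a root code-execution path; every script in this commit ends with the same two sourcing blocks. Checking ownership and mode before sourcing, e.g. `[ "$(stat -c '%U' "$CIS_ROOT_DIR/lib/main.sh")" = root ]` together with a group/world-writable check on the directory, and quoting the path in both the `-r` test and the `.` line, would close that for both files. In audit() itself, `cat /etc/passwd | cut -f3 -d":"` forks a needless cat where `cut -f3 -d: /etc/passwd` reads the file directly, and `awk {'print $1":"$2'}` relies on shell concatenation of an unquoted brace pair when the conventional `awk '{print $1":"$2}'` is what a reader expects; the same spelling recurs in 13.15 through 13.17.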
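--- a/PATH_NOT_ON_PAGE_13.15
+++ b/PATH_NOT_ON_PAGE_13.15
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 13.15 Check for Duplicate GIDs (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=2
+
+ERRORS=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+RESULT=$(cat /etc/group | cut -f3 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
+for LINE in $RESULT; do
+debug "Working on line $LINE"
+OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
+GROUPID=$(awk -F: {'print $2'} <<< $LINE)
+if [ $OCC_NUMBER -gt 1 ]; then
+USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPID /etc/passwd | xargs)
+ERRORS=$((ERRORS+1))
+crit "Duplicate GID ($GROUPID): ${USERS}"
+fi
+done
+
+if [ $ERRORS = 0 ]; then
+ok "No duplicate GIDs"
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+info "Editing automatically gids may seriously harm your system, report only here"
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi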
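Review bot: `USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPID /etc/passwd | xargs)` looks the duplicated GID up in /etc/passwd, where field 3 is the UID, so the `crit "Duplicate GID ($GROUPID): ${USERS}"` that follows names whichever users happen to carry that number as a UID rather than the group entries that actually collide; the finding is counted correctly but the report is misleading. The lookup belongs in /etc/group, whose third field is the GID: `USERS=$(awk -F: '($3 == n) { print $1 }' n="$GROUPID" /etc/group | xargs)`. Renaming the variable to something like `GROUP_NAMES` would also stop it reading as a list of users (avoid `GROUPS`, which bash reserves).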
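--- a/PATH_NOT_ON_PAGE_13.16
+++ b/PATH_NOT_ON_PAGE_13.16
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 13.16 Check for Duplicate User Names (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=1
+
+ERRORS=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+RESULT=$(cat /etc/passwd | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
+for LINE in $RESULT; do
+debug "Working on line $LINE"
+OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
+USERNAME=$(awk -F: {'print $2'} <<< $LINE)
+if [ $OCC_NUMBER -gt 1 ]; then
+USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERNAME /etc/passwd | xargs)
+ERRORS=$((ERRORS+1))
+crit "Duplicate username $USERNAME"
+fi
+done
+
+if [ $ERRORS = 0 ]; then
+ok "No duplicate usernames"
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+info "Editing automatically username may seriously harm your system, report only here"
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi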
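Review bot: The `USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERNAME /etc/passwd | xargs)` line compares the numeric UID field against a user name, so it is always empty, and the `crit` that follows never uses it anyway; 13.17 carries the same dead line, there also against /etc/passwd for a group name. Either drop the line or make the report carry the count that is already in hand: `crit "Duplicate username $USERNAME ($OCC_NUMBER entries in /etc/passwd)"`. `sort -n` on the name column is likewise a no-op that a plain `sort` would express more honestly.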
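--- a/PATH_NOT_ON_PAGE_13.17
+++ b/PATH_NOT_ON_PAGE_13.17
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 13.17 Check for Duplicate Group Names (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=1
+
+ERRORS=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+RESULT=$(cat /etc/group | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
+for LINE in $RESULT; do
+debug "Working on line $LINE"
+OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
+GROUPNAME=$(awk -F: {'print $2'} <<< $LINE)
+if [ $OCC_NUMBER -gt 1 ]; then
+USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPNAME /etc/passwd | xargs)
+ERRORS=$((ERRORS+1))
+crit "Duplicate groupname $GROUPNAME"
+fi
+done
+
+if [ $ERRORS = 0 ]; then
+ok "No duplicate groupnames"
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+info "Editing automatically groupname may seriously harm your system, report only here"
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi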
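--- a/PATH_NOT_ON_PAGE_13.18
+++ b/PATH_NOT_ON_PAGE_13.18
@@ -0,0 +1,62 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 13.18 Check for Presence of User .netrc Files (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=2
+
+ERRORS=0
+FILENAME='.netrc'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+debug "Working on $DIR"
+for FILE in $DIR/$FILENAME; do
+if [ ! -h "$FILE" -a -f "$FILE" ]; then
+crit "$FILE present"
+ERRORS=$((ERRORS+1))
+fi
+done
+done
+
+if [ $ERRORS = 0 ]; then
+ok "No $FILENAME present in users home directory"
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+info "If the audit returns something, please check with the user why he has this file"
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi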
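--- a/PATH_NOT_ON_PAGE_13.19
+++ b/PATH_NOT_ON_PAGE_13.19
@@ -0,0 +1,62 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 13.19 Check for Presence of User .forward Files (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=2
+
+ERRORS=0
+FILENAME='.forward'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+debug "Working on $DIR"
+for FILE in $DIR/$FILENAME; do
+if [ ! -h "$FILE" -a -f "$FILE" ]; then
+crit "$FILE present"
+ERRORS=$((ERRORS+1))
+fi
+done
+done
+
+if [ $ERRORS = 0 ]; then
+ok "No $FILENAME present in users home directory"
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+info "If the audit returns something, please check with the user why he has this file"
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi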
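--- a/PATH_NOT_ON_PAGE_13.1
+++ b/PATH_NOT_ON_PAGE_13.1
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 13.1 Ensure Password Fields are Not Empty (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=1
+
+FILE='/etc/shadow'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+info "Checking if accounts have an empty password"
+RESULT=$($SUDO_CMD cat $FILE | awk -F: '($2 == "" ) { print $1 }')
+if [ ! -z "$RESULT" ]; then
+crit "Some accounts have an empty password"
+crit $RESULT
+else
+ok "All accounts have a password"
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+RESULT=$(cat $FILE | awk -F: '($2 == "" ) { print $1 }')
+if [ ! -z "$RESULT" ]; then
+warn "Some accounts have an empty password"
+for ACCOUNT in $RESULT; do
+info "Locking $ACCOUNT"
+passwd -l $ACCOUNT >/dev/null 2>&1
+done
+else
+ok "All accounts have a password"
+fi
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi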
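Review bot: `passwd -l $ACCOUNT >/dev/null 2>&1` in apply() discards the diagnostics, and under `set -e` a failed lock aborts the script mid-loop without any message, leaving the remaining empty-password accounts both unlocked and unreported. Log the failure and keep going: `passwd -l "$ACCOUNT" >/dev/null 2>&1 || warn "Failed to lock $ACCOUNT"`. `crit $RESULT` in audit() should be quoted as `crit "$RESULT"` so the account list is passed as one argument, and `cat $FILE | awk` can be `awk -F: '($2 == "") { print $1 }' "$FILE"` in both functions; apply() reading `$FILE` without `$SUDO_CMD` presumably relies on apply mode already running as root, which a comment could state.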
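--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_13.20
@@ -0,0 +1,72 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 13.20 Ensure shadow group is empty (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=1
+
+ERRORS=0
+FILEGROUP='/etc/group'
+PATTERN='^shadow:x:[[:digit:]]+:'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+does_pattern_exist_in_file $FILEGROUP $PATTERN
+if [ $FNRET = 0 ]; then
+info "shadow group exists"
+RESULT=$(grep -E "$PATTERN" $FILEGROUP | cut -d: -f4)
+GROUPID=$(getent group shadow | cut -d: -f3)
+debug "$RESULT $GROUPID"
+if [ ! -z "$RESULT" ]; then
+crit "Some users belong to shadow group: $RESULT"
+else
+ok "No user belongs to shadow group"
+fi
+
+info "Checking if a user has $GROUPID as primary group"
+RESULT=$(awk -F: '($4 == shadowid) { print $1 }' shadowid=$GROUPID /etc/passwd)
+if [ ! -z "$RESULT" ]; then
+crit "Some users have shadow id as their primary group: $RESULT"
+else
+ok "No user has shadow id as their primary group"
+fi
+else
+crit "shadow group doesn't exist"
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+info "Editing automatically users/groups may seriously harm your system, report only here"
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi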
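Review bot: `does_pattern_exist_in_file $FILEGROUP $PATTERN` passes the pattern unquoted, and `^shadow:x:[[:digit:]]+:` contains a bracket expression the shell treats as a glob, so a stray matching filename in the working directory would replace the argument; `does_pattern_exist_in_file "$FILEGROUP" "$PATTERN"` matches the quoting already used on the `grep -E "$PATTERN"` line. `ERRORS=0` is declared but never read in this file. If `getent group shadow` returned nothing, `shadowid=` would be empty in the awk comparison and the primary-group check would silently pass; a `[ -n "$GROUPID" ]` guard before the awk line would make that failure visible instead.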
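--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_13.2
@@ -0,0 +1,66 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 13.2 Verify No Legacy "+" Entries Exist in /etc/passwd File (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=1
+
+FILE='/etc/passwd'
+RESULT=''
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+info "Checking if accounts have a legacy password entry"
+if grep '^+:' $FILE -q; then
+RESULT=$(grep '^+:' $FILE)
+crit "Some accounts have a legacy password entry"
+crit $RESULT
+else
+ok "All accounts have a valid password entry format"
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+if grep '^+:' $FILE -q; then
+RESULT=$(grep '^+:' $FILE)
+warn "Some accounts have a legacy password entry"
+for LINE in $RESULT; do
+info "Removing $LINE from $FILE"
+delete_line_in_file $FILE $LINE
+done
+else
+ok "All accounts have a valid password entry format"
+fi
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi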
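Review bot: `for LINE in $RESULT; do` and the unquoted `delete_line_in_file $FILE $LINE` word-split the matched passwd lines on whitespace, so a legacy entry whose GECOS field contains a space reaches the helper as several fragments, and `crit $RESULT` likewise collapses multi-line output into one line. Iterating with `while IFS= read -r LINE; do ... done <<< "$RESULT"` and quoting `"$FILE" "$LINE"` keeps each line intact, and `crit "$RESULT"` preserves the line breaks. The same pattern appears in the 13.3 (/etc/shadow) and 13.4 (/etc/group) scripts that follow.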
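--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_13.3
@@ -0,0 +1,66 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 13.3 Verify No Legacy "+" Entries Exist in /etc/shadow File (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=1
+
+FILE='/etc/shadow'
+RESULT=''
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+info "Checking if accounts have a legacy password entry"
+if $SUDO_CMD grep '^+:' $FILE -q; then
+RESULT=$(grep '^+:' $FILE)
+crit "Some accounts have a legacy password entry"
+crit $RESULT
+else
+ok "All accounts have a valid password entry format"
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+if grep '^+:' $FILE -q; then
+RESULT=$(grep '^+:' $FILE)
+warn "Some accounts have a legacy password entry"
+for LINE in $RESULT; do
+info "Removing $LINE from $FILE"
+delete_line_in_file $FILE $LINE
+done
+else
+ok "All accounts have a valid password entry format"
+fi
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi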
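Review bot: `if $SUDO_CMD grep '^+:' $FILE -q` runs the test through `$SUDO_CMD`, but the following `RESULT=$(grep '^+:' $FILE)` does not, so in sudo mode the second read of /etc/shadow fails on permissions and, with `set -e` in effect, the assignment's non-zero status aborts the audit right after a positive match. `RESULT=$($SUDO_CMD grep '^+:' $FILE)` keeps the two reads consistent. apply() reads the file without `$SUDO_CMD` on both of its grep lines, which is coherent only if apply always runs as root; a comment stating that assumption would help the next reader.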
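--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_13.4
@@ -0,0 +1,66 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 13.4 Verify No Legacy "+" Entries Exist in /etc/group File (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=1
+
+FILE='/etc/group'
+RESULT=''
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+info "Checking if accounts have a legacy group entry"
+if grep '^+:' $FILE -q; then
+RESULT=$(grep '^+:' $FILE)
+crit "Some accounts have a legacy group entry"
+crit $RESULT
+else
+ok "All accounts have a valid group entry format"
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+if grep '^+:' $FILE -q; then
+RESULT=$(grep '^+:' $FILE)
+warn "Some accounts have a legacy group entry"
+for LINE in $RESULT; do
+info "Removing $LINE from $FILE"
+delete_line_in_file $FILE $LINE
+done
+else
+ok "All accounts have a valid group entry format"
+fi
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi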
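--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_13.5
@@ -0,0 +1,79 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 13.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=2
+
+FILE='/etc/passwd'
+RESULT=''
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+info "Checking if accounts have uid 0"
+RESULT=$(cat $FILE | awk -F: '($3 == 0 && $1!="root" ) { print $1 }')
+for ACCOUNT in $RESULT; do
+debug "Account : $ACCOUNT"
+debug "Exceptions : $EXCEPTIONS"
+debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
+if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then
+debug "$ACCOUNT is confirmed as an exception"
+RESULT=$(sed "s!$ACCOUNT!!" <<< "$RESULT")
+else
+debug "$ACCOUNT not found in exceptions"
+fi
+done
+if [ ! -z "$RESULT" ]; then
+crit "Some accounts have uid 0"
+crit $RESULT
+else
+ok "No account with uid 0 appart from root and potential configured exceptions"
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+info "Removing accounts with uid 0 may seriously harm your system, report only here"
+}
+
+# This function will create the config file for this check with default values
+create_config() {
+cat <<EOF
+status=disabled
+# Put here valid accounts with uid 0 separated by spaces
+EXCEPTIONS=""
+EOF
+}
+
+# This function will check config parameters required
+check_config() {
+if [ -z "$EXCEPTIONS" ]; then
+EXCEPTIONS="@"
+fi
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi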
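Review bot: `echo "$EXCEPTIONS" | grep -q $ACCOUNT` is an unanchored substring match, so an account is accepted as an exception whenever its name is contained in any listed name (an exception `toor2` also whitelists `toor`), and `sed "s!$ACCOUNT!!"` then strips that substring out of other names left in `$RESULT`. Matching whole names, `tr ' ' '\n' <<< "$EXCEPTIONS" | grep -qxF -- "$ACCOUNT"`, and collecting the non-excepted accounts into a fresh list instead of editing `$RESULT` with sed would close both gaps. `$ACCOUNT` is also unquoted and interpreted by grep as a regex, so a name containing `.` matches more than intended. The 13.7 script below repeats this exception-matching pattern with `$dir`.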
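--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_13.6
@@ -0,0 +1,89 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 13.6 Ensure root PATH Integrity (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=2
+
+ERRORS=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+if [ "`echo $PATH | grep :: `" != "" ]; then
+crit "Empty Directory in PATH (::)"
+ERRORS=$((ERRORS+1))
+fi
+if [ "`echo $PATH | grep :$`" != "" ]; then
+crit "Trailing : in PATH $PATH"
+ERRORS=$((ERRORS+1))
+fi
+FORMATTED_PATH=$(echo $PATH | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g')
+set -- $FORMATTED_PATH
+while [ "${1:-}" != "" ]; do
+if [ "$1" = "." ]; then
+crit "PATH contains ."
+ERRORS=$((ERRORS+1))
+else
+if [ -d $1 ]; then
+dirperm=$(ls -ldH $1 | cut -f1 -d" ")
+if [ $(echo $dirperm | cut -c6 ) != "-" ]; then
+crit "Group Write permission set on directory $1"
+ERRORS=$((ERRORS+1))
+fi
+if [ $(echo $dirperm | cut -c9 ) != "-" ]; then
+crit "Other Write permission set on directory $1"
+ERRORS=$((ERRORS+1))
+fi
+dirown=$(ls -ldH $1 | awk '{print $3}')
+if [ "$dirown" != "root" ] ; then
+crit "$1 is not owned by root"
+ERRORS=$((ERRORS+1))
+fi
+else
+crit "$1 is not a directory"
+ERRORS=$((ERRORS+1))
+fi
+fi
+shift
+done
+
+if [ $ERRORS = 0 ]; then
+ok "root PATH is secure"
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+info "Editing items from PATH may seriously harm your system, report only here"
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi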
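Review bot: A leading colon (`PATH=:/usr/bin`) is an empty directory entry that neither the `grep ::` nor the `grep :$` test catches, and after `sed 's/:/ /g'` plus `set --` the empty word disappears, so it is never reported. A third test, `case "$PATH" in :*) crit "Leading : in PATH"; ERRORS=$((ERRORS+1));; esac`, covers it. `sed -e 's/::/:/'` without the `g` flag collapses only the first `::`, which is harmless here only because the later word-splitting drops the remaining empty fields. The mode and owner checks parse `ls -ldH` output by character position; `stat -c '%a %U'` would give both values directly without parsing ls.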
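--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_13.7
@@ -0,0 +1,123 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 13.7 Check Permissions on User Home Directories (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=2
+
+ERRORS=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+for dir in $(cat /etc/passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+debug "Working on $dir"
+debug "Exceptions : $EXCEPTIONS"
+debug "echo \"$EXCEPTIONS\" | grep -q $dir"
+if echo "$EXCEPTIONS" | grep -q $dir; then
+debug "$dir is confirmed as an exception"
+RESULT=$(sed "s!$dir!!" <<< "$RESULT")
+else
+debug "$dir not found in exceptions"
+fi
+if [ -d $dir ]; then
+dirperm=$(/bin/ls -ld $dir | cut -f1 -d" ")
+if [ $(echo $dirperm | cut -c6 ) != "-" ]; then
+crit "Group Write permission set on directory $dir"
+ERRORS=$((ERRORS+1))
+fi
+if [ $(echo $dirperm | cut -c8 ) != "-" ]; then
+crit "Other Read permission set on directory $dir"
+ERRORS=$((ERRORS+1))
+fi
+if [ $(echo $dirperm | cut -c9 ) != "-" ]; then
+crit "Other Write permission set on directory $dir"
+ERRORS=$((ERRORS+1))
+fi
+if [ $(echo $dirperm | cut -c10 ) != "-" ]; then
+crit "Other Execute permission set on directory $dir"
+ERRORS=$((ERRORS+1))
+fi
+fi
+done
+
+if [ $ERRORS = 0 ]; then
+ok "No incorrect permissions on home directories"
+fi
+
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+for dir in $(cat /etc/passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+debug "Working on $dir"
+debug "Exceptions : $EXCEPTIONS"
+debug "echo \"$EXCEPTIONS\" | grep -q $dir"
+if echo "$EXCEPTIONS" | grep -q $dir; then
+debug "$dir is confirmed as an exception"
+RESULT=$(sed "s!$dir!!" <<< "$RESULT")
+else
+debug "$dir not found in exceptions"
+fi
+if [ -d $dir ]; then
+dirperm=$(/bin/ls -ld $dir | cut -f1 -d" ")
+if [ $(echo $dirperm | cut -c6 ) != "-" ]; then
+warn "Group Write permission set on directory $dir"
+chmod g-w $dir
+fi
+if [ $(echo $dirperm | cut -c8 ) != "-" ]; then
+warn "Other Read permission set on directory $dir"
+chmod o-r $dir
+fi
+if [ $(echo $dirperm | cut -c9 ) != "-" ]; then
+warn "Other Write permission set on directory $dir"
+chmod o-w $dir
+fi
+if [ $(echo $dirperm | cut -c10 ) != "-" ]; then
+warn "Other Execute permission set on directory $dir"
+chmod o-x $dir
+fi
+fi
+done
+}
+
+# This function will create the config file for this check with default values
+create_config() {
+cat <<EOF
+status=disabled
+# Put here user home directories exceptions, separated by spaces
+EXCEPTIONS=""
+EOF
+}
+
+# This function will check config parameters required
+check_config() {
+if [ -z "$EXCEPTIONS" ]; then
+EXCEPTIONS="@"
+fi
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi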
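Review bot: `RESULT=$(sed "s!$dir!!" <<< "$RESULT")` in audit() reads `$RESULT`, which this script never initialises (only `ERRORS=0` is set), so under `set -u` the first home directory that matches an exception aborts the script with an unbound-variable error; apply() has the identical line. Beyond that, the exception branch only edits that unused variable and the permission checks still run on the excepted directory, so exceptions have no effect; replacing the sed line with `continue` in both functions makes an exception actually skip the directory. `egrep -v '(root|halt|sync|shutdown)'` also filters on the whole passwd line, so any user whose name, GECOS or home path merely contains one of those substrings is silently skipped.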
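--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_13.8
@@ -0,0 +1,82 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 13.8 Check User Dot File Permissions (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=2
+
+ERRORS=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+debug "Working on $DIR"
+for FILE in $DIR/.[A-Za-z0-9]*; do
+if [ ! -h "$FILE" -a -f "$FILE" ]; then
+FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")
+if [ $(echo $FILEPERM | cut -c6) != "-" ]; then
+crit "Group Write permission set on FILE $FILE"
+ERRORS=$((ERRORS+1))
+fi
+if [ $(echo $FILEPERM | cut -c9) != "-" ]; then
+crit "Other Write permission set on FILE $FILE"
+ERRORS=$((ERRORS+1))
+fi
+fi
+done
+done
+
+if [ $ERRORS = 0 ]; then
+ok "Dot file permission in users directories are correct"
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+for FILE in $DIR/.[A-Za-z0-9]*; do
+if [ ! -h "$FILE" -a -f "$FILE" ]; then
+FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")
+if [ $(echo $FILEPERM | cut -c6) != "-" ]; then
+warn "Group Write permission set on FILE $FILE"
+chmod g-w $FILE
+fi
+if [ $(echo $FILEPERM | cut -c9) != "-" ]; then
+warn "Other Write permission set on FILE $FILE"
+chmod o-w $FILE
+fi
+fi
+done
+done
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi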
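Review bot: `ls -ld $FILE` and the `chmod g-w $FILE` / `chmod o-w $FILE` lines leave `$FILE` unquoted although the `[ ! -h "$FILE" -a -f "$FILE" ]` test just before them quotes it, so a dotfile name containing whitespace or a glob character is split before it reaches ls and, with `set -e`, a failing ls aborts the whole loop. `ls -ld -- "$FILE"` and `chmod g-w -- "$FILE"` keep the name intact. When a home directory has no matching dotfile the glob `$DIR/.[A-Za-z0-9]*` stays literal, which the `-f` test rejects, so that case is already safe.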
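--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_13.9
@@ -0,0 +1,81 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 13.9 Check Permissions on User .netrc Files (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=2
+
+PERMISSIONS="600"
+ERRORS=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+debug "Working on $DIR"
+for FILE in $DIR/.netrc; do
+if [ ! -h "$FILE" -a -f "$FILE" ]; then
+has_file_correct_permissions $FILE $PERMISSIONS
+if [ $FNRET = 0 ]; then
+ok "$FILE has correct permissions"
+else
+crit "$FILE permissions were not set to $PERMISSIONS"
+ERRORS=$((ERRORS+1))
+fi
+fi
+done
+done
+
+if [ $ERRORS = 0 ]; then
+ok "permission $PERMISSIONS set on .netrc users files"
+fi
+
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+debug "Working on $DIR"
+for FILE in $DIR/.netrc; do
+if [ ! -h "$FILE" -a -f "$FILE" ]; then
+has_file_correct_permissions $FILE $PERMISSIONS
+if [ $FNRET = 0 ]; then
+ok "$FILE has correct permissions"
+else
+warn "$FILE permissions were not set to $PERMISSIONS"
+chmod 600 $FILE
+fi
+fi
+done
+done
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi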
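Review bot: `chmod 600 $FILE` in apply() hardcodes the mode that `PERMISSIONS="600"` parameterises at the top of the file and that `has_file_correct_permissions $FILE $PERMISSIONS` audits against, so changing the constant would leave the fix out of step with the check; `chmod "$PERMISSIONS" -- "$FILE"` keeps the two tied together. `for FILE in $DIR/.netrc` iterates over a single fixed path and could simply be `FILE="$DIR/.netrc"`, which also stops a home path containing spaces from being split.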
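--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_2.10
@@ -0,0 +1,86 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 2.10 Add nodev Option to /home (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=2
+
+# Quick factoring as many script use the same logic
+PARTITION="/home"
+OPTION="nodev"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+info "Verifying that $PARTITION is a partition"
+FNRET=0
+is_a_partition "$PARTITION"
+if [ $FNRET -gt 0 ]; then
+crit "$PARTITION is not a partition"
+FNRET=2
+else
+ok "$PARTITION is a partition"
+has_mount_option $PARTITION $OPTION
+if [ $FNRET -gt 0 ]; then
+crit "$PARTITION has no option $OPTION in fstab!"
+FNRET=1
+else
+ok "$PARTITION has $OPTION in fstab"
+has_mounted_option $PARTITION $OPTION
+if [ $FNRET -gt 0 ]; then
+warn "$PARTITION is not mounted with $OPTION at runtime"
+FNRET=3
+else
+ok "$PARTITION mounted with $OPTION"
+fi
+fi
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+if [ $FNRET = 0 ]; then
+ok "$PARTITION is correctly set"
+elif [ $FNRET = 2 ]; then
+crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+elif [ $FNRET = 1 ]; then
+info "Adding $OPTION to fstab"
+add_option_to_fstab $PARTITION $OPTION
+info "Remounting $PARTITION from fstab"
+remount_partition $PARTITION
+elif [ $FNRET = 3 ]; then
+info "Remounting $PARTITION from fstab"
+remount_partition $PARTITION
+fi
+}
+
+# This function will check config parameters required
+check_config() {
+# No param for this script
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi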
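Review bot: apply() branches on `$FNRET` values that audit() assigns (0, 1, 2, 3) but nothing in this file records what each value means, and apply() never sets `FNRET` itself, so it depends on audit() having run first in the same shell. A comment above apply(), `# FNRET is set by audit(): 0 = compliant, 1 = option missing in fstab, 2 = not a partition, 3 = in fstab but not mounted with it`, would document that contract. apply() also has no final `else`, so an unexpected value produces no output at all.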
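--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_2.11
@@ -0,0 +1,74 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 2.11 Add nodev Option to Removable Media Partitions (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=2
+
+# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
+
+# Quick factoring as many script use the same logic
+PARTITION="/media\S*"
+OPTION="nodev"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+info "Verifying if there is $PARTITION like partition"
+FNRET=0
+is_a_partition "$PARTITION"
+if [ $FNRET -gt 0 ]; then
+ok "There is no partition like $PARTITION"
+FNRET=0
+else
+info "detected $PARTITION like"
+has_mount_option $PARTITION $OPTION
+if [ $FNRET -gt 0 ]; then
+crit "$PARTITION has no option $OPTION in fstab!"
+FNRET=1
+else
+ok "$PARTITION has $OPTION in fstab"
+fi
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+if [ $FNRET = 0 ]; then
+ok "$PARTITION is correctly set"
+elif [ $FNRET = 1 ]; then
+info "Adding $OPTION to fstab"
+add_option_to_fstab $PARTITION $OPTION
+fi
+}
+
+# This function will check config parameters required
+check_config() {
+# No param for this script
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi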
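Review bot: `has_mount_option $PARTITION $OPTION` and `add_option_to_fstab $PARTITION $OPTION` pass `/media\S*` unquoted while `is_a_partition "$PARTITION"` a few lines earlier quotes it; the value is a regex fragment and, unquoted, is subject to pathname expansion, so quoting both calls (`has_mount_option "$PARTITION" "$OPTION"`, `add_option_to_fstab "$PARTITION" "$OPTION"`) keeps all three helpers receiving the same string. The 2.12 script that follows repeats the same calls with `OPTION="noexec"`.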
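--- a/PLACEHOLDER-PATH-2.12
+++ b/PLACEHOLDER-PATH-2.12
@@ -0,0 +1,74 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 2.12 Add noexec Option to Removable Media Partitions (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=2
+
+# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
+
+# Quick factoring as many script use the same logic
+PARTITION="/media\S*"
+OPTION="noexec"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+info "Verifying if there is $PARTITION like partition"
+FNRET=0
+is_a_partition "$PARTITION"
+if [ $FNRET -gt 0 ]; then
+ok "There is no partition like $PARTITION"
+FNRET=0
+else
+info "detected $PARTITION like"
+has_mount_option $PARTITION $OPTION
+if [ $FNRET -gt 0 ]; then
+crit "$PARTITION has no option $OPTION in fstab!"
+FNRET=1
+else
+ok "$PARTITION has $OPTION in fstab"
+fi
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+if [ $FNRET = 0 ]; then
+ok "$PARTITION is correctly set"
+elif [ $FNRET = 1 ]; then
+info "Adding $OPTION to fstab"
+add_option_to_fstab $PARTITION $OPTION
+fi
+}
+
+# This function will check config parameters required
+check_config() {
+# No param for this script
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi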
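Review bot: `has_mount_option $PARTITION $OPTION` in audit() and `add_option_to_fstab $PARTITION $OPTION` in apply() expand `$PARTITION` unquoted, although `PARTITION="/media\S*"` is a pattern ending in `*` and therefore subject to pathname expansion, so the helpers can receive matching file names instead of the pattern (the `is_a_partition "$PARTITION"` call a few lines earlier already quotes it). Write `has_mount_option "$PARTITION" "$OPTION"` and `add_option_to_fstab "$PARTITION" "$OPTION"`. The same unquoted helper calls recur in the 2.13 section and, for `/run/shm`, in the 2.14, 2.15 and 2.16 sections, and `. $CIS_ROOT_DIR/lib/main.sh` is unquoted in every section even though its value is read from /etc/default/cis-hardening. Separately, apply() with FNRET=1 hands the regex-looking `/media\S*` to add_option_to_fstab; presumably the helper resolves it to concrete fstab entries, but that contract is not visible here and deserves a comment on the `PARTITION=` line.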
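--- a/PLACEHOLDER-PATH-2.13
+++ b/PLACEHOLDER-PATH-2.13
@@ -0,0 +1,74 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 2.13 Add nosuid Option to Removable Media Partitions (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=2
+
+# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
+
+# Quick factoring as many script use the same logic
+PARTITION="/media\S*"
+OPTION="nosuid"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+info "Verifying if there is $PARTITION like partition"
+FNRET=0
+is_a_partition "$PARTITION"
+if [ $FNRET -gt 0 ]; then
+ok "There is no partition like $PARTITION"
+FNRET=0
+else
+info "detected $PARTITION like"
+has_mount_option $PARTITION $OPTION
+if [ $FNRET -gt 0 ]; then
+crit "$PARTITION has no option $OPTION in fstab!"
+FNRET=1
+else
+ok "$PARTITION has $OPTION in fstab"
+fi
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+if [ $FNRET = 0 ]; then
+ok "$PARTITION is correctly set"
+elif [ $FNRET = 1 ]; then
+info "Adding $OPTION to fstab"
+add_option_to_fstab $PARTITION $OPTION
+fi
+}
+
+# This function will check config parameters required
+check_config() {
+# No param for this script
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi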
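--- a/PLACEHOLDER-PATH-2.14
+++ b/PLACEHOLDER-PATH-2.14
@@ -0,0 +1,86 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 2.14 Add nodev Option to /run/shm Partition (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=2
+
+# Quick factoring as many script use the same logic
+PARTITION="/run/shm"
+OPTION="nodev"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+info "Verifying that $PARTITION is a partition"
+FNRET=0
+is_a_partition "$PARTITION"
+if [ $FNRET -gt 0 ]; then
+crit "$PARTITION is not a partition"
+FNRET=2
+else
+ok "$PARTITION is a partition"
+has_mount_option $PARTITION $OPTION
+if [ $FNRET -gt 0 ]; then
+crit "$PARTITION has no option $OPTION in fstab!"
+FNRET=1
+else
+ok "$PARTITION has $OPTION in fstab"
+has_mounted_option $PARTITION $OPTION
+if [ $FNRET -gt 0 ]; then
+warn "$PARTITION is not mounted with $OPTION at runtime"
+FNRET=3
+else
+ok "$PARTITION mounted with $OPTION"
+fi
+fi
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+if [ $FNRET = 0 ]; then
+ok "$PARTITION is correctly set"
+elif [ $FNRET = 2 ]; then
+crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+elif [ $FNRET = 1 ]; then
+info "Adding $OPTION to fstab"
+add_option_to_fstab $PARTITION $OPTION
+info "Remounting $PARTITION from fstab"
+remount_partition $PARTITION
+elif [ $FNRET = 3 ]; then
+info "Remounting $PARTITION from fstab"
+remount_partition $PARTITION
+fi
+}
+
+# This function will check config parameters required
+check_config() {
+# No param for this script
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi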
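Review bot: apply() dispatches on `$FNRET` values 0, 1, 2 and 3 that only audit() assigns, yet nothing in the file documents that contract or that audit() must have run first; under `set -u` an unset FNRET aborts apply() outright. Add a comment above `apply () {` such as `# Relies on FNRET as left by audit(): 0 compliant, 1 option missing in fstab, 2 not a partition, 3 in fstab but not mounted with the option`. The same applies to the 2.15 and 2.16 sections and, with codes 0/1/2, to the 2.1 section. Whether main.sh guarantees the audit-before-apply ordering is not visible in this commit.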
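--- a/PLACEHOLDER-PATH-2.15
+++ b/PLACEHOLDER-PATH-2.15
@@ -0,0 +1,86 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 2.15 Add nosuid Option to /run/shm Partition (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=2
+
+# Quick factoring as many script use the same logic
+PARTITION="/run/shm"
+OPTION="nosuid"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+info "Verifying that $PARTITION is a partition"
+FNRET=0
+is_a_partition "$PARTITION"
+if [ $FNRET -gt 0 ]; then
+crit "$PARTITION is not a partition"
+FNRET=2
+else
+ok "$PARTITION is a partition"
+has_mount_option $PARTITION $OPTION
+if [ $FNRET -gt 0 ]; then
+crit "$PARTITION has no option $OPTION in fstab!"
+FNRET=1
+else
+ok "$PARTITION has $OPTION in fstab"
+has_mounted_option $PARTITION $OPTION
+if [ $FNRET -gt 0 ]; then
+warn "$PARTITION is not mounted with $OPTION at runtime"
+FNRET=3
+else
+ok "$PARTITION mounted with $OPTION"
+fi
+fi
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+if [ $FNRET = 0 ]; then
+ok "$PARTITION is correctly set"
+elif [ $FNRET = 2 ]; then
+crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+elif [ $FNRET = 1 ]; then
+info "Adding $OPTION to fstab"
+add_option_to_fstab $PARTITION $OPTION
+info "Remounting $PARTITION from fstab"
+remount_partition $PARTITION
+elif [ $FNRET = 3 ]; then
+info "Remounting $PARTITION from fstab"
+remount_partition $PARTITION
+fi
+}
+
+# This function will check config parameters required
+check_config() {
+# No param for this script
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi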
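--- a/PLACEHOLDER-PATH-2.16
+++ b/PLACEHOLDER-PATH-2.16
@@ -0,0 +1,86 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 2.16 Add noexec Option to /run/shm Partition (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+
+# Quick factoring as many script use the same logic
+PARTITION="/run/shm"
+OPTION="noexec"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+info "Verifying that $PARTITION is a partition"
+FNRET=0
+is_a_partition "$PARTITION"
+if [ $FNRET -gt 0 ]; then
+crit "$PARTITION is not a partition"
+FNRET=2
+else
+ok "$PARTITION is a partition"
+has_mount_option $PARTITION $OPTION
+if [ $FNRET -gt 0 ]; then
+crit "$PARTITION has no option $OPTION in fstab!"
+FNRET=1
+else
+ok "$PARTITION has $OPTION in fstab"
+has_mounted_option $PARTITION $OPTION
+if [ $FNRET -gt 0 ]; then
+warn "$PARTITION is not mounted with $OPTION at runtime"
+FNRET=3
+else
+ok "$PARTITION mounted with $OPTION"
+fi
+fi
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+if [ $FNRET = 0 ]; then
+ok "$PARTITION is correctly set"
+elif [ $FNRET = 2 ]; then
+crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+elif [ $FNRET = 1 ]; then
+info "Adding $OPTION to fstab"
+add_option_to_fstab $PARTITION $OPTION
+info "Remounting $PARTITION from fstab"
+remount_partition $PARTITION
+elif [ $FNRET = 3 ]; then
+info "Remounting $PARTITION from fstab"
+remount_partition $PARTITION
+fi
+}
+
+# This function will check config parameters required
+check_config() {
+# No param for this script
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi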
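--- a/PLACEHOLDER-PATH-2.17
+++ b/PLACEHOLDER-PATH-2.17
@@ -0,0 +1,61 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 2.17 Set Sticky Bit on All World-Writable Directories (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=2
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+info "Checking if setuid is set on world writable Directories"
+RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+if [ ! -z "$RESULT" ]; then
+crit "Some world writable directories are not on sticky bit mode!"
+FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
+crit "$FORMATTED_RESULT"
+else
+ok "All world writable directories have a sticky bit"
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+if [ ! -z "$RESULT" ]; then
+df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
+else
+ok "All world writable directories have a sticky bit, nothing to apply"
+fi
+}
+
+# This function will check config parameters required
+check_config() {
+# No param for this function
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi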
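Review bot: the remediation in apply(), `... | xargs chmod a+t`, passes directory names to xargs as whitespace-separated text, so a world-writable directory whose name contains spaces, quotes or newlines — a name any unprivileged user can create — is skipped or split into wrong paths, and the audit side has the same limit when RESULT is re-split with `sed "s/ /\n/g"` on the unquoted `<<< $RESULT`. Use NUL delimiting for the fix: `find '{}' -xdev -type d -perm -0002 -print0 2>/dev/null | xargs -0 -r chmod a+t`. The message `Checking if setuid is set on world writable Directories` also names the wrong bit — the find expression tests the sticky bit (`! -perm -1000`) — and apply() runs find without the `$SUDO_CMD` prefix that audit() uses, so the two passes can enumerate different directory sets when not run as root.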
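--- a/PLACEHOLDER-PATH-2.18
+++ b/PLACEHOLDER-PATH-2.18
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 2.18 Disable Mounting of cramfs Filesystems (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=2
+
+KERNEL_OPTION="CONFIG_CRAMFS"
+MODULE_NAME="cramfs"
+
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
+if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+crit "$KERNEL_OPTION is enabled!"
+else
+ok "$KERNEL_OPTION is disabled"
+fi
+:
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+is_kernel_option_enabled $KERNEL_OPTION
+if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+else
+ok "$KERNEL_OPTION is disabled, nothing to do"
+fi
+:
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi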
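Review bot: apply() calls `is_kernel_option_enabled $KERNEL_OPTION` without the `$MODULE_NAME` argument that audit() passes, so if the helper uses its second argument to look at the loadable module (its body is not in this commit), apply() can conclude the option is disabled where audit() reported it enabled. Pass the same arguments in both places: `is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME`. Note also that apply() never remediates the module case — it only warns about recompiling — while the loadable-module form of this item is normally closed by an `install <module> /bin/true` line under /etc/modprobe.d; if leaving that to the operator is intentional, a comment in apply() saying so would help. Both points apply equally to the 2.19, 2.20, 2.21, 2.22 and 2.23 sections.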
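--- a/PLACEHOLDER-PATH-2.19
+++ b/PLACEHOLDER-PATH-2.19
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 2.19 Disable Mounting of freevxfs Filesystems (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=2
+
+KERNEL_OPTION="CONFIG_VXFS_FS"
+MODULE_NAME="freevxfs"
+
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
+if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+crit "$KERNEL_OPTION is enabled!"
+else
+ok "$KERNEL_OPTION is disabled"
+fi
+:
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+is_kernel_option_enabled $KERNEL_OPTION
+if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+else
+ok "$KERNEL_OPTION is disabled, nothing to do"
+fi
+:
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi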
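--- a/PLACEHOLDER-PATH-2.1
+++ b/PLACEHOLDER-PATH-2.1
@@ -0,0 +1,75 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 2.1 Create Separate Partition for /tmp (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+
+# Quick factoring as many script use the same logic
+PARTITION="/tmp"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+info "Verifying that $PARTITION is a partition"
+FNRET=0
+is_a_partition "$PARTITION"
+if [ $FNRET -gt 0 ]; then
+crit "$PARTITION is not a partition"
+FNRET=2
+else
+ok "$PARTITION is a partition"
+is_mounted "$PARTITION"
+if [ $FNRET -gt 0 ]; then
+warn "$PARTITION is not mounted"
+FNRET=1
+else
+ok "$PARTITION is mounted"
+fi
+fi
+
+:
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+if [ $FNRET = 0 ]; then
+ok "$PARTITION is correctly set"
+elif [ $FNRET = 2 ]; then
+crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+else
+info "mounting $PARTITION"
+mount $PARTITION
+fi
+}
+
+# This function will check config parameters required
+check_config() {
+# No parameter for this script
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi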
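Review bot: the final `else` in apply() mounts `$PARTITION` for every FNRET value other than 0 and 2, not only the 1 that audit() assigns when /tmp is a partition but not mounted, so any unexpected value silently reaches `mount $PARTITION` instead of being reported. Make the branch explicit, `elif [ $FNRET = 1 ]; then`, as the /run/shm sections do, and quote the expansion, `mount "$PARTITION"`. audit() also ends with a bare `:` after the closing `fi`, which does nothing and can be dropped.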
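--- a/PLACEHOLDER-PATH-2.20
+++ b/PLACEHOLDER-PATH-2.20
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 2.20 Disable Mounting of jffs2 Filesystems (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=2
+
+KERNEL_OPTION="CONFIG_JFFS2_FS"
+MODULE_NAME="jffs2"
+
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
+if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+crit "$KERNEL_OPTION is enabled!"
+else
+ok "$KERNEL_OPTION is disabled"
+fi
+:
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+is_kernel_option_enabled $KERNEL_OPTION
+if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+else
+ok "$KERNEL_OPTION is disabled, nothing to do"
+fi
+:
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi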
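--- a/PLACEHOLDER-PATH-2.21
+++ b/PLACEHOLDER-PATH-2.21
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 2.21 Disable Mounting of hfs Filesystems (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=2
+
+KERNEL_OPTION="CONFIG_HFS_FS"
+MODULE_FILE="hfs"
+
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
+if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+crit "$KERNEL_OPTION is enabled!"
+else
+ok "$KERNEL_OPTION is disabled"
+fi
+:
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+is_kernel_option_enabled $KERNEL_OPTION
+if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+else
+ok "$KERNEL_OPTION is disabled, nothing to do"
+fi
+:
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi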
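Review bot: this section names the module variable `MODULE_FILE` while the 2.18, 2.19 and 2.20 sections call the same positional argument `MODULE_NAME`; since both are handed to the same `is_kernel_option_enabled` helper, one name should be used across the family so a reader does not infer a different argument type. The 2.22 and 2.23 sections use `MODULE_FILE` as well.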
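--- a/PLACEHOLDER-PATH-2.22
+++ b/PLACEHOLDER-PATH-2.22
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 2.22 Disable Mounting of hfsplus Filesystems (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=2
+
+KERNEL_OPTION="CONFIG_HFSPLUS_FS"
+MODULE_FILE="hfsplus"
+
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
+if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+crit "$KERNEL_OPTION is enabled!"
+else
+ok "$KERNEL_OPTION is disabled"
+fi
+:
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+is_kernel_option_enabled $KERNEL_OPTION
+if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+else
+ok "$KERNEL_OPTION is disabled, nothing to do"
+fi
+:
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi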
@ -0,0 +1,63 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 2.23 Disable Mounting of squashfs Filesystems (Not Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
|
KERNEL_OPTION="CONFIG_SQUASHFS"
|
||||||
|
MODULE_FILE="squashfs"
|
||||||
|
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
|
||||||
|
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
|
crit "$KERNEL_OPTION is enabled!"
|
||||||
|
else
|
||||||
|
ok "$KERNEL_OPTION is disabled"
|
||||||
|
fi
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
is_kernel_option_enabled $KERNEL_OPTION
|
||||||
|
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
|
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
||||||
|
else
|
||||||
|
ok "$KERNEL_OPTION is disabled, nothing to do"
|
||||||
|
fi
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
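Review bot: apply() calls `is_kernel_option_enabled $KERNEL_OPTION` without the `$MODULE_FILE` argument that audit() passes, so the two modes may disagree on whether squashfs is available if the helper uses its second argument to look at the loadable module rather than only the built-in kernel config; use `is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE` in apply() as well. When the filesystem is a module rather than compiled in, "recompile your kernel" is also stronger than needed: an `install squashfs /bin/true` line under /etc/modprobe.d is the usual remediation and something apply() could write itself, assuming the helper lets it tell the two cases apart (not visible here). Minor: the trailing `:` in audit() and apply() is a no-op and can be dropped.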
|
|
@ -0,0 +1,63 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 2.24 Disable Mounting of udf Filesystems (Not Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
|
KERNEL_OPTION="CONFIG_UDF_FS"
|
||||||
|
MODULE_FILE="udf"
|
||||||
|
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
|
||||||
|
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
|
crit "$KERNEL_OPTION is enabled!"
|
||||||
|
else
|
||||||
|
ok "$KERNEL_OPTION is disabled"
|
||||||
|
fi
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
is_kernel_option_enabled $KERNEL_OPTION
|
||||||
|
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
|
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
||||||
|
else
|
||||||
|
ok "$KERNEL_OPTION is disabled, nothing to do"
|
||||||
|
fi
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
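Review bot: The guard `if [ -z "$CIS_ROOT_DIR" ]` near the end of the file can never reach its message: the script runs under `set -u`, so when /etc/default/cis-hardening is missing or does not define the variable, expanding `$CIS_ROOT_DIR` aborts bash with an "unbound variable" error before the test is evaluated, and the intended `exit 128` diagnostic is lost. Write it as `if [ -z "${CIS_ROOT_DIR:-}" ]; then`. The same pattern is repeated in every script of this commit and is worth fixing everywhere; the later `[ -r $CIS_ROOT_DIR/lib/main.sh ]` and the `.` line should also quote the path.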
|
|
@ -0,0 +1,62 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 2.25 Disable Automounting (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
|
SERVICE_NAME="autofs"
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
info "Checking if $SERVICE_NAME is enabled"
|
||||||
|
is_service_enabled $SERVICE_NAME
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
crit "$SERVICE_NAME is enabled"
|
||||||
|
else
|
||||||
|
ok "$SERVICE_NAME is disabled"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
info "Checking if $SERVICE_NAME is enabled"
|
||||||
|
is_service_enabled $SERVICE_NAME
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
info "Disabling $SERVICE_NAME"
|
||||||
|
update-rc.d $SERVICE_NAME remove > /dev/null 2>&1
|
||||||
|
else
|
||||||
|
ok "$SERVICE_NAME is disabled"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
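Review bot: `update-rc.d $SERVICE_NAME remove` in apply() deletes the rc symlinks but neither stops the running autofs daemon nor records a disabled state, so existing automounts stay active until reboot and a later package upgrade that reinstalls the init script can re-enable the service; `update-rc.d autofs disable` is the durable form (and on the systemd-based Debian 8 this header targets, `systemctl disable autofs` plus a `service autofs stop`). The `> /dev/null 2>&1` also hides the only error output, and under `set -e` a failing update-rc.d silently terminates the script with no crit message; consider `update-rc.d "$SERVICE_NAME" disable >/dev/null 2>&1 || crit "Could not disable $SERVICE_NAME"`. Whether is_service_enabled inspects rc symlinks or systemd units is not visible here, so the audit may need to account for both as well.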
|
|
@ -0,0 +1,86 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 2.2 Set nodev option for /tmp Partition (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
|
# Quick factoring as many script use the same logic
|
||||||
|
PARTITION="/tmp"
|
||||||
|
OPTION="nodev"
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
info "Verifying that $PARTITION is a partition"
|
||||||
|
FNRET=0
|
||||||
|
is_a_partition "$PARTITION"
|
||||||
|
if [ $FNRET -gt 0 ]; then
|
||||||
|
crit "$PARTITION is not a partition"
|
||||||
|
FNRET=2
|
||||||
|
else
|
||||||
|
ok "$PARTITION is a partition"
|
||||||
|
has_mount_option $PARTITION $OPTION
|
||||||
|
if [ $FNRET -gt 0 ]; then
|
||||||
|
crit "$PARTITION has no option $OPTION in fstab!"
|
||||||
|
FNRET=1
|
||||||
|
else
|
||||||
|
ok "$PARTITION has $OPTION in fstab"
|
||||||
|
has_mounted_option $PARTITION $OPTION
|
||||||
|
if [ $FNRET -gt 0 ]; then
|
||||||
|
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||||
|
FNRET=3
|
||||||
|
else
|
||||||
|
ok "$PARTITION mounted with $OPTION"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$PARTITION is correctly set"
|
||||||
|
elif [ $FNRET = 2 ]; then
|
||||||
|
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||||
|
elif [ $FNRET = 1 ]; then
|
||||||
|
info "Adding $OPTION to fstab"
|
||||||
|
add_option_to_fstab $PARTITION $OPTION
|
||||||
|
info "Remounting $PARTITION from fstab"
|
||||||
|
remount_partition $PARTITION
|
||||||
|
elif [ $FNRET = 3 ]; then
|
||||||
|
info "Remounting $PARTITION from fstab"
|
||||||
|
remount_partition $PARTITION
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
# No param for this script
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
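Review bot: apply() branches on `$FNRET` without computing it, so it only works if the caller ran audit() immediately before in the same shell; if main.sh (not visible here) ever invokes apply() on its own, `$FNRET` is unbound under `set -u` and the script dies, and if any other helper ran in between, a stale value would be acted on. The module scripts in this same commit re-run their check inside apply(); doing the same here, e.g. opening apply() with `audit`, or at least `: "${FNRET:?audit() must run before apply()}"`, removes the hidden coupling. The helper calls `has_mount_option $PARTITION $OPTION` and `remount_partition $PARTITION` should also quote their arguments, as `is_a_partition "$PARTITION"` already does.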
|
|
@ -0,0 +1,86 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 2.3 Set nosuid option for /tmp Partition (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
|
# Quick factoring as many script use the same logic
|
||||||
|
PARTITION="/tmp"
|
||||||
|
OPTION="nosuid"
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
info "Verifying that $PARTITION is a partition"
|
||||||
|
FNRET=0
|
||||||
|
is_a_partition "$PARTITION"
|
||||||
|
if [ $FNRET -gt 0 ]; then
|
||||||
|
crit "$PARTITION is not a partition"
|
||||||
|
FNRET=2
|
||||||
|
else
|
||||||
|
ok "$PARTITION is a partition"
|
||||||
|
has_mount_option $PARTITION $OPTION
|
||||||
|
if [ $FNRET -gt 0 ]; then
|
||||||
|
crit "$PARTITION has no option $OPTION in fstab!"
|
||||||
|
FNRET=1
|
||||||
|
else
|
||||||
|
ok "$PARTITION has $OPTION in fstab"
|
||||||
|
has_mounted_option $PARTITION $OPTION
|
||||||
|
if [ $FNRET -gt 0 ]; then
|
||||||
|
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||||
|
FNRET=3
|
||||||
|
else
|
||||||
|
ok "$PARTITION mounted with $OPTION"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$PARTITION is correctly set"
|
||||||
|
elif [ $FNRET = 2 ]; then
|
||||||
|
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||||
|
elif [ $FNRET = 1 ]; then
|
||||||
|
info "Adding $OPTION to fstab"
|
||||||
|
add_option_to_fstab $PARTITION $OPTION
|
||||||
|
info "Remounting $PARTITION from fstab"
|
||||||
|
remount_partition $PARTITION
|
||||||
|
elif [ $FNRET = 3 ]; then
|
||||||
|
info "Remounting $PARTITION from fstab"
|
||||||
|
remount_partition $PARTITION
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
# No param for this script
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
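Review bot: The script sources `$CIS_ROOT_DIR/lib/main.sh` (and before it /etc/default/cis-hardening) with only a readability check, and since hardening runs as root, the value of CIS_ROOT_DIR decides whose code runs with root privileges; if that directory or file is ever group- or world-writable, any local user gets code executed by the next --apply run. Before sourcing, verify the file is root-owned and not writable by others, for example refuse to continue if `find "$CIS_ROOT_DIR/lib/main.sh" ! -user root -o -perm /022` prints anything. The config file under /etc/default deserves the same check, since it is what sets CIS_ROOT_DIR in the first place.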
|
|
@ -0,0 +1,86 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 2.4 Set noexec option for /tmp Partition (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
|
# Quick factoring as many script use the same logic
|
||||||
|
PARTITION="/tmp"
|
||||||
|
OPTION="noexec"
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
info "Verifying that $PARTITION is a partition"
|
||||||
|
FNRET=0
|
||||||
|
is_a_partition "$PARTITION"
|
||||||
|
if [ $FNRET -gt 0 ]; then
|
||||||
|
crit "$PARTITION is not a partition"
|
||||||
|
FNRET=2
|
||||||
|
else
|
||||||
|
ok "$PARTITION is a partition"
|
||||||
|
has_mount_option $PARTITION $OPTION
|
||||||
|
if [ $FNRET -gt 0 ]; then
|
||||||
|
crit "$PARTITION has no option $OPTION in fstab!"
|
||||||
|
FNRET=1
|
||||||
|
else
|
||||||
|
ok "$PARTITION has $OPTION in fstab"
|
||||||
|
has_mounted_option $PARTITION $OPTION
|
||||||
|
if [ $FNRET -gt 0 ]; then
|
||||||
|
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||||
|
FNRET=3
|
||||||
|
else
|
||||||
|
ok "$PARTITION mounted with $OPTION"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$PARTITION is correctly set"
|
||||||
|
elif [ $FNRET = 2 ]; then
|
||||||
|
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||||
|
elif [ $FNRET = 1 ]; then
|
||||||
|
info "Adding $OPTION to fstab"
|
||||||
|
add_option_to_fstab $PARTITION $OPTION
|
||||||
|
info "Remounting $PARTITION from fstab"
|
||||||
|
remount_partition $PARTITION
|
||||||
|
elif [ $FNRET = 3 ]; then
|
||||||
|
info "Remounting $PARTITION from fstab"
|
||||||
|
remount_partition $PARTITION
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
# No param for this script
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
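Review bot: The `FNRET = 1` and `FNRET = 3` branches of apply() remount /tmp with `noexec` immediately, with no warning to the operator, yet a live noexec remount of /tmp can break whatever is executing from /tmp at that moment (dpkg maintainer scripts and some installers unpack and run there), which is presumably why this item is Level 3 rather than 2. Emit a `warn "Remounting $PARTITION with $OPTION; tools that execute from $PARTITION will fail until reconfigured"` before `remount_partition $PARTITION`, or defer the remount to the next boot and only update fstab. The quoting of `$PARTITION` and `$OPTION` in the helper calls is also inconsistent with the quoted `is_a_partition "$PARTITION"` above.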
|
|
@ -0,0 +1,75 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 2.5 Create Separate Partition for /var (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
|
# Quick factoring as many script use the same logic
|
||||||
|
PARTITION="/var"
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
info "Verifying that $PARTITION is a partition"
|
||||||
|
FNRET=0
|
||||||
|
is_a_partition "$PARTITION"
|
||||||
|
if [ $FNRET -gt 0 ]; then
|
||||||
|
crit "$PARTITION is not a partition"
|
||||||
|
FNRET=2
|
||||||
|
else
|
||||||
|
ok "$PARTITION is a partition"
|
||||||
|
is_mounted "$PARTITION"
|
||||||
|
if [ $FNRET -gt 0 ]; then
|
||||||
|
warn "$PARTITION is not mounted"
|
||||||
|
FNRET=1
|
||||||
|
else
|
||||||
|
ok "$PARTITION is mounted"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$PARTITION is correctly set"
|
||||||
|
elif [ $FNRET = 2 ]; then
|
||||||
|
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||||
|
else
|
||||||
|
info "mounting $PARTITION"
|
||||||
|
mount $PARTITION
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
# No parameter for this script
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
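Review bot: In apply(), `mount $PARTITION` on a running system mounts the new filesystem over the live /var, which shadows everything already there (dpkg database, spools, run state); daemons keep writing to the now-hidden inodes and the host ends up with two divergent /var trees until reboot. Mounting /var automatically is only safe at boot, so the not-mounted case should warn and refuse rather than mount, e.g. `warn "$PARTITION is in fstab but not mounted; mount it from a rescue environment or reboot"`. If the mount is kept, write `mount "$PARTITION" || crit "Could not mount $PARTITION"`, since under `set -e` a failed mount otherwise just terminates the script with no message.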
|
|
@ -0,0 +1,75 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 2.6.1 Create Separate Partition for /var/tmp (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
|
# Quick factoring as many script use the same logic
|
||||||
|
PARTITION="/var/tmp"
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
info "Verifying that $PARTITION is a partition"
|
||||||
|
FNRET=0
|
||||||
|
is_a_partition "$PARTITION"
|
||||||
|
if [ $FNRET -gt 0 ]; then
|
||||||
|
crit "$PARTITION is not a partition"
|
||||||
|
FNRET=2
|
||||||
|
else
|
||||||
|
ok "$PARTITION is a partition"
|
||||||
|
is_mounted "$PARTITION"
|
||||||
|
if [ $FNRET -gt 0 ]; then
|
||||||
|
warn "$PARTITION is not mounted"
|
||||||
|
FNRET=1
|
||||||
|
else
|
||||||
|
ok "$PARTITION is mounted"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$PARTITION is correctly set"
|
||||||
|
elif [ $FNRET = 2 ]; then
|
||||||
|
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||||
|
else
|
||||||
|
info "mounting $PARTITION"
|
||||||
|
mount $PARTITION
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
# No parameter for this script
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
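Review bot: `mount $PARTITION` in apply() has no error handling: under `set -e` a mount failure (wrong device, missing fstab entry, busy path) ends the script immediately with no crit or warn output, so the caller sees a truncated run instead of a diagnosis. Write it as `mount "$PARTITION" || crit "Could not mount $PARTITION"`, or re-run `is_mounted "$PARTITION"` afterwards and report the result. As with the other partition scripts in this commit, mounting over an in-use /var/tmp hides files that running processes may still hold open, so a warn before the mount would help operators.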
|
|
@ -0,0 +1,86 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 2.6.2 Set nodev option for /var/tmp Partition (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
|
# Quick factoring as many script use the same logic
|
||||||
|
PARTITION="/var/tmp"
|
||||||
|
OPTION="nodev"
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
info "Verifying that $PARTITION is a partition"
|
||||||
|
FNRET=0
|
||||||
|
is_a_partition "$PARTITION"
|
||||||
|
if [ $FNRET -gt 0 ]; then
|
||||||
|
crit "$PARTITION is not a partition"
|
||||||
|
FNRET=2
|
||||||
|
else
|
||||||
|
ok "$PARTITION is a partition"
|
||||||
|
has_mount_option $PARTITION $OPTION
|
||||||
|
if [ $FNRET -gt 0 ]; then
|
||||||
|
crit "$PARTITION has no option $OPTION in fstab!"
|
||||||
|
FNRET=1
|
||||||
|
else
|
||||||
|
ok "$PARTITION has $OPTION in fstab"
|
||||||
|
has_mounted_option $PARTITION $OPTION
|
||||||
|
if [ $FNRET -gt 0 ]; then
|
||||||
|
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||||
|
FNRET=3
|
||||||
|
else
|
||||||
|
ok "$PARTITION mounted with $OPTION"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$PARTITION is correctly set"
|
||||||
|
elif [ $FNRET = 2 ]; then
|
||||||
|
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||||
|
elif [ $FNRET = 1 ]; then
|
||||||
|
info "Adding $OPTION to fstab"
|
||||||
|
add_option_to_fstab $PARTITION $OPTION
|
||||||
|
info "Remounting $PARTITION from fstab"
|
||||||
|
remount_partition $PARTITION
|
||||||
|
elif [ $FNRET = 3 ]; then
|
||||||
|
info "Remounting $PARTITION from fstab"
|
||||||
|
remount_partition $PARTITION
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
# No param for this script
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
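Review bot: audit() reports a missing fstab entry as `crit` but a live mount that lacks `nodev` only as `warn` (the FNRET=3 branch), although the runtime mount is what actually stops device nodes from being used under /var/tmp; for a Scored item the live state should count as a failure too. Changing that line to `crit "$PARTITION is not mounted with $OPTION at runtime"` keeps the FNRET=3 remediation path intact while making the compliance result honest; if the pass/fail counters derive from crit calls (not visible here), this also affects the summary. Leaving the `warn` means a host whose fstab was edited but never remounted is reported as compliant.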
|
|
@ -0,0 +1,86 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 2.6.3 Set nosuid option for /var/tmp Partition (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
|
# Quick factoring as many script use the same logic
|
||||||
|
PARTITION="/var/tmp"
|
||||||
|
OPTION="nosuid"
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
info "Verifying that $PARTITION is a partition"
|
||||||
|
FNRET=0
|
||||||
|
is_a_partition "$PARTITION"
|
||||||
|
if [ $FNRET -gt 0 ]; then
|
||||||
|
crit "$PARTITION is not a partition"
|
||||||
|
FNRET=2
|
||||||
|
else
|
||||||
|
ok "$PARTITION is a partition"
|
||||||
|
has_mount_option $PARTITION $OPTION
|
||||||
|
if [ $FNRET -gt 0 ]; then
|
||||||
|
crit "$PARTITION has no option $OPTION in fstab!"
|
||||||
|
FNRET=1
|
||||||
|
else
|
||||||
|
ok "$PARTITION has $OPTION in fstab"
|
||||||
|
has_mounted_option $PARTITION $OPTION
|
||||||
|
if [ $FNRET -gt 0 ]; then
|
||||||
|
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||||
|
FNRET=3
|
||||||
|
else
|
||||||
|
ok "$PARTITION mounted with $OPTION"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$PARTITION is correctly set"
|
||||||
|
elif [ $FNRET = 2 ]; then
|
||||||
|
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||||
|
elif [ $FNRET = 1 ]; then
|
||||||
|
info "Adding $OPTION to fstab"
|
||||||
|
add_option_to_fstab $PARTITION $OPTION
|
||||||
|
info "Remounting $PARTITION from fstab"
|
||||||
|
remount_partition $PARTITION
|
||||||
|
elif [ $FNRET = 3 ]; then
|
||||||
|
info "Remounting $PARTITION from fstab"
|
||||||
|
remount_partition $PARTITION
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
# No param for this script
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
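Review bot: The comment "Quick factoring as many script use the same logic" above `PARTITION=` is not matched by the code: the roughly forty lines of audit() and apply() here are copied verbatim into each of the six mount-option scripts in this commit, differing only in the two variables. Moving them into lib as something like `audit_mount_option "$PARTITION" "$OPTION"` and `apply_mount_option "$PARTITION" "$OPTION"` means a fix such as quoting the helper arguments or verifying the remount lands once instead of six times. If the per-script copies are intentional for readability, the comment should say so rather than claim factoring.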
|
|
@ -0,0 +1,86 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 2.6.4 Set noexec option for /var/tmp Partition (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
|
# Quick factoring as many script use the same logic
|
||||||
|
PARTITION="/var/tmp"
|
||||||
|
OPTION="noexec"
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
info "Verifying that $PARTITION is a partition"
|
||||||
|
FNRET=0
|
||||||
|
is_a_partition "$PARTITION"
|
||||||
|
if [ $FNRET -gt 0 ]; then
|
||||||
|
crit "$PARTITION is not a partition"
|
||||||
|
FNRET=2
|
||||||
|
else
|
||||||
|
ok "$PARTITION is a partition"
|
||||||
|
has_mount_option $PARTITION $OPTION
|
||||||
|
if [ $FNRET -gt 0 ]; then
|
||||||
|
crit "$PARTITION has no option $OPTION in fstab!"
|
||||||
|
FNRET=1
|
||||||
|
else
|
||||||
|
ok "$PARTITION has $OPTION in fstab"
|
||||||
|
has_mounted_option $PARTITION $OPTION
|
||||||
|
if [ $FNRET -gt 0 ]; then
|
||||||
|
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||||
|
FNRET=3
|
||||||
|
else
|
||||||
|
ok "$PARTITION mounted with $OPTION"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$PARTITION is correctly set"
|
||||||
|
elif [ $FNRET = 2 ]; then
|
||||||
|
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||||
|
elif [ $FNRET = 1 ]; then
|
||||||
|
info "Adding $OPTION to fstab"
|
||||||
|
add_option_to_fstab $PARTITION $OPTION
|
||||||
|
info "Remounting $PARTITION from fstab"
|
||||||
|
remount_partition $PARTITION
|
||||||
|
elif [ $FNRET = 3 ]; then
|
||||||
|
info "Remounting $PARTITION from fstab"
|
||||||
|
remount_partition $PARTITION
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
# No param for this script
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
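Review bot: apply() adds `noexec` to fstab and calls `remount_partition $PARTITION`, but nothing re-verifies afterwards; a remount that silently fails (busy mount, helper returning non-zero and swallowing it) leaves the run reporting nothing wrong while /var/tmp is still executable. After each `remount_partition $PARTITION` call, re-run `has_mounted_option $PARTITION $OPTION` and raise `crit "$PARTITION still not mounted with $OPTION"` when `$FNRET` is non-zero. Whether remount_partition itself reports failures is not visible here, so the check is cheap insurance either way.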
|
|
@ -0,0 +1,75 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 2.7 Create Separate Partition for /var/log (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
|
# Quick factoring as many script use the same logic
|
||||||
|
PARTITION="/var/log"
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
info "Verifying that $PARTITION is a partition"
|
||||||
|
FNRET=0
|
||||||
|
is_a_partition "$PARTITION"
|
||||||
|
if [ $FNRET -gt 0 ]; then
|
||||||
|
crit "$PARTITION is not a partition"
|
||||||
|
FNRET=2
|
||||||
|
else
|
||||||
|
ok "$PARTITION is a partition"
|
||||||
|
is_mounted "$PARTITION"
|
||||||
|
if [ $FNRET -gt 0 ]; then
|
||||||
|
warn "$PARTITION is not mounted"
|
||||||
|
FNRET=1
|
||||||
|
else
|
||||||
|
ok "$PARTITION is mounted"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$PARTITION is correctly set"
|
||||||
|
elif [ $FNRET = 2 ]; then
|
||||||
|
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||||
|
else
|
||||||
|
info "mounting $PARTITION"
|
||||||
|
mount $PARTITION
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
# No parameter for this script
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
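Review bot: `mount $PARTITION` in apply() mounts the new filesystem over a live /var/log, so rsyslog, auditd and anything else with log files open keep writing to the now-hidden inodes; everything logged between the mount and a daemon restart is invisible in the mounted tree and effectively lost from the audit trail, which is the opposite of what this control is for. The not-mounted case should at least warn and tell the operator to restart the logging daemons, e.g. `warn "$PARTITION mounted at runtime; restart rsyslog/auditd so new logs land on it"`, or refuse and leave it for the next boot. `mount "$PARTITION"` should also be quoted and its failure reported, since under `set -e` a failed mount ends the script with no message.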
|
|
@ -0,0 +1,75 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 2.8 Create Separate Partition for /var/log/audit (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=4
|
||||||
|
|
||||||
|
# Quick factoring as many script use the same logic
|
||||||
|
PARTITION="/var/log/audit"
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
info "Verifying that $PARTITION is a partition"
|
||||||
|
FNRET=0
|
||||||
|
is_a_partition "$PARTITION"
|
||||||
|
if [ $FNRET -gt 0 ]; then
|
||||||
|
crit "$PARTITION is not a partition"
|
||||||
|
FNRET=2
|
||||||
|
else
|
||||||
|
ok "$PARTITION is a partition"
|
||||||
|
is_mounted "$PARTITION"
|
||||||
|
if [ $FNRET -gt 0 ]; then
|
||||||
|
warn "$PARTITION is not mounted"
|
||||||
|
FNRET=1
|
||||||
|
else
|
||||||
|
ok "$PARTITION is mounted"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$PARTITION is correctly set"
|
||||||
|
elif [ $FNRET = 2 ]; then
|
||||||
|
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||||
|
else
|
||||||
|
info "mounting $PARTITION"
|
||||||
|
mount $PARTITION
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
# No parameter for this script
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
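Review bot: `mount $PARTITION` in apply() is the only remediation here and it runs unquoted and unchecked, so under `set -e` a failed mount (no fstab entry, wrong device) aborts the whole script mid-run without a finding from this check. Suggest `mount -- "$PARTITION" || crit "could not mount $PARTITION, check its /etc/fstab entry"` so the failure is reported in the same format as the other results. Note also that apply() branches on the FNRET value audit() left behind rather than re-checking; that is fine only as long as main.sh (not visible here) always runs audit() immediately before apply().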
@ -0,0 +1,75 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 2.9 Create Separate Partition for /home (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
|
# Quick factoring as many script use the same logic
|
||||||
|
PARTITION="/home"
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
info "Verifying that $PARTITION is a partition"
|
||||||
|
FNRET=0
|
||||||
|
is_a_partition "$PARTITION"
|
||||||
|
if [ $FNRET -gt 0 ]; then
|
||||||
|
crit "$PARTITION is not a partition"
|
||||||
|
FNRET=2
|
||||||
|
else
|
||||||
|
ok "$PARTITION is a partition"
|
||||||
|
is_mounted "$PARTITION"
|
||||||
|
if [ $FNRET -gt 0 ]; then
|
||||||
|
warn "$PARTITION is not mounted"
|
||||||
|
FNRET=1
|
||||||
|
else
|
||||||
|
ok "$PARTITION is mounted"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$PARTITION is correctly set"
|
||||||
|
elif [ $FNRET = 2 ]; then
|
||||||
|
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||||
|
else
|
||||||
|
info "mounting $PARTITION"
|
||||||
|
mount $PARTITION
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
# No parameter for this script
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
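Review bot: apply() never re-runs `is_a_partition`/`is_mounted`; it branches on whatever FNRET audit() set earlier, so its correctness depends on main.sh (not visible here) always calling audit() right before apply(). If apply() is ever entered on its own, `set -u` aborts on `[ $FNRET = 0 ]` with an unset-variable error instead of a finding. A one-line guard at the top of apply() makes the dependency explicit: `: "${FNRET:?apply() requires audit() to have run first}"`. Alternatively repeat the two checks inside apply() so each function is self-contained.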
@ -0,0 +1,84 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 3.1 Set User/Group Owner on bootloader config (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=1
|
||||||
|
|
||||||
|
# Assertion : Grub Based.
|
||||||
|
|
||||||
|
FILE='/boot/grub/grub.cfg'
|
||||||
|
USER='root'
|
||||||
|
GROUP='root'
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
has_file_correct_ownership $FILE $USER $GROUP
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$FILE has correct ownership"
|
||||||
|
else
|
||||||
|
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
has_file_correct_ownership $FILE $USER $GROUP
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$FILE has correct ownership"
|
||||||
|
else
|
||||||
|
info "fixing $FILE ownership to $USER:$GROUP"
|
||||||
|
chown $USER:$GROUP $FILE
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
|
||||||
|
is_pkg_installed "grub-pc"
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
warn "Grub is not installed, not handling configuration"
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
does_user_exist $USER
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
crit "$USER does not exist"
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
does_group_exist $GROUP
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
crit "$GROUP does not exist"
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
does_file_exist $FILE
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
crit "$FILE does not exist"
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
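Review bot: check_config() gates the whole control on `is_pkg_installed "grub-pc"` and exits 128 otherwise, so a host whose GRUB came from a different package (the EFI variants, for instance) is skipped even though `/boot/grub/grub.cfg` exists and is exactly the file this control is about; because the skip is a `warn` rather than a failure it is easy to miss in a report. Since `does_file_exist $FILE` already runs a few lines later and is the condition that actually matters, consider dropping the package gate or demoting it to an informational message. Quoting the expansions in `chown "$USER:$GROUP" -- "$FILE"` would also be cheap and consistent with the quoted helper calls elsewhere in this commit.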
@ -0,0 +1,71 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 3.2 Set Permissions on bootloader config (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=1
|
||||||
|
|
||||||
|
# Assertion : Grub Based.
|
||||||
|
|
||||||
|
FILE='/boot/grub/grub.cfg'
|
||||||
|
PERMISSIONS='400'
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
has_file_correct_permissions $FILE $PERMISSIONS
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$FILE has correct permissions"
|
||||||
|
else
|
||||||
|
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
has_file_correct_permissions $FILE $PERMISSIONS
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$FILE has correct permissions"
|
||||||
|
else
|
||||||
|
info "fixing $FILE permissions to $PERMISSIONS"
|
||||||
|
chmod 0$PERMISSIONS $FILE
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
is_pkg_installed "grub-pc"
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
warn "grub-pc is not installed, not handling configuration"
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
crit "$FILE does not exist"
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
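Review bot: the second test in check_config() (`if [ $FNRET != 0 ]; then crit "$FILE does not exist"`) never calls `does_file_exist $FILE` first, so it re-examines the FNRET just set by `is_pkg_installed "grub-pc"`, which is 0 at that point — the missing-file branch is dead and a host without `/boot/grub/grub.cfg` reaches audit()/apply() with a nonexistent path. Insert `does_file_exist $FILE` on the line before that `if`. As written, a missing file would surface only as `chmod 0$PERMISSIONS $FILE` failing under `set -e` in apply(), not as a reported configuration problem.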
@ -0,0 +1,82 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 3.3 Set Boot Loader Password (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
|
FILE='/boot/grub/grub.cfg'
|
||||||
|
USER_PATTERN="^set superusers"
|
||||||
|
PWD_PATTERN="^password_pbkdf2"
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
does_pattern_exist_in_file $FILE "$USER_PATTERN"
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
crit "$USER_PATTERN not present in $FILE"
|
||||||
|
else
|
||||||
|
ok "$USER_PATTERN is present in $FILE"
|
||||||
|
fi
|
||||||
|
does_pattern_exist_in_file $FILE "$PWD_PATTERN"
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
crit "$PWD_PATTERN not present in $FILE"
|
||||||
|
else
|
||||||
|
ok "$PWD_PATTERN is present in $FILE"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
does_pattern_exist_in_file $FILE "$USER_PATTERN"
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
warn "$USER_PATTERN not present in $FILE, please configure password for grub"
|
||||||
|
else
|
||||||
|
ok "$USER_PATTERN is present in $FILE"
|
||||||
|
fi
|
||||||
|
does_pattern_exist_in_file $FILE "$PWD_PATTERN"
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
warn "$PWD_PATTERN not present in $FILE, please configure password for grub"
|
||||||
|
else
|
||||||
|
ok "$PWD_PATTERN is present in $FILE"
|
||||||
|
fi
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
is_pkg_installed "grub-pc"
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
warn "grub-pc is not installed, not handling configuration"
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
crit "$FILE does not exist"
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
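Review bot: check_config() tests `[ $FNRET != 0 ]` a second time with no call between it and the `is_pkg_installed "grub-pc"` test, so FNRET is still 0 and the `crit "$FILE does not exist"` branch can never run; add `does_file_exist $FILE` immediately before that `if`. Separately, the audit only confirms that some `set superusers` line and some `password_pbkdf2` line exist in the generated `grub.cfg` — it does not check that they refer to the same account, so a stale `password_pbkdf2` entry for a user no longer listed as superuser would still pass. A comment next to `PWD_PATTERN` stating that limitation would help anyone using this output as compliance evidence.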
@ -0,0 +1,61 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 3.4 Require Authentication for Single-User Mode (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
|
FILE="/etc/shadow"
|
||||||
|
PATTERN="^root:[*\!]:"
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
does_pattern_exist_in_file $FILE $PATTERN
|
||||||
|
if [ $FNRET != 1 ]; then
|
||||||
|
crit "$PATTERN is present in $FILE"
|
||||||
|
else
|
||||||
|
ok "$PATTERN is not present in $FILE"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
does_pattern_exist_in_file $FILE $PATTERN
|
||||||
|
if [ $FNRET != 1 ]; then
|
||||||
|
warn "$PATTERN is present in $FILE, please put a root password"
|
||||||
|
else
|
||||||
|
ok "$PATTERN is not present in $FILE"
|
||||||
|
fi
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
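Review bot: `PATTERN="^root:[*\!]:"` only matches a root hash field that is exactly `*` or `!`, so two other no-usable-password states are reported `ok`: an empty field (`root::`, no authentication at all, which is the worst case for single-user mode) and a hash locked with a `!` prefix (`root:!$6$…:`, what `passwd -l` produces). The pattern is also passed unquoted (`does_pattern_exist_in_file $FILE $PATTERN`), so the `[*\!]` bracket is exposed to pathname expansion, unlike the quoted patterns in the sibling scripts. Suggest `PATTERN='^root:(|[*!].*):'` with `"$PATTERN"` at both call sites; that assumes the helper uses extended regex, which the `^(shell|login|exec)` pattern elsewhere in this commit suggests but I cannot confirm from here.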
@ -0,0 +1,81 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 4.1 Restrict Core Dumps (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
|
LIMIT_FILE='/etc/security/limits.conf'
|
||||||
|
LIMIT_PATTERN='^\*[[:space:]]*hard[[:space:]]*core[[:space:]]*0$'
|
||||||
|
SYSCTL_PARAM='fs.suid_dumpable'
|
||||||
|
SYSCTL_EXP_RESULT=0
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
crit "$LIMIT_PATTERN not present in $LIMIT_FILE"
|
||||||
|
else
|
||||||
|
ok "$LIMIT_PATTERN present in $LIMIT_FILE"
|
||||||
|
fi
|
||||||
|
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
|
||||||
|
elif [ $FNRET = 255 ]; then
|
||||||
|
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||||
|
else
|
||||||
|
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
warn "$LIMIT_PATTERN not present in $LIMIT_FILE, adding at the end of $LIMIT_FILE"
|
||||||
|
add_end_of_file $LIMIT_FILE "* hard core 0"
|
||||||
|
else
|
||||||
|
ok "$LIMIT_PATTERN present in $LIMIT_FILE"
|
||||||
|
fi
|
||||||
|
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
||||||
|
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||||
|
elif [ $FNRET = 255 ]; then
|
||||||
|
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||||
|
else
|
||||||
|
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
||||||
|
fi
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
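Review bot: in both audit() and apply(), `elif [ $FNRET = 255 ]` comes after `if [ $FNRET != 0 ]`, and 255 satisfies the first test, so the "does not exist -- Typo?" branch is unreachable — a missing sysctl is reported as "not set to 0" and apply() then calls `set_sysctl_param` on a key that does not exist. Test the sentinel first: `if [ $FNRET = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?"; elif [ $FNRET != 0 ]; then crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"; else ok …; fi`. Also worth a comment above `LIMIT_FILE`: the check reads only `/etc/security/limits.conf`, so a `* hard core 0` placed under `/etc/security/limits.d/` is reported as `crit`, and an override there would not be seen either — state that scope or extend the search.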
@ -0,0 +1,83 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 4.2 Enable XD/NX Support on 32-bit x86 Systems (Not Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
|
PATTERN='NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:space:]]active'
|
||||||
|
|
||||||
|
# Check if the NX bit is supported and noexec=off hasn't been asked
|
||||||
|
nx_supported_and_enabled() {
|
||||||
|
if grep -q ' nx ' /proc/cpuinfo; then
|
||||||
|
# NX supported, but if noexec=off specified, it's not enabled
|
||||||
|
if $SUDO_CMD grep -qi 'noexec=off' /proc/cmdline; then
|
||||||
|
FNRET=1 # supported but disabled
|
||||||
|
else
|
||||||
|
FNRET=0 # supported and enabled
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
FNRET=1 # not supported
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
does_pattern_exist_in_dmesg $PATTERN
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
nx_supported_and_enabled
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
|
||||||
|
else
|
||||||
|
ok "NX is supported and enabled"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
ok "$PATTERN is present in dmesg"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
does_pattern_exist_in_dmesg $PATTERN
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
nx_supported_and_enabled
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
|
||||||
|
else
|
||||||
|
ok "NX is supported and enabled"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
ok "$PATTERN is present in dmesg"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
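Review bot: the fallback `grep -q ' nx ' /proc/cpuinfo` requires a space on both sides, so it misses `nx` when it is the last flag on the line (whether the kernel emits a trailing space there is not something this script should rely on), and that miss becomes a `crit` claiming NX is unsupported. `grep -qw nx /proc/cpuinfo` matches the flag as a whole word regardless of position. Two smaller points: `/proc/cmdline` is world-readable, so the `$SUDO_CMD` prefix on that grep buys nothing and makes the function depend on a variable this file never sets (under `set -u` an unset `SUDO_CMD` aborts here — presumably main.sh defines it, but I cannot confirm from this view); and apply() is a verbatim copy of audit() with no remediation, which is reasonable for a Not Scored item but deserves a one-line comment saying so.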
@ -0,0 +1,65 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 4.3 Enable Randomized Virtual Memory Region Placement (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
|
SYSCTL_PARAM='kernel.randomize_va_space'
|
||||||
|
SYSCTL_EXP_RESULT=2
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
|
||||||
|
elif [ $FNRET = 255 ]; then
|
||||||
|
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||||
|
else
|
||||||
|
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
||||||
|
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||||
|
elif [ $FNRET = 255 ]; then
|
||||||
|
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||||
|
else
|
||||||
|
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
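Review bot: `elif [ $FNRET = 255 ]` can never be reached in audit() or apply() because the preceding `if [ $FNRET != 0 ]` already captures 255, so a kernel without `kernel.randomize_va_space` gets a `crit` "was not set to 2" and, in apply(), a `set_sysctl_param` attempt against a nonexistent key (which may abort the run under `set -e`, depending on how that helper reports failure). Check the sentinel before the generic failure: `if [ $FNRET = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?"; elif [ $FNRET != 0 ]; then crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"; else ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"; fi`.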
@ -0,0 +1,64 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 4.4 Disable Prelink (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
|
PACKAGE='prelink'
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
is_pkg_installed $PACKAGE
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
crit "$PACKAGE is installed!"
|
||||||
|
else
|
||||||
|
ok "$PACKAGE is absent"
|
||||||
|
fi
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
is_pkg_installed $PACKAGE
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
crit "$PACKAGE is installed, purging it"
|
||||||
|
/usr/sbin/prelink -ua
|
||||||
|
apt-get purge $PACKAGE -y
|
||||||
|
apt-get autoremove
|
||||||
|
else
|
||||||
|
ok "$PACKAGE is absent"
|
||||||
|
fi
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
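Review bot: `apt-get autoremove` in apply() has no `-y`, so it stops at an interactive confirmation prompt; in a non-interactive run (cron, configuration management, a pipe) apt-get aborts at that prompt and `set -e` kills the script right after the purge. Use `apt-get autoremove -y`, and consider `DEBIAN_FRONTEND=noninteractive` on both apt-get calls. The ordering is right — `/usr/sbin/prelink -ua` undoes the prelinking before the binary is removed — but since a failure there also stops the script before the purge, a short comment explaining why it must run first would help the next maintainer.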
@ -0,0 +1,61 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 4.5 Activate AppArmor (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
|
PACKAGE='apparmor'
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
is_pkg_installed $PACKAGE
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
crit "$PACKAGE is absent!"
|
||||||
|
else
|
||||||
|
ok "$PACKAGE is installed"
|
||||||
|
fi
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
is_pkg_installed $PACKAGE
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
crit "$PACKAGE is not installed, please install $PACKAGE and configure it"
|
||||||
|
else
|
||||||
|
ok "$PACKAGE is installed"
|
||||||
|
fi
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
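Review bot: audit() declares the control satisfied as soon as the `apparmor` package is installed, but the control is "Activate AppArmor" and installation alone does not enable it — on the Debian releases this targets the LSM still has to be selected at boot and have profiles loaded, and this check reports `ok` either way. A stronger signal is available without new dependencies: read `/sys/module/apparmor/parameters/enabled` and require `Y` (confirm the path on the target kernels), and optionally count loaded profiles. At minimum, add a comment above `audit()` saying that this verifies presence, not enforcement, so the result is not mistaken for compliance evidence.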
@ -0,0 +1,62 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 5.1.1 Ensure NIS is not installed (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
|
PACKAGE='nis'
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
is_pkg_installed $PACKAGE
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
crit "$PACKAGE is installed!"
|
||||||
|
else
|
||||||
|
ok "$PACKAGE is absent"
|
||||||
|
fi
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
is_pkg_installed $PACKAGE
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
crit "$PACKAGE is installed, purging it"
|
||||||
|
apt-get purge $PACKAGE -y
|
||||||
|
apt-get autoremove
|
||||||
|
else
|
||||||
|
ok "$PACKAGE is absent"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
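Review bot: `apt-get autoremove` in apply() runs without `-y`, so it waits on an interactive confirmation; when stdin is not a terminal apt-get aborts there and, with `set -e` in force, the script exits non-zero even though the `nis` purge just above succeeded, which reads as a failed remediation. Change it to `apt-get autoremove -y`. A one-line comment noting that the purge is the remediation and autoremove is only cleanup would also make that distinction clear in the output.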
@ -0,0 +1,94 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 5.1.2 Ensure rsh server is not enabled (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
|
# Based on aptitude search '~Prsh-server'
|
||||||
|
PACKAGES='rsh-server rsh-redone-server heimdal-servers'
|
||||||
|
FILE='/etc/inetd.conf'
|
||||||
|
PATTERN='^(shell|login|exec)'
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
for PACKAGE in $PACKAGES; do
|
||||||
|
is_pkg_installed $PACKAGE
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
warn "$PACKAGE is installed, checking configuration"
|
||||||
|
does_file_exist $FILE
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
ok "$FILE does not exist"
|
||||||
|
else
|
||||||
|
does_pattern_exist_in_file $FILE $PATTERN
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
crit "$PATTERN exists, $PACKAGE services are enabled!"
|
||||||
|
else
|
||||||
|
ok "$PATTERN is not present in $FILE"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
ok "$PACKAGE is absent"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
for PACKAGE in $PACKAGES; do
|
||||||
|
is_pkg_installed $PACKAGE
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
crit "$PACKAGE is installed, purging it"
|
||||||
|
apt-get purge $PACKAGE -y
|
||||||
|
apt-get autoremove
|
||||||
|
else
|
||||||
|
ok "$PACKAGE is absent"
|
||||||
|
fi
|
||||||
|
does_file_exist $FILE
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
ok "$FILE does not exist"
|
||||||
|
else
|
||||||
|
info "$FILE exists, checking patterns"
|
||||||
|
does_pattern_exist_in_file $FILE $PATTERN
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
warn "$PATTERN is present in $FILE, purging it"
|
||||||
|
backup_file $FILE
|
||||||
|
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
|
||||||
|
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
|
||||||
|
else
|
||||||
|
ok "$PATTERN is not present in $FILE"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
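Review bot: `sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE` does not mean `-i -e`: GNU sed parses `-ie` as `-i` with backup suffix `e`, so every run that comments out a service leaves a stray copy named `/etc/inetd.confe` next to the real file — `backup_file $FILE` has already taken the backup, so the extra copy is both surprising and unintended. Write it as `sed -i -e "s/$ESCAPED_PATTERN/#&/g" -- "$FILE"`. Two smaller points: the whole `does_file_exist $FILE` block sits inside `for PACKAGE in $PACKAGES`, so the inetd.conf edit is attempted once per package (three times); and in audit() that same check is only reached when one of the listed packages is installed, so `shell`/`login`/`exec` entries served by some other package are never flagged — hoisting the file check out of the loop fixes both.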
@ -0,0 +1,66 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 5.1.3 Ensure rsh client is not installed (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
|
# Based on aptitude search '~Prsh-client', exluding ssh-client OFC
|
||||||
|
PACKAGES='rsh-client rsh-redone-client heimdal-clients'
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
for PACKAGE in $PACKAGES; do
|
||||||
|
is_pkg_installed $PACKAGE
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
crit "$PACKAGE is installed"
|
||||||
|
else
|
||||||
|
ok "$PACKAGE is absent"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
for PACKAGE in $PACKAGES; do
|
||||||
|
is_pkg_installed $PACKAGE
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
warn "$PACKAGE is installed, purging"
|
||||||
|
apt-get purge $PACKAGE -y
|
||||||
|
apt-get autoremove
|
||||||
|
else
|
||||||
|
ok "$PACKAGE is absent"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
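Review bot: In apply(), `apt-get autoremove` runs without `-y`, so whenever it has something to remove it prompts, and under `set -e` with the unattended `--apply` run the usage text promises, an aborted prompt kills the script right after the first purge. Use `apt-get autoremove -y`, or drop the autoremove here: its scope is not limited to the rsh packages and can remove unrelated auto-installed packages in the same run. A header comment is also worth adding that `heimdal-clients` is on the list only because it provides rsh-client, so purging it removes the Heimdal Kerberos client tools as well — confirm that is acceptable for Kerberos hosts.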
@ -0,0 +1,93 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 5.1.4 Ensure talk server is not enabled (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
|
PACKAGES='inetutils-talkd talkd'
|
||||||
|
FILE='/etc/inetd.conf'
|
||||||
|
PATTERN='^(talk|ntalk)'
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
for PACKAGE in $PACKAGES; do
|
||||||
|
is_pkg_installed $PACKAGE
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
warn "$PACKAGE is installed, checking configuration"
|
||||||
|
does_file_exist $FILE
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
ok "$FILE does not exist"
|
||||||
|
else
|
||||||
|
does_pattern_exist_in_file $FILE $PATTERN
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
crit "$PATTERN exists, $PACKAGE services are enabled!"
|
||||||
|
else
|
||||||
|
ok "$PATTERN is not present in $FILE"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
ok "$PACKAGE is absent"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
for PACKAGE in $PACKAGES; do
|
||||||
|
is_pkg_installed $PACKAGE
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
crit "$PACKAGE is installed, purging it"
|
||||||
|
apt-get purge $PACKAGE -y
|
||||||
|
apt-get autoremove
|
||||||
|
else
|
||||||
|
ok "$PACKAGE is absent"
|
||||||
|
fi
|
||||||
|
does_file_exist $FILE
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
ok "$FILE does not exist"
|
||||||
|
else
|
||||||
|
info "$FILE exists, checking patterns"
|
||||||
|
does_pattern_exist_in_file $FILE $PATTERN
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
warn "$PATTERN is present in $FILE, purging it"
|
||||||
|
backup_file $FILE
|
||||||
|
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
|
||||||
|
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
|
||||||
|
else
|
||||||
|
ok "$PATTERN is not present in $FILE"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
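Review bot: In apply(), `sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE` is read by GNU sed as `-i` with the backup suffix `e`, so every run that finds a talk line leaves a stray copy at `/etc/inetd.confe` next to the backup that `backup_file` already took one line earlier. Write it as `sed -i -e "s/$ESCAPED_PATTERN/#&/g" "$FILE"`. The same idiom is repeated in the other inetd-based scripts of this commit.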
@ -0,0 +1,65 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 5.1.5 Ensure talk client is not installed (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
|
PACKAGES='talk inetutils-talk'
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
for PACKAGE in $PACKAGES; do
|
||||||
|
is_pkg_installed $PACKAGE
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
crit "$PACKAGE is installed"
|
||||||
|
else
|
||||||
|
ok "$PACKAGE is absent"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
for PACKAGE in $PACKAGES; do
|
||||||
|
is_pkg_installed $PACKAGE
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
warn "$PACKAGE is installed, purging"
|
||||||
|
apt-get purge $PACKAGE -y
|
||||||
|
apt-get autoremove
|
||||||
|
else
|
||||||
|
ok "$PACKAGE is absent"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
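Review bot: In apply(), an installed talk client is logged with `warn "$PACKAGE is installed, purging"` while audit() reports the very same condition as `crit`, and the sibling 5.1.4 script logs its purge with `crit "$PACKAGE is installed, purging it"`; one severity per finding would keep the apply log consistent across scripts. As in the other package-purge scripts here, `apt-get autoremove` has no `-y` and may prompt, which with `set -e` aborts an unattended `--apply`.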
@ -0,0 +1,94 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 5.1.6 Ensure telnet server is not enabled (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
|
# Based on aptitude search '~Ptelnet-server'
|
||||||
|
PACKAGES='telnetd inetutils-telnetd telnetd-ssl krb5-telnetd heimdal-servers'
|
||||||
|
FILE='/etc/inetd.conf'
|
||||||
|
PATTERN='^telnet'
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
for PACKAGE in $PACKAGES; do
|
||||||
|
is_pkg_installed $PACKAGE
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
warn "$PACKAGE is installed, checking configuration"
|
||||||
|
does_file_exist $FILE
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
ok "$FILE does not exist"
|
||||||
|
else
|
||||||
|
does_pattern_exist_in_file $FILE $PATTERN
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
crit "$PATTERN exists, $PACKAGE services are enabled!"
|
||||||
|
else
|
||||||
|
ok "$PATTERN is not present in $FILE"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
ok "$PACKAGE is absent"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
for PACKAGE in $PACKAGES; do
|
||||||
|
is_pkg_installed $PACKAGE
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
crit "$PACKAGE is installed, purging it"
|
||||||
|
apt-get purge $PACKAGE -y
|
||||||
|
apt-get autoremove
|
||||||
|
else
|
||||||
|
ok "$PACKAGE is absent"
|
||||||
|
fi
|
||||||
|
does_file_exist $FILE
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
ok "$FILE does not exist"
|
||||||
|
else
|
||||||
|
info "$FILE exists, checking patterns"
|
||||||
|
does_pattern_exist_in_file $FILE $PATTERN
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
warn "$PATTERN is present in $FILE, purging it"
|
||||||
|
backup_file $FILE
|
||||||
|
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
|
||||||
|
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
|
||||||
|
else
|
||||||
|
ok "$PATTERN is not present in $FILE"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
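Review bot: In apply(), commenting the telnet line out of `/etc/inetd.conf` does not make the running inetd stop listening on port 23; inetd only re-reads its configuration on SIGHUP, so the service stays reachable until the next reload or reboot, and a later audit run would not notice because it only greps the file. After the sed, reload the super-server, e.g. `service openbsd-inetd reload` when openbsd-inetd is the one installed (or `kill -HUP` on the inetd pid otherwise) — I cannot see from here whether lib/main.sh already does this after apply.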
@ -0,0 +1,93 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 5.1.7 Ensure tftp-server is not enabled (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
|
PACKAGES='tftpd tftpd-hpa atftpd'
|
||||||
|
FILE='/etc/inetd.conf'
|
||||||
|
PATTERN='^tftp'
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
for PACKAGE in $PACKAGES; do
|
||||||
|
is_pkg_installed $PACKAGE
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
warn "$PACKAGE is installed, checking configuration"
|
||||||
|
does_file_exist $FILE
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
ok "$FILE does not exist"
|
||||||
|
else
|
||||||
|
does_pattern_exist_in_file $FILE $PATTERN
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
crit "$PATTERN exists, $PACKAGE services are enabled!"
|
||||||
|
else
|
||||||
|
ok "$PATTERN is not present in $FILE"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
ok "$PACKAGE is absent"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
for PACKAGE in $PACKAGES; do
|
||||||
|
is_pkg_installed $PACKAGE
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
crit "$PACKAGE is installed, purging it"
|
||||||
|
apt-get purge $PACKAGE -y
|
||||||
|
apt-get autoremove
|
||||||
|
else
|
||||||
|
ok "$PACKAGE is absent"
|
||||||
|
fi
|
||||||
|
does_file_exist $FILE
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
ok "$FILE does not exist"
|
||||||
|
else
|
||||||
|
info "$FILE exists, checking patterns"
|
||||||
|
does_pattern_exist_in_file $FILE $PATTERN
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
warn "$PATTERN is present in $FILE, purging it"
|
||||||
|
backup_file $FILE
|
||||||
|
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
|
||||||
|
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
|
||||||
|
else
|
||||||
|
ok "$PATTERN is not present in $FILE"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
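Review bot: For `tftpd-hpa` the inetd.conf check is the wrong signal: as far as I recall, Debian's tftpd-hpa runs as a standalone daemon through its own init script and `/etc/default/tftpd-hpa`, not via `/etc/inetd.conf`, so with that package installed audit() only emits a `warn` followed by `ok "$FILE does not exist"` or `ok "$PATTERN is not present in $FILE"` and never a `crit`. If main.sh treats a run without crit as passed (not visible from here), a live tftp server passes this check and `--audit-all-enable-passed` would happily enable it. Consider reporting `crit` for installed packages that do not depend on inetd, or additionally checking whether the daemon is enabled or running.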
@ -0,0 +1,65 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 5.1.8 Ensure xinetd is not enabled (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
|
PACKAGES='openbsd-inetd xinetd rlinetd'
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
for PACKAGE in $PACKAGES; do
|
||||||
|
is_pkg_installed $PACKAGE
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
crit "$PACKAGE is installed"
|
||||||
|
else
|
||||||
|
ok "$PACKAGE is absent"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
for PACKAGE in $PACKAGES; do
|
||||||
|
is_pkg_installed $PACKAGE
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
warn "$PACKAGE is installed, purging"
|
||||||
|
apt-get purge $PACKAGE -y
|
||||||
|
apt-get autoremove
|
||||||
|
else
|
||||||
|
ok "$PACKAGE is absent"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
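Review bot: The header says "Ensure xinetd is not enabled" but both audit() and apply() key on package presence: an installed-but-disabled `openbsd-inetd` or `xinetd` is flagged `crit` and, on apply, purged together with every service it fronted. That is defensible for level 3 but deserves a header comment such as `# NOTE: stricter than the benchmark title: any installed inetd super-server is flagged and purged, even if its service is disabled`. Related design point: the level-2 inetd service checks in this commit only parse `/etc/inetd.conf`, so on a host where this level-3 check stays disabled and xinetd is in use, services configured under `/etc/xinetd.d/` are invisible to them. `apt-get autoremove` also lacks `-y` here, as in the sibling scripts.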
@ -0,0 +1,74 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 5.2 Ensure chargen is not enabled (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
|
FILE='/etc/inetd.conf'
|
||||||
|
PATTERN='^chargen'
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
does_file_exist $FILE
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
ok "$FILE does not exist"
|
||||||
|
else
|
||||||
|
does_pattern_exist_in_file $FILE $PATTERN
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
crit "$PATTERN exists, chargen service is enabled!"
|
||||||
|
else
|
||||||
|
ok "$PATTERN is not present in $FILE"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
does_file_exist $FILE
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
ok "$FILE does not exist"
|
||||||
|
else
|
||||||
|
info "$FILE exists, checking patterns"
|
||||||
|
does_pattern_exist_in_file $FILE $PATTERN
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
warn "$PATTERN is present in $FILE, purging it"
|
||||||
|
backup_file $FILE
|
||||||
|
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
|
||||||
|
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
|
||||||
|
else
|
||||||
|
ok "$PATTERN is not present in $FILE"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
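Review bot: audit() reports `ok "$FILE does not exist"` when `/etc/inetd.conf` is absent, but that is exactly the state of a host running xinetd, which keeps its service definitions in `/etc/xinetd.conf` and `/etc/xinetd.d/`; a chargen service enabled there passes this check. If xinetd is meant to be in scope for a level-2 host, also inspect the xinetd directory (a `disable = no` or missing `disable` line in `/etc/xinetd.d/chargen`), or state the assumption in the header, e.g. `# Only /etc/inetd.conf is inspected; xinetd.d is not covered`.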
@ -0,0 +1,74 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 5.3 Ensure daytime is not enabled (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
|
FILE='/etc/inetd.conf'
|
||||||
|
PATTERN='^daytime'
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
does_file_exist $FILE
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
ok "$FILE does not exist"
|
||||||
|
else
|
||||||
|
does_pattern_exist_in_file $FILE $PATTERN
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
crit "$PATTERN exists, daytime service is enabled!"
|
||||||
|
else
|
||||||
|
ok "$PATTERN is not present in $FILE"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
does_file_exist $FILE
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
ok "$FILE does not exist"
|
||||||
|
else
|
||||||
|
info "$FILE exists, checking patterns"
|
||||||
|
does_pattern_exist_in_file $FILE $PATTERN
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
warn "$PATTERN is present in $FILE, purging it"
|
||||||
|
backup_file $FILE
|
||||||
|
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
|
||||||
|
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
|
||||||
|
else
|
||||||
|
ok "$PATTERN is not present in $FILE"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
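Review bot: In apply(), `sed -ie ...` is GNU sed's `-i` with the suffix `e`, so the daytime line does get commented out, but a second copy of the file is left behind as `/etc/inetd.confe` on top of the `backup_file` call just above it. The intended form is `sed -i -e "s/$ESCAPED_PATTERN/#&/g" "$FILE"`.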
@ -0,0 +1,74 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 5.4 Ensure echo is not enabled (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
|
FILE='/etc/inetd.conf'
|
||||||
|
PATTERN='^echo'
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
does_file_exist $FILE
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
ok "$FILE does not exist"
|
||||||
|
else
|
||||||
|
does_pattern_exist_in_file $FILE $PATTERN
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
crit "$PATTERN exists, echo service is enabled!"
|
||||||
|
else
|
||||||
|
ok "$PATTERN is not present in $FILE"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
does_file_exist $FILE
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
ok "$FILE does not exist"
|
||||||
|
else
|
||||||
|
info "$FILE exists, checking patterns"
|
||||||
|
does_pattern_exist_in_file $FILE $PATTERN
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
warn "$PATTERN is present in $FILE, purging it"
|
||||||
|
backup_file $FILE
|
||||||
|
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
|
||||||
|
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
|
||||||
|
else
|
||||||
|
ok "$PATTERN is not present in $FILE"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
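Review bot: After apply() comments the echo line out, the running inetd is never told to re-read `/etc/inetd.conf`, so the echo service keeps answering until inetd receives a SIGHUP or the host reboots, while the audit afterwards passes because it only reads the file. Add a reload after the sed — `service openbsd-inetd reload` if openbsd-inetd is the super-server in use — unless lib/main.sh (not visible here) already reloads it once apply returns.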
@ -0,0 +1,74 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 5.5 Ensure discard is not enabled (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
|
FILE='/etc/inetd.conf'
|
||||||
|
PATTERN='^discard'
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
does_file_exist $FILE
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
ok "$FILE does not exist"
|
||||||
|
else
|
||||||
|
does_pattern_exist_in_file $FILE $PATTERN
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
crit "$PATTERN exists, discard service is enabled!"
|
||||||
|
else
|
||||||
|
ok "$PATTERN is not present in $FILE"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
does_file_exist $FILE
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
ok "$FILE does not exist"
|
||||||
|
else
|
||||||
|
info "$FILE exists, checking patterns"
|
||||||
|
does_pattern_exist_in_file $FILE $PATTERN
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
warn "$PATTERN is present in $FILE, purging it"
|
||||||
|
backup_file $FILE
|
||||||
|
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
|
||||||
|
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
|
||||||
|
else
|
||||||
|
ok "$PATTERN is not present in $FILE"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
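Review bot: Nothing in this file says how audit() and apply() get invoked or where `FNRET` comes from; both functions are defined here but only called by `$CIS_ROOT_DIR/lib/main.sh`, which is sourced on the last lines, and `FNRET` is presumably set by the helpers (`does_file_exist`, `does_pattern_exist_in_file`) that live there too. A header comment would save the next reader a trip to main.sh: `# audit()/apply() are called by lib/main.sh (sourced at the bottom); helpers report via FNRET, 0 meaning "yes"`. That 0-means-yes convention is what the `[ $FNRET = 0 ]` and `[ $FNRET != 0 ]` tests in both functions rely on.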
@ -0,0 +1,74 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 5.6 Ensure time is not enabled (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
|
FILE='/etc/inetd.conf'
|
||||||
|
PATTERN='^time'
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
does_file_exist $FILE
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
ok "$FILE does not exist"
|
||||||
|
else
|
||||||
|
does_pattern_exist_in_file $FILE $PATTERN
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
crit "$PATTERN exists, time service is enabled!"
|
||||||
|
else
|
||||||
|
ok "$PATTERN is not present in $FILE"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
does_file_exist $FILE
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
ok "$FILE does not exist"
|
||||||
|
else
|
||||||
|
info "$FILE exists, checking patterns"
|
||||||
|
does_pattern_exist_in_file $FILE $PATTERN
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
warn "$PATTERN is present in $FILE, purging it"
|
||||||
|
backup_file $FILE
|
||||||
|
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
|
||||||
|
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
|
||||||
|
else
|
||||||
|
ok "$PATTERN is not present in $FILE"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
@ -0,0 +1,67 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7/8 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 6.10 Ensure HTTP Server is not enabled (Not Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
HARDENING_EXCEPTION=http
|
||||||
|
|
||||||
|
# Based on aptitude search '~Phttpd'
|
||||||
|
PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd'
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
for PACKAGE in $PACKAGES; do
|
||||||
|
is_pkg_installed $PACKAGE
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
crit "$PACKAGE is installed!"
|
||||||
|
else
|
||||||
|
ok "$PACKAGE is absent"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
for PACKAGE in $PACKAGES; do
|
||||||
|
is_pkg_installed $PACKAGE
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
crit "$PACKAGE is installed, purging it"
|
||||||
|
apt-get purge $PACKAGE -y
|
||||||
|
apt-get autoremove
|
||||||
|
else
|
||||||
|
ok "$PACKAGE is absent"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
|
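Review bot: Detection by exact package name misses the usual nginx layout: on Debian `nginx` is a metapackage and the daemon itself comes from a flavour package (`nginx-full`, `nginx-light`, `nginx-extras`, and `nginx-core` on newer releases, from memory), so a host that installed a flavour directly passes audit(), and `apt-get purge nginx` in apply() removes only the metapackage and leaves the server running unless the following `apt-get autoremove` — which has no `-y` and may prompt — happens to take it out. Consider listing the flavour packages in `PACKAGES` (and `apache2-bin` for apache 2.4), and add `-y` to the autoremove since the usage text promises `--apply` asks no questions.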
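--- /dev/null
+++ b/PATH-NOT-SHOWN-6.11
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 6.11 Ensure IMAP and POP server is not enabled (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+HARDENING_EXCEPTION=mail
+
+# Based on aptitude search '~Pimap-server' and aptitude search '~Ppop3-server'
+PACKAGES='citadel-server courier-imap cyrus-imapd-2.4 dovecot-imapd mailutils-imap4d courier-pop cyrus-pop3d-2.4 dovecot-pop3d heimdal-servers mailutils-pop3d popa3d solid-pop3d xmail'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+for PACKAGE in $PACKAGES; do
+is_pkg_installed $PACKAGE
+if [ $FNRET = 0 ]; then
+crit "$PACKAGE is installed!"
+else
+ok "$PACKAGE is absent"
+fi
+done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+for PACKAGE in $PACKAGES; do
+is_pkg_installed $PACKAGE
+if [ $FNRET = 0 ]; then
+crit "$PACKAGE is installed, purging it"
+apt-get purge $PACKAGE -y
+apt-get autoremove
+else
+ok "$PACKAGE is absent"
+fi
+done
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi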
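Review bot: `apt-get autoremove` in apply runs without `-y`, unlike the purge on the line before it, so whenever it has something to remove it prompts for confirmation and, with no terminal on stdin, aborts non-zero — which under `set -e` ends the run in the middle of the package loop; the same line appears in the 6.12, 6.13 and 6.14 sections below. Change it to `apt-get autoremove -y`. Since purge also deletes the packages' configuration files, which goes beyond the control's "not enabled" wording, the message could say so: `crit "$PACKAGE is installed, purging it (configuration files will be removed too)"`. Quoting `"$PACKAGE"` and `"$FNRET"` in the loop is cheap insurance should FNRET ever come back empty; `is_pkg_installed` and `FNRET` presumably come from the lib/main.sh sourced at the bottom of the file.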
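--- /dev/null
+++ b/PATH-NOT-SHOWN-6.12
@@ -0,0 +1,66 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 6.12 Ensure Samba is not enabled (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+HARDENING_EXCEPTION=samba
+
+PACKAGES='samba'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+for PACKAGE in $PACKAGES; do
+is_pkg_installed $PACKAGE
+if [ $FNRET = 0 ]; then
+crit "$PACKAGE is installed!"
+else
+ok "$PACKAGE is absent"
+fi
+done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+for PACKAGE in $PACKAGES; do
+is_pkg_installed $PACKAGE
+if [ $FNRET = 0 ]; then
+crit "$PACKAGE is installed, purging it"
+apt-get purge $PACKAGE -y
+apt-get autoremove
+else
+ok "$PACKAGE is absent"
+fi
+done
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi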
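--- /dev/null
+++ b/PATH-NOT-SHOWN-6.13
@@ -0,0 +1,66 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 6.13 Ensure HTTP Proxy Server is not enabled (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+HARDENING_EXCEPTION=http
+
+PACKAGES='squid3 squid'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+for PACKAGE in $PACKAGES; do
+is_pkg_installed $PACKAGE
+if [ $FNRET = 0 ]; then
+crit "$PACKAGE is installed!"
+else
+ok "$PACKAGE is absent"
+fi
+done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+for PACKAGE in $PACKAGES; do
+is_pkg_installed $PACKAGE
+if [ $FNRET = 0 ]; then
+crit "$PACKAGE is installed, purging it"
+apt-get purge $PACKAGE -y
+apt-get autoremove
+else
+ok "$PACKAGE is absent"
+fi
+done
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi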
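--- /dev/null
+++ b/PATH-NOT-SHOWN-6.14
@@ -0,0 +1,66 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 6.14 Ensure SNMP Server is not enabled (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+HARDENING_EXCEPTION=snmp
+
+PACKAGES='snmpd'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+for PACKAGE in $PACKAGES; do
+is_pkg_installed $PACKAGE
+if [ $FNRET = 0 ]; then
+crit "$PACKAGE is installed!"
+else
+ok "$PACKAGE is absent"
+fi
+done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+for PACKAGE in $PACKAGES; do
+is_pkg_installed $PACKAGE
+if [ $FNRET = 0 ]; then
+crit "$PACKAGE is installed, purging it"
+apt-get purge $PACKAGE -y
+apt-get autoremove
+else
+ok "$PACKAGE is absent"
+fi
+done
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi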
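--- /dev/null
+++ b/PATH-NOT-SHOWN-6.15
@@ -0,0 +1,75 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 6.15 Configure Mail Transfer Agent for Local-Only Mode (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+HARDENING_EXCEPTION=mail
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+info "Checking netport ports opened"
+RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
+RESULT=${RESULT:-}
+debug "Result is $RESULT"
+if [ -z "$RESULT" ]; then
+ok "Nothing listens on 25 port, probably unix socket configured"
+else
+info "Checking $RESULT"
+if $(grep -q "127.0.0.1" <<< $RESULT); then
+ok "MTA is configured to localhost only"
+else
+crit "MTA listens worldwide"
+fi
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+info "Checking netport ports opened"
+RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
+RESULT=${RESULT:-}
+debug "Result is $RESULT"
+if [ -z "$RESULT" ]; then
+ok "Nothing listens on 25 port, probably unix socket configured"
+else
+info "Checking $RESULT"
+if $(grep -q "127.0.0.1" <<< $RESULT); then
+ok "MTA is configured to localhost only"
+else
+warn "MTA listens worldwide, correct this considering your MTA"
+fi
+fi
+:
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi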
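Review bot: The localhost test in audit passes as soon as any line of `$RESULT` contains 127.0.0.1, so an MTA bound to both 127.0.0.1:25 and 0.0.0.0:25 (or :::25) is reported as localhost-only, while one bound only to ::1:25 is wrongly flagged as listening worldwide; apply repeats the same test. Checking that nothing is left once the loopback listeners are removed fixes both directions: `if [ -z "$(grep -v -E '(127\.0\.0\.1|::1):25' <<< "$RESULT")" ]; then` in place of the two `if $(grep -q "127.0.0.1" <<< $RESULT); then` lines. The `if $(...)` form only works because grep -q prints nothing, so the replacement also drops the command substitution. apply calls netstat without the `$SUDO_CMD` prefix that audit uses, and netstat is no longer installed by default on current Debian releases, so `ss -lnt` may be the more durable source for both functions.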
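--- /dev/null
+++ b/PATH-NOT-SHOWN-6.16
@@ -0,0 +1,77 @@
+#!/bin/bash
+
+#
+# CIS Debian 7/8 Hardening
+#
+
+#
+# 6.16 Ensure rsync service is not enabled (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+HARDENING_EXCEPTION=rsync
+
+PACKAGE='rsync'
+RSYNC_DEFAULT_PATTERN='RSYNC_ENABLE=false'
+RSYNC_DEFAULT_FILE='/etc/default/rsync'
+RSYNC_DEFAULT_PATTERN_TO_SEARCH='RSYNC_ENABLE=true'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+is_pkg_installed $PACKAGE
+if [ $FNRET != 0 ]; then
+ok "$PACKAGE is not installed"
+else
+ok "$PACKAGE is installed, checking configuration"
+does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
+if [ $FNRET != 0 ]; then
+crit "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE"
+else
+ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE"
+fi
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+is_pkg_installed $PACKAGE
+if [ $FNRET != 0 ]; then
+ok "$PACKAGE is not installed"
+else
+ok "$PACKAGE is installed, checking configuration"
+does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
+if [ $FNRET != 0 ]; then
+warn "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE, adding it"
+backup_file $RSYNC_DEFAULT_FILE
+replace_in_file $RSYNC_DEFAULT_FILE $RSYNC_DEFAULT_PATTERN_TO_SEARCH $RSYNC_DEFAULT_PATTERN
+else
+ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE"
+fi
+fi
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_ROOT_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+. $CIS_ROOT_DIR/lib/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+exit 128
+fi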
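Review bot: In apply, `replace_in_file` only rewrites a line matching RSYNC_ENABLE=true, so a file that says RSYNC_ENABLE=inetd, or has no RSYNC_ENABLE line at all, is left as it was while the warn message claims the setting is being added, and the next audit will still report crit. Re-checking after the replacement makes that outcome visible: `does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"` followed by `[ $FNRET = 0 ] || crit "$RSYNC_DEFAULT_PATTERN still absent from $RSYNC_DEFAULT_FILE"`. What audit reports when `$RSYNC_DEFAULT_FILE` does not exist depends on does_pattern_exist_in_file, which is defined outside this file, presumably in lib/main.sh. A comment above `RSYNC_DEFAULT_FILE` would also help the next reader: `# RSYNC_ENABLE in /etc/default/rsync is honoured by the SysV init script; a native systemd rsync.service ignores it, so confirm the unit is disabled as well` — hedged, since which start-up path applies is not visible from this file.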