tyler.durden
/
harbian-audit
mirror of https://github.com/hardenedlinux/harbian-audit.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge OVH/debian-cis projects into this Repository.

This commit is contained in:
Samson-W 2018-08-21 16:01:50 -04:00
parent 5bb6856011
commit a018dadcbd
201 changed files with 15333 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

263
bin/hardening.sh Executable file
View File

@ -0,0 +1,263 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
#
#
# Main script : Execute hardening considering configuration
#
LONG_SCRIPT_NAME=$(basename $0)
SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
DISABLED_CHECKS=0
PASSED_CHECKS=0
FAILED_CHECKS=0
TOTAL_CHECKS=0
TOTAL_TREATED_CHECKS=0
AUDIT=0
APPLY=0
AUDIT_ALL=0
AUDIT_ALL_ENABLE_PASSED=0
ALLOW_SERVICE_LIST=0
SET_HARDENING_LEVEL=0
SUDO_MODE=''
usage() {
cat << EOF
$LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
--help -h
Show this help
--apply
Apply hardening for enabled scripts.
Beware that NO confirmation is asked whatsoever, which is why you're warmly
advised to use --audit before, which can be regarded as a dry-run mode.
--audit
Audit configuration for enabled scripts.
No modification will be made on the system, we'll only report on your system
compliance for each script.
--audit-all
Same as --audit, but for *all* scripts, even disabled ones.
This is a good way to peek at your compliance level if all scripts were enabled,
and might be a good starting point.
--audit-all-enable-passed
Same as --audit-all, but in addition, will *modify* the individual scripts
configurations to enable those which passed for your system.
This is an easy way to enable scripts for which you're already compliant.
However, please always review each activated script afterwards, this option
should only be regarded as a way to kickstart a configuration from scratch.
Don't run this if you have already customized the scripts enable/disable
configurations, obviously.
--set-hardening-level <level>
Modifies the configuration to enable/disable tests given an hardening level,
between 1 to 5. Don't run this if you have already customized the scripts
enable/disable configurations.
1: very basic policy, failure to pass tests at this level indicates severe
misconfiguration of the machine that can have a huge security impact
2: basic policy, some good practice rules that, once applied, shouldn't
break anything on most systems
3: best practices policy, passing all tests might need some configuration
modifications (such as specific partitioning, etc.)
4: high security policy, passing all tests might be time-consuming and
require high adaptation of your workflow
5: placebo, policy rules that might be very difficult to apply and maintain,
with questionable security benefits
--allow-service <service>
Use with --set-hardening-level.
Modifies the policy to allow a certain kind of services on the machine, such
as http, mail, etc. Can be specified multiple times to allow multiple services.
Use --allow-service-list to get a list of supported services.
OPTIONS:
--only <test_number>
Modifies the RUN_MODE to only work on the test_number script.
Can be specified multiple times to work only on several scripts.
The test number is the numbered prefix of the script,
i.e. the test number of 1.2_script_name.sh is 1.2.
--sudo
This option lets you audit your system as a normal user, but allows sudo
escalation to gain read-only access to root files. Note that you need to
provide a sudoers file with NOPASSWD option in /etc/sudoers.d/ because
the '-n' option instructs sudo not to prompt for a password.
Finally note that '--sudo' mode only works for audit mode.
EOF
exit 0
}
if [ $# = 0 ]; then
usage
fi
declare -a TEST_LIST ALLOWED_SERVICES_LIST
# Arguments parsing
while [[ $# > 0 ]]; do
ARG="$1"
case $ARG in
--audit)
AUDIT=1
;;
--audit-all)
AUDIT_ALL=1
;;
--audit-all-enable-passed)
AUDIT_ALL_ENABLE_PASSED=1
;;
--apply)
APPLY=1
;;
--allow-service-list)
ALLOW_SERVICE_LIST=1
;;
--allow-service)
ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
shift
;;
--set-hardening-level)
SET_HARDENING_LEVEL="$2"
shift
;;
--only)
TEST_LIST[${#TEST_LIST[@]}]="$2"
shift
;;
--sudo)
SUDO_MODE='--sudo'
;;
-h|--help)
usage
;;
*)
usage
;;
esac
shift
done
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
# If --allow-service-list is specified, don't run anything, just list the supported services
if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then
declare -a HARDENING_EXCEPTIONS_LIST
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
template=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2)
[ -n "$template" ] && HARDENING_EXCEPTIONS_LIST[${#HARDENING_EXCEPTIONS_LIST[@]}]="$template"
done
echo "Supported services are: "$(echo "${HARDENING_EXCEPTIONS_LIST[@]}" | tr " " "\n" | sort -u | tr "\n" " ")
exit 0
fi
# If --set-hardening-level is specified, don't run anything, just apply config for each script
if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then
if ! grep -q "^[12345]$" <<< "$SET_HARDENING_LEVEL" ; then
echo "Bad --set-hardening-level specified ('$SET_HARDENING_LEVEL'), expected 1 to 5"
exit 1
fi
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
SCRIPT_BASENAME=$(basename $SCRIPT .sh)
script_level=$(grep "^HARDENING_LEVEL=" "$SCRIPT" | cut -d= -f2)
if [ -z "$script_level" ] ; then
echo "The script $SCRIPT_BASENAME doesn't have a hardening level, configuration untouched for it"
continue
fi
wantedstatus=disabled
[ "$script_level" -le "$SET_HARDENING_LEVEL" ] && wantedstatus=enabled
sed -i -re "s/^status=.+/status=$wantedstatus/" $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
done
echo "Configuration modified to enable scripts for hardening level at or below $SET_HARDENING_LEVEL"
exit 0
fi
# Parse every scripts and execute them in the required mode
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
if [ ${#TEST_LIST[@]} -gt 0 ] ; then
# --only X has been specified at least once, is this script in my list ?
SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<< "$(basename $SCRIPT)")
SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<< "$SCRIPT_PREFIX")
if ! grep -qEw "$SCRIPT_PREFIX_RE" <<< "${TEST_LIST[@]}"; then
# not in the list
continue
fi
fi
info "Treating $SCRIPT"
if [ $AUDIT = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE"
$SCRIPT --audit $SUDO_MODE
elif [ $AUDIT_ALL = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE"
$SCRIPT --audit-all $SUDO_MODE
elif [ $AUDIT_ALL_ENABLE_PASSED = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE"
$SCRIPT --audit-all $SUDO_MODE
elif [ $APPLY = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
$SCRIPT
fi
SCRIPT_EXITCODE=$?
debug "Script $SCRIPT finished with exit code $SCRIPT_EXITCODE"
case $SCRIPT_EXITCODE in
0)
debug "$SCRIPT passed"
PASSED_CHECKS=$((PASSED_CHECKS+1))
if [ $AUDIT_ALL_ENABLE_PASSED = 1 ] ; then
SCRIPT_BASENAME=$(basename $SCRIPT .sh)
sed -i -re 's/^status=.+/status=enabled/' $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
fi
;;
1)
debug "$SCRIPT failed"
FAILED_CHECKS=$((FAILED_CHECKS+1))
;;
2)
debug "$SCRIPT is disabled"
DISABLED_CHECKS=$((DISABLED_CHECKS+1))
;;
esac
TOTAL_CHECKS=$((TOTAL_CHECKS+1))
done
TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS-DISABLED_CHECKS))
printf "%40s\n" "################### SUMMARY ###################"
printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
printf "%30s %s\n" "Total Runned Checks :" "$TOTAL_TREATED_CHECKS"
printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
printf "%30s %.2f %%\n" "Enabled Checks Percentage :" "$( echo "($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100" | bc -l)"
if [ $TOTAL_TREATED_CHECKS != 0 ]; then
printf "%30s %.2f %%\n" "Conformity Percentage :" "$( echo "($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100" | bc -l)"
else
printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No check runned, avoid division by 0
fi

63
bin/hardening/1.1_install_updates.sh Executable file
View File

@ -0,0 +1,63 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 1.1 Install Updates, Patches and Additional Security Software (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if apt needs an update"
apt_update_if_needed
info "Fetching upgrades ..."
apt_check_updates "CIS_APT"
if [ $FNRET -gt 0 ]; then
crit "$RESULT"
FNRET=1
else
ok "No upgrades available"
FNRET=0
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET -gt 0 ]; then
info "Applying Upgrades..."
DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y
else
ok "No Upgrades to apply"
fi
}
# This function will check config parameters required
check_config() {
# No parameters for this function
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

91
bin/hardening/10.1.1_set_password_exp_days.sh Executable file
View File

@ -0,0 +1,91 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 10.1.1 Set Password Expiration Days (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
PACKAGE='login'
OPTIONS='PASS_MAX_DAYS=90'
FILE='/etc/login.defs'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
fi
done
fi
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE
fi
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

91
bin/hardening/10.1.2_set_password_min_days_change.sh Executable file
View File

@ -0,0 +1,91 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 10.1.2 Set Password Change Minimum Number of Days (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
PACKAGE='login'
OPTIONS='PASS_MIN_DAYS=7'
FILE='/etc/login.defs'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
fi
done
fi
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE
fi
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

91
bin/hardening/10.1.3_set_password_exp_warning_days.sh Executable file
View File

@ -0,0 +1,91 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 10.1.3 Set Password Expiring Warning Days (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
PACKAGE='login'
OPTIONS='PASS_WARN_AGE=7'
FILE='/etc/login.defs'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
fi
done
fi
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE
fi
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

107
bin/hardening/10.2_disable_system_accounts.sh Executable file
View File

@ -0,0 +1,107 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 10.2 Disable System Accounts (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
SHELL='/bin/false'
FILE='/etc/passwd'
RESULT=''
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if admin accounts have a login shell different than $SHELL"
RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}')
IFS=$'\n'
for LINE in $RESULT; do
debug "line : $LINE"
ACCOUNT=$( echo $LINE | cut -d: -f 1 )
debug "Account : $ACCOUNT"
debug "Exceptions : $EXCEPTIONS"
debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then
debug "$ACCOUNT is confirmed as an exception"
RESULT=$(sed "s!$LINE!!" <<< "$RESULT")
else
debug "$ACCOUNT not found in exceptions"
fi
done
if [ ! -z "$RESULT" ]; then
crit "Some admin accounts don't have $SHELL as their login shell"
crit "$RESULT"
else
ok "All admin accounts deactivated"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}')
IFS=$'\n'
for LINE in $RESULT; do
debug "line : $LINE"
ACCOUNT=$( echo $LINE | cut -d: -f 1 )
debug "Account : $ACCOUNT"
debug "Exceptions : $EXCEPTIONS"
debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then
debug "$ACCOUNT is confirmed as an exception"
RESULT=$(sed "s!$LINE!!" <<< "$RESULT")
else
debug "$ACCOUNT not found in exceptions"
fi
done
if [ ! -z "$RESULT" ]; then
warn "Some admin accounts don't have $SHELL as their login shell -- Fixing"
warn "$RESULT"
for USER in $( echo "$RESULT" | cut -d: -f 1 ); do
info "Setting $SHELL as $USER login shell"
usermod -s $SHELL $USER
done
else
ok "All admin accounts deactivated, nothing to apply"
fi
}
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=disabled
# Put here your exceptions concerning admin accounts shells separated by spaces
EXCEPTIONS=""
EOF
}
# This function will check config parameters required
check_config() {
if [ -z "$EXCEPTIONS" ]; then
EXCEPTIONS="@"
fi
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

59
bin/hardening/10.3_default_root_group.sh Executable file
View File

@ -0,0 +1,59 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 10.3 Set Default Group for root Account (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
USER='root'
EXPECTED_GID='0'
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $(grep "^root:" /etc/passwd | cut -f4 -d:) = 0 ]; then
ok "Root group has GID $EXPECTED_GID"
else
crit "Root group GID should be $EXPECTED_GID"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $(grep "^root:" /etc/passwd | cut -f4 -d:) = 0 ]; then
ok "Root group GID is $EXPECTED_GID"
else
warn "Root group GID is not $EXPECTED_GID -- Fixing"
usermod -g $EXPECTED_GID $USER
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

109
bin/hardening/10.4_default_umask.sh Executable file
View File

@ -0,0 +1,109 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 10.4 Set Default umask for Users (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
USER='root'
PATTERN='umask 077'
FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d /etc/profile'
FILE='/etc/profile.d/CIS_10.4_umask.sh'
# This function will be called if the script status is on enabled / audit mode
audit () {
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
if [ $SEARCH_RES = 1 ]; then break; fi
if test -d $FILE_SEARCHED; then
debug "$FILE_SEARCHED is a directory"
for file_in_dir in $(ls $FILE_SEARCHED); do
does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
if [ $FNRET != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
else
ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
SEARCH_RES=1
break
fi
done
else
does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
if [ $FNRET != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED"
else
ok "$PATTERN is present in $FILES_TO_SEARCH"
SEARCH_RES=1
fi
fi
done
if [ $SEARCH_RES = 0 ]; then
crit "$PATTERN is not present in $FILES_TO_SEARCH"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
if [ $SEARCH_RES = 1 ]; then break; fi
if test -d $FILE_SEARCHED; then
debug "$FILE_SEARCHED is a directory"
for file_in_dir in $(ls $FILE_SEARCHED); do
does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
if [ $FNRET != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
else
ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
SEARCH_RES=1
break
fi
done
else
does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
if [ $FNRET != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED"
else
ok "$PATTERN is present in $FILES_TO_SEARCH"
SEARCH_RES=1
fi
fi
done
if [ $SEARCH_RES = 0 ]; then
warn "$PATTERN is not present in $FILES_TO_SEARCH"
touch $FILE
chmod 644 $FILE
add_end_of_file $FILE "$PATTERN"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

51
bin/hardening/10.5_lock_inactive_user_account.sh Executable file
View File

@ -0,0 +1,51 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 10.5 Lock Inactive User Accounts (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Looking at the manual of useradd, it seems that this recommendation does not fill the title"
info "The number of days after a password expires until the account is permanently disabled."
info "Which is not inactive users per se"
}
# This function will be called if the script status is on enabled mode
apply () {
info "Looking at the manual of useradd, it seems that this recommendation does not fill the title"
info "The number of days after a password expires until the account is permanently disabled."
info "Which is not inactive users per se"
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

85
bin/hardening/11.1_warning_banners.sh Executable file
View File

@ -0,0 +1,85 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 11.1 Set Warning Banner for Standard Login Services (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
PERMISSIONS='644'
USER='root'
GROUP='root'
FILES='/etc/motd /etc/issue /etc/issue.net'
# This function will be called if the script status is on enabled / audit mode
audit () {
for FILE in $FILES; do
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for FILE in $FILES; do
does_file_exist $FILE
if [ $FNRET != 0 ]; then
info "$FILE does not exist"
touch $FILE
fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE
fi
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0$PERMISSIONS $FILE
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

65
bin/hardening/11.2_remove_os_info_warning_banners.sh Executable file
View File

@ -0,0 +1,65 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 11.2 Remove OS Information from Login Warning Banners (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
FILES='/etc/motd /etc/issue /etc/issue.net'
PATTERN='(\\v|\\r|\\m|\\s)'
# This function will be called if the script status is on enabled / audit mode
audit () {
for FILE in $FILES; do
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
crit "$PATTERN is present in $FILE"
else
ok "$PATTERN is not present in $FILE"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for FILE in $FILES; do
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE"
delete_line_in_file $FILE $PATTERN
else
ok "$PATTERN is not present in $FILE"
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

47
bin/hardening/11.3_graphical_warning_banners.sh Executable file
View File

@ -0,0 +1,47 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 11.3 Set Graphical Warning Banner (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Not implemented yet"
}
# This function will be called if the script status is on enabled mode
apply () {
info "Not implemented yet"
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

71
bin/hardening/12.10_find_suid_files.sh Executable file
View File

@ -0,0 +1,71 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 12.10 Find SUID System Executables (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if there are suid files"
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type f -perm -4000 -print)
for BINARY in $RESULT; do
if grep -q $BINARY <<< "$EXCEPTIONS"; then
debug "$BINARY is confirmed as an exception"
RESULT=$(sed "s!$BINARY!!" <<< $RESULT)
fi
done
if [ ! -z "$RESULT" ]; then
crit "Some suid files are present"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT"
else
ok "No unknown suid files found"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
info "Removing suid on valid binary may seriously harm your system, report only here"
}
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=disabled
# Put Here your valid suid binaries so that they do not appear during the audit
EXCEPTIONS="/bin/mount /bin/ping /bin/ping6 /bin/su /bin/umount /usr/bin/chfn /usr/bin/chsh /usr/bin/fping /usr/bin/fping6 /usr/bin/gpasswd /usr/bin/mtr /usr/bin/newgrp /usr/bin/passwd /usr/bin/sudo /usr/bin/sudoedit /usr/lib/openssh/ssh-keysign /usr/lib/pt_chown /usr/bin/at"
EOF
}
# This function will check config parameters required
check_config() {
# No param for this function
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

72
bin/hardening/12.11_find_sgid_files.sh Executable file
View File

@ -0,0 +1,72 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 12.11 Find SGID System Executables (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if there are sgid files"
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type f -perm -2000 -print)
for BINARY in $RESULT; do
if grep -q $BINARY <<< "$EXCEPTIONS"; then
debug "$BINARY is confirmed as an exception"
RESULT=$(sed "s!$BINARY!!" <<< $RESULT)
fi
done
if [ ! -z "$RESULT" ]; then
crit "Some sgid files are present"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT"
else
ok "No unknown sgid files found"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
info "Removing sgid on valid binary may seriously harm your system, report only here"
}
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=disabled
# Put here valid binaries with sgid enabled separated by spaces
EXCEPTIONS="/sbin/unix_chkpwd /usr/bin/bsd-write /usr/bin/chage /usr/bin/crontab /usr/bin/expiry /usr/bin/mutt_dotlock /usr/bin/screen /usr/bin/ssh-agent /usr/bin/wall /usr/sbin/postdrop /usr/sbin/postqueue /usr/bin/at /usr/bin/dotlockfile /usr/bin/mail-lock /usr/bin/mail-touchlock /usr/bin/mail-unlock"
EOF
}
# This function will check config parameters required
check_config() {
if [ -z "$EXCEPTIONS" ]; then
EXCEPTIONS="@"
fi
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

61
bin/hardening/12.1_etc_passwd_permissions.sh Executable file
View File

@ -0,0 +1,61 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 12.1 Verify Permissions on /etc/passwd (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/passwd'
PERMISSIONS='644'
# This function will be called if the script status is on enabled / audit mode
audit () {
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0$PERMISSIONS $FILE
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

61
bin/hardening/12.2_etc_shadow_permissions.sh Executable file
View File

@ -0,0 +1,61 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 12.2 Verify Permissions on /etc/shadow (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/shadow'
PERMISSIONS='640'
# This function will be called if the script status is on enabled / audit mode
audit () {
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0$PERMISSIONS $FILE
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

61
bin/hardening/12.3_etc_group_permissions.sh Executable file
View File

@ -0,0 +1,61 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 12.3 Verify Permissions on /etc/group (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/group'
PERMISSIONS='644'
# This function will be called if the script status is on enabled / audit mode
audit () {
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0$PERMISSIONS $FILE
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

76
bin/hardening/12.4_etc_passwd_ownership.sh Executable file
View File

@ -0,0 +1,76 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 12.4 Verify User/Group Ownership on /etc/passwd (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/passwd'
USER='root'
GROUP='root'
# This function will be called if the script status is on enabled / audit mode
audit () {
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
info "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE
fi
}
# This function will check config parameters required
check_config() {
does_user_exist $USER
if [ $FNRET != 0 ]; then
crit "$USER does not exist"
exit 128
fi
does_group_exist $GROUP
if [ $FNRET != 0 ]; then
crit "$GROUP does not exist"
exit 128
fi
does_file_exist $FILE
if [ $FNRET != 0 ]; then
crit "$FILE does not exist"
exit 128
fi
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

76
bin/hardening/12.5_etc_shadow_ownership.sh Executable file
View File

@ -0,0 +1,76 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 12.5 Verify User/Group Ownership on /etc/shadow (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/shadow'
USER='root'
GROUP='shadow'
# This function will be called if the script status is on enabled / audit mode
audit () {
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
info "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE
fi
}
# This function will check config parameters required
check_config() {
does_user_exist $USER
if [ $FNRET != 0 ]; then
crit "$USER does not exist"
exit 128
fi
does_group_exist $GROUP
if [ $FNRET != 0 ]; then
crit "$GROUP does not exist"
exit 128
fi
does_file_exist $FILE
if [ $FNRET != 0 ]; then
crit "$FILE does not exist"
exit 128
fi
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

76
bin/hardening/12.6_etc_group_ownership.sh Executable file
View File

@ -0,0 +1,76 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 12.6 Verify User/Group Ownership on /etc/group (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/group'
USER='root'
GROUP='root'
# This function will be called if the script status is on enabled / audit mode
audit () {
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
info "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE
fi
}
# This function will check config parameters required
check_config() {
does_user_exist $USER
if [ $FNRET != 0 ]; then
crit "$USER does not exist"
exit 128
fi
does_group_exist $GROUP
if [ $FNRET != 0 ]; then
crit "$GROUP does not exist"
exit 128
fi
does_file_exist $FILE
if [ $FNRET != 0 ]; then
crit "$FILE does not exist"
exit 128
fi
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

62
bin/hardening/12.7_find_world_writable_file.sh Executable file
View File

@ -0,0 +1,62 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 12.7 Find World Writable Files (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if there are world writable files"
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then
crit "Some world writable files are present"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT"
else
ok "No world writable files found"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then
warn "chmoding o-w all files in the system"
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null| xargs chmod o-w
else
ok "No world writable files found, nothing to apply"
fi
}
# This function will check config parameters required
check_config() {
# No param for this function
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

64
bin/hardening/12.8_find_unowned_files.sh Executable file
View File

@ -0,0 +1,64 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 12.8 Find Un-owned Files and Directories (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
USER='root'
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if there are unowned files"
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -nouser -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then
crit "Some unowned files are present"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT"
else
ok "No unowned files found"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
if [ ! -z "$RESULT" ]; then
warn "Applying chown on all unowned files in the system"
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER
else
ok "No unowned files found, nothing to apply"
fi
}
# This function will check config parameters required
check_config() {
# No param for this function
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

64
bin/hardening/12.9_find_ungrouped_files.sh Executable file
View File

@ -0,0 +1,64 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 12.9 Find Un-grouped Files and Directories (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
GROUP='root'
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if there are ungrouped files"
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -nogroup -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then
crit "Some ungrouped files are present"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT"
else
ok "No ungrouped files found"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
if [ ! -z "$RESULT" ]; then
warn "Applying chgrp on all ungrouped files in the system"
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP
else
ok "No ungrouped files found, nothing to apply"
fi
}
# This function will check config parameters required
check_config() {
# No param for this function
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

62
bin/hardening/13.10_find_user_rhosts_files.sh Executable file
View File

@ -0,0 +1,62 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 13.10 Check for Presence of User .rhosts Files (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
ERRORS=0
FILENAME=".rhosts"
# This function will be called if the script status is on enabled / audit mode
audit () {
for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
debug "Working on $DIR"
for FILE in $DIR/$FILENAME; do
if [ ! -h "$FILE" -a -f "$FILE" ]; then
crit "$FILE present"
ERRORS=$((ERRORS+1))
fi
done
done
if [ $ERRORS = 0 ]; then
ok "No $FILENAME present in users home directory"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
info "If the audit returns something, please check with the user why he has this file"
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

60
bin/hardening/13.11_find_passwd_group_inconsistencies.sh Executable file
View File

@ -0,0 +1,60 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 13.11 Check Groups in /etc/passwd (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
ERRORS=0
# This function will be called if the script status is on enabled / audit mode
audit () {
for GROUP in $(cut -s -d: -f4 /etc/passwd | sort -u ); do
debug "Working on group $GROUP"
if ! grep -q -P "^.*?:[^:]*:$GROUP:" /etc/group; then
crit "Group $GROUP is referenced by /etc/passwd but does not exist in /etc/group"
ERRORS=$((ERRORS+1))
fi
done
if [ $ERRORS = 0 ]; then
ok "passwd and group Groups are consistent"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
info "Solving passwd and group consistency automatically may seriously harm your system, report only here"
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

63
bin/hardening/13.12_users_valid_homedir.sh Executable file
View File

@ -0,0 +1,63 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 13.12 Check That Users Are Assigned Valid Home Directories (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
ERRORS=0
# This function will be called if the script status is on enabled / audit mode
audit () {
RESULT=$(cat /etc/passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
for LINE in $RESULT; do
debug "Working on $LINE"
USER=$(awk -F: {'print $1'} <<< $LINE)
USERID=$(awk -F: {'print $2'} <<< $LINE)
DIR=$(awk -F: {'print $3'} <<< $LINE)
if [ $USERID -ge 1000 -a ! -d "$DIR" -a $USER != "nfsnobody" -a $USER != "nobody" ]; then
crit "The home directory ($DIR) of user $USER does not exist."
ERRORS=$((ERRORS+1))
fi
done
if [ $ERRORS = 0 ]; then
ok "All home directories exists"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
info "Modifying home directories may seriously harm your system, report only here"
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

74
bin/hardening/13.13_check_user_homedir_ownership.sh Executable file
View File

@ -0,0 +1,74 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 13.13 Check User Home Directory Ownership (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
ERRORS=0
# This function will be called if the script status is on enabled / audit mode
audit () {
RESULT=$(cat /etc/passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
for LINE in $RESULT; do
debug "Working on $LINE"
USER=$(awk -F: {'print $1'} <<< $LINE)
USERID=$(awk -F: {'print $2'} <<< $LINE)
DIR=$(awk -F: {'print $3'} <<< $LINE)
if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" ]; then
OWNER=$(stat -L -c "%U" "$DIR")
if [ "$OWNER" != "$USER" ]; then
crit "The home directory ($DIR) of user $USER is owned by $OWNER."
ERRORS=$((ERRORS+1))
fi
fi
done
if [ $ERRORS = 0 ]; then
ok "All home directories have correct ownership"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
cat /etc/passwd | awk -F: '{ print $1 " " $3 " " $6 }' | while read USER USERID DIR; do
if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" ]; then
OWNER=$(stat -L -c "%U" "$DIR")
if [ "$OWNER" != "$USER" ]; then
warn "The home directory ($DIR) of user $USER is owned by $OWNER."
chown $USER $DIR
fi
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

63
bin/hardening/13.14_check_duplicate_uid.sh Executable file
View File

@ -0,0 +1,63 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 13.14 Check for Duplicate UIDs (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
ERRORS=0
# This function will be called if the script status is on enabled / audit mode
audit () {
RESULT=$(cat /etc/passwd | cut -f3 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
for LINE in $RESULT; do
debug "Working on line $LINE"
OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
USERID=$(awk -F: {'print $2'} <<< $LINE)
if [ $OCC_NUMBER -gt 1 ]; then
USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERID /etc/passwd | xargs)
ERRORS=$((ERRORS+1))
crit "Duplicate UID ($USERID): ${USERS}"
fi
done
if [ $ERRORS = 0 ]; then
ok "No duplicate UIDs"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
info "Editing automatically uids may seriously harm your system, report only here"
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

63
bin/hardening/13.15_check_duplicate_gid.sh Executable file
View File

@ -0,0 +1,63 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 13.15 Check for Duplicate GIDs (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
ERRORS=0
# This function will be called if the script status is on enabled / audit mode
audit () {
RESULT=$(cat /etc/group | cut -f3 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
for LINE in $RESULT; do
debug "Working on line $LINE"
OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
GROUPID=$(awk -F: {'print $2'} <<< $LINE)
if [ $OCC_NUMBER -gt 1 ]; then
USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPID /etc/passwd | xargs)
ERRORS=$((ERRORS+1))
crit "Duplicate GID ($GROUPID): ${USERS}"
fi
done
if [ $ERRORS = 0 ]; then
ok "No duplicate GIDs"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
info "Editing automatically gids may seriously harm your system, report only here"
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

63
bin/hardening/13.16_check_duplicate_username.sh Executable file
View File

@ -0,0 +1,63 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 13.16 Check for Duplicate User Names (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
ERRORS=0
# This function will be called if the script status is on enabled / audit mode
audit () {
RESULT=$(cat /etc/passwd | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
for LINE in $RESULT; do
debug "Working on line $LINE"
OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
USERNAME=$(awk -F: {'print $2'} <<< $LINE)
if [ $OCC_NUMBER -gt 1 ]; then
USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERNAME /etc/passwd | xargs)
ERRORS=$((ERRORS+1))
crit "Duplicate username $USERNAME"
fi
done
if [ $ERRORS = 0 ]; then
ok "No duplicate usernames"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
info "Editing automatically username may seriously harm your system, report only here"
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

63
bin/hardening/13.17_check_duplicate_groupname.sh Executable file
View File

@ -0,0 +1,63 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 13.17 Check for Duplicate Group Names (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
ERRORS=0
# This function will be called if the script status is on enabled / audit mode
audit () {
RESULT=$(cat /etc/group | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
for LINE in $RESULT; do
debug "Working on line $LINE"
OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
GROUPNAME=$(awk -F: {'print $2'} <<< $LINE)
if [ $OCC_NUMBER -gt 1 ]; then
USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPNAME /etc/passwd | xargs)
ERRORS=$((ERRORS+1))
crit "Duplicate groupname $GROUPNAME"
fi
done
if [ $ERRORS = 0 ]; then
ok "No duplicate groupnames"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
info "Editing automatically groupname may seriously harm your system, report only here"
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

62
bin/hardening/13.18_find_user_netrc_files.sh Executable file
View File

@ -0,0 +1,62 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 13.18 Check for Presence of User .netrc Files (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
ERRORS=0
FILENAME='.netrc'
# This function will be called if the script status is on enabled / audit mode
audit () {
for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
debug "Working on $DIR"
for FILE in $DIR/$FILENAME; do
if [ ! -h "$FILE" -a -f "$FILE" ]; then
crit "$FILE present"
ERRORS=$((ERRORS+1))
fi
done
done
if [ $ERRORS = 0 ]; then
ok "No $FILENAME present in users home directory"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
info "If the audit returns something, please check with the user why he has this file"
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

62
bin/hardening/13.19_find_user_forward_files.sh Executable file
View File

@ -0,0 +1,62 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 13.19 Check for Presence of User .forward Files (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
ERRORS=0
FILENAME='.forward'
# This function will be called if the script status is on enabled / audit mode
audit () {
for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
debug "Working on $DIR"
for FILE in $DIR/$FILENAME; do
if [ ! -h "$FILE" -a -f "$FILE" ]; then
crit "$FILE present"
ERRORS=$((ERRORS+1))
fi
done
done
if [ $ERRORS = 0 ]; then
ok "No $FILENAME present in users home directory"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
info "If the audit returns something, please check with the user why he has this file"
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

65
bin/hardening/13.1_remove_empty_password_field.sh Executable file
View File

@ -0,0 +1,65 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 13.1 Ensure Password Fields are Not Empty (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/shadow'
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if accounts have an empty password"
RESULT=$($SUDO_CMD cat $FILE | awk -F: '($2 == "" ) { print $1 }')
if [ ! -z "$RESULT" ]; then
crit "Some accounts have an empty password"
crit $RESULT
else
ok "All accounts have a password"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
RESULT=$(cat $FILE | awk -F: '($2 == "" ) { print $1 }')
if [ ! -z "$RESULT" ]; then
warn "Some accounts have an empty password"
for ACCOUNT in $RESULT; do
info "Locking $ACCOUNT"
passwd -l $ACCOUNT >/dev/null 2>&1
done
else
ok "All accounts have a password"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

72
bin/hardening/13.20_shadow_group_empty.sh Executable file
View File

@ -0,0 +1,72 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 13.20 Ensure shadow group is empty (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
ERRORS=0
FILEGROUP='/etc/group'
PATTERN='^shadow:x:[[:digit:]]+:'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_pattern_exist_in_file $FILEGROUP $PATTERN
if [ $FNRET = 0 ]; then
info "shadow group exists"
RESULT=$(grep -E "$PATTERN" $FILEGROUP | cut -d: -f4)
GROUPID=$(getent group shadow | cut -d: -f3)
debug "$RESULT $GROUPID"
if [ ! -z "$RESULT" ]; then
crit "Some users belong to shadow group: $RESULT"
else
ok "No user belongs to shadow group"
fi
info "Checking if a user has $GROUPID as primary group"
RESULT=$(awk -F: '($4 == shadowid) { print $1 }' shadowid=$GROUPID /etc/passwd)
if [ ! -z "$RESULT" ]; then
crit "Some users have shadow id as their primary group: $RESULT"
else
ok "No user has shadow id as their primary group"
fi
else
crit "shadow group doesn't exist"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
info "Editing automatically users/groups may seriously harm your system, report only here"
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

66
bin/hardening/13.2_remove_legacy_passwd_entries.sh Executable file
View File

@ -0,0 +1,66 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 13.2 Verify No Legacy "+" Entries Exist in /etc/passwd File (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/passwd'
RESULT=''
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if accounts have a legacy password entry"
if grep '^+:' $FILE -q; then
RESULT=$(grep '^+:' $FILE)
crit "Some accounts have a legacy password entry"
crit $RESULT
else
ok "All accounts have a valid password entry format"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if grep '^+:' $FILE -q; then
RESULT=$(grep '^+:' $FILE)
warn "Some accounts have a legacy password entry"
for LINE in $RESULT; do
info "Removing $LINE from $FILE"
delete_line_in_file $FILE $LINE
done
else
ok "All accounts have a valid password entry format"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

66
bin/hardening/13.3_remove_legacy_shadow_entries.sh Executable file
View File

@ -0,0 +1,66 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 13.3 Verify No Legacy "+" Entries Exist in /etc/shadow File (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/shadow'
RESULT=''
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if accounts have a legacy password entry"
if $SUDO_CMD grep '^+:' $FILE -q; then
RESULT=$(grep '^+:' $FILE)
crit "Some accounts have a legacy password entry"
crit $RESULT
else
ok "All accounts have a valid password entry format"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if grep '^+:' $FILE -q; then
RESULT=$(grep '^+:' $FILE)
warn "Some accounts have a legacy password entry"
for LINE in $RESULT; do
info "Removing $LINE from $FILE"
delete_line_in_file $FILE $LINE
done
else
ok "All accounts have a valid password entry format"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

66
bin/hardening/13.4_remove_legacy_group_entries.sh Executable file
View File

@ -0,0 +1,66 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 13.4 Verify No Legacy "+" Entries Exist in /etc/group File (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/group'
RESULT=''
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if accounts have a legacy group entry"
if grep '^+:' $FILE -q; then
RESULT=$(grep '^+:' $FILE)
crit "Some accounts have a legacy group entry"
crit $RESULT
else
ok "All accounts have a valid group entry format"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if grep '^+:' $FILE -q; then
RESULT=$(grep '^+:' $FILE)
warn "Some accounts have a legacy group entry"
for LINE in $RESULT; do
info "Removing $LINE from $FILE"
delete_line_in_file $FILE $LINE
done
else
ok "All accounts have a valid group entry format"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

79
bin/hardening/13.5_find_0_uid_non_root_account.sh Executable file
View File

@ -0,0 +1,79 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 13.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
FILE='/etc/passwd'
RESULT=''
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if accounts have uid 0"
RESULT=$(cat $FILE | awk -F: '($3 == 0 && $1!="root" ) { print $1 }')
for ACCOUNT in $RESULT; do
debug "Account : $ACCOUNT"
debug "Exceptions : $EXCEPTIONS"
debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then
debug "$ACCOUNT is confirmed as an exception"
RESULT=$(sed "s!$ACCOUNT!!" <<< "$RESULT")
else
debug "$ACCOUNT not found in exceptions"
fi
done
if [ ! -z "$RESULT" ]; then
crit "Some accounts have uid 0"
crit $RESULT
else
ok "No account with uid 0 appart from root and potential configured exceptions"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
info "Removing accounts with uid 0 may seriously harm your system, report only here"
}
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=disabled
# Put here valid accounts with uid 0 separated by spaces
EXCEPTIONS=""
EOF
}
# This function will check config parameters required
check_config() {
if [ -z "$EXCEPTIONS" ]; then
EXCEPTIONS="@"
fi
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

89
bin/hardening/13.6_sanitize_root_path.sh Executable file
View File

@ -0,0 +1,89 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 13.6 Ensure root PATH Integrity (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
ERRORS=0
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ "`echo $PATH | grep :: `" != "" ]; then
crit "Empty Directory in PATH (::)"
ERRORS=$((ERRORS+1))
fi
if [ "`echo $PATH | grep :$`" != "" ]; then
crit "Trailing : in PATH $PATH"
ERRORS=$((ERRORS+1))
fi
FORMATTED_PATH=$(echo $PATH | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g')
set -- $FORMATTED_PATH
while [ "${1:-}" != "" ]; do
if [ "$1" = "." ]; then
crit "PATH contains ."
ERRORS=$((ERRORS+1))
else
if [ -d $1 ]; then
dirperm=$(ls -ldH $1 | cut -f1 -d" ")
if [ $(echo $dirperm | cut -c6 ) != "-" ]; then
crit "Group Write permission set on directory $1"
ERRORS=$((ERRORS+1))
fi
if [ $(echo $dirperm | cut -c9 ) != "-" ]; then
crit "Other Write permission set on directory $1"
ERRORS=$((ERRORS+1))
fi
dirown=$(ls -ldH $1 | awk '{print $3}')
if [ "$dirown" != "root" ] ; then
crit "$1 is not owned by root"
ERRORS=$((ERRORS+1))
fi
else
crit "$1 is not a directory"
ERRORS=$((ERRORS+1))
fi
fi
shift
done
if [ $ERRORS = 0 ]; then
ok "root PATH is secure"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
info "Editing items from PATH may seriously harm your system, report only here"
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

123
bin/hardening/13.7_check_user_dir_perm.sh Executable file
View File

@ -0,0 +1,123 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 13.7 Check Permissions on User Home Directories (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
ERRORS=0
# This function will be called if the script status is on enabled / audit mode
audit () {
for dir in $(cat /etc/passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
debug "Working on $dir"
debug "Exceptions : $EXCEPTIONS"
debug "echo \"$EXCEPTIONS\" | grep -q $dir"
if echo "$EXCEPTIONS" | grep -q $dir; then
debug "$dir is confirmed as an exception"
RESULT=$(sed "s!$dir!!" <<< "$RESULT")
else
debug "$dir not found in exceptions"
fi
if [ -d $dir ]; then
dirperm=$(/bin/ls -ld $dir | cut -f1 -d" ")
if [ $(echo $dirperm | cut -c6 ) != "-" ]; then
crit "Group Write permission set on directory $dir"
ERRORS=$((ERRORS+1))
fi
if [ $(echo $dirperm | cut -c8 ) != "-" ]; then
crit "Other Read permission set on directory $dir"
ERRORS=$((ERRORS+1))
fi
if [ $(echo $dirperm | cut -c9 ) != "-" ]; then
crit "Other Write permission set on directory $dir"
ERRORS=$((ERRORS+1))
fi
if [ $(echo $dirperm | cut -c10 ) != "-" ]; then
crit "Other Execute permission set on directory $dir"
ERRORS=$((ERRORS+1))
fi
fi
done
if [ $ERRORS = 0 ]; then
ok "No incorrect permissions on home directories"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
for dir in $(cat /etc/passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
debug "Working on $dir"
debug "Exceptions : $EXCEPTIONS"
debug "echo \"$EXCEPTIONS\" | grep -q $dir"
if echo "$EXCEPTIONS" | grep -q $dir; then
debug "$dir is confirmed as an exception"
RESULT=$(sed "s!$dir!!" <<< "$RESULT")
else
debug "$dir not found in exceptions"
fi
if [ -d $dir ]; then
dirperm=$(/bin/ls -ld $dir | cut -f1 -d" ")
if [ $(echo $dirperm | cut -c6 ) != "-" ]; then
warn "Group Write permission set on directory $dir"
chmod g-w $dir
fi
if [ $(echo $dirperm | cut -c8 ) != "-" ]; then
warn "Other Read permission set on directory $dir"
chmod o-r $dir
fi
if [ $(echo $dirperm | cut -c9 ) != "-" ]; then
warn "Other Write permission set on directory $dir"
chmod o-w $dir
fi
if [ $(echo $dirperm | cut -c10 ) != "-" ]; then
warn "Other Execute permission set on directory $dir"
chmod o-x $dir
fi
fi
done
}
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=disabled
# Put here user home directories exceptions, separated by spaces
EXCEPTIONS=""
EOF
}
# This function will check config parameters required
check_config() {
if [ -z "$EXCEPTIONS" ]; then
EXCEPTIONS="@"
fi
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

82
bin/hardening/13.8_check_user_dot_file_perm.sh Executable file
View File

@ -0,0 +1,82 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 13.8 Check User Dot File Permissions (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
ERRORS=0
# This function will be called if the script status is on enabled / audit mode
audit () {
for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
debug "Working on $DIR"
for FILE in $DIR/.[A-Za-z0-9]*; do
if [ ! -h "$FILE" -a -f "$FILE" ]; then
FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")
if [ $(echo $FILEPERM | cut -c6) != "-" ]; then
crit "Group Write permission set on FILE $FILE"
ERRORS=$((ERRORS+1))
fi
if [ $(echo $FILEPERM | cut -c9) != "-" ]; then
crit "Other Write permission set on FILE $FILE"
ERRORS=$((ERRORS+1))
fi
fi
done
done
if [ $ERRORS = 0 ]; then
ok "Dot file permission in users directories are correct"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
for FILE in $DIR/.[A-Za-z0-9]*; do
if [ ! -h "$FILE" -a -f "$FILE" ]; then
FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")
if [ $(echo $FILEPERM | cut -c6) != "-" ]; then
warn "Group Write permission set on FILE $FILE"
chmod g-w $FILE
fi
if [ $(echo $FILEPERM | cut -c9) != "-" ]; then
warn "Other Write permission set on FILE $FILE"
chmod o-w $FILE
fi
fi
done
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

81
bin/hardening/13.9_set_perm_on_user_netrc.sh Executable file
View File

@ -0,0 +1,81 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 13.9 Check Permissions on User .netrc Files (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
PERMISSIONS="600"
ERRORS=0
# This function will be called if the script status is on enabled / audit mode
audit () {
for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
debug "Working on $DIR"
for FILE in $DIR/.netrc; do
if [ ! -h "$FILE" -a -f "$FILE" ]; then
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
ERRORS=$((ERRORS+1))
fi
fi
done
done
if [ $ERRORS = 0 ]; then
ok "permission $PERMISSIONS set on .netrc users files"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
debug "Working on $DIR"
for FILE in $DIR/.netrc; do
if [ ! -h "$FILE" -a -f "$FILE" ]; then
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
warn "$FILE permissions were not set to $PERMISSIONS"
chmod 600 $FILE
fi
fi
done
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

86
bin/hardening/2.10_home_nodev.sh Executable file
View File

@ -0,0 +1,86 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 2.10 Add nodev Option to /home (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Quick factoring as many script use the same logic
PARTITION="/home"
OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
elif [ $FNRET = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

74
bin/hardening/2.11_removable_device_nodev.sh Executable file
View File

@ -0,0 +1,74 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 2.11 Add nodev Option to Removable Media Partitions (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
# Quick factoring as many script use the same logic
PARTITION="/media\S*"
OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying if there is $PARTITION like partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
ok "There is no partition like $PARTITION"
FNRET=0
else
info "detected $PARTITION like"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

74
bin/hardening/2.12_removable_device_noexec.sh Executable file
View File

@ -0,0 +1,74 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 2.12 Add noexec Option to Removable Media Partitions (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
# Quick factoring as many script use the same logic
PARTITION="/media\S*"
OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying if there is $PARTITION like partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
ok "There is no partition like $PARTITION"
FNRET=0
else
info "detected $PARTITION like"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

74
bin/hardening/2.13_removable_device_nosuid.sh Executable file
View File

@ -0,0 +1,74 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 2.13 Add nosuid Option to Removable Media Partitions (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
# Quick factoring as many script use the same logic
PARTITION="/media\S*"
OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying if there is $PARTITION like partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
ok "There is no partition like $PARTITION"
FNRET=0
else
info "detected $PARTITION like"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

86
bin/hardening/2.14_run_shm_nodev.sh Executable file
View File

@ -0,0 +1,86 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 2.14 Add nodev Option to /run/shm Partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Quick factoring as many script use the same logic
PARTITION="/run/shm"
OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
elif [ $FNRET = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

86
bin/hardening/2.15_run_shm_nosuid.sh Executable file
View File

@ -0,0 +1,86 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 2.15 Add nosuid Option to /run/shm Partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Quick factoring as many script use the same logic
PARTITION="/run/shm"
OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
elif [ $FNRET = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

86
bin/hardening/2.16_run_shm_noexec.sh Executable file
View File

@ -0,0 +1,86 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 2.16 Add noexec Option to /run/shm Partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
# Quick factoring as many script use the same logic
PARTITION="/run/shm"
OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
elif [ $FNRET = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

61
bin/hardening/2.17_sticky_bit_world_writable_folder.sh Executable file
View File

@ -0,0 +1,61 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 2.17 Set Sticky Bit on All World-Writable Directories (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if setuid is set on world writable Directories"
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then
crit "Some world writable directories are not on sticky bit mode!"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT"
else
ok "All world writable directories have a sticky bit"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
else
ok "All world writable directories have a sticky bit, nothing to apply"
fi
}
# This function will check config parameters required
check_config() {
# No param for this function
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

63
bin/hardening/2.18_disable_cramfs.sh Executable file
View File

@ -0,0 +1,63 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 2.18 Disable Mounting of cramfs Filesystems (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
KERNEL_OPTION="CONFIG_CRAMFS"
MODULE_NAME="cramfs"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
else
ok "$KERNEL_OPTION is disabled"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_kernel_option_enabled $KERNEL_OPTION
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
else
ok "$KERNEL_OPTION is disabled, nothing to do"
fi
:
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

63
bin/hardening/2.19_disable_freevxfs.sh Executable file
View File

@ -0,0 +1,63 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 2.19 Disable Mounting of freevxfs Filesystems (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
KERNEL_OPTION="CONFIG_VXFS_FS"
MODULE_NAME="freevxfs"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
else
ok "$KERNEL_OPTION is disabled"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_kernel_option_enabled $KERNEL_OPTION
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
else
ok "$KERNEL_OPTION is disabled, nothing to do"
fi
:
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

75
bin/hardening/2.1_tmp_partition.sh Executable file
View File

@ -0,0 +1,75 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 2.1 Create Separate Partition for /tmp (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
# Quick factoring as many script use the same logic
PARTITION="/tmp"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
is_mounted "$PARTITION"
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted"
FNRET=1
else
ok "$PARTITION is mounted"
fi
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
else
info "mounting $PARTITION"
mount $PARTITION
fi
}
# This function will check config parameters required
check_config() {
# No parameter for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

63
bin/hardening/2.20_disable_jffs2.sh Executable file
View File

@ -0,0 +1,63 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 2.20 Disable Mounting of jffs2 Filesystems (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
KERNEL_OPTION="CONFIG_JFFS2_FS"
MODULE_NAME="jffs2"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
else
ok "$KERNEL_OPTION is disabled"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_kernel_option_enabled $KERNEL_OPTION
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
else
ok "$KERNEL_OPTION is disabled, nothing to do"
fi
:
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

63
bin/hardening/2.21_disable_hfs.sh Executable file
View File

@ -0,0 +1,63 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 2.21 Disable Mounting of hfs Filesystems (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
KERNEL_OPTION="CONFIG_HFS_FS"
MODULE_FILE="hfs"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
else
ok "$KERNEL_OPTION is disabled"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_kernel_option_enabled $KERNEL_OPTION
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
else
ok "$KERNEL_OPTION is disabled, nothing to do"
fi
:
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

63
bin/hardening/2.22_disable_hfsplus.sh Executable file
View File

@ -0,0 +1,63 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 2.22 Disable Mounting of hfsplus Filesystems (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
KERNEL_OPTION="CONFIG_HFSPLUS_FS"
MODULE_FILE="hfsplus"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
else
ok "$KERNEL_OPTION is disabled"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_kernel_option_enabled $KERNEL_OPTION
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
else
ok "$KERNEL_OPTION is disabled, nothing to do"
fi
:
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

63
bin/hardening/2.23_disable_squashfs.sh Executable file
View File

@ -0,0 +1,63 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 2.23 Disable Mounting of squashfs Filesystems (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
KERNEL_OPTION="CONFIG_SQUASHFS"
MODULE_FILE="squashfs"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
else
ok "$KERNEL_OPTION is disabled"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_kernel_option_enabled $KERNEL_OPTION
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
else
ok "$KERNEL_OPTION is disabled, nothing to do"
fi
:
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

63
bin/hardening/2.24_disable_udf.sh Executable file
View File

@ -0,0 +1,63 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 2.24 Disable Mounting of udf Filesystems (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
KERNEL_OPTION="CONFIG_UDF_FS"
MODULE_FILE="udf"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
else
ok "$KERNEL_OPTION is disabled"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_kernel_option_enabled $KERNEL_OPTION
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
else
ok "$KERNEL_OPTION is disabled, nothing to do"
fi
:
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

62
bin/hardening/2.25_disable_automounting.sh Executable file
View File

@ -0,0 +1,62 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 2.25 Disable Automounting (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
SERVICE_NAME="autofs"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if $SERVICE_NAME is enabled"
is_service_enabled $SERVICE_NAME
if [ $FNRET = 0 ]; then
crit "$SERVICE_NAME is enabled"
else
ok "$SERVICE_NAME is disabled"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
info "Checking if $SERVICE_NAME is enabled"
is_service_enabled $SERVICE_NAME
if [ $FNRET = 0 ]; then
info "Disabling $SERVICE_NAME"
update-rc.d $SERVICE_NAME remove > /dev/null 2>&1
else
ok "$SERVICE_NAME is disabled"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

86
bin/hardening/2.2_tmp_nodev.sh Executable file
View File

@ -0,0 +1,86 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 2.2 Set nodev option for /tmp Partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Quick factoring as many script use the same logic
PARTITION="/tmp"
OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
elif [ $FNRET = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

86
bin/hardening/2.3_tmp_nosuid.sh Executable file
View File

@ -0,0 +1,86 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 2.3 Set nosuid option for /tmp Partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Quick factoring as many script use the same logic
PARTITION="/tmp"
OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
elif [ $FNRET = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

86
bin/hardening/2.4_tmp_noexec.sh Executable file
View File

@ -0,0 +1,86 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 2.4 Set noexec option for /tmp Partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
# Quick factoring as many script use the same logic
PARTITION="/tmp"
OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
elif [ $FNRET = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

75
bin/hardening/2.5_var_partition.sh Executable file
View File

@ -0,0 +1,75 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 2.5 Create Separate Partition for /var (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
# Quick factoring as many script use the same logic
PARTITION="/var"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
is_mounted "$PARTITION"
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted"
FNRET=1
else
ok "$PARTITION is mounted"
fi
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
else
info "mounting $PARTITION"
mount $PARTITION
fi
}
# This function will check config parameters required
check_config() {
# No parameter for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

75
bin/hardening/2.6.1_var_tmp_partition.sh Executable file
View File

@ -0,0 +1,75 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 2.6.1 Create Separate Partition for /var/tmp (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
# Quick factoring as many script use the same logic
PARTITION="/var/tmp"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
is_mounted "$PARTITION"
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted"
FNRET=1
else
ok "$PARTITION is mounted"
fi
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
else
info "mounting $PARTITION"
mount $PARTITION
fi
}
# This function will check config parameters required
check_config() {
# No parameter for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

86
bin/hardening/2.6.2_var_tmp_nodev.sh Executable file
View File

@ -0,0 +1,86 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 2.6.2 Set nodev option for /var/tmp Partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Quick factoring as many script use the same logic
PARTITION="/var/tmp"
OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
elif [ $FNRET = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

86
bin/hardening/2.6.3_var_tmp_nosuid.sh Executable file
View File

@ -0,0 +1,86 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 2.6.3 Set nosuid option for /var/tmp Partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Quick factoring as many script use the same logic
PARTITION="/var/tmp"
OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
elif [ $FNRET = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

86
bin/hardening/2.6.4_var_tmp_noexec.sh Executable file
View File

@ -0,0 +1,86 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 2.6.4 Set noexec option for /var/tmp Partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
# Quick factoring as many script use the same logic
PARTITION="/var/tmp"
OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!"
FNRET=1
else
ok "$PARTITION has $OPTION in fstab"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
elif [ $FNRET = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

75
bin/hardening/2.7_var_log_partition.sh Executable file
View File

@ -0,0 +1,75 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 2.7 Create Separate Partition for /var/log (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
# Quick factoring as many script use the same logic
PARTITION="/var/log"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
is_mounted "$PARTITION"
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted"
FNRET=1
else
ok "$PARTITION is mounted"
fi
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
else
info "mounting $PARTITION"
mount $PARTITION
fi
}
# This function will check config parameters required
check_config() {
# No parameter for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

75
bin/hardening/2.8_var_log_audit_partition.sh Executable file
View File

@ -0,0 +1,75 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 2.8 Create Separate Partition for /var/log/audit (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=4
# Quick factoring as many script use the same logic
PARTITION="/var/log/audit"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
is_mounted "$PARTITION"
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted"
FNRET=1
else
ok "$PARTITION is mounted"
fi
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
else
info "mounting $PARTITION"
mount $PARTITION
fi
}
# This function will check config parameters required
check_config() {
# No parameter for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

75
bin/hardening/2.9_home_partition.sh Executable file
View File

@ -0,0 +1,75 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 2.9 Create Separate Partition for /home (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
# Quick factoring as many script use the same logic
PARTITION="/home"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
is_mounted "$PARTITION"
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted"
FNRET=1
else
ok "$PARTITION is mounted"
fi
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
else
info "mounting $PARTITION"
mount $PARTITION
fi
}
# This function will check config parameters required
check_config() {
# No parameter for this script
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

84
bin/hardening/3.1_bootloader_ownership.sh Executable file
View File

@ -0,0 +1,84 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 3.1 Set User/Group Owner on bootloader config (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
# Assertion : Grub Based.
FILE='/boot/grub/grub.cfg'
USER='root'
GROUP='root'
# This function will be called if the script status is on enabled / audit mode
audit () {
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
info "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE
fi
}
# This function will check config parameters required
check_config() {
is_pkg_installed "grub-pc"
if [ $FNRET != 0 ]; then
warn "Grub is not installed, not handling configuration"
exit 128
fi
does_user_exist $USER
if [ $FNRET != 0 ]; then
crit "$USER does not exist"
exit 128
fi
does_group_exist $GROUP
if [ $FNRET != 0 ]; then
crit "$GROUP does not exist"
exit 128
fi
does_file_exist $FILE
if [ $FNRET != 0 ]; then
crit "$FILE does not exist"
exit 128
fi
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

71
bin/hardening/3.2_bootloader_permissions.sh Executable file
View File

@ -0,0 +1,71 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 3.2 Set Permissions on bootloader config (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
# Assertion : Grub Based.
FILE='/boot/grub/grub.cfg'
PERMISSIONS='400'
# This function will be called if the script status is on enabled / audit mode
audit () {
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0$PERMISSIONS $FILE
fi
}
# This function will check config parameters required
check_config() {
is_pkg_installed "grub-pc"
if [ $FNRET != 0 ]; then
warn "grub-pc is not installed, not handling configuration"
exit 128
fi
if [ $FNRET != 0 ]; then
crit "$FILE does not exist"
exit 128
fi
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

82
bin/hardening/3.3_bootloader_password.sh Executable file
View File

@ -0,0 +1,82 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 3.3 Set Boot Loader Password (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
FILE='/boot/grub/grub.cfg'
USER_PATTERN="^set superusers"
PWD_PATTERN="^password_pbkdf2"
# This function will be called if the script status is on enabled / audit mode
audit () {
does_pattern_exist_in_file $FILE "$USER_PATTERN"
if [ $FNRET != 0 ]; then
crit "$USER_PATTERN not present in $FILE"
else
ok "$USER_PATTERN is present in $FILE"
fi
does_pattern_exist_in_file $FILE "$PWD_PATTERN"
if [ $FNRET != 0 ]; then
crit "$PWD_PATTERN not present in $FILE"
else
ok "$PWD_PATTERN is present in $FILE"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_pattern_exist_in_file $FILE "$USER_PATTERN"
if [ $FNRET != 0 ]; then
warn "$USER_PATTERN not present in $FILE, please configure password for grub"
else
ok "$USER_PATTERN is present in $FILE"
fi
does_pattern_exist_in_file $FILE "$PWD_PATTERN"
if [ $FNRET != 0 ]; then
warn "$PWD_PATTERN not present in $FILE, please configure password for grub"
else
ok "$PWD_PATTERN is present in $FILE"
fi
:
}
# This function will check config parameters required
check_config() {
is_pkg_installed "grub-pc"
if [ $FNRET != 0 ]; then
warn "grub-pc is not installed, not handling configuration"
exit 128
fi
if [ $FNRET != 0 ]; then
crit "$FILE does not exist"
exit 128
fi
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

61
bin/hardening/3.4_root_password.sh Executable file
View File

@ -0,0 +1,61 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 3.4 Require Authentication for Single-User Mode (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
FILE="/etc/shadow"
PATTERN="^root:[*\!]:"
# This function will be called if the script status is on enabled / audit mode
audit () {
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET != 1 ]; then
crit "$PATTERN is present in $FILE"
else
ok "$PATTERN is not present in $FILE"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET != 1 ]; then
warn "$PATTERN is present in $FILE, please put a root password"
else
ok "$PATTERN is not present in $FILE"
fi
:
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

81
bin/hardening/4.1_restrict_core_dumps.sh Executable file
View File

@ -0,0 +1,81 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 4.1 Restrict Core Dumps (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
LIMIT_FILE='/etc/security/limits.conf'
LIMIT_PATTERN='^\*[[:space:]]*hard[[:space:]]*core[[:space:]]*0$'
SYSCTL_PARAM='fs.suid_dumpable'
SYSCTL_EXP_RESULT=0
# This function will be called if the script status is on enabled / audit mode
audit () {
does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN
if [ $FNRET != 0 ]; then
crit "$LIMIT_PATTERN not present in $LIMIT_FILE"
else
ok "$LIMIT_PATTERN present in $LIMIT_FILE"
fi
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ $FNRET != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN
if [ $FNRET != 0 ]; then
warn "$LIMIT_PATTERN not present in $LIMIT_FILE, adding at the end of $LIMIT_FILE"
add_end_of_file $LIMIT_FILE "* hard core 0"
else
ok "$LIMIT_PATTERN present in $LIMIT_FILE"
fi
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ $FNRET != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

83
bin/hardening/4.2_enable_nx_support.sh Executable file
View File

@ -0,0 +1,83 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 4.2 Enable XD/NX Support on 32-bit x86 Systems (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
PATTERN='NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:space:]]active'
# Check if the NX bit is supported and noexec=off hasn't been asked
nx_supported_and_enabled() {
if grep -q ' nx ' /proc/cpuinfo; then
# NX supported, but if noexec=off specified, it's not enabled
if $SUDO_CMD grep -qi 'noexec=off' /proc/cmdline; then
FNRET=1 # supported but disabled
else
FNRET=0 # supported and enabled
fi
else
FNRET=1 # not supported
fi
}
# This function will be called if the script status is on enabled / audit mode
audit () {
does_pattern_exist_in_dmesg $PATTERN
if [ $FNRET != 0 ]; then
nx_supported_and_enabled
if [ $FNRET != 0 ]; then
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
else
ok "NX is supported and enabled"
fi
else
ok "$PATTERN is present in dmesg"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_pattern_exist_in_dmesg $PATTERN
if [ $FNRET != 0 ]; then
nx_supported_and_enabled
if [ $FNRET != 0 ]; then
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
else
ok "NX is supported and enabled"
fi
else
ok "$PATTERN is present in dmesg"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

65
bin/hardening/4.3_enable_randomized_vm_placement.sh Executable file
View File

@ -0,0 +1,65 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 4.3 Enable Randomized Virtual Memory Region Placement (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
SYSCTL_PARAM='kernel.randomize_va_space'
SYSCTL_EXP_RESULT=2
# This function will be called if the script status is on enabled / audit mode
audit () {
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

64
bin/hardening/4.4_disable_prelink.sh Executable file
View File

@ -0,0 +1,64 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 4.4 Disable Prelink (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
PACKAGE='prelink'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed!"
else
ok "$PACKAGE is absent"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
/usr/sbin/prelink -ua
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
:
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

61
bin/hardening/4.5_enable_apparmor.sh Executable file
View File

@ -0,0 +1,61 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 4.5 Activate AppArmor (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
PACKAGE='apparmor'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is absent!"
else
ok "$PACKAGE is installed"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed, please install $PACKAGE and configure it"
else
ok "$PACKAGE is installed"
fi
:
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

62
bin/hardening/5.1.1_disable_nis.sh Executable file
View File

@ -0,0 +1,62 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 5.1.1 Ensure NIS is not installed (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
PACKAGE='nis'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed!"
else
ok "$PACKAGE is absent"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

94
bin/hardening/5.1.2_disable_rsh.sh Executable file
View File

@ -0,0 +1,94 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 5.1.2 Ensure rsh server is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Based on aptitude search '~Prsh-server'
PACKAGES='rsh-server rsh-redone-server heimdal-servers'
FILE='/etc/inetd.conf'
PATTERN='^(shell|login|exec)'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, checking configuration"
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, $PACKAGE services are enabled!"
else
ok "$PATTERN is not present in $FILE"
fi
fi
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN is not present in $FILE"
fi
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

66
bin/hardening/5.1.3_disable_rsh_client.sh Executable file
View File

@ -0,0 +1,66 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 5.1.3 Ensure rsh client is not installed (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Based on aptitude search '~Prsh-client', exluding ssh-client OFC
PACKAGES='rsh-client rsh-redone-client heimdal-clients'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed"
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, purging"
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

93
bin/hardening/5.1.4_disable_talk.sh Executable file
View File

@ -0,0 +1,93 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 5.1.4 Ensure talk server is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
PACKAGES='inetutils-talkd talkd'
FILE='/etc/inetd.conf'
PATTERN='^(talk|ntalk)'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, checking configuration"
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, $PACKAGE services are enabled!"
else
ok "$PATTERN is not present in $FILE"
fi
fi
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN is not present in $FILE"
fi
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

65
bin/hardening/5.1.5_disable_talk_client.sh Executable file
View File

@ -0,0 +1,65 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 5.1.5 Ensure talk client is not installed (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
PACKAGES='talk inetutils-talk'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed"
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, purging"
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

94
bin/hardening/5.1.6_disable_telnet_server.sh Executable file
View File

@ -0,0 +1,94 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 5.1.6 Ensure telnet server is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Based on aptitude search '~Ptelnet-server'
PACKAGES='telnetd inetutils-telnetd telnetd-ssl krb5-telnetd heimdal-servers'
FILE='/etc/inetd.conf'
PATTERN='^telnet'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, checking configuration"
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, $PACKAGE services are enabled!"
else
ok "$PATTERN is not present in $FILE"
fi
fi
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN is not present in $FILE"
fi
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

93
bin/hardening/5.1.7_disable_tftp_server.sh Executable file
View File

@ -0,0 +1,93 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 5.1.7 Ensure tftp-server is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
PACKAGES='tftpd tftpd-hpa atftpd'
FILE='/etc/inetd.conf'
PATTERN='^tftp'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, checking configuration"
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, $PACKAGE services are enabled!"
else
ok "$PATTERN is not present in $FILE"
fi
fi
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN is not present in $FILE"
fi
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

65
bin/hardening/5.1.8_disable_inetd.sh Executable file
View File

@ -0,0 +1,65 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 5.1.8 Ensure xinetd is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
PACKAGES='openbsd-inetd xinetd rlinetd'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed"
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, purging"
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

74
bin/hardening/5.2_disable_chargen.sh Executable file
View File

@ -0,0 +1,74 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 5.2 Ensure chargen is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
FILE='/etc/inetd.conf'
PATTERN='^chargen'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, chargen service is enabled!"
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

74
bin/hardening/5.3_disable_daytime.sh Executable file
View File

@ -0,0 +1,74 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 5.3 Ensure daytime is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
FILE='/etc/inetd.conf'
PATTERN='^daytime'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, daytime service is enabled!"
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

74
bin/hardening/5.4_disable_echo.sh Executable file
View File

@ -0,0 +1,74 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 5.4 Ensure echo is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
FILE='/etc/inetd.conf'
PATTERN='^echo'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, echo service is enabled!"
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

74
bin/hardening/5.5_disable_discard.sh Executable file
View File

@ -0,0 +1,74 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 5.5 Ensure discard is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
FILE='/etc/inetd.conf'
PATTERN='^discard'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, discard service is enabled!"
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

74
bin/hardening/5.6_disable_time.sh Executable file
View File

@ -0,0 +1,74 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 5.6 Ensure time is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
FILE='/etc/inetd.conf'
PATTERN='^time'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, time service is enabled!"
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN is not present in $FILE"
fi
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

67
bin/hardening/6.10_disable_http_server.sh Executable file
View File

@ -0,0 +1,67 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 6.10 Ensure HTTP Server is not enabled (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
HARDENING_EXCEPTION=http
# Based on aptitude search '~Phttpd'
PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed!"
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

67
bin/hardening/6.11_disable_imap_pop.sh Executable file
View File

@ -0,0 +1,67 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 6.11 Ensure IMAP and POP server is not enabled (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
HARDENING_EXCEPTION=mail
# Based on aptitude search '~Pimap-server' and aptitude search '~Ppop3-server'
PACKAGES='citadel-server courier-imap cyrus-imapd-2.4 dovecot-imapd mailutils-imap4d courier-pop cyrus-pop3d-2.4 dovecot-pop3d heimdal-servers mailutils-pop3d popa3d solid-pop3d xmail'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed!"
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

66
bin/hardening/6.12_disable_samba.sh Executable file
View File

@ -0,0 +1,66 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 6.12 Ensure Samba is not enabled (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
HARDENING_EXCEPTION=samba
PACKAGES='samba'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed!"
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

66
bin/hardening/6.13_disable_http_proxy.sh Executable file
View File

@ -0,0 +1,66 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 6.13 Ensure HTTP Proxy Server is not enabled (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
HARDENING_EXCEPTION=http
PACKAGES='squid3 squid'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed!"
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

66
bin/hardening/6.14_disable_snmp_server.sh Executable file
View File

@ -0,0 +1,66 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 6.14 Ensure SNMP Server is not enabled (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
HARDENING_EXCEPTION=snmp
PACKAGES='snmpd'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed!"
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

75
bin/hardening/6.15_mta_localhost.sh Executable file
View File

@ -0,0 +1,75 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 6.15 Configure Mail Transfer Agent for Local-Only Mode (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
HARDENING_EXCEPTION=mail
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking netport ports opened"
RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
RESULT=${RESULT:-}
debug "Result is $RESULT"
if [ -z "$RESULT" ]; then
ok "Nothing listens on 25 port, probably unix socket configured"
else
info "Checking $RESULT"
if $(grep -q "127.0.0.1" <<< $RESULT); then
ok "MTA is configured to localhost only"
else
crit "MTA listens worldwide"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
info "Checking netport ports opened"
RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
RESULT=${RESULT:-}
debug "Result is $RESULT"
if [ -z "$RESULT" ]; then
ok "Nothing listens on 25 port, probably unix socket configured"
else
info "Checking $RESULT"
if $(grep -q "127.0.0.1" <<< $RESULT); then
ok "MTA is configured to localhost only"
else
warn "MTA listens worldwide, correct this considering your MTA"
fi
fi
:
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

77
bin/hardening/6.16_disable_rsync.sh Executable file
View File

@ -0,0 +1,77 @@
#!/bin/bash
#
# CIS Debian 7/8 Hardening
#
#
# 6.16 Ensure rsync service is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
HARDENING_EXCEPTION=rsync
PACKAGE='rsync'
RSYNC_DEFAULT_PATTERN='RSYNC_ENABLE=false'
RSYNC_DEFAULT_FILE='/etc/default/rsync'
RSYNC_DEFAULT_PATTERN_TO_SEARCH='RSYNC_ENABLE=true'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
ok "$PACKAGE is not installed"
else
ok "$PACKAGE is installed, checking configuration"
does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
if [ $FNRET != 0 ]; then
crit "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE"
else
ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
ok "$PACKAGE is not installed"
else
ok "$PACKAGE is installed, checking configuration"
does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
if [ $FNRET != 0 ]; then
warn "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE, adding it"
backup_file $RSYNC_DEFAULT_FILE
replace_in_file $RSYNC_DEFAULT_FILE $RSYNC_DEFAULT_PATTERN_TO_SEARCH $RSYNC_DEFAULT_PATTERN
else
ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE"
fi
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

Some files were not shown because too many files have changed in this diff Show More