From a1459e7e4170e7e24b169a599fee4d39bf8867e9 Mon Sep 17 00:00:00 2001
From: Samson-W
Date: Tue, 4 Sep 2018 23:12:42 +0800
Subject: [PATCH] Add verifies integrity all packages method, and doc.
---
 bin/hardening.sh | 2 +-
 .../8.5_verifies_integrity_all_packages.sh | 52 +++++++++++++++++++
 .../harbian_audit_Debian_9_Benchmark_v0.1.mkd | 31 +++++++++++
 lib/utils.sh | 12 +++++
 4 files changed, 96 insertions(+), 1 deletion(-)
 create mode 100755 bin/hardening/8.5_verifies_integrity_all_packages.sh
 create mode 100644 docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd
diff --git a/bin/hardening.sh b/bin/hardening.sh
index 34e5db2..0be759a 100755
--- a/bin/hardening.sh
+++ b/bin/hardening.sh
@@ -68,7 +68,7 @@ $LONG_SCRIPT_NAME [OPTIONS], where RUN_MODE is one of:
 4: high security policy, passing all tests might be time-consuming and require high adaptation of your workflow
 5: placebo, policy rules that might be very difficult to apply and maintain,
- with questionable security benefits
+ with questionable security benefits, need to confirm manually
 --allow-service
 Use with --set-hardening-level.
diff --git a/bin/hardening/8.5_verifies_integrity_all_packages.sh b/bin/hardening/8.5_verifies_integrity_all_packages.sh
new file mode 100755
index 0000000..c7c5858
--- /dev/null
+++ b/bin/hardening/8.5_verifies_integrity_all_packages.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+#
+# harbian audit 7/8/9 Hardening
+#
+
+#
+# 8.5 8.5_Verifies integrity all packages (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=5
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ verify_integrity_all_packages
+ if [ $FNRET != 0 ]; then
+ crit "Verify integrity all packages is fail!"
+ else
+ ok "Verify integrity all packages is ok."
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "This check item need to confirm manually. No automatic fix is available."
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+ . $CIS_ROOT_DIR/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd b/docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd
new file mode 100644
index 0000000..5cdf92c
--- /dev/null
+++ b/docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd
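Review bot: With `set -u` enabled at the top of the new script, the guard `if [ -z "$CIS_ROOT_DIR" ]; then` can never reach its own diagnostic when /etc/default/cis-hardening is absent and the variable is unset — bash aborts on the unbound reference first, so the operator sees an "unbound variable" error instead of the intended hint; `if [ -z "${CIS_ROOT_DIR:-}" ]; then` keeps the guard reachable. The later `[ -r $CIS_ROOT_DIR/lib/main.sh ]` and `. $CIS_ROOT_DIR/lib/main.sh` should quote the expansion, and `[ $FNRET != 0 ]` in audit() is safer as `[ "$FNRET" != 0 ]`, since an empty FNRET turns the test into a syntax error rather than a failed audit. This preamble looks like boilerplate shared with the sibling check scripts, so the same fixes may apply there too; audit() depends on verify_integrity_all_packages() being provided by the sourced library, and because HARDENING_LEVEL=5 is the placebo level, apply() intentionally only prints that manual confirmation is required.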
@@ -0,0 +1,31 @@
+# harbian audit Debian Linux 9 Benchmark
+
+8.5 Verifies integrity all packages
+
+Profile Applicability:
+Level 5
+
+Description:
+Without cryptographic integrity protections, system command and files can be altered by unauthorized users without detection.Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.
+
+Rationale:
+Verify integrity all packages features to to monitor the files of the packages installed by the system.
+
+Aduit:
+Perform the following to determine:
+```
+# dpkg -V
+??5?????? c /etc/sudoers
+??5?????? c /etc/vim/vimrc
+```
+
+Remediation:
+Run the following command to determine which package owns the file:
+```
+# dpkg -S
+```
+If the confirmation is not modified by owner, the package can be reinstalled from a apt repository using the command:
+```
+# apt-get --reinstall
+```
+
diff --git a/lib/utils.sh b/lib/utils.sh
index f3ce39e..cb4b07d 100644
--- a/lib/utils.sh
+++ b/lib/utils.sh
@@ -429,3 +429,15 @@ is_debian_9()
 FNRET=1
 fi
 }
+
+verify_integrity_all_packages()
+{
+ if [ $($SUDO_CMD dpkg -V | wc -l) -gt 0 ]; then
+ debug "Verify integrity all packages is fail"
+ FNRET=1
+ else
+ debug "Verify integrity all packages is OK"
+ FNRET=0
+ fi
+}
+
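Review bot: The test `if [ $($SUDO_CMD dpkg -V | wc -l) -gt 0 ]` in the new verify_integrity_all_packages() reduces the verification result to a line count and throws the list away, so the audit log never records which files mismatched, and a failure of dpkg itself (its stderr is not captured, and without pipefail the pipeline's status is that of wc) is indistinguishable from "no mismatches". Capturing stdout and stderr together plus the command's own exit status, then logging what was captured, keeps the FNRET contract while making a failed audit actionable; a rewrite is below. A comment on the function should also state that dpkg -V compares installed files against the md5sums recorded by each package on the same host rather than against a signature, so this is local change detection and not the cryptographic integrity protection the companion doc describes — a root-level compromise can update both. Expect modified conffiles (the `c` column in the doc's `/etc/sudoers` example) to appear on most configured systems, so FNRET=1 will be the common outcome and the captured list is what lets the operator judge it.
```shell
verify_integrity_all_packages()
{
    local mismatches rc=0
    # dpkg -V prints one line per installed file whose recorded md5sum/owner/
    # mode no longer matches; an empty result with exit 0 is the only OK case.
    # Capture stderr and the exit status too, so dpkg failing to run is not
    # mistaken for "nothing changed".
    mismatches=$($SUDO_CMD dpkg -V 2>&1) || rc=$?
    if [ "$rc" -ne 0 ] || [ -n "$mismatches" ]; then
        debug "Verify integrity all packages is fail"
        debug "$mismatches"
        FNRET=1
    else
        debug "Verify integrity all packages is OK"
        FNRET=0
    fi
}
```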