Add check_sshd_conf_for_one_value_runtime method, and modify 9.3.2

2020-11-03 19:50:50 +08:00 · 2020-11-03 19:50:50 +08:00 · cbf85fe443
parent 34de8084d7
commit cbf85fe443
2 changed files with 75 additions and 43 deletions
--- a/bin/hardening/9.3.2_sshd_loglevel.sh
+++ b/bin/hardening/9.3.2_sshd_loglevel.sh
@ -19,53 +19,62 @@ FILE='/etc/ssh/sshd_config'

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET != 0 ]; then
-        crit "$PACKAGE is not installed!"
-    else
-        ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
-            if [ $FNRET = 0 ]; then
-                ok "$PATTERN is present in $FILE"
-            else
-                crit "$PATTERN is not present in $FILE"
-            fi
-        done
-    fi
+	is_pkg_installed $PACKAGE
+	if [ $FNRET != 0 ]; then
+		crit "$PACKAGE is not installed!"
+		FNRET=5
+	else
+		ok "$PACKAGE is installed"
+		for SSH_OPTION in $OPTIONS; do
+			SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+			SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+			check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE
+			if [ $FNRET = 0 ]; then 
+				ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
+				FNRET=0
+			elif [ $FNRET = 1 ]; then 
+				crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration."
+				PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+				does_pattern_exist_in_file $FILE "$PATTERN"
+				if [ $FNRET = 0 ]; then
+					ok "$PATTERN is present in $FILE"
+					FNRET=1
+				else
+					crit "$PATTERN is not present in $FILE"
+					FNRET=2
+				fi
+			else
+				crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
+				FNRET=3
+			fi
+	done
+fi
 }

 # This function will be called if the script status is on enabled mode
 apply () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET = 0 ]; then
-        ok "$PACKAGE is installed"
-    else
-        crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
-    fi
-    for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
-            if [ $FNRET = 0 ]; then
-                ok "$PATTERN is present in $FILE"
-            else
-                warn "$PATTERN is not present in $FILE, adding it"
-                does_pattern_exist_in_file $FILE "^$SSH_PARAM"
-                if [ $FNRET != 0 ]; then
-                    add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
-                else
-                    info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                    replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
-                fi
-                /etc/init.d/ssh reload > /dev/null 2>&1
-            fi
-    done
+	SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+	SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+	PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+	case $FNRET in
+		0)	ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
+			;;
+		1)	warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload"
+			/etc/init.d/ssh reload > /dev/null 2>&1
+			;;
+		2)	warn "$PATTERN is not present in $FILE, need add to sshd_config and reload"
+			add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+			/etc/init.d/ssh reload > /dev/null 2>&1
+			;;
+		3)	warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
+			replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+			/etc/init.d/ssh reload > /dev/null 2>&1
+			;;
+		5)	warn "$PACKAGE is absent, installing it"
+			apt_install $PACKAGE
+			;;
+		*)	;;
+	esac
 }

 # This function will check config parameters required
--- a/lib/utils.sh
+++ b/lib/utils.sh
@ -1212,6 +1212,29 @@ check_sshd_access_limit ()
 	fi
 }

+# Check sshd conf for one value  sshd -T return 'keyword value' pairs
+# If the value of keyword is equal $2, return 0 
+# If the keywork does not exist in the sshd runtime configuration, return 1
+# If the value of keyword is not equal $2, return 2
+# Example: $1='PermitRootLogin'  $2='no'
+check_sshd_conf_for_one_value_runtime ()
+{
+	COUNT=$(sshd -T | grep -i $1 | wc -l)
+	if [ $COUNT -eq 0 ]; then
+		debug "The keyword $1 does not exist in the sshd runtime configuration."
+		FNRET=1
+	else
+		RUNTIMEVALUE=$(sshd -T | grep -i $1 | awk '{print $2}')
+		if [ "$RUNTIMEVALUE" = "$2" ]; then
+			debug "The value of keyword $1 has set to $2, it's correct."
+			FNRET=0
+		else
+			debug "The value of keyword $1 is not set to $2, it's incorrect."
+			FNRET=2
+		fi
+	fi
+}
+
 # Check blacklist module set of /etc/modprobe.d/* 
 # If set, return 0; else return 1
 # Example: $1='nf_nat_sip'