tyler.durden
/
harbian-audit
mirror of https://github.com/hardenedlinux/harbian-audit.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Modify 4.8: Re-implement the detection items of disabled USB devices.

This commit is contained in:
Samson-W 2021-07-28 00:42:01 +08:00
parent b3857a06da
commit cfb0a3c22f
1 changed files with 31 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

72
bin/hardening/4.8_disable_usb_devices.sh
View File

@ -1,13 +1,13 @@
#!/bin/bash #!/bin/bash
# #
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening # harbian-audit for Debian GNU/Linux 9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org) # Modify by: Samson-W (samson@hardenedlinux.org)
# #
# #
# 4.8 Disable USB Devices # 4.8 Disable USB storage Devices
# TODO test # TODO: CentOS
# #
set -e # One error, it's over set -e # One error, it's over
@ -15,43 +15,39 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4 HARDENING_LEVEL=4
USER='root' BLACKRULEPATTERN='install[[:blank:]].*usb_storage[[:blank:]].*/bin/true'
PATTERN='ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"' # We do test disabled by default, whitelist is up to you BLACKRULE='install usb_storage /bin/true'
FILES_TO_SEARCH='/etc/udev/rules.d'
FILE='/etc/udev/rules.d/CIS_4.6_usb_devices.conf'
BLACKRULEPATTERN='^blacklist[[:blank:]].*usb-storage'
BLACKRULE='blacklist usb-storage'
BLACKCONFILE='/etc/modprobe.d/blacklist.conf' BLACKCONFILE='/etc/modprobe.d/blacklist.conf'
BLACKCONDIR='/etc/modprobe.d'
audit_debian () { audit_debian () {
SEARCH_RES=0 SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do for FILE_SEARCHED in $BLACKCONDIR; do
if [ $SEARCH_RES = 1 ]; then break; fi if [ $SEARCH_RES = 1 ]; then break; fi
if test -d $FILE_SEARCHED; then if test -d $FILE_SEARCHED; then
debug "$FILE_SEARCHED is a directory" debug "$FILE_SEARCHED is a directory"
for file_in_dir in $(ls $FILE_SEARCHED); do for file_in_dir in $(ls $FILE_SEARCHED); do
does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN" does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$BLACKRULEPATTERN"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir" debug "$BLACKRULEPATTERN is not present in $FILE_SEARCHED/$file_in_dir"
else else
ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir" ok "$BLACKRULEPATTERN is present in $FILE_SEARCHED/$file_in_dir"
SEARCH_RES=1 SEARCH_RES=1
break break
fi fi
done done
else else
does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN" does_pattern_exist_in_file "$FILE_SEARCHED" "^$BLACKRULEPATTERN"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED" debug "$BLACKRULEPATTERN is not present in $FILE_SEARCHED"
else else
ok "$PATTERN is present in $FILES_TO_SEARCH" ok "$BLACKRULEPATTERN is present in $BLACKCONDIR"
SEARCH_RES=1 SEARCH_RES=1
fi fi
fi fi
done done
if [ $SEARCH_RES = 0 ]; then if [ $SEARCH_RES = 0 ]; then
crit "$PATTERN is not present in $FILES_TO_SEARCH" crit "$BLACKRULEPATTERN is not present in $BLACKCONDIR"
fi fi
} }
@ -74,47 +70,41 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
SEARCH_RES=0 SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do for FILE_SEARCHED in $BLACKCONDIR; do
if [ $SEARCH_RES = 1 ]; then break; fi if [ $SEARCH_RES = 1 ]; then break; fi
if test -d $FILE_SEARCHED; then if test -d $FILE_SEARCHED; then
debug "$FILE_SEARCHED is a directory" debug "$FILE_SEARCHED is a directory"
for file_in_dir in $(ls $FILE_SEARCHED); do for file_in_dir in $(ls $FILE_SEARCHED); do
does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN" does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$BLACKRULEPATTERN"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir" debug "$BLACKRULEPATTERN is not present in $FILE_SEARCHED/$file_in_dir"
else else
ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir" ok "$BLACKRULEPATTERN is present in $FILE_SEARCHED/$file_in_dir"
SEARCH_RES=1 SEARCH_RES=1
break break
fi fi
done done
else else
does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN" does_pattern_exist_in_file "$FILE_SEARCHED" "^$BLACKRULEPATTERN "
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED" debug "$BLACKRULEPATTERN is not present in $FILE_SEARCHED"
else else
ok "$PATTERN is present in $FILES_TO_SEARCH" ok "$BLACKRULEPATTERN is present in $BLACKCONDIR"
SEARCH_RES=1 SEARCH_RES=1
fi fi
fi fi
done done
if [ $SEARCH_RES = 0 ]; then if [ $SEARCH_RES = 0 ]; then
warn "$PATTERN is not present in $FILES_TO_SEARCH" warn "$BLACKRULEPATTERN is not present in $BLACKCONDIR"
touch $FILE if [ -f $BLACKCONFILE ]; then
chmod 644 $FILE warn "Add $BLACKRULE to $BLACKCONFILE"
add_end_of_file $FILE ' add_end_of_file $BLACKCONFILE "$BLACKRULE"
# By default, disable all. else
ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0" warn "Create $BLACKCONFILE and add $BLACKRULE to $BLACKCONFILE"
touch $BLACKCONFILE
# Enable hub devices. chmod 644 $BLACKCONFILE
ACTION=="add", ATTR{bDeviceClass}=="09", TEST=="authorized", ATTR{authorized}="1" add_end_of_file $BLACKCONFILE "$BLACKRULE"
fi
# Enables keyboard devices
ACTION=="add", ATTR{product}=="*[Kk]eyboard*", TEST=="authorized", ATTR{authorized}="1"
# PS2-USB converter
ACTION=="add", ATTR{product}=="*Thinnet TM*", TEST=="authorized", ATTR{authorized}="1"
'
fi fi
} }