tyler.durden
/
harbian-audit
mirror of https://github.com/hardenedlinux/harbian-audit.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Apply check_sshd_conf_for_one_value_runtime for sshd config relate

This commit is contained in:
Samson-W 2020-11-04 18:35:17 +08:00
parent cbf85fe443
commit d9d2609e84
16 changed files with 727 additions and 621 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

87
bin/hardening/9.3.10_disable_sshd_setenv.sh
View File

@ -22,50 +22,57 @@ audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
fi
done
fi
FNRET=5
else
ok "$PACKAGE is installed"
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE
if [ $FNRET = 0 ]; then
ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
FNRET=0
elif [ $FNRET = 1 ]; then
crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration."
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
FNRET=1
else
crit "$PATTERN is not present in $FILE"
FNRET=2
fi
else
crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
FNRET=3
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
install_package $PACKAGE
fi
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi
systemctl reload sshd
fi
done
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
case $FNRET in
0) ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
;;
1) warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
2) warn "$PATTERN is not present in $FILE, need add to sshd_config and reload"
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
3) warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
5) warn "$PACKAGE is absent, installing it"
apt_install $PACKAGE
;;
*) ;;
esac
}
# This function will check config parameters required

86
bin/hardening/9.3.14_ssh_banner.sh
View File

@ -22,48 +22,58 @@ audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
PATTERN="^$SSH_PARAM[[:space:]]*"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
fi
done
fi
FNRET=5
else
ok "$PACKAGE is installed"
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE
if [ $FNRET = 0 ]; then
ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
FNRET=0
elif [ $FNRET = 1 ]; then
crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration."
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
FNRET=1
else
crit "$PATTERN is not present in $FILE"
FNRET=2
fi
else
crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
FNRET=3
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
install_package $PACKAGE
fi
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else
info "Parameter $SSH_PARAM is present and activated"
fi
systemctl reload sshd
fi
done
OPTIONS="Banner=$BANNER_FILE"
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
case $FNRET in
0) ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
;;
1) warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
2) warn "$PATTERN is not present in $FILE, need add to sshd_config and reload"
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
3) warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
5) warn "$PACKAGE is absent, installing it"
apt_install $PACKAGE
;;
*) ;;
esac
}
# This function will create the config file for this check with default values

87
bin/hardening/9.3.15_sshd_printlastlog.sh
View File

@ -23,50 +23,57 @@ audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
fi
done
fi
FNRET=5
else
ok "$PACKAGE is installed"
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE
if [ $FNRET = 0 ]; then
ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
FNRET=0
elif [ $FNRET = 1 ]; then
crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration."
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
FNRET=1
else
crit "$PATTERN is not present in $FILE"
FNRET=2
fi
else
crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
FNRET=3
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
install_package $PACKAGE
fi
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi
systemctl reload sshd
fi
done
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
case $FNRET in
0) ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
;;
1) warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
2) warn "$PATTERN is not present in $FILE, need add to sshd_config and reload"
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
3) warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
5) warn "$PACKAGE is absent, installing it"
apt_install $PACKAGE
;;
*) ;;
esac
}
# This function will check config parameters required

87
bin/hardening/9.3.16_sshd_IgnoreUserKnownHosts.sh
View File

@ -23,50 +23,57 @@ audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
fi
done
fi
FNRET=5
else
ok "$PACKAGE is installed"
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE
if [ $FNRET = 0 ]; then
ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
FNRET=0
elif [ $FNRET = 1 ]; then
crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration."
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
FNRET=1
else
crit "$PATTERN is not present in $FILE"
FNRET=2
fi
else
crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
FNRET=3
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
install_package $PACKAGE
fi
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi
systemctl reload sshd
fi
done
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
case $FNRET in
0) ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
;;
1) warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
2) warn "$PATTERN is not present in $FILE, need add to sshd_config and reload"
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
3) warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
5) warn "$PACKAGE is absent, installing it"
apt_install $PACKAGE
;;
*) ;;
esac
}
# This function will check config parameters required

87
bin/hardening/9.3.17_sshd_GSSAPIAuthentication.sh
View File

@ -23,50 +23,57 @@ audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
fi
done
fi
FNRET=5
else
ok "$PACKAGE is installed"
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE
if [ $FNRET = 0 ]; then
ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
FNRET=0
elif [ $FNRET = 1 ]; then
crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration."
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
FNRET=1
else
crit "$PATTERN is not present in $FILE"
FNRET=2
fi
else
crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
FNRET=3
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
install_package $PACKAGE
fi
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi
systemctl reload sshd
fi
done
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
case $FNRET in
0) ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
;;
1) warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
2) warn "$PATTERN is not present in $FILE, need add to sshd_config and reload"
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
3) warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
5) warn "$PACKAGE is absent, installing it"
apt_install $PACKAGE
;;
*) ;;
esac
}
# This function will check config parameters required

87
bin/hardening/9.3.18_sshd_KerberosAuthentication.sh
View File

@ -23,50 +23,57 @@ audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
fi
done
fi
FNRET=5
else
ok "$PACKAGE is installed"
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE
if [ $FNRET = 0 ]; then
ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
FNRET=0
elif [ $FNRET = 1 ]; then
crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration."
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
FNRET=1
else
crit "$PATTERN is not present in $FILE"
FNRET=2
fi
else
crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
FNRET=3
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
install_package $PACKAGE
fi
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi
systemctl reload sshd
fi
done
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
case $FNRET in
0) ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
;;
1) warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
2) warn "$PATTERN is not present in $FILE, need add to sshd_config and reload"
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
3) warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
5) warn "$PACKAGE is absent, installing it"
apt_install $PACKAGE
;;
*) ;;
esac
}
# This function will check config parameters required

87
bin/hardening/9.3.19_sshd_StrictModes.sh
View File

@ -23,50 +23,57 @@ audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
fi
done
fi
FNRET=5
else
ok "$PACKAGE is installed"
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE
if [ $FNRET = 0 ]; then
ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
FNRET=0
elif [ $FNRET = 1 ]; then
crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration."
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
FNRET=1
else
crit "$PATTERN is not present in $FILE"
FNRET=2
fi
else
crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
FNRET=3
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
install_package $PACKAGE
fi
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi
systemctl reload sshd
fi
done
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
case $FNRET in
0) ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
;;
1) warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
2) warn "$PATTERN is not present in $FILE, need add to sshd_config and reload"
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
3) warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
5) warn "$PACKAGE is absent, installing it"
apt_install $PACKAGE
;;
*) ;;
esac
}
# This function will check config parameters required

87
bin/hardening/9.3.20_sshd_compression.sh
View File

@ -23,50 +23,57 @@ audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
fi
done
fi
FNRET=5
else
ok "$PACKAGE is installed"
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE
if [ $FNRET = 0 ]; then
ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
FNRET=0
elif [ $FNRET = 1 ]; then
crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration."
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
FNRET=1
else
crit "$PATTERN is not present in $FILE"
FNRET=2
fi
else
crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
FNRET=3
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
install_package $PACKAGE
fi
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi
systemctl reload sshd
fi
done
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
PATTERN="$SSH_PARAM $SSH_VALUE"
case $FNRET in
0) ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
;;
1) warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
2) warn "$PATTERN is not present in $FILE, need add to sshd_config and reload"
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
3) warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
5) warn "$PACKAGE is absent, installing it"
apt_install $PACKAGE
;;
*) ;;
esac
}
# This function will check config parameters required

87
bin/hardening/9.3.25_sshd_logingracetime.sh
View File

@ -23,50 +23,57 @@ audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
fi
done
fi
FNRET=5
else
ok "$PACKAGE is installed"
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE
if [ $FNRET = 0 ]; then
ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
FNRET=0
elif [ $FNRET = 1 ]; then
crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration."
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
FNRET=1
else
crit "$PATTERN is not present in $FILE"
FNRET=2
fi
else
crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
FNRET=3
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
install_package $PACKAGE
fi
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi
systemctl reload sshd
fi
done
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
PATTERN="$SSH_PARAM $SSH_VALUE"
case $FNRET in
0) ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
;;
1) warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
2) warn "$PATTERN is not present in $FILE, need add to sshd_config and reload"
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
3) warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
5) warn "$PACKAGE is absent, installing it"
apt_install $PACKAGE
;;
*) ;;
esac
}
# This function will check config parameters required

46
bin/hardening/9.3.2_sshd_loglevel.sh
View File

@ -25,36 +25,34 @@ audit () {
FNRET=5
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE
if [ $FNRET = 0 ]; then
ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
FNRET=0
elif [ $FNRET = 1 ]; then
crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration."
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
FNRET=1
else
crit "$PATTERN is not present in $FILE"
FNRET=2
fi
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE
if [ $FNRET = 0 ]; then
ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
FNRET=0
elif [ $FNRET = 1 ]; then
crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration."
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
FNRET=1
else
crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
FNRET=3
crit "$PATTERN is not present in $FILE"
FNRET=2
fi
done
fi
else
crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
FNRET=3
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
case $FNRET in
0) ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."

85
bin/hardening/9.3.4_disable_x11_forwarding.sh
View File

@ -22,50 +22,57 @@ audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
fi
done
FNRET=5
else
ok "$PACKAGE is installed"
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE
if [ $FNRET = 0 ]; then
ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
FNRET=0
elif [ $FNRET = 1 ]; then
crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration."
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
FNRET=1
else
crit "$PATTERN is not present in $FILE"
FNRET=2
fi
else
crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
FNRET=3
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE
fi
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi
/etc/init.d/ssh reload > /dev/null 2>&1
fi
done
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
case $FNRET in
0) ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
;;
1) warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
2) warn "$PATTERN is not present in $FILE, need add to sshd_config and reload"
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
3) warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
5) warn "$PACKAGE is absent, installing it"
apt_install $PACKAGE
;;
*) ;;
esac
}
# This function will check config parameters required

87
bin/hardening/9.3.5_sshd_maxauthtries.sh
View File

@ -22,50 +22,57 @@ audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
fi
done
fi
FNRET=5
else
ok "$PACKAGE is installed"
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE
if [ $FNRET = 0 ]; then
ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
FNRET=0
elif [ $FNRET = 1 ]; then
crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration."
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
FNRET=1
else
crit "$PATTERN is not present in $FILE"
FNRET=2
fi
else
crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
FNRET=3
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
install_package $PACKAGE
fi
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi
systemctl reload sshd
fi
done
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
case $FNRET in
0) ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
;;
1) warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
2) warn "$PATTERN is not present in $FILE, need add to sshd_config and reload"
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
3) warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
5) warn "$PACKAGE is absent, installing it"
apt_install $PACKAGE
;;
*) ;;
esac
}
# This function will check config parameters required

87
bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh
View File

@ -22,50 +22,57 @@ audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
fi
done
fi
FNRET=5
else
ok "$PACKAGE is installed"
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE
if [ $FNRET = 0 ]; then
ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
FNRET=0
elif [ $FNRET = 1 ]; then
crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration."
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
FNRET=1
else
crit "$PATTERN is not present in $FILE"
FNRET=2
fi
else
crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
FNRET=3
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
install_package $PACKAGE
fi
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi
systemctl reload sshd
fi
done
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
case $FNRET in
0) ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
;;
1) warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
2) warn "$PATTERN is not present in $FILE, need add to sshd_config and reload"
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
3) warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
5) warn "$PACKAGE is absent, installing it"
apt_install $PACKAGE
;;
*) ;;
esac
}
# This function will check config parameters required

87
bin/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh
View File

@ -22,50 +22,57 @@ audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
fi
done
fi
FNRET=5
else
ok "$PACKAGE is installed"
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE
if [ $FNRET = 0 ]; then
ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
FNRET=0
elif [ $FNRET = 1 ]; then
crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration."
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
FNRET=1
else
crit "$PATTERN is not present in $FILE"
FNRET=2
fi
else
crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
FNRET=3
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
install_package $PACKAGE
fi
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi
systemctl reload sshd
fi
done
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
case $FNRET in
0) ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
;;
1) warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
2) warn "$PATTERN is not present in $FILE, need add to sshd_config and reload"
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
3) warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
5) warn "$PACKAGE is absent, installing it"
apt_install $PACKAGE
;;
*) ;;
esac
}
# This function will check config parameters required

87
bin/hardening/9.3.8_disable_root_login.sh
View File

@ -22,50 +22,57 @@ audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
fi
done
fi
FNRET=5
else
ok "$PACKAGE is installed"
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE
if [ $FNRET = 0 ]; then
ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
FNRET=0
elif [ $FNRET = 1 ]; then
crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration."
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
FNRET=1
else
crit "$PATTERN is not present in $FILE"
FNRET=2
fi
else
crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
FNRET=3
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
install_package $PACKAGE
fi
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi
systemctl reload sshd
fi
done
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
case $FNRET in
0) ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
;;
1) warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
2) warn "$PATTERN is not present in $FILE, need add to sshd_config and reload"
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
3) warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
5) warn "$PACKAGE is absent, installing it"
apt_install $PACKAGE
;;
*) ;;
esac
}
# This function will check config parameters required

87
bin/hardening/9.3.9_disable_sshd_permitemptypasswords.sh
View File

@ -22,50 +22,57 @@ audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
fi
done
fi
FNRET=5
else
ok "$PACKAGE is installed"
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE
if [ $FNRET = 0 ]; then
ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
FNRET=0
elif [ $FNRET = 1 ]; then
crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration."
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
FNRET=1
else
crit "$PATTERN is not present in $FILE"
FNRET=2
fi
else
crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
FNRET=3
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
install_package $PACKAGE
fi
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi
systemctl reload sshd
fi
done
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
case $FNRET in
0) ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
;;
1) warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
2) warn "$PATTERN is not present in $FILE, need add to sshd_config and reload"
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
3) warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
5) warn "$PACKAGE is absent, installing it"
apt_install $PACKAGE
;;
*) ;;
esac
}
# This function will check config parameters required