From d9d2609e843189f172a7b9e9f3e4aee74e6cdb17 Mon Sep 17 00:00:00 2001
From: Samson-W
Date: Wed, 4 Nov 2020 18:35:17 +0800
Subject: [PATCH] Apply check_sshd_conf_for_one_value_runtime for sshd config relate
---
 bin/hardening/9.3.10_disable_sshd_setenv.sh | 87 ++++++++++---------
 bin/hardening/9.3.14_ssh_banner.sh | 86 ++++++++++--------
 bin/hardening/9.3.15_sshd_printlastlog.sh | 87 ++++++++++---------
 .../9.3.16_sshd_IgnoreUserKnownHosts.sh | 87 ++++++++++---------
 .../9.3.17_sshd_GSSAPIAuthentication.sh | 87 ++++++++++---------
 .../9.3.18_sshd_KerberosAuthentication.sh | 87 ++++++++++---------
 bin/hardening/9.3.19_sshd_StrictModes.sh | 87 ++++++++++---------
 bin/hardening/9.3.20_sshd_compression.sh | 87 ++++++++++---------
 bin/hardening/9.3.25_sshd_logingracetime.sh | 87 ++++++++++---------
 bin/hardening/9.3.2_sshd_loglevel.sh | 46 +++++-----
 bin/hardening/9.3.4_disable_x11_forwarding.sh | 85 +++++++++--------
 bin/hardening/9.3.5_sshd_maxauthtries.sh | 87 ++++++++++---------
 .../9.3.6_enable_sshd_ignorerhosts.sh | 87 ++++++++++---------
 ....7_disable_sshd_hostbasedauthentication.sh | 87 ++++++++++---------
 bin/hardening/9.3.8_disable_root_login.sh | 87 ++++++++++---------
 ...9.3.9_disable_sshd_permitemptypasswords.sh | 87 ++++++++++---------
 16 files changed, 727 insertions(+), 621 deletions(-)
diff --git a/bin/hardening/9.3.10_disable_sshd_setenv.sh b/bin/hardening/9.3.10_disable_sshd_setenv.sh
index ef0aca6..e87918e 100755
--- a/bin/hardening/9.3.10_disable_sshd_setenv.sh
+++ b/bin/hardening/9.3.10_disable_sshd_setenv.sh
@@ -22,50 +22,57 @@ audit () { is_pkg_installed $PACKAGE if [ $FNRET != 0 ]; then crit "$PACKAGE is not installed!" - else - ok "$PACKAGE is installed" - for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then - ok "$PATTERN is present in $FILE" - else - crit "$PATTERN is not present in $FILE" - fi - done - fi + FNRET=5 + else + ok "$PACKAGE is installed" + SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1) + SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2) + check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE + if [ $FNRET = 0 ]; then + ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct." + FNRET=0 + elif [ $FNRET = 1 ]; then + crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration." + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exist_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + FNRET=1 + else + crit "$PATTERN is not present in $FILE" + FNRET=2 + fi + else + crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect." 
+ FNRET=3 + fi + fi } # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - ok "$PACKAGE is installed" - else - crit "$PACKAGE is absent, installing it" - install_package $PACKAGE - fi - for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then - ok "$PATTERN is present in $FILE" - else - warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file $FILE "^$SSH_PARAM" - if [ $FNRET != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" - else - info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" - fi - systemctl reload sshd - fi - done + SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1) + SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + case $FNRET in + 0) ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct." + ;; + 1) warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload" + /etc/init.d/ssh reload > /dev/null 2>&1 + ;; + 2) warn "$PATTERN is not present in $FILE, need add to sshd_config and reload" + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + /etc/init.d/ssh reload > /dev/null 2>&1 + ;; + 3) warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + /etc/init.d/ssh reload > /dev/null 2>&1 + ;; + 5) warn "$PACKAGE is absent, installing it" + apt_install $PACKAGE + ;; + *) ;; + esac } # This function will check config parameters required diff --git a/bin/hardening/9.3.14_ssh_banner.sh b/bin/hardening/9.3.14_ssh_banner.sh index d0dd639..bc3947a 100755 
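Review bot: In the new `apply()` every `/etc/init.d/ssh reload > /dev/null 2>&1` discards the reload's exit status, so when the edited `sshd_config` is rejected by the daemon (or the init script is not usable on this host) the script still reports the fix as done while the running sshd keeps the old, non-hardened setting; check it, e.g. `/etc/init.d/ssh reload > /dev/null 2>&1 || crit "sshd reload failed, runtime configuration not updated"`. The `*) ;;` arm likewise swallows any `FNRET` value the `case` does not expect, so an error path of `check_sshd_conf_for_one_value_runtime` (its return codes are not visible here) produces no output at all; `*) warn "Unexpected audit state FNRET=$FNRET for $SSH_PARAM, nothing applied" ;;` keeps it visible. Note also that `apply()` now acts solely on the `FNRET` left behind by `audit()` and, after the `5)` arm installs the package, does not go on to set the option in the same run, which is worth a comment above the `case`. The same arms appear in 9.3.14, 9.3.15, 9.3.16, 9.3.17, 9.3.18, 9.3.19, 9.3.20 and 9.3.25, and judging by its visible `case $FNRET in` context presumably in 9.3.2 as well.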
--- a/bin/hardening/9.3.14_ssh_banner.sh
+++ b/bin/hardening/9.3.14_ssh_banner.sh
@@ -22,48 +22,58 @@ audit () { is_pkg_installed $PACKAGE if [ $FNRET != 0 ]; then crit "$PACKAGE is not installed!" - else - ok "$PACKAGE is installed" - for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - PATTERN="^$SSH_PARAM[[:space:]]*" - does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then - ok "$PATTERN is present in $FILE" - else - crit "$PATTERN is not present in $FILE" - fi - done - fi + FNRET=5 + else + ok "$PACKAGE is installed" + SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1) + SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2) + check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE + if [ $FNRET = 0 ]; then + ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct." + FNRET=0 + elif [ $FNRET = 1 ]; then + crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration." + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exist_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + FNRET=1 + else + crit "$PATTERN is not present in $FILE" + FNRET=2 + fi + else + crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect." 
+ FNRET=3 + fi + fi } # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - ok "$PACKAGE is installed" - else - crit "$PACKAGE is absent, installing it" - install_package $PACKAGE - fi - for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then - ok "$PATTERN is present in $FILE" - else - warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file $FILE "^$SSH_PARAM" - if [ $FNRET != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" - else - info "Parameter $SSH_PARAM is present and activated" - fi - systemctl reload sshd - fi - done + OPTIONS="Banner=$BANNER_FILE" + SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1) + SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + case $FNRET in + 0) ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct." + ;; + 1) warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload" + /etc/init.d/ssh reload > /dev/null 2>&1 + ;; + 2) warn "$PATTERN is not present in $FILE, need add to sshd_config and reload" + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + /etc/init.d/ssh reload > /dev/null 2>&1 + ;; + 3) warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + /etc/init.d/ssh reload > /dev/null 2>&1 + ;; + 5) warn "$PACKAGE is absent, installing it" + apt_install $PACKAGE + ;; + *) ;; + esac } # This function will create the config file for this check with default values diff --git a/bin/hardening/9.3.15_sshd_printlastlog.sh b/bin/hardening/9.3.15_sshd_printlastlog.sh index ee3e03d..9107361 100755 --- a/bin/hardening/9.3.15_sshd_printlastlog.sh 
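Review bot: `apply()` overrides `OPTIONS` with `OPTIONS="Banner=$BANNER_FILE"`, but the new `audit()` derives `SSH_VALUE` from the file-level `$OPTIONS`, whose definition is outside this hunk; if that definition does not already carry the same `=$BANNER_FILE` value (the old audit only checked that the keyword was present, not its value), `check_sshd_conf_for_one_value_runtime` compares the runtime banner against the wrong string and every run ends in `FNRET=3` and rewrites the line. Setting `OPTIONS="Banner=$BANNER_FILE"` once where `OPTIONS` is defined, or at the top of `audit()`, keeps both functions on the same value. Also, `SSH_VALUE` is a file path here and is passed unquoted to `check_sshd_conf_for_one_value_runtime` and `add_end_of_file`; quote the arguments (`check_sshd_conf_for_one_value_runtime "$SSH_PARAM" "$SSH_VALUE"`) so a path containing whitespace does not split into extra words.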
+++ b/bin/hardening/9.3.15_sshd_printlastlog.sh 
@@ -23,50 +23,57 @@ audit () { is_pkg_installed $PACKAGE if [ $FNRET != 0 ]; then crit "$PACKAGE is not installed!" - else - ok "$PACKAGE is installed" - for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then - ok "$PATTERN is present in $FILE" - else - crit "$PATTERN is not present in $FILE" - fi - done - fi + FNRET=5 + else + ok "$PACKAGE is installed" + SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1) + SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2) + check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE + if [ $FNRET = 0 ]; then + ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct." + FNRET=0 + elif [ $FNRET = 1 ]; then + crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration." + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exist_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + FNRET=1 + else + crit "$PATTERN is not present in $FILE" + FNRET=2 + fi + else + crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect." 
+ FNRET=3 + fi + fi } # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - ok "$PACKAGE is installed" - else - crit "$PACKAGE is absent, installing it" - install_package $PACKAGE - fi - for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then - ok "$PATTERN is present in $FILE" - else - warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file $FILE "^$SSH_PARAM" - if [ $FNRET != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" - else - info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" - fi - systemctl reload sshd - fi - done + SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1) + SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + case $FNRET in + 0) ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct." + ;; + 1) warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload" + /etc/init.d/ssh reload > /dev/null 2>&1 + ;; + 2) warn "$PATTERN is not present in $FILE, need add to sshd_config and reload" + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + /etc/init.d/ssh reload > /dev/null 2>&1 + ;; + 3) warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + /etc/init.d/ssh reload > /dev/null 2>&1 + ;; + 5) warn "$PACKAGE is absent, installing it" + apt_install $PACKAGE + ;; + *) ;; + esac } # This function will check config parameters required 
diff --git a/bin/hardening/9.3.16_sshd_IgnoreUserKnownHosts.sh b/bin/hardening/9.3.16_sshd_IgnoreUserKnownHosts.sh
index 98a7223..b218e95 100755
--- a/bin/hardening/9.3.16_sshd_IgnoreUserKnownHosts.sh
+++ b/bin/hardening/9.3.16_sshd_IgnoreUserKnownHosts.sh
@@ -23,50 +23,57 @@ audit () { is_pkg_installed $PACKAGE if [ $FNRET != 0 ]; then crit "$PACKAGE is not installed!" - else - ok "$PACKAGE is installed" - for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then - ok "$PATTERN is present in $FILE" - else - crit "$PATTERN is not present in $FILE" - fi - done - fi + FNRET=5 + else + ok "$PACKAGE is installed" + SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1) + SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2) + check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE + if [ $FNRET = 0 ]; then + ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct." + FNRET=0 + elif [ $FNRET = 1 ]; then + crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration." + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exist_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + FNRET=1 + else + crit "$PATTERN is not present in $FILE" + FNRET=2 + fi + else + crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect." 
+ FNRET=3 + fi + fi } # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - ok "$PACKAGE is installed" - else - crit "$PACKAGE is absent, installing it" - install_package $PACKAGE - fi - for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then - ok "$PATTERN is present in $FILE" - else - warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file $FILE "^$SSH_PARAM" - if [ $FNRET != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" - else - info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" - fi - systemctl reload sshd - fi - done + SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1) + SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + case $FNRET in + 0) ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct." + ;; + 1) warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload" + /etc/init.d/ssh reload > /dev/null 2>&1 + ;; + 2) warn "$PATTERN is not present in $FILE, need add to sshd_config and reload" + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + /etc/init.d/ssh reload > /dev/null 2>&1 + ;; + 3) warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + /etc/init.d/ssh reload > /dev/null 2>&1 + ;; + 5) warn "$PACKAGE is absent, installing it" + apt_install $PACKAGE + ;; + *) ;; + esac } # This function will check config parameters required 
diff --git a/bin/hardening/9.3.17_sshd_GSSAPIAuthentication.sh b/bin/hardening/9.3.17_sshd_GSSAPIAuthentication.sh
index e13d1a5..20124c6 100755
--- a/bin/hardening/9.3.17_sshd_GSSAPIAuthentication.sh
+++ b/bin/hardening/9.3.17_sshd_GSSAPIAuthentication.sh
@@ -23,50 +23,57 @@ audit () { is_pkg_installed $PACKAGE if [ $FNRET != 0 ]; then crit "$PACKAGE is not installed!" - else - ok "$PACKAGE is installed" - for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then - ok "$PATTERN is present in $FILE" - else - crit "$PATTERN is not present in $FILE" - fi - done - fi + FNRET=5 + else + ok "$PACKAGE is installed" + SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1) + SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2) + check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE + if [ $FNRET = 0 ]; then + ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct." + FNRET=0 + elif [ $FNRET = 1 ]; then + crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration." + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exist_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + FNRET=1 + else + crit "$PATTERN is not present in $FILE" + FNRET=2 + fi + else + crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect." 
+ FNRET=3 + fi + fi } # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - ok "$PACKAGE is installed" - else - crit "$PACKAGE is absent, installing it" - install_package $PACKAGE - fi - for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then - ok "$PATTERN is present in $FILE" - else - warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file $FILE "^$SSH_PARAM" - if [ $FNRET != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" - else - info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" - fi - systemctl reload sshd - fi - done + SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1) + SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + case $FNRET in + 0) ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct." + ;; + 1) warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload" + /etc/init.d/ssh reload > /dev/null 2>&1 + ;; + 2) warn "$PATTERN is not present in $FILE, need add to sshd_config and reload" + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + /etc/init.d/ssh reload > /dev/null 2>&1 + ;; + 3) warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + /etc/init.d/ssh reload > /dev/null 2>&1 + ;; + 5) warn "$PACKAGE is absent, installing it" + apt_install $PACKAGE + ;; + *) ;; + esac } # This function will check config parameters required 
diff --git a/bin/hardening/9.3.18_sshd_KerberosAuthentication.sh b/bin/hardening/9.3.18_sshd_KerberosAuthentication.sh
index 276100c..837cc10 100755
--- a/bin/hardening/9.3.18_sshd_KerberosAuthentication.sh
+++ b/bin/hardening/9.3.18_sshd_KerberosAuthentication.sh
@@ -23,50 +23,57 @@ audit () { is_pkg_installed $PACKAGE if [ $FNRET != 0 ]; then crit "$PACKAGE is not installed!" - else - ok "$PACKAGE is installed" - for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then - ok "$PATTERN is present in $FILE" - else - crit "$PATTERN is not present in $FILE" - fi - done - fi + FNRET=5 + else + ok "$PACKAGE is installed" + SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1) + SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2) + check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE + if [ $FNRET = 0 ]; then + ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct." + FNRET=0 + elif [ $FNRET = 1 ]; then + crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration." + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exist_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + FNRET=1 + else + crit "$PATTERN is not present in $FILE" + FNRET=2 + fi + else + crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect." 
+ FNRET=3 + fi + fi } # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - ok "$PACKAGE is installed" - else - crit "$PACKAGE is absent, installing it" - install_package $PACKAGE - fi - for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then - ok "$PATTERN is present in $FILE" - else - warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file $FILE "^$SSH_PARAM" - if [ $FNRET != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" - else - info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" - fi - systemctl reload sshd - fi - done + SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1) + SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + case $FNRET in + 0) ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct." + ;; + 1) warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload" + /etc/init.d/ssh reload > /dev/null 2>&1 + ;; + 2) warn "$PATTERN is not present in $FILE, need add to sshd_config and reload" + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + /etc/init.d/ssh reload > /dev/null 2>&1 + ;; + 3) warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + /etc/init.d/ssh reload > /dev/null 2>&1 + ;; + 5) warn "$PACKAGE is absent, installing it" + apt_install $PACKAGE + ;; + *) ;; + esac } # This function will check config parameters required diff --git a/bin/hardening/9.3.19_sshd_StrictModes.sh b/bin/hardening/9.3.19_sshd_StrictModes.sh index b6ba407..caabd39 100755 
--- a/bin/hardening/9.3.19_sshd_StrictModes.sh
+++ b/bin/hardening/9.3.19_sshd_StrictModes.sh
@@ -23,50 +23,57 @@ audit () { is_pkg_installed $PACKAGE if [ $FNRET != 0 ]; then crit "$PACKAGE is not installed!" - else - ok "$PACKAGE is installed" - for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then - ok "$PATTERN is present in $FILE" - else - crit "$PATTERN is not present in $FILE" - fi - done - fi + FNRET=5 + else + ok "$PACKAGE is installed" + SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1) + SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2) + check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE + if [ $FNRET = 0 ]; then + ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct." + FNRET=0 + elif [ $FNRET = 1 ]; then + crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration." + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exist_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + FNRET=1 + else + crit "$PATTERN is not present in $FILE" + FNRET=2 + fi + else + crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect." 
+ FNRET=3 + fi + fi } # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - ok "$PACKAGE is installed" - else - crit "$PACKAGE is absent, installing it" - install_package $PACKAGE - fi - for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then - ok "$PATTERN is present in $FILE" - else - warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file $FILE "^$SSH_PARAM" - if [ $FNRET != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" - else - info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" - fi - systemctl reload sshd - fi - done + SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1) + SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + case $FNRET in + 0) ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct." + ;; + 1) warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload" + /etc/init.d/ssh reload > /dev/null 2>&1 + ;; + 2) warn "$PATTERN is not present in $FILE, need add to sshd_config and reload" + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + /etc/init.d/ssh reload > /dev/null 2>&1 + ;; + 3) warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + /etc/init.d/ssh reload > /dev/null 2>&1 + ;; + 5) warn "$PACKAGE is absent, installing it" + apt_install $PACKAGE + ;; + *) ;; + esac } # This function will check config parameters required diff --git a/bin/hardening/9.3.20_sshd_compression.sh b/bin/hardening/9.3.20_sshd_compression.sh index 636f339..0ec6f67 100755 
--- a/bin/hardening/9.3.20_sshd_compression.sh
+++ b/bin/hardening/9.3.20_sshd_compression.sh
@@ -23,50 +23,57 @@ audit () { is_pkg_installed $PACKAGE if [ $FNRET != 0 ]; then crit "$PACKAGE is not installed!" - else - ok "$PACKAGE is installed" - for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then - ok "$PATTERN is present in $FILE" - else - crit "$PATTERN is not present in $FILE" - fi - done - fi + FNRET=5 + else + ok "$PACKAGE is installed" + SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1) + SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2) + check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE + if [ $FNRET = 0 ]; then + ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct." + FNRET=0 + elif [ $FNRET = 1 ]; then + crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration." + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exist_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + FNRET=1 + else + crit "$PATTERN is not present in $FILE" + FNRET=2 + fi + else + crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect." 
+ FNRET=3 + fi + fi } # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - ok "$PACKAGE is installed" - else - crit "$PACKAGE is absent, installing it" - install_package $PACKAGE - fi - for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then - ok "$PATTERN is present in $FILE" - else - warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file $FILE "^$SSH_PARAM" - if [ $FNRET != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" - else - info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" - fi - systemctl reload sshd - fi - done + SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1) + SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2) + PATTERN="$SSH_PARAM $SSH_VALUE" + case $FNRET in + 0) ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct." + ;; + 1) warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload" + /etc/init.d/ssh reload > /dev/null 2>&1 + ;; + 2) warn "$PATTERN is not present in $FILE, need add to sshd_config and reload" + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + /etc/init.d/ssh reload > /dev/null 2>&1 + ;; + 3) warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + /etc/init.d/ssh reload > /dev/null 2>&1 + ;; + 5) warn "$PACKAGE is absent, installing it" + apt_install $PACKAGE + ;; + *) ;; + esac } # This function will check config parameters required diff --git a/bin/hardening/9.3.25_sshd_logingracetime.sh b/bin/hardening/9.3.25_sshd_logingracetime.sh index 126812f..fafd216 100755 
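Review bot: `PATTERN="$SSH_PARAM $SSH_VALUE"` in this file's `apply()` (and in 9.3.25) differs from the `PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"` the other scripts of this series use in the same place; `PATTERN` is only interpolated into the `warn` messages here, so behaviour is unaffected, but the report wording now varies from check to check. Pick one form for all sixteen scripts — keeping the regex form matches what `audit()` already prints for the same condition.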
--- a/bin/hardening/9.3.25_sshd_logingracetime.sh
+++ b/bin/hardening/9.3.25_sshd_logingracetime.sh
@@ -23,50 +23,57 @@ audit () { is_pkg_installed $PACKAGE if [ $FNRET != 0 ]; then crit "$PACKAGE is not installed!" - else - ok "$PACKAGE is installed" - for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then - ok "$PATTERN is present in $FILE" - else - crit "$PATTERN is not present in $FILE" - fi - done - fi + FNRET=5 + else + ok "$PACKAGE is installed" + SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1) + SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2) + check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE + if [ $FNRET = 0 ]; then + ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct." + FNRET=0 + elif [ $FNRET = 1 ]; then + crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration." + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exist_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + FNRET=1 + else + crit "$PATTERN is not present in $FILE" + FNRET=2 + fi + else + crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect." 
+ FNRET=3 + fi + fi } # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - ok "$PACKAGE is installed" - else - crit "$PACKAGE is absent, installing it" - install_package $PACKAGE - fi - for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then - ok "$PATTERN is present in $FILE" - else - warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file $FILE "^$SSH_PARAM" - if [ $FNRET != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" - else - info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" - fi - systemctl reload sshd - fi - done + SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1) + SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2) + PATTERN="$SSH_PARAM $SSH_VALUE" + case $FNRET in + 0) ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct." + ;; + 1) warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload" + /etc/init.d/ssh reload > /dev/null 2>&1 + ;; + 2) warn "$PATTERN is not present in $FILE, need add to sshd_config and reload" + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + /etc/init.d/ssh reload > /dev/null 2>&1 + ;; + 3) warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + /etc/init.d/ssh reload > /dev/null 2>&1 + ;; + 5) warn "$PACKAGE is absent, installing it" + apt_install $PACKAGE + ;; + *) ;; + esac } # This function will check config parameters required diff --git a/bin/hardening/9.3.2_sshd_loglevel.sh b/bin/hardening/9.3.2_sshd_loglevel.sh index 0d87f0b..376085d 100755 
--- a/bin/hardening/9.3.2_sshd_loglevel.sh
+++ b/bin/hardening/9.3.2_sshd_loglevel.sh
@@ -25,36 +25,34 @@ audit () {
         FNRET=5
     else
         ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE
-            if [ $FNRET = 0 ]; then
-                ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
-                FNRET=0
-            elif [ $FNRET = 1 ]; then
-                crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration."
-                PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-                does_pattern_exist_in_file $FILE "$PATTERN"
-                if [ $FNRET = 0 ]; then
-                    ok "$PATTERN is present in $FILE"
-                    FNRET=1
-                else
-                    crit "$PATTERN is not present in $FILE"
-                    FNRET=2
-                fi
+        SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
+        SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
+        check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE
+        if [ $FNRET = 0 ]; then
+            ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
+            FNRET=0
+        elif [ $FNRET = 1 ]; then
+            crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration."
+            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+            does_pattern_exist_in_file $FILE "$PATTERN"
+            if [ $FNRET = 0 ]; then
+                ok "$PATTERN is present in $FILE"
+                FNRET=1
             else
-                crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
-                FNRET=3
+                crit "$PATTERN is not present in $FILE"
+                FNRET=2
             fi
-        done
-fi
+        else
+            crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
+            FNRET=3
+        fi
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-    SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+    SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
+    SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
     PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
     case $FNRET in
         0) ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
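Review bot: `SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)` / `SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)`, now used in both audit() and apply(), drop the per-option loop the old audit had, so if OPTIONS is ever set to more than one `KEY=VALUE` entry the extra entries are folded into SSH_VALUE or truncated without any error, and a value that itself contains `=` loses its tail. Since the script now supports exactly one option, make that explicit and avoid the unquoted `echo` (which glob-expands its argument): `SSH_PARAM=${OPTIONS%%=*}` and `SSH_VALUE=${OPTIONS#*=}`. In the FNRET=1 branch of audit() the file check logs `ok "$PATTERN is present in $FILE"` while the overall result is still a failure (runtime differs from file), so that line reads more honestly as `warn`. apply()'s body continues past the end of this hunk.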
diff --git a/bin/hardening/9.3.4_disable_x11_forwarding.sh b/bin/hardening/9.3.4_disable_x11_forwarding.sh
index f21dd48..d61f884 100755
--- a/bin/hardening/9.3.4_disable_x11_forwarding.sh
+++ b/bin/hardening/9.3.4_disable_x11_forwarding.sh
@@ -22,50 +22,57 @@ audit () {
     is_pkg_installed $PACKAGE
     if [ $FNRET != 0 ]; then
         crit "$PACKAGE is not installed!"
-    else
-        ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
-            if [ $FNRET = 0 ]; then
-                ok "$PATTERN is present in $FILE"
-            else
-                crit "$PATTERN is not present in $FILE"
-            fi
-        done
+        FNRET=5
+    else
+        ok "$PACKAGE is installed"
+        SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
+        SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
+        check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE
+        if [ $FNRET = 0 ]; then
+            ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
+            FNRET=0
+        elif [ $FNRET = 1 ]; then
+            crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration."
+            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+            does_pattern_exist_in_file $FILE "$PATTERN"
+            if [ $FNRET = 0 ]; then
+                ok "$PATTERN is present in $FILE"
+                FNRET=1
+            else
+                crit "$PATTERN is not present in $FILE"
+                FNRET=2
+            fi
+        else
+            crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
+            FNRET=3
+        fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET = 0 ]; then
-        ok "$PACKAGE is installed"
-    else
-        crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
-    fi
-    for SSH_OPTION in $OPTIONS; do
-        SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-        SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-        PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file $FILE "$PATTERN"
-        if [ $FNRET = 0 ]; then
-            ok "$PATTERN is present in $FILE"
-        else
-            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file $FILE "^$SSH_PARAM"
-            if [ $FNRET != 0 ]; then
-                add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
-            else
-                info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
-            fi
-            /etc/init.d/ssh reload > /dev/null 2>&1
-        fi
-    done
+    SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
+    SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
+    PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+    case $FNRET in
+        0) ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
+        ;;
+        1) warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload"
+           /etc/init.d/ssh reload > /dev/null 2>&1
+        ;;
+        2) warn "$PATTERN is not present in $FILE, need add to sshd_config and reload"
+           add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+           /etc/init.d/ssh reload > /dev/null 2>&1
+        ;;
+        3) warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
+           replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+           /etc/init.d/ssh reload > /dev/null 2>&1
+        ;;
+        5) warn "$PACKAGE is absent, installing it"
+           apt_install $PACKAGE
+        ;;
+        *) ;;
+    esac
 }
 
 # This function will check config parameters required
diff --git a/bin/hardening/9.3.5_sshd_maxauthtries.sh b/bin/hardening/9.3.5_sshd_maxauthtries.sh
index 3e6aeb0..2e990ba 100755
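Review bot: Every arm of the new `case` in apply() runs `/etc/init.d/ssh reload > /dev/null 2>&1` and discards its exit status, so a reload that fails — for instance because the edited sshd_config no longer parses — leaves the previous runtime configuration (X11Forwarding unchanged) in place while the script has already logged that it is fixing the setting, and the next audit is the only thing that will notice. At minimum keep the status: `/etc/init.d/ssh reload > /dev/null 2>&1 || crit "sshd reload failed, runtime config not updated"`. Better still, run `sshd -t` against $FILE after `add_end_of_file`/`replace_in_file` and only reload when it passes, so a bad write is reported instead of being handed to the daemon.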
--- a/bin/hardening/9.3.5_sshd_maxauthtries.sh
+++ b/bin/hardening/9.3.5_sshd_maxauthtries.sh
@@ -22,50 +22,57 @@ audit () {
     is_pkg_installed $PACKAGE
     if [ $FNRET != 0 ]; then
         crit "$PACKAGE is not installed!"
-    else
-        ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
-            if [ $FNRET = 0 ]; then
-                ok "$PATTERN is present in $FILE"
-            else
-                crit "$PATTERN is not present in $FILE"
-            fi
-        done
-    fi
+        FNRET=5
+    else
+        ok "$PACKAGE is installed"
+        SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
+        SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
+        check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE
+        if [ $FNRET = 0 ]; then
+            ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
+            FNRET=0
+        elif [ $FNRET = 1 ]; then
+            crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration."
+            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+            does_pattern_exist_in_file $FILE "$PATTERN"
+            if [ $FNRET = 0 ]; then
+                ok "$PATTERN is present in $FILE"
+                FNRET=1
+            else
+                crit "$PATTERN is not present in $FILE"
+                FNRET=2
+            fi
+        else
+            crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
+            FNRET=3
+        fi
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET = 0 ]; then
-        ok "$PACKAGE is installed"
-    else
-        crit "$PACKAGE is absent, installing it"
-        install_package $PACKAGE
-    fi
-    for SSH_OPTION in $OPTIONS; do
-        SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-        SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-        PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file $FILE "$PATTERN"
-        if [ $FNRET = 0 ]; then
-            ok "$PATTERN is present in $FILE"
-        else
-            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file $FILE "^$SSH_PARAM"
-            if [ $FNRET != 0 ]; then
-                add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
-            else
-                info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
-            fi
-            systemctl reload sshd
-        fi
-    done
+    SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
+    SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
+    PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+    case $FNRET in
+        0) ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
+        ;;
+        1) warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload"
+           /etc/init.d/ssh reload > /dev/null 2>&1
+        ;;
+        2) warn "$PATTERN is not present in $FILE, need add to sshd_config and reload"
+           add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+           /etc/init.d/ssh reload > /dev/null 2>&1
+        ;;
+        3) warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
+           replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+           /etc/init.d/ssh reload > /dev/null 2>&1
+        ;;
+        5) warn "$PACKAGE is absent, installing it"
+           apt_install $PACKAGE
+        ;;
+        *) ;;
+    esac
 }
 
 # This function will check config parameters required
diff --git a/bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh b/bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh
index 769ad22..2559d25 100755
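Review bot: The fallback file check in audit(), `PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"`, is anchored only at the start and `[[:space:]]*` accepts no separator at all, so for a numeric limit like MaxAuthTries a line `MaxAuthTries 40` satisfies the pattern for value 4 and is reported `ok` with FNRET=1, after which apply() merely reloads and never corrects the value. Anchor both ends: `PATTERN="^$SSH_PARAM[[:space:]]\+$SSH_VALUE[[:space:]]*$"` (assuming does_pattern_exist_in_file hands this to grep as a basic regex, which the `[[:space:]]` class suggests), and use the same pattern in apply(). Separately, both audit() and the `3)` arm treat the value as an exact match; if OPTIONS carries the benchmark ceiling (e.g. 4), a host already set to a stricter `MaxAuthTries 2` is reported incorrect and rewritten to the looser value — for a ceiling-type setting the comparison should be `<=`, not equality. OPTIONS and the two helpers are outside this hunk, so this is inferred from their names.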
--- a/bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh
+++ b/bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh
@@ -22,50 +22,57 @@ audit () {
     is_pkg_installed $PACKAGE
     if [ $FNRET != 0 ]; then
         crit "$PACKAGE is not installed!"
-    else
-        ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
-            if [ $FNRET = 0 ]; then
-                ok "$PATTERN is present in $FILE"
-            else
-                crit "$PATTERN is not present in $FILE"
-            fi
-        done
-    fi
+        FNRET=5
+    else
+        ok "$PACKAGE is installed"
+        SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
+        SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
+        check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE
+        if [ $FNRET = 0 ]; then
+            ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
+            FNRET=0
+        elif [ $FNRET = 1 ]; then
+            crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration."
+            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+            does_pattern_exist_in_file $FILE "$PATTERN"
+            if [ $FNRET = 0 ]; then
+                ok "$PATTERN is present in $FILE"
+                FNRET=1
+            else
+                crit "$PATTERN is not present in $FILE"
+                FNRET=2
+            fi
+        else
+            crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
+            FNRET=3
+        fi
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET = 0 ]; then
-        ok "$PACKAGE is installed"
-    else
-        crit "$PACKAGE is absent, installing it"
-        install_package $PACKAGE
-    fi
-    for SSH_OPTION in $OPTIONS; do
-        SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-        SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-        PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file $FILE "$PATTERN"
-        if [ $FNRET = 0 ]; then
-            ok "$PATTERN is present in $FILE"
-        else
-            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file $FILE "^$SSH_PARAM"
-            if [ $FNRET != 0 ]; then
-                add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
-            else
-                info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
-            fi
-            systemctl reload sshd
-        fi
-    done
+    SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
+    SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
+    PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+    case $FNRET in
+        0) ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
+        ;;
+        1) warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload"
+           /etc/init.d/ssh reload > /dev/null 2>&1
+        ;;
+        2) warn "$PATTERN is not present in $FILE, need add to sshd_config and reload"
+           add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+           /etc/init.d/ssh reload > /dev/null 2>&1
+        ;;
+        3) warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
+           replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+           /etc/init.d/ssh reload > /dev/null 2>&1
+        ;;
+        5) warn "$PACKAGE is absent, installing it"
+           apt_install $PACKAGE
+        ;;
+        *) ;;
+    esac
 }
 
 # This function will check config parameters required
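Review bot: The `5)` arm of the new `case` in apply() installs the package and stops; the IgnoreRhosts setting is never checked or written in that run, because the FNRET driving the `case` was computed by audit() before `apt_install $PACKAGE` executed. A freshly installed sshd therefore keeps whatever the package ships until the script is run a second time, and nothing in the output says so — the old apply() installed and then fell through to the option loop. Either re-evaluate after installing, `apt_install $PACKAGE; audit; [ "$FNRET" != 5 ] && apply`, or at least make the gap visible: `warn "$PACKAGE installed; re-run this check to apply $SSH_PARAM $SSH_VALUE"`.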
diff --git a/bin/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh b/bin/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh
index ec00d5d..75b5d90 100755
--- a/bin/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh
+++ b/bin/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh
@@ -22,50 +22,57 @@ audit () {
     is_pkg_installed $PACKAGE
     if [ $FNRET != 0 ]; then
         crit "$PACKAGE is not installed!"
-    else
-        ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
-            if [ $FNRET = 0 ]; then
-                ok "$PATTERN is present in $FILE"
-            else
-                crit "$PATTERN is not present in $FILE"
-            fi
-        done
-    fi
+        FNRET=5
+    else
+        ok "$PACKAGE is installed"
+        SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
+        SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
+        check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE
+        if [ $FNRET = 0 ]; then
+            ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
+            FNRET=0
+        elif [ $FNRET = 1 ]; then
+            crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration."
+            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+            does_pattern_exist_in_file $FILE "$PATTERN"
+            if [ $FNRET = 0 ]; then
+                ok "$PATTERN is present in $FILE"
+                FNRET=1
+            else
+                crit "$PATTERN is not present in $FILE"
+                FNRET=2
+            fi
+        else
+            crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
+            FNRET=3
+        fi
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET = 0 ]; then
-        ok "$PACKAGE is installed"
-    else
-        crit "$PACKAGE is absent, installing it"
-        install_package $PACKAGE
-    fi
-    for SSH_OPTION in $OPTIONS; do
-        SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-        SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-        PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file $FILE "$PATTERN"
-        if [ $FNRET = 0 ]; then
-            ok "$PATTERN is present in $FILE"
-        else
-            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file $FILE "^$SSH_PARAM"
-            if [ $FNRET != 0 ]; then
-                add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
-            else
-                info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
-            fi
-            systemctl reload sshd
-        fi
-    done
+    SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
+    SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
+    PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+    case $FNRET in
+        0) ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
+        ;;
+        1) warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload"
+           /etc/init.d/ssh reload > /dev/null 2>&1
+        ;;
+        2) warn "$PATTERN is not present in $FILE, need add to sshd_config and reload"
+           add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+           /etc/init.d/ssh reload > /dev/null 2>&1
+        ;;
+        3) warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
+           replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+           /etc/init.d/ssh reload > /dev/null 2>&1
+        ;;
+        5) warn "$PACKAGE is absent, installing it"
+           apt_install $PACKAGE
+        ;;
+        *) ;;
+    esac
 }
 
 # This function will check config parameters required
diff --git a/bin/hardening/9.3.8_disable_root_login.sh b/bin/hardening/9.3.8_disable_root_login.sh
index 3441693..0204a65 100755
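Review bot: The `2)` arm of apply() writes the missing directive with `add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"`, but sshd_config is positional: if the file ends with a `Match` block, the appended `HostbasedAuthentication no` lands inside that block and applies only to connections the block matches, the global value stays at the default, and the next audit reports the same runtime mismatch. Because sshd honours the first occurrence of a keyword, inserting at the top of the file is the robust form of this fix — `sed -i "1i $SSH_PARAM $SSH_VALUE" $FILE` — or, if the repo has one, an insert-before-first-`Match` helper in place of add_end_of_file. add_end_of_file itself is not in this diff, so the placement is inferred from its name.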
--- a/bin/hardening/9.3.8_disable_root_login.sh
+++ b/bin/hardening/9.3.8_disable_root_login.sh
@@ -22,50 +22,57 @@ audit () {
     is_pkg_installed $PACKAGE
     if [ $FNRET != 0 ]; then
         crit "$PACKAGE is not installed!"
-    else
-        ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
-            if [ $FNRET = 0 ]; then
-                ok "$PATTERN is present in $FILE"
-            else
-                crit "$PATTERN is not present in $FILE"
-            fi
-        done
-    fi
+        FNRET=5
+    else
+        ok "$PACKAGE is installed"
+        SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
+        SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
+        check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE
+        if [ $FNRET = 0 ]; then
+            ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
+            FNRET=0
+        elif [ $FNRET = 1 ]; then
+            crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration."
+            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+            does_pattern_exist_in_file $FILE "$PATTERN"
+            if [ $FNRET = 0 ]; then
+                ok "$PATTERN is present in $FILE"
+                FNRET=1
+            else
+                crit "$PATTERN is not present in $FILE"
+                FNRET=2
+            fi
+        else
+            crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
+            FNRET=3
+        fi
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET = 0 ]; then
-        ok "$PACKAGE is installed"
-    else
-        crit "$PACKAGE is absent, installing it"
-        install_package $PACKAGE
-    fi
-    for SSH_OPTION in $OPTIONS; do
-        SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-        SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-        PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file $FILE "$PATTERN"
-        if [ $FNRET = 0 ]; then
-            ok "$PATTERN is present in $FILE"
-        else
-            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file $FILE "^$SSH_PARAM"
-            if [ $FNRET != 0 ]; then
-                add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
-            else
-                info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
-            fi
-            systemctl reload sshd
-        fi
-    done
+    SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
+    SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
+    PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+    case $FNRET in
+        0) ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
+        ;;
+        1) warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload"
+           /etc/init.d/ssh reload > /dev/null 2>&1
+        ;;
+        2) warn "$PATTERN is not present in $FILE, need add to sshd_config and reload"
+           add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+           /etc/init.d/ssh reload > /dev/null 2>&1
+        ;;
+        3) warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
+           replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+           /etc/init.d/ssh reload > /dev/null 2>&1
+        ;;
+        5) warn "$PACKAGE is absent, installing it"
+           apt_install $PACKAGE
+        ;;
+        *) ;;
+    esac
 }
 
 # This function will check config parameters required
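Review bot: The `3)` arm of apply() corrects a wrong PermitRootLogin value with `replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*"`, which matches the keyword case-sensitively, while sshd reads keywords case-insensitively: a line `permitrootlogin yes` is what the daemon honours (and presumably what the runtime check flagged), yet the substitution never touches it, the reload changes nothing, root login stays enabled, and the script has already logged "Fixing and reload config". The same silent no-op happens when the keyword appears twice and only a later occurrence is rewritten, since sshd takes the first. Make the match case-insensitive — if replace_in_file wraps GNU sed, `s/^$SSH_PARAM[[:space:]]*.*/$SSH_PARAM $SSH_VALUE/I` — and, rather than assuming success, call `check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE` again after the reload and `crit` when FNRET is still non-zero.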
diff --git a/bin/hardening/9.3.9_disable_sshd_permitemptypasswords.sh b/bin/hardening/9.3.9_disable_sshd_permitemptypasswords.sh
index 4c9cfaa..3f07676 100755
--- a/bin/hardening/9.3.9_disable_sshd_permitemptypasswords.sh
+++ b/bin/hardening/9.3.9_disable_sshd_permitemptypasswords.sh
@@ -22,50 +22,57 @@ audit () {
     is_pkg_installed $PACKAGE
     if [ $FNRET != 0 ]; then
         crit "$PACKAGE is not installed!"
-    else
-        ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
-            if [ $FNRET = 0 ]; then
-                ok "$PATTERN is present in $FILE"
-            else
-                crit "$PATTERN is not present in $FILE"
-            fi
-        done
-    fi
+        FNRET=5
+    else
+        ok "$PACKAGE is installed"
+        SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
+        SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
+        check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE
+        if [ $FNRET = 0 ]; then
+            ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
+            FNRET=0
+        elif [ $FNRET = 1 ]; then
+            crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration."
+            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+            does_pattern_exist_in_file $FILE "$PATTERN"
+            if [ $FNRET = 0 ]; then
+                ok "$PATTERN is present in $FILE"
+                FNRET=1
+            else
+                crit "$PATTERN is not present in $FILE"
+                FNRET=2
+            fi
+        else
+            crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
+            FNRET=3
+        fi
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET = 0 ]; then
-        ok "$PACKAGE is installed"
-    else
-        crit "$PACKAGE is absent, installing it"
-        install_package $PACKAGE
-    fi
-    for SSH_OPTION in $OPTIONS; do
-        SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-        SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-        PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file $FILE "$PATTERN"
-        if [ $FNRET = 0 ]; then
-            ok "$PATTERN is present in $FILE"
-        else
-            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file $FILE "^$SSH_PARAM"
-            if [ $FNRET != 0 ]; then
-                add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
-            else
-                info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
-            fi
-            systemctl reload sshd
-        fi
-    done
+    SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
+    SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
+    PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+    case $FNRET in
+        0) ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
+        ;;
+        1) warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload"
+           /etc/init.d/ssh reload > /dev/null 2>&1
+        ;;
+        2) warn "$PATTERN is not present in $FILE, need add to sshd_config and reload"
+           add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+           /etc/init.d/ssh reload > /dev/null 2>&1
+        ;;
+        3) warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
+           replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+           /etc/init.d/ssh reload > /dev/null 2>&1
+        ;;
+        5) warn "$PACKAGE is absent, installing it"
+           apt_install $PACKAGE
+        ;;
+        *) ;;
+    esac
 }
 
 # This function will check config parameters required
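Review bot: apply() dispatches solely on the FNRET left behind by audit(), and its `*) ;;` arm silently does nothing for any other value — including an empty FNRET if apply() is ever invoked without a preceding audit() in the same shell — so a failure to evaluate the PermitEmptyPasswords state ends with no change and no message, which is the wrong default for a hardening script. Make the unexpected state loud: `*) crit "unexpected audit state '$FNRET', nothing applied" ;;`. Relatedly, the tests in audit() are written as unquoted `[ $FNRET = 0 ]` / `[ $FNRET = 1 ]`; if check_sshd_conf_for_one_value_runtime ever leaves FNRET empty these become `[ = 0 ]` and the script aborts with a shell syntax error instead of a diagnostic — quote them as `[ "$FNRET" = 0 ]`.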