Implement the exception handling feature for the specified service.

samson 2019-03-29 17:02:58 +08:00
parent 0985aedee2
commit ebed556653
12 changed files with 254 additions and 47 deletions


@ -22,7 +22,11 @@ audit () {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed!" if [ $ISEXCEPTION -eq 1 ]; then
warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!"
else
crit "$PACKAGE is installed!"
fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi
@ -34,15 +38,28 @@ apply () {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it" if [ $ISEXCEPTION -eq 1 ]; then
apt-get purge $PACKAGE -y warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
apt-get autoremove else
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi
done done
} }
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=disabled
# Put here exception to pass this case, if set is 1, don't need apply, let to pass.
ISEXCEPTION=0
EOF
}
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: :
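Review bot: The new `[ $ISEXCEPTION -eq 1 ]` test in audit() and apply() reads a variable that only the freshly generated default config defines, so a host whose config file for this check pre-dates the commit has no `ISEXCEPTION`; if this script runs under `set -u`, as the one shown further down the page does, the check would abort instead of reporting. Quoting with a default keeps the check fail-closed (no exception unless explicitly set): `if [ "${ISEXCEPTION:-0}" -eq 1 ]; then`. check_config() is still the no-op `:`, so it would be the natural place to reject values other than 0 or 1. The same test is repeated in the other eleven file sections of this commit. Both function bodies start outside the hunks.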


@ -21,7 +21,11 @@ audit () {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed!" if [ $ISEXCEPTION -eq 1 ]; then
warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!"
else
crit "$PACKAGE is installed!"
fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi
@ -33,15 +37,29 @@ apply () {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it" if [ $ISEXCEPTION -eq 1 ]; then
apt-get purge $PACKAGE -y warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
apt-get autoremove else
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi
done done
} }
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=disabled
# Put here exception to pass this case, if set is 1, don't need apply, let to pass.
ISEXCEPTION=0
EOF
}
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: :


@ -21,7 +21,11 @@ audit () {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed!" if [ $ISEXCEPTION -eq 1 ]; then
warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!"
else
crit "$PACKAGE is installed!"
fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi
@ -33,15 +37,28 @@ apply () {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it" if [ $ISEXCEPTION -eq 1 ]; then
apt-get purge $PACKAGE -y warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
apt-get autoremove else
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi
done done
} }
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=disabled
# Put here exception to pass this case, if set is 1, don't need apply, let to pass.
ISEXCEPTION=0
EOF
}
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: :


@ -21,7 +21,11 @@ audit () {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed!" if [ $ISEXCEPTION -eq 1 ]; then
warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!"
else
crit "$PACKAGE is installed!"
fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi
@ -33,14 +37,27 @@ apply () {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it" if [ $ISEXCEPTION -eq 1 ]; then
apt-get purge $PACKAGE -y warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi
done done
} }
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=disabled
# Put here exception to pass this case, if set is 1, don't need apply, let to pass.
ISEXCEPTION=0
EOF
}
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: :


@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
HARDENING_LEVEL=3 HARDENING_LEVEL=3
HARDENING_EXCEPTION=dns
PACKAGES='avahi-daemon libavahi-common-data libavahi-common3 libavahi-core7' PACKAGES='avahi-daemon libavahi-common-data libavahi-common3 libavahi-core7'
@ -20,7 +21,11 @@ audit () {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed!" if [ $ISEXCEPTION -eq 1 ]; then
warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!"
else
crit "$PACKAGE is installed!"
fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi
@ -32,15 +37,28 @@ apply () {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it" if [ $ISEXCEPTION -eq 1 ]; then
apt-get purge $PACKAGE -y warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
apt-get autoremove else
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi
done done
} }
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=disabled
# Put here exception to pass this case, if set is 1, don't need apply, let to pass.
ISEXCEPTION=0
EOF
}
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: :
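Review bot: `HARDENING_EXCEPTION=dns` is added next to `HARDENING_LEVEL` without a comment, and nothing in the visible hunks reads it; the new branches in audit() and apply() are gated on `ISEXCEPTION` only. If code outside this file consumes it, a one-line comment such as `# Exception group for this check, read by <consumer — placeholder>` would make its relationship to `ISEXCEPTION` clear. If nothing does, the assignment is dead configuration and can be dropped, since an unexplained exception label in a hardening check invites misreading during audits.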


@ -21,7 +21,11 @@ audit () {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed!" if [ $ISEXCEPTION -eq 1 ]; then
warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!"
else
crit "$PACKAGE is installed!"
fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi
@ -33,15 +37,28 @@ apply () {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it" if [ $ISEXCEPTION -eq 1 ]; then
apt-get purge $PACKAGE -y warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
apt-get autoremove else
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi
done done
} }
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=disabled
# Put here exception to pass this case, if set is 1, don't need apply, let to pass.
ISEXCEPTION=0
EOF
}
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: :


@ -21,7 +21,11 @@ audit () {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed!" if [ $ISEXCEPTION -eq 1 ]; then
warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!"
else
crit "$PACKAGE is installed!"
fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi
@ -33,15 +37,28 @@ apply () {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it" if [ $ISEXCEPTION -eq 1 ]; then
apt-get purge $PACKAGE -y warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
apt-get autoremove else
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi
done done
} }
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=disabled
# Put here exception to pass this case, if set is 1, don't need apply, let to pass.
ISEXCEPTION=0
EOF
}
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: :


@ -21,7 +21,11 @@ audit () {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed!" if [ $ISEXCEPTION -eq 1 ]; then
warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!"
else
crit "$PACKAGE is installed!"
fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi
@ -33,15 +37,29 @@ apply () {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it" if [ $ISEXCEPTION -eq 1 ]; then
apt-get purge $PACKAGE -y warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
apt-get autoremove else
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi
done done
} }
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=disabled
# Put here exception to pass this case, if set is 1, don't need apply, let to pass.
ISEXCEPTION=0
EOF
}
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: :


@ -21,7 +21,11 @@ audit () {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed!" if [ $ISEXCEPTION -eq 1 ]; then
warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!"
else
crit "$PACKAGE is installed!"
fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi
@ -33,15 +37,28 @@ apply () {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it" if [ $ISEXCEPTION -eq 1 ]; then
apt-get purge $PACKAGE -y warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
apt-get autoremove else
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi
done done
} }
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=disabled
# Put here exception to pass this case, if set is 1, don't need apply, let to pass.
ISEXCEPTION=0
EOF
}
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: :


@ -21,7 +21,11 @@ audit () {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed!" if [ $ISEXCEPTION -eq 1 ]; then
warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!"
else
crit "$PACKAGE is installed!"
fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi
@ -33,15 +37,28 @@ apply () {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it" if [ $ISEXCEPTION -eq 1 ]; then
apt-get purge $PACKAGE -y warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
apt-get autoremove else
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi
done done
} }
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=disabled
# Put here exception to pass this case, if set is 1, don't need apply, let to pass.
ISEXCEPTION=0
EOF
}
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: :


@ -22,7 +22,11 @@ audit () {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed!" if [ $ISEXCEPTION -eq 1 ]; then
warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!"
else
crit "$PACKAGE is installed!"
fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi
@ -34,15 +38,28 @@ apply () {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it" if [ $ISEXCEPTION -eq 1 ]; then
apt-get purge $PACKAGE -y warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
apt-get autoremove else
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
fi
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi
done done
} }
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=disabled
# Put here exception to pass this case, if set is 1, don't need apply, let to pass.
ISEXCEPTION=0
EOF
}
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: :


@ -21,7 +21,11 @@ SYSCTL_EXP_RESULT=0
audit () { audit () {
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" if [ $ISEXCEPTION -eq 1 ]; then
warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!"
else
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
fi
elif [ $FNRET = 255 ]; then elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
@ -33,9 +37,13 @@ audit () {
apply () { apply () {
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" if [ $ISEXCEPTION -eq 1 ]; then
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
sysctl -w net.ipv4.route.flush=1 > /dev/null else
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null
fi
elif [ $FNRET = 255 ]; then elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
@ -43,6 +51,15 @@ apply () {
fi fi
} }
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=disabled
# Put here exception to pass this case, if set is 1, don't need apply, let to pass.
ISEXCEPTION=0
EOF
}
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: :
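Review bot: Both new `warn` lines in this sysctl check print `$PACKAGE`, which the visible parts of this file never assign (it works with `$SYSCTL_PARAM` and `$SYSCTL_EXP_RESULT`), so the exception branch would log an empty package name, or abort on the unset variable if this script runs under `set -u`. The messages look copied from the package checks; in audit() something like `warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT, but ISEXCEPTION is 1, so it is accepted"` would describe the actual finding, with matching wording in apply(). Because the exception leaves the kernel parameter at its non-compliant value, that log line is the only trace of the deviation and should name the parameter.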