

140 Commits

Samson-W
bb6574e441 Remove AMI images for Ohio and Tokyo regions. 2024-07-08 00:08:59 +08:00
Samson-W
2d83a6a34e Fix #54: hardening.sh: line 275: [: missing ] 2023-10-21 15:00:37 +08:00
Samson-W
e00770d5ff Optimize 9.2.14 audit items, and update README.md README-CN.md 2023-08-25 01:49:11 +08:00
Samson.W
9545137a08
Merge pull request #53 from hardenedlinux/add_dictcheck_pwquality
Add 9.2.14 for dictcheck of pwquality
2023-08-24 21:47:24 +08:00
Samson-W
436dea1f6b Update 9.2.14_pam_dictcheck_pwquality.sh 2023-08-24 21:45:09 +08:00
Samson-W
c3744f83a0 Add 9.2.14_pam_dictcheck_pwquality.sh 2023-08-24 00:45:51 +08:00
Samson.W
b88af0e351
Merge pull request #52 from atastycookie/master-1
Fixing Markdown markup
2023-08-09 20:43:59 +08:00
Roman
67c97fe7fc
Fixing Markdown markup 2023-08-09 14:22:23 +04:00
Samson-W
9822545cc8 Update the description information of 8.7.2 2023-07-15 18:02:28 +08:00
Samson-W
d496c2b320 Update README.md README-CN.md 2023-07-15 02:09:54 +08:00
Samson-W
612a90d844 Fix #50: Autofix improvement: Ensure journald is configured to write logfiles to persistent disk 2023-07-15 02:03:40 +08:00
Samson-W
d995a65375 Fix #49: Autofix improvement: Ensure journald is configured to compress large log files 2023-07-15 02:02:58 +08:00
Samson-W
8c0b9da8b3 Add clean: Cleanup of usage traces to ~/.ssh/known_hosts file. 2023-07-15 01:23:40 +08:00
Samson-W
eaa2339336 Fix #51 Autofix improvement: Ensure rsyslog default file permissions are configured. Add method for check FileCreateMode in /etc/rsyslog.d/ 2023-07-10 01:11:55 +08:00
Samson-W
8e97a31f98 Fix some bugs: When the find command has permission denied, it will exit due to an error, so remove set -e. 2023-07-05 00:11:51 +08:00
Samson-w
76c9070615 update README-CN.md README.md for Debian12 2023-06-17 16:22:37 +08:00
Samson-w
195ec744e0 Fix #40: Shadow utils checks are not possible to maintain with current requirements. 2023-06-17 13:57:38 +08:00
Samson-w
ee6cb27946 Del some not Scored check items. 2023-06-17 11:36:10 +08:00
Samson-w
eadba375b6 Fix some bugs about disable kernel module 2023-06-17 11:18:31 +08:00
Samson-w
e109fe76c6 Update 2.2 2.3 2.4 7.6 for Debian12. 2023-06-17 10:21:46 +08:00
Samson-W
ac5c810184 Fix a bug: Debian 12 errors : Current OS is not support! 2023-06-17 00:40:38 +08:00
Samson-W
1eecbc633f Fix some bugs for Debian12. 2023-06-17 00:14:38 +08:00
Samson-W
754ff95056 Fix #44: Debian 11 uses ntfables, not iptables. Update 7.7.2 7.7.3 7.7.4.1 7.7.4.3 7.7.4.4 7.7.5.1 7.7.5.2 7.7.5.3 7.7.5.4 for nftables. 2023-06-17 00:12:06 +08:00
Samson-W
1b4337464a Update 7.7.2 7.7.3 7.7.4.1~7.7.4.4 for nftables. 2023-06-16 02:43:44 +08:00
Samson-W
f0d0f65467 Update 7.7.1 for nftables 2023-06-15 01:47:35 +08:00
Samson-W
14b396769a Fix #39: Need extra check on blacklisted Linux kernel modules. Update 2.18 2.19 2.20 2.21 2.22 2.23 2.24 14.1 2023-06-14 01:40:47 +08:00
Samson-W
4699911078 Fix #48: Debian 12 errors : Current OS is not support! 2023-06-13 01:23:56 +08:00
Samson-W
0ab75f8fa8 Update 9.2.14 for Debian12 2023-06-12 02:28:31 +08:00
Samson-W
2b6949548f Update 9.2.11 9.2.12 9.2.13 for Debian12 2023-06-12 02:18:30 +08:00
Samson-W
03f583ad94 Fix #43: Debian 11 uses pwquality, not cracklib. Update 9.2.4 9.2.5 9.2.6 9.2.7 9.2.8 9.2.9 9.2.10 for Debian11/Debian12 2023-06-12 01:59:10 +08:00
Samson-W
13f75e093e Update 9.2.3 for Debian12 2023-06-12 01:27:48 +08:00
Samson-W
ab55dd82ee Update 9.2.2 for Debian12 2023-06-12 01:23:48 +08:00
Samson-W
3308bd7aa4 Update 9.2.1 for Debian12 2023-06-12 00:59:29 +08:00
Samson-W
706cc65542 Adapt to the Debian 12 release version 2023-06-12 00:46:56 +08:00
Samson-W
881c51608e Fix #42: 14.1 grep returns line format that will never match the regex filter applied 2023-06-04 23:10:05 +08:00
Samson.W
07f7f86612
Merge pull request #47 from dominiquefournier/master
Add systemd-timesyncd to tests
2023-03-10 01:37:07 +08:00
root
1b7ee81794 Add systemd-timesyncd server 2023-03-07 13:55:24 +01:00
dominiquefournier
235c85c3d8
Merge pull request #1 from dominiquefournier/dominiquefournier-patch-3
Add Systemd-TimeSyncd to time syncronization packages
2023-03-07 11:46:40 +01:00
dominiquefournier
b36087e840
Update 6.19_configure_ntp.sh
Add systemd-timesyncd
2023-03-07 11:43:02 +01:00
Samson-W
1835a45c0e Fix pam-tally2.so is missing in Ubuntu #38, Modify 8.1.26 for support to ubuntu. 2022-09-05 14:14:13 +00:00
Samson-W
297b4fa343 Fix pam-tally2.so is missing in Ubuntu #38 2022-09-05 13:45:01 +00:00
Samson-W
d9b24e2e7e Modify 9.2.11 for support to ubuntu 22.04 2022-09-04 17:52:01 +00:00
Samson-W
e5539baf5b Fix a bug in 8.1.27: when the system is Ubuntu, set the path of au-remote.conf to /etc/audit/plugins.d/au-remote.conf. 2022-08-25 18:40:14 +00:00
Samson-W
3bb4e50a7c Fix issues #37 need extra checks on audisp path on Ubuntu. 2022-08-25 18:11:23 +00:00
Samson.W
dbbec7cc98
Merge pull request #36 from Samson-W/master
Add 14.2: Check abuse 777 permissions
2022-04-01 01:14:30 +08:00
Samson-W
d894963f71 Add 14.2: Check abuse 777 permissions 2022-04-01 01:12:42 +08:00
Samson.W
666f071399
Merge pull request #35 from aptx4869/fix_log_permission
fix(log directory permissions) : Apply chmod only to logfiles
2021-11-15 03:14:31 +08:00
aptx4869
2a9a08bf9c
fix(log directory permissions) : Apply chmod only to logfiles instead of 'log/*'
Many services like nginx, redis, postgresql put their logs into subdirectory of /var/log
chmod -R 0640 /var/log/* will forbid those from entering the directories
2021-11-12 15:00:12 +08:00
Samson.W
aced6e66ac
Merge pull request #34 from Samson-W/master
Fix a bug: Replaced pam_tally2 with pam_faillock in debian 11.
2021-08-16 02:16:35 +08:00
Samson-W
79670bde38 Fix bug: Replaced pam_tally2 with pam_faillock in debian 11. 2021-08-16 02:14:00 +08:00
Samson-W
f175cf4639 Update auditd rules of 8.1.26: replaced pam_tally2 with faillock in debian 11. 2021-08-16 00:57:51 +08:00
Samson.W
0d8593986f
Merge pull request #33 from Samson-W/master
Update Readme.md: support debian11
2021-08-15 17:30:51 +08:00
Samson-W
6b89d4cb24 Update Readme.md: support debian11 2021-08-15 17:29:46 +08:00
Samson.W
0652ec431f
Merge pull request #32 from Samson-W/master
Update the number of the check item .
2021-08-15 17:23:06 +08:00
Samson-W
356124dfdb Update the number of the check item . 2021-08-15 17:12:07 +08:00
Samson.W
baccad9c3b
Merge pull request #31 from Samson-W/master
Modify 4.8: Re-implement the detection items of disabled USB devices.
2021-07-28 00:45:26 +08:00
Samson-W
cfb0a3c22f Modify 4.8: Re-implement the detection items of disabled USB devices. 2021-07-28 00:42:01 +08:00
Samson.W
7e2bf1c5b5
Merge pull request #30 from Samson-W/master
Fix some bugs and apply rsyslog server
2021-07-18 21:55:40 +08:00
Samson-W
b3857a06da Modify the log prefix of iptables for the log classification collection of rsyslog. 2021-07-18 21:52:39 +08:00
Samson-W
9b7beb1588 Add some auditd rules for log server. 2021-07-17 22:47:39 +08:00
Samson-W
e4743a7588 Fix a bug space_left of auditd.conf 2021-07-17 22:46:18 +08:00
Samson.W
8995b0c9db
Merge pull request #29 from Samson-W/master
Fix a bug and update how_to_deploy_audisp_remote_for_audit_log.mkd
2021-07-16 01:02:21 +08:00
Samson-W
8ad11ac333 Fix a bug: If /var/log is a separate partition, check whether /var is a separate partition will be passed. 2021-07-16 00:58:37 +08:00
Samson-W
d262a18d70 Update how_to_deploy_audisp_remote_for_audit_log.mkd 2021-07-09 01:51:32 +08:00
Samson.W
c944bbb498
Merge pull request #28 from Samson-W/master
Modify for apply rsyslog.
2021-07-08 01:18:27 +08:00
Samson-W
0349040bb4 Modify for apply rsyslog. 2021-07-08 01:16:15 +08:00
Samson.W
bbd85fa9b6
Merge pull request #27 from Samson-W/master
Update README.md
2021-07-07 00:51:54 +08:00
Samson-W
54c2ac38a1 Update README.md 2021-07-07 00:50:08 +08:00
Samson-W
00531deb50 Update README.md 2021-07-06 23:58:29 +08:00
Samson.W
ffc3809e47
Merge pull request #26 from Samson-W/master
Fix a bug of 1.2 and add depend pkg info to 1.3
2021-07-04 04:32:54 +08:00
Samson-W
7d0be2a21e Add dependance pkg info for 1.3 2021-07-04 04:28:24 +08:00
Samson-W
7419bdc333 Fix a bug of 1.2 2021-07-04 03:31:46 +08:00
Samson.W
0124084e0b
Merge pull request #25 from Samson-W/master
Delete unimplemented items: 8.2.3 8.3.3 8.6 9.4
2021-06-24 01:43:58 +08:00
Samson.W
23e2fd0e4f
Merge branch 'hardenedlinux:master' into master 2021-06-24 01:41:54 +08:00
Samson-W
0bc369003c Delete unimplemented items: 8.2.3 8.3.3 8.6 9.4 2021-06-23 01:43:21 +08:00
Samson.W
8a02a3638c
Merge pull request #24 from Samson-W/master
Modify auditd related check items to apply -dont-auditd-by-uid and check_audit_path.
2021-06-22 21:51:36 +08:00
Samson-W
e45da09761 Modify some checklists apply check_audit_path 2021-06-22 21:20:30 +08:00
Samson-W
fad9b17d38 Rename 8.1.31 to 8.1.34, rename 8.1.34 to 8.1.31 2021-06-21 22:59:24 +08:00
Samson-W
b84fb622b5 Modify 8.1.34 for apply --dont-auditd-by-uid, and add aide-common pkg for 8.4.1 2021-06-21 22:23:49 +08:00
Samson-W
d825beb240 Fix a bug of check_audit_path function. 2021-06-21 02:17:08 +08:00
Samson-W
f6b1ea8286 Modify function check_audit_path to check whether the pathname of the rule in the from of 'auditctl -w' is valid. 2021-06-21 01:18:16 +08:00
Samson-W
20a266a774 Modify related auditd checklist for --dont-auditd-by-uid 2021-06-21 00:07:36 +08:00
Samson-W
6209e876e1 Fix a bug: when --dont-auditd-by-uid is not set a valid value, it's continues running 2021-06-20 23:53:35 +08:00
Samson.W
2330cea519
Merge pull request #23 from Samson-W/master
Add 8.1.32 8.1.33 8.1.34 for auditd rules, and rename 8.1.32 to 8.1.35
2021-06-20 21:46:34 +08:00
Samson-W
a9dc7057ae Add 8.1.32 8.1.33 8.1.34 for auditd rules, and rename 8.1.32 to 8.1.35. Add global variable DONT_AUDITD_BY_UID for enable/disable use UID in the auditd rules. 2021-06-15 21:38:36 +08:00
Samson-W
88983fe3a9 Call backup_file when modify some conf file in 1.2 and 1.3 2021-06-09 23:08:25 +08:00
Samson-W
d6fca32f10 Fix a bug: when the Debian version is the Codename, an error will occur 2021-02-22 12:08:40 +08:00
Samson-W
64bececd2d Fix some bugs for Debian11(bullseye). 2021-02-22 03:53:02 +08:00
Samson-W
5e8b093cd5 Add exception method for --allow-service to skip audit and apply. 2020-11-06 14:54:58 +08:00
Samson-W
fad60e595b Modify 9.3.11 9.3.21 9.3.24 to adapt the check of default parameter values through the runtime state of sshd configuration. 2020-11-06 01:42:22 +08:00
Samson-W
385bd6e8ba Apply check_sshd_conf_for_one_value_runtime for 9.3.12 2020-11-05 14:20:55 +08:00
Samson-W
7eb3f188f5 Optimize the error message for sshd configuration relate. 2020-11-05 02:47:53 +08:00
Samson-W
822d6ef2c8 Fix some bugs related to sshd configuration. 2020-11-05 02:23:42 +08:00
Samson-W
d9d2609e84 Apply check_sshd_conf_for_one_value_runtime for sshd config relate 2020-11-04 18:35:17 +08:00
Samson-W
cbf85fe443 Add check_sshd_conf_for_one_value_runtime method, and modify 9.3.2 2020-11-03 19:50:50 +08:00
Samson-W
34de8084d7 Modify apply method of 14.1 2020-11-02 21:56:30 +08:00
Samson-W
6bf8a58bef Add 14.1 for defense NAT slipstreaming and add method to utils 2020-11-02 21:26:48 +08:00
Samson-W
c24e12541e Fix issues #20 2020-09-22 12:52:12 +08:00
Samson-W
f2e49b69cc Update README.md README-CN.md 2020-09-19 10:52:58 +08:00
Samson-W
b550c2ddc2 Update some format of how_to_fix_SELinux_access_denied.mkd 2020-09-15 14:59:08 +08:00
Samson-W
a2c498537f Add how_to_fix_SELinux_access_denied.mkd 2020-09-15 05:47:16 +08:00
Samson-W
56bfb5e495 Update README.md and README-CN.md 2020-08-20 15:53:29 +08:00
Samson-W
cdc65bb494 Add auditd's rules of SELinux to 8.1.7 2020-07-07 17:27:14 +08:00
Samson-W
985ce35353 Modify description of 9.3.13 2020-07-06 23:22:47 +08:00
Samson-W
3fbb8a8452 Eliminate duplicate audit items 9.3.26 2020-07-05 17:36:36 +08:00
Samson-W
0e20dd251a Added function: Check the default value of the parameter that has not been set. 2020-07-05 17:28:20 +08:00
Samson-W
6598eb4b43 Fix a bug for apply method of 4.7 2020-07-03 00:47:28 +08:00
Samson-W
68f56e4f93 Fix a bug for apply method of 4.6 2020-07-01 02:42:49 +08:00
Samson-W
e72e87e45d Fix some bugs for 4.6 4.7 2020-06-29 18:27:51 +08:00
Samson-W
bf73f53554 Add check AppArmor status method to utils, and modify 4.6 and 4.7 2020-06-29 17:51:19 +08:00
Samson-W
9c29558fad Fix a bug for 4.7 2020-06-26 03:33:53 +08:00
Samson-W
3f7cb765d1 Fix some bugs for 4.6 2020-06-25 21:35:50 +08:00
Samson-W
b93743847d Fix a bug for 6.1 2020-06-21 04:55:34 +08:00
Samson-W
72c0d63343 Add exception config for X11 server to 6.1. 2020-06-21 04:37:32 +08:00
Samson-W
4ebc44d476 Add exception config for X11 server. 2020-06-21 04:29:18 +08:00
Samson-W
b50f38808c Fix spelling error. 2020-06-05 16:34:54 +08:00
Samson-W
a7ae943c52 Rename 4.7 to 4.8, and add audit and apply methods for 4.7_enable_selinux_policy.sh 2020-06-04 21:00:35 +08:00
Samson-W
303f280bb4 Fix a bug of 4.6 2020-06-04 17:48:55 +08:00
Samson-W
243d6b57af Add audit and apply methods for CentOS8 to 4.6 2020-06-04 17:43:13 +08:00
Samson-W
9b09558bba Modify 4.6 for compatible with Debian 9.* 2020-06-04 03:57:37 +08:00
Samson-W
fc24c6bc35 Add a function to detect MAC that has been activated. 2020-06-04 02:52:06 +08:00
Samson-W
2d1e57dca9 Fix spelling errors. 2020-06-02 16:17:39 +08:00
Samson-W
0c5dedf5d5 Rename 4.6_disable_usb_devices.sh to 4.7_disable_usb_devices.sh, and add audit and apply methods for 4.6 Enable selinux. 2020-06-02 04:05:48 +08:00
Samson-W
44dbfbac01 Fix issues #16 8.1.3_audit_bootloader check not accounting entire configs 2020-05-18 18:43:57 +08:00
Samson-W
7e80cdc2aa Fix a bug for 8.1.31 #15 2020-05-18 16:43:32 +08:00
Samson-W
41b813d795 Merge branch 'master' of github.com:hardenedlinux/harbian-audit 2020-05-17 03:33:38 +08:00
Samson-W
33c9611cc5 Fix issues #15 auditd check has duplicates. 2020-05-17 03:32:12 +08:00
Samson-W
175486964e Fix issues #14 auditd check has duplicates. 2020-05-17 03:31:07 +08:00
Samson-W
654813d8b4 According to the latest STIG, modify minlen to 15. 2020-05-17 01:39:21 +08:00
Samson-W
1570943606 Add a method to determine the system version for compatibility. 2020-05-14 18:14:43 +08:00
Samson-W
2e0435363c Fix issues #14 Check 4.5_enable_apparmor too narrow 2020-05-14 18:05:56 +08:00
Samson-W
7bee47fbf1 Update some docs. 2020-04-26 01:02:36 +08:00
Samson-W
d54fa4f75c Remove the sudo command from docs. 2020-04-26 00:50:30 +08:00
Samson-W
2678bb54b4 Optimize the method of uninstallation. 2020-04-17 14:20:04 +08:00
Samson-W
0333022739 Fix spelling error 2020-04-16 17:24:48 +08:00
Samson-W
da61977969 Modify the check_audit_path method to pass check when audited record path does not exist in OS. 2020-04-16 17:21:08 +08:00
Samson-W
93031e98fe Update harbianaudit.sh 2020-04-15 15:49:18 +08:00
Samson-W
76bf0a6809 Update how-to-build-deb-package.md 2020-04-15 00:08:26 +08:00
Samson-W
b52bca5270 Update simple cdd profiles. 2020-04-15 00:04:28 +08:00
Samson-W
869d015f85 Fix spelling errors. 2020-04-14 17:49:41 +08:00
183 changed files with 4917 additions and 2867 deletions


@ -1,12 +1,12 @@
# harbian-audit审计与加固
## 简介
此项目是一个Debian GNU/Linux及CentOS 8发行版加固的审计工具。主要的测试环境是基于Debian GNU/Linux 9/10及CentOS 8其它版本未充分测试。此项目主要是针对的Debian GNU/Linux服务器版本,对桌面版本及SELinux相关的项没有实现。
此项目是一个Debian GNU/Linux及CentOS 8及Ubuntu发行版加固的审计工具。主要的测试环境是基于Debian GNU/Linux 9/10/11/12及CentOS 8及Ubuntu22,其它版本未充分测试。此项目主要是针对服务器版本,对桌面版本的项没有实现。
此项目的框架基于[OVH-debian-cis](https://github.com/ovh/debian-cis)根据Debian GNU/Linux 9的一些特性进行了优化并根据安全部署合规STIG[STIG Red_Hat_Enterprise_Linux_7_V2R5](redhat-STIG-DOCs/U_Red_Hat_Enterprise_Linux_7_V2R5_STIG.zip)及[STIG Ubuntu V1R2](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Canonical_Ubuntu_16-04_LTS_V1R2_STIG.zip)及CIS[cisecurity.org](https://www.cisecurity.org/)进行了安全检查项的添加同时也根据HardenedLinux社区就具体生产环境添加了一些安全检查项的审计功能的实现。此项目不仅具有安全项的审计功能同时也有自动修改的功能。
审计功能的使用示例:
```console
$ sudo bash bin/hardening.sh --audit-all
# bash bin/hardening.sh --audit-all
[...]
hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/13.15_check_duplicate_gid.sh
13.15_check_duplicate_gid [INFO] Working on 13.15_check_duplicate_gid
@ -17,25 +17,25 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening
[...]
################### SUMMARY ###################
Total Available Checks : 278
Total Runned Checks : 278
Total Passed Checks : [ 239/278 ]
Total Failed Checks : [ 39/278 ]
Total Available Checks : 271
Total Runned Checks : 271
Total Passed Checks : [ 226/271 ]
Total Failed Checks : [ 44/271 ]
Enabled Checks Percentage : 100.00 %
Conformity Percentage : 85.97 %
Conformity Percentage : 83.39 %
```
## 快速上手使用介绍
### 下载及初始化
```console
$ git clone https://github.com/hardenedlinux/harbian-audit.git && cd harbian-audit
$ sudo cp etc/default.cfg /etc/default/cis-hardening
$ sudo sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
$ sudo bin/hardening.sh --init
# cp etc/default.cfg /etc/default/cis-hardening
# sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
# bin/hardening.sh --init
```
### 对所有的安全检查项进行审计
```
$ sudo bin/hardening.sh --audit-all
# bin/hardening.sh --audit-all
hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/1.1_install_updates.sh
1.1_install_updates [INFO] Working on 1.1_install_updates
1.1_install_updates [INFO] Checking Configuration
@ -46,17 +46,17 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening
1.1_install_updates [ OK ] Check Passed
[...]
################### SUMMARY ###################
Total Available Checks : 278
Total Runned Checks : 278
Total Passed Checks : [ 239/278 ]
Total Failed Checks : [ 39/278 ]
Total Available Checks : 270
Total Runned Checks : 270
Total Passed Checks : [ 226/270 ]
Total Failed Checks : [ 44/270 ]
Enabled Checks Percentage : 100.00 %
Conformity Percentage : 85.97 %
Conformity Percentage : 83.70 %
```
### 设置加固级别并进行自动修复
```
$ sudo bin/hardening.sh --set-hardening-level 5
$ sudo bin/hardening.sh --apply
# bin/hardening.sh --set-hardening-level 5
# bin/hardening.sh --apply
hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/1.1_install_updates.sh
1.1_install_updates [INFO] Working on 1.1_install_updates
1.1_install_updates [INFO] Checking Configuration
@ -75,17 +75,17 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening
### 需要预装的软件
如果是使用的最小安装方式安装的Debian GNU/Linux系统在使用此项目之前需要安装如下的软件
```
sudo apt-get install -y bc net-tools pciutils
# apt-get install -y bc net-tools pciutils
```
如果系统是Redhat/CentOS在使用此项目前需要安装如下的软件包
```
sudo yum install -y bc net-tools pciutils NetworkManager epel-release
# yum install -y bc net-tools pciutils NetworkManager epel-release
```
### 需要预先进行的配置
在使用此项目前,必须给所有要用到的用户设置了密码。如果没有设置密码的话,将在进行自动化加固后不能够登录到系统。例如(用户root和test:
```
$ sudo -s
# passwd
# passwd test
```
@ -131,7 +131,7 @@ EXCEPTIONS=""
## 修复后必须进行的操作 (非常重要)
当set-hardening-level配置为5最高等级且使用--apply运行了后需要进行如下的操作
1) 当9.5项被修复后(Restrict Access to the su Command), 如果必须使用su的场景例如如果使用ssh远程登录当以普通用户登录后需要使用su命令时可以使用如下命令进行解除限制
1) 当9.4项被修复后(Restrict Access to the su Command), 如果必须使用su的场景例如如果使用ssh远程登录当以普通用户登录后需要使用su命令时可以使用如下命令进行解除限制
```
# sed -i '/^[^#].*pam_wheel.so.*/s/^/# &/' /etc/pam.d/su
```
@ -155,8 +155,8 @@ EXCEPTIONS=""
基于iptables的部署:
```
$ INTERFACENAME="your network interfacename(Example eth0)"
$ sudo bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME
$ sudo -s
# bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME
# iptables-save > /etc/iptables/rules.v4
# ip6tables-save > /etc/iptables/rules.v6
```
@ -164,19 +164,19 @@ $ sudo -s
按照以下命令修改nftables.conf(你的对外网口的名称例如eth0):
```
$ sed -i 's/^define int_if = ens33/define int_if = eth0/g' etc.nftables.conf
$ sudo nft -f ./etc.nftables.conf
# nft -f ./etc.nftables.conf
```
5) 当所有安全基线项都修复完成后,使用--final方法将完成以下的最终的工作
1.使用passwd命令去重新设置常规用户及root用户的密码以满足pam_cracklib模块配置的密码强度和健壮性。
2. 重新初始化aide工具的数据库。
```
$ sudo bin/hardening.sh --final
# bin/hardening.sh --final
```
## 特别注意
### 必须在第一次修复应用后进行修复的项
8.1.32 因为此项一旦设置,审计规则将不能够再进行添加。
8.1.35 因为此项一旦设置,审计规则将不能够再进行添加。
### 必须在所有项都修复应用后进行修复的项
8.4.1 8.4.2 这都是与aide检测文件完整性相关的项最好是在所有项都修复好后再进行修复以修复好的系统中的文件进行完整性的数据库的初始化。
@ -223,6 +223,9 @@ This document is a description of the additions to the sections not included in
[How to config grub2 password protection](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_config_grub2_password_protection.mkd)
[How to persistent iptables rules with debian 9](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_persistent_iptables_rules_with_debian_9.mkd)
[How to deploy audisp-remote for auditd log](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_deploy_audisp_remote_for_audit_log.mkd)
[How to migrating from iptables to nftables in debian10](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_migrating_from_iptables_to_nftables_in_debian10.md)
[How to persistent nft rules with debian 10](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_persistent_nft_rules_with_debian_10.mkd)
[How to fix SELinux access denied](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_fix_SELinux_access_denied.mkd)
### 应用场景示例文档列表
[Nodejs + redis + mysql demo](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/use-cases/nodejs-redis-mysql-usecase/README.md)
@ -233,20 +236,12 @@ This document is a description of the additions to the sections not included in
## harbian-audit合规制定的镜像
### AMI(Amazon Machine Image) Public
The HardenedLinux community has created public AMI images for three different regions.
Destination region: US East(Ohio)
AMI ID: ami-091d37e9d358aaa84
AMI Name: harbian-audit complianced for Debian GNU/Linux 9
The HardenedLinux community has created public AMI images for Frankfurt regions.
Destination region: EU(Frankfurt)
AMI ID: ami-073725a8c2cf45418
AMI Name: harbian-audit complianced for Debian GNU/Linux 9
Destination region: Asia Pacific(Tokyo)
AMI ID: ami-06c0adb6ee5e7d417
AMI Name: harbian-audit complianced for Debian GNU/Linux 9
#### 相关文档
[how to creating and making an AMI public](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd)
[how to use harbian-audit complianced for GNU/Linux Debian 9](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/AMI/how_to_use_harbian_audit_complianced_Debian_9.mkd)

README.md Normal file → Executable file

@ -4,13 +4,13 @@
Hardened Debian GNU/Linux and CentOS 8 distro auditing.
The main test environment is in debian GNU/Linux 9/10 and CentOS 8, and other versions are not fully tested. There are no implementations of desktop and SELinux related items in this release.
The main test environment is in debian GNU/Linux 9/10/11/12 and CentOS 8 and ubuntu 22, and other versions are not fully tested. There are no implementations of desktop related items in this release.
The code framework is based on the [OVH-debian-cis](https://github.com/ovh/debian-cis) project, Modified some of the original implementations according to the features of Debian 9/10 and CentOS 8, added and implemented check items for [STIG Red_Hat_Enterprise_Linux_7_V2R5](https://github.com/hardenedlinux/STIG-OS-mirror/blob/master/redhat-STIG-DOCs/U_Red_Hat_Enterprise_Linux_7_V2R5_STIG.zip) [STIG Ubuntu V1R2](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Canonical_Ubuntu_16-04_LTS_V1R2_STIG.zip) and [cisecurity.org](https://www.cisecurity.org/) recommendations, and also added and implemented some check items by the HardenedLinux community. The audit and apply functions of the infrastructure are implemented, and the automatic fix function is implemented for the items that can be automatically fixed.
The code framework is based on the [OVH-debian-cis](https://github.com/ovh/debian-cis) project, Modified some of the original implementations according to the features of Debian 9/10/11/12 and CentOS 8, added and implemented check items for [STIG Red_Hat_Enterprise_Linux_7_V2R5](https://github.com/hardenedlinux/STIG-OS-mirror/blob/master/redhat-STIG-DOCs/U_Red_Hat_Enterprise_Linux_7_V2R5_STIG.zip) [STIG Ubuntu V1R2](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Canonical_Ubuntu_16-04_LTS_V1R2_STIG.zip) and [cisecurity.org](https://www.cisecurity.org/) recommendations, and also added and implemented some check items by the HardenedLinux community. The audit and apply functions of the infrastructure are implemented, and the automatic fix function is implemented for the items that can be automatically fixed.
```console
$ sudo bash bin/hardening.sh --audit-all
# bash bin/hardening.sh --audit-all
[...]
hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/13.15_check_duplicate_gid.sh
13.15_check_duplicate_gid [INFO] Working on 13.15_check_duplicate_gid
@ -21,21 +21,22 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening
[...]
################### SUMMARY ###################
Total Available Checks : 278
Total Runned Checks : 278
Total Passed Checks : [ 239/278 ]
Total Failed Checks : [ 39/278 ]
Total Available Checks : 271
Total Runned Checks : 271
Total Passed Checks : [ 226/271 ]
Total Failed Checks : [ 44/271 ]
Enabled Checks Percentage : 100.00 %
Conformity Percentage : 85.97 %
Conformity Percentage : 83.39 %
```
## Quickstart
```console
$ git clone https://github.com/hardenedlinux/harbian-audit.git && cd harbian-audit
$ sudo cp etc/default.cfg /etc/default/cis-hardening
$ sudo sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
$ sudo bin/hardening.sh --init
$ sudo bin/hardening.sh --audit-all
# cp etc/default.cfg /etc/default/cis-hardening
# sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
# bin/hardening.sh --init
# bin/hardening.sh --audit-all
hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/1.1_install_updates.sh
1.1_install_updates [INFO] Working on 1.1_install_updates
1.1_install_updates [INFO] Checking Configuration
@ -46,14 +47,14 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening
1.1_install_updates [ OK ] Check Passed
[...]
################### SUMMARY ###################
Total Available Checks : 278
Total Runned Checks : 278
Total Passed Checks : [ 239/278 ]
Total Failed Checks : [ 39/278 ]
Total Available Checks : 270
Total Runned Checks : 270
Total Passed Checks : [ 226/270 ]
Total Failed Checks : [ 44/270 ]
Enabled Checks Percentage : 100.00 %
Conformity Percentage : 85.97 %
$ sudo bin/hardening.sh --set-hardening-level 5
$ sudo bin/hardening.sh --apply
Conformity Percentage : 83.70 %
# bin/hardening.sh --set-hardening-level 5
# bin/hardening.sh --apply
hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/1.1_install_updates.sh
1.1_install_updates [INFO] Working on 1.1_install_updates
1.1_install_updates [INFO] Checking Configuration
@ -73,18 +74,18 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening
If use Network install from a minimal CD to installed Debian GNU/Linux, need install packages before use the hardening tool.
```
sudo apt-get install -y bc net-tools pciutils network-manager
# apt-get install -y bc net-tools pciutils network-manager
```
Redhat/CentOS need install packages before use the hardening tool:
```
sudo yum install -y bc net-tools pciutils NetworkManager epel-release
# yum install -y bc net-tools pciutils NetworkManager epel-release
```
### Pre-Set
You must set a password for all users before hardening. Otherwise, you will not be able to log in after the hardening is completed. Example(OS user: root and test):
```
$ sudo -s
# passwd
# passwd test
```
@ -140,10 +141,24 @@ Use the command to harden your OS:
# bash bin/hardening.sh --apply
```
### rsyslog config
If rsyslog is used, and you want to print the harbian-audit log to a separate log file, the configuration is as follows:
```
user.info /var/log/harbian-audit.log
user.* -/var/log/user.log
```
The log will be output to the file /var/log/harbian-audit.log.
If you apply docs/configurations/etc.iptables.rules.v4.sh to your firewall rules, and want to print the iptables log to a separate log file, insert the following lines to rsyslog.conf:
```
:msg,contains,"FW-" -/var/log/firewalllog.log
& stop
```
## After remediation (Very important)
When exec --apply and set-hardening-level are set to 5 (the highest level), you need to do the following:
1) When applying 9.5(Restrict Access to the su Command), you must use the root account to log in to the OS because ordinary users cannot perform subsequent operations.
1) When applying 9.4(Restrict Access to the su Command), you must use the root account to log in to the OS because ordinary users cannot perform subsequent operations.
If you can only use ssh for remote login, you must use the su command when the normal user logs in. Then do the following:
```
# sed -i '/^[^#].*pam_wheel.so.*/s/^/# &/' /etc/pam.d/su
@ -169,8 +184,8 @@ Set the corresponding firewall rules according to the applications used. Hardene
to do the following:
```
$ INTERFACENAME="your network interfacename(Example eth0)"
$ sudo bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME
$ sudo -s
# bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME
# iptables-save > /etc/iptables/rules.v4
# ip6tables-save > /etc/iptables/rules.v6
```
@ -180,20 +195,20 @@ $ sudo -s
to do the following(your network interfacename(Example eth0)):
```
$ sed -i 's/^define int_if = ens33/define int_if = eth0/g' etc.nftables.conf
$ sudo nft -f ./etc.nftables.conf
# nft -f ./etc.nftables.conf
```
5) When all repairs are completed. --final method will:
1. Use passwd command to change the password of the regular and root user to apply the password complexity and robustness of the pam_cracklib module configuration.
2. Aide reinitializes.
```
$ sudo bin/hardening.sh --final
# bin/hardening.sh --final
```
## Special Note
Some check items check a variety of situations and are interdependent, they must be applied (fix) multiple times, and the OS must be a reboot after each applies (fix).
### Items that must be applied after the first application(reboot after is better)
8.1.32 Because this item is set, the audit rules will not be added.
8.1.35 Because this item is set, the audit rules will not be added.
### Items that must be applied after all application is ok
8.4.1
@ -201,9 +216,6 @@ Some check items check a variety of situations and are interdependent, they must
These are all related to the aide. It is best to fix all the items after they have been fixed to fix the integrity of the database in the system.
### Items that need to be fix twice
8.1.1.2
8.1.1.3
8.1.12
4.5
## Hacking
@ -245,6 +257,7 @@ This document is a description of the additions to the sections not included in
[How to deploy audisp-remote for auditd log](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_deploy_audisp_remote_for_audit_log.mkd)
[How to migrating from iptables to nftables in debian10](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_migrating_from_iptables_to_nftables_in_debian10.md)
[How to persistent nft rules with debian 10](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_persistent_nft_rules_with_debian_10.mkd)
[How to fix SELinux access denied](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_fix_SELinux_access_denied.mkd)
### Use case docs
[Nodejs + redis + mysql demo](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/use-cases/nodejs-redis-mysql-usecase/README.md)
@ -255,20 +268,12 @@ This document is a description of the additions to the sections not included in
## harbian-audit complianced image
### AMI(Amazon Machine Image) Public
The HardenedLinux community has created public AMI images for three different regions.
Destination region: US East(Ohio)
AMI ID: ami-091d37e9d358aaa84
AMI Name: harbian-audit complianced for Debian GNU/Linux 9
The HardenedLinux community has created public AMI images for Frankfurt regions.
Destination region: EU(Frankfurt)
AMI ID: ami-073725a8c2cf45418
AMI Name: harbian-audit complianced for Debian GNU/Linux 9
Destination region: Asia Pacific(Tokyo)
AMI ID: ami-06c0adb6ee5e7d417
AMI Name: harbian-audit complianced for Debian GNU/Linux 9
#### Docs
[how to creating and making an AMI public](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd)
[how to use harbian-audit complianced for GNU/Linux Debian 9](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/AMI/how_to_use_harbian_audit_complianced_Debian_9.mkd)
@ -279,7 +284,6 @@ AMI Name: harbian-audit complianced for Debian GNU/Linux 9
[How to creating and making a QEMU image of harbian-audit complianced Debian GNU/Linux 9](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img.mkd)
[How to use QEMU image of harbian-audit complicanced Debian GNU/Linux 9](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/QEMU/how_to_use_QEMU_image_of_harbian_audit_complianced_Debian_9.mkd)
## harbian-audit License
GPL 3.0
@ -307,13 +311,8 @@ Additionally, quoting the License:
3-Clause BSD
## Reference
- **Center for Internet Security**: [https://www.cisecurity.org](https://www.cisecurity.org)
- **STIG V1R4**: [https://iasecontent.disa.mil/stigs/zip/U_Red_Hat_Enterprise_Linux_7_V1R4_STIG.zip](https://iasecontent.disa.mil/stigs/zip/U_Red_Hat_Enterprise_Linux_7_V1R4_STIG.zip)
- **Firewall Rules**: [https://github.com/citypw/arsenal-4-sec-testing/blob/master/bt5_firewall/debian_fw](https://github.com/citypw/arsenal-4-sec-testing/blob/master/bt5_firewall/debian_fw)


@ -4,20 +4,14 @@
/opt/harbianaudit/bin/hardening.sh --audit-all
/opt/harbianaudit/bin/hardening.sh --set-hardening-level 5
sed -i 's/^status=.*/status=disabled/' /opt/harbianaudit/etc/conf.d/7.4.4_hosts_deny.cfg
sed -i 's/^status=.*/status=disabled/' /opt/harbianaudit/etc/conf.d/8.1.32_freeze_auditd_conf.cfg
sed -i 's/^status=.*/status=disabled/' /opt/harbianaudit/etc/conf.d/8.1.35_freeze_auditd_conf.cfg
sed -i 's/^status=.*/status=disabled/' /opt/harbianaudit/etc/conf.d/8.4.1_install_aide.cfg
sed -i 's/^status=.*/status=disabled/' /opt/harbianaudit/etc/conf.d/8.4.2_aide_cron.cfg
sed -i 's/^status=.*/status=disabled/' /opt/harbianaudit/etc/conf.d/9.5_pam_restrict_su.cfg
sed -i 's/^status=.*/status=disabled/' /opt/harbianaudit/etc/conf.d/9.4_pam_restrict_su.cfg
/opt/harbianaudit/bin/hardening.sh --apply
sed -i 's/^status=.*/status=enabled/' /opt/harbianaudit/etc/conf.d/8.1.32_freeze_auditd_conf.cfg
sed -i 's/^status=.*/status=enabled/' /opt/harbianaudit/etc/conf.d/8.1.35_freeze_auditd_conf.cfg
sed -i 's/^status=.*/status=enabled/' /opt/harbianaudit/etc/conf.d/8.4.1_install_aide.cfg
sed -i 's/^status=.*/status=enabled/' /opt/harbianaudit/etc/conf.d/8.4.2_aide_cron.cfg
/opt/harbianaudit/bin/hardening.sh --apply --only 8.4.1
/opt/harbianaudit/bin/hardening.sh --apply --only 8.4.2
/opt/harbianaudit/bin/hardening.sh --apply --only 8.1.32
NETINTERFACE=$(ip link | grep -v "link/.*" | grep -v -w "lo" | awk -F: '{print $2}' | tr "\n" " ")
/opt/harbianaudit/bin/etc.iptables.rules.v4.sh $NETINTERFACE
/opt/harbianaudit/bin/etc.iptables.rules.v6.sh $NETINTERFACE
/sbin/iptables-save -f /etc/iptables/rules.v4
/sbin/ip6tables-save -f /etc/iptables/rules.v6
/opt/harbianaudit/bin/hardening.sh --apply --only 8.1.35


@ -25,6 +25,7 @@ SET_HARDENING_LEVEL=0
SUDO_MODE=''
INIT_G_CONFIG=0
FINAL_G_CONFIG=0
DONT_BY_UID_G_CONFIG=127
usage() {
cat << EOF
@ -90,6 +91,10 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
password strength and robustness;
2. Aide reinitializes.
--dont-auditd-by-uid <1/0>
Auditd rules do not use uid parameter, for all user to auditd. If set 1 will not use uid, else if
set 0 will use uid. Default is 0.
OPTIONS:
--only <test_number>
@ -158,6 +163,10 @@ while [[ $# > 0 ]]; do
--final)
FINAL_G_CONFIG=1
;;
--dont-auditd-by-uid)
DONT_BY_UID_G_CONFIG="$2"
shift
;;
*)
usage
;;
@ -175,20 +184,45 @@ if [ -z "$CIS_ROOT_DIR" ]; then
exit 128
fi
# For --dont-auditd-by-uid
if [ -z "$DONT_BY_UID_G_CONFIG" ]; then
usage
else
if [ $DONT_BY_UID_G_CONFIG -ne 127 ]; then
if [ $DONT_BY_UID_G_CONFIG -eq 1 ]; then
echo "Set dont use uid for auditd rules"
sed -i 's/^DONT_AUDITD_BY_UID=.*/DONT_AUDITD_BY_UID=1/g' $CIS_ROOT_DIR/etc/hardening.cfg
else
echo "Set use uid for auditd rules"
sed -i 's/^DONT_AUDITD_BY_UID=.*/DONT_AUDITD_BY_UID=0/g' $CIS_ROOT_DIR/etc/hardening.cfg
fi
exit 0
fi
fi
[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
### Debian: OS_RELEASE=1 Redhat/centos: OS_RELEASE=2 Ubuntu: OS_RELEASE=3 Debian9~12: OS_RELEASE=9~12
# For --init
if [ $INIT_G_CONFIG -eq 1 ]; then
if [ -r /etc/redhat-release ]; then
info "This OS is redhat/CentOS."
sed -i 's/^OS_RELEASE=.*/OS_RELEASE=2/g' /etc/default/cis-hardening
. /etc/default/cis-hardening
elif [ -r /etc/lsb-release ]; then
if [ $(grep -i Ubuntu /etc/lsb-release -c) -ge 1 ]; then
info "This OS is Ubuntu."
sed -i 's/^OS_RELEASE=.*/OS_RELEASE=3/g' /etc/default/cis-hardening
. /etc/default/cis-hardening
fi
elif [ -r /etc/debian_version ]; then
info "This OS is Debian."
:
get_debian_ver
sed -i "s/^OS_RELEASE=.*/OS_RELEASE=${FNRET}/g" /etc/default/cis-hardening
info "This OS is Debian $FNRET."
. /etc/default/cis-hardening
else
crit "This OS not support!"
exit 128
@ -198,8 +232,18 @@ fi
if [ $OS_RELEASE -eq 1 ]; then
info "Start auditing for Debian."
elif [ $OS_RELEASE -eq 9 ]; then
info "Start auditing for Debian9."
elif [ $OS_RELEASE -eq 10 ]; then
info "Start auditing for Debian10."
elif [ $OS_RELEASE -eq 11 ]; then
info "Start auditing for Debian11."
elif [ $OS_RELEASE -eq 12 ]; then
info "Start auditing for Debian12."
elif [ $OS_RELEASE -eq 2 ]; then
info "Start auditing for redhat/CentOS."
elif [ $OS_RELEASE -eq 3 ]; then
info "Start auditing for Ubuntu."
else
crit "This OS not support!"
exit 128
@ -226,10 +270,12 @@ if [ $FINAL_G_CONFIG -eq 1 ]; then
# Reinit aide database
info "Will reinitialize the AIDE database"
if [ $OS_RELEASE -eq 1 ]; then
if [ $OS_RELEASE -eq 1 -o $OS_RELEASE -eq 3 ]; then
aideinit
elif [ $OS_RELEASE -eq 2 ]; then
aide --init
else
aide --config /etc/aide/aide.conf --init
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
fi
exit 0
@ -339,14 +385,20 @@ done
TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS-DISABLED_CHECKS))
printf "%40s\n" "################### SUMMARY ###################"
printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
printf "%30s %s\n" "Total Runned Checks :" "$TOTAL_TREATED_CHECKS"
printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
printf "%30s %.2f %%\n" "Enabled Checks Percentage :" "$( echo "($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100" | bc -l)"
HARSUMMARY="/dev/shm/harbian-audit.summary"
printf "%40s\n" "################### SUMMARY ###################" > ${HARSUMMARY}
printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS" >> ${HARSUMMARY}
printf "%30s %s\n" "Total Runned Checks :" "$TOTAL_TREATED_CHECKS" >> ${HARSUMMARY}
printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS" >> ${HARSUMMARY}
printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS" >> ${HARSUMMARY}
printf "%30s %.2f %%\n" "Enabled Checks Percentage :" "$( echo "($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100" | bc -l)" >> ${HARSUMMARY}
if [ $TOTAL_TREATED_CHECKS != 0 ]; then
printf "%30s %.2f %%\n" "Conformity Percentage :" "$( echo "($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100" | bc -l)"
printf "%30s %.2f %%\n" "Conformity Percentage :" "$( echo "($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100" | bc -l)" >> ${HARSUMMARY}
else
printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No check runned, avoid division by 0
printf "%30s %s %%\n" "Conformity Percentage :" "N.A" >> ${HARSUMMARY} # No check runned, avoid division by 0
fi
cat ${HARSUMMARY}
cat ${HARSUMMARY} | /usr/bin/logger -t "[CIS_Hardening] $SCRIPT_NAME" -p "user.info"
rm -f ${HARSUMMARY}
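Review bot: The summary is written with `>` to the fixed path `/dev/shm/harbian-audit.summary`, and `/dev/shm` is world-writable, so a file or symlink of that name left there by any local user decides where a root-run audit writes and what the following `cat`/`logger` read; create it with `HARSUMMARY=$(mktemp /dev/shm/harbian-audit.summary.XXXXXX) || exit 1` and register `trap 'rm -f -- "$HARSUMMARY"' EXIT` so the trailing `rm -f` is not skipped on an early exit. `cat ${HARSUMMARY} | /usr/bin/logger …` can simply be `/usr/bin/logger -t "[CIS_Hardening] $SCRIPT_NAME" -p "user.info" < "$HARSUMMARY"`. In the `--dont-auditd-by-uid` hunk earlier in this file, `DONT_BY_UID_G_CONFIG` is taken straight from `$2` and only ever compared with `-ne`/`-eq`, so a value such as `yes` produces a `[: integer expression expected` error and, unless `set -e` is active above the hunk, falls through into a normal run instead of `usage`; a `case "$DONT_BY_UID_G_CONFIG" in 0|1|127) ;; *) usage ;; esac` before that block pins it to the documented `<1/0>`.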


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux Debian 9 or CentOS 8 Hardening
# harbian-audit for Debian GNU/Linux Debian 9/10/11/12 or CentOS 8 Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
@ -47,13 +47,10 @@ audit_centos ()
# This function will be called if the script status is on enabled / audit mode
audit ()
{
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
if [ $OS_RELEASE -eq 2 ]; then
audit_centos
else
crit "Current OS is not support!"
FNRET=44
audit_debian
fi
}
@ -82,12 +79,10 @@ apply_centos ()
# This function will be called if the script status is on enabled mode
apply ()
{
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
if [ $OS_RELEASE -eq 2 ]; then
apply_centos
else
crit "Current OS is not support!"
apply_debian
fi
}
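Review bot: The rewritten `audit()` routes every `OS_RELEASE` value other than `2` to `audit_debian`, including an unrecognised value that the removed `crit`/`FNRET=44` branch used to report, and nothing at this level says that is deliberate; a comment above the `if`, `# OS_RELEASE 2 is RHEL/CentOS; every other value (Debian 7-12, Ubuntu) takes the Debian code path`, would save the next reader a trip to hardening.sh. `apply()` below has the same shape, and the same dispatch rewrite appears in `audit()`/`apply()` of the next four file sections (the apt package-signature, debsig-verify, insecure-repository and `OPTIONS_CENTOS` scripts) and in `check_config()` of the last of those, so the comment belongs in each.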


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux Debian 9 or CentOS 8 Hardening
# harbian-audit for Debian GNU/Linux Debian 9/10/11/12 or CentOS 8 Hardening
#
#
@ -19,7 +19,7 @@ YUM_CONF='/etc/yum.conf'
audit_debian ()
{
if [ $(grep -v "^#" /etc/apt/ -r | grep -c "${OPTION}.*true") -gt 0 ]; then
if [ $(grep -v "^#" /etc/apt/ -Ir | grep -c "${OPTION}.*true") -gt 0 ]; then
crit "The signature of packages option is disable "
FNRET=1
else
@ -47,13 +47,10 @@ audit_centos ()
# This function will be called if the script status is on enabled / audit mode
audit ()
{
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
if [ $OS_RELEASE -eq 2 ]; then
audit_centos
else
crit "Current OS is not support!"
FNRET=44
audit_debian
fi
}
@ -63,10 +60,10 @@ apply_debian () {
ok "The signature of packages option is enable "
else
warn "Set to enabled signature of packages option"
for CONFFILE in $(grep -i "${OPTION}" /etc/apt/ -r | grep -v "^#" | awk -F: '{print $1}')
for CONFFILE in $(grep -i "${OPTION}" /etc/apt/ -Ir | grep -v "^#" | awk -F: '{print $1}')
do
sed -i "/${OPTION}/d" ${CONFFILE}
#sed -i "s/${OPTION}.*true.*/${OPTION} \"false\";/g" ${CONFFILE}
backup_file ${CONFFILE}
sed -i "s/${OPTION}.*true.*/${OPTION} \"false\";/g" ${CONFFILE}
done
fi
}
@ -75,21 +72,22 @@ apply_centos () {
ok "The signature of packages option is enable "
elif [ $FNRET = 1 ]; then
warn "Set to enabled signature of packages option"
backup_file $YUM_CONF
sed -i "s/$YUM_OPTION=.*/$YUM_OPTION=1/g" $YUM_CONF
else
warn "Add $YUM_OPTION option to $YUM_CONF"
backup_file $YUM_CONF
add_end_of_file $YUM_CONF "$YUM_OPTION=1"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
if [ $OS_RELEASE -eq 2 ]; then
apply_centos
else
crit "Current OS is not support!"
apply_debian
fi
}
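Review bot: In the new `apply_debian` loop, `grep -v "^#"` runs on the output of `grep -i "${OPTION}" /etc/apt/ -Ir`, and every line of that output begins with a path, so the comment filter never matches and a file whose only hit is a commented-out copy of the option is still backed up and rewritten by the `sed -i`; compare the audit function above, where the `^#` filter is applied to file contents first and does work. Let grep do both jobs and print only filenames: `for CONFFILE in $(grep -rIil -- "^[^#]*${OPTION}" /etc/apt/)`, which also makes the `awk -F: '{print $1}'` unnecessary. The same loop with the same filter is in the `apply_debian` hunk of the insecure-repository script section further down.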


@ -1,11 +1,12 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux Debian 9 or CentOS 8 Hardening
# harbian-audit for Debian GNU/Linux Debian 9/10/11/12 or CentOS 8 Hardening
#
#
# 1.3 Enable verify the signature of local packages (Scored)
# Dependance pkg: debsig-verify
# Author : Samson wen, Samson <sccxboy@gmail.com>
#
@ -48,13 +49,10 @@ audit_centos ()
# This function will be called if the script status is on enabled / audit mode
audit()
{
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
if [ $OS_RELEASE -eq 2 ]; then
audit_centos
else
crit "Current OS is not support!"
FNRET=44
audit_debian
fi
}
@ -63,8 +61,8 @@ apply_debian () {
ok "The signature of local packages option is enable "
else
warn "Set to enabled signature of local packages option"
sed -i "/^${OPTION}/d" ${CONFFILE}
#sed -i "s/${OPTION}.*true.*/${OPTION} \"false\";/g" ${CONFFILE}
backup_file $CONFFILE
sed -i "s/^${OPTION}/#&/" ${CONFFILE}
fi
}
@ -72,9 +70,11 @@ apply_centos () {
if [ $FNRET = 0 ]; then
ok "The signature of packages option is enable "
elif [ $FNRET = 1 ]; then
backup_file $YUM_CONFFILE
warn "Set to enabled signature of packages option"
sed -i "s/$YUM_OPTION=.*/$YUM_OPTION=1/g" $YUM_CONFFILE
else
backup_file $YUM_CONFFILE
warn "Add $YUM_OPTION option to $YUM_CONFFILE"
add_end_of_file $YUM_CONFFILE "$YUM_OPTION=1"
fi
@ -83,12 +83,10 @@ apply_centos () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
if [ $OS_RELEASE -eq 2 ]; then
apply_centos
else
crit "Current OS is not support!"
apply_debian
fi
}
# This function will check config parameters required


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux Debian 9 or CentOS 8 Hardening
# harbian-audit for Debian GNU/Linux Debian 9/10/11/12 or CentOS 8 Hardening
#
#
@ -19,7 +19,7 @@ YUM_OPTION='repo_gpgcheck'
YUM_CONFFILE='/etc/yum.conf'
audit_debian () {
if [ $(grep -v "^#" /etc/apt/ -r | grep -c "${OPTION}.*true") -gt 0 ]; then
if [ $(grep -v "^#" /etc/apt/ -rI | grep -c "${OPTION}.*true") -gt 0 ]; then
crit "The allow insecure repository when by apt update is enable"
FNRET=1
else
@ -46,13 +46,10 @@ audit_centos ()
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
if [ $OS_RELEASE -eq 2 ]; then
audit_centos
else
crit "Current OS is not support!"
FNRET=44
audit_debian
fi
}
@ -61,7 +58,7 @@ apply_debian () {
ok "The allow insecure repository when by apt update is disable"
else
warn "Set no allow insecure repository when by apt update"
for CONFFILE in $(grep -i "${OPTION}" /etc/apt/ -r | grep -v "^#" | awk -F: '{print $1}')
for CONFFILE in $(grep -i "${OPTION}" /etc/apt/ -rI | grep -v "^#" | awk -F: '{print $1}')
do
sed -i "s/${OPTION}.*true.*/${OPTION} \"false\";/g" ${CONFFILE}
done
@ -82,12 +79,10 @@ apply_centos () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
if [ $OS_RELEASE -eq 2 ]; then
apply_centos
else
crit "Current OS is not support!"
apply_debian
fi
}
# This function will check config parameters required


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 Hardening
#
#
@ -61,12 +61,10 @@ audit_centos () {
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
if [ $OS_RELEASE -eq 2 ]; then
audit_centos
else
warn "Current OS is not support!"
audit_debian
fi
}
@ -144,23 +142,19 @@ apply_centos () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
if [ $OS_RELEASE -eq 2 ]; then
apply_centos
else
warn "Current OS is not support!"
apply_debian
fi
}
# This function will check config parameters required
check_config() {
if [ $OS_RELEASE -eq 1 ]; then
:
elif [ $OS_RELEASE -eq 2 ]; then
if [ $OS_RELEASE -eq 2 ]; then
OPTIONS=$OPTIONS_CENTOS
else
warn "Current OS is not support!"
:
fi
}


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 or CentOS 8 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 or CentOS 8 Hardening
#
#
@ -15,7 +15,7 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/group-'
PERMISSIONS='600'
PERMISSIONS='644'
USER='root'
GROUP='root'
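Review bot: `PERMISSIONS` for `/etc/group-` goes from `600` to `644`, and the sections that follow make the same loosening for `/etc/gshadow-` (`640`), `/etc/passwd-` (`644`) and `/etc/shadow-` (`640`); the benchmarks these items trace to phrase the requirement as that mode "or more restrictive", so if the permission helper (not in this diff) compares for equality, a backup file that an earlier `--apply` already set to `0600` now fails the audit and is widened on the next apply. Either the comparison should accept stricter modes, or a comment on the constant, `# 644 is the widest mode allowed; a stricter existing mode must also pass`, should state which behaviour is intended. For `/etc/shadow-` and `/etc/gshadow-` the `640` pairs with `GROUP='shadow'`, so the group-read bit is confined to that group; that is worth a one-line comment as well, since it is the only reason `640` is acceptable there.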


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 or CentOS 8 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 or CentOS 8 Hardening
#
#
@ -15,7 +15,7 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/gshadow-'
PERMISSIONS='600'
PERMISSIONS='640'
PERMISSIONS_CENTOS='0'
USER='root'
GROUP='shadow'


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 or CentOS 8 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 or CentOS 8 Hardening
#
#
@ -15,7 +15,7 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/passwd-'
PERMISSIONS='600'
PERMISSIONS='644'
USER='root'
GROUP='root'


@ -15,7 +15,7 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/shadow-'
PERMISSIONS='600'
PERMISSIONS='640'
PERMISSIONS_CENTOS='0'
USER='root'
GROUP='shadow'


@ -1,14 +1,13 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 or CentOS 8 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 or CentOS 8 Hardening
#
#
# 12.7 Find World Writable Files (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
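Review bot: Dropping `set -e` from 12.7 makes every later failure in the script non-fatal, not only the `find` permission-denied case the commit message describes, and the body that contains that `find` is outside the hunk so the exact invocation cannot be checked here. If the count comes from a command substitution, keeping `set -e` and writing that single call as `find … 2>/dev/null || true` (or inspecting `PIPESTATUS[0]` when it feeds a pipeline) leaves the abort-on-error guard in place for the remaining steps. The 12.8 and 12.9 sections make the same deletion and the 2.17 section comments the line out instead; the four should at least agree on one form.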


@ -1,14 +1,13 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 or CentOS 8 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 or CentOS 8 Hardening
#
#
# 12.8 Find Un-owned Files and Directories (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2


@ -1,14 +1,13 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 or CentOS 8 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 or CentOS 8 Hardening
#
#
# 12.9 Find Un-grouped Files and Directories (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2


@ -0,0 +1,124 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9/10/11/12 Hardening
# Author: Samson-W (samson@hardenedlinux.org)
#
#
# 14.1 Defense for NAT Slipstreaming (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
HARDENING_EXCEPTION=sechardened
HARBIAN_SEC_CONF_FILE='/etc/modprobe.d/harbian-security-workaround.conf'
BLACKLIST_CONF_ITEMS='nf_nat_sip nf_conntrack_sip'
SYSCTL_PARAM='net.netfilter.nf_conntrack_helper'
SYSCTL_EXP_RESULT=0
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $ISEXCEPTION -eq 1 ]; then
warn "Exception is set to 1, so it's pass!"
else
for BLACKLIST_CONF in $BLACKLIST_CONF_ITEMS; do
check_blacklist_module_set $BLACKLIST_CONF
if [ $FNRET = 0 ]; then
ok "$BLACKLIST_CONF was set to blacklist"
else
crit "$BLACKLIST_CONF is not set to blacklist"
fi
done
if [ -r /proc/sys/net/netfilter/nf_conntrack_helper ]; then
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
else
crit "/proc/sys/net/netfilter/nf_conntrack_helper is not exist, connection tracking may not be enabled, so please determine the risk yourself."
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $ISEXCEPTION -eq 1 ]; then
warn "Exception is set to 1, so it's pass!"
else
for BLACKLIST_CONF in $BLACKLIST_CONF_ITEMS; do
check_blacklist_module_set $BLACKLIST_CONF
if [ $FNRET = 0 ]; then
ok "$BLACKLIST_CONF was set to blacklist"
else
warn "$BLACKLIST_CONF is not set to blacklist, add to config file $HARBIAN_SEC_CONF_FILE"
if [ -w $HARBIAN_SEC_CONF_FILE ]; then
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $BLACKLIST_CONF /bin/true"
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $BLACKLIST_CONF"
else
touch $HARBIAN_SEC_CONF_FILE
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $BLACKLIST_CONF /bin/true"
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $BLACKLIST_CONF"
fi
fi
done
if [ -r /proc/sys/net/netfilter/nf_conntrack_helper ]; then
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w $SYSCTL_PARAM=$SYSCTL_EXP_RESULT > /dev/null
elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
else
warn "/proc/sys/net/netfilter/nf_conntrack_helper is not exist, just set $SYSCTL_PARAM = $SYSCTL_EXP_RESULT to /etc/sysctl.conf"
if [ $(grep "^$SYSCTL_PARAM = $SYSCTL_EXP_RESULT" /etc/sysctl.conf | wc -l) -eq 0 ]; then
echo "$SYSCTL_PARAM = $SYSCTL_EXP_RESULT" >> /etc/sysctl.conf
else
:
fi
fi
fi
}
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=disabled
# Put here exception to pass this case, if set is 1, don't need apply, let to pass.
ISEXCEPTION=0
EOF
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi
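Review bot: In `audit()` the `elif [ $FNRET = 255 ]` branch can never run, because `[ $FNRET != 0 ]` on the line above already matches 255, so a missing sysctl is reported as `was not set to 0` rather than `does not exist`; `apply()` has the same order and there additionally runs `set_sysctl_param`/`sysctl -w` for the missing key. Test the sentinel first in both functions: `if [ $FNRET = 255 ]; then` / `warn "$SYSCTL_PARAM does not exist -- Typo?"` / `elif [ $FNRET != 0 ]; then`. Separately, the `else` branch for a missing `/proc/sys/net/netfilter/nf_conntrack_helper` appends `net.netfilter.nf_conntrack_helper = 0` to `/etc/sysctl.conf` regardless of why it is missing; on Linux 6.0 and later that sysctl no longer exists (it went away together with automatic helper assignment, so the hardened behaviour is the only one) and Debian 12, which the header lists as supported, ships a 6.1 kernel, so there the appended line only makes `sysctl -p` report an unknown key while the audit's `crit` tells the operator the opposite. A kernel-version check (`uname -r`) before that branch, reporting `ok` on 6.0+, would keep the item accurate; please confirm the 6.0 detail against the kernel history before relying on it.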


@ -1,46 +1,58 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 9/10/11 Hardening
#
#
# 8.2.3 Configure /etc/rsyslog.conf (Not Scored)
# Author : Samson wen, Samson <sccxboy@gmail.com>
# 14.2 To ensure there are no files permissions are set to 777 (Scored)
# Author: Samson-W (samson@hardenedlinux.org) author add this
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
SERVICE_NAME="rsyslog"
PACKAGE_NG='syslog-ng'
HARDENING_EXCEPTION=sechardened
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE_NG
if [ $FNRET = 0 ]; then
ok "$PACKAGE_NG has installed, so pass."
FNRET=0
if [ $ISEXCEPTION -eq 1 ]; then
warn "Exception is set to 1, so it's pass!"
else
info "Ensure default and local facilities are preserved on the system"
info "No measure here, please review the file by yourself"
ABUSECOUNT=$(find / -xdev -type f -perm -777 | wc -l )
if [ $ABUSECOUNT -gt 0 ]; then
crit "$ABUSECOUNT files abuse the 777 permission."
FNRET=1
else
ok "There are no files that abuse 777 permissions."
FNRET=0
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE_NG
if [ $FNRET = 0 ]; then
ok "$PACKAGE_NG has installed, so pass."
FNRET=0
if [ $ISEXCEPTION -eq 1 ]; then
warn "Exception is set to 1, so it's pass!"
else
info "Ensure default and local facilities are preserved on the system"
info "No measure here, please review the file by yourself"
if [ $FNRET -eq 0 ]; then
ok "There are no files that abuse 777 permissions."
else
warn "Some files abuse 777 permissions. Please check and correct yourself!"
fi
fi
}
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=disabled
# Put here exception to pass this case, if set is 1, don't need apply, let to pass.
ISEXCEPTION=0
EOF
}
# This function will check config parameters required
check_config() {
:
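Review bot: `find / -xdev -type f -perm -777` in the new `audit()` only walks the filesystem that holds `/`, so world-writable files on a separately mounted `/home`, `/var` or `/tmp` are never counted and the item reports `ok` on exactly those layouts; either iterate over local mounts, `df --local -P | awk 'NR>1 {print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -777 2>/dev/null | wc -l`, or drop `-xdev` and prune pseudo filesystems. `find`'s permission-denied messages are not redirected and, because the pipeline's status is `wc`'s, they do not trip the `set -e` this file keeps, so the `2>/dev/null` is the only change needed for them. `apply()` reads `$FNRET` without calling `audit()` itself and so presumably relies on `lib/main.sh` running audit first; a comment saying so, or an explicit `audit` call at the top of `apply()`, would make that dependency visible. The header still says `Debian GNU/Linux 9/10/11` while the other headers in this change list `9/10/11/12`, and `check_config()` continues past the end of the hunk.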


@ -8,7 +8,7 @@
# 2.17 Set Sticky Bit on All World-Writable Directories (Scored)
#
set -e # One error, it's over
#set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2


@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -13,6 +14,7 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2
HARBIAN_SEC_CONF_FILE='/etc/modprobe.d/harbian-security-workaround.conf'
KERNEL_OPTION="CONFIG_CRAMFS"
MODULE_NAME="cramfs"
@ -21,22 +23,40 @@ MODULE_NAME="cramfs"
audit () {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
crit "$MODULE_NAME is not set to blacklist"
fi
else
ok "$KERNEL_OPTION is disabled"
ok "$MODULE_NAME's kernel option is disabled"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_kernel_option_enabled $KERNEL_OPTION
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
warn "$MODULE_NAME is not set to blacklist, add to config file $HARBIAN_SEC_CONF_FILE"
if [ -w $HARBIAN_SEC_CONF_FILE ]; then
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $MODULE_NAME /bin/true"
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
else
touch $HARBIAN_SEC_CONF_FILE
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $MODULE_NAME /bin/true"
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
fi
fi
else
ok "$KERNEL_OPTION is disabled, nothing to do"
fi
:
}
# This function will check config parameters required
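Review bot: The new `apply()` writes `install cramfs /bin/true` and `blacklist cramfs` whenever `is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME` returns 0, but modprobe directives only stop a loadable module; if that helper also returns 0 for a built-in `CONFIG_CRAMFS=y`, the audit's `ok "... was set to blacklist"` reports a mitigation that has no effect, which is the case the removed `recompile your kernel` warning used to cover. The helper is not in this diff, so this is inferred; if it does not distinguish `=y` from `=m`, the `=y` case should keep a `warn` rather than `ok`, and a comment such as `# blacklist/install only prevent autoload of a module (=m); a built-in (=y) driver needs a kernel rebuild` above the `if` would document the assumption either way. The blacklist also does not unload a module that is already in use, so an `lsmod | grep -qw "$MODULE_NAME" && warn "$MODULE_NAME is currently loaded; the blacklist takes effect at next boot"` after the write would avoid a false `ok` on the first run. The same hunk appears in the freevxfs, jffs2, hfs and hfsplus sections that follow, and in all of them the `if [ -w … ] … else touch …` pair repeats the two `add_end_of_file` lines in both branches; `[ -e "$HARBIAN_SEC_CONF_FILE" ] || touch "$HARBIAN_SEC_CONF_FILE"` followed by the two calls once does the same.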


@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -13,6 +14,7 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2
HARBIAN_SEC_CONF_FILE='/etc/modprobe.d/harbian-security-workaround.conf'
KERNEL_OPTION="CONFIG_VXFS_FS"
MODULE_NAME="freevxfs"
@ -21,22 +23,40 @@ MODULE_NAME="freevxfs"
audit () {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
crit "$MODULE_NAME is not set to blacklist"
fi
else
ok "$KERNEL_OPTION is disabled"
ok "$MODULE_NAME's kernel option is disabled"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_kernel_option_enabled $KERNEL_OPTION
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
warn "$MODULE_NAME is not set to blacklist, add to config file $HARBIAN_SEC_CONF_FILE"
if [ -w $HARBIAN_SEC_CONF_FILE ]; then
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $MODULE_NAME /bin/true"
else
touch $HARBIAN_SEC_CONF_FILE
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $MODULE_NAME /bin/true"
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
fi
fi
else
ok "$KERNEL_OPTION is disabled, nothing to do"
fi
:
}
# This function will check config parameters required
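Review bot: In the freevxfs `apply()` the writable-file branch appends `blacklist freevxfs` before `install freevxfs /bin/true`, while its own `else` branch and the cramfs, jffs2, hfs and hfsplus sections write `install` first; modprobe does not care about the order, but the generated `harbian-security-workaround.conf` then differs depending on whether the file already existed, which makes comparing that file across hosts noisier than necessary. Swap the two lines at the top of that branch so all five scripts emit the same two-line stanza.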


@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -13,30 +14,48 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2
HARBIAN_SEC_CONF_FILE='/etc/modprobe.d/harbian-security-workaround.conf'
KERNEL_OPTION="CONFIG_JFFS2_FS"
MODULE_NAME="jffs2"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
crit "$MODULE_NAME is not set to blacklist"
fi
else
ok "$KERNEL_OPTION is disabled"
ok "$MODULE_NAME's kernel option is disabled"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_kernel_option_enabled $KERNEL_OPTION
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
warn "$MODULE_NAME is not set to blacklist, add to config file $HARBIAN_SEC_CONF_FILE"
if [ -w $HARBIAN_SEC_CONF_FILE ]; then
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $MODULE_NAME /bin/true"
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
else
touch $HARBIAN_SEC_CONF_FILE
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $MODULE_NAME /bin/true"
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
fi
fi
else
ok "$KERNEL_OPTION is disabled, nothing to do"
fi
:
}
# This function will check config parameters required


@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -13,30 +14,48 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2
HARBIAN_SEC_CONF_FILE='/etc/modprobe.d/harbian-security-workaround.conf'
KERNEL_OPTION="CONFIG_HFS_FS"
MODULE_FILE="hfs"
MODULE_NAME="hfs"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
crit "$MODULE_NAME is not set to blacklist"
fi
else
ok "$KERNEL_OPTION is disabled"
ok "$MODULE_NAME's kernel option is disabled"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_kernel_option_enabled $KERNEL_OPTION
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
warn "$MODULE_NAME is not set to blacklist, add to config file $HARBIAN_SEC_CONF_FILE"
if [ -w $HARBIAN_SEC_CONF_FILE ]; then
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $MODULE_NAME /bin/true"
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
else
touch $HARBIAN_SEC_CONF_FILE
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $MODULE_NAME /bin/true"
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
fi
fi
else
ok "$KERNEL_OPTION is disabled, nothing to do"
fi
:
}
# This function will check config parameters required


@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -13,30 +14,48 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2
HARBIAN_SEC_CONF_FILE='/etc/modprobe.d/harbian-security-workaround.conf'
KERNEL_OPTION="CONFIG_HFSPLUS_FS"
MODULE_FILE="hfsplus"
MODULE_NAME="hfsplus"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
crit "$MODULE_NAME is not set to blacklist"
fi
else
ok "$KERNEL_OPTION is disabled"
ok "$MODULE_NAME's kernel option is disabled"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_kernel_option_enabled $KERNEL_OPTION
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
warn "$MODULE_NAME is not set to blacklist, add to config file $HARBIAN_SEC_CONF_FILE"
if [ -w $HARBIAN_SEC_CONF_FILE ]; then
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $MODULE_NAME /bin/true"
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
else
touch $HARBIAN_SEC_CONF_FILE
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $MODULE_NAME /bin/true"
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
fi
fi
else
ok "$KERNEL_OPTION is disabled, nothing to do"
fi
:
}
# This function will check config parameters required
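Review bot: apply() only appends `install`/`blacklist` lines to $HARBIAN_SEC_CONF_FILE, and audit() judges the item by configuration alone (through check_blacklist_module_set, whose internals are not in this hunk), so a module that is already loaded keeps working until the next reboot while the check reports ok. Consider having audit() also flag a loaded module, e.g. `if lsmod | grep -q "^${MODULE_NAME}[[:space:]]"; then crit "$MODULE_NAME is currently loaded"; fi`, and having apply() warn that a reboot (or unloading the module) is still required after the config lines are written. If check_blacklist_module_set already inspects lsmod, only the apply() warning is missing. The squashfs and udf sections below carry the identical change.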


@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -13,30 +14,48 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2
HARBIAN_SEC_CONF_FILE='/etc/modprobe.d/harbian-security-workaround.conf'
KERNEL_OPTION="CONFIG_SQUASHFS"
MODULE_FILE="squashfs"
MODULE_NAME="squashfs"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
crit "$MODULE_NAME is not set to blacklist"
fi
else
ok "$KERNEL_OPTION is disabled"
ok "$MODULE_NAME's kernel option is disabled"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_kernel_option_enabled $KERNEL_OPTION
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
warn "$MODULE_NAME is not set to blacklist, add to config file $HARBIAN_SEC_CONF_FILE"
if [ -w $HARBIAN_SEC_CONF_FILE ]; then
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $MODULE_NAME /bin/true"
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
else
touch $HARBIAN_SEC_CONF_FILE
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $MODULE_NAME /bin/true"
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
fi
fi
else
ok "$KERNEL_OPTION is disabled, nothing to do"
fi
:
}
# This function will check config parameters required


@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -13,30 +14,48 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2
HARBIAN_SEC_CONF_FILE='/etc/modprobe.d/harbian-security-workaround.conf'
KERNEL_OPTION="CONFIG_UDF_FS"
MODULE_FILE="udf"
MODULE_NAME="udf"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
crit "$MODULE_NAME is not set to blacklist"
fi
else
ok "$KERNEL_OPTION is disabled"
ok "$MODULE_NAME's kernel option is disabled"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_kernel_option_enabled $KERNEL_OPTION
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
warn "$MODULE_NAME is not set to blacklist, add to config file $HARBIAN_SEC_CONF_FILE"
if [ -w $HARBIAN_SEC_CONF_FILE ]; then
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $MODULE_NAME /bin/true"
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
else
touch $HARBIAN_SEC_CONF_FILE
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $MODULE_NAME /bin/true"
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
fi
fi
else
ok "$KERNEL_OPTION is disabled, nothing to do"
fi
:
}
# This function will check config parameters required


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux Debian 7/8/9 or CentOS Hardening
# harbian-audit for Debian GNU/Linux Debian 7/8/9/10/11/12 or CentOS Hardening
# Modify by: Samson-W (sccxboy@gmail.com)
#
@ -47,10 +47,10 @@ audit () {
fi
else
warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service"
if [ $OS_RELEASE -eq 1 ]; then
if [ $OS_RELEASE -eq 2 ]; then
UNITSERVICEPATH=$CENTOS_SERVICEPATHa
else
UNITSERVICEPATH=$DEBIAN_SERVICEPATH
elif [ $OS_RELEASE -eq 2 ]; then
UNITSERVICEPATH=$CENTOS_SERVICEPATH
fi
if [ -e $UNITSERVICEPATH ]; then
has_mount_option_systemd $UNITSERVICEPATH $OPTION
@ -77,10 +77,10 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
UNITSERVICEPATH=$DEBIAN_SERVICEPATH
elif [ $OS_RELEASE -eq 2 ]; then
if [ $OS_RELEASE -eq 2 ]; then
UNITSERVICEPATH=$CENTOS_SERVICEPATH
else
UNITSERVICEPATH=$DEBIAN_SERVICEPATH
fi
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
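Review bot: `UNITSERVICEPATH=$CENTOS_SERVICEPATHa` in the audit() hunk has a stray `a` on the variable name, so on CentOS it expands an undefined variable: under `set -u` the script aborts at that line, and without it UNITSERVICEPATH becomes empty and the following `[ -e $UNITSERVICEPATH ]` degenerates to `[ -e ]`, which is true, so has_mount_option_systemd is called with an empty path. The apply() hunk in this same file and the two sibling sections below spell it `$CENTOS_SERVICEPATH`; the line should read `UNITSERVICEPATH=$CENTOS_SERVICEPATH`. audit() starts outside the hunk, so whether this file sets `-u` is not visible here.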


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux Debian 7/8/9/10 or CentOS Hardening
# harbian-audit for Debian GNU/Linux Debian 7/8/9/10/11/12 or CentOS Hardening
# Modify by: Samson-W (sccxboy@gmail.com)
#
@ -47,10 +47,10 @@ audit () {
fi
else
warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service"
if [ $OS_RELEASE -eq 1 ]; then
UNITSERVICEPATH=$DEBIAN_SERVICEPATH
elif [ $OS_RELEASE -eq 2 ]; then
if [ $OS_RELEASE -eq 2 ]; then
UNITSERVICEPATH=$CENTOS_SERVICEPATH
else
UNITSERVICEPATH=$DEBIAN_SERVICEPATH
fi
if [ -e $UNITSERVICEPATH ]; then
has_mount_option_systemd $UNITSERVICEPATH $OPTION
@ -77,10 +77,10 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
UNITSERVICEPATH=$DEBIAN_SERVICEPATH
elif [ $OS_RELEASE -eq 2 ]; then
if [ $OS_RELEASE -eq 2 ]; then
UNITSERVICEPATH=$CENTOS_SERVICEPATH
else
UNITSERVICEPATH=$DEBIAN_SERVICEPATH
fi
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux Debian 7/8/9/10 or CentOS Hardening
# harbian-audit for Debian GNU/Linux Debian 7/8/9/10/11/12 or CentOS Hardening
# Modify by: Samson-W (sccxboy@gmail.com)
#
@ -47,10 +47,10 @@ audit () {
fi
else
warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service"
if [ $OS_RELEASE -eq 1 ]; then
UNITSERVICEPATH=$DEBIAN_SERVICEPATH
elif [ $OS_RELEASE -eq 2 ]; then
if [ $OS_RELEASE -eq 2 ]; then
UNITSERVICEPATH=$CENTOS_SERVICEPATH
else
UNITSERVICEPATH=$DEBIAN_SERVICEPATH
fi
if [ -e $UNITSERVICEPATH ]; then
has_mount_option_systemd $UNITSERVICEPATH $OPTION
@ -77,10 +77,10 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
UNITSERVICEPATH=$DEBIAN_SERVICEPATH
elif [ $OS_RELEASE -eq 2 ]; then
if [ $OS_RELEASE -eq 2 ]; then
UNITSERVICEPATH=$CENTOS_SERVICEPATH
else
UNITSERVICEPATH=$DEBIAN_SERVICEPATH
fi
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 or CentOS Hardening
#Modify by: Samson-W (samson@hardenedlinux.org)
#
@ -50,13 +50,10 @@ audit_centos () {
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
if [ $OS_RELEASE -eq 2 ]; then
audit_centos
else
crit "Current OS is not support!"
FNRET=44
audit_debian
fi
}
@ -92,12 +89,10 @@ apply_centos () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
if [ $OS_RELEASE -eq 2 ]; then
apply_centos
else
crit "Current OS is not support!"
apply_debian
fi
}
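Review bot: the rewritten audit() and apply() treat every OS_RELEASE other than 2 as Debian, so the previous unsupported-OS path (`crit "Current OS is not support!"` with FNRET=44) is gone and an unrecognised release would silently run the Debian branch. If OS_RELEASE can hold a value other than 1 or 2 (its detection is not in this hunk), keeping a guard such as `elif [ $OS_RELEASE -ne 1 ]; then crit "Current OS is not support!"; FNRET=44` before the Debian fallback, or doing that check once in lib, keeps the failure visible instead of applying Debian-specific fixes to an unknown system. The same audit()/apply() rewrite is repeated in several sections further down and would want the same treatment.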


@ -33,7 +33,7 @@ apply () {
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
"$(which $PACKAGE)" -ua
yum autoremove $PACKAGE -y
uninstall_pkg $PACKAGE
else
ok "$PACKAGE is absent"
fi
@ -41,8 +41,7 @@ apply () {
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
/usr/sbin/prelink -ua
apt-get purge $PACKAGE -y
apt-get autoremove
uninstall_pkg $PACKAGE
else
ok "$PACKAGE is absent"
fi


@ -1,12 +1,11 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
# todo: SELinux
#
# 4.5 Activate AppArmor/SELinux (Scored)
# 4.5 Activate AppArmor (Scored)
# Add by Author : Samson wen, Samson <sccxboy@gmail.com>
#
@ -20,8 +19,14 @@ KEYWORD="GRUB_CMDLINE_LINUX"
PATTERN="apparmor=1[[:space:]]*security=apparmor"
SETSTRING="apparmor=1 security=apparmor"
GRUBFILE='/etc/default/grub'
SERVICENAME='apparmor.service'
SELINUXSETSTRING="security=selinux"
audit_debian () {
if [ $(grep -c "${SELINUXSETSTRING}" /proc/cmdline) -eq 1 ]; then
ok "SELinux was actived. So pass."
return 0
fi
for PACKAGE in ${PACKAGES}
do
is_pkg_installed $PACKAGE
@ -32,41 +37,54 @@ audit_debian () {
done
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
if [ $( grep -w "^${KEYWORD}" ${GRUBFILE} | grep -c ${PATTERN}) -eq 1 ]; then
ok "There are ${SETSTRING} to ${KEYWORD} in ${GRUBFILE}"
is_mounted "/sys/kernel/security"
if [ ${FNRET} -eq 0 -a $(/usr/sbin/apparmor_status 2>&1 | grep -c "apparmor filesystem is not mounted.") -eq 1 ]; then
crit "AppArmor profiles not enable in the system "
FNRET=3
elif [ ${FNRET} -eq 0 -a $(/usr/sbin/apparmor_status | grep 'profiles are loaded' | awk '{print $1}') -gt 0 ]; then
ok "AppArmor profiles is enable in the system "
# Since Debian 10 (Buster), AppArmor is enabled by default. It's a system service
is_debian_ge_10
if [ $FNRET = 0 ]; then
is_service_active $SERVICENAME
if [ $FNRET -eq 0 ]; then
ok "$SERVICENAME is active!"
FNRET=0
fi
else
crit "There are not set ${SETSTRING} to ${KEYWORD} in ${GRUBFILE}"
FNRET=2
fi
else
crit "$SERVICENAME is inactive!"
FNRET=2
fi
else
if [ $(grep -c "${SETSTRING}" /proc/cmdline) -eq 1 ]; then
ok "There are ${SETSTRING} to ${KEYWORD} in ${GRUBFILE}"
is_mounted "/sys/kernel/security"
if [ ${FNRET} -eq 0 -a $(/usr/sbin/aa-status 2>&1 | grep -c "apparmor filesystem is not mounted.") -eq 1 ]; then
crit "AppArmor profiles not enable in the system "
FNRET=3
elif [ ${FNRET} -eq 0 -a $(/usr/sbin/aa-status | grep 'profiles are loaded' | awk '{print $1}') -gt 0 ]; then
ok "AppArmor profiles is enable in the system "
FNRET=0
fi
else
crit "There are ${SETSTRING} to ${KEYWORD} not in ${GRUBFILE}"
FNRET=2
fi
fi
fi
}
# Todo
audit_centos () {
:
ok "AppArmor is only support for Debian, So pass!"
}
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
if [ $OS_RELEASE -eq 2 ]; then
audit_centos
else
crit "Current OS is not support!"
FNRET=44
audit_debian
fi
}
apply_debian () {
if [ $(grep -c "${SELINUXSETSTRING}" /proc/cmdline) -eq 1 ]; then
ok "SELinux was actived. So pass."
return 0
fi
if [ $FNRET = 0 ]; then
ok "AppArmor profiles is enable in the system "
elif [ $FNRET = 1 ]; then
@ -76,28 +94,32 @@ apply_debian () {
apt_install $PACKAGE
done
elif [ $FNRET = 2 ]; then
warn "Set ${SETSTRING} to ${GRUBFILE} in ${GRUBFILE}, need to reboot the system and enable AppArmor profiles after setting it."
sed -i "s;\(${KEYWORD}=\)\(\".*\)\(\"\);\1\2 ${SETSTRING}\3;" ${GRUBFILE}
/usr/sbin/update-grub2
# Since Debian 10 (Buster), AppArmor is enabled by default. It's a system service
is_debian_ge_10
if [ $FNRET = 0 ]; then
warn "Start $SERVICENAME"
systemctl start $SERVICENAME
else
warn "Set ${SETSTRING} to ${GRUBFILE} in ${GRUBFILE}, need to reboot the system and enable AppArmor profiles after setting it."
sed -i "s;\(${KEYWORD}=\)\(\".*\)\(\"\);\1\2 ${SETSTRING}\3;" ${GRUBFILE}
/usr/sbin/update-grub2
fi
elif [ $FNRET = 3 ]; then
warn "Enable AppArmor profiles in the system "
/usr/sbin/aa-enforce /etc/apparmor.d/*
fi
}
# Todo
apply_centos () {
:
ok "AppArmor is only support for Debian, So pass!"
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
if [ $OS_RELEASE -eq 2 ]; then
apply_centos
else
crit "Current OS is not support!"
apply_debian
fi
}
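Review bot: in audit_debian() the new Debian ≥ 10 branch sets FNRET=0 as soon as `is_service_active $SERVICENAME` succeeds, without the `is_mounted` / `aa-status ... 'profiles are loaded'` check that the pre-10 branch still performs, so a host whose apparmor.service runs but has no profiles loaded (FNRET=3 on older releases) now passes. Consider running the same profile check after the service-active test so both branches produce the same FNRET codes that apply_debian() dispatches on. In apply_debian(), `systemctl start $SERVICENAME` only affects the current boot; `systemctl enable --now $SERVICENAME` would also make the fix survive a reboot if the unit had been disabled. Both functions extend beyond the hunks shown here.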


@ -0,0 +1,189 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9/10/11/12 or CentOS 8 Hardening
#
#
# 4.6 Activate SELinux (Scored)
# Add by Author : Samson-W (samson@hardenedlinux.org)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
PACKAGES='selinux-basics selinux-policy-default'
SETSTRING="security=selinux"
PROC_CMDLINE='/proc/cmdline'
SELINUXCONF_FILE='/etc/selinux/config'
SELINUXENFORCE_MODE='SELINUX=enforcing'
LSM_RUN_STATUS_FILE='/sys/kernel/security/lsm'
audit_debian () {
set +e
check_aa_status
set -e
if [ $FNRET = 0 ]; then
ok "AppArmor was actived. So pass."
return 0
fi
for PACKAGE in ${PACKAGES}
do
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is absent!"
FNRET=1
return
fi
done
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
fi
if [ $(grep -c "${SETSTRING}" $PROC_CMDLINE) -eq 1 ]; then
ok "SELinux is actived."
does_valid_pattern_exist_in_file $SELINUXCONF_FILE $SELINUXENFORCE_MODE
if [ ${FNRET} -eq 0 -a $(getenforce | grep -c 'Enforcing') -eq 1 ]; then
ok "SELinux is in Enforcing mode."
FNRET=0
else
crit "SELinux is not in Enforcing mode."
FNRET=3
return
fi
else
crit "SELinux is inactived."
FNRET=2
return
fi
}
audit_centos () {
for PACKAGE in ${PACKAGES}
do
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is absent!"
FNRET=1
else
FNRET=0
fi
done
if [ $FNRET -eq 0 ]; then
if [ $(grep -c selinux $LSM_RUN_STATUS_FILE) -eq 1 ]; then
ok "SELinux was activated."
does_valid_pattern_exist_in_file $SELINUXCONF_FILE $SELINUXENFORCE_MODE
if [ ${FNRET} -eq 0 -a $(getenforce | grep -c 'Enforcing') -eq 1 ]; then
ok "SELinux is in Enforcing mode."
FNRET=0
else
crit "SELinux is not in Enforcing mode."
FNRET=3
fi
else
crit "SELinux is inactived."
FNRET=2
fi
else
crit "SELinux related packages are not installed."
FNRET=1
fi
}
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 2 ]; then
audit_centos
else
audit_debian
fi
}
apply_debian () {
set +e
check_aa_status
set -e
if [ $FNRET = 0 ]; then
ok "AppArmor was actived. So pass."
return 0
fi
case $FNRET in
0) ok "SELinux is active and in Enforcing mode."
;;
2) warn "Set SELinux to activate, and need reboot"
selinux-activate
warn "Set SELinux to enforcing mode, and need reboot"
replace_in_file $SELINUXCONF_FILE 'SELINUX=.*' $SELINUXENFORCE_MODE
;;
3) warn "Set SELinux to enforcing mode, and need reboot"
replace_in_file $SELINUXCONF_FILE 'SELINUX=.*' $SELINUXENFORCE_MODE
;;
# When return 1 or 5
*) warn "$PACKAGE is not installed, install $PACKAGES"
for PACKAGE in ${PACKAGES}
do
install_package $PACKAGE
done
warn "Set SELinux to activate, and need reboot"
selinux-activate
warn "Set SELinux to enforcing mode, and need reboot"
replace_in_file $SELINUXCONF_FILE 'SELINUX=.*' $SELINUXENFORCE_MODE
;;
esac
}
apply_centos () {
if [ $FNRET = 0 ]; then
ok "SELinux is active and in Enforcing mode."
elif [ $FNRET = 1 ]; then
warn "$PACKAGE is not installed, install $PACKAGES"
for PACKAGE in ${PACKAGES}
do
install_package $PACKAGE
done
elif [ $FNRET = 2 ]; then
warn "Set SELinux to activate, and need reboot"
elif [ $FNRET = 3 ]; then
warn "Set SELinux to enforcing mode, and need reboot"
replace_in_file $SELINUXCONF_FILE 'SELINUX=.*' $SELINUXENFORCE_MODE
else
:
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 2 ]; then
apply_centos
else
apply_debian
fi
}
# This function will check config parameters required
check_config() {
if [ $OS_RELEASE -eq 2 ]; then
PACKAGES='libselinux libselinux-utils selinux-policy-targeted'
else
:
fi
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi
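Review bot: apply_debian() overwrites FNRET with the result of `check_aa_status` before reaching `case $FNRET in`, so the dispatch no longer sees the code audit_debian() produced (assuming main.sh runs audit() before apply() and hands the result over in FNRET, as the `# When return 1 or 5` comment implies); whenever AppArmor is inactive, the `*)` arm runs and reinstalls packages, calls `selinux-activate` and rewrites $SELINUXCONF_FILE regardless of what the audit found. Save the audit result first with `AUDIT_RET=$FNRET` ahead of the `set +e; check_aa_status; set -e` sequence, then dispatch with `case $AUDIT_RET in`. The same clobber is in apply_debian() of the 4.7 file below, where it additionally makes the `if [ $FNRET = 0 ]` branch unreachable as true, because the preceding AppArmor check already returned on 0; in both audit_debian() functions the overwrite is harmless since FNRET is reassigned afterwards.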


@ -0,0 +1,121 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9/10/11/12 or CentOS 8 Hardening
#
#
# 4.7 Enable SELinux targeted policy (Scored)
# Add by Author : Samson-W (samson@hardenedlinux.org)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
SELINUXCONF_FILE='/etc/selinux/config'
SELINUXTYPE_VALUE='SELINUXTYPE=default'
audit_debian () {
set +e
check_aa_status
set -e
if [ $FNRET = 0 ]; then
ok "AppArmor was actived. So pass."
return 0
fi
does_valid_pattern_exist_in_file $SELINUXCONF_FILE $SELINUXTYPE_VALUE
if [ ${FNRET} -eq 0 ]; then
ok "SELinux targeted policy was enabled."
FNRET=0
else
crit "SELinux targeted policy is not enable."
FNRET=1
fi
}
audit_centos () {
does_valid_pattern_exist_in_file $SELINUXCONF_FILE $SELINUXTYPE_VALUE
if [ ${FNRET} -eq 0 ]; then
ok "SELinux targeted policy was enabled."
FNRET=0
else
crit "SELinux targeted policy is not enable."
FNRET=1
fi
}
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 2 ]; then
audit_centos
else
audit_debian
fi
}
apply_debian () {
set +e
check_aa_status
set -e
if [ $FNRET = 0 ]; then
ok "AppArmor was actived. So pass."
return 0
fi
if [ $FNRET = 0 ]; then
ok "SELinux targeted policy was enabled."
elif [ $FNRET = 1 ]; then
warn "Set SELinux targeted policy to enable, and need reboot"
replace_in_file $SELINUXCONF_FILE 'SELINUXTYPE=.*' $SELINUXTYPE_VALUE
else
:
fi
}
apply_centos () {
if [ $FNRET = 0 ]; then
ok "SELinux targeted policy was enabled."
elif [ $FNRET = 1 ]; then
warn "Set SELinux targeted policy to enable, and need reboot"
replace_in_file $SELINUXCONF_FILE 'SELINUXTYPE=.*' $SELINUXTYPE_VALUE
else
:
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 2 ]; then
apply_centos
else
apply_debian
fi
}
# This function will check config parameters required
check_config() {
if [ $OS_RELEASE -eq 2 ]; then
SELINUXTYPE_VALUE='SELINUXTYPE=targeted'
else
:
fi
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi


@ -1,13 +1,13 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
# harbian-audit for Debian GNU/Linux 9/10/11/12 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
# 4.6 Disable USB Devices
# TODO test
# 4.8 Disable USB storage Devices
# TODO: CentOS
#
set -e # One error, it's over
@ -15,43 +15,39 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
USER='root'
PATTERN='ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"' # We do test disabled by default, whitelist is up to you
FILES_TO_SEARCH='/etc/udev/rules.d'
FILE='/etc/udev/rules.d/CIS_4.6_usb_devices.conf'
BLACKRULEPATTERN='^blacklist[[:blank:]].*usb-storage'
BLACKRULE='blacklist usb-storage'
BLACKRULEPATTERN='install[[:blank:]].*usb_storage[[:blank:]].*/bin/true'
BLACKRULE='install usb_storage /bin/true'
BLACKCONFILE='/etc/modprobe.d/blacklist.conf'
BLACKCONDIR='/etc/modprobe.d'
audit_debian () {
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
for FILE_SEARCHED in $BLACKCONDIR; do
if [ $SEARCH_RES = 1 ]; then break; fi
if test -d $FILE_SEARCHED; then
debug "$FILE_SEARCHED is a directory"
for file_in_dir in $(ls $FILE_SEARCHED); do
does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$BLACKRULEPATTERN"
if [ $FNRET != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
debug "$BLACKRULEPATTERN is not present in $FILE_SEARCHED/$file_in_dir"
else
ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
ok "$BLACKRULEPATTERN is present in $FILE_SEARCHED/$file_in_dir"
SEARCH_RES=1
break
fi
done
else
does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
does_pattern_exist_in_file "$FILE_SEARCHED" "^$BLACKRULEPATTERN"
if [ $FNRET != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED"
debug "$BLACKRULEPATTERN is not present in $FILE_SEARCHED"
else
ok "$PATTERN is present in $FILES_TO_SEARCH"
ok "$BLACKRULEPATTERN is present in $BLACKCONDIR"
SEARCH_RES=1
fi
fi
done
if [ $SEARCH_RES = 0 ]; then
crit "$PATTERN is not present in $FILES_TO_SEARCH"
crit "$BLACKRULEPATTERN is not present in $BLACKCONDIR"
fi
}
@ -61,60 +57,53 @@ audit_centos () {
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
if [ $OS_RELEASE -eq 2 ]; then
audit_centos
else
crit "Current OS is not support!"
FNRET=44
audit_debian
fi
}
# This function will be called if the script status is on enabled mode
apply () {
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
for FILE_SEARCHED in $BLACKCONDIR; do
if [ $SEARCH_RES = 1 ]; then break; fi
if test -d $FILE_SEARCHED; then
debug "$FILE_SEARCHED is a directory"
for file_in_dir in $(ls $FILE_SEARCHED); do
does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$BLACKRULEPATTERN"
if [ $FNRET != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
debug "$BLACKRULEPATTERN is not present in $FILE_SEARCHED/$file_in_dir"
else
ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
ok "$BLACKRULEPATTERN is present in $FILE_SEARCHED/$file_in_dir"
SEARCH_RES=1
break
fi
done
else
does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
does_pattern_exist_in_file "$FILE_SEARCHED" "^$BLACKRULEPATTERN "
if [ $FNRET != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED"
debug "$BLACKRULEPATTERN is not present in $FILE_SEARCHED"
else
ok "$PATTERN is present in $FILES_TO_SEARCH"
ok "$BLACKRULEPATTERN is present in $BLACKCONDIR"
SEARCH_RES=1
fi
fi
done
if [ $SEARCH_RES = 0 ]; then
warn "$PATTERN is not present in $FILES_TO_SEARCH"
touch $FILE
chmod 644 $FILE
add_end_of_file $FILE '
# By default, disable all.
ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"
# Enable hub devices.
ACTION=="add", ATTR{bDeviceClass}=="09", TEST=="authorized", ATTR{authorized}="1"
# Enables keyboard devices
ACTION=="add", ATTR{product}=="*[Kk]eyboard*", TEST=="authorized", ATTR{authorized}="1"
# PS2-USB converter
ACTION=="add", ATTR{product}=="*Thinnet TM*", TEST=="authorized", ATTR{authorized}="1"
'
warn "$BLACKRULEPATTERN is not present in $BLACKCONDIR"
if [ -f $BLACKCONFILE ]; then
warn "Add $BLACKRULE to $BLACKCONFILE"
add_end_of_file $BLACKCONFILE "$BLACKRULE"
add_end_of_file $BLACKCONFILE "blacklist usb_storage"
else
warn "Create $BLACKCONFILE and add $BLACKRULE to $BLACKCONFILE"
touch $BLACKCONFILE
chmod 644 $BLACKCONFILE
add_end_of_file $BLACKCONFILE "blacklist usb_storage"
add_end_of_file $BLACKCONFILE "$BLACKRULE"
fi
fi
}
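Review bot: in apply() the non-directory branch passes `"^$BLACKRULEPATTERN "` with a trailing space inside the quotes, while audit_debian() and the directory branch use `"^$BLACKRULEPATTERN"`; the extra space demands a blank after `/bin/true`, so an existing `install usb_storage /bin/true` line would not match there. BLACKCONDIR is a directory, so that branch is rarely taken, but the line should read `does_pattern_exist_in_file "$FILE_SEARCHED" "^$BLACKRULEPATTERN"`. Separately, BLACKRULEPATTERN only matches the `usb_storage` spelling even though modprobe treats `usb-storage` and `usb_storage` as the same module, so a pre-existing `install usb-storage /bin/true` rule would be reported missing and a duplicate appended; `usb[-_]storage` in the pattern covers both.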


@ -39,12 +39,7 @@ apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
if [ $OS_RELEASE -eq 2 ]; then
yum -y autoremove $PACKAGE
else
apt-get purge $PACKAGE -y
apt-get autoremove
fi
uninstall_pkg $PACKAGE
else
ok "$PACKAGE is absent"
fi


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
@ -52,13 +52,10 @@ audit_centos () {
}
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
if [ $OS_RELEASE -eq 2 ]; then
audit_centos
else
crit "Current OS is not support!"
FNRET=44
audit_debian
fi
}
@ -67,8 +64,7 @@ apply_debian () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
uninstall_pkg $PACKAGE
else
ok "$PACKAGE is absent"
fi
@ -94,7 +90,7 @@ apply_centos () {
is_pkg_installed $PACKAGE_CENTOS
if [ $FNRET = 0 ]; then
crit "$PACKAGE_CENTOS is installed, purging it"
yum -y remove $PACKAGE_CENTOS
uninstall_pkg $PACKAGE_CENTOS
else
ok "$PACKAGE_CENTOS is absent"
fi
@ -102,12 +98,10 @@ apply_centos () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
if [ $OS_RELEASE -eq 2 ]; then
apply_centos
else
crit "Current OS is not support!"
apply_debian
fi
}


@ -42,8 +42,7 @@ apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, purging"
apt-get purge $PACKAGE -y
apt-get autoremove
uninstall_pkg $PACKAGE
else
ok "$PACKAGE is absent"
fi


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
@ -54,13 +54,10 @@ audit_centos () {
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
if [ $OS_RELEASE -eq 2 ]; then
audit_centos
else
crit "Current OS is not support!"
FNRET=44
audit_debian
fi
}
@ -69,8 +66,7 @@ apply_debian () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
uninstall_pkg $PACKAGE
else
ok "$PACKAGE is absent"
fi
@ -97,7 +93,7 @@ apply_centos () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
yum remove $PACKAGE -y
uninstall_pkg $PACKAGE
else
ok "$PACKAGE is absent"
fi
@ -106,12 +102,10 @@ apply_centos () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
if [ $OS_RELEASE -eq 2 ]; then
apply_centos
else
crit "Current OS is not support!"
apply_debian
fi
}
# This function will check config parameters required


@ -41,12 +41,7 @@ apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, purging"
if [ $OS_RELEASE -eq 2 ]; then
yum remove $PACKAGE -y
else
apt-get purge $PACKAGE -y
apt-get autoremove
fi
uninstall_pkg $PACKAGE
else
ok "$PACKAGE is absent"
fi


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
@ -53,13 +53,10 @@ audit_centos () {
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
if [ $OS_RELEASE -eq 2 ]; then
audit_centos
else
crit "Current OS is not support!"
FNRET=44
audit_debian
fi
}
@ -68,8 +65,7 @@ apply_debian () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
uninstall_pkg $PACKAGE
else
ok "$PACKAGE is absent"
fi
@ -95,7 +91,7 @@ apply_centos () {
is_pkg_installed $PACKAGE_CENTOS
if [ $FNRET = 0 ]; then
crit "$PACKAGE_CENTOS is installed, purging it"
yum remove $PACKAGE_CENTOS -y
uninstall_pkg $PACKAGE_CENTOS
else
ok "$PACKAGE_CENTOS is absent"
fi
@ -103,12 +99,10 @@ apply_centos () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
if [ $OS_RELEASE -eq 2 ]; then
apply_centos
else
crit "Current OS is not support!"
apply_debian
fi
}


@ -41,12 +41,7 @@ apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, purging"
if [ $OS_RELEASE -eq 2 ]; then
yum remove $PACKAGE -y
else
apt-get purge $PACKAGE -y
apt-get autoremove
fi
uninstall_pkg $PACKAGE
else
ok "$PACKAGE is absent"
fi


@ -50,12 +50,7 @@ apply () {
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else
crit "$PACKAGE is installed, purging it"
if [ $OS_RELEASE -eq 2 ]; then
yum autoremove $PACKAGE
else
apt-get purge $PACKAGE
apt-get autoremove
fi
uninstall_pkg $PACKAGE
fi
else
ok "$PACKAGE is absent"


@ -49,8 +49,7 @@ apply () {
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
uninstall_pkg $PACKAGE
fi
else
ok "$PACKAGE is absent"


@ -49,12 +49,7 @@ apply () {
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else
crit "$PACKAGE is installed, purging it"
if [ $OS_RELEASE -eq 2 ]; then
yum autoremove $PACKAGE -y
else
apt-get purge $PACKAGE -y
apt-get autoremove
fi
uninstall_pkg $PACKAGE
fi
else
ok "$PACKAGE is absent"


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 Hardening
# todo test for centos
#
@ -18,7 +18,7 @@ VIRULSERVER_CENTOS='clamav-server clamav-data clamav-update clamav-filesystem cl
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 1 ]; then
if [ $OS_RELEASE -ne 2 ]; then
if [ $(dpkg -l | grep -c $VIRULSERVER) -ge 1 ]; then
if [ $(systemctl | grep $VIRULSERVER | grep -c "active running") -ne 1 ]; then
crit "$VIRULSERVER is not runing"
@ -31,7 +31,8 @@ audit () {
crit "$VIRULSERVER is not installed"
FNRET=1
fi
elif [ $OS_RELEASE -eq 2 ]; then
#CentOS:OS_RELEASE -eq 2
else
if [ $(rpm -qa | grep -c clamd) -ge 1 ]; then
ok "Clamav is installed"
FNRET=0
@ -39,33 +40,32 @@ audit () {
crit "Clamav is not install"
FNRET=1
fi
else
crit "Current OS is not support!"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
if [ $OS_RELEASE -ne 2 ]; then
if [ $FNRET = 0 ]; then
ok "$VIRULSERVER is enable"
elif [ $FNRET = 1 ]; then
warn "Install $VIRULSERVER"
apt-get install -y $VIRULSERVER
else
warn "Start server $VIRULSERVER"
systemctl start $VIRULSERVER
fi
elif [ $OS_RELEASE -eq 2 ]; then
if [ $FNRET = 0 ]; then
ok "$VIRULSERVER_CENTOS is enable"
elif [ $FNRET = 1 ]; then
warn "Install $VIRULSERVER_CENTOS"
yum install -y $VIRULSERVER_CENTOS
else
warn "Start server $VIRULSERVER"
systemctl start $VIRULSERVER
fi
warn "Install $VIRULSERVER"
apt-get install -y $VIRULSERVER
else
warn "Start server $VIRULSERVER"
systemctl start $VIRULSERVER
fi
#Centos: OS_RELEASE -eq 2
else
if [ $FNRET = 0 ]; then
ok "$VIRULSERVER_CENTOS is enable"
elif [ $FNRET = 1 ]; then
warn "Install $VIRULSERVER_CENTOS"
yum install -y $VIRULSERVER_CENTOS
else
warn "Start server $VIRULSERVER"
systemctl start $VIRULSERVER
fi
fi
}
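Review bot: In the CentOS branch of apply() (the `else` after `#Centos: OS_RELEASE -eq 2`), the start step still reads `warn "Start server $VIRULSERVER"` / `systemctl start $VIRULSERVER`, i.e. the Debian variable, while the install step two lines above uses `$VIRULSERVER_CENTOS`; since the CentOS audit() only ever sets FNRET to 0 or 1, that branch is also unreachable from the CentOS audit, which points to a stale copy rather than intent, and the unit to start on CentOS should be named explicitly (the `VIRULSERVER_CENTOS` value is a package list, so it cannot be handed to systemctl as-is). Replacing `-eq 1` with `-ne 2` means any unrecognised or unset `OS_RELEASE` now silently takes the Debian path and runs `apt-get install`; a comment such as `# OS_RELEASE: 2 = CentOS/RHEL, any other value is treated as Debian-based` would make that contract explicit. The same implicit fallback is introduced in the audit()/apply() dispatchers of later sections of this compare (the ones dropping the `crit "Current OS is not support!"` / `FNRET=44` branch), where main.sh can no longer tell 'unsupported' from 'Debian'.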


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9 Hardening
# harbian-audit for Debian GNU/Linux 9/10/11/12 Hardening
# todo test for centos
#
@ -49,12 +49,10 @@ audit_centos () {
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
if [ $OS_RELEASE -eq 2 ]; then
audit_centos
else
crit "Current OS is not support!"
audit_debian
fi
}
@ -81,12 +79,10 @@ apply_centos () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
if [ $OS_RELEASE -eq 2 ]; then
apply_centos
else
crit "Current OS is not support!"
apply_debian
fi
}


@ -15,7 +15,7 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=3
HARDENING_EXCEPTION=ntp
ANALOGONS_PKG='chrony'
ANALOGOUS_PKG='chrony systemd-timesyncd'
PACKAGE='ntp'
NTP_CONF_DEFAULT_PATTERN='^restrict -4 default (kod nomodify notrap nopeer noquery|ignore)'
NTP_CONF_FILE='/etc/ntp.conf'
@ -26,10 +26,14 @@ NTP_POOL_CFG='pool 2.debian.pool.ntp.org iburst'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $ANALOGONS_PKG
if [ $FNRET = 0 ]; then
ok "Analogons pagkage $ANALOGONS_PKG is installed. So pass check."
else
for PKG in $ANALOGOUS_PKG; do
is_pkg_installed $PKG
if [ $FNRET = 0 ]; then
ok "Analogous pagkage $PKG is installed. So pass check."
exit
fi
done
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
@ -54,14 +58,13 @@ audit () {
ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $ANALOGONS_PKG
is_pkg_installed $ANALOGOUS_PKG
if [ $FNRET = 0 ]; then
ok "Analogons pagkage $ANALOGONS_PKG is installed. So pass check. "
ok "Analogous pagkage $ANALOGOUS_PKG is installed. So pass check. "
else
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
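Review bot: audit() now iterates `for PKG in $ANALOGOUS_PKG`, but apply() still calls `is_pkg_installed $ANALOGOUS_PKG` with the whole two-word value; the unquoted expansion passes `chrony` and `systemd-timesyncd` as two arguments, so presumably only the first is checked and a host relying on systemd-timesyncd is told to install ntp on apply even though audit passed it. The loop below mirrors audit() and keeps the existing `else` branch (whose body continues outside the hunk) intact, because FNRET after the loop is 0 only when some package was found. Separately, the `exit` inside audit()'s loop terminates the whole script rather than the function; if main.sh does any bookkeeping after audit() returns, `return` is the safer choice. The identical `is_pkg_installed $ANALOGOUS_PKG` call remains in the chrony counterpart later in this compare.
```shell
apply () {
	for PKG in $ANALOGOUS_PKG; do
		is_pkg_installed $PKG
		if [ $FNRET = 0 ]; then
			break
		fi
	done
	if [ $FNRET = 0 ]; then
		ok "Analogous pagkage $PKG is installed. So pass check. "
	else
		# … unchanged: $PACKAGE checks, continue outside the hunk …
```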


@ -20,33 +20,49 @@ PACKAGES='xserver-xorg-core xserver-xorg-core-dbg xserver-common xserver-xephyr
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed!"
else
ok "$PACKAGE is absent"
fi
done
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
if [ $ISEXCEPTION -eq 1 ]; then
warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!"
else
crit "$PACKAGE is installed!"
fi
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
done
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
if [ $ISEXCEPTION -eq 1 ]; then
warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!"
else
crit "$PACKAGE is installed, purging it"
uninstall_pkg $PACKAGE
fi
else
ok "$PACKAGE is absent"
fi
done
}
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=disabled
# Put here exception to pass this case, if set is 1, don't need apply, let to pass.
ISEXCEPTION=0
EOF
}
# This function will check config parameters required
check_config() {
:
:
}
# Source Root Dir Parameter
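Review bot: `ISEXCEPTION` is now read in both audit() and apply() via `[ $ISEXCEPTION -eq 1 ]`, but the only place that defines it is the `create_config()` template, which is presumably written once when the check's config file is first created; a config file generated by an earlier version of this script will lack the variable, and with `set -u` (used by the sibling scripts in this compare) the check would then abort with an unbound-variable error instead of running. `check_config()` is left as `:`; giving it a default, `ISEXCEPTION=${ISEXCEPTION:-0}`, or validating that the value is 0 or 1, would cover old configs and typos. A one-line comment above the `for PACKAGE` loop in audit(), `# ISEXCEPTION=1 downgrades an installed package from crit to warn; apply() then leaves it in place`, would document the new contract where it is used.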


@ -15,7 +15,7 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=3
HARDENING_EXCEPTION=ntp
ANALOGONS_PKG='ntp'
ANALOGOUS_PKG='ntp systemd-timesyncd'
PACKAGE='chrony'
NTP_CONF_FILE='/etc/chrony/chrony.conf'
NTP_SERVER_PATTERN='^(server|pool)'
@ -26,10 +26,13 @@ audit () {
if [ $OS_RELEASE -eq 2 ]; then
ok "Redhat or CentOS does not have this check, so PASS"
else
is_pkg_installed $ANALOGONS_PKG
if [ $FNRET = 0 ]; then
ok "Analogons pagkage $ANALOGONS_PKG is installed. So pass check."
else
for PKG in $ANALOGOUS_PKG; do
is_pkg_installed $PKG
if [ $FNRET = 0 ]; then
ok "Analogous pagkage $PKG is installed. So pass check."
exit
fi
done
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
@ -42,7 +45,6 @@ audit () {
ok "$NTP_SERVER_PATTERN found in $NTP_CONF_FILE"
fi
fi
fi
fi
}
@ -51,9 +53,9 @@ apply () {
if [ $OS_RELEASE -eq 2 ]; then
ok "Redhat or CentOS does not have this check, so PASS"
else
is_pkg_installed $ANALOGONS_PKG
is_pkg_installed $ANALOGOUS_PKG
if [ $FNRET = 0 ]; then
ok "Analogons pagkage $ANALOGONS_PKG is installed. So pass check."
ok "Analogous pagkage $ANALOGOUS_PKG is installed. So pass check."
else
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then


@ -49,12 +49,7 @@ apply () {
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else
crit "$PACKAGE is installed, purging it"
if [ $OS_RELEASE -eq 2 ]; then
yum autoremove $PACKAGE -y
else
apt-get purge $PACKAGE -y
apt-get autoremove
fi
uninstall_pkg $PACKAGE
fi
else
ok "$PACKAGE is absent"


@ -49,12 +49,7 @@ apply () {
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else
crit "$PACKAGE is installed, purging it"
if [ $OS_RELEASE -eq 2 ]; then
yum autoremove $PACKAGE -y
else
apt-get purge $PACKAGE -y
apt-get autoremove
fi
uninstall_pkg $PACKAGE
fi
else
ok "$PACKAGE is absent"


@ -13,7 +13,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
PACKAGES='ntp chrony'
PACKAGES='ntp chrony systemd-timesyncd'
# This function will be called if the script status is on enabled / audit mode
audit () {


@ -49,12 +49,7 @@ apply () {
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else
crit "$PACKAGE is installed, purging it"
if [ $OS_RELEASE -eq 2 ]; then
yum autoremove $PACKAGE -y
else
apt-get purge $PACKAGE -y
apt-get autoremove
fi
uninstall_pkg $PACKAGE
fi
else
ok "$PACKAGE is absent"


@ -49,8 +49,7 @@ apply () {
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
uninstall_pkg $PACKAGE
fi
else
ok "$PACKAGE is absent"


@ -49,12 +49,7 @@ apply () {
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else
crit "$PACKAGE is installed, purging it"
if [ $OS_RELEASE -eq 2 ]; then
yum autoremove $PACKAGE -y
else
apt-get purge $PACKAGE -y
apt-get autoremove
fi
uninstall_pkg $PACKAGE
fi
else
ok "$PACKAGE is absent"


@ -50,12 +50,7 @@ apply () {
warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
else
crit "$PACKAGE is installed, purging it"
if [ $OS_RELEASE -eq 2 ]; then
yum autoremove $PACKAGE -y
else
apt-get purge $PACKAGE -y
apt-get autoremove
fi
uninstall_pkg $PACKAGE
fi
else
ok "$PACKAGE is absent"


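--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/bin/bash
-#
-# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
-#
-#
-# 7.5.1 Disable DCCP (Not Scored)
-#
-set -e # One error, it's over
-set -u # One variable unset, it's over
-HARDENING_LEVEL=2
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-info "Not implemented yet"
-}
-# This function will be called if the script status is on enabled mode
-apply () {
-info "Not implemented yet"
-}
-# This function will check config parameters required
-check_config() {
-:
-}
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-. /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-echo "Cannot source CIS_ROOT_DIR variable, aborting."
-exit 128
-fi
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-. $CIS_ROOT_DIR/lib/main.sh
-else
-echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-exit 128
-fi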


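--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/bin/bash
-#
-# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
-#
-#
-# 7.5.2 Disable SCTP (Not Scored)
-#
-set -e # One error, it's over
-set -u # One variable unset, it's over
-HARDENING_LEVEL=2
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-info "Not implemented yet"
-}
-# This function will be called if the script status is on enabled mode
-apply () {
-info "Not implemented yet"
-}
-# This function will check config parameters required
-check_config() {
-:
-}
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-. /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-echo "Cannot source CIS_ROOT_DIR variable, aborting."
-exit 128
-fi
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-. $CIS_ROOT_DIR/lib/main.sh
-else
-echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-exit 128
-fi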


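--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/bin/bash
-#
-# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
-#
-#
-# 7.5.3 Disable RDS (Not Scored)
-#
-set -e # One error, it's over
-set -u # One variable unset, it's over
-HARDENING_LEVEL=2
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-info "Not implemented yet"
-}
-# This function will be called if the script status is on enabled mode
-apply () {
-info "Not implemented yet"
-}
-# This function will check config parameters required
-check_config() {
-:
-}
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-. /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-echo "Cannot source CIS_ROOT_DIR variable, aborting."
-exit 128
-fi
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-. $CIS_ROOT_DIR/lib/main.sh
-else
-echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-exit 128
-fi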


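--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/bin/bash
-#
-# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
-#
-#
-# 7.5.4 Disable TIPC (Not Scored)
-#
-set -e # One error, it's over
-set -u # One variable unset, it's over
-HARDENING_LEVEL=2
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-info "Not implemented yet"
-}
-# This function will be called if the script status is on enabled mode
-apply () {
-info "Not implemented yet"
-}
-# This function will check config parameters required
-check_config() {
-:
-}
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-. /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-echo "Cannot source CIS_ROOT_DIR variable, aborting."
-exit 128
-fi
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-. $CIS_ROOT_DIR/lib/main.sh
-else
-echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-exit 128
-fi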


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9 or CentOS Hardening
# harbian-audit for Debian GNU/Linux 9/10/11/12 or CentOS Hardening
#
#
@ -17,7 +17,7 @@ HARDENING_LEVEL=3
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $(lspci | grep -ic wireless ) -eq 0 ]; then
info "The OS is not wireless device! "
ok "The OS is not wireless device! "
FNRET=0
else
if [ $(wc -l /proc/net/wireless) -lt 3 ]; then
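Review bot: `wc -l /proc/net/wireless` prints the count followed by the file name, so the unquoted substitution expands to two words and the test becomes `[ 2 /proc/net/wireless -lt 3 ]`, which fails with 'too many arguments'; redirecting instead, `if [ $(wc -l < /proc/net/wireless) -lt 3 ]; then`, yields a bare number, and guarding with `[ -r /proc/net/wireless ]` covers the case where no wireless driver is loaded and the file is absent (empty substitution, 'unary operator expected'). The `lspci | grep -ic wireless` gate that this hunk now scores as `ok` with `FNRET=0` only sees PCI devices — USB wireless adapters are not listed, and when `lspci` is not installed the count is empty and the test errors — so a pass can be reported for reasons unrelated to wireless actually being disabled; testing the kernel's own view first and keeping lspci as a secondary hint would be more reliable. audit() continues outside the hunk.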


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 or CentOS Hardening
#
#
@ -22,28 +22,52 @@ PACKAGES='iptables iptables-persistent'
PACKAGES_CENTOS='iptables iptables-services nftables firewalld'
SERVICENAME='netfilter-persistent'
SERVICENAME_CENTOS='iptables ip6tables'
PACKAGE_NFT='nftables'
SERVICENAME_NFT='nftables.service'
audit_debian () {
for PACKAGE in $PACKAGES
do
is_pkg_installed $PACKAGE
is_pkg_installed $PACKAGE_NFT
if [ $FNRET != 0 ]; then
for PACKAGE in $PACKAGES
do
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
FNRET=1
break
else
ok "$PACKAGE is installed"
FNRET=0
fi
done
if [ $FNRET = 0 ]; then
if [ $(systemctl status ${SERVICENAME} | grep -c "Active:.active") -ne 1 ]; then
crit "${SERVICENAME} service is not actived"
FNRET=2
else
ok "${SERVICENAME} service is actived"
FNRET=0
fi
fi
# check nftables
else
is_pkg_installed $PACKAGE_NFT
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
FNRET=1
break
crit "$PACKAGE_NFT is not installed!"
FNRET=3
else
ok "$PACKAGE is installed"
FNRET=0
fi
done
if [ $FNRET = 0 ]; then
if [ $(systemctl status ${SERVICENAME} | grep -c "Active:.active") -ne 1 ]; then
crit "${SERVICENAME} service is not actived"
FNRET=2
else
ok "${SERVICENAME} service is actived"
ok "$PACKAGE_NFT is installed"
FNRET=0
fi
if [ $FNRET = 0 ]; then
if [ $(systemctl status ${SERVICENAME_NFT} | grep -c "Active:.active") -ne 1 ]; then
crit "${SERVICENAME_NFT} service is not actived"
FNRET=4
else
ok "${SERVICENAME_NFT} service is actived"
FNRET=0
fi
fi
fi
}
@ -76,35 +100,43 @@ audit_centos () {
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
if [ $OS_RELEASE -eq 2 ]; then
audit_centos
else
crit "Current OS is not support!"
FNRET=44
audit_debian
fi
}
apply_debian () {
if [ $FNRET = 0 ]; then
ok "$PACKAGES is installed"
ok "Firewall is enabled"
elif [ $FNRET = 1 ]; then
for PACKAGE in $PACKAGES
do
warn "$PACKAGE is absent, installing it"
apt_install $PACKAGE
done
elif [ $FNRET = 3 ]; then
warn "$PACKAGE_NFT is absent, installing it"
apt_install $PACKAGE_NFT
elif [ $FNRET = 2 ]; then
warn "Enable ${SERVICENAME} service to actived"
is_service_enabled ${SERVICENAME}
if [ $FNRET = 1 ]; then
systemctl enable ${SERVICENAME}
systemctl daemon-reload
else
:
fi
systemctl start ${SERVICENAME}
elif [ $FNRET = 4 ]; then
warn "Enable ${SERVICENAME_NFT} service to actived"
is_service_enabled ${SERVICENAME_NFT}
if [ $FNRET = 1 ]; then
systemctl enable ${SERVICENAME_NFT}
systemctl daemon-reload
fi
systemctl start ${SERVICENAME_NFT}
else
:
fi
}
@ -135,13 +167,10 @@ apply_centos () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
if [ $OS_RELEASE -eq 2 ]; then
apply_centos
else
crit "Current OS is not support!"
FNRET=44
apply_debian
fi
}
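Review bot: The new service check in audit_debian(), `systemctl status ${SERVICENAME_NFT} | grep -c "Active:.active"` (mirroring the existing one for `${SERVICENAME}`), parses free-form status output that is not a stable interface; `systemctl is-active --quiet` is the supported query and returns 0 only for an active unit, so the failing condition can be written as `if ! systemctl is-active --quiet ${SERVICENAME_NFT}; then`. The nftables path sets `FNRET=0` ("Firewall is enabled" in apply_debian) as soon as nftables.service is active, even if the loaded ruleset is empty; that is defensible only because the 7.7.4.x checks later in this compare verify the rules themselves, which deserves a comment next to the `is_pkg_installed $PACKAGE_NFT` branch, e.g. `# nftables present: only check the service here; rule content is verified by 7.7.4.x`. The audit()/apply() dispatchers in this section share the implicit Debian fallback for unknown `OS_RELEASE` values raised on the earlier section.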


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9 Hardening
# harbian-audit for Debian GNU/Linux 9/10/11/12 Hardening
#
#
@ -10,34 +10,50 @@
# Add this feature:Author : Samson wen, Samson <sccxboy@gmail.com>
#
set -e # One error, it's over
#set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
IPS4=$(which iptables)
IPS6=$(which ip6tables)
PACKAGE_NFT='nftables'
# Quick note here : CIS recommends your iptables rules to be persistent.
# Do as you want, but this script does not handle this
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $(${IPS4} -S | grep -Ec "^-A|^-I") -eq 0 -o $(${IPS6} -S | grep -Ec "^-A|^-I") -eq 0 ]; then
crit "Iptables/Ip6tables is not set rule!"
FNRET=1
else
ok "Iptables/Ip6tables rules are set!"
FNRET=0
fi
is_pkg_installed $PACKAGE_NFT
if [ $FNRET != 0 ]; then
if [ $(${IPS4} -S | grep -Ec "^-A|^-I") -eq 0 -o $(${IPS6} -S | grep -Ec "^-A|^-I") -eq 0 ]; then
crit "Iptables/Ip6tables is not set rule!"
FNRET=1
else
ok "Iptables/Ip6tables rules are set!"
FNRET=0
fi
else
if [ $(nft list ruleset 2>/dev/null | grep -v '^table' | grep -v 'chain.*{' | grep -v '}' | grep -v 'policy' | grep -v '^$' | wc -l) -gt 0 ]; then
ok "nftables rules are set!"
FNRET=10
else
crit "Nftables is not set rule!"
FNRET=2
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "Iptables/Ip6tables rules are set!"
else
elif [ $FNRET = 10 ]; then
ok "Nftables rules are set!"
elif [ $FNRET = 1 ]; then
warn "Iptables/Ip6tables rules are not set, need the administrator to manually add it."
elif [ $FNRET = 2 ]; then
warn "Nftables rules are not set, need the administrator to manually add it."
fi
}
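Review bot: The nftables branch of audit() decides that rules exist by counting whatever `nft list ruleset` lines survive the `grep -v` chain (`^table`, `chain.*{`, `}`, `policy`, `^$`); any other line — named set/map/counter declarations and their element lines, `flags`, a chain's `type ... hook` line when it carries no policy — also counts, so a ruleset with declarations but no actual rules is reported `ok` with `FNRET=10`. If jq is acceptable as a dependency, `nft -j list ruleset` gives a machine-readable dump in which rule objects can be counted directly; otherwise a comment above the pipeline should state that it is a heuristic over the text dump. With `set -e` now commented out, a failing `nft` invocation no longer aborts the script, and the `2>/dev/null` on `nft list ruleset` hides permission errors, so an unprivileged run reports 'Nftables is not set rule!' rather than an error; checking `id -u` up front or letting stderr through would make that visible.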


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9 Hardening
# harbian-audit for Debian GNU/Linux 9/10/11/12 Hardening
#
#
@ -10,13 +10,14 @@
# Add this feature:Author : Samson wen, Samson <sccxboy@gmail.com>
#
set -e # One error, it's over
#set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
IPS4=$(which iptables)
IPS6=$(which ip6tables)
PACKAGE_NFT='nftables'
IPV4_RET=1
IPV6_RET=1
@ -27,48 +28,63 @@ IPV6_ISENABLE=1
# This function will be called if the script status is on enabled / audit mode
audit () {
# ipv4
if [ $(${IPS4} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then
info "Iptables is not set rules of protect DOS attacks!"
IPV4_RET=1
else
info "Iptables has set rules for protect DOS attacks!"
IPV4_RET=0
fi
# ipv6
check_ipv6_is_enable
IPV6_ISENABLE=$FNRET
if [ $IPV6_ISENABLE = 0 ]; then
if [ $(${IPS6} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then
info "Ip6tables is not set rules of protect DOS attacks!"
IPV6_RET=1
is_pkg_installed $PACKAGE_NFT
if [ $FNRET != 0 ]; then
# ipv4
if [ $(${IPS4} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then
info "Iptables is not set rules of protect DOS attacks!"
IPV4_RET=1
else
info "Ip6tables has set rules for protect DOS attacks!"
IPV6_RET=0
info "Iptables has set rules for protect DOS attacks!"
IPV4_RET=0
fi
fi
if [ $IPV6_ISENABLE -eq 0 ]; then
if [ $IPV4_RET -eq 1 -o $IPV6_RET -eq 1 ]; then
crit "Iptables/ip6tables is not set rules of protect DOS attacks!"
FNRET=1
# ipv6
check_ipv6_is_enable
IPV6_ISENABLE=$FNRET
if [ $IPV6_ISENABLE = 0 ]; then
if [ $(${IPS6} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then
info "Ip6tables is not set rules of protect DOS attacks!"
IPV6_RET=1
else
info "Ip6tables has set rules for protect DOS attacks!"
IPV6_RET=0
fi
fi
if [ $IPV6_ISENABLE -eq 0 ]; then
if [ $IPV4_RET -eq 1 -o $IPV6_RET -eq 1 ]; then
crit "Iptables/ip6tables is not set rules of protect DOS attacks!"
FNRET=1
else
ok "Iptables/ip6tables has set rules for protect DOS attacks!"
FNRET=0
fi
else
ok "Iptables/ip6tables has set rules for protect DOS attacks!"
FNRET=0
if [ $IPV4_RET -eq 1 ]; then
crit "Iptables is not set rules of protect DOS attacks!"
FNRET=1
else
ok "Iptables has set rules for protect DOS attacks!"
FNRET=0
fi
fi
else
if [ $IPV4_RET -eq 1 ]; then
crit "Iptables is not set rules of protect DOS attacks!"
FNRET=1
if [ $(nft list ruleset 2>/dev/null | grep -v '^$' | grep -c 'limit.*burst') -gt 0 ]; then
FNRET=10
ok "nftables has set rules for protect DOS attacks!"
else
ok "Iptables has set rules for protect DOS attacks!"
FNRET=0
FNRET=11
crit "nftables is not set rules for protect DOS attacks!"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
if [ $FNRET = 10 ]; then
ok "nftables has set rules for protect DOS attacks!"
elif [ $FNRET = 11 ]; then
crit "nftables is not set rules for protect DOS attacks!"
elif [ $FNRET = 0 ]; then
if [ $IPV6_ISENABLE -eq 0 ]; then
ok "Iptables/Ip6tables has set rules for protect DOS attacks!"
else
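Review bot: The nftables branch of audit() reduces the check to `grep -c 'limit.*burst'` over the whole ruleset, whereas the iptables branch checks IPv4 and IPv6 separately and consults `check_ipv6_is_enable`; a single IPv4-only rate-limit rule therefore satisfies the nftables path even when IPv6 is enabled and unprotected, and `IPV4_RET`/`IPV6_RET` keep their default of 1 without being reported. Mirroring the iptables logic by family — e.g. `nft list ruleset ip6` (or `inet`, which covers both) — and only setting `FNRET=10` when each enabled family has a `limit rate ... burst` rule would keep the two backends equivalent. The `FNRET=11` branch of apply() repeats `crit` instead of the warn-and-instruct form used for the iptables result; `warn "nftables is not set rules for protect DOS attacks! Need the administrator to manually add it."` would match the rest of the file. apply() continues outside the hunk.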


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9 Hardening
# harbian-audit for Debian GNU/Linux 9/10/11/12 Hardening
#
#
@ -10,27 +10,43 @@
# Add this feature:Author : Samson wen, Samson <sccxboy@gmail.com>
#
set -e # One error, it's over
#set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
IPS4=$(which iptables)
PACKAGE_NFT='nftables'
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $(${IPS4} -S | grep -c "\-P INPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P OUTPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P FORWARD DROP") -eq 0 ]; then
crit "Iptables: Firewall policy is not default deny!"
FNRET=1
is_pkg_installed $PACKAGE_NFT
if [ $FNRET != 0 ]; then
if [ $(${IPS4} -S | grep -c "\-P INPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P OUTPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P FORWARD DROP") -eq 0 ]; then
crit "Iptables: Firewall policy is not default deny!"
FNRET=1
else
ok "Iptables has set default deny for firewall policy!"
FNRET=0
fi
else
ok "Iptables has set default deny for firewall policy!"
FNRET=0
fi
if [ $(nft list chain ip filter INPUT 2>/dev/null | grep -c 'input.*policy drop') -eq 0 -o $(nft list chain ip filter OUTPUT 2>/dev/null | grep -c 'output.*policy drop') -eq 0 -o $(nft list chain ip filter FORWARD 2>/dev/null | grep -c 'forward.*policy drop') -eq 0 ]; then
crit "nftables: Firewall policy is not default deny!"
FNRET=11
else
ok "nftables has set default deny for firewall policy!"
FNRET=10
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
if [ $FNRET = 10 ]; then
ok "nftables has set default deny for firewall policy!"
elif [ $FNRET = 11 ]; then
warn "nftables is not set default deny for firewall policy! need the administrator to manually add it."
elif [ $FNRET = 0 ]; then
ok "Iptables has set default deny for firewall policy!"
else
warn "Iptables is not set default deny for firewall policy! need the administrator to manually add it. Howto set: iptables -P INPUT DROP; iptables -P OUTPUT DROP; iptables -P FORWARD DROP."
@ -41,7 +57,6 @@ apply () {
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
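Review bot: The nftables branch of audit() queries `nft list chain ip filter INPUT/OUTPUT/FORWARD`, which only exists in the iptables-nft compatibility layout (family `ip`, table `filter`, upper-case chain names); a native nftables firewall typically lives in `inet filter` with `input`/`output`/`forward` chains, so a host that does have `policy drop` on all three hooks is reported `crit "nftables: Firewall policy is not default deny!"` with `FNRET=11`. Matching on the hook rather than the chain name is layout-independent; as a first approximation the failing condition becomes `[ $(nft list ruleset 2>/dev/null | grep -Ec 'hook (input|output|forward) .*policy drop') -lt 3 ]` (one base chain per hook). The same `ip filter INPUT` assumption recurs in the loopback and open-ports checks later in this compare. The `-o` inside a single `[ ]` is deprecated in POSIX `test`; separate `[ ] || [ ]` tests are unambiguous.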


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9 Hardening
# harbian-audit for Debian GNU/Linux 9/10/11/12 Hardening
#
#
@ -19,61 +19,79 @@ INPUT_ACCEPT=1
OUTPUT_ACCEPT=1
INPUT_DENY=1
IP4VERSION="IPS4"
PACKAGE_NFT='nftables'
# This function will be called if the script status is on enabled / audit mode
audit () {
# Check the loopback interface to accept INPUT traffic.
ensure_lo_traffic_input_is_accept "$IP4VERSION"
if [ $FNRET = 0 ]; then
INPUT_ACCEPT=0
info "Iptables loopback traffic INPUT has configured!"
is_pkg_installed $PACKAGE_NFT
if [ $FNRET != 0 ]; then
# Check the loopback interface to accept INPUT traffic.
ensure_lo_traffic_input_is_accept "$IP4VERSION"
if [ $FNRET = 0 ]; then
INPUT_ACCEPT=0
info "Iptables loopback traffic INPUT has configured!"
else
INPUT_ACCEPT=1
info "Iptables: loopback traffic INPUT is not configured!"
fi
# Check the loopback interface to accept OUTPUT traffic.
ensure_lo_traffic_output_is_accept "$IP4VERSION"
if [ $FNRET = 0 ]; then
OUTPUT_ACCEPT=0
info "Iptables loopback traffic OUTPUT has configured!"
else
OUTPUT_ACCEPT=1
info "Iptables: loopback traffic OUTPUT is not configured!"
fi
# all other interfaces to deny traffic to the loopback network.
ensure_lo_traffic_other_if_input_is_deny "$IP4VERSION"
if [ $FNRET = 0 ]; then
INPUT_DENY=0
info "Iptables loopback traffic INPUT deny from other interfaces has configured!"
else
INPUT_DENY=1
info "Iptables: loopback traffic INPUT deny from other interfaces is not configured!"
fi
if [ $INPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq 0 -a $INPUT_DENY -eq 0 ]; then
ok "Loopback traffic rules are configured!"
else
crit "Loopback traffic rules are not configured!"
fi
else
INPUT_ACCEPT=1
info "Iptables: loopback traffic INPUT is not configured!"
fi
# Check the loopback interface to accept OUTPUT traffic.
ensure_lo_traffic_output_is_accept "$IP4VERSION"
if [ $FNRET = 0 ]; then
OUTPUT_ACCEPT=0
info "Iptables loopback traffic OUTPUT has configured!"
else
OUTPUT_ACCEPT=1
info "Iptables: loopback traffic OUTPUT is not configured!"
fi
# all other interfaces to deny traffic to the loopback network.
ensure_lo_traffic_other_if_input_is_deny "$IP4VERSION"
if [ $FNRET = 0 ]; then
INPUT_DENY=0
info "Iptables loopback traffic INPUT deny from other interfaces has configured!"
else
INPUT_DENY=1
info "Iptables: loopback traffic INPUT deny from other interfaces is not configured!"
fi
if [ $INPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq 0 -a $INPUT_DENY -eq 0 ]; then
ok "Loopback traffic rules are configured!"
else
crit "Loopback traffic rules are not configured!"
if [ $(nft list chain ip filter INPUT 2>/dev/null | grep -c 'lo.*accept') -gt 0 -a $(nft list chain ip filter OUTPUT 2>/dev/null | grep -c 'lo.*accept') -gt 0 -a $(nft list chain ip filter INPUT 2>/dev/null | grep -c 'saddr.*127.0.0.0/8.*drop') -gt 0 ]; then
ok "nftables loopback traffic INPUT/OUTPUT/deny-other-loopback-interfaces has configured!"
FNRET=10
else
crit "nftables loopback traffic INPUT/OUTPUT/deny-other-loopback-interfaces is not configured!"
FNRET=11
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $INPUT_ACCEPT = 0 ]; then
ok "Iptables loopback traffic INPUT has configured!"
if [ $FNRET = 10 ]; then
ok "nftables loopback traffic INPUT/OUTPUT/deny-other-loopback-interfaces has configured!"
elif [ $FNRET = 11 ]; then
warn "nftables loopback traffic INPUT/OUTPUT/deny-other-loopback-interfaces is not configured! Need the administrator to manually add it. "
else
warn "Iptables loopback traffic INPUT is not configured! need the administrator to manually add it. Howto set: iptables -A INPUT -i lo -j ACCEPT"
fi
if [ $INPUT_ACCEPT = 0 ]; then
ok "Iptables loopback traffic INPUT has configured!"
else
warn "Iptables loopback traffic INPUT is not configured! Need the administrator to manually add it. Howto set: iptables -A INPUT -i lo -j ACCEPT"
fi
if [ $OUTPUT_ACCEPT = 0 ]; then
ok "Iptables loopback traffic OUTPUT has configured!"
else
warn "Iptables loopback traffic OUTPUT is not configured! need the administrator to manually add it. Howto set: iptables -A OUTPUT -o lo -j ACCEPT"
fi
if [ $OUTPUT_ACCEPT = 0 ]; then
ok "Iptables loopback traffic OUTPUT has configured!"
else
warn "Iptables loopback traffic OUTPUT is not configured! Need the administrator to manually add it. Howto set: iptables -A OUTPUT -o lo -j ACCEPT"
fi
if [ $INPUT_DENY = 0 ]; then
ok "Iptables loopback traffic INPUT deny from other interfaces has configured!"
else
warn "Iptables loopback traffic INPUT deny from 127.0.0.0/8 is not configured! need the administrator to manually add it. Howto set: iptables -A INPUT -s 127.0.0.0/8 -j DROP"
if [ $INPUT_DENY = 0 ]; then
ok "Iptables loopback traffic INPUT deny from other interfaces has configured!"
else
warn "Iptables loopback traffic INPUT deny from 127.0.0.0/8 is not configured! Need the administrator to manually add it. Howto set: iptables -A INPUT -s 127.0.0.0/8 -j DROP"
fi
fi
}
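Review bot: The three nftables patterns in the new audit() branch are loose substring matches: `lo.*accept` on the INPUT chain also matches a negated rule such as `iifname != "lo" ... accept` or any rule whose comment contains 'lo', and `saddr.*127.0.0.0/8.*drop` matches regardless of which interface the rule is bound to. nft prints the loopback rules as `iifname "lo" accept` / `oifname "lo" accept`, so `grep -Ec 'iif(name)? "lo" accept'` for INPUT and `grep -Ec 'oif(name)? "lo" accept'` for OUTPUT pin the intended rules; the `saddr` pattern can stay but should at least escape its dots. In apply(), the `else` branch that re-reports the iptables state relies on FNRET not being 10 or 11 after the iptables audit, yet that path never sets FNRET itself and inherits whatever the last `ensure_lo_traffic_*` helper left; setting FNRET explicitly next to the final `ok`/`crit` of the iptables path (0/1) removes the coincidence.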


@ -1,27 +1,33 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9 Hardening
# harbian-audit for Debian GNU/Linux 9/10/11/12 Hardening
#
#
# 7.7.4.3 Ensure default deny firewall policy (Scored)
# For ipv4
# 7.7.4.3 Ensure firewall rules exist for all open ports (Scored)
# Add this feature:Author : Samson wen, Samson <sccxboy@gmail.com>
#
set -e # One error, it's over
#set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
IPS4=$(which iptables)
PACKAGE_NFT='nftables'
NETLISTENLIST="/dev/shm/7.7.4.3"
PROTO_PORT="/dev/shm/proto_port_pair"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE_NFT
if [ $FNRET != 0 ]; then
ISNFTABLES=1
else
ISNFTABLES=0
fi
# For ipv4
rm -f $NETLISTENLIST
rm -f $PROTO_PORT
@ -30,18 +36,36 @@ audit () {
do
PROTO_TYPE=$(echo ${LISTENING} | awk '{print $1}')
LISTEN_PORT=$(echo ${LISTENING} | awk '{print $4}' | awk -F: '{print $2}')
if [ $($IPS4 -S | grep "^\-A INPUT \-p $PROTO_TYPE" | grep -c "\-\-dport $LISTEN_PORT \-m state \-\-state NEW \-j ACCEPT") -ge 1 ]; then
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set firewall rules."
else
echo "${PROTO_TYPE} ${LISTEN_PORT}" >> $PROTO_PORT
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules."
if [ $ISNFTABLES = 1 ]; then
if [ $($IPS4 -S | grep "^\-A INPUT \-p $PROTO_TYPE" | grep -c "\-\-dport $LISTEN_PORT \-m state \-\-state NEW \-j ACCEPT") -ge 1 ]; then
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set firewall rules."
else
echo "${PROTO_TYPE} ${LISTEN_PORT}" >> $PROTO_PORT
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules."
fi
else
if [ $(nft list chain ip filter INPUT 2>/dev/null | grep -c "dport.*$LISTEN_PORT.*new.*accept") -ge 1 ]; then
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set firewall(nft) rules."
else
echo "${PROTO_TYPE} ${LISTEN_PORT}" >> $PROTO_PORT
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall(nft) rules."
fi
fi
done
rm -f $NETLISTENLIST
if [ -f $PROTO_PORT ]; then
crit "Iptables is not set firewall rules exist for all open ports!"
if [ $ISNFTABLES = 1 ]; then
if [ -f $PROTO_PORT ]; then
crit "Iptables is not set firewall rules exist for all open ports!"
else
ok "Iptables has set firewall rules exist for all open ports!"
fi
else
ok "Iptables has set firewall rules exist for all open ports!"
if [ -f $PROTO_PORT ]; then
crit "Nftables is not set firewall rules exist for all open ports!"
else
ok "Nftables has set firewall rules exist for all open ports!"
fi
fi
}
@ -52,11 +76,19 @@ apply () {
do
PROTO_TYPE=$(echo ${NOSETPAIR} | awk '{print $1}')
LISTEN_PORT=$(echo ${NOSETPAIR} | awk '{print $2}')
warn "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules, need the administrator to manually add it. Howto set: iptables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT"
if [ $ISNFTABLES = 1 ]; then
warn "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules, need the administrator to manually add it. Howto set: iptables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT"
else
warn "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules, need the administrator to manually add it. "
fi
done
rm -f $PROTO_PORT
else
ok "Iptables has set firewall rules exist for all open ports!"
if [ $ISNFTABLES = 1 ]; then
ok "Iptables has set firewall rules exist for all open ports!"
else
ok "Nftables has set firewall rules exist for all open ports!"
fi
fi
}


@ -1,16 +1,15 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9 Hardening
# harbian-audit for Debian GNU/Linux 9/10/11/12 Hardening
#
#
# 7.7.4.4 Ensure outbound and established connections are configured (Not Scored)
# For ipv4
# Add this feature:Author : Samson wen, Samson <sccxboy@gmail.com>
#
set -e # One error, it's over
#set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
@ -20,52 +19,72 @@ RET_VALUE2=1
PROTOCOL_LIST="tcp udp icmp"
IP4VERSION="IPS4"
PACKAGE_NFT='nftables'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE_NFT
if [ $FNRET != 0 ]; then
IS_NFT=1
else
IS_NFT=0
fi
for protocol in $PROTOCOL_LIST
do
# Check INPUT with ESTABLISHED is config
check_input_with_established_is_accept "${protocol}" "$IP4VERSION"
if [ $FNRET = 0 ]; then
RET_VALUE1=0
info "Portocol $protocol INPUT is conf"
if [ $IS_NFT = 1 ]; then
# Check INPUT with ESTABLISHED is config
check_input_with_established_is_accept "${protocol}" "$IP4VERSION"
if [ $FNRET = 0 ]; then
RET_VALUE1=0
info "Portocol $protocol INPUT is conf"
else
RET_VALUE1=1
info "Portocol $protocol INPUT is not conf"
break
fi
# Check outbound is config
check_outbound_connect_is_accept "${protocol}" "$IP4VERSION"
if [ $FNRET = 0 ]; then
RET_VALUE2=0
info "Portocol $protocol outbound is conf"
else
RET_VALUE2=1
info "Portocol $protocol outbound is not conf"
break
fi
else
RET_VALUE1=1
info "Portocol $protocol INPUT is not conf"
fi
# Check outbound is config
check_outbound_connect_is_accept "${protocol}" "$IP4VERSION"
if [ $FNRET = 0 ]; then
RET_VALUE2=0
info "Portocol $protocol outbound is conf"
else
RET_VALUE2=1
info "Portocol $protocol outbound is not conf"
if [ $(nft list chain ip filter INPUT 2>/dev/null | grep -c "${protocol}.*established.*accept") -ge 1 -a $(nft list chain ip filter OUTPUT 2>/dev/null | grep -c "${protocol}.*established.*accept") -ge 1 ]; then
ok "Portocol $protocol INPUT was conf(nft). Outbound and established connections are configured!"
FNRET=10
else
crit "Portocol $protocol INPUT is not conf(nft). Outbound and established connections are not configured!"
FNRET=11
fi
return
fi
done
if [ $RET_VALUE1 -eq 0 -a $RET_VALUE2 -eq 0 ]; then
ok "Outbound and established connections are configured!"
FNRET=0
else
crit "Outbound and established connections are not configured!"
FNRET=1
fi
}
# This function will be called if the script status is on enabled mode
apply () {
for protocol in $PROTOCOL_LIST
do
# Apply INPUT with ESTABLISHED
check_input_with_established_is_accept "${protocol}" $IP4VERSION
if [ $FNRET = 1 ]; then
warn "Portocol $protocol INPUT is not set, need the administrator to manually add it. Howto apply: iptables -A INPUT -p $protocol -m state --state ESTABLISHED -j ACCEPT"
fi
# Apply outbound
check_outbound_connect_is_accept "${protocol}" $IP4VERSION
if [ $FNRET = 1 ]; then
warn "Portocol $protocol outbound is not set, need the administrator to manually add it. Howto apply: iptables -A OUTPUT -p $protocol -m state --state NEW,ESTABLISHED -j ACCEPT"
fi
done
if [ $FNRET = 0 ]; then
ok "Portocol $protocol INPUT was conf. Outbound and established connections are configured!"
elif [ $FNRET = 11 ]; then
warn "Portocol $protocol INPUT is not conf(nft). Outbound and established connections are not configured!"
elif [ $FNRET = 10 ]; then
ok "Portocol $protocol INPUT was conf(nft). Outbound and established connections are configured!"
elif [ $FNRET = 1 ]; then
warn "Portocol $protocol INPUT is not conf(nft). Outbound and established connections are not configured!"
else
:
fi
}
# This function will check config parameters required
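Review bot: In apply(), the `elif [ $FNRET = 1 ]` branch prints the "(nft)" wording although FNRET=1 is the value audit() assigns on the iptables path, so that message should read `warn "Portocol $protocol INPUT is not conf. Outbound and established connections are not configured!"` without the nft tag. The same block now references `$protocol` after its own for loop was removed, so it only resolves because the variable leaks out of audit()'s loop; under `set -u` apply() would abort if run on its own, and the protocol it prints is merely the last one iterated, so either drop it from these messages or record the failing protocol explicitly. On the nft path audit() executes `return` after the first protocol, so only the first entry of PROTOCOL_LIST is ever checked there, whereas the iptables path loops over all of them. The flag also reads backwards if is_pkg_installed follows the library convention of FNRET=0 for installed: IS_NFT=1 means the nftables package is absent and selects the iptables helpers, which a name such as `USE_IPTABLES` would make explicit. The ipv6 outbound/established script further down repeats all four points.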


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9 Hardening
# harbian-audit for Debian GNU/Linux 9/10/11/12 Hardening
#
#
@ -10,25 +10,37 @@
# Add this feature:Author : Samson wen, Samson <sccxboy@gmail.com>
#
set -e # One error, it's over
#set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
IPS6=$(which ip6tables)
IPV6_ENABLE=1
PACKAGE_NFT='nftables'
# This function will be called if the script status is on enabled / audit mode
audit () {
check_ipv6_is_enable
IPV6_ENABLE=$FNRET
if [ $IPV6_ENABLE -eq 0 ]; then
if [ $(${IPS6} -S | grep -c "\-P INPUT DROP") -eq 0 -o $(${IPS6} -S | grep -c "\-P OUTPUT DROP") -eq 0 -o $(${IPS6} -S | grep -c "\-P FORWARD DROP") -eq 0 ]; then
crit "Ip6tables: Firewall policy is not default deny!"
FNRET=1
is_pkg_installed $PACKAGE_NFT
if [ $FNRET != 0 ]; then
if [ $(${IPS6} -S | grep -c "\-P INPUT DROP") -eq 0 -o $(${IPS6} -S | grep -c "\-P OUTPUT DROP") -eq 0 -o $(${IPS6} -S | grep -c "\-P FORWARD DROP") -eq 0 ]; then
crit "Ip6tables: Firewall policy is not default deny!"
FNRET=1
else
ok "Ip6tables has set default deny for firewall policy!"
FNRET=0
fi
else
ok "Ip6tables has set default deny for firewall policy!"
FNRET=0
if [ $(nft list chain ip6 filter INPUT 2>/dev/null | grep -c 'input.*policy.*drop') -eq 0 -o $(nft list chain ip6 filter OUTPUT 2>/dev/null | grep -c 'output.*policy.*drop') -eq 0 -o $(nft list chain ip6 filter FORWARD 2>/dev/null | grep -c 'forward.*policy.*drop') -eq 0 ]; then
crit "nftables's ipv6: Firewall policy is not default deny!"
FNRET=11
else
ok "nftables's ipv6 has set default deny for firewall policy!"
FNRET=10
fi
fi
else
ok "Ipv6 has set disabled, so pass."
@ -41,8 +53,12 @@ apply () {
if [ $IPV6_ENABLE -eq 0 ]; then
if [ $FNRET = 0 ]; then
ok "Ip6tables has set default deny for firewall policy!"
else
elif [ $FNRET = 1 ]; then
warn "Ip6tables is not set default deny for firewall policy! need the administrator to manually add it. Howto set: ip6tables -P INPUT DROP; ip6tables -P OUTPUT DROP; ip6tables -P FORWARD DROP."
elif [ $FNRET = 10 ]; then
ok "nftables's ipv6 has set default deny for firewall policy!"
elif [ $FNRET = 11 ]; then
warn "nftables's ipv6: Firewall policy is not default deny!"
fi
else
ok "Ipv6 has set disabled, so pass."
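Review bot: The nft branch of audit() only inspects `ip6 filter INPUT/OUTPUT/FORWARD`, i.e. the table and upper-case chain names that iptables-nft creates; a ruleset written natively for nft (commonly `table inet filter` with lower-case `input`/`output`/`forward` chains, as in Debian's stock nftables.conf) is not listed at all, the error is hidden by `2>/dev/null`, and the host is reported as not default-deny. Consider inspecting the whole ruleset instead, e.g. `nft list ruleset 2>/dev/null | grep -c 'hook input.*policy drop'`, or at minimum state the assumption in a comment such as `# only iptables-nft style tables (ip6 filter INPUT) are recognised here`. The same assumption is made by every other nft check in this series (loopback, open ports, outbound/established, ipv4 and ipv6). Joining the three tests with `-o` inside one `[ ... ]` is deprecated by POSIX; chaining separate `[ ... ] ||` tests is unambiguous and lets each count stand on its own. audit() and apply() both continue outside the hunks.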


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9 Hardening
# harbian-audit for Debian GNU/Linux 9/10/11/12 Hardening
#
#
@ -10,7 +10,7 @@
# Add this feature:Author : Samson wen, Samson <sccxboy@gmail.com>
#
set -e # One error, it's over
#set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
@ -20,45 +20,57 @@ OUTPUT_ACCEPT=1
INPUT_DENY=1
IP6VERSION="IPS6"
IPV6_ENABLE=1
PACKAGE_NFT='nftables'
# This function will be called if the script status is on enabled / audit mode
audit () {
check_ipv6_is_enable
IPV6_ENABLE=$FNRET
if [ $IPV6_ENABLE -eq 0 ]; then
# Check the loopback interface to accept INPUT traffic.
ensure_lo_traffic_input_is_accept $IP6VERSION
if [ $FNRET = 0 ]; then
INPUT_ACCEPT=0
info "Ip6tables loopback traffic INPUT has configured!"
else
INPUT_ACCEPT=1
info "Ip6tables: loopback traffic INPUT is not configured!"
fi
# Check the loopback interface to accept OUTPUT traffic.
ensure_lo_traffic_output_is_accept $IP6VERSION
if [ $FNRET = 0 ]; then
OUTPUT_ACCEPT=0
info "Ip6tables loopback traffic OUTPUT has configured!"
else
OUTPUT_ACCEPT=1
info "Ip6tables: loopback traffic OUTPUT is not configured!"
fi
# all other interfaces to deny traffic to the loopback network.
ensure_lo_traffic_other_if_input_is_deny $IP6VERSION
if [ $FNRET = 0 ]; then
INPUT_DENY=0
info "Ip6tables loopback traffic INPUT deny from other interfaces has configured!"
else
INPUT_DENY=1
info "Ip6tables: loopback traffic INPUT deny from other interfaces is not configured!"
fi
is_pkg_installed $PACKAGE_NFT
if [ $FNRET != 0 ]; then
# Check the loopback interface to accept INPUT traffic.
ensure_lo_traffic_input_is_accept $IP6VERSION
if [ $FNRET = 0 ]; then
INPUT_ACCEPT=0
info "Ip6tables loopback traffic INPUT has configured!"
else
INPUT_ACCEPT=1
info "Ip6tables: loopback traffic INPUT is not configured!"
fi
# Check the loopback interface to accept OUTPUT traffic.
ensure_lo_traffic_output_is_accept $IP6VERSION
if [ $FNRET = 0 ]; then
OUTPUT_ACCEPT=0
info "Ip6tables loopback traffic OUTPUT has configured!"
else
OUTPUT_ACCEPT=1
info "Ip6tables: loopback traffic OUTPUT is not configured!"
fi
# all other interfaces to deny traffic to the loopback network.
ensure_lo_traffic_other_if_input_is_deny $IP6VERSION
if [ $FNRET = 0 ]; then
INPUT_DENY=0
info "Ip6tables loopback traffic INPUT deny from other interfaces has configured!"
else
INPUT_DENY=1
info "Ip6tables: loopback traffic INPUT deny from other interfaces is not configured!"
fi
if [ $INPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq 0 ]; then
ok "Loopback traffic rules were configured for v6!"
else
crit "Loopback traffic rules are not configured for v6!"
fi
if [ $INPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq 0 ]; then
ok "Loopback traffic rules were configured for v6!"
else
crit "Loopback traffic rules are not configured for v6!"
fi
else
if [ $(nft list chain ip6 filter INPUT 2>/dev/null | grep -c 'lo.*accept') -gt 0 -a $(nft list chain ip6 filter OUTPUT 2>/dev/null | grep -c 'lo.*accept') -gt 0 -a $(nft list chain ip6 filter INPUT 2>/dev/null | grep -c 'saddr.*fe80::/64.*drop') -gt 0 ]; then
ok "nftables's ipv6 loopback traffic INPUT/OUTPUT/deny-other-loopback-interfaces has configured!"
FNRET=10
else
crit "nftables's ipv6 loopback traffic INPUT/OUTPUT/deny-other-loopback-interfaces is not configured!"
FNRET=11
fi
fi
else
ok "Ipv6 has set disabled, so pass."
fi
@ -67,22 +79,28 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $IPV6_ENABLE -eq 0 ]; then
if [ $INPUT_ACCEPT = 0 ]; then
ok "Ip6tables loopback traffic INPUT has configured!"
else
warn "Ip6tables loopback traffic INPUT is not configured! need the administrator to manually add it. Howto set: ip6tables -A INPUT -i lo -j ACCEPT"
fi
if [ $FNRET = 10 ]; then
ok "nftables's ipv6 loopback traffic INPUT/OUTPUT/deny-other-loopback-interfaces has configured!"
elif [ $FNRET = 11 ]; then
warn "nftables's ipv6 loopback traffic INPUT/OUTPUT/deny-other-loopback-interfaces is not configured!"
else
if [ $INPUT_ACCEPT = 0 ]; then
ok "Ip6tables loopback traffic INPUT has configured!"
else
warn "Ip6tables loopback traffic INPUT is not configured! need the administrator to manually add it. Howto set: ip6tables -A INPUT -i lo -j ACCEPT"
fi
if [ $OUTPUT_ACCEPT = 0 ]; then
ok "Ip6tables loopback traffic OUTPUT has configured!"
else
warn "Ip6tables loopback traffic OUTPUT is not configured! need the administrator to manually add it. Howto set: ip6tables -A OUTPUT -o lo -j ACCEPT"
fi
if [ $OUTPUT_ACCEPT = 0 ]; then
ok "Ip6tables loopback traffic OUTPUT has configured!"
else
warn "Ip6tables loopback traffic OUTPUT is not configured! need the administrator to manually add it. Howto set: ip6tables -A OUTPUT -o lo -j ACCEPT"
fi
if [ $INPUT_DENY = 0 ]; then
ok "Ip6tables loopback traffic INPUT deny from other interfaces has configured!"
else
warn "Ip6tables loopback traffic INPUT deny from 127.0.0.0/8 is not configured! need the administrator to manually add it. Howto set: ip6tables -A INPUT -s ::1 -j DROP"
if [ $INPUT_DENY = 0 ]; then
ok "Ip6tables loopback traffic INPUT deny from other interfaces has configured!"
else
warn "Ip6tables loopback traffic INPUT deny from 127.0.0.0/8 is not configured! need the administrator to manually add it. Howto set: ip6tables -A INPUT -s ::1 -j DROP"
fi
fi
else
ok "Ipv6 has set disabled, so pass."
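Review bot: The summary condition `[ $INPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq 0 ]` tests OUTPUT_ACCEPT twice and never tests INPUT_DENY, so a missing deny-from-other-interfaces rule still yields "Loopback traffic rules were configured for v6!"; the commit moved the line without fixing it, and it should be `if [ $INPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq 0 -a $INPUT_DENY -eq 0 ]; then`. The nft branch greps for `saddr.*fe80::/64.*drop`, whereas the iptables path and the apply() hint `ip6tables -A INPUT -s ::1 -j DROP` look at the loopback address; fe80::/64 is link-local, so the two backends are auditing different rules, and presumably the nft pattern should look for `::1` too. The INPUT_DENY warning in apply() still says "127.0.0.0/8" in an IPv6 script; `::1` would match the hint that follows it. audit() and apply() continue outside the hunks.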


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9 Hardening
# harbian-audit for Debian GNU/Linux 9/10/11/12 Hardening
#
#
@ -10,19 +10,26 @@
# Add this feature:Author : Samson wen, Samson <sccxboy@gmail.com>
#
set -e # One error, it's over
#set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
IPS6=$(which ip6tables)
IPV6_ENABLE=1
PACKAGE_NFT='nftables'
NETLISTENLIST="/dev/shm/7.7.5.3"
PROTO_PORT="/dev/shm/proto_port_pair_v6"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE_NFT
if [ $FNRET != 0 ]; then
ISNFTABLES=1
else
ISNFTABLES=0
fi
rm -f $NETLISTENLIST
rm -f $PROTO_PORT
check_ipv6_is_enable
@ -40,18 +47,35 @@ audit () {
PROTO_TYPE="udp"
fi
LISTEN_PORT=$(echo ${LISTENING} | awk '{print $4}' | awk -F: '{print $NF}')
if [ $($IPS6 -S | grep "^\-A INPUT \-p $PROTO_TYPE" | grep -c "\-\-dport $LISTEN_PORT \-m state \-\-state NEW \-j ACCEPT") -ge 1 ]; then
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set ipv6 firewall rules."
else
echo "${PROTO_TYPE} ${LISTEN_PORT}" >> $PROTO_PORT
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set ipv6 firewall rules."
if [ $ISNFTABLES = 1 ]; then
if [ $($IPS6 -S 2>/dev/null | grep "^\-A INPUT \-p $PROTO_TYPE" | grep -c "\-\-dport $LISTEN_PORT \-m state \-\-state NEW \-j ACCEPT") -ge 1 ]; then
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set ipv6 firewall rules."
else
echo "${PROTO_TYPE} ${LISTEN_PORT}" >> $PROTO_PORT
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set ipv6 firewall rules."
fi
else
if [ $(nft list chain ip6 filter INPUT 2>/dev/null | grep -c "dport.*$LISTEN_PORT.*new.*accept") -ge 1 ]; then
info "Service(nft): protocol $PROTO_TYPE listening port $LISTEN_PORT was set firewall(nft) rules."
else
echo "${PROTO_TYPE} ${LISTEN_PORT}" >> $PROTO_PORT
info "Service(nft): protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall(nft) rules."
fi
fi
done
rm -f $NETLISTENLIST
if [ -f $PROTO_PORT ]; then
crit "Ip6tables is not set firewall rules exist for all open ports!"
if [ $ISNFTABLES = 1 ]; then
if [ -f $PROTO_PORT ]; then
crit "Ip6tables is not set firewall rules exist for all open ports!"
else
ok "Ip6tables has set firewall rules exist for all open ports!"
fi
else
ok "Ip6tables has set firewall rules exist for all open ports!"
if [ -f $PROTO_PORT ]; then
crit "Nftables is not set firewall rules exist for all open ports!"
else
ok "Nftables has set firewall rules exist for all open ports!"
fi
fi
else
ok "Ipv6 has set disabled, so pass."
@ -66,11 +90,19 @@ apply () {
do
PROTO_TYPE=$(echo ${NOSETPAIR} | awk '{print $1}')
LISTEN_PORT=$(echo ${NOSETPAIR} | awk '{print $2}')
warn "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules, need the administrator to manually add it. Howto set: ip6tables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT"
if [ $ISNFTABLES = 1 ]; then
warn "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules, need the administrator to manually add it. Howto set: ip6tables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT"
else
warn "Nftables Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules, need the administrator to manually add it. "
fi
done
rm -f $PROTO_PORT
else
ok "Ip6tables has set firewall rules exist for all open ports!"
if [ $ISNFTABLES = 1 ]; then
ok "Ip6tables has set firewall rules exist for all open ports!"
else
ok "Nftables'ip6 has set firewall rules exist for all open ports!"
fi
fi
else
ok "Ipv6 has set disabled, so pass."
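Review bot: The nft port check `grep -c "dport.*$LISTEN_PORT.*new.*accept"` is unanchored, so a listener on port 22 is satisfied by a rule for 2222 or 1220, and PROTO_TYPE is not part of the pattern, so a udp rule satisfies a tcp listener; the ip6tables branch just above it matches both the protocol and the exact port. Something like `grep -c "$PROTO_TYPE dport $LISTEN_PORT .*new.*accept"` would align the two, though the exact `nft list chain` output format should be confirmed on a target release before relying on the trailing space. The ipv4 open-ports script earlier in this commit uses the same loose pattern. ISNFTABLES=1 is assigned when is_pkg_installed reports the package missing and then selects the ip6tables path, which reads backwards; a comment such as `# ISNFTABLES=1: nftables package absent, fall back to ip6tables` would help until the variable is renamed. audit() and apply() continue outside the hunks.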


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9 Hardening
# harbian-audit for Debian GNU/Linux 9/10/11/12 Hardening
#
#
@ -10,7 +10,7 @@
# Add this feature:Author : Samson wen, Samson <sccxboy@gmail.com>
#
set -e # One error, it's over
#set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
@ -21,38 +21,58 @@ IPV6_ENABLE=1
RET_VALUE1=1
RET_VALUE2=1
PACKAGE_NFT='nftables'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE_NFT
if [ $FNRET != 0 ]; then
IS_NFT=1
else
IS_NFT=0
fi
check_ipv6_is_enable
IPV6_ENABLE=$FNRET
if [ $IPV6_ENABLE -eq 0 ]; then
for protocol in $PROTOCOL_LIST
do
# Check INPUT with ESTABLISHED is config
check_input_with_established_is_accept "${protocol}" "$IP6VERSION"
if [ $FNRET = 0 ]; then
RET_VALUE1=0
info "Portocol $protocol INPUT is conf"
if [ $IS_NFT = 1 ]; then
# Check INPUT with ESTABLISHED is config
check_input_with_established_is_accept "${protocol}" "$IP6VERSION"
if [ $FNRET = 0 ]; then
RET_VALUE1=0
info "Portocol $protocol INPUT is conf"
else
RET_VALUE1=1
info "Portocol $protocol INPUT is not conf"
fi
# Check outbound is config
check_outbound_connect_is_accept "${protocol}" $IP6VERSION
if [ $FNRET = 0 ]; then
RET_VALUE2=0
info "Portocol $protocol outbound is conf"
else
RET_VALUE2=1
info "Portocol $protocol outbound is not conf"
fi
else
RET_VALUE1=1
info "Portocol $protocol INPUT is not conf"
fi
# Check outbound is config
check_outbound_connect_is_accept "${protocol}" $IP6VERSION
if [ $FNRET = 0 ]; then
RET_VALUE2=0
info "Portocol $protocol outbound is conf"
else
RET_VALUE2=1
info "Portocol $protocol outbound is not conf"
if [ $(nft list chain ip6 filter INPUT 2>/dev/null | grep -c "${protocol}.*established.*accept") -ge 1 -a $(nft list chain ip6 filter OUTPUT 2>/dev/null | grep -c "${protocol}.*established.*accept") -ge 1 ]; then
ok "Nftables's ipv6 Portocol $protocol INPUT was conf(nft). Outbound and established connections are configured!"
FNRET=10
else
crit "Nftables's ipv6 Portocol $protocol INPUT is not conf(nft). Outbound and established connections are not configured!"
FNRET=11
fi
return
fi
done
if [ $RET_VALUE1 -eq 0 -a $RET_VALUE2 -eq 0 ]; then
ok "Outbound and established connections are configured for v6."
FNRET=0
else
crit "Outbound and established connections are not configured for v6."
FNRET=1
fi
else
ok "Ipv6 has set disabled, so pass."
@ -62,19 +82,15 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $IPV6_ENABLE -eq 0 ]; then
for protocol in $PROTOCOL_LIST
do
# Apply INPUT with ESTABLISHED
check_input_with_established_is_accept "${protocol}" "$IP6VERSION"
if [ $FNRET = 1 ]; then
warn "Portocol $protocol INPUT is not set, need the administrator to manually add it. Howto apply: ip6tables -A INPUT -p $protocol -m state --state ESTABLISHED -j ACCEPT"
fi
# Apply outbound
check_outbound_connect_is_accept "${protocol}" "$IP6VERSION"
if [ $FNRET = 1 ]; then
warn "Portocol $protocol outbound is not set, need the administrator to manually add it. Howto apply: ip6tables -A OUTPUT -p $protocol -m state --state NEW,ESTABLISHED -j ACCEPT"
fi
done
if [ $FNRET = 0 ]; then
ok "Portocol $protocol INPUT was conf. Outbound and established connections are configured!"
elif [ $FNRET = 11 ]; then
warn "Nftables's ipv6 Portocol $protocol INPUT is not conf(nft). Outbound and established connections are not configured!"
elif [ $FNRET = 10 ]; then
ok "Portocol $protocol INPUT was conf(nft). Outbound and established connections are configured!"
elif [ $FNRET = 1 ]; then
warn "Nftables's ipv6 Portocol $protocol INPUT is not conf(nft). Outbound and established connections are not configured!"
fi
else
ok "Ipv6 has set disabled, so pass."
fi


@ -15,7 +15,6 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
PACKAGE='audispd-plugins'
FILE='/etc/audisp/audisp-remote.conf'
PATTERN='remote_server'
# This function will be called if the script status is on enabled / audit mode
@ -59,7 +58,12 @@ apply () {
# This function will check config parameters required
check_config() {
:
#Ubuntu
if [ $OS_RELEASE -eq 3 ]; then
FILE='/etc/audit/audisp-remote.conf'
else
FILE='/etc/audisp/audisp-remote.conf'
fi
}
# Source Root Dir Parameter
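Review bot: check_config() keeps the leading `:` no-op now that it has a real body, and the four audisp-remote scripts in this commit (remote_server, enable_krb5, disk_full_action, network_failure_action) each carry an identical copy of the OS_RELEASE branch; a single library helper that sets FILE to the audisp-remote.conf location would keep that path in one place. Because the top-level `FILE=` assignment was removed, FILE is only defined once check_config() has run, and with `set -u` any path that reaches audit() or apply() first aborts on an unbound variable; presumably the framework always calls check_config() before them, but a comment such as `# FILE is assigned here rather than at top level because its path depends on OS_RELEASE` would make that dependency visible. The literal `3` should be explained where it is tested, e.g. `if [ $OS_RELEASE -eq 3 ]; then  # 3 == Ubuntu`, folding in the `#Ubuntu` line above it.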


@ -15,7 +15,6 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
PACKAGE='audispd-plugins'
FILE='/etc/audisp/audisp-remote.conf'
PATTERN='enable_krb5'
SETVALUE='yes'
@ -68,7 +67,12 @@ apply () {
# This function will check config parameters required
check_config() {
:
#Ubuntu
if [ $OS_RELEASE -eq 3 ]; then
FILE='/etc/audit/audisp-remote.conf'
else
FILE='/etc/audisp/audisp-remote.conf'
fi
}
# Source Root Dir Parameter


@ -15,7 +15,6 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
PACKAGE='audispd-plugins'
FILE='/etc/audisp/audisp-remote.conf'
PATTERN='disk_full_action'
SETVALUE='syslog'
@ -70,7 +69,12 @@ apply () {
# This function will check config parameters required
check_config() {
:
#Ubuntu
if [ $OS_RELEASE -eq 3 ]; then
FILE='/etc/audit/audisp-remote.conf'
else
FILE='/etc/audisp/audisp-remote.conf'
fi
}
# Source Root Dir Parameter


@ -15,7 +15,6 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
PACKAGE='audispd-plugins'
FILE='/etc/audisp/audisp-remote.conf'
PATTERN='network_failure_action'
SETVALUE='syslog'
@ -70,7 +69,12 @@ apply () {
# This function will check config parameters required
check_config() {
:
#Ubuntu
if [ $OS_RELEASE -eq 3 ]; then
FILE='/etc/audit/audisp-remote.conf'
else
FILE='/etc/audisp/audisp-remote.conf'
fi
}
# Source Root Dir Parameter


@ -6,6 +6,7 @@
#
# 8.1.1.9 Set space left for auditd service (Scored)
# If the value of the "space_left" keyword is set to more than 25 percent of the total partition size, this is a finding.
# Author : Samson wen, Samson <sccxboy@gmail.com>
#
@ -34,7 +35,7 @@ audit () {
FNRET=3
else
SETSIZE=$(grep "^space_left.=.*" $FILE | awk '{printf $3}')
if [ "${SETSIZE}" -lt "${LEFTSIZE}" ]; then
if [ "${SETSIZE}" -gt "${LEFTSIZE}" ]; then
crit "Space left value: ${SETSIZE} is more than audit log filesystem 25%"
FNRET=4
else
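Review bot: The corrected `[ "${SETSIZE}" -gt "${LEFTSIZE}" ]` is right for the plain-integer case, but SETSIZE comes straight from `awk '{printf $3}'` and is never validated; recent auditd versions also accept `space_left` as a percentage (e.g. `25%`), and an empty or non-integer value makes `[` fail with "integer expression expected", after which the if statement falls through to the else branch and the item is presumably reported as compliant. A guard before the comparison, e.g. `case "$SETSIZE" in ''|*[!0-9]*) crit "space_left value '$SETSIZE' is not a plain integer, cannot compare with ${LEFTSIZE}"; FNRET=4 ;; esac`, closes that gap and makes the unsupported percentage form visible to the operator. The enclosing audit() runs outside the hunk.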


@ -14,15 +14,6 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
@ -38,11 +29,17 @@ audit () {
fi
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
ok "$AUDIT_VALUE is present in $FILE"
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
@ -54,13 +51,19 @@ apply () {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
@ -68,7 +71,27 @@ apply () {
# This function will check config parameters required
check_config() {
:
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k perm_mod'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k perm_mod'
else
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
fi
}
# Source Root Dir Parameter
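Review bot: `check_audit_path $AUDIT_VALUE` passes the rule unquoted and only arrives as a single argument because IFS is set to a newline earlier in the loop; the very next call quotes it (`does_pattern_exist_in_file $FILE "$AUDIT_VALUE"`), so `check_audit_path "$AUDIT_VALUE"` is the consistent form and survives a change to IFS. The warning text has a typo and should read `warn "path does not exist! Please check that the file path exists!"`, and the `continue` followed by `else` is redundant, since the early exit already lets the else body stand on its own. In check_config() the two multi-line rule sets are verbatim copies of the deleted top-level values plus a variant without the auid filters; defining the suffix once (e.g. `UID_FILTER='-F auid>=1000 -F auid!=4294967295'` when DONT_AUDITD_BY_UID is 0, empty otherwise) and composing each rule from it would remove the duplication and keep the two variants from drifting. The access, mounts and delete scripts in this commit, and the cut-off last file section, repeat the same pattern. audit() and apply() continue outside the hunks.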


@ -14,12 +14,6 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
@ -65,7 +59,21 @@ apply () {
# This function will check config parameters required
check_config() {
:
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -k access'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -k access'
else
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
fi
}
# Source Root Dir Parameter


@ -5,7 +5,7 @@
#
#
# 8.1.31 Collect the execution of privileged functions Events (Scored)
# 8.1.12 Collect the execution of privileged functions Events (Scored)
# Author: Samson-W (sccxboy@gmail.com)
#


@ -14,10 +14,6 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
@ -63,7 +59,15 @@ apply () {
# This function will check config parameters required
check_config() {
:
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -k mounts
-a always,exit -F arch=b32 -S mount -k mounts'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S mount -k mounts'
else
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
fi
}
# Source Root Dir Parameter


@ -14,9 +14,6 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
@ -63,7 +60,15 @@ apply () {
# This function will check config parameters required
check_config() {
:
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -k delete'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -k delete'
else
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete'
fi
}
# Source Root Dir Parameter


@ -24,11 +24,17 @@ audit () {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
@ -40,13 +46,19 @@ apply () {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
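Review bot: The new `warn "path is not exsit! Please check file path is exist!"` at L4911 and L4936 does not say which rule was skipped, so after `continue` the operator cannot tell from the log which watched path is missing and therefore which rule never made it into `$FILE`. The section at L5605 already carries the rule in the message; use the same form here, `warn "path is not exsit! Please check file path is exist! Rule: $AUDIT_VALUE"`, and likewise at L4965, L4987, L5006 and L5032. Note that in audit mode this path turns a rule that cannot be checked into a warning rather than a finding, which is a deliberate downgrade worth stating in the message (e.g. "rule skipped"). `check_audit_path $AUDIT_VALUE` is unquoted; it works here only because IFS is newline at that point, so quoting it would make the loop robust to callers that change IFS.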


@ -22,12 +22,17 @@ audit () {
# define custom IFS and save default one
d_IFS=$IFS
IFS=$'\n'
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
FNRET=1
else
ok "$AUDIT_VALUE is present in $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
FNRET=2
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
IFS=$d_IFS
}
@ -37,10 +42,12 @@ apply () {
# define custom IFS and save default one
d_IFS=$IFS
IFS=$'\n'
if [ $FNRET = 1 ]; then
if [ $FNRET = 2 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
elif [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
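Review bot: apply() at L4982/L4986 branches on the FNRET value that audit() left behind (1 for a missing path, 2 for a missing rule, per L4964–L4970) but does not compute it itself, so the correctness of the apply step depends on audit() having run immediately before with nothing in between touching FNRET. If the harness can invoke apply() on its own, or anything between the two calls sets FNRET, the rule would be silently reported as present and not added; that calling order is not visible here, so please confirm. Having apply() call `check_audit_path` and `does_pattern_exist_in_file` itself, as the multi-rule scripts in this commit do (e.g. L4934–L4939), removes the coupling.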


@ -41,12 +41,18 @@ audit () {
fi
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
}
@ -57,13 +63,19 @@ apply () {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS


@ -1,11 +1,11 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 10 Hardening
# harbian-audit for Debian GNU/Linux 10/11/12 Hardening
#
#
# 8.1.32 Record netfilter related Events (Scored)
# 8.1.18 Record netfilter related Events (Scored)
# Author: Samson-W (samson@hardenedlinux.org) author add this
# todo test for centos
@ -14,17 +14,13 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
AUDIT_PARAMS='-w /etc/nftables.conf -p wa -k nft_config_file_change
-w /usr/share/netfilter-persistent/plugins.d/ -p wa -k nft_config_file_change
-a always,exit -F path=/usr/sbin/netfilter-persistent -F perm=x -F auid>=1000 -F auid!=4294967295 -k nft_persistent_use
-a always,exit -F path=/usr/sbin/nft -F perm=x -F auid>=1000 -F auid!=4294967295 -k nft_cmd_use'
FILE='/etc/audit/rules.d/audit.rules'
PACKAGE_NFT='nftables'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_debian_10
if [ $FNRET != 0 ]; then
is_pkg_installed $PACKAGE_NFT
if [ $FNRET != 0 ]; then
ok "OS not support nft, so pass"
else
# define custom IFS and save default one
@ -48,8 +44,8 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
is_debian_10
if [ $FNRET != 0 ]; then
is_pkg_installed $PACKAGE_NFT
if [ $FNRET != 0 ]; then
ok "OS not support nft, so pass"
else
IFS=$'\n'
@ -69,7 +65,17 @@ apply () {
# This function will check config parameters required
check_config() {
:
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS='-w /etc/nftables.conf -p wa -k nft_config_file_change
-w /usr/share/netfilter-persistent/plugins.d/ -p wa -k nft_config_file_change
-w /usr/sbin/netfilter-persistent -p x -k nft_persistent_use
-w /usr/sbin/nft -p x -k nft_cmd_use'
else
AUDIT_PARAMS='-w /etc/nftables.conf -p wa -k nft_config_file_change
-w /usr/share/netfilter-persistent/plugins.d/ -p wa -k nft_config_file_change
-w /usr/sbin/netfilter-persistent -p x -F auid>=1000 -F auid!=4294967295 -k nft_persistent_use
-w /usr/sbin/nft -p x -F auid>=1000 -F auid!=4294967295 -k nft_cmd_use'
fi
}
# Source Root Dir Parameter
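Review bot: The rewritten rules at L5094–L5095 and L5099–L5100 switch the executable watches from the `-a always,exit -F path=... -F perm=x` form the removed lines used (L5064–L5065) to `-w /usr/sbin/nft -p x -F auid>=1000 ...`, mixing watch syntax with `-F` fields. Every other privileged-command rule in this commit keeps the `-a always,exit -F path=` form, and I am not certain auditctl accepts `-F auid` fields on a `-w` rule; if it rejects them the whole rule file may fail to load, so this should be verified with `auditctl -R` on a test host or the rules kept in the `-a always,exit -F path=/usr/sbin/nft -F perm=x -F auid>=1000 -F auid!=4294967295 -k nft_cmd_use` form. Also, the gate changed from `is_debian_10` to `is_pkg_installed $PACKAGE_NFT` (L5072, L5082) but the message at L5074/L5084 still says "OS not support nft", which now misreports a missing package as an unsupported OS.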


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 or CentOS Hardening
#
#
@ -10,16 +10,11 @@
#
set -u # One variable unset, it's over
set -e # One error, it's over
#set -e # One error, it's over
HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode
@ -31,7 +26,7 @@ audit () {
for AUDIT_VALUE in $AUDIT_PARAMS; do
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
crit "path is not exsit! Please check file path is exist!"
warn "path is not exsit! Please check file path is exist!"
continue
else
debug "$AUDIT_VALUE should be in file $FILE"
@ -54,7 +49,7 @@ apply () {
for AUDIT_VALUE in $AUDIT_PARAMS; do
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
crit "path is not exsit! Please check file path is exist!"
warn "path is not exsit! Please check file path is exist!"
continue
else
debug "$AUDIT_VALUE should be in file $FILE"
@ -72,10 +67,22 @@ apply () {
# This function will check config parameters required
check_config() {
if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -k privileged-ssh
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -k privileged-ssh"
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -k privileged-ssh
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -k privileged-ssh"
else
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
fi
if [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
else
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
fi
}
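Review bot: Commenting out `set -e` at L5118 while `set -u` stays means a failing `add_end_of_file $FILE $AUDIT_VALUE` in apply() no longer stops the script, so a rule that could not be written to `/etc/audit/rules.d/audit.rules` would still be followed by `ok`-style progress on the next iteration. The apply loop body is cut off by the hunk, and add_end_of_file's return value is not visible here, but if it propagates the write status the call should be checked explicitly, e.g. `add_end_of_file $FILE $AUDIT_VALUE || crit "failed to write rule to $FILE"`. The crit→warn change at L5132/L5141 is consistent with the other files in this commit.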


@ -14,8 +14,6 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
@ -56,7 +54,13 @@ apply () {
# This function will check config parameters required
check_config() {
:
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS='-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -k access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -k access'
else
AUDIT_PARAMS='-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
fi
}
# Source Root Dir Parameter


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 or CentOS Hardening
#
#
@ -15,15 +15,6 @@ set -e # One error, it's over
HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode
@ -35,7 +26,7 @@ audit () {
for AUDIT_VALUE in $AUDIT_PARAMS; do
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
crit "path is not exsit! Please check file path is exist!"
warn "path is not exsit! Please check file path is exist!"
continue
else
debug "$AUDIT_VALUE should be in file $FILE"
@ -58,7 +49,7 @@ apply () {
for AUDIT_VALUE in $AUDIT_PARAMS; do
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
crit "path is not exsit! Please check file path is exist!"
warn "path is not exsit! Please check file path is exist!"
continue
else
debug "$AUDIT_VALUE should be in file $FILE"
@ -76,10 +67,30 @@ apply () {
# This function will check config parameters required
check_config() {
if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/bin/passwd -F perm=x -k privileged-passwd
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -k privileged-passwd
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -k privileged-passwd
-a always,exit -F path=/usr/bin/chage -F perm=x -k privileged-passwd"
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/bin/passwd -F perm=x -k privileged-passwd
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -k privileged-passwd
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -k privileged-passwd
-a always,exit -F path=/bin/chage -F perm=x -k privileged-passwd"
else
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
fi
if [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
else
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
fi
}


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 or CentOS Hardening
#
#
@ -15,19 +15,6 @@ set -e # One error, it's over
HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change"
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change"
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode
@ -39,7 +26,7 @@ audit () {
for AUDIT_VALUE in $AUDIT_PARAMS; do
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
crit "path is not exsit! Please check file path is exist!"
warn "path is not exsit! Please check file path is exist!"
continue
else
debug "$AUDIT_VALUE should be in file $FILE"
@ -62,7 +49,7 @@ apply () {
for AUDIT_VALUE in $AUDIT_PARAMS; do
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
crit "path is not exsit! Please check file path is exist!"
warn "path is not exsit! Please check file path is exist!"
continue
else
debug "$AUDIT_VALUE should be in file $FILE"
@ -80,10 +67,38 @@ apply () {
# This function will check config parameters required
check_config() {
if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/bin/su -F perm=x -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudo -F perm=x -k privileged-priv_change
-a always,exit -F path=/usr/bin/newgrp -F perm=x -k privileged-priv_change
-a always,exit -F path=/usr/bin/chsh -F perm=x -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -k privileged-priv_change
-a always,exit -F path=/usr/bin/chfn -F perm=x -k privileged-priv_change"
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/bin/su -F perm=x -k privileged-priv_change
-a always,exit -F path=/bin/sudo -F perm=x -k privileged-priv_change
-a always,exit -F path=/bin/newgrp -F perm=x -k privileged-priv_change
-a always,exit -F path=/bin/chsh -F perm=x -k privileged-priv_change
-a always,exit -F path=/bin/sudoedit -F perm=x -k privileged-priv_change
-a always,exit -F path=/bin/chfn -F perm=x -k privileged-priv_change"
else
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change"
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change"
fi
if [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
else
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
fi
}
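Review bot: The re-emitted chfn rules at L5332 and L5338 still use `-F auid>=500` while every other rule in this block (L5327–L5331, L5333–L5337) uses `-F auid>=1000`, so the privileged-command set now audits chfn for login UIDs 500–999 but none of su/sudo/newgrp/chsh/sudoedit for the same range. The inconsistency was carried over from the removed lines (L5280, L5286), but since this commit rewrites the whole string it is the right moment to align it: `-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change` and the same for the CentOS path. If 500 is intentional for some legacy UID_MIN, a comment saying so above the assignment would stop the next reader from "fixing" it.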


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 or CentOS Hardening
#
#
@ -15,11 +15,6 @@ set -e # One error, it's over
HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode
@ -31,7 +26,7 @@ audit () {
for AUDIT_VALUE in $AUDIT_PARAMS; do
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
crit "path is not exsit! Please check file path is exist!"
warn "path is not exsit! Please check file path is exist!"
continue
else
debug "$AUDIT_VALUE should be in file $FILE"
@ -54,7 +49,7 @@ apply () {
for AUDIT_VALUE in $AUDIT_PARAMS; do
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
crit "path is not exsit! Please check file path is exist!"
warn "path is not exsit! Please check file path is exist!"
continue
else
debug "$AUDIT_VALUE should be in file $FILE"
@ -72,10 +67,22 @@ apply () {
# This function will check config parameters required
check_config() {
if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/postdrop -F perm=x -k privileged-postfix
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -k privileged-postfix'
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/postdrop -F perm=x -k privileged-postfix
-a always,exit -F path=/sbin/postqueue -F perm=x -k privileged-postfix'
else
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
fi
if [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
else
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
fi
}


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 or CentOS Hardening
#
#
@ -15,8 +15,6 @@ HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode
@ -28,7 +26,7 @@ audit () {
for AUDIT_VALUE in $AUDIT_PARAMS; do
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
crit "path is not exsit! Please check file path is exist!"
warn "path is not exsit! Please check file path is exist!"
continue
else
debug "$AUDIT_VALUE should be in file $FILE"
@ -51,7 +49,7 @@ apply () {
for AUDIT_VALUE in $AUDIT_PARAMS; do
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
crit "path is not exsit! Please check file path is exist!"
warn "path is not exsit! Please check file path is exist!"
continue
else
debug "$AUDIT_VALUE should be in file $FILE"
@ -69,10 +67,18 @@ apply () {
# This function will check config parameters required
check_config() {
if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/bin/crontab -F perm=x -k privileged-cron'
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/bin/crontab -F perm=x -k privileged-cron'
else
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
fi
if [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
else
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
fi
}


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 or CentOS Hardening
#
#
@ -15,8 +15,6 @@ set -e # One error, it's over
HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode
@ -28,7 +26,7 @@ audit () {
for AUDIT_VALUE in $AUDIT_PARAMS; do
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
crit "path is not exsit! Please check file path is exist!"
warn "path is not exsit! Please check file path is exist!"
continue
else
debug "$AUDIT_VALUE should be in file $FILE"
@ -51,7 +49,7 @@ apply () {
for AUDIT_VALUE in $AUDIT_PARAMS; do
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
crit "path is not exsit! Please check file path is exist!"
warn "path is not exsit! Please check file path is exist!"
continue
else
debug "$AUDIT_VALUE should be in file $FILE"
@ -69,10 +67,18 @@ apply () {
# This function will check config parameters required
check_config() {
if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -k privileged-pam'
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -k privileged-pam'
else
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
fi
if [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
else
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
fi
}


@ -1,11 +1,12 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 or CentOS Hardening
#
#
# 8.1.26 Recored pam_tally/pam_tally2 command usage(Only for Debian) (Scored)
# Replaced pam_tally2 with faillock in debian 11
# Author : Samson wen, Samson <sccxboy@gmail.com> Author add this
#
@ -15,15 +16,12 @@ FILE='/etc/audit/rules.d/audit.rules'
HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
-a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
# This function will be called if the script status is on enabled / audit mode
audit () {
# This feature is only for debian
if [ $OS_RELEASE -eq 2 ]; then
ok "CentOS/Redhat is not support, so pass"
elif [ $OS_RELEASE -eq 1 ]; then
else
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
@ -31,7 +29,7 @@ audit () {
for AUDIT_VALUE in $AUDIT_PARAMS; do
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
crit "path is not exsit! Please check file path is exist!"
warn "path is not exsit! Please check file path is exist!"
continue
else
debug "$AUDIT_VALUE should be in file $FILE"
@ -54,12 +52,12 @@ apply () {
# This feature is only for debian
if [ $OS_RELEASE -eq 2 ]; then
ok "CentOS/Redhat is not support, so pass"
elif [ $OS_RELEASE -eq 1 ]; then
else
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
crit "path is not exsit! Please check file path is exist!"
warn "path is not exsit! Please check file path is exist!"
continue
else
debug "$AUDIT_VALUE should be in file $FILE"
@ -77,8 +75,32 @@ apply () {
}
# This function will check config parameters required
# Replaced pam_tally2 with faillock in debian 11
check_config() {
:
# support to ubuntu
if [ $OS_RELEASE -eq 3 ]; then
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS='-a always,exit -F path=/usr/sbin/faillock -F perm=wxa -k privileged-pam'
else
AUDIT_PARAMS='-a always,exit -F path=/usr/sbin/faillock -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
fi
else
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
if [ $OS_RELEASE -lt 11 ]; then
AUDIT_PARAMS='-a always,exit -F path=/sbin/pam_tally -F perm=wxa -k privileged-pam
-a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -k privileged-pam'
else
AUDIT_PARAMS='-a always,exit -F path=/usr/sbin/faillock -F perm=wxa -k privileged-pam'
fi
else
if [ $OS_RELEASE -lt 11 ]; then
AUDIT_PARAMS='-a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
-a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
else
AUDIT_PARAMS='-a always,exit -F path=/usr/sbin/faillock -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
fi
fi
fi
}
# Source Root Dir Parameter
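Review bot: The faillock/pam_tally selection at L5580 and L5587 keys on `[ $OS_RELEASE -lt 11 ]`, but elsewhere in this commit OS_RELEASE carries both distro codes (1 Debian, 2 CentOS, 3 Ubuntu per L5534/L5572/L5648) and Debian release numbers (9/10/11/12 per L5648), so the codes 1 and 2 also satisfy `-lt 11` and select the pam_tally rules. If 1 can mean a generic Debian 11/12 host that branch would watch `/sbin/pam_tally`, which check_audit_path then skips with only a warning, leaving faillock unwatched; this depends on how OS_RELEASE is populated, which is not visible here. Making the release branch explicit, e.g. `if [ $OS_RELEASE -eq 9 -o $OS_RELEASE -eq 10 ]; then` for pam_tally and faillock otherwise, avoids the overlap, and the `:` at L5570 is dead and can go. The `elif [ $OS_RELEASE -eq 1 ]` → `else` change at L5537/L5555 also means unknown OS codes now run the audit instead of being skipped, which may be intended but is worth a comment.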


@ -26,7 +26,7 @@ audit () {
for AUDIT_VALUE in $AUDIT_PARAMS; do
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
crit "path is not exsit! Please check file path is exist! Rule: $AUDIT_VALUE"
warn "path is not exsit! Please check file path is exist! Rule: $AUDIT_VALUE"
continue
else
debug "$AUDIT_VALUE should be in file $FILE"
@ -49,7 +49,7 @@ apply () {
for AUDIT_VALUE in $AUDIT_PARAMS; do
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
crit "Path is not exsit when apply a rule: $AUDIT_VALUE ! Please check file path is exist!"
warn "Path is not exsit when apply a rule: $AUDIT_VALUE ! Please check file path is exist!"
continue
else
debug "$AUDIT_VALUE should be in file $FILE"
@ -84,9 +84,31 @@ check_config() {
-a always,exit -F dir=/etc/sysconfig/ip6tables -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/sysconfig/ip6tables-config -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/sysconfig/iptables-config -F perm=wa -k config_file_change
-a always,exit -F path=/etc/sysctl.conf -F perm=wa -k config_file_change'
-a always,exit -F path=/etc/sysctl.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/rsyslog.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/audisp/plugins.d/au-remote.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/logrotate.conf -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/logrotate.d/ -F perm=wa -k config_file_change'
# Ubuntu
elif [ $OS_RELEASE -eq 3 ]; then
AUDIT_PARAMS='-a always,exit -F path=/etc/audit/audisp-remote.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/audit/auditd.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/default/grub -F perm=wa -k config_file_change
-a always,exit -F path=/etc/fstab -F perm=wa -k config_file_change
-a always,exit -F path=/etc/hosts.deny -F perm=wa -k config_file_change
-a always,exit -F path=/etc/login.defs -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/audit/rules.d/ -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/pam.d/ -F perm=wa -k config_file_change
-a always,exit -F path=/etc/profile -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/profile.d/ -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/security/ -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/iptables/ -F perm=wa -k config_file_change
-a always,exit -F path=/etc/sysctl.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/rsyslog.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/audit/plugins.d/au-remote.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/logrotate.conf -F perm=wa -k config_file_change'
# Debian
else
elif [ $OS_RELEASE -eq 1 -o $OS_RELEASE -eq 9 -o $OS_RELEASE -eq 10 -o $OS_RELEASE -eq 11 -o $OS_RELEASE -eq 12 ]; then
AUDIT_PARAMS='-a always,exit -F path=/etc/audisp/audisp-remote.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/audit/auditd.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/default/grub -F perm=wa -k config_file_change
@ -99,7 +121,13 @@ check_config() {
-a always,exit -F dir=/etc/profile.d/ -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/security/ -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/iptables/ -F perm=wa -k config_file_change
-a always,exit -F path=/etc/sysctl.conf -F perm=wa -k config_file_change'
-a always,exit -F path=/etc/sysctl.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/rsyslog.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/audisp/plugins.d/au-remote.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/logrotate.conf -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/logrotate.d/ -F perm=wa -k config_file_change'
else
warn "No support!!!"
fi
}


@ -16,9 +16,6 @@ FILE='/etc/audit/rules.d/audit.rules'
HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng'
# This function will be called if the script status is on enabled / audit mode
audit () {
# define custom IFS and save default one
@ -28,7 +25,7 @@ audit () {
for AUDIT_VALUE in $AUDIT_PARAMS; do
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
crit "path is not exsit! Please check file path is exist!"
warn "path is not exsit! Please check file path is exist!"
continue
else
debug "$AUDIT_VALUE should be in file $FILE"
@ -51,7 +48,7 @@ apply () {
for AUDIT_VALUE in $AUDIT_PARAMS; do
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
crit "path is not exsit! Please check file path is exist!"
warn "path is not exsit! Please check file path is exist!"
continue
else
debug "$AUDIT_VALUE should be in file $FILE"
@ -69,7 +66,13 @@ apply () {
# This function will check config parameters required
check_config() {
:
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS='-a always,exit -F path=/usr/bin/setfacl -F perm=x -k perm_chng
-a always,exit -F path=/usr/bin/chacl -F perm=x -k perm_chng'
else
AUDIT_PARAMS='-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng'
fi
}
# Source Root Dir Parameter
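Review bot: `if [ $DONT_AUDITD_BY_UID -eq 1 ]; then` in the new check_config has no guard for the variable being unset or empty — with `set -u` the script aborts, and with an empty value `[` fails with a unary-operator error — so the test should supply a default: `if [ "${DONT_AUDITD_BY_UID:-0}" -eq 1 ]; then`. The same unguarded test is introduced in the check_config of the next three files in this compare (the usermod, unix_update and 8.1.31 scripts), so the fix applies there too. Since the variable is not defined in this file, a short comment above the test would help readers, e.g. `# DONT_AUDITD_BY_UID comes from the sourced hardening config; 1 selects the rule variant without auid filters`. If the bare `:` above the new `if` survived the change it is now a leftover no-op and can be removed.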


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 or CentOS Hardening
#
#
@ -15,8 +15,6 @@ FILE='/etc/audit/rules.d/audit.rules'
HARDENING_LEVEL=4
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod'
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod'
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode
@ -28,7 +26,7 @@ audit () {
for AUDIT_VALUE in $AUDIT_PARAMS; do
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
crit "path is not exsit! Please check file path is exist!"
warn "path is not exsit! Please check file path is exist!"
continue
else
debug "$AUDIT_VALUE should be in file $FILE"
@ -51,7 +49,7 @@ apply () {
for AUDIT_VALUE in $AUDIT_PARAMS; do
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
crit "path is not exsit! Please check file path is exist!"
warn "path is not exsit! Please check file path is exist!"
continue
else
debug "$AUDIT_VALUE should be in file $FILE"
@ -69,10 +67,18 @@ apply () {
# This function will check config parameters required
check_config() {
if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/usermod -F perm=x -k privileged-usermod'
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/usermod -F perm=x -k privileged-usermod'
else
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod'
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod'
fi
if [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
else
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
fi
}
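Review bot: The new `else` branch assigns the Debian rule to every OS_RELEASE other than 2, whereas the removed code matched `-eq 1` explicitly, so an unrecognised release now silently gets `/usr/sbin/usermod` instead of the `warn "No support!!!"` fallthrough that the sibling check_config earlier in this compare uses. If treating every non-CentOS release as Debian-like is intended, make it deliberate with a comment such as `# Every release other than CentOS (2) is Debian-based and uses /usr/sbin/usermod`; otherwise keep the Debian default but `warn` for releases the project does not list. As in the other files in this compare, `[ $OS_RELEASE -eq 2 ]` and `[ $DONT_AUDITD_BY_UID -eq 1 ]` should quote and default their operands so an empty value does not break the test.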


@ -15,8 +15,6 @@ FILE='/etc/audit/rules.d/audit.rules'
HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update'
# This function will be called if the script status is on enabled / audit mode
audit () {
# define custom IFS and save default one
@ -26,7 +24,7 @@ audit () {
for AUDIT_VALUE in $AUDIT_PARAMS; do
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
crit "path is not exsit! Please check file path is exist!"
warn "path is not exsit! Please check file path is exist!"
continue
else
debug "$AUDIT_VALUE should be in file $FILE"
@ -49,7 +47,7 @@ apply () {
for AUDIT_VALUE in $AUDIT_PARAMS; do
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
crit "path is not exsit! Please check file path is exist!"
warn "path is not exsit! Please check file path is exist!"
continue
else
debug "$AUDIT_VALUE should be in file $FILE"
@ -67,7 +65,11 @@ apply () {
# This function will check config parameters required
check_config() {
:
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS='-a always,exit -F path=/sbin/unix_update -F perm=x -k privileged-unix-update'
else
AUDIT_PARAMS='-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update'
fi
}
# Source Root Dir Parameter


@ -0,0 +1,101 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9/10 Hardening
#
#
# 8.1.31 Collect file transfer related items (Scored)
# Add by Author : Samson wen, Samson <sccxboy@gmail.com>
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit () {
echo "DONT_AUDITD_BY_UID $DONT_AUDITD_BY_UID"
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
IFS=$d_IFS
RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
does_valid_pattern_exist_in_file $FILE "$RESULT"
IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$RESULT is not in file $FILE"
else
ok "$RESULT is present in $FILE"
fi
fi
done
IFS=$d_IFS
}
# This function will be called if the script status is on enabled mode
apply () {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
does_valid_pattern_exist_in_file $FILE "$RESULT"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
}
# This function will check config parameters required
check_config() {
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS='-a always,exit -F path=/usr/bin/scp -F perm=x -k file_transfer_exec
-a always,exit -F path=/usr/bin/wget -F perm=x -k file_transfer_exec
-a always,exit -F path=/usr/bin/sftp -F perm=x -k file_transfer_exec
-a always,exit -F path=/usr/bin/curl -F perm=x -k file_transfer_exec'
else
AUDIT_PARAMS='-a always,exit -F path=/usr/bin/scp -F perm=x -F auid>=1000 -F auid!=4294967295 -k file_transfer_exec
-a always,exit -F path=/usr/bin/wget -F perm=x -F auid>=1000 -F auid!=4294967295 -k file_transfer_exec
-a always,exit -F path=/usr/bin/sftp -F perm=x -F auid>=1000 -F auid!=4294967295 -k file_transfer_exec
-a always,exit -F path=/usr/bin/curl -F perm=x -F auid>=1000 -F auid!=4294967295 -k file_transfer_exec'
fi
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi
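Review bot: audit() only verifies that the path portion extracted by the awk pipeline (for the first rule, `/usr/bin/scp`) occurs somewhere in $FILE, so a pre-existing weaker rule for the same binary — one without `-F perm=x` or the auid filters — makes the check report ok, while apply() would have appended the full rule; matching on the whole `$AUDIT_VALUE` (escaped if does_valid_pattern_exist_in_file treats its argument as a regex, since the rule text contains `>=`, `!=` and `,`) would close that gap. The `echo "DONT_AUDITD_BY_UID $DONT_AUDITD_BY_UID"` at the top of audit() looks like leftover debugging output that bypasses the script's logging helpers and lands in the audit report; drop it or make it `debug "DONT_AUDITD_BY_UID $DONT_AUDITD_BY_UID"`. The header comment still names Debian 9/10 while the neighbouring file in this compare was updated to 11/12.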
