diff --git a/bin/hardening/10.1.5_set_password_lock_inactive_user.sh b/bin/hardening/10.1.5_set_password_lock_inactive_user.sh index 21b0350..cf152ec 100755 --- a/bin/hardening/10.1.5_set_password_lock_inactive_user.sh +++ b/bin/hardening/10.1.5_set_password_lock_inactive_user.sh @@ -18,7 +18,7 @@ set -u # One variable unset, it's over HARDENING_LEVEL=3 OPTIONS='INACTIVE=30' -OPTIONS_REDHAT='INACTIVE=0' +OPTIONS_CENTOS='INACTIVE=0' SHA_FILE='/etc/shadow' DISABLE_V='-1' FILE='/etc/default/useradd' @@ -158,7 +158,7 @@ check_config() { if [ $OS_RELEASE -eq 1 ]; then : elif [ $OS_RELEASE -eq 2 ]; then - OPTIONS=$OPTIONS_REDHAT + OPTIONS=$OPTIONS_CENTOS else warn "Current OS is not support!" fi diff --git a/bin/hardening/12.13_etc_gshadow_backup_permissions.sh b/bin/hardening/12.13_etc_gshadow_backup_permissions.sh index 6745cae..75ad596 100755 --- a/bin/hardening/12.13_etc_gshadow_backup_permissions.sh +++ b/bin/hardening/12.13_etc_gshadow_backup_permissions.sh @@ -16,16 +16,16 @@ HARDENING_LEVEL=1 FILE='/etc/gshadow-' PERMISSIONS='600' -PERMISSIONS_REDHAT='0' +PERMISSIONS_CENTOS='0' USER='root' GROUP='shadow' -GROUP_REDHAT='root' +GROUP_CENTOS='root' # This function will be called if the script status is on enabled / audit mode audit () { if [ $OS_RELEASE -eq 2 ]; then - PERMISSIONS=$PERMISSIONS_REDHAT - GROUP=$GROUP_REDHAT + PERMISSIONS=$PERMISSIONS_CENTOS + GROUP=$GROUP_CENTOS else : fi @@ -46,8 +46,8 @@ audit () { # This function will be called if the script status is on enabled mode apply () { if [ $OS_RELEASE -eq 2 ]; then - PERMISSIONS=$PERMISSIONS_REDHAT - GROUP=$GROUP_REDHAT + PERMISSIONS=$PERMISSIONS_CENTOS + GROUP=$GROUP_CENTOS else : fi diff --git a/bin/hardening/12.2_etc_shadow_permissions.sh b/bin/hardening/12.2_etc_shadow_permissions.sh index 19c1d75..e2e02a8 100755 --- a/bin/hardening/12.2_etc_shadow_permissions.sh +++ b/bin/hardening/12.2_etc_shadow_permissions.sh 
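Review bot: In 10.1.5_set_password_lock_inactive_user.sh the CentOS value `INACTIVE=0` differs sharply from the default `INACTIVE=30`, and neither the declaration nor the `check_config` branch that selects it says why. In /etc/default/useradd, 0 disables an account as soon as its password expires, while 30 leaves a 30-day window, so the two platforms get different lockout behaviour. I would add a comment above the declaration, e.g. `# CentOS: INACTIVE=0 disables the account as soon as the password expires (no grace period)`, or align the value if the difference is unintended. The `else` branch only warns and keeps the default `OPTIONS`; check_config continues outside the hunk, so what happens on an unsupported OS is not visible here.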
@@ -16,16 +16,16 @@ HARDENING_LEVEL=1 FILE='/etc/shadow' PERMISSIONS='640' -PERMISSIONS_REDHAT='0' +PERMISSIONS_CENTOS='0' USER='root' GROUP='shadow' -GROUP_REDHAT='root' +GROUP_CENTOS='root' # This function will be called if the script status is on enabled / audit mode audit () { if [ $OS_RELEASE -eq 2 ]; then - PERMISSIONS=$PERMISSIONS_REDHAT - GROUP=$GROUP_REDHAT + PERMISSIONS=$PERMISSIONS_CENTOS + GROUP=$GROUP_CENTOS else : fi @@ -46,8 +46,8 @@ audit () { # This function will be called if the script status is on enabled mode apply () { if [ $OS_RELEASE -eq 2 ]; then - PERMISSIONS=$PERMISSIONS_REDHAT - GROUP=$GROUP_REDHAT + PERMISSIONS=$PERMISSIONS_CENTOS + GROUP=$GROUP_CENTOS else : fi diff --git a/bin/hardening/12.4_etc_gshadow_permissions.sh b/bin/hardening/12.4_etc_gshadow_permissions.sh index 3f26ba0..587568b 100755 --- a/bin/hardening/12.4_etc_gshadow_permissions.sh +++ b/bin/hardening/12.4_etc_gshadow_permissions.sh @@ -16,16 +16,16 @@ HARDENING_LEVEL=1 FILE='/etc/gshadow' PERMISSIONS='640' -PERMISSIONS_REDHAT='0' +PERMISSIONS_CENTOS='0' USER='root' GROUP='shadow' -GROUP_REDHAT='root' +GROUP_CENTOS='root' # This function will be called if the script status is on enabled / audit mode audit () { if [ $OS_RELEASE -eq 2 ]; then - PERMISSIONS=$PERMISSIONS_REDHAT - GROUP=$GROUP_REDHAT + PERMISSIONS=$PERMISSIONS_CENTOS + GROUP=$GROUP_CENTOS else : fi @@ -46,8 +46,8 @@ audit () { # This function will be called if the script status is on enabled mode apply () { if [ $OS_RELEASE -eq 2 ]; then - PERMISSIONS=$PERMISSIONS_REDHAT - GROUP=$GROUP_REDHAT + PERMISSIONS=$PERMISSIONS_CENTOS + GROUP=$GROUP_CENTOS else : fi diff --git a/bin/hardening/12.6_etc_shadow_backup_permissions.sh b/bin/hardening/12.6_etc_shadow_backup_permissions.sh index 4e1e2bb..39b95b7 100755 --- a/bin/hardening/12.6_etc_shadow_backup_permissions.sh +++ b/bin/hardening/12.6_etc_shadow_backup_permissions.sh 
@@ -16,16 +16,16 @@ HARDENING_LEVEL=1 FILE='/etc/shadow-' PERMISSIONS='600' -PERMISSIONS_REDHAT='0' +PERMISSIONS_CENTOS='0' USER='root' GROUP='shadow' -GROUP_REDHAT='root' +GROUP_CENTOS='root' # This function will be called if the script status is on enabled / audit mode audit () { if [ $OS_RELEASE -eq 2 ]; then - PERMISSIONS=$PERMISSIONS_REDHAT - GROUP=$GROUP_REDHAT + PERMISSIONS=$PERMISSIONS_CENTOS + GROUP=$GROUP_CENTOS else : fi @@ -46,8 +46,8 @@ audit () { # This function will be called if the script status is on enabled mode apply () { if [ $OS_RELEASE -eq 2 ]; then - PERMISSIONS=$PERMISSIONS_REDHAT - GROUP=$GROUP_REDHAT + PERMISSIONS=$PERMISSIONS_CENTOS + GROUP=$GROUP_CENTOS else : fi diff --git a/bin/hardening/2.1_tmp_partition.sh b/bin/hardening/2.1_tmp_partition.sh index f91afe5..08bcdc4 100755 --- a/bin/hardening/2.1_tmp_partition.sh +++ b/bin/hardening/2.1_tmp_partition.sh @@ -18,7 +18,7 @@ HARDENING_LEVEL=2 PARTITION="/tmp" SERVICENAME="tmp.mount" SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount" -REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount" +CENTOS_SERVICEPATH="/usr/lib/systemd/system/tmp.mount" DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount" # This function will be called if the script status is on enabled / audit mode @@ -75,12 +75,12 @@ apply () { fi fi elif [ $OS_RELEASE -eq 2 ]; then - if [ -e $REDHAT_SERVICEPATH ]; then + if [ -e $CENTOS_SERVICEPATH ]; then $SUDO_CMD systemctl enable "$SERVICENAME" $SUDO_CMD systemctl daemon-reload $SUDO_CMD systemctl start "$SERVICENAME" else - crit "System unit file $REDHAT_SERVICEPATH is not exist!" + crit "System unit file $CENTOS_SERVICEPATH is not exist!" fi fi fi diff --git a/bin/hardening/2.2_tmp_nodev.sh b/bin/hardening/2.2_tmp_nodev.sh index b8e29a4..8c499a0 100755 --- a/bin/hardening/2.2_tmp_nodev.sh +++ b/bin/hardening/2.2_tmp_nodev.sh 
@@ -19,7 +19,7 @@ PARTITION="/tmp" OPTION="nodev" SERVICENAME="tmp.mount" SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount" -REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount" +CENTOS_SERVICEPATH="/usr/lib/systemd/system/tmp.mount" DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount" # This function will be called if the script status is on enabled / audit mode @@ -50,7 +50,7 @@ audit () { if [ $OS_RELEASE -eq 1 ]; then UNITSERVICEPATH=$DEBIAN_SERVICEPATH elif [ $OS_RELEASE -eq 2 ]; then - UNITSERVICEPATH=$REDHAT_SERVICEPATH + UNITSERVICEPATH=$CENTOS_SERVICEPATH fi if [ -e $UNITSERVICEPATH ]; then has_mount_option_systemd $UNITSERVICEPATH $OPTION @@ -80,7 +80,7 @@ apply () { if [ $OS_RELEASE -eq 1 ]; then UNITSERVICEPATH=$DEBIAN_SERVICEPATH elif [ $OS_RELEASE -eq 2 ]; then - UNITSERVICEPATH=$REDHAT_SERVICEPATH + UNITSERVICEPATH=$CENTOS_SERVICEPATH fi if [ $FNRET = 0 ]; then ok "$PARTITION is correctly set" diff --git a/bin/hardening/2.3_tmp_nosuid.sh b/bin/hardening/2.3_tmp_nosuid.sh index 95d9bfd..b55bb8b 100755 --- a/bin/hardening/2.3_tmp_nosuid.sh +++ b/bin/hardening/2.3_tmp_nosuid.sh @@ -19,7 +19,7 @@ PARTITION="/tmp" OPTION="nosuid" SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount" SERVICENAME="tmp.mount" -REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount" +CENTOS_SERVICEPATH="/usr/lib/systemd/system/tmp.mount" DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount" # This function will be called if the script status is on enabled / audit mode @@ -50,7 +50,7 @@ audit () { if [ $OS_RELEASE -eq 1 ]; then UNITSERVICEPATH=$DEBIAN_SERVICEPATH elif [ $OS_RELEASE -eq 2 ]; then - UNITSERVICEPATH=$REDHAT_SERVICEPATH + UNITSERVICEPATH=$CENTOS_SERVICEPATH fi if [ -e $UNITSERVICEPATH ]; then has_mount_option_systemd $UNITSERVICEPATH $OPTION 
@@ -80,7 +80,7 @@ apply () { if [ $OS_RELEASE -eq 1 ]; then UNITSERVICEPATH=$DEBIAN_SERVICEPATH elif [ $OS_RELEASE -eq 2 ]; then - UNITSERVICEPATH=$REDHAT_SERVICEPATH + UNITSERVICEPATH=$CENTOS_SERVICEPATH fi if [ $FNRET = 0 ]; then ok "$PARTITION is correctly set" diff --git a/bin/hardening/2.4_tmp_noexec.sh b/bin/hardening/2.4_tmp_noexec.sh index 1077ada..cd4f926 100755 --- a/bin/hardening/2.4_tmp_noexec.sh +++ b/bin/hardening/2.4_tmp_noexec.sh @@ -19,7 +19,7 @@ PARTITION="/tmp" OPTION="noexec" SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount" SERVICENAME="tmp.mount" -REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount" +CENTOS_SERVICEPATH="/usr/lib/systemd/system/tmp.mount" DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount" # This function will be called if the script status is on enabled / audit mode @@ -50,7 +50,7 @@ audit () { if [ $OS_RELEASE -eq 1 ]; then UNITSERVICEPATH=$DEBIAN_SERVICEPATH elif [ $OS_RELEASE -eq 2 ]; then - UNITSERVICEPATH=$REDHAT_SERVICEPATH + UNITSERVICEPATH=$CENTOS_SERVICEPATH fi if [ -e $UNITSERVICEPATH ]; then has_mount_option_systemd $UNITSERVICEPATH $OPTION @@ -80,7 +80,7 @@ apply () { if [ $OS_RELEASE -eq 1 ]; then UNITSERVICEPATH=$DEBIAN_SERVICEPATH elif [ $OS_RELEASE -eq 2 ]; then - UNITSERVICEPATH=$REDHAT_SERVICEPATH + UNITSERVICEPATH=$CENTOS_SERVICEPATH fi if [ $FNRET = 0 ]; then ok "$PARTITION is correctly set" diff --git a/bin/hardening/5.1.1_disable_nis.sh b/bin/hardening/5.1.1_disable_nis.sh index a3eec69..997a945 100755 --- a/bin/hardening/5.1.1_disable_nis.sh +++ b/bin/hardening/5.1.1_disable_nis.sh @@ -15,12 +15,12 @@ set -u # One variable unset, it's over HARDENING_LEVEL=3 PACKAGE='nis' -PACKAGE_REDHAT='ypserv' +PACKAGE_CENTOS='ypserv' # This function will be called if the script status is on enabled / audit mode audit () { if [ $OS_RELEASE -eq 2 ]; then - PACKAGE=$PACKAGE_REDHAT + PACKAGE=$PACKAGE_CENTOS fi is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then 
@@ -34,7 +34,7 @@ audit () { # This function will be called if the script status is on enabled mode apply () { if [ $OS_RELEASE -eq 2 ]; then - PACKAGE=$PACKAGE_REDHAT + PACKAGE=$PACKAGE_CENTOS fi is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then diff --git a/bin/hardening/5.1.2_disable_rsh.sh b/bin/hardening/5.1.2_disable_rsh.sh index 2340e1d..f0d2257 100755 --- a/bin/hardening/5.1.2_disable_rsh.sh +++ b/bin/hardening/5.1.2_disable_rsh.sh @@ -16,7 +16,7 @@ HARDENING_LEVEL=2 # Based on aptitude search '~Prsh-server' PACKAGES='rsh-server rsh-redone-server heimdal-servers' -PACKAGE_REDHAT='rsh-server' +PACKAGE_CENTOS='rsh-server' FILE='/etc/inetd.conf' PATTERN='^(shell|login|exec)' @@ -43,11 +43,11 @@ audit_debian () { } audit_centos () { - is_pkg_installed $PACKAGE_REDHAT + is_pkg_installed $PACKAGE_CENTOS if [ $FNRET = 0 ]; then - crit "$PACKAGE_REDHAT is installed!" + crit "$PACKAGE_CENTOS is installed!" else - ok "$PACKAGE_REDHAT is absent" + ok "$PACKAGE_CENTOS is absent" fi } # This function will be called if the script status is on enabled / audit mode @@ -91,12 +91,12 @@ apply_debian () { } apply_centos () { - is_pkg_installed $PACKAGE_REDHAT + is_pkg_installed $PACKAGE_CENTOS if [ $FNRET = 0 ]; then - crit "$PACKAGE_REDHAT is installed, purging it" - yum -y remove $PACKAGE_REDHAT + crit "$PACKAGE_CENTOS is installed, purging it" + yum -y remove $PACKAGE_CENTOS else - ok "$PACKAGE_REDHAT is absent" + ok "$PACKAGE_CENTOS is absent" fi } diff --git a/bin/hardening/5.1.4_disable_talk.sh b/bin/hardening/5.1.4_disable_talk.sh index f680fe6..1753ac4 100755 --- a/bin/hardening/5.1.4_disable_talk.sh +++ b/bin/hardening/5.1.4_disable_talk.sh @@ -17,7 +17,7 @@ HARDENING_LEVEL=2 PACKAGES='inetutils-talkd talkd' FILE='/etc/inetd.conf' PATTERN='^(talk|ntalk)' -PACKAGES_REDHAT='talk-server' +PACKAGES_CENTOS='talk-server' audit_debian () { for PACKAGE in $PACKAGES; do 
@@ -42,7 +42,7 @@ audit_debian () { } audit_centos () { - for PACKAGE in $PACKAGES_REDHAT; do + for PACKAGE in $PACKAGES_CENTOS; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then crit "$PACKAGE is installed" @@ -93,7 +93,7 @@ apply_debian () { } apply_centos () { - for PACKAGE in $PACKAGES_REDHAT; do + for PACKAGE in $PACKAGES_CENTOS; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then crit "$PACKAGE is installed, purging it" diff --git a/bin/hardening/5.1.5_disable_talk_client.sh b/bin/hardening/5.1.5_disable_talk_client.sh index d89287a..d182586 100755 --- a/bin/hardening/5.1.5_disable_talk_client.sh +++ b/bin/hardening/5.1.5_disable_talk_client.sh @@ -15,12 +15,12 @@ set -u # One variable unset, it's over HARDENING_LEVEL=2 PACKAGES='talk inetutils-talk' -PACKAGES_REDHAT='talk' +PACKAGES_CENTOS='talk' # This function will be called if the script status is on enabled / audit mode audit () { if [ $OS_RELEASE -eq 2 ]; then - PACKAGES=$PACKAGES_REDHAT + PACKAGES=$PACKAGES_CENTOS fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE @@ -35,7 +35,7 @@ audit () { # This function will be called if the script status is on enabled mode apply () { if [ $OS_RELEASE -eq 2 ]; then - PACKAGES=$PACKAGES_REDHAT + PACKAGES=$PACKAGES_CENTOS fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE diff --git a/bin/hardening/5.1.6_disable_telnet_server.sh b/bin/hardening/5.1.6_disable_telnet_server.sh index 4c4306f..12382c5 100755 --- a/bin/hardening/5.1.6_disable_telnet_server.sh +++ b/bin/hardening/5.1.6_disable_telnet_server.sh @@ -18,7 +18,7 @@ HARDENING_LEVEL=2 PACKAGES='telnetd inetutils-telnetd telnetd-ssl krb5-telnetd heimdal-servers' FILE='/etc/inetd.conf' PATTERN='^telnet' -PACKAGE_REDHAT='telnet-server' +PACKAGE_CENTOS='telnet-server' audit_debian () { for PACKAGE in $PACKAGES; do 
@@ -43,11 +43,11 @@ audit_debian () { } audit_centos () { - is_pkg_installed $PACKAGE_REDHAT + is_pkg_installed $PACKAGE_CENTOS if [ $FNRET = 0 ]; then - crit "$PACKAGE_REDHAT is installed" + crit "$PACKAGE_CENTOS is installed" else - ok "$PACKAGE_REDHAT is absent" + ok "$PACKAGE_CENTOS is absent" fi } @@ -92,12 +92,12 @@ apply_debian () { } apply_centos () { - is_pkg_installed $PACKAGE_REDHAT + is_pkg_installed $PACKAGE_CENTOS if [ $FNRET = 0 ]; then - crit "$PACKAGE_REDHAT is installed, purging it" - yum remove $PACKAGE_REDHAT -y + crit "$PACKAGE_CENTOS is installed, purging it" + yum remove $PACKAGE_CENTOS -y else - ok "$PACKAGE_REDHAT is absent" + ok "$PACKAGE_CENTOS is absent" fi } diff --git a/bin/hardening/5.1.7_disable_inetd.sh b/bin/hardening/5.1.7_disable_inetd.sh index 8dbbb85..619cc0e 100755 --- a/bin/hardening/5.1.7_disable_inetd.sh +++ b/bin/hardening/5.1.7_disable_inetd.sh @@ -15,12 +15,12 @@ set -u # One variable unset, it's over HARDENING_LEVEL=3 PACKAGES='openbsd-inetd xinetd rlinetd' -PACKAGES_REDHAT='xinetd' +PACKAGES_CENTOS='xinetd' # This function will be called if the script status is on enabled / audit mode audit () { if [ $OS_RELEASE -eq 2 ]; then - PACKAGES=$PACKAGES_REDHAT + PACKAGES=$PACKAGES_CENTOS fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE @@ -35,7 +35,7 @@ audit () { # This function will be called if the script status is on enabled mode apply () { if [ $OS_RELEASE -eq 2 ]; then - PACKAGES=$PACKAGES_REDHAT + PACKAGES=$PACKAGES_CENTOS fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE diff --git a/bin/hardening/5.3_enable_openssh_server.sh b/bin/hardening/5.3_enable_openssh_server.sh index c44e8c4..6d88eb0 100755 --- a/bin/hardening/5.3_enable_openssh_server.sh +++ b/bin/hardening/5.3_enable_openssh_server.sh 
@@ -16,7 +16,7 @@ HARDENING_LEVEL=2 PACKAGES='openssh-server openssh-client' SERVICE_NAME='ssh.service' -SERVICE_NAME_REDHAT='sshd.service' +SERVICE_NAME_CENTOS='sshd.service' # This function will be called if the script status is on enabled / audit mode audit () { @@ -30,7 +30,7 @@ audit () { fi done if [ $OS_RELEASE -eq 2 ]; then - SERVICE_NAME=$SERVICE_NAME_REDHAT + SERVICE_NAME=$SERVICE_NAME_CENTOS fi is_service_active $SERVICE_NAME if [ $FNRET = 0 ]; then @@ -57,7 +57,7 @@ apply () { fi done if [ $OS_RELEASE -eq 2 ]; then - SERVICE_NAME=$SERVICE_NAME_REDHAT + SERVICE_NAME=$SERVICE_NAME_CENTOS fi is_service_active $SERVICE_NAME if [ $FNRET = 0 ]; then diff --git a/bin/hardening/6.10_disable_http_server.sh b/bin/hardening/6.10_disable_http_server.sh index cc2ab03..44d7d62 100755 --- a/bin/hardening/6.10_disable_http_server.sh +++ b/bin/hardening/6.10_disable_http_server.sh @@ -17,12 +17,12 @@ HARDENING_EXCEPTION=http # Based on aptitude search '~Phttpd' PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd' -PACKAGES_REDHAT='httpd pcp-pmda-nginx' +PACKAGES_CENTOS='httpd pcp-pmda-nginx' # This function will be called if the script status is on enabled / audit mode audit () { if [ $OS_RELEASE -eq 2 ]; then - PACKAGES=$PACKAGES_REDHAT + PACKAGES=$PACKAGES_CENTOS fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE @@ -41,7 +41,7 @@ audit () { # This function will be called if the script status is on enabled mode apply () { if [ $OS_RELEASE -eq 2 ]; then - PACKAGES=$PACKAGES_REDHAT + PACKAGES=$PACKAGES_CENTOS fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE diff --git a/bin/hardening/6.13_disable_http_proxy.sh b/bin/hardening/6.13_disable_http_proxy.sh index 6426085..1cf11fe 100755 --- a/bin/hardening/6.13_disable_http_proxy.sh +++ b/bin/hardening/6.13_disable_http_proxy.sh 
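Review bot: In 5.3_enable_openssh_server.sh only the service name gets a CentOS override; `PACKAGES='openssh-server openssh-client'` is left as is, and the client package on CentOS is named `openssh-clients`. If the package loop above the `if [ $OS_RELEASE -eq 2 ]` lines (outside these hunks) uses `$PACKAGES` unchanged, the audit would report the client as missing on every CentOS host. Suggest adding `PACKAGES_CENTOS='openssh-server openssh-clients'` and selecting it the same way `SERVICE_NAME_CENTOS` is selected.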
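Review bot: In 6.10_disable_http_server.sh `PACKAGES_CENTOS='httpd pcp-pmda-nginx'` does not contain `nginx` itself; `pcp-pmda-nginx` is the Performance Co-Pilot metrics agent for nginx, so a CentOS host running nginx would pass this audit. The list in 6.13_disable_http_proxy.sh has the opposite problem: `gssproxy` is a GSS-API credential proxy (used by Kerberized NFS, for example), not an HTTP proxy, so the check would presumably flag it and apply mode may remove it. Both lists read like name-pattern search results; suggest `PACKAGES_CENTOS='httpd nginx'` here and dropping `gssproxy` there, with a comment saying how each list was derived, as the Debian list in 6.10 has.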
@@ -16,12 +16,12 @@ HARDENING_LEVEL=3 HARDENING_EXCEPTION=http PACKAGES='squid3 squid' -PACKAGES_REDHAT='squid gssproxy haproxy' +PACKAGES_CENTOS='squid gssproxy haproxy' # This function will be called if the script status is on enabled / audit mode audit () { if [ $OS_RELEASE -eq 2 ]; then - PACKAGES=$PACKAGES_REDHAT + PACKAGES=$PACKAGES_CENTOS fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE @@ -40,7 +40,7 @@ audit () { # This function will be called if the script status is on enabled mode apply () { if [ $OS_RELEASE -eq 2 ]; then - PACKAGES=$PACKAGES_REDHAT + PACKAGES=$PACKAGES_CENTOS fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE diff --git a/bin/hardening/6.17_ensure_virul_scan_server_is_enabled.sh b/bin/hardening/6.17_ensure_virul_scan_server_is_enabled.sh index e46e2e2..a434640 100755 --- a/bin/hardening/6.17_ensure_virul_scan_server_is_enabled.sh +++ b/bin/hardening/6.17_ensure_virul_scan_server_is_enabled.sh @@ -14,7 +14,7 @@ set -u # One variable unset, it's over HARDENING_LEVEL=4 VIRULSERVER='clamav-daemon' -VIRULSERVER_REDHAT='clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd' +VIRULSERVER_CENTOS='clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd' # This function will be called if the script status is on enabled / audit mode audit () { @@ -58,10 +58,10 @@ apply () { fi elif [ $OS_RELEASE -eq 2 ]; then if [ $FNRET = 0 ]; then - ok "$VIRULSERVER_REDHAT is enable" + ok "$VIRULSERVER_CENTOS is enable" elif [ $FNRET = 1 ]; then - warn "Install $VIRULSERVER_REDHAT" - yum install -y $VIRULSERVER_REDHAT + warn "Install $VIRULSERVER_CENTOS" + yum install -y $VIRULSERVER_CENTOS else warn "Start server $VIRULSERVER" systemctl start $VIRULSERVER diff --git a/bin/hardening/6.2_disable_avahi_server.sh b/bin/hardening/6.2_disable_avahi_server.sh index 14ff01a..66837b5 100755 
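Review bot: In 6.17_ensure_virul_scan_server_is_enabled.sh the final `else` of the `$OS_RELEASE -eq 2` branch in apply() runs `systemctl start $VIRULSERVER`, and the only value visible for that variable is the Debian unit name `clamav-daemon`. Unless it is reassigned for CentOS outside the hunk, the start will fail on CentOS and the scanner stays down even though the script has logged that it is starting it. Suggest a separate CentOS service-name variable next to `VIRULSERVER_CENTOS` and using it here, e.g. `systemctl start "$VIRULSERVICE_CENTOS"` (the variable name is only a suggestion). `VIRULSERVER_CENTOS` also pulls in `clamav-devel`, a development package that a hardened host is unlikely to need.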
--- a/bin/hardening/6.2_disable_avahi_server.sh +++ b/bin/hardening/6.2_disable_avahi_server.sh @@ -16,12 +16,12 @@ HARDENING_LEVEL=3 HARDENING_EXCEPTION=dns PACKAGES='avahi-daemon libavahi-common-data libavahi-common3 libavahi-core7' -PKGS_PATTERN_REDHAT='avahi' +PKGS_PATTERN_CENTOS='avahi' # This function will be called if the script status is on enabled / audit mode audit () { if [ $OS_RELEASE -eq 2 ]; then - PACKAGES=$PKGS_PATTERN_REDHAT + PACKAGES=$PKGS_PATTERN_CENTOS fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE @@ -40,7 +40,7 @@ audit () { # This function will be called if the script status is on enabled mode apply () { if [ $OS_RELEASE -eq 2 ]; then - PACKAGES=$PKGS_PATTERN_REDHAT + PACKAGES=$PKGS_PATTERN_CENTOS fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE diff --git a/bin/hardening/6.3_disable_print_server.sh b/bin/hardening/6.3_disable_print_server.sh index f32b0b4..b79471a 100755 --- a/bin/hardening/6.3_disable_print_server.sh +++ b/bin/hardening/6.3_disable_print_server.sh @@ -16,12 +16,12 @@ HARDENING_LEVEL=3 HARDENING_EXCEPTION=cups PACKAGES='libcups2 libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1 cups-common cups-client cups-ppdc libcupsfilters1 cups-filters cups' -PACKAGES_REDHAT='cups' +PACKAGES_CENTOS='cups' # This function will be called if the script status is on enabled / audit mode audit () { if [ $OS_RELEASE -eq 2 ]; then - PACKAGES=$PACKAGES_REDHAT + PACKAGES=$PACKAGES_CENTOS fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE @@ -40,7 +40,7 @@ audit () { # This function will be called if the script status is on enabled mode apply () { if [ $OS_RELEASE -eq 2 ]; then - PACKAGES=$PACKAGES_REDHAT + PACKAGES=$PACKAGES_CENTOS fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE diff --git a/bin/hardening/6.4_disable_dhcp.sh b/bin/hardening/6.4_disable_dhcp.sh index 313bc8f..e8b1341 100755 --- a/bin/hardening/6.4_disable_dhcp.sh +++ b/bin/hardening/6.4_disable_dhcp.sh 
@@ -16,12 +16,12 @@ HARDENING_LEVEL=3 HARDENING_EXCEPTION=dhcp PACKAGES='udhcpd isc-dhcp-server' -PACKAGES_REDHAT='dnsmasq' +PACKAGES_CENTOS='dnsmasq' # This function will be called if the script status is on enabled / audit mode audit () { if [ $OS_RELEASE -eq 2 ]; then - PACKAGES=$PACKAGES_REDHAT + PACKAGES=$PACKAGES_CENTOS fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE @@ -40,7 +40,7 @@ audit () { # This function will be called if the script status is on enabled mode apply () { if [ $OS_RELEASE -eq 2 ]; then - PACKAGES=$PACKAGES_REDHAT + PACKAGES=$PACKAGES_CENTOS fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE diff --git a/bin/hardening/6.6_disable_ldap.sh b/bin/hardening/6.6_disable_ldap.sh index 7cd0d73..8d32f1b 100755 --- a/bin/hardening/6.6_disable_ldap.sh +++ b/bin/hardening/6.6_disable_ldap.sh @@ -16,12 +16,12 @@ HARDENING_LEVEL=3 HARDENING_EXCEPTION=ldap PACKAGES='slapd' -PACKAGES_REDHAT='openldap-servers' +PACKAGES_CENTOS='openldap-servers' # This function will be called if the script status is on enabled / audit mode audit () { if [ $OS_RELEASE -eq 2 ]; then - PACKAGES=$PACKAGES_REDHAT + PACKAGES=$PACKAGES_CENTOS fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE @@ -40,7 +40,7 @@ audit () { # This function will be called if the script status is on enabled mode apply () { if [ $OS_RELEASE -eq 2 ]; then - PACKAGES=$PACKAGES_REDHAT + PACKAGES=$PACKAGES_CENTOS fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE diff --git a/bin/hardening/6.8_disable_dns_server.sh b/bin/hardening/6.8_disable_dns_server.sh index d24cecb..6e7cad0 100755 --- a/bin/hardening/6.8_disable_dns_server.sh +++ b/bin/hardening/6.8_disable_dns_server.sh 
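Review bot: In 6.4_disable_dhcp.sh `PACKAGES_CENTOS='dnsmasq'` leaves out the ISC DHCP server, which CentOS ships as `dhcp` (CentOS 7) or `dhcp-server` (CentOS 8), so a host running dhcpd passes the audit. The Debian list does cover it with `isc-dhcp-server`. Suggest `PACKAGES_CENTOS='dhcp dhcp-server dnsmasq'`, plus a comment that `dnsmasq` can be installed as a dependency of other components (libvirt networking, for example), so removing it in apply mode may have side effects.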
@@ -16,12 +16,12 @@ HARDENING_LEVEL=3 HARDENING_EXCEPTION=dns PACKAGES='bind9 unbound' -PACKAGES_REDHAT='bind unbound bind-utils' +PACKAGES_CENTOS='bind unbound bind-utils' # This function will be called if the script status is on enabled / audit mode audit () { if [ $OS_RELEASE -eq 2 ]; then - PACKAGES=$PACKAGES_REDHAT + PACKAGES=$PACKAGES_CENTOS fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE @@ -40,7 +40,7 @@ audit () { # This function will be called if the script status is on enabled mode apply () { if [ $OS_RELEASE -eq 2 ]; then - PACKAGES=$PACKAGES_REDHAT + PACKAGES=$PACKAGES_CENTOS fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE diff --git a/bin/hardening/6.9_disable_ftp.sh b/bin/hardening/6.9_disable_ftp.sh index fa20da2..e131229 100755 --- a/bin/hardening/6.9_disable_ftp.sh +++ b/bin/hardening/6.9_disable_ftp.sh @@ -17,12 +17,12 @@ HARDENING_EXCEPTION=ftp # Based on aptitude search '~Pftp-server' PACKAGES='ftpd ftpd-ssl heimdal-servers inetutils-ftpd krb5-ftpd muddleftpd proftpd-basic pure-ftpd pure-ftpd-ldap pure-ftpd-mysql pure-ftpd-postgresql twoftpd-run vsftpd wzdftpd' -PACKAGE_REDHAT='tftp-server vsftpd' +PACKAGE_CENTOS='tftp-server vsftpd' # This function will be called if the script status is on enabled / audit mode audit () { if [ $OS_RELEASE -eq 2 ]; then - PACKAGES=$PACKAGE_REDHAT + PACKAGES=$PACKAGE_CENTOS fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE @@ -41,7 +41,7 @@ audit () { # This function will be called if the script status is on enabled mode apply () { if [ $OS_RELEASE -eq 2 ]; then - PACKAGES=$PACKAGE_REDHAT + PACKAGES=$PACKAGE_CENTOS fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE diff --git a/bin/hardening/7.4.1_install_tcp_wrapper.sh b/bin/hardening/7.4.1_install_tcp_wrapper.sh index efe707d..7982b03 100755 --- a/bin/hardening/7.4.1_install_tcp_wrapper.sh +++ b/bin/hardening/7.4.1_install_tcp_wrapper.sh 
@@ -15,7 +15,7 @@ set -u # One variable unset, it's over HARDENING_LEVEL=3 PACKAGE='tcpd' -PACKAGE_REDHAT='tcp_wrappers' +PACKAGE_CENTOS='tcp_wrappers' # This function will be called if the script status is on enabled / audit mode audit () { @@ -26,7 +26,7 @@ audit () { ok "So PASS." return 0 else - PACKAGE=$PACKAGE_REDHAT + PACKAGE=$PACKAGE_CENTOS fi fi is_pkg_installed $PACKAGE @@ -46,7 +46,7 @@ apply () { ok "So PASS." return 0 else - PACKAGE=$PACKAGE_REDHAT + PACKAGE=$PACKAGE_CENTOS fi fi is_pkg_installed $PACKAGE diff --git a/bin/hardening/7.7.1_enable_firewall.sh b/bin/hardening/7.7.1_enable_firewall.sh index 978df76..0d7ca0e 100755 --- a/bin/hardening/7.7.1_enable_firewall.sh +++ b/bin/hardening/7.7.1_enable_firewall.sh @@ -19,9 +19,9 @@ HARDENING_LEVEL=2 # Do as you want, but this script does not handle this PACKAGES='iptables iptables-persistent' -PACKAGES_REDHAT='iptables iptables-services nftables firewalld' +PACKAGES_CENTOS='iptables iptables-services nftables firewalld' SERVICENAME='netfilter-persistent' -SERVICENAME_REDHAT='iptables ip6tables' +SERVICENAME_CENTOS='iptables ip6tables' audit_debian () { for PACKAGE in $PACKAGES @@ -48,7 +48,7 @@ audit_debian () { } audit_centos () { - for PACKAGE in $PACKAGES_REDHAT + for PACKAGE in $PACKAGES_CENTOS do is_pkg_installed $PACKAGE if [ $FNRET != 0 ]; then @@ -61,7 +61,7 @@ audit_centos () { fi done if [ $FNRET = 0 ]; then - for SERVICENAME in $SERVICENAME_REDHAT + for SERVICENAME in $SERVICENAME_CENTOS do if [ $(systemctl status ${SERVICENAME} | grep -c "Active:.active") -ne 1 ]; then crit "${SERVICENAME} service is not actived" 
@@ -110,16 +110,16 @@ apply_debian () { apply_centos () { if [ $FNRET = 0 ]; then - ok "$PACKAGES_REDHAT is installed" + ok "$PACKAGES_CENTOS is installed" elif [ $FNRET = 1 ]; then - for PACKAGE in $PACKAGES_REDHAT + for PACKAGE in $PACKAGES_CENTOS do warn "$PACKAGE is absent, installing it" yum_install $PACKAGE done elif [ $FNRET = 2 ]; then - warn "Enable ${SERVICENAME_REDHAT} service to actived" - for SERVICENAME in ${SERVICENAME_REDHAT} + warn "Enable ${SERVICENAME_CENTOS} service to actived" + for SERVICENAME in ${SERVICENAME_CENTOS} do is_service_enabled ${SERVICENAME} if [ $FNRET = 1 ]; then diff --git a/bin/hardening/8.1.19_record_sshkeysign_usage.sh b/bin/hardening/8.1.19_record_sshkeysign_usage.sh index ee2b0e9..5d7fc70 100755 --- a/bin/hardening/8.1.19_record_sshkeysign_usage.sh +++ b/bin/hardening/8.1.19_record_sshkeysign_usage.sh @@ -17,7 +17,7 @@ FILE='/etc/audit/rules.d/audit.rules' AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh" -AUDIT_PARAMS_REDHAT="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh +AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh" AUDIT_PARAMS="" @@ -75,7 +75,7 @@ check_config() { if [ $OS_RELEASE -eq 1 ]; then AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN elif [ $OS_RELEASE -eq 2 ]; then - AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT + AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS fi } diff --git a/bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh b/bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh index 7d12170..8897b3e 100755 
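Review bot: In 7.7.1_enable_firewall.sh apply_centos installs every entry of `PACKAGES_CENTOS`, which includes both `iptables-services` and `firewalld`, and then goes on to handle the `iptables`/`ip6tables` units, although firewalld and the iptables services are alternatives that conflict at the unit level. On a host that already filters with firewalld, apply mode could therefore replace the active ruleset with whatever iptables-services loads, and nothing visible in the hunk checks for that. Suggest restricting the required set to one backend, e.g. `PACKAGES_CENTOS='iptables iptables-services'`, or checking firewalld's state before touching the iptables units. In the audit_centos hunk of the same file, `systemctl is-active --quiet "$SERVICENAME"` would be a sturdier test than grepping `systemctl status` output. apply_centos continues past the end of the hunk.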
--- a/bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh +++ b/bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh @@ -19,7 +19,7 @@ AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1 -a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" -AUDIT_PARAMS_REDHAT="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd +AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd -a always,exit -F path=/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" @@ -79,7 +79,7 @@ check_config() { if [ $OS_RELEASE -eq 1 ]; then AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN elif [ $OS_RELEASE -eq 2 ]; then - AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT + AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS fi } diff --git a/bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh b/bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh index d5ec62d..ea48d58 100755 --- a/bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh +++ b/bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh 
@@ -21,7 +21,7 @@ AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F a -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change" -AUDIT_PARAMS_REDHAT="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +AUDIT_PARAMS_CENTOS="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change @@ -83,7 +83,7 @@ check_config() { if [ $OS_RELEASE -eq 1 ]; then AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN elif [ $OS_RELEASE -eq 2 ]; then - AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT + AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS fi } diff --git a/bin/hardening/8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh b/bin/hardening/8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh index 80fcd71..034ae2b 100755 --- a/bin/hardening/8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh +++ b/bin/hardening/8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh 
@@ -17,7 +17,7 @@ FILE='/etc/audit/rules.d/audit.rules' AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix' -AUDIT_PARAMS_REDHAT='-a always,exit -F path=/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix +AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix -a always,exit -F path=/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix' AUDIT_PARAMS="" @@ -75,7 +75,7 @@ check_config() { if [ $OS_RELEASE -eq 1 ]; then AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN elif [ $OS_RELEASE -eq 2 ]; then - AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT + AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS fi } diff --git a/bin/hardening/8.1.24_record_crontab_cmd_usage.sh b/bin/hardening/8.1.24_record_crontab_cmd_usage.sh index ed5f5eb..7a61b4f 100755 --- a/bin/hardening/8.1.24_record_crontab_cmd_usage.sh +++ b/bin/hardening/8.1.24_record_crontab_cmd_usage.sh @@ -16,7 +16,7 @@ HARDENING_LEVEL=4 FILE='/etc/audit/rules.d/audit.rules' AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron' -AUDIT_PARAMS_REDHAT='-a always,exit -F path=/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron' +AUDIT_PARAMS_CENTOS='-a always,exit -F path=/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron' AUDIT_PARAMS="" # This function will be called if the script status is on enabled / audit mode @@ -72,7 +72,7 @@ check_config() { if [ $OS_RELEASE -eq 1 ]; then AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN elif [ $OS_RELEASE -eq 2 ]; then - AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT + AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS fi } 
diff --git a/bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh b/bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh index a098a60..8595dab 100755 --- a/bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh +++ b/bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh @@ -16,7 +16,7 @@ HARDENING_LEVEL=4 FILE='/etc/audit/rules.d/audit.rules' AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam' -AUDIT_PARAMS_REDHAT='-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam' +AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam' AUDIT_PARAMS="" # This function will be called if the script status is on enabled / audit mode @@ -72,7 +72,7 @@ check_config() { if [ $OS_RELEASE -eq 1 ]; then AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN elif [ $OS_RELEASE -eq 2 ]; then - AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT + AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS fi } diff --git a/bin/hardening/8.1.29_record_usermod_cmd_usage.sh b/bin/hardening/8.1.29_record_usermod_cmd_usage.sh index 359dfce..2a52dbf 100755 --- a/bin/hardening/8.1.29_record_usermod_cmd_usage.sh +++ b/bin/hardening/8.1.29_record_usermod_cmd_usage.sh @@ -16,7 +16,7 @@ FILE='/etc/audit/rules.d/audit.rules' HARDENING_LEVEL=4 AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod' -AUDIT_PARAMS_REDHAT='-a always,exit -F path=/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod' +AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod' AUDIT_PARAMS="" # This function will be called if the script status is on enabled / audit mode 
@@ -72,7 +72,7 @@ check_config() { if [ $OS_RELEASE -eq 1 ]; then AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN elif [ $OS_RELEASE -eq 2 ]; then - AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT + AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS fi } diff --git a/bin/hardening/8.1.2_enable_auditd.sh b/bin/hardening/8.1.2_enable_auditd.sh index b435daf..b2afb8d 100755 --- a/bin/hardening/8.1.2_enable_auditd.sh +++ b/bin/hardening/8.1.2_enable_auditd.sh @@ -15,13 +15,13 @@ set -u # One variable unset, it's over HARDENING_LEVEL=4 PACKAGE='auditd' -PACKAGE_REDHAT='audit' +PACKAGE_CENTOS='audit' SERVICE_NAME='auditd' # This function will be called if the script status is on enabled / audit mode audit () { if [ $OS_RELEASE -eq 2 ]; then - PACKAGE=$PACKAGE_REDHAT + PACKAGE=$PACKAGE_CENTOS fi is_pkg_installed $PACKAGE if [ $FNRET != 0 ]; then @@ -40,7 +40,7 @@ audit () { # This function will be called if the script status is on enabled mode apply () { if [ $OS_RELEASE -eq 2 ]; then - PACKAGE=$PACKAGE_REDHAT + PACKAGE=$PACKAGE_CENTOS fi is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then diff --git a/bin/hardening/8.1.7_record_mac_edit.sh b/bin/hardening/8.1.7_record_mac_edit.sh index f9b45be..d9501ab 100755 --- a/bin/hardening/8.1.7_record_mac_edit.sh +++ b/bin/hardening/8.1.7_record_mac_edit.sh @@ -16,7 +16,7 @@ set -e # One error, it's over HARDENING_LEVEL=4 SELINUX_PKG="selinux-basics" -SELINUX_PKG_REDHAT="selinux-policy" +SELINUX_PKG_CENTOS="selinux-policy" SE_AUDIT_PARAMS="-a always,exit -F dir=/etc/selinux/ -F perm=wa -k MAC-policy -a always,exit -F dir=/usr/share/selinux/ -F perm=wa -k MAC-policy @@ -40,7 +40,7 @@ audit () { d_IFS=$IFS IFS=$'\n' if [ $OS_RELEASE -eq 2 ]; then - SELINUX_PKG=$SELINUX_PKG_REDHAT + SELINUX_PKG=$SELINUX_PKG_CENTOS fi is_pkg_installed $SELINUX_PKG if [ $FNRET = 0 ]; then @@ -72,7 +72,7 @@ apply () { d_IFS=$IFS IFS=$'\n' if [ $OS_RELEASE -eq 2 ]; then - SELINUX_PKG=$SELINUX_PKG_REDHAT + SELINUX_PKG=$SELINUX_PKG_CENTOS fi is_pkg_installed $SELINUX_PKG if [ $FNRET = 0 ]; then 
diff --git a/bin/hardening/8.1.8_record_login_logout.sh b/bin/hardening/8.1.8_record_login_logout.sh index d8c8932..dbbb410 100755 --- a/bin/hardening/8.1.8_record_login_logout.sh +++ b/bin/hardening/8.1.8_record_login_logout.sh @@ -18,14 +18,14 @@ HARDENING_LEVEL=4 AUDIT_PARAMS='-w /var/log/faillog -p wa -k logins -w /var/log/lastlog -p wa -k logins -w /var/log/tallylog -p wa -k logins' -AUDIT_PARAMS_REDHAT='-w /var/log/lastlog -p wa -k logins +AUDIT_PARAMS_CENTOS='-w /var/log/lastlog -p wa -k logins -w /var/log/tallylog -p wa -k logins' FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode audit () { if [ $OS_RELEASE -eq 2 ]; then - AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT + AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS fi # define custom IFS and save default one d_IFS=$IFS @@ -45,7 +45,7 @@ audit () { # This function will be called if the script status is on enabled mode apply () { if [ $OS_RELEASE -eq 2 ]; then - AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT + AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS fi d_IFS=$IFS IFS=$'\n' diff --git a/bin/hardening/8.1.9_record_session_init.sh b/bin/hardening/8.1.9_record_session_init.sh index 4d393c6..ac91ac2 100755 --- a/bin/hardening/8.1.9_record_session_init.sh +++ b/bin/hardening/8.1.9_record_session_init.sh @@ -17,14 +17,14 @@ HARDENING_LEVEL=4 AUDIT_PARAMS='-w /var/run/utmp -p wa -k session -w /var/log/wtmp -p wa -k session -w /var/log/btmp -p wa -k session' -AUDIT_PARAMS_REDHAT='-w /var/log/wtmp -p wa -k session +AUDIT_PARAMS_CENTOS='-w /var/log/wtmp -p wa -k session -w /var/log/btmp -p wa -k session' FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode audit () { if [ $OS_RELEASE -eq 2 ]; then - AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT + AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS fi # define custom IFS and save default one d_IFS=$IFS 
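Review bot: `AUDIT_PARAMS_CENTOS` in 8.1.8 watches only `/var/log/lastlog` and `/var/log/tallylog`, so on a CentOS release where failed logins are tracked by pam_faillock rather than pam_tally2, no `logins` rule covers the lockout records. If those releases are in scope, add a watch for the faillock directory, e.g. `-w /var/run/faillock/ -p wa -k logins`, and confirm the path against the target's PAM configuration. A one-line comment above the variable naming the CentOS versions the list was written for would show that leaving out `/var/log/faillog` is a choice.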
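Review bot: The CentOS list in 8.1.9 drops the `/var/run/utmp` watch that the default list has and keeps only `wtmp` and `btmp`, so changes to the current-session record would go unaudited there. Unless utmp is absent on the targeted releases, keep `-w /var/run/utmp -p wa -k session` in `AUDIT_PARAMS_CENTOS` as well, or state the reason for leaving it out in a comment next to the variable.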
@@ -44,7 +44,7 @@ audit () { # This function will be called if the script status is on enabled mode apply () { if [ $OS_RELEASE -eq 2 ]; then - AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT + AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS fi d_IFS=$IFS IFS=$'\n' diff --git a/bin/hardening/9.1.1_enable_cron.sh b/bin/hardening/9.1.1_enable_cron.sh index e1eb9fd..5395b63 100755 --- a/bin/hardening/9.1.1_enable_cron.sh +++ b/bin/hardening/9.1.1_enable_cron.sh @@ -17,14 +17,14 @@ HARDENING_LEVEL=3 PACKAGE="cron" SERVICE_NAME="cron" -PACKAGE_REDHAT="cronie" -SERVICE_NAME_REDHAT="crond" +PACKAGE_CENTOS="cronie" +SERVICE_NAME_CENTOS="crond" # This function will be called if the script status is on enabled / audit mode audit () { if [ $OS_RELEASE -eq 2 ]; then - PACKAGE=$PACKAGE_REDHAT - SERVICE_NAME=$SERVICE_NAME_REDHAT + PACKAGE=$PACKAGE_CENTOS + SERVICE_NAME=$SERVICE_NAME_CENTOS fi is_pkg_installed $PACKAGE if [ $FNRET != 0 ]; then @@ -43,8 +43,8 @@ audit () { # This function will be called if the script status is on enabled mode apply () { if [ $OS_RELEASE -eq 2 ]; then - PACKAGE=$PACKAGE_REDHAT - SERVICE_NAME=$SERVICE_NAME_REDHAT + PACKAGE=$PACKAGE_CENTOS + SERVICE_NAME=$SERVICE_NAME_CENTOS fi is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then diff --git a/bin/hardening/9.2.10_pam_maxclassrepeat_cracklib.sh b/bin/hardening/9.2.10_pam_maxclassrepeat_cracklib.sh index a7b46fb..dbef38d 100755 --- a/bin/hardening/9.2.10_pam_maxclassrepeat_cracklib.sh +++ b/bin/hardening/9.2.10_pam_maxclassrepeat_cracklib.sh @@ -20,7 +20,7 @@ PATTERN='^password.*pam_cracklib.so' FILE='/etc/pam.d/common-password' # Redhat/CentOS default use pam_pwquality -FILE_REDHAT='/etc/security/pwquality.conf' +FILE_CENTOS='/etc/security/pwquality.conf' OPTIONNAME='maxclassrepeat' 
@@ -52,15 +52,15 @@ audit_debian () { } audit_centos () { - check_param_pair_by_value $FILE_REDHAT $OPTIONNAME le $CONDT_VAL + check_param_pair_by_value $FILE_CENTOS $OPTIONNAME le $CONDT_VAL if [ $FNRET = 0 ]; then - ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT" + ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS" elif [ $FNRET = 1 ]; then - crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_REDHAT" + crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_CENTOS" elif [ $FNRET = 2 ]; then - crit "Option $OPTIONNAME is not conf in $FILE_REDHAT" + crit "Option $OPTIONNAME is not conf in $FILE_CENTOS" elif [ $FNRET = 3 ]; then - crit "Config file $FILE_REDHAT is not exist!" + crit "Config file $FILE_CENTOS is not exist!" fi } @@ -98,15 +98,15 @@ apply_debian () { apply_centos () { if [ $FNRET = 0 ]; then - ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT" + ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS" elif [ $FNRET = 1 ]; then - warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_REDHAT" - replace_in_file $FILE_REDHAT "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL" + warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS" + replace_in_file $FILE_CENTOS "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL" elif [ $FNRET = 2 ]; then - warn "$OPTIONNAME is not conf, add to $FILE_REDHAT" - add_end_of_file $FILE_REDHAT "$OPTIONNAME = $CONDT_VAL" + warn "$OPTIONNAME is not conf, add to $FILE_CENTOS" + add_end_of_file $FILE_CENTOS "$OPTIONNAME = $CONDT_VAL" elif [ $FNRET = 3 ]; then - crit "Config file $FILE_REDHAT is not exist!" + crit "Config file $FILE_CENTOS is not exist!" fi } diff --git a/bin/hardening/9.2.1_pam_retry_cracklib.sh b/bin/hardening/9.2.1_pam_retry_cracklib.sh index 0c68ed9..6a53697 100755 --- a/bin/hardening/9.2.1_pam_retry_cracklib.sh 
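Review bot: `apply_centos` in 9.2.10 branches on `$FNRET` straight away, without running `check_param_pair_by_value` itself as `audit_centos` does, so the branch it takes depends on whichever helper last set the global. Starting the function with `check_param_pair_by_value $FILE_CENTOS $OPTIONNAME le $CONDT_VAL` would make the apply step act on the file's current state rather than a stale result. The same pattern is in the `apply_centos` hunks of 9.2.2 through 9.2.9 (with `ge` where the audit uses `ge`), and `apply` in 9.2.1 tests `$FNRET` without first calling `is_pkg_installed`. Quoting the arguments (`"$FILE_CENTOS"`) would also be safer. The caller of these functions is outside the diff, so confirm it does not already refresh `$FNRET`.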
+++ b/bin/hardening/9.2.1_pam_retry_cracklib.sh @@ -20,10 +20,10 @@ PATTERN='^password.*pam_cracklib.so' FILE='/etc/pam.d/common-password' # Redhat/CentOS default use pam_pwquality -PACKAGE_REDHAT='libpwquality' -PAMLIBNAME_REDHAT='pam_pwquality.so' -PATTERN_REDHAT='^password.*pam_pwquality.so' -FILE_REDHAT='/etc/pam.d/system-auth' +PACKAGE_CENTOS='libpwquality' +PAMLIBNAME_CENTOS='pam_pwquality.so' +PATTERN_CENTOS='^password.*pam_pwquality.so' +FILE_CENTOS='/etc/pam.d/system-auth' OPTIONNAME='retry' @@ -33,10 +33,10 @@ CONDT_VAL=3 # This function will be called if the script status is on enabled / audit mode audit () { if [ $OS_RELEASE -eq 2 ]; then - PACKAGE=$PACKAGE_REDHAT - PAMLIBNAME=$PAMLIBNAME_REDHAT - PATTERN=$PATTERN_REDHAT - FILE=$FILE_REDHAT + PACKAGE=$PACKAGE_CENTOS + PAMLIBNAME=$PAMLIBNAME_CENTOS + PATTERN=$PATTERN_CENTOS + FILE=$FILE_CENTOS fi is_pkg_installed $PACKAGE if [ $FNRET != 0 ]; then @@ -64,10 +64,10 @@ audit () { # This function will be called if the script status is on enabled mode apply () { if [ $OS_RELEASE -eq 2 ]; then - PACKAGE=$PACKAGE_REDHAT - PAMLIBNAME=$PAMLIBNAME_REDHAT - PATTERN=$PATTERN_REDHAT - FILE=$FILE_REDHAT + PACKAGE=$PACKAGE_CENTOS + PAMLIBNAME=$PAMLIBNAME_CENTOS + PATTERN=$PATTERN_CENTOS + FILE=$FILE_CENTOS fi if [ $FNRET = 0 ]; then ok "$PACKAGE is installed" diff --git a/bin/hardening/9.2.2_pam_minlen_cracklib.sh b/bin/hardening/9.2.2_pam_minlen_cracklib.sh index ce7a154..3f97117 100755 --- a/bin/hardening/9.2.2_pam_minlen_cracklib.sh +++ b/bin/hardening/9.2.2_pam_minlen_cracklib.sh @@ -20,7 +20,7 @@ PATTERN='^password.*pam_cracklib.so' FILE='/etc/pam.d/common-password' # Redhat/CentOS default use pam_pwquality -FILE_REDHAT='/etc/security/pwquality.conf' +FILE_CENTOS='/etc/security/pwquality.conf' OPTIONNAME='minlen' 
@@ -52,15 +52,15 @@ audit_debian () { } audit_centos () { - check_param_pair_by_value $FILE_REDHAT $OPTIONNAME ge $CONDT_VAL + check_param_pair_by_value $FILE_CENTOS $OPTIONNAME ge $CONDT_VAL if [ $FNRET = 0 ]; then - ok "Option $OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_REDHAT" + ok "Option $OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_CENTOS" elif [ $FNRET = 1 ]; then - crit "Option $OPTIONNAME set condition is less than $CONDT_VAL in $FILE_REDHAT" + crit "Option $OPTIONNAME set condition is less than $CONDT_VAL in $FILE_CENTOS" elif [ $FNRET = 2 ]; then - crit "Option $OPTIONNAME is not conf in $FILE_REDHAT" + crit "Option $OPTIONNAME is not conf in $FILE_CENTOS" elif [ $FNRET = 3 ]; then - crit "Config file $FILE_REDHAT is not exist!" + crit "Config file $FILE_CENTOS is not exist!" fi } @@ -98,15 +98,15 @@ apply_debian () { apply_centos () { if [ $FNRET = 0 ]; then - ok "$OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_REDHAT" + ok "$OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_CENTOS" elif [ $FNRET = 1 ]; then - warn "Set option $OPTIONNAME to $CONDT_VAL in $FILE_REDHAT" - replace_in_file $FILE_REDHAT "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL" + warn "Set option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS" + replace_in_file $FILE_CENTOS "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL" elif [ $FNRET = 2 ]; then - warn "$OPTIONNAME is not conf, add to $FILE_REDHAT" - add_end_of_file $FILE_REDHAT "$OPTIONNAME = $CONDT_VAL" + warn "$OPTIONNAME is not conf, add to $FILE_CENTOS" + add_end_of_file $FILE_CENTOS "$OPTIONNAME = $CONDT_VAL" elif [ $FNRET = 3 ]; then - crit "Config file $FILE_REDHAT is not exist!" + crit "Config file $FILE_CENTOS is not exist!" fi } diff --git a/bin/hardening/9.2.3_pam_dcredit_cracklib.sh b/bin/hardening/9.2.3_pam_dcredit_cracklib.sh index 8b84a5c..4f5368f 100755 --- a/bin/hardening/9.2.3_pam_dcredit_cracklib.sh 
+++ b/bin/hardening/9.2.3_pam_dcredit_cracklib.sh @@ -20,7 +20,7 @@ PATTERN='^password.*pam_cracklib.so' FILE='/etc/pam.d/common-password' # Redhat/CentOS default use pam_pwquality -FILE_REDHAT='/etc/security/pwquality.conf' +FILE_CENTOS='/etc/security/pwquality.conf' OPTIONNAME='dcredit' @@ -52,15 +52,15 @@ audit_debian () { } audit_centos () { - check_param_pair_by_value $FILE_REDHAT $OPTIONNAME le $CONDT_VAL + check_param_pair_by_value $FILE_CENTOS $OPTIONNAME le $CONDT_VAL if [ $FNRET = 0 ]; then - ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT" + ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS" elif [ $FNRET = 1 ]; then - crit "Option $OPTIONNAME set condition is not set greater than $CONDT_VAL in $FILE_REDHAT" + crit "Option $OPTIONNAME set condition is not set greater than $CONDT_VAL in $FILE_CENTOS" elif [ $FNRET = 2 ]; then - crit "Option $OPTIONNAME is not conf in $FILE_REDHAT" + crit "Option $OPTIONNAME is not conf in $FILE_CENTOS" elif [ $FNRET = 3 ]; then - crit "Config file $FILE_REDHAT is not exist!" + crit "Config file $FILE_CENTOS is not exist!" fi } 
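Review bot: The `$FNRET = 1` message in `audit_centos` of 9.2.3 reads "set condition is not set greater than", which is garbled and, read literally, says the opposite of the failure it reports for an `le` check. The sibling scripts use the plain form; here it would be `crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_CENTOS"`.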
@@ -98,15 +98,15 @@ apply_debian () { apply_centos () { if [ $FNRET = 0 ]; then - ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT" + ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS" elif [ $FNRET = 1 ]; then - warn "Set option $OPTIONNAME to $CONDT_VAL in $FILE_REDHAT" - replace_in_file $FILE_REDHAT "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL" + warn "Set option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS" + replace_in_file $FILE_CENTOS "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL" elif [ $FNRET = 2 ]; then - warn "$OPTIONNAME is not conf, add to $FILE_REDHAT" - add_end_of_file $FILE_REDHAT "$OPTIONNAME = $CONDT_VAL" + warn "$OPTIONNAME is not conf, add to $FILE_CENTOS" + add_end_of_file $FILE_CENTOS "$OPTIONNAME = $CONDT_VAL" elif [ $FNRET = 3 ]; then - crit "Config file $FILE_REDHAT is not exist!" + crit "Config file $FILE_CENTOS is not exist!" fi } diff --git a/bin/hardening/9.2.4_pam_ucredit_cracklib.sh b/bin/hardening/9.2.4_pam_ucredit_cracklib.sh index 200867e..efc3de8 100755 --- a/bin/hardening/9.2.4_pam_ucredit_cracklib.sh +++ b/bin/hardening/9.2.4_pam_ucredit_cracklib.sh @@ -20,7 +20,7 @@ PATTERN='^password.*pam_cracklib.so' FILE='/etc/pam.d/common-password' # Redhat/CentOS default use pam_pwquality -FILE_REDHAT='/etc/security/pwquality.conf' +FILE_CENTOS='/etc/security/pwquality.conf' OPTIONNAME='ucredit' 
@@ -52,15 +52,15 @@ audit_debian () { } audit_centos () { - check_param_pair_by_value $FILE_REDHAT $OPTIONNAME le $CONDT_VAL + check_param_pair_by_value $FILE_CENTOS $OPTIONNAME le $CONDT_VAL if [ $FNRET = 0 ]; then - ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT" + ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS" elif [ $FNRET = 1 ]; then - crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_REDHAT" + crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_CENTOS" elif [ $FNRET = 2 ]; then - crit "Option $OPTIONNAME is not conf in $FILE_REDHAT" + crit "Option $OPTIONNAME is not conf in $FILE_CENTOS" elif [ $FNRET = 3 ]; then - crit "Config file $FILE_REDHAT is not exist!" + crit "Config file $FILE_CENTOS is not exist!" fi } @@ -99,15 +99,15 @@ apply_debian () { apply_centos () { if [ $FNRET = 0 ]; then - ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT" + ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS" elif [ $FNRET = 1 ]; then - warn "Set option $OPTIONNAME to $CONDT_VAL in $FILE_REDHAT" - replace_in_file $FILE_REDHAT "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL" + warn "Set option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS" + replace_in_file $FILE_CENTOS "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL" elif [ $FNRET = 2 ]; then - warn "$OPTIONNAME is not conf, add to $FILE_REDHAT" - add_end_of_file $FILE_REDHAT "$OPTIONNAME = $CONDT_VAL" + warn "$OPTIONNAME is not conf, add to $FILE_CENTOS" + add_end_of_file $FILE_CENTOS "$OPTIONNAME = $CONDT_VAL" elif [ $FNRET = 3 ]; then - crit "Config file $FILE_REDHAT is not exist!" + crit "Config file $FILE_CENTOS is not exist!" fi } diff --git a/bin/hardening/9.2.5_pam_ocredit_cracklib.sh b/bin/hardening/9.2.5_pam_ocredit_cracklib.sh index 168624c..31d0d63 100755 --- a/bin/hardening/9.2.5_pam_ocredit_cracklib.sh 
+++ b/bin/hardening/9.2.5_pam_ocredit_cracklib.sh @@ -20,7 +20,7 @@ PATTERN='^password.*pam_cracklib.so' FILE='/etc/pam.d/common-password' # Redhat/CentOS default use pam_pwquality -FILE_REDHAT='/etc/security/pwquality.conf' +FILE_CENTOS='/etc/security/pwquality.conf' OPTIONNAME='ocredit' @@ -52,15 +52,15 @@ audit_debian () { } audit_centos () { - check_param_pair_by_value $FILE_REDHAT $OPTIONNAME le $CONDT_VAL + check_param_pair_by_value $FILE_CENTOS $OPTIONNAME le $CONDT_VAL if [ $FNRET = 0 ]; then - ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT" + ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS" elif [ $FNRET = 1 ]; then - crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_REDHAT" + crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_CENTOS" elif [ $FNRET = 2 ]; then - crit "Option $OPTIONNAME is not conf in $FILE_REDHAT" + crit "Option $OPTIONNAME is not conf in $FILE_CENTOS" elif [ $FNRET = 3 ]; then - crit "Config file $FILE_REDHAT is not exist!" + crit "Config file $FILE_CENTOS is not exist!" fi } 
@@ -98,15 +98,15 @@ apply_debian () { apply_centos () { if [ $FNRET = 0 ]; then - ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT" + ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS" elif [ $FNRET = 1 ]; then - warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_REDHAT" - replace_in_file $FILE_REDHAT "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL" + warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS" + replace_in_file $FILE_CENTOS "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL" elif [ $FNRET = 2 ]; then - warn "$OPTIONNAME is not conf, add to $FILE_REDHAT" - add_end_of_file $FILE_REDHAT "$OPTIONNAME = $CONDT_VAL" + warn "$OPTIONNAME is not conf, add to $FILE_CENTOS" + add_end_of_file $FILE_CENTOS "$OPTIONNAME = $CONDT_VAL" elif [ $FNRET = 3 ]; then - crit "Config file $FILE_REDHAT is not exist!" + crit "Config file $FILE_CENTOS is not exist!" fi } diff --git a/bin/hardening/9.2.6_pam_lcredit_cracklib.sh b/bin/hardening/9.2.6_pam_lcredit_cracklib.sh index a85a1bd..7c3078d 100755 --- a/bin/hardening/9.2.6_pam_lcredit_cracklib.sh +++ b/bin/hardening/9.2.6_pam_lcredit_cracklib.sh @@ -20,7 +20,7 @@ PATTERN='^password.*pam_cracklib.so' FILE='/etc/pam.d/common-password' # Redhat/CentOS default use pam_pwquality -FILE_REDHAT='/etc/security/pwquality.conf' +FILE_CENTOS='/etc/security/pwquality.conf' OPTIONNAME='lcredit' 
@@ -52,15 +52,15 @@ audit_debian () { } audit_centos () { - check_param_pair_by_value $FILE_REDHAT $OPTIONNAME le $CONDT_VAL + check_param_pair_by_value $FILE_CENTOS $OPTIONNAME le $CONDT_VAL if [ $FNRET = 0 ]; then - ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT" + ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS" elif [ $FNRET = 1 ]; then - crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_REDHAT" + crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_CENTOS" elif [ $FNRET = 2 ]; then - crit "Option $OPTIONNAME is not conf in $FILE_REDHAT" + crit "Option $OPTIONNAME is not conf in $FILE_CENTOS" elif [ $FNRET = 3 ]; then - crit "Config file $FILE_REDHAT is not exist!" + crit "Config file $FILE_CENTOS is not exist!" fi } @@ -98,15 +98,15 @@ apply_debian () { apply_centos () { if [ $FNRET = 0 ]; then - ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT" + ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS" elif [ $FNRET = 1 ]; then - warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_REDHAT" - replace_in_file $FILE_REDHAT "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL" + warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS" + replace_in_file $FILE_CENTOS "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL" elif [ $FNRET = 2 ]; then - warn "$OPTIONNAME is not conf, add to $FILE_REDHAT" - add_end_of_file $FILE_REDHAT "$OPTIONNAME = $CONDT_VAL" + warn "$OPTIONNAME is not conf, add to $FILE_CENTOS" + add_end_of_file $FILE_CENTOS "$OPTIONNAME = $CONDT_VAL" elif [ $FNRET = 3 ]; then - crit "Config file $FILE_REDHAT is not exist!" + crit "Config file $FILE_CENTOS is not exist!" fi } diff --git a/bin/hardening/9.2.7_pam_difok_cracklib.sh b/bin/hardening/9.2.7_pam_difok_cracklib.sh index 5bcc6f1..4afcc46 100755 --- a/bin/hardening/9.2.7_pam_difok_cracklib.sh 
+++ b/bin/hardening/9.2.7_pam_difok_cracklib.sh @@ -20,7 +20,7 @@ PATTERN='^password.*pam_cracklib.so' FILE='/etc/pam.d/common-password' # Redhat/CentOS default use pam_pwquality -FILE_REDHAT='/etc/security/pwquality.conf' +FILE_CENTOS='/etc/security/pwquality.conf' OPTIONNAME='difok' @@ -52,15 +52,15 @@ audit_debian () { } audit_centos () { - check_param_pair_by_value $FILE_REDHAT $OPTIONNAME ge $CONDT_VAL + check_param_pair_by_value $FILE_CENTOS $OPTIONNAME ge $CONDT_VAL if [ $FNRET = 0 ]; then - ok "Option $OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_REDHAT" + ok "Option $OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_CENTOS" elif [ $FNRET = 1 ]; then - crit "Option $OPTIONNAME set condition is less than $CONDT_VAL in $FILE_REDHAT" + crit "Option $OPTIONNAME set condition is less than $CONDT_VAL in $FILE_CENTOS" elif [ $FNRET = 2 ]; then - crit "Option $OPTIONNAME is not conf in $FILE_REDHAT" + crit "Option $OPTIONNAME is not conf in $FILE_CENTOS" elif [ $FNRET = 3 ]; then - crit "Config file $FILE_REDHAT is not exist!" + crit "Config file $FILE_CENTOS is not exist!" fi } 
@@ -98,15 +98,15 @@ apply_debian () { apply_centos () { if [ $FNRET = 0 ]; then - ok "$OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_REDHAT" + ok "$OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_CENTOS" elif [ $FNRET = 1 ]; then - warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_REDHAT" - replace_in_file $FILE_REDHAT "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL" + warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS" + replace_in_file $FILE_CENTOS "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL" elif [ $FNRET = 2 ]; then - warn "$OPTIONNAME is not conf, add to $FILE_REDHAT" - add_end_of_file $FILE_REDHAT "$OPTIONNAME = $CONDT_VAL" + warn "$OPTIONNAME is not conf, add to $FILE_CENTOS" + add_end_of_file $FILE_CENTOS "$OPTIONNAME = $CONDT_VAL" elif [ $FNRET = 3 ]; then - crit "Config file $FILE_REDHAT is not exist!" + crit "Config file $FILE_CENTOS is not exist!" fi } diff --git a/bin/hardening/9.2.8_pam_minclass_cracklib.sh b/bin/hardening/9.2.8_pam_minclass_cracklib.sh index d81a5c9..bd14a07 100755 --- a/bin/hardening/9.2.8_pam_minclass_cracklib.sh +++ b/bin/hardening/9.2.8_pam_minclass_cracklib.sh @@ -20,7 +20,7 @@ PATTERN='^password.*pam_cracklib.so' FILE='/etc/pam.d/common-password' # Redhat/CentOS default use pam_pwquality -FILE_REDHAT='/etc/security/pwquality.conf' +FILE_CENTOS='/etc/security/pwquality.conf' OPTIONNAME='minclass' 
@@ -52,15 +52,15 @@ audit_debian () { } audit_centos () { - check_param_pair_by_value $FILE_REDHAT $OPTIONNAME ge $CONDT_VAL + check_param_pair_by_value $FILE_CENTOS $OPTIONNAME ge $CONDT_VAL if [ $FNRET = 0 ]; then - ok "Option $OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_REDHAT" + ok "Option $OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_CENTOS" elif [ $FNRET = 1 ]; then - crit "Option $OPTIONNAME set condition is less than $CONDT_VAL in $FILE_REDHAT" + crit "Option $OPTIONNAME set condition is less than $CONDT_VAL in $FILE_CENTOS" elif [ $FNRET = 2 ]; then - crit "Option $OPTIONNAME is not conf in $FILE_REDHAT" + crit "Option $OPTIONNAME is not conf in $FILE_CENTOS" elif [ $FNRET = 3 ]; then - crit "Config file $FILE_REDHAT is not exist!" + crit "Config file $FILE_CENTOS is not exist!" fi } @@ -98,15 +98,15 @@ apply_debian () { apply_centos () { if [ $FNRET = 0 ]; then - ok "$OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_REDHAT" + ok "$OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_CENTOS" elif [ $FNRET = 1 ]; then - warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_REDHAT" - replace_in_file $FILE_REDHAT "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL" + warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS" + replace_in_file $FILE_CENTOS "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL" elif [ $FNRET = 2 ]; then - warn "$OPTIONNAME is not conf, add to $FILE_REDHAT" - add_end_of_file $FILE_REDHAT "$OPTIONNAME = $CONDT_VAL" + warn "$OPTIONNAME is not conf, add to $FILE_CENTOS" + add_end_of_file $FILE_CENTOS "$OPTIONNAME = $CONDT_VAL" elif [ $FNRET = 3 ]; then - crit "Config file $FILE_REDHAT is not exist!" + crit "Config file $FILE_CENTOS is not exist!" fi } diff --git a/bin/hardening/9.2.9_pam_maxrepeat_cracklib.sh b/bin/hardening/9.2.9_pam_maxrepeat_cracklib.sh index 01f0efb..2495379 100755 --- a/bin/hardening/9.2.9_pam_maxrepeat_cracklib.sh 
+++ b/bin/hardening/9.2.9_pam_maxrepeat_cracklib.sh @@ -20,7 +20,7 @@ PATTERN='^password.*pam_cracklib.so' FILE='/etc/pam.d/common-password' # Redhat/CentOS default use pam_pwquality -FILE_REDHAT='/etc/security/pwquality.conf' +FILE_CENTOS='/etc/security/pwquality.conf' OPTIONNAME='maxrepeat' @@ -52,15 +52,15 @@ audit_debian () { } audit_centos () { - check_param_pair_by_value $FILE_REDHAT $OPTIONNAME le $CONDT_VAL + check_param_pair_by_value $FILE_CENTOS $OPTIONNAME le $CONDT_VAL if [ $FNRET = 0 ]; then - ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT" + ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS" elif [ $FNRET = 1 ]; then - crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_REDHAT" + crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_CENTOS" elif [ $FNRET = 2 ]; then - crit "Option $OPTIONNAME is not conf in $FILE_REDHAT" + crit "Option $OPTIONNAME is not conf in $FILE_CENTOS" elif [ $FNRET = 3 ]; then - crit "Config file $FILE_REDHAT is not exist!" + crit "Config file $FILE_CENTOS is not exist!" fi } 
@@ -98,15 +98,15 @@ apply_debian () { apply_centos () { if [ $FNRET = 0 ]; then - ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT" + ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS" elif [ $FNRET = 1 ]; then - warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_REDHAT" - replace_in_file $FILE_REDHAT "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL" + warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS" + replace_in_file $FILE_CENTOS "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL" elif [ $FNRET = 2 ]; then - warn "$OPTIONNAME is not conf, add to $FILE_REDHAT" - add_end_of_file $FILE_REDHAT "$OPTIONNAME = $CONDT_VAL" + warn "$OPTIONNAME is not conf, add to $FILE_CENTOS" + add_end_of_file $FILE_CENTOS "$OPTIONNAME = $CONDT_VAL" elif [ $FNRET = 3 ]; then - crit "Config file $FILE_REDHAT is not exist!" + crit "Config file $FILE_CENTOS is not exist!" fi } diff --git a/bin/hardening/9.5_pam_restrict_su.sh b/bin/hardening/9.5_pam_restrict_su.sh index 885da98..e5197f6 100755 --- a/bin/hardening/9.5_pam_restrict_su.sh +++ b/bin/hardening/9.5_pam_restrict_su.sh @@ -14,14 +14,14 @@ set -u # One variable unset, it's over HARDENING_LEVEL=3 PACKAGE='login' -PACKAGE_REDHAT='util-linux' +PACKAGE_CENTOS='util-linux' PATTERN='^auth[[:space:]]*required[[:space:]]*pam_wheel.so' FILE='/etc/pam.d/su' # This function will be called if the script status is on enabled / audit mode audit () { if [ $OS_RELEASE -eq 2 ]; then - PACKAGE=$PACKAGE_REDHAT + PACKAGE=$PACKAGE_CENTOS else : fi