Merge pull request #12 from hardenedlinux/master

Pull from master to harbian-audit-deepin

README-CN.md

@@ -151,24 +151,41 @@ EXCEPTIONS=""
 4) 设置基本的iptables防火墙规则 
 根据实现场景进行防火墙规则的配置，可参考HardenedLinux社区归纳的基于Debian GNU/Linux的防火墙规则的基本规则：
 [etc.iptables.rules.v4.sh](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/etc.iptables.rules.v4.sh)
-执行如下的命令进行部署:
+
+基于iptables的部署:
 ```
 $ INTERFACENAME="your network interfacename(Example eth0)"
-$ sed -i "s/PUB_IFS=.*/PUB_IFS=\"$INTERFACENAME\"/g" docs/configurations/etc.iptables.rules.v4.sh 
-$ sudo bash docs/configurations/etc.iptables.rules.v4.sh 
+$ sudo bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME
 $ sudo -s
 # iptables-save > /etc/iptables/rules.v4 
 # ip6tables-save > /etc/iptables/rules.v6 
 ```
-5) 使用passwd命令改变所有用户的密码，以满足pam_cracklib模块配置的密码复杂度及健壮性。
+基于nft的部署：
+按照以下命令修改nftables.conf(你的对外网口的名称，例如：eth0):
+```
+$ sed -i 's/^define int_if = ens33/define int_if = eth0/g' etc.nftables.conf 
+$ sudo nft -f ./etc.nftables.conf 
+```
+5) 当所有安全基线项都修复完成后，使用--final方法将完成以下的最终的工作：
+   1.使用passwd命令去重新设置常规用户及root用户的密码，以满足pam_cracklib模块配置的密码强度和健壮性。
+   2. 重新初始化aide工具的数据库。
+```
+$ sudo bin/hardening.sh --final
+```
 
 ## 特别注意 
-一些检查项需要依赖多次修复，且操作系统需要多次重启。需要进行两次修复的项有： 
+
+### 必须在第一次修复应用后进行修复的项  
+8.1.32  因为此项一旦设置，审计规则将不能够再进行添加。
+
+### 必须在所有项都修复应用后进行修复的项  
+8.4.1  8.4.2 这都是与aide检测文件完整性相关的项，最好是在所有项都修复好后再进行修复，以修复好的系统中的文件进行完整性的数据库的初始化。
+
+### 一些检查项需要依赖多次修复，且操作系统需要多次重启 
+#### 需要进行两次修复的项  
 8.1.1.2  
 8.1.1.3  
 8.1.12  
-
-需要修复3次的项： 
 4.5  
 
 ## 玩（如何添加检查项）
@@ -219,15 +236,15 @@ This document is a description of the additions to the sections not included in
 The HardenedLinux community has created public AMI images for three different regions.
 
 Destination region: US East(Ohio)   
-AMI ID: ami-0459b7f679f8941a4   
+AMI ID: ami-091d37e9d358aaa84   
 AMI Name: harbian-audit complianced for Debian GNU/Linux 9   
 
 Destination region: EU(Frankfurt)  
-AMI ID: ami-022f30970530a0c5b   
+AMI ID: ami-073725a8c2cf45418   
 AMI Name: harbian-audit complianced for Debian GNU/Linux 9   
 
 Destination region: Asia Pacific(Tokyo)  
-AMI ID: ami-003de0c48c2711265   
+AMI ID: ami-06c0adb6ee5e7d417   
 AMI Name: harbian-audit complianced for Debian GNU/Linux 9   
 
 #### 相关文档  

README.md

@@ -169,8 +169,7 @@ Set the corresponding firewall rules according to the applications used. Hardene
 to do the following:
 ```
 $ INTERFACENAME="your network interfacename(Example eth0)"
-$ sed -i "s/PUB_IFS=.*/PUB_IFS=\"$INTERFACENAME\"/g" docs/configurations/etc.iptables.rules.v4.sh 
-$ sudo bash docs/configurations/etc.iptables.rules.v4.sh 
+$ sudo bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME
 $ sudo -s
 # iptables-save > /etc/iptables/rules.v4 
 # ip6tables-save > /etc/iptables/rules.v6 
@@ -183,18 +182,28 @@ to do the following(your network interfacename(Example eth0)):
 $ sed -i 's/^define int_if = ens33/define int_if = eth0/g' etc.nftables.conf 
 $ sudo nft -f ./etc.nftables.conf 
 ```
-
-5) Use the passwd command to change the passwords of all users, and change the password to a secure and reliable password entry with the same password complexity set by the pam_cracklib module.
+5) When all repairs are completed. --final method will:
+   1. Use passwd command to change the password of the regular and root user to apply the password complexity and robustness of the pam_cracklib module configuration.
+   2. Aide reinitializes.
+```
+$ sudo bin/hardening.sh --final
+```
 
 ## Special Note 
 Some check items check a variety of situations and are interdependent, they must be applied (fix) multiple times, and the OS must be a reboot after each applies (fix). 
 
-Items that need to be fix twice:  
+### Items that must be applied after the first application(reboot after is better)
+8.1.32  Because this item is set, the audit rules will not be added. 
+
+### Items that must be applied after all application is ok
+8.4.1   
+8.4.2   
+These are all related to the aide. It is best to fix all the items after they have been fixed to fix the integrity of the database in the system. 
+
+### Items that need to be fix twice  
 8.1.1.2  
 8.1.1.3  
 8.1.12  
-
-Items that need to be fix three times:   
 4.5  
 
 ## Hacking
@@ -249,15 +258,15 @@ This document is a description of the additions to the sections not included in
 The HardenedLinux community has created public AMI images for three different regions.
 
 Destination region: US East(Ohio)   
-AMI ID: ami-0459b7f679f8941a4   
+AMI ID: ami-091d37e9d358aaa84   
 AMI Name: harbian-audit complianced for Debian GNU/Linux 9   
 
 Destination region: EU(Frankfurt)  
-AMI ID: ami-022f30970530a0c5b   
+AMI ID: ami-073725a8c2cf45418  
 AMI Name: harbian-audit complianced for Debian GNU/Linux 9   
 
 Destination region: Asia Pacific(Tokyo)  
-AMI ID: ami-003de0c48c2711265   
+AMI ID: ami-06c0adb6ee5e7d417   
 AMI Name: harbian-audit complianced for Debian GNU/Linux 9   
 
 #### Docs  

bin/hardening.sh

@@ -24,6 +24,7 @@ ALLOW_SERVICE_LIST=0
 SET_HARDENING_LEVEL=0
 SUDO_MODE=''
 INIT_G_CONFIG=0
+FINAL_G_CONFIG=0
 
 usage() {
     cat << EOF
@@ -32,11 +33,11 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
     --help -h
         Show this help
 	
-	--init 
-		Initialize the global configuration file(/etc/default/cis-hardening) based 
-		on the release version number.
+    --init 
+        Initialize the global configuration file(/etc/default/cis-hardening) based 
+        on the release version number.
     
-	--apply
+    --apply
         Apply hardening for enabled scripts.
         Beware that NO confirmation is asked whatsoever, which is why you're warmly
         advised to use --audit before, which can be regarded as a dry-run mode.
@@ -81,7 +82,13 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
         as http, mail, etc. Can be specified multiple times to allow multiple services.
         Use --allow-service-list to get a list of supported services.
         Example: 
-            bin/hardening.sh --set-hardening-level 5 --allow-service dns,http
+            bin/hardening.sh --set-hardening-level 5 --allow-service dns,http	
+
+    --final 
+        The final action that needs to be done when all repairs are completed. The action items are:
+        1. Use passwd to change the password of the regular and root user to update the user 
+           password strength and robustness;
+        2. Aide reinitializes.
 
 OPTIONS:
 
@@ -148,6 +155,9 @@ while [[ $# > 0 ]]; do
 		--init)
 			INIT_G_CONFIG=1
 		;;
+		--final)
+			FINAL_G_CONFIG=1
+		;;
         *)
             usage
         ;;
@@ -170,6 +180,7 @@ fi
 [ -r $CIS_ROOT_DIR/lib/common.sh     ] && . $CIS_ROOT_DIR/lib/common.sh
 [ -r $CIS_ROOT_DIR/lib/utils.sh      ] && . $CIS_ROOT_DIR/lib/utils.sh
 
+# For --init
 if [ $INIT_G_CONFIG -eq 1 ]; then
 	if [ -r /etc/redhat-release ]; then
 		info "This OS is redhat/CentOS."
@@ -194,6 +205,36 @@ else
 	exit 128
 fi
 
+# For --final 
+if [ $FINAL_G_CONFIG -eq 1 ]; then
+	# Reset passwd for regular and root user 
+	USERSNAME=$(cat /etc/passwd | awk -F':' '{if($3>=1000 && $3<65534) {print $1}}')
+	for USER in $USERSNAME; do
+		RESETCONTIN="n"
+		read -p "Will password of $USER be reset, are you sure to continue?(y/N)"  RESETCONTIN
+		if [ "$RESETCONTIN" == "y" ]; then
+			passwd $USER 
+		else
+			continue
+		fi
+	done
+	RESETCONTIN="n"
+	read -p "Will password of root be reset, are you sure to continue?(y/N)"  RESETCONTIN
+	if [ "$RESETCONTIN" == "y" ]; then
+		passwd
+	fi
+
+	# Reinit aide database 
+	info "Will reinitialize the AIDE database"
+	if [ $OS_RELEASE -eq 1 ]; then
+		aideinit
+	elif [ $OS_RELEASE -eq 2 ]; then
+		aide --init
+        mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
+	fi
+	exit 0
+fi
+
 # If --allow-service-list is specified, don't run anything, just list the supported services
 if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then
     declare -a HARDENING_EXCEPTIONS_LIST

bin/hardening/2.1_tmp_partition.sh

@@ -16,7 +16,10 @@ HARDENING_LEVEL=2
 
 # Quick factoring as many script use the same logic
 PARTITION="/tmp"
-TMPMOUNTNAME="tmp.mount"
+SERVICENAME="tmp.mount"
+SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount"
+REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
+DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount"
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
@@ -36,19 +39,12 @@ audit () {
 		fi
 	else
     	warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service"
-		if [ $(systemctl | grep -c "tmp.mount[[:space:]]*loaded[[:space:]]active[[:space:]]mounted") -eq 1 ]; then
-	 		ok "$TMPMOUNTNAME service is active!"
-       		is_mounted "$PARTITION"
-			if [ $FNRET -gt 0 ]; then
-       			warn "$PARTITION is not mounted"
-           		FNRET=3
-        	else
-       			ok "$PARTITION is mounted"
-          		FNRET=0
-			fi
+		is_service_active $SERVICENAME
+		if [ $FNRET -eq 0 ]; then
+	 		ok "$SERVICENAME service is active!"
 		else
-    		crit "$TMPMOUNTNAME service is not active!"
-			FNRET=4			
+    		crit "$SERVICENAME service is inactive!"
+			FNRET=3			
 		fi
 	fi
 }
@@ -63,12 +59,30 @@ apply () {
 		warn "mounting $PARTITION"
         mount $PARTITION
 	elif [ $FNRET = 3 ]; then
-        $SUDO_CMD systemctl daemon-reload
-        $SUDO_CMD systemctl start "$TMPMOUNTNAME"
-	elif [ $FNRET = 4 ]; then
-        $SUDO_CMD systemctl enable "$TMPMOUNTNAME"
-	    $SUDO_CMD systemctl daemon-reload 
-	    $SUDO_CMD systemctl start "$TMPMOUNTNAME"
+		if [ $OS_RELEASE -eq 1 ]; then 
+			if [ -e $DEBIAN_SERVICEPATH ]; then
+				$SUDO_CMD systemctl enable "$SERVICENAME"
+				$SUDO_CMD systemctl daemon-reload
+				$SUDO_CMD systemctl start "$SERVICENAME"
+			else
+				if [ -e $SERVICEPATH_DEBIAN ]; then
+					cp $SERVICEPATH_DEBIAN $DEBIAN_SERVICEPATH
+					$SUDO_CMD systemctl enable "$SERVICENAME"
+					$SUDO_CMD systemctl daemon-reload
+					$SUDO_CMD systemctl start "$SERVICENAME"
+				else
+					crit "System unit file $DEBIAN_SERVICEPATH is not exist!"
+				fi
+			fi
+		elif [ $OS_RELEASE -eq 2 ]; then 
+			if [ -e $REDHAT_SERVICEPATH ]; then
+				$SUDO_CMD systemctl enable "$SERVICENAME"
+				$SUDO_CMD systemctl daemon-reload
+				$SUDO_CMD systemctl start "$SERVICENAME"
+			else
+				crit "System unit file $REDHAT_SERVICEPATH is not exist!"
+			fi
+		fi
 	fi
 }
 

bin/hardening/2.2_tmp_nodev.sh

@@ -18,8 +18,9 @@ HARDENING_LEVEL=2
 PARTITION="/tmp"
 OPTION="nodev"
 SERVICENAME="tmp.mount"
-SERVICEPATH="/usr/share/systemd/tmp.mount"
+SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount"
 REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
+DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount"
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
@@ -46,43 +47,45 @@ audit () {
        fi
     else
         warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service"
-        if [ -e $SERVICEPATH -o -e $REDHAT_SERVICEPATH ]; then
-			if [ $OS_RELEASE -eq 2 ]; then
-				has_mount_option_systemd $REDHAT_SERVICEPATH $OPTION 
-			else
-				has_mount_option_systemd $SERVICEPATH $OPTION 
-			fi
-            if [ $FNRET -gt 0 ]; then
-                crit "$PARTITION has no option $OPTION in systemd service!"
-                FNRET=3
-            else
-                ok "$PARTITION has $OPTION in systemd service"
-                has_mounted_option $PARTITION $OPTION
-                if [ $FNRET -gt 0 ]; then
-                    warn "$PARTITION is not mounted with $OPTION at runtime"
+		if [ $OS_RELEASE -eq 1 ]; then
+			UNITSERVICEPATH=$DEBIAN_SERVICEPATH
+		elif [ $OS_RELEASE -eq 2 ]; then
+			UNITSERVICEPATH=$REDHAT_SERVICEPATH
+		fi
+        if [ -e $UNITSERVICEPATH ]; then
+			has_mount_option_systemd $UNITSERVICEPATH $OPTION 
+           	if [ $FNRET -gt 0 ]; then
+               	crit "$PARTITION has no option $OPTION in systemd service!"
+               	FNRET=3
+           	else
+               	ok "$PARTITION has $OPTION in systemd service"
+               	has_mounted_option $PARTITION $OPTION
+               	if [ $FNRET -gt 0 ]; then
+                  	warn "$PARTITION is not mounted with $OPTION at runtime"
                     FNRET=5
                 else
                     ok "$PARTITION mounted with $OPTION"
 		            FNRET=0
                 fi
             fi
-        else
-			if [ $OS_RELEASE -eq 2 ]; then
-				crit "$REDHAT_SERVICEPATH is not exist!"	
-			else
-				crit "$SERVICEPATH is not exist!"
-			fi
-            FNRET=2  
-        fi
-    fi
+		else
+			crit "$UNITSERVICEPATH is not exist! Please apply 2.1 first!"
+			FNRET=2 
+		fi
+	fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply () {
+	if [ $OS_RELEASE -eq 1 ]; then
+		UNITSERVICEPATH=$DEBIAN_SERVICEPATH		
+	elif [ $OS_RELEASE -eq 2 ]; then
+		UNITSERVICEPATH=$REDHAT_SERVICEPATH
+	fi
     if [ $FNRET = 0 ]; then
         ok "$PARTITION is correctly set"
     elif [ $FNRET = 2 ]; then
-        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+		crit "System unit $UNITSERVICEPATH is not exist! Please apply 2.1 first!"
     elif [ $FNRET = 1 ]; then
         info "Adding $OPTION to fstab"
         add_option_to_fstab $PARTITION $OPTION
@@ -95,11 +98,7 @@ apply () {
         fi
     elif [ $FNRET = 3 ]; then
         info "Adding $OPTION to systemd"
-		if [ $OS_RELEASE -eq 2 ]; then
-			add_option_to_systemd $REDHAT_SERVICEPATH $OPTION $SERVICENAME
-		else
-			add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME
-		fi
+		add_option_to_systemd $UNITSERVICEPATH $OPTION $SERVICENAME
         remount_partition_by_systemd $SERVICENAME $PARTITION
     elif [ $FNRET = 4 ]; then
         info "Remounting $PARTITION from fstab"