diff --git a/README-CN.md b/README-CN.md index c4b52d0..82b732c 100644 --- a/README-CN.md +++ b/README-CN.md @@ -151,24 +151,41 @@ EXCEPTIONS="" 4) 设置基本的iptables防火墙规则 根据实现场景进行防火墙规则的配置,可参考HardenedLinux社区归纳的基于Debian GNU/Linux的防火墙规则的基本规则: [etc.iptables.rules.v4.sh](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/etc.iptables.rules.v4.sh) -执行如下的命令进行部署: + +基于iptables的部署: ``` $ INTERFACENAME="your network interfacename(Example eth0)" -$ sed -i "s/PUB_IFS=.*/PUB_IFS=\"$INTERFACENAME\"/g" docs/configurations/etc.iptables.rules.v4.sh -$ sudo bash docs/configurations/etc.iptables.rules.v4.sh +$ sudo bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME $ sudo -s # iptables-save > /etc/iptables/rules.v4 # ip6tables-save > /etc/iptables/rules.v6 ``` -5) 使用passwd命令改变所有用户的密码,以满足pam_cracklib模块配置的密码复杂度及健壮性。 +基于nft的部署: +按照以下命令修改nftables.conf(你的对外网口的名称,例如:eth0): +``` +$ sed -i 's/^define int_if = ens33/define int_if = eth0/g' etc.nftables.conf +$ sudo nft -f ./etc.nftables.conf +``` +5) 当所有安全基线项都修复完成后,使用--final方法将完成以下的最终的工作: + 1.使用passwd命令去重新设置常规用户及root用户的密码,以满足pam_cracklib模块配置的密码强度和健壮性。 + 2. 重新初始化aide工具的数据库。 +``` +$ sudo bin/hardening.sh --final +``` ## 特别注意 -一些检查项需要依赖多次修复,且操作系统需要多次重启。需要进行两次修复的项有: + +### 必须在第一次修复应用后进行修复的项 +8.1.32 因为此项一旦设置,审计规则将不能够再进行添加。 + +### 必须在所有项都修复应用后进行修复的项 +8.4.1 8.4.2 这都是与aide检测文件完整性相关的项,最好是在所有项都修复好后再进行修复,以修复好的系统中的文件进行完整性的数据库的初始化。 + +### 一些检查项需要依赖多次修复,且操作系统需要多次重启 +#### 需要进行两次修复的项 8.1.1.2 8.1.1.3 8.1.12 - -需要修复3次的项: 4.5 ## 玩(如何添加检查项) 
@@ -219,15 +236,15 @@ This document is a description of the additions to the sections not included in The HardenedLinux community has created public AMI images for three different regions. Destination region: US East(Ohio) -AMI ID: ami-0459b7f679f8941a4 +AMI ID: ami-091d37e9d358aaa84 AMI Name: harbian-audit complianced for Debian GNU/Linux 9 Destination region: EU(Frankfurt) -AMI ID: ami-022f30970530a0c5b +AMI ID: ami-073725a8c2cf45418 AMI Name: harbian-audit complianced for Debian GNU/Linux 9 Destination region: Asia Pacific(Tokyo) -AMI ID: ami-003de0c48c2711265 +AMI ID: ami-06c0adb6ee5e7d417 AMI Name: harbian-audit complianced for Debian GNU/Linux 9 #### 相关文档 diff --git a/README.md b/README.md index c70294e..00af8e5 100644 --- a/README.md +++ b/README.md @@ -169,8 +169,7 @@ Set the corresponding firewall rules according to the applications used. Hardene to do the following: ``` $ INTERFACENAME="your network interfacename(Example eth0)" -$ sed -i "s/PUB_IFS=.*/PUB_IFS=\"$INTERFACENAME\"/g" docs/configurations/etc.iptables.rules.v4.sh -$ sudo bash docs/configurations/etc.iptables.rules.v4.sh +$ sudo bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME $ sudo -s # iptables-save > /etc/iptables/rules.v4 # ip6tables-save > /etc/iptables/rules.v6 
@@ -183,18 +182,28 @@ to do the following(your network interfacename(Example eth0)): $ sed -i 's/^define int_if = ens33/define int_if = eth0/g' etc.nftables.conf $ sudo nft -f ./etc.nftables.conf ``` - -5) Use the passwd command to change the passwords of all users, and change the password to a secure and reliable password entry with the same password complexity set by the pam_cracklib module. +5) When all repairs are completed. --final method will: + 1. Use passwd command to change the password of the regular and root user to apply the password complexity and robustness of the pam_cracklib module configuration. + 2. Aide reinitializes. +``` +$ sudo bin/hardening.sh --final +``` ## Special Note Some check items check a variety of situations and are interdependent, they must be applied (fix) multiple times, and the OS must be a reboot after each applies (fix). -Items that need to be fix twice: +### Items that must be applied after the first application(reboot after is better) +8.1.32 Because this item is set, the audit rules will not be added. + +### Items that must be applied after all application is ok +8.4.1 +8.4.2 +These are all related to the aide. It is best to fix all the items after they have been fixed to fix the integrity of the database in the system. + +### Items that need to be fix twice 8.1.1.2 8.1.1.3 8.1.12 - -Items that need to be fix three times: 4.5 ## Hacking 
@@ -249,15 +258,15 @@ This document is a description of the additions to the sections not included in The HardenedLinux community has created public AMI images for three different regions. Destination region: US East(Ohio) -AMI ID: ami-0459b7f679f8941a4 +AMI ID: ami-091d37e9d358aaa84 AMI Name: harbian-audit complianced for Debian GNU/Linux 9 Destination region: EU(Frankfurt) -AMI ID: ami-022f30970530a0c5b +AMI ID: ami-073725a8c2cf45418 AMI Name: harbian-audit complianced for Debian GNU/Linux 9 Destination region: Asia Pacific(Tokyo) -AMI ID: ami-003de0c48c2711265 +AMI ID: ami-06c0adb6ee5e7d417 AMI Name: harbian-audit complianced for Debian GNU/Linux 9 #### Docs diff --git a/bin/hardening.sh b/bin/hardening.sh index efb4108..6635e1f 100755 --- a/bin/hardening.sh +++ b/bin/hardening.sh @@ -24,6 +24,7 @@ ALLOW_SERVICE_LIST=0 SET_HARDENING_LEVEL=0 SUDO_MODE='' INIT_G_CONFIG=0 +FINAL_G_CONFIG=0 usage() { cat << EOF @@ -32,11 +33,11 @@ $LONG_SCRIPT_NAME [OPTIONS], where RUN_MODE is one of: --help -h Show this help - --init - Initialize the global configuration file(/etc/default/cis-hardening) based - on the release version number. + --init + Initialize the global configuration file(/etc/default/cis-hardening) based + on the release version number. - --apply + --apply Apply hardening for enabled scripts. Beware that NO confirmation is asked whatsoever, which is why you're warmly advised to use --audit before, which can be regarded as a dry-run mode. 
@@ -81,7 +82,13 @@ $LONG_SCRIPT_NAME [OPTIONS], where RUN_MODE is one of: as http, mail, etc. Can be specified multiple times to allow multiple services. Use --allow-service-list to get a list of supported services. Example: - bin/hardening.sh --set-hardening-level 5 --allow-service dns,http + bin/hardening.sh --set-hardening-level 5 --allow-service dns,http + + --final + The final action that needs to be done when all repairs are completed. The action items are: + 1. Use passwd to change the password of the regular and root user to update the user + password strength and robustness; + 2. Aide reinitializes. OPTIONS: @@ -148,6 +155,9 @@ while [[ $# > 0 ]]; do --init) INIT_G_CONFIG=1 ;; + --final) + FINAL_G_CONFIG=1 + ;; *) usage ;; @@ -170,6 +180,7 @@ fi [ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh [ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh +# For --init if [ $INIT_G_CONFIG -eq 1 ]; then if [ -r /etc/redhat-release ]; then info "This OS is redhat/CentOS." 
@@ -194,6 +205,36 @@ else exit 128 fi +# For --final +if [ $FINAL_G_CONFIG -eq 1 ]; then + # Reset passwd for regular and root user + USERSNAME=$(cat /etc/passwd | awk -F':' '{if($3>=1000 && $3<65534) {print $1}}') + for USER in $USERSNAME; do + RESETCONTIN="n" + read -p "Will password of $USER be reset, are you sure to continue?(y/N)" RESETCONTIN + if [ "$RESETCONTIN" == "y" ]; then + passwd $USER + else + continue + fi + done + RESETCONTIN="n" + read -p "Will password of root be reset, are you sure to continue?(y/N)" RESETCONTIN + if [ "$RESETCONTIN" == "y" ]; then + passwd + fi + + # Reinit aide database + info "Will reinitialize the AIDE database" + if [ $OS_RELEASE -eq 1 ]; then + aideinit + elif [ $OS_RELEASE -eq 2 ]; then + aide --init + mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz + fi + exit 0 +fi + # If --allow-service-list is specified, don't run anything, just list the supported services if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then declare -a HARDENING_EXCEPTIONS_LIST diff --git a/bin/hardening/2.1_tmp_partition.sh b/bin/hardening/2.1_tmp_partition.sh index f062691..499d273 100755 --- a/bin/hardening/2.1_tmp_partition.sh +++ b/bin/hardening/2.1_tmp_partition.sh @@ -16,7 +16,10 @@ HARDENING_LEVEL=2 # Quick factoring as many script use the same logic PARTITION="/tmp" -TMPMOUNTNAME="tmp.mount" +SERVICENAME="tmp.mount" +SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount" +REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount" +DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount" # This function will be called if the script status is on enabled / audit mode audit () { 
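Review bot: In the `# Reinit aide database` branch, `aide --init` and the following `mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz` run unconditionally and the block then does `exit 0`, so a failed initialisation still replaces (or strands) the baseline and is reported as success; guard it, e.g. `aide --init || { info "aide --init failed, keeping existing database"; exit 1; }` ahead of the `mv`, and give the `$OS_RELEASE` chain an `else` that rejects unknown values the way the `--init` path reports the detected OS. Because the new database becomes the integrity reference for every later check, keeping a copy of the previous `aide.db.gz` before overwriting it (a `cp -p` to a dated name) is worth the one line. Neither `passwd` nor the aide calls carry the `$SUDO_CMD` prefix used elsewhere in this file, so the branch silently assumes it runs as root — a `[ "$(id -u)" -eq 0 ] ||` check with a clear message would make that explicit. `read -p` should be `read -r -p` so the answer is not backslash-interpreted.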
@@ -36,19 +39,12 @@ audit () { fi else warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service" - if [ $(systemctl | grep -c "tmp.mount[[:space:]]*loaded[[:space:]]active[[:space:]]mounted") -eq 1 ]; then - ok "$TMPMOUNTNAME service is active!" - is_mounted "$PARTITION" - if [ $FNRET -gt 0 ]; then - warn "$PARTITION is not mounted" - FNRET=3 - else - ok "$PARTITION is mounted" - FNRET=0 - fi + is_service_active $SERVICENAME + if [ $FNRET -eq 0 ]; then + ok "$SERVICENAME service is active!" else - crit "$TMPMOUNTNAME service is not active!" - FNRET=4 + crit "$SERVICENAME service is inactive!" + FNRET=3 fi fi } @@ -63,12 +59,30 @@ apply () { warn "mounting $PARTITION" mount $PARTITION elif [ $FNRET = 3 ]; then - $SUDO_CMD systemctl daemon-reload - $SUDO_CMD systemctl start "$TMPMOUNTNAME" - elif [ $FNRET = 4 ]; then - $SUDO_CMD systemctl enable "$TMPMOUNTNAME" - $SUDO_CMD systemctl daemon-reload - $SUDO_CMD systemctl start "$TMPMOUNTNAME" + if [ $OS_RELEASE -eq 1 ]; then + if [ -e $DEBIAN_SERVICEPATH ]; then + $SUDO_CMD systemctl enable "$SERVICENAME" + $SUDO_CMD systemctl daemon-reload + $SUDO_CMD systemctl start "$SERVICENAME" + else + if [ -e $SERVICEPATH_DEBIAN ]; then + cp $SERVICEPATH_DEBIAN $DEBIAN_SERVICEPATH + $SUDO_CMD systemctl enable "$SERVICENAME" + $SUDO_CMD systemctl daemon-reload + $SUDO_CMD systemctl start "$SERVICENAME" + else + crit "System unit file $DEBIAN_SERVICEPATH is not exist!" + fi + fi + elif [ $OS_RELEASE -eq 2 ]; then + if [ -e $REDHAT_SERVICEPATH ]; then + $SUDO_CMD systemctl enable "$SERVICENAME" + $SUDO_CMD systemctl daemon-reload + $SUDO_CMD systemctl start "$SERVICENAME" + else + crit "System unit file $REDHAT_SERVICEPATH is not exist!" + fi + fi fi } diff --git a/bin/hardening/2.2_tmp_nodev.sh b/bin/hardening/2.2_tmp_nodev.sh index eafa7f2..a79d443 100755 --- a/bin/hardening/2.2_tmp_nodev.sh +++ b/bin/hardening/2.2_tmp_nodev.sh 
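Review bot: In the Debian branch of apply() the inner `else` is reached when `$SERVICEPATH_DEBIAN` (the copy source) is missing, but the message names `$DEBIAN_SERVICEPATH`, the destination that was already known to be absent; it should read `crit "System unit file $SERVICEPATH_DEBIAN is not exist!"`. The `cp $SERVICEPATH_DEBIAN $DEBIAN_SERVICEPATH` into `/lib/systemd/system` lacks the `$SUDO_CMD` prefix the neighbouring `systemctl` calls carry, so the two lines disagree about whether the script already runs as root — pick one convention. The `if [ $OS_RELEASE -eq 1 ] … elif … 2` chain has no `else`, so an unexpected release value leaves FNRET=3 unhandled with no message; adding `else crit "Current OS is not support!"` matches what 6.17 does in this same commit. apply() starts before the hunk.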
@@ -18,8 +18,9 @@ HARDENING_LEVEL=2 PARTITION="/tmp" OPTION="nodev" SERVICENAME="tmp.mount" -SERVICEPATH="/usr/share/systemd/tmp.mount" +SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount" REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount" +DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount" # This function will be called if the script status is on enabled / audit mode audit () { 
@@ -46,43 +47,45 @@ audit () { fi else warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service" - if [ -e $SERVICEPATH -o -e $REDHAT_SERVICEPATH ]; then - if [ $OS_RELEASE -eq 2 ]; then - has_mount_option_systemd $REDHAT_SERVICEPATH $OPTION - else - has_mount_option_systemd $SERVICEPATH $OPTION - fi - if [ $FNRET -gt 0 ]; then - crit "$PARTITION has no option $OPTION in systemd service!" - FNRET=3 - else - ok "$PARTITION has $OPTION in systemd service" - has_mounted_option $PARTITION $OPTION - if [ $FNRET -gt 0 ]; then - warn "$PARTITION is not mounted with $OPTION at runtime" + if [ $OS_RELEASE -eq 1 ]; then + UNITSERVICEPATH=$DEBIAN_SERVICEPATH + elif [ $OS_RELEASE -eq 2 ]; then + UNITSERVICEPATH=$REDHAT_SERVICEPATH + fi + if [ -e $UNITSERVICEPATH ]; then + has_mount_option_systemd $UNITSERVICEPATH $OPTION + if [ $FNRET -gt 0 ]; then + crit "$PARTITION has no option $OPTION in systemd service!" + FNRET=3 + else + ok "$PARTITION has $OPTION in systemd service" + has_mounted_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + warn "$PARTITION is not mounted with $OPTION at runtime" FNRET=5 else ok "$PARTITION mounted with $OPTION" FNRET=0 fi fi - else - if [ $OS_RELEASE -eq 2 ]; then - crit "$REDHAT_SERVICEPATH is not exist!" - else - crit "$SERVICEPATH is not exist!" - fi - FNRET=2 - fi - fi + else + crit "$UNITSERVICEPATH is not exist! Please apply 2.1 first!" + FNRET=2 + fi + fi } # This function will be called if the script status is on enabled mode apply () { + if [ $OS_RELEASE -eq 1 ]; then + UNITSERVICEPATH=$DEBIAN_SERVICEPATH + elif [ $OS_RELEASE -eq 2 ]; then + UNITSERVICEPATH=$REDHAT_SERVICEPATH + fi if [ $FNRET = 0 ]; then ok "$PARTITION is correctly set" elif [ $FNRET = 2 ]; then - crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" + crit "System unit $UNITSERVICEPATH is not exist! Please apply 2.1 first!" 
elif [ $FNRET = 1 ]; then info "Adding $OPTION to fstab" add_option_to_fstab $PARTITION $OPTION @@ -95,11 +98,7 @@ apply () { fi elif [ $FNRET = 3 ]; then info "Adding $OPTION to systemd" - if [ $OS_RELEASE -eq 2 ]; then - add_option_to_systemd $REDHAT_SERVICEPATH $OPTION $SERVICENAME - else - add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME - fi + add_option_to_systemd $UNITSERVICEPATH $OPTION $SERVICENAME remount_partition_by_systemd $SERVICENAME $PARTITION elif [ $FNRET = 4 ]; then info "Remounting $PARTITION from fstab" diff --git a/bin/hardening/2.3_tmp_nosuid.sh b/bin/hardening/2.3_tmp_nosuid.sh index e41e267..e403c7f 100755 --- a/bin/hardening/2.3_tmp_nosuid.sh +++ b/bin/hardening/2.3_tmp_nosuid.sh @@ -17,9 +17,10 @@ HARDENING_LEVEL=2 # Quick factoring as many script use the same logic PARTITION="/tmp" OPTION="nosuid" -SERVICEPATH="/usr/share/systemd/tmp.mount" +SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount" SERVICENAME="tmp.mount" REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount" +DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount" # This function will be called if the script status is on enabled / audit mode audit () { 
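Review bot: `UNITSERVICEPATH` is assigned only when `$OS_RELEASE` is 1 or 2, in both audit() and apply(), and the chain has no `else`; these scripts run `set -u` (visible in the 2.3/2.4 headers), so any other value aborts at `[ -e $UNITSERVICEPATH ]` with an unbound-variable error instead of a finding. Add `else UNITSERVICEPATH=""; crit "Current OS is not support!"` to both chains and quote the test as `[ -e "$UNITSERVICEPATH" ]`, because an empty unquoted expansion turns it into `[ -e ]`, which evaluates true and would feed an empty path to has_mount_option_systemd. The same two points apply to the identical audit()/apply() hunks in 2.3_tmp_nosuid.sh and 2.4_tmp_noexec.sh. The OS-to-unit-path selection is now copied verbatim into four scripts; a shared helper in lib would keep them from drifting. audit() starts before the hunk.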
@@ -45,44 +46,46 @@ audit () { FNRET=1 fi else - warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service" - if [ -e $SERVICEPATH -o -e $REDHAT_SERVICEPATH ]; then - if [ $OS_RELEASE -eq 2 ]; then - has_mount_option_systemd $REDHAT_SERVICEPATH $OPTION + warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service" + if [ $OS_RELEASE -eq 1 ]; then + UNITSERVICEPATH=$DEBIAN_SERVICEPATH + elif [ $OS_RELEASE -eq 2 ]; then + UNITSERVICEPATH=$REDHAT_SERVICEPATH + fi + if [ -e $UNITSERVICEPATH ]; then + has_mount_option_systemd $UNITSERVICEPATH $OPTION + if [ $FNRET -gt 0 ]; then + crit "$PARTITION has no option $OPTION in systemd service!" + FNRET=3 else - has_mount_option_systemd $SERVICEPATH $OPTION + ok "$PARTITION has $OPTION in systemd service" + has_mounted_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + warn "$PARTITION is not mounted with $OPTION at runtime" + FNRET=5 + else + ok "$PARTITION mounted with $OPTION" + FNRET=0 + fi fi - if [ $FNRET -gt 0 ]; then - crit "$PARTITION has no option $OPTION in systemd service!" - FNRET=3 - else - ok "$PARTITION has $OPTION in systemd service" - has_mounted_option $PARTITION $OPTION - if [ $FNRET -gt 0 ]; then - warn "$PARTITION is not mounted with $OPTION at runtime" - FNRET=5 - else - ok "$PARTITION mounted with $OPTION" - FNRET=0 - fi - fi - else - if [ $OS_RELEASE -eq 2 ]; then - crit "$REDHAT_SERVICEPATH is not exist!" - else - crit "$SERVICEPATH is not exist!" - fi - FNRET=2 - fi - fi + else + crit "$UNITSERVICEPATH is not exist! Please apply 2.1 first!" 
+ FNRET=2 + fi + fi } # This function will be called if the script status is on enabled mode apply () { + if [ $OS_RELEASE -eq 1 ]; then + UNITSERVICEPATH=$DEBIAN_SERVICEPATH + elif [ $OS_RELEASE -eq 2 ]; then + UNITSERVICEPATH=$REDHAT_SERVICEPATH + fi if [ $FNRET = 0 ]; then ok "$PARTITION is correctly set" elif [ $FNRET = 2 ]; then - crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" + crit "System unit $UNITSERVICEPATH is not exist! Please apply 2.1 first!" elif [ $FNRET = 1 ]; then info "Adding $OPTION to fstab" add_option_to_fstab $PARTITION $OPTION @@ -95,11 +98,7 @@ apply () { fi elif [ $FNRET = 3 ]; then info "Adding $OPTION to systemd" - if [ $OS_RELEASE -eq 2 ]; then - add_option_to_systemd $REDHAT_SERVICEPATH $OPTION $SERVICENAME - else - add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME - fi + add_option_to_systemd $UNITSERVICEPATH $OPTION $SERVICENAME remount_partition_by_systemd $SERVICENAME $PARTITION elif [ $FNRET = 4 ]; then info "Remounting $PARTITION from fstab" diff --git a/bin/hardening/2.4_tmp_noexec.sh b/bin/hardening/2.4_tmp_noexec.sh index 52f16cb..618d75a 100755 --- a/bin/hardening/2.4_tmp_noexec.sh +++ b/bin/hardening/2.4_tmp_noexec.sh @@ -17,9 +17,10 @@ HARDENING_LEVEL=2 # Quick factoring as many script use the same logic PARTITION="/tmp" OPTION="noexec" -SERVICEPATH="/usr/share/systemd/tmp.mount" +SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount" SERVICENAME="tmp.mount" REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount" +DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount" # This function will be called if the script status is on enabled / audit mode audit () { 
@@ -46,43 +47,45 @@ audit () { fi else warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service" - if [ -e $SERVICEPATH -o -e $REDHAT_SERVICEPATH ]; then - if [ $OS_RELEASE -eq 2 ]; then - has_mount_option_systemd $REDHAT_SERVICEPATH $OPTION + if [ $OS_RELEASE -eq 1 ]; then + UNITSERVICEPATH=$DEBIAN_SERVICEPATH + elif [ $OS_RELEASE -eq 2 ]; then + UNITSERVICEPATH=$REDHAT_SERVICEPATH + fi + if [ -e $UNITSERVICEPATH ]; then + has_mount_option_systemd $UNITSERVICEPATH $OPTION + if [ $FNRET -gt 0 ]; then + crit "$PARTITION has no option $OPTION in systemd service!" + FNRET=3 else - has_mount_option_systemd $SERVICEPATH $OPTION + ok "$PARTITION has $OPTION in systemd service" + has_mounted_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + warn "$PARTITION is not mounted with $OPTION at runtime" + FNRET=5 + else + ok "$PARTITION mounted with $OPTION" + FNRET=0 + fi fi - if [ $FNRET -gt 0 ]; then - crit "$PARTITION has no option $OPTION in systemd service!" - FNRET=3 - else - ok "$PARTITION has $OPTION in systemd service" - has_mounted_option $PARTITION $OPTION - if [ $FNRET -gt 0 ]; then - warn "$PARTITION is not mounted with $OPTION at runtime" - FNRET=5 - else - ok "$PARTITION mounted with $OPTION" - FNRET=0 - fi - fi - else - if [ $OS_RELEASE -eq 2 ]; then - crit "$REDHAT_SERVICEPATH is not exist!" - else - crit "$SERVICEPATH is not exist!" - fi - FNRET=2 - fi - fi + else + crit "$UNITSERVICEPATH is not exist! Please apply 2.1 first!" + FNRET=2 + fi + fi } # This function will be called if the script status is on enabled mode apply () { + if [ $OS_RELEASE -eq 1 ]; then + UNITSERVICEPATH=$DEBIAN_SERVICEPATH + elif [ $OS_RELEASE -eq 2 ]; then + UNITSERVICEPATH=$REDHAT_SERVICEPATH + fi if [ $FNRET = 0 ]; then ok "$PARTITION is correctly set" elif [ $FNRET = 2 ]; then - crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" + crit "System unit $UNITSERVICEPATH is not exist! Please apply 2.1 first!" 
elif [ $FNRET = 1 ]; then info "Adding $OPTION to fstab" add_option_to_fstab $PARTITION $OPTION @@ -95,11 +98,7 @@ apply () { fi elif [ $FNRET = 3 ]; then info "Adding $OPTION to systemd" - if [ $OS_RELEASE -eq 2 ]; then - add_option_to_systemd $REDHAT_SERVICEPATH $OPTION $SERVICENAME - else - add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME - fi + add_option_to_systemd $UNITSERVICEPATH $OPTION $SERVICENAME remount_partition_by_systemd $SERVICENAME $PARTITION elif [ $FNRET = 4 ]; then info "Remounting $PARTITION from fstab" diff --git a/bin/hardening/6.17_ensure_virul_scan_server_is_enabled.sh b/bin/hardening/6.17_ensure_virul_scan_server_is_enabled.sh index 228e24b..2d236f4 100755 --- a/bin/hardening/6.17_ensure_virul_scan_server_is_enabled.sh +++ b/bin/hardening/6.17_ensure_virul_scan_server_is_enabled.sh 
@@ -17,31 +17,53 @@ VIRULSERVER='clamav-daemon' # This function will be called if the script status is on enabled / audit mode audit () { - if [ $(dpkg -l | grep -c $VIRULSERVER) -ge 1 ]; then - if [ $(systemctl | grep $VIRULSERVER | grep -c "active running") -ne 1 ]; then - crit "$VIRULSERVER is not runing" - FNRET=2 - else - ok "$VIRULSERVER is enable" - FNRET=0 - fi - else - crit "$VIRULSERVER is not installed" - FNRET=1 - fi + if [ $OS_RELEASE -eq 1 ]; then + if [ $(dpkg -l | grep -c $VIRULSERVER) -ge 1 ]; then + if [ $(systemctl | grep $VIRULSERVER | grep -c "active running") -ne 1 ]; then + crit "$VIRULSERVER is not runing" + FNRET=2 + else + ok "$VIRULSERVER is enable" + FNRET=0 + fi + else + crit "$VIRULSERVER is not installed" + FNRET=1 + fi + elif [ $OS_RELEASE -eq 2 ]; then + if [ $(rpm -qa | grep -c clamd) -ge 1 ]; then + ok "Clamav is installed" + else + crit "Clamav is not install" + fi + else + crit "Current OS is not support!" + fi } # This function will be called if the script status is on enabled mode apply () { - if [ $FNRET = 0 ]; then - ok "$VIRULSERVER is enable" - elif [ $FNRET = 1 ]; then - warn "Install $VIRULSERVER" - apt-get install -y $VIRULSERVER - else - warn "Start server $VIRULSERVER" - systemctl start $VIRULSERVER - fi + if [ $OS_RELEASE -eq 1 ]; then + if [ $FNRET = 0 ]; then + ok "$VIRULSERVER is enable" + elif [ $FNRET = 1 ]; then + warn "Install $VIRULSERVER" + apt-get install -y $VIRULSERVER + else + warn "Start server $VIRULSERVER" + systemctl start $VIRULSERVER + fi + elif [ $OS_RELEASE -eq 2 ]; then + if [ $FNRET = 0 ]; then + ok "$VIRULSERVER is enable" + elif [ $FNRET = 1 ]; then + warn "Install $VIRULSERVER" + yum install -y $VIRULSERVER + else + warn "Start server $VIRULSERVER" + systemctl start $VIRULSERVER + fi + fi } # This function will check config parameters required 
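Review bot: The new RedHat branch of audit() sets no FNRET on either path, so apply()'s RedHat branch keys off whatever FNRET held before (or an unbound variable under `set -u`), and a missing package can never reach the `yum install` arm; add `FNRET=0` after `ok "Clamav is installed"` and `FNRET=1` after `crit "Clamav is not install"`, and give the unsupported-OS arm a value too. The RedHat audit greps `rpm -qa` for `clamd`, yet apply() installs and starts `$VIRULSERVER` (`clamav-daemon`), which is the Debian package name, so the apply action does not correspond to what the audit checked — the RedHat branch should install and start the unit the audit looks for (presumably the `clamd` package/unit on EL; verify). The RedHat audit also has no running-state check, so FNRET=2 is unreachable there and the `systemctl start` arm is dead code.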
diff --git a/bin/hardening/6.18_ensure_virusscan_program_update_is_enabled.sh b/bin/hardening/6.18_ensure_virusscan_program_update_is_enabled.sh index d7956ec..10fe2f8 100755 --- a/bin/hardening/6.18_ensure_virusscan_program_update_is_enabled.sh +++ b/bin/hardening/6.18_ensure_virusscan_program_update_is_enabled.sh 
@@ -13,53 +13,73 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=4 -VIRULSERVER='clamav-daemon' CLAMAVCONF_DIR='/etc/clamav/clamd.conf' UPDATE_SERVER='clamav-freshclam' +audit_debian () { + UPDATE_DIR=$(grep -i databasedirectory "$CLAMAVCONF_DIR" | awk '{print $2}') + if [ -d $UPDATE_DIR -a -e $CLAMAVCONF_DIR ]; then + NOWTIME=$(date +"%s") + # This file extension name maybe change to .cvd or .cld + VIRUSTIME=$(stat -c "%Y" "$UPDATE_DIR"/daily.*) + INTERVALTIME=$((${NOWTIME}-${VIRUSTIME})) + if [ "${INTERVALTIME}" -ge 604800 ];then + crit "Clamav database file has a date older than seven days from the current date" + FNRET=3 + else + ok "Clamav database file has a date less than seven days from the current date" + FNRET=0 + fi + else + crit "Clamav config file or update dir is not exist" + FNRET=2 + fi +} + +# todo +audit_redhat () { + : +} + # This function will be called if the script status is on enabled / audit mode audit () { - if [ $(systemctl | grep $VIRULSERVER | grep "active running" | wc -l) -ne 1 ]; then - crit "$VIRULSERVER is not runing" - FNRET=1 - else - ok "$VIRULSERVER is runing" - UPDATE_DIR=$(grep -i databasedirectory "$CLAMAVCONF_DIR" | awk '{print $2}') - if [ -d $UPDATE_DIR -a -e $CLAMAVCONF_DIR ]; then - NOWTIME=$(date +"%s") - # This file extension name maybe change to .cvd or .cld - VIRUSTIME=$(stat -c "%Y" "$UPDATE_DIR"/daily.*) - INTERVALTIME=$((${NOWTIME}-${VIRUSTIME})) - if [ "${INTERVALTIME}" -ge 604800 ];then - crit "Database file has a date older than seven days from the current date" - FNRET=3 - else - ok "Database file has a date less than seven days from the current date" - FNRET=0 - fi - else - crit "Clamav config file or update dir is not exist" - FNRET=2 - fi - fi + if [ $OS_RELEASE -eq 1 ]; then + audit_debian + elif [ $OS_RELEASE -eq 2 ]; then + audit_redhat + else + crit "Current OS is not support!" 
+ fi } -# This function will be called if the script status is on enabled mode -apply () { +apply_debian () { if [ $FNRET = 0 ]; then - ok "Database file has a date less than seven days from the current date" - elif [ $FNRET = 1 ]; then - warn "Install $VIRULSERVER" - apt-get install -y $VIRULSERVER + ok "Clamav database file has a date less than seven days from the current date" elif [ $FNRET = 2 ]; then warn "Clamav config file or update dir is not exist, please check that is exist or check config" elif [ $FNRET = 3 ]; then - warn "Database file has a date older than seven days from the current date, start clamav-freshclam.service to update" + warn "Clamav database file has a date older than seven days from the current date, start clamav-freshclam.service to update" apt-get install -y $UPDATE_SERVER systemctl start $UPDATE_SERVER fi } +# todo +apply_redhat () { + : +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $OS_RELEASE -eq 1 ]; then + apply_debian + elif [ $OS_RELEASE -eq 2 ]; then + apply_redhat + else + crit "Current OS is not support!" + fi +} + # This function will check config parameters required check_config() { : diff --git a/bin/hardening/7.7.5.3_ensure_firewall_rules_exist_for_all_open_ports_for_v6.sh b/bin/hardening/7.7.5.3_ensure_firewall_rules_exist_for_all_open_ports_for_v6.sh index 2a498da..3b2a18e 100755 --- a/bin/hardening/7.7.5.3_ensure_firewall_rules_exist_for_all_open_ports_for_v6.sh +++ b/bin/hardening/7.7.5.3_ensure_firewall_rules_exist_for_all_open_ports_for_v6.sh 
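Review bot: `audit_redhat () { : }` is a no-op, so on `$OS_RELEASE` 2 audit() returns with FNRET untouched and the check emits neither ok nor crit — until the RedHat logic exists it should at least report, e.g. `audit_redhat () { warn "Clamav update check not implemented for this OS"; FNRET=2; }`, which reuses the "cannot check" status that apply_debian already handles with a warning only. In audit_debian the moved `VIRUSTIME=$(stat -c "%Y" "$UPDATE_DIR"/daily.*)` prints one timestamp per matching file, so when both `daily.cvd` and `daily.cld` exist (the comment above it anticipates either) the `$(( ))` fails and `set -e` aborts the script; take the newest with `VIRUSTIME=$(stat -c "%Y" "$UPDATE_DIR"/daily.* | sort -n | tail -n 1)`, and with no match at all the literal glob makes stat fail the same way. `[ -d $UPDATE_DIR -a -e $CLAMAVCONF_DIR ]` uses the deprecated `-a` and an unquoted `$UPDATE_DIR`; `[ -e "$CLAMAVCONF_DIR" ] && [ -d "$UPDATE_DIR" ]` is the safe form, and it also orders the checks so the config file is tested before the value grepped from it.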
@@ -39,7 +39,7 @@ audit () { if [ "$PROTO_TYPE" == 'udp6' ]; then PROTO_TYPE="udp" fi - LISTEN_PORT=$(echo ${LISTENING} | awk '{print $4}' | awk -F: '{print $4}') + LISTEN_PORT=$(echo ${LISTENING} | awk '{print $4}' | awk -F: '{print $NF}') if [ $($IPS6 -S | grep "^\-A INPUT \-p $PROTO_TYPE" | grep -c "\-\-dport $LISTEN_PORT \-m state \-\-state NEW \-j ACCEPT") -ge 1 ]; then info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set ipv6 firewall rules." else diff --git a/bin/hardening/8.1.16_record_sudo_usage.sh b/bin/hardening/8.1.16_record_sudo_usage.sh index 7c588aa..66e6f80 100755 --- a/bin/hardening/8.1.16_record_sudo_usage.sh +++ b/bin/hardening/8.1.16_record_sudo_usage.sh @@ -14,7 +14,6 @@ set -u # One variable unset, it's over HARDENING_LEVEL=4 -SUDOLOG='/var/log/sudo.log' AUDIT_VALUE='-w /var/log/sudo.log -p wa -k sudoaction' FILE='/etc/audit/rules.d/audit.rules' @@ -23,18 +22,12 @@ audit () { # define custom IFS and save default one d_IFS=$IFS IFS=$'\n' - if [ -f $SUDOLOG ]; then - debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - if [ $FNRET != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - FNRET=2 - else - ok "$AUDIT_VALUE is present in $FILE" - fi - else - crit "file $SUDOLOG is not exist!" + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" FNRET=1 + else + ok "$AUDIT_VALUE is present in $FILE" fi IFS=$d_IFS } 
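Review bot: In 8.1.16's audit() hunk the only remaining check is that `-w /var/log/sudo.log -p wa -k sudoaction` is in the rules file, while the apply() hunk that follows drops the `Defaults logfile="/var/log/sudo.log"` sudoers change that made sudo write there; the watch can now be present while nothing ever logs to that path, so the control is satisfied on paper but yields no events. If configuring sudo logging is intentionally out of scope for this item, audit() should still flag the gap, e.g. `[ -f /var/log/sudo.log ] || warn "/var/log/sudo.log is not exist, sudo logfile may not be configured"`, or the README should list sudo logging as a prerequisite. Whether auditd accepts a watch on a path that does not yet exist depends on the auditctl version in use — verify on both supported releases before relying on it. audit() starts before the hunk.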
@@ -45,15 +38,6 @@ apply () { d_IFS=$IFS IFS=$'\n' if [ $FNRET = 1 ]; then - warn "file $SUDOLOG is not exist! Set default logfile path in /etc/sudoers." - sed -i '$aDefaults logfile="/var/log/sudo.log"' /etc/sudoers - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - if [ $FNRET != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" - add_end_of_file $FILE $AUDIT_VALUE - check_auditd_is_immutable_mode - fi - elif [ $FNRET = 2 ]; then warn "$AUDIT_VALUE is not in file $FILE, adding it" add_end_of_file $FILE $AUDIT_VALUE check_auditd_is_immutable_mode diff --git a/bin/hardening/8.1.17_record_kernel_modules.sh b/bin/hardening/8.1.17_record_kernel_modules.sh index b00ef48..fe43549 100755 --- a/bin/hardening/8.1.17_record_kernel_modules.sh +++ b/bin/hardening/8.1.17_record_kernel_modules.sh @@ -14,13 +14,13 @@ set -u # One variable unset, it's over HARDENING_LEVEL=4 -ARCH64_AUDIT_PARAMS='-w /sbin/insmod -p x -k modules +ARCH64_AUDIT_PARAMS='-w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules -w /bin/kmod -p x -k modules -a always,exit -F arch=b32 -S init_module -S delete_module -S create_module -S finit_module -k modules -a always,exit -F arch=b64 -S init_module -S delete_module -S create_module -S finit_module -k modules' -ARCH32_AUDIT_PARAMS='-w /sbin/insmod -p x -k modules +ARCH32_AUDIT_PARAMS='-w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules -w /bin/kmod -p x -k modules @@ -34,8 +34,8 @@ audit () { d_IFS=$IFS IFS=$'\n' is_64bit_arch - if [ $FNRET=0 ]; then - AUDIT_PARAMS=$ARCH64_AUDIT_PARAMS + if [ $FNRET=0 ]; then + AUDIT_PARAMS=$ARCH64_AUDIT_PARAMS else AUDIT_PARAMS=$ARCH32_AUDIT_PARAMS fi diff --git a/bin/hardening/8.1.32_record_Events_netfilter.sh b/bin/hardening/8.1.18_record_Events_netfilter.sh similarity index 100% rename from bin/hardening/8.1.32_record_Events_netfilter.sh rename to bin/hardening/8.1.18_record_Events_netfilter.sh 
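Review bot: In 8.1.17's second hunk the re-emitted line `if [ $FNRET=0 ]; then` tests a single non-empty string (`0=0` or `1=0`), so it is always true and `AUDIT_PARAMS` is always `$ARCH64_AUDIT_PARAMS` regardless of what `is_64bit_arch` reported; it should be `if [ $FNRET -eq 0 ]; then`. Since this hunk already touches that line for whitespace, the one-token fix belongs in the same change. The consequence is that the `-F arch=b64` rules are loaded on 32-bit kernels, where auditctl is likely to reject them (verify), leaving module loading unaudited there. The enclosing audit() starts before the hunk.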
diff --git a/bin/hardening/8.1.19_record_sshkeysign_usage.sh b/bin/hardening/8.1.19_record_sshkeysign_usage.sh index f89d331..a6eed36 100755 --- a/bin/hardening/8.1.19_record_sshkeysign_usage.sh +++ b/bin/hardening/8.1.19_record_sshkeysign_usage.sh @@ -10,16 +10,17 @@ # set -u # One variable unset, it's over +set -e # One error, it's over HARDENING_LEVEL=4 +FILE='/etc/audit/rules.d/audit.rules' +AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh +-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh" +AUDIT_PARAMS_REDHAT="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh +-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh" -AUDIT_PARAMS="-a always,exit -F path=$(find /usr/ -name "ssh-keysign") -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh --a always,exit -F path=$(which ssh-agent 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh" - -set -e # One error, it's over - -FILE='/etc/audit/rules.d/audit.rules' +AUDIT_PARAMS="" # This function will be called if the script status is on enabled / audit mode audit () { @@ -71,7 +72,11 @@ apply () { # This function will check config parameters required check_config() { - : + if [ $OS_RELEASE -eq 1 ]; then + AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN + elif [ $OS_RELEASE -eq 2 ]; then + AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT + fi } # Source Root Dir Parameter diff --git a/bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh b/bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh index 242f564..f5a3c93 100755 --- a/bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh +++ b/bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh 
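Review bot: check_config() in 8.1.19 assigns `AUDIT_PARAMS` only for `$OS_RELEASE` 1 or 2 and otherwise leaves the new `AUDIT_PARAMS=""` default, so on an unrecognised release audit() and apply() (outside the hunk) search for, and append, an empty rule instead of failing; add `else crit "Current OS is not support!"` to the chain, as 6.17 does in this commit, and the same applies to the identical check_config hunk in 8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh. Replacing `$(find /usr/ -name "ssh-keysign")` and `$(which … 2>/dev/null)` with fixed per-release paths removes the empty-`path=` failure mode, but now a path that does not match the installed binary is silently written into the rules; a `[ -x /usr/lib/openssh/ssh-keysign ] || warn "…"` style check in check_config would catch that at apply time. The `set -e` move ahead of the assignments is fine since nothing in them can fail any more.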
@@ -10,16 +10,21 @@ # set -u # One variable unset, it's over +set -e # One error, it's over HARDENING_LEVEL=4 +FILE='/etc/audit/rules.d/audit.rules' -AUDIT_PARAMS="-a always,exit -F path=$(which passwd 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd --a always,exit -F path=$(which unix_chkpwd 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd --a always,exit -F path=$(which gpasswd 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd --a always,exit -F path=$(which chage 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" +AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd +-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd +-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" +AUDIT_PARAMS_REDHAT="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd +-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd +-a always,exit -F path=/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" -set -e # One error, it's over -FILE='/etc/audit/rules.d/audit.rules' +AUDIT_PARAMS="" # This function will be called if the script status is on enabled / audit mode audit () { @@ -71,7 +76,11 @@ apply () { # This function will check config parameters required check_config() { - : + if [ $OS_RELEASE -eq 1 ]; then + AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN + elif [ $OS_RELEASE -eq 2 ]; then + AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT + fi } # Source Root Dir Parameter 
diff --git a/bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh b/bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh index 229fac8..3605dc8 100755 --- a/bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh +++ b/bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh 
@@ -10,18 +10,25 @@ # set -u # One variable unset, it's over +set -e # One error, it's over HARDENING_LEVEL=4 +FILE='/etc/audit/rules.d/audit.rules' -AUDIT_PARAMS="-a always,exit -F path=$(which su 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=$(which sudo 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=$(which newgrp 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=$(which chsh 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=$(which sudoedit 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=$(which chfn 2>/dev/null) -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change" +AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change" +AUDIT_PARAMS_REDHAT="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a 
always,exit -F path=/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change" -set -e # One error, it's over -FILE='/etc/audit/rules.d/audit.rules' +AUDIT_PARAMS="" # This function will be called if the script status is on enabled / audit mode audit () { @@ -73,7 +80,11 @@ apply () { # This function will check config parameters required check_config() { - : + if [ $OS_RELEASE -eq 1 ]; then + AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN + elif [ $OS_RELEASE -eq 2 ]; then + AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT + fi } # Source Root Dir Parameter diff --git a/bin/hardening/8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh b/bin/hardening/8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh index 0f2791f..7a062fd 100755 --- a/bin/hardening/8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh +++ b/bin/hardening/8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh 
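Review bot: The chfn rule keeps `-F auid>=500` on both the Debian and RedHat sides of 8.1.22 while every other rule in the block filters on `auid>=1000`, so the threshold is inconsistent with the UID_MIN the rest of the file assumes; it reads like a leftover from the old RHEL6 default rather than a deliberate choice. Use `-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change` (and `/bin/chfn` in the RedHat set). If 500 is intentional, a one-line comment saying why would save the next reader the question.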
@@ -10,14 +10,17 @@ # set -u # One variable unset, it's over +set -e # One error, it's over HARDENING_LEVEL=4 +FILE='/etc/audit/rules.d/audit.rules' -AUDIT_PARAMS='-a always,exit -F path=$(which postdrop 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix --a always,exit -F path=$(which postqueue 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix' +AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix +-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix' +AUDIT_PARAMS_REDHAT='-a always,exit -F path=/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix +-a always,exit -F path=/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix' -set -e # One error, it's over -FILE='/etc/audit/rules.d/audit.rules' +AUDIT_PARAMS="" # This function will be called if the script status is on enabled / audit mode audit () { @@ -69,7 +72,11 @@ apply () { # This function will check config parameters required check_config() { - : + if [ $OS_RELEASE -eq 1 ]; then + AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN + elif [ $OS_RELEASE -eq 2 ]; then + AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT + fi } # Source Root Dir Parameter diff --git a/bin/hardening/8.1.24_record_crontab_cmd_usage.sh b/bin/hardening/8.1.24_record_crontab_cmd_usage.sh index 4abed4f..8011aa3 100755 --- a/bin/hardening/8.1.24_record_crontab_cmd_usage.sh +++ b/bin/hardening/8.1.24_record_crontab_cmd_usage.sh 
@@ -10,14 +10,15 @@ # set -u # One variable unset, it's over - +set -e # One error, it's over HARDENING_LEVEL=4 -AUDIT_PARAMS='-a always,exit -F path=$(which crontab 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron' - -set -e # One error, it's over FILE='/etc/audit/rules.d/audit.rules' +AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron' +AUDIT_PARAMS_REDHAT='-a always,exit -F path=/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron' +AUDIT_PARAMS="" + # This function will be called if the script status is on enabled / audit mode audit () { # define custom IFS and save default one @@ -68,7 +69,11 @@ apply () { # This function will check config parameters required check_config() { - : + if [ $OS_RELEASE -eq 1 ]; then + AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN + elif [ $OS_RELEASE -eq 2 ]; then + AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT + fi } # Source Root Dir Parameter diff --git a/bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh b/bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh index 90de0a5..0f664ba 100755 --- a/bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh +++ b/bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh 
@@ -10,14 +10,15 @@ # set -u # One variable unset, it's over +set -e # One error, it's over HARDENING_LEVEL=4 - -AUDIT_PARAMS='-a always,exit -F path=$(which pam_timestamp_check 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam' - -set -e # One error, it's over FILE='/etc/audit/rules.d/audit.rules' +AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam' +AUDIT_PARAMS_REDHAT='-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam' +AUDIT_PARAMS="" + # This function will be called if the script status is on enabled / audit mode audit () { # define custom IFS and save default one @@ -68,7 +69,11 @@ apply () { # This function will check config parameters required check_config() { - : + if [ $OS_RELEASE -eq 1 ]; then + AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN + elif [ $OS_RELEASE -eq 2 ]; then + AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT + fi } # Source Root Dir Parameter diff --git a/bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh b/bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh index ccdb5ca..0654a5c 100755 --- a/bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh +++ b/bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh 
@@ -5,66 +5,75 @@ # # -# 8.1.26 Recored pam_tally/pam_tally2 command usage (Scored) +# 8.1.26 Recored pam_tally/pam_tally2 command usage(Only for Debian) (Scored) # Author : Samson wen, Samson Author add this # set -u # One variable unset, it's over +set -e # One error, it's over +FILE='/etc/audit/rules.d/audit.rules' HARDENING_LEVEL=4 -AUDIT_PARAMS='-a always,exit -F path=$(which pam_tally 2>/dev/null) -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam --a always,exit -F path=$(which pam_tally2 2>/dev/null) -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam' - -set -e # One error, it's over -FILE='/etc/audit/rules.d/audit.rules' +AUDIT_PARAMS='-a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam +-a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam' # This function will be called if the script status is on enabled / audit mode audit () { - # define custom IFS and save default one - d_IFS=$IFS - c_IFS=$'\n' - IFS=$c_IFS - for AUDIT_VALUE in $AUDIT_PARAMS; do - check_audit_path $AUDIT_VALUE - if [ $FNRET -eq 1 ];then - crit "path is not exsit! Please check file path is exist!" - continue - else - debug "$AUDIT_VALUE should be in file $FILE" - IFS=$d_IFS - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - IFS=$c_IFS - if [ $FNRET != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" - fi - fi - done - IFS=$d_IFS + # This feature is only for debian + if [ $OS_RELEASE -eq 2 ]; then + ok "CentOS/Redhat is not support, so pass" + elif [ $OS_RELEASE -eq 1 ]; then + # define custom IFS and save default one + d_IFS=$IFS + c_IFS=$'\n' + IFS=$c_IFS + for AUDIT_VALUE in $AUDIT_PARAMS; do + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + crit "path is not exsit! Please check file path is exist!" 
+ continue + else + debug "$AUDIT_VALUE should be in file $FILE" + IFS=$d_IFS + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + IFS=$c_IFS + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE is present in $FILE" + fi + fi + done + IFS=$d_IFS + fi } # This function will be called if the script status is on enabled mode apply () { - IFS=$'\n' - for AUDIT_VALUE in $AUDIT_PARAMS; do - check_audit_path $AUDIT_VALUE - if [ $FNRET -eq 1 ];then - crit "path is not exsit! Please check file path is exist!" - continue - else - debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - if [ $FNRET != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" - add_end_of_file $FILE $AUDIT_VALUE - check_auditd_is_immutable_mode - else - ok "$AUDIT_VALUE is present in $FILE" - fi - fi - done + # This feature is only for debian + if [ $OS_RELEASE -eq 2 ]; then + ok "CentOS/Redhat is not support, so pass" + elif [ $OS_RELEASE -eq 1 ]; then + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + crit "path is not exsit! Please check file path is exist!" + continue + else + debug "$AUDIT_VALUE should be in file $FILE" + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + check_auditd_is_immutable_mode + else + ok "$AUDIT_VALUE is present in $FILE" + fi + fi + done + fi } # This function will check config parameters required diff --git a/bin/hardening/8.1.27_record_Events_that_modify_conf_files.sh b/bin/hardening/8.1.27_record_Events_that_modify_conf_files.sh index 71c594d..0c4f984 100755 --- a/bin/hardening/8.1.27_record_Events_that_modify_conf_files.sh +++ b/bin/hardening/8.1.27_record_Events_that_modify_conf_files.sh 
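Review bot: In the new audit() of 8.1.26, `ok "CentOS/Redhat is not support, so pass"` marks a check that was never performed as passing, so a compliance report on CentOS shows 8.1.26 as compliant with no rule verified. Report it as skipped instead, e.g. `info "pam_tally/pam_tally2 rules are Debian-only, skipping on CentOS/Redhat"`, and use the same message in apply(). While the loop is being re-indented, the `crit "path is not exsit! Please check file path is exist!"` message could get the offending rule appended as the 8.1.27 hunk in this commit does, and the typo fixed.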
@@ -10,16 +10,17 @@ # set -u # One variable unset, it's over +set -e # One error, it's over HARDENING_LEVEL=4 -AUDIT_PARAMS='-a always,exit -F path=$(find /etc/ -name audisp-remote.conf) -F perm=wa -k config_file_change --a always,exit -F path=$(find /etc/ -name auditd.conf) -F perm=wa -k config_file_change --a always,exit -F dir=$(find /etc/audit/ -name rules.d) -F perm=wa -k config_file_change --a always,exit -F path=$(find /etc/ -name grub) -F perm=wa -k config_file_change --a always,exit -F path=$(find /etc/ -name fstab) -F perm=wa -k config_file_change --a always,exit -F path=$(find /etc/ -name hosts.deny) -F perm=wa -k config_file_change --a always,exit -F path=$(find /etc/ -name login.defs) -F perm=wa -k config_file_change +AUDIT_PARAMS='-a always,exit -F path=/etc/audisp/audisp-remote.conf -F perm=wa -k config_file_change +-a always,exit -F path=/etc/audit/auditd.conf -F perm=wa -k config_file_change +-a always,exit -F path=/etc/default/grub -F perm=wa -k config_file_change +-a always,exit -F path=/etc/fstab -F perm=wa -k config_file_change +-a always,exit -F path=/etc/hosts.deny -F perm=wa -k config_file_change +-a always,exit -F path=/etc/login.defs -F perm=wa -k config_file_change +-a always,exit -F dir=/etc/audit/rules.d/ -F perm=wa -k config_file_change -a always,exit -F dir=/etc/pam.d/ -F perm=wa -k config_file_change -a always,exit -F path=/etc/profile -F perm=wa -k config_file_change -a always,exit -F dir=/etc/profile.d/ -F perm=wa -k config_file_change @@ -27,7 +28,6 @@ AUDIT_PARAMS='-a always,exit -F path=$(find /etc/ -name audisp-remote.conf) -F p -a always,exit -F dir=/etc/iptables/ -F perm=wa -k config_file_change -a always,exit -F path=/etc/sysctl.conf -F perm=wa -k config_file_change' -set -e # One error, it's over FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode 
@@ -39,7 +39,7 @@ audit () { for AUDIT_VALUE in $AUDIT_PARAMS; do check_audit_path $AUDIT_VALUE if [ $FNRET -eq 1 ];then - crit "path is not exsit! Please check file path is exist!" + crit "path is not exsit! Please check file path is exist! Rule: $AUDIT_VALUE" continue else debug "$AUDIT_VALUE should be in file $FILE" diff --git a/bin/hardening/8.1.28_record_acl_cmd_usage.sh b/bin/hardening/8.1.28_record_acl_cmd_usage.sh index 41ce2b0..3d8405e 100755 --- a/bin/hardening/8.1.28_record_acl_cmd_usage.sh +++ b/bin/hardening/8.1.28_record_acl_cmd_usage.sh @@ -8,16 +8,16 @@ # 8.1.28 Recored Events that privileged-acl command usage (Scored) # Author : Samson wen, Samson # +# todo to ensure path in debian set -u # One variable unset, it's over +set -e # One error, it's over +FILE='/etc/audit/rules.d/audit.rules' HARDENING_LEVEL=4 -AUDIT_PARAMS='-a always,exit -F path=$(which setfacl 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng --a always,exit -F path=$(which chacl 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng' - -set -e # One error, it's over -FILE='/etc/audit/rules.d/audit.rules' +AUDIT_PARAMS='-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng +-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng' # This function will be called if the script status is on enabled / audit mode audit () { diff --git a/bin/hardening/8.1.29_record_usermod_cmd_usage.sh b/bin/hardening/8.1.29_record_usermod_cmd_usage.sh index fd2e4ed..f470d58 100755 --- a/bin/hardening/8.1.29_record_usermod_cmd_usage.sh +++ b/bin/hardening/8.1.29_record_usermod_cmd_usage.sh 
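Review bot: The hardcoded `/usr/bin/setfacl` and `/usr/bin/chacl` in 8.1.28 are, if I recall the Debian stretch acl package correctly, wrong on a Debian 9 without merged /usr, where those binaries are installed under `/bin`; check_audit_path would then reject both rules on every run and the check could never pass, and the commit's own `# todo to ensure path in debian` comment suggests this was not verified. Confirm with `dpkg -L acl` and, as 8.1.29 does in this commit, split the values into AUDIT_PARAMS_DEBIAN (`/bin/setfacl`, `/bin/chacl`) and AUDIT_PARAMS_REDHAT selected in check_config(), rather than shipping the TODO in the script.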
@@ -10,13 +10,14 @@ # set -u # One variable unset, it's over +set -e # One error, it's over +FILE='/etc/audit/rules.d/audit.rules' HARDENING_LEVEL=4 -AUDIT_PARAMS='-a always,exit -F path=$(which usermod 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod' - -set -e # One error, it's over -FILE='/etc/audit/rules.d/audit.rules' +AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod' +AUDIT_PARAMS_REDHAT='-a always,exit -F path=/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod' +AUDIT_PARAMS="" # This function will be called if the script status is on enabled / audit mode audit () { @@ -68,7 +69,11 @@ apply () { # This function will check config parameters required check_config() { - : + if [ $OS_RELEASE -eq 1 ]; then + AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN + elif [ $OS_RELEASE -eq 2 ]; then + AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT + fi } # Source Root Dir Parameter diff --git a/bin/hardening/8.1.30_record_unix_update_cmd_usage.sh b/bin/hardening/8.1.30_record_unix_update_cmd_usage.sh index b152ba6..a8011ca 100755 --- a/bin/hardening/8.1.30_record_unix_update_cmd_usage.sh +++ b/bin/hardening/8.1.30_record_unix_update_cmd_usage.sh @@ -10,13 +10,12 @@ # set -u # One variable unset, it's over +set -e # One error, it's over +FILE='/etc/audit/rules.d/audit.rules' HARDENING_LEVEL=4 -AUDIT_PARAMS='-a always,exit -F path=$(which unix_update 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update' - -set -e # One error, it's over -FILE='/etc/audit/rules.d/audit.rules' +AUDIT_PARAMS='-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update' # This function will be called if the script status is on enabled / audit mode audit () { 
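Review bot: 8.1.30 hardcodes `/sbin/unix_update` for every distribution, while 8.1.21 in this same commit places the sibling helper unix_chkpwd under `/usr/sbin/` for RedHat; with check_audit_path rejecting missing paths (see the 8.1.26 loop), the unix_update rule would be skipped on CentOS/RedHat if that location applies to it as well. Give the script the same Debian/RedHat split and check_config() selection the other 8.1.x scripts received here, with an explicit failure for an unknown OS_RELEASE. check_config() for this script is outside the hunk.
```shell
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update'
AUDIT_PARAMS_REDHAT='-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update'
AUDIT_PARAMS=""

# … unchanged: audit () and apply () …

check_config() {
    if [ "$OS_RELEASE" -eq 1 ]; then
        AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
    elif [ "$OS_RELEASE" -eq 2 ]; then
        AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
    else
        crit "Unsupported OS_RELEASE '$OS_RELEASE', no audit rules selected"
        exit 128
    fi
}
```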
diff --git a/bin/hardening/8.1.18_freeze_auditd_conf.sh b/bin/hardening/8.1.32_freeze_auditd_conf.sh similarity index 100% rename from bin/hardening/8.1.18_freeze_auditd_conf.sh rename to bin/hardening/8.1.32_freeze_auditd_conf.sh diff --git a/bin/hardening/8.1.7_record_mac_edit.sh b/bin/hardening/8.1.7_record_mac_edit.sh index ea261ce..18154d6 100755 --- a/bin/hardening/8.1.7_record_mac_edit.sh +++ b/bin/hardening/8.1.7_record_mac_edit.sh @@ -11,6 +11,7 @@ # todo test for centos set -u # One variable unset, it's over +set -e # One error, it's over HARDENING_LEVEL=4 @@ -19,17 +20,16 @@ SELINUX_PKG_REDHAT="selinux-policy" SE_AUDIT_PARAMS="-a always,exit -F dir=/etc/selinux/ -F perm=wa -k MAC-policy -a always,exit -F dir=/usr/share/selinux/ -F perm=wa -k MAC-policy --a always,exit -F path=$(which chcon 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng --a always,exit -F path=$(which semanage 2>/dev/null) -F auid>=1000 -F auid!=4294967295 -k perm_chng --a always,exit -F path=$(which setsebool 2>/dev/null) -F auid>=1000 -F auid!=4294967295 -k perm_chng --a always,exit -F path=$(which setfiles 2>/dev/null) -F auid>=1000 -F auid!=4294967295 -k perm_chng" +-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng +-a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=4294967295 -k perm_chng +-a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=4294967295 -k perm_chng +-a always,exit -F path=/usr/sbin/setfiles -F auid>=1000 -F auid!=4294967295 -k perm_chng" APPARMOR_PKG="apparmor" AA_AUDIT_PARAMS='-w /etc/apparmor/ -p wa -k MAC-policy -w /etc/apparmor.d/ -p wa -k MAC-policy -a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k MAC-policy' -set -e # One error, it's over FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode 
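Review bot: In the rewritten SE_AUDIT_PARAMS of 8.1.7 the semanage, setsebool and setfiles rules carry no `-F perm=x`, while the chcon rule and the apparmor_parser rule in the same block do; a path rule with no perm filter presumably matches every access type, so those three will log reads of the binaries as well as executions and the `perm_chng` key stops meaning what it says. Add `-F perm=x` to each, e.g. `-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng`. The gap predates this commit, but the lines are rewritten here, so this is the place to close it.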
diff --git a/bin/hardening/8.4.1_install_aide.sh b/bin/hardening/8.4.1_install_aide.sh index 60c11c9..e5b9277 100755 --- a/bin/hardening/8.4.1_install_aide.sh +++ b/bin/hardening/8.4.1_install_aide.sh @@ -40,7 +40,7 @@ apply () { mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz else apt_install $PACKAGE - aideinit + aideinit -y -f info "${PACKAGE} is now installed but not fully functionnal, please see readme to go further" fi fi diff --git a/bin/hardening/8.5_ensure_permissions_on_all_logfiles.sh b/bin/hardening/8.5_ensure_permissions_on_all_logfiles.sh index f1bf38c..985bbc9 100755 --- a/bin/hardening/8.5_ensure_permissions_on_all_logfiles.sh +++ b/bin/hardening/8.5_ensure_permissions_on_all_logfiles.sh @@ -41,7 +41,9 @@ apply () { else warn "Permissions of all log files are not correctly configured! Set it" chmod -R $PERMISS_SET $LOGDIR/* - rm $ERRPERFILELIST + if [ -r $ERRPERFILELIST ]; then + rm $ERRPERFILELIST + fi fi } diff --git a/bin/hardening/9.3.20_sshd_UsePrivilegeSeparation.sh b/bin/hardening/9.3.20_sshd_UsePrivilegeSeparation.sh deleted file mode 100755 index b17e13e..0000000 --- a/bin/hardening/9.3.20_sshd_UsePrivilegeSeparation.sh +++ /dev/null 
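Review bot: The new guard in 8.5 tests `-r` (readable), which is the wrong predicate for "does the file exist" when the only consumer is rm, and both `$ERRPERFILELIST` expansions are unquoted, so a path containing whitespace would still break. Use `if [ -f "$ERRPERFILELIST" ]; then rm -f -- "$ERRPERFILELIST"; fi`. The `chmod -R $PERMISS_SET $LOGDIR/*` context line just above has the same quoting gap (`"$LOGDIR"/*`), though that line is not touched by this change. apply() starts outside the hunk.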
@@ -1,93 +0,0 @@ -#!/bin/bash - -# -# harbian audit 7/8/9 Hardening -# - -# -# 9.3.20 Set SSHD UsePrivilegeSeparation to sandbox (Scored) -# Author : Samson wen, Samson -# - -set -e # One error, it's over -set -u # One variable unset, it's over - -HARDENING_LEVEL=2 - -PACKAGE='openssh-server' -OPTIONS='UsePrivilegeSeparation=sandbox' -FILE='/etc/ssh/sshd_config' - -# This function will be called if the script status is on enabled / audit mode -audit () { - is_pkg_installed $PACKAGE - if [ $FNRET != 0 ]; then - crit "$PACKAGE is not installed!" - else - ok "$PACKAGE is installed" - for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then - ok "$PATTERN is present in $FILE" - else - crit "$PATTERN is not present in $FILE" - fi - done - fi -} - -# This function will be called if the script status is on enabled mode -apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - ok "$PACKAGE is installed" - else - crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE - fi - for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then - ok "$PATTERN is present in $FILE" - else - warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file $FILE "^$SSH_PARAM" - if [ $FNRET != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" - else - info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" - fi - /etc/init.d/ssh reload > /dev/null 2>&1 - fi - done -} - -# This function will check config parameters required -check_config() { - : -} - -# Source Root Dir Parameter -if [ -r 
/etc/default/cis-hardening ]; then - . /etc/default/cis-hardening -fi -if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." - exit 128 -fi - -# Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then - . $CIS_ROOT_DIR/lib/main.sh -else - echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" - exit 128 -fi diff --git a/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd b/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd index 56b72fb..3fed1ae 100644 --- a/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd +++ b/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd @@ -24,7 +24,8 @@ The creation process is as follows: ### Pre-Install ``` -$ sudo apt update && sudo apt install -y bc net-tools vim unzip +$ sudo apt update +$ sudo apt install -y bc net-tools bc net-tools pciutils network-manager vim unzip ``` ### Get harbian-audit project 
@@ -45,27 +46,55 @@ admin@ip:/opt/harbian-audit-master# passwd admin ``` #### Audit && Apply: + +##### First audit && apply: ``` admin@ip:/opt/harbian-audit-master$ sudo cp debian/default /etc/default/cis-hardening admin@ip:/opt/harbian-audit-master$ sudo sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening +admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --init admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --audit-all admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --set-hardening-level 5 +admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/7.4.4_hosts_deny.cfg -admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/10.1.7_remove_nopasswd_sudoers.cfg +admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/10.1.6_remove_nopasswd_sudoers.cfg +admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.1_install_aide.cfg +admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.2_aide_cron.cfg +admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/10.1.1_set_password_exp_days.cfg admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply -admin@ip:/opt/harbian-audit-master$ sudo sed -i "/^root/a\admin ALL=(ALL:ALL) ALL" /etc/sudoers admin@ip:/opt/harbian-audit-master$ sudo reboot ``` -After reboot: +##### Second audit && apply(After reboot) +Configuring the firewall: ``` -admin@ip:/opt/harbian-audit-master$ sudo bash ./docs/configurations/etc.iptables.rules.v4.sh +admin@ip:/opt/harbian-audit-master$ INTERFACENAME="eth0" +admin@ip:/opt/harbian-audit-master$ sudo bash /opt/harbian-audit-master/docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME 
+admin@ip:/opt/harbian-audit-master$ sudo bash /opt/harbian-audit-master/docs/configurations/etc.iptables.rules.v6.sh $INTERFACENAME admin@ip:/opt/harbian-audit-master$ sudo -s admin@ip:/opt/harbian-audit-master# iptables-save > /etc/iptables/rules.v4 admin@ip:/opt/harbian-audit-master# ip6tables-save > /etc/iptables/rules.v6 +admin@ip:/opt/harbian-audit-master# exit +``` + +Apply need to apply twice items and that items of must apply after first apply: +``` +admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.1.1.2 +admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.1.1.3 +admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.1.12 +admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg +admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.1.32 +admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 4.5 +admin@ip:/opt/harbian-audit-master$ sudo reboot ``` -Related how to use harbian-audit to adit and apply, please reference: -[https://github.com/hardenedlinux/harbian-audit/blob/master/README.md](https://github.com/hardenedlinux/harbian-audit/blob/master/README.md) +##### Third apply(after reboot) +Apply need to apply three times items: +``` +admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.1_install_aide.cfg +admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.2_aide_cron.cfg +admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.4.1 +admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.4.2 +admin@ip:/opt/harbian-audit-master$ sudo reboot +``` ### Set issues ``` 
@@ -86,9 +115,9 @@ $ sudo rm /opt/harbian-audit-master/tmp/backups/* $ sudo rm /opt/harbian-audit-master/etc/conf.d/*.cfg ``` -#### AIDE RE-INIT +#### Uninstall ``` -$ sudo aideinit -y -f +$ sudo apt-get purge --autoremove unzip -y ``` #### Clear the current log: @@ -110,6 +139,13 @@ $ sudo -s # echo > /var/log/tallylog # echo > /var/log/lastlog # echo > /var/log/wtmp +# echo > /var/log/sudo.log +``` + +#### Final apply +Reset password for all users and reinit aide database: +``` +admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --final ``` #### Clear bash hostory @@ -144,8 +180,9 @@ $ history -cw ![17](./picture/create-AMI-from-instance-17.png) -## Reference +## Reference +[https://github.com/hardenedlinux/harbian-audit/blob/master/README.md](https://github.com/hardenedlinux/harbian-audit/blob/master/README.md) [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html) [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/CopyingAMIs.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/CopyingAMIs.html) [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html) diff --git a/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img.mkd b/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img.mkd index 4fadd95..5e384f8 100644 --- a/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img.mkd +++ b/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img.mkd @@ -1,5 +1,9 @@ # How to creating and making a QEMU image of harbian-audit complianced Debian GNU/Linux 9 +In the following context, deploy with the following name: +Network interface: eth0 +username: harbian-audit + ## Pre-work In the example below, the vul-manager visual tool will be used to remotely connect to the QEMU server for operation. 
@@ -42,14 +46,14 @@ Then follow the wizard to install step by step. ### Pre-Install ``` -root@harbian:/home/harbian-audit# apt update && apt install -y bc net-tools vim unzip +root@harbian:/home/harbian-audit# apt update && apt install -y bc net-tools vim unzip pciutils network-manager ``` ### Get harbian-audit project ``` $ cd /opt root@harbian:/opt# wget https://github.com/hardenedlinux/harbian-audit/archive/master.zip -root@harbian:/opt# sudo unzip master.zip +root@harbian:/opt# unzip master.zip root@harbian:/opt# cd harbian-audit-master/ ``` 
@@ -59,17 +63,21 @@ root@harbian:/opt# cd harbian-audit-master/ ``` root@harbian:/opt/harbian-audit-master# cp debian/default /etc/default/cis-hardening root@harbian:/opt/harbian-audit-master# sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening -root@harbian:/opt/harbian-audit-master# ./bin/hardening.sh --audit-all +root@harbian:/opt/harbian-audit-master# bash bin/hardening.sh --init +root@harbian:/opt/harbian-audit-master# ./bin/hardening.sh --audit-all root@harbian:/opt/harbian-audit-master# ./bin/hardening.sh --set-hardening-level 5 root@harbian:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/7.4.4_hosts_deny.cfg +root@harbian:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg +root@harbian:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.1_install_aide.cfg +root@harbian:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.2_aide_cron.cfg root@harbian:/opt/harbian-audit-master# ./bin/hardening.sh --apply root@harbian:/opt/harbian-audit-master# sed -i "/^root/a\harbian-audit ALL=(ALL:ALL) ALL" /etc/sudoers root@harbian:/opt/harbian-audit-master# reboot ``` -After reboot: +After reboot: ``` -harbian-audit@harbian:/opt/harbian-audit-master$ sudo bash ./docs/configurations/etc.iptables.rules.v4.sh +harbian-audit@harbian:/opt/harbian-audit-master$ sudo bash ./docs/configurations/etc.iptables.rules.v4.sh eth0 harbian-audit@harbian:/opt/harbian-audit-master$ sudo -s root@harbian:/opt/harbian-audit-master# iptables-save > /etc/iptables/rules.v4 root@harbian:/opt/harbian-audit-master# ip6tables-save > /etc/iptables/rules.v6 
@@ -84,7 +92,7 @@ $ sudo sed -i "s/Debian GNU\/Linux 9/harbian-audit complianced for Debian GNU\/L ### Set grub passwd superusers: harbiansuper -passwd: harbian_AUDIT,12@) +passwd: harbian_AUDIT,09!) Related how to config grub2 password protection, please reference: [how_to_config_grub2_password_protection.mkd](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_config_grub2_password_protection.mkd) @@ -102,17 +110,31 @@ If need adds a project on AMI, add the project on such as /opt, /usr/local/bin d ### Clean up +#### Uninstall +``` +$ sudo apt-get purge --autoremove unzip -y +``` + #### Clean harbian-audit temp file and conf ``` $ sudo rm /opt/master.zip $ sudo rm /opt/harbian-audit-master/tmp/backups/* -$ sudo rm /opt/harbian-audit-master/etc/conf.d/*.cfg +$ cd /opt/harbian-audit-master/etc/conf.d +$ sudo rm -f !(8.1.32_freeze_auditd_conf.cfg|8.4.1_install_aide.cfg|8.4.2_aide_cron.cfg) ``` -#### AIDE RE-INIT +#### Final fix ``` -$ sudo aideinit -y -f -``` +$ cd /opt/harbian-audit-master +$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg +$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.1_install_aide.cfg +$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.2_aide_cron.cfg +$ sudo bash bin/hardening.sh --apply --only 8.1.32 +$ sudo bash bin/hardening.sh --apply --only 8.4.1 +$ sudo bash bin/hardening.sh --apply --only 8.4.2 +$ sudo rm /opt/harbian-audit-master/tmp/backups/* +$ sudo rm /opt/harbian-audit-master/etc/conf.d/* +``` #### Clear the current log ``` @@ -135,6 +157,11 @@ $ sudo -s # echo > /var/log/wtmp ``` +#### AIDE RE-INIT +``` +$ sudo aideinit -y -f +``` + #### Clear bash hostory ``` # echo > ~/.bash_history 
@@ -147,6 +174,6 @@ $ sudo poweroff ## sign QEMU image ssh to QEMU server, find QEMU image dir, sign the QEMU image: ``` -root@debian-9:/opt/images# gpg -b harbian-audit_Debian_9.qcow2 +root@debian-9:/opt/images# gpg -u Samson -b debian9.9-harbian-0910.qcow2 ``` diff --git a/docs/complianced_image/QEMU/how_to_use_QEMU_image_of_harbian_audit_complianced_Debian_9.mkd b/docs/complianced_image/QEMU/how_to_use_QEMU_image_of_harbian_audit_complianced_Debian_9.mkd index 6aff2d7..a453a24 100644 --- a/docs/complianced_image/QEMU/how_to_use_QEMU_image_of_harbian_audit_complianced_Debian_9.mkd +++ b/docs/complianced_image/QEMU/how_to_use_QEMU_image_of_harbian_audit_complianced_Debian_9.mkd 
@@ -1,50 +1,32 @@ # How to use QEMU image of harbian-audit complicanced Debian GNU/Linux 9 ## Overview -Image name: harbian-audit_Debian_9.qcow2 -Disk size: 50G -File system: -``` -harbian-audit@harbian:~$ df -h -Filesystem Size Used Avail Use% Mounted on -udev 2.0G 0 2.0G 0% /dev -tmpfs 396M 5.5M 391M 2% /run -/dev/mapper/harbian--vg-root 15G 1.3G 12G 10% / -tmpfs 2.0G 8.0K 2.0G 1% /dev/shm -tmpfs 5.0M 0 5.0M 0% /run/lock -tmpfs 2.0G 0 2.0G 0% /sys/fs/cgroup -/dev/vda1 236M 37M 187M 17% /boot -tmpfs 2.0G 0 2.0G 0% /tmp -/dev/mapper/harbian--vg-home 27G 45M 25G 1% /home -tmpfs 396M 0 396M 0% /run/user/1000 -``` +Image name: debian9.9-harbian-0910.qcow2 +Disk size: 20G + grub password protection: username: harbiansuper -password: harbian_AUDIT,12@) +password: harbian_AUDIT,09!) Users info: user: root passwd: 1qaz@WSX3edc$RFV5tgb -user: harbian-audit +user: auditadmin passwd: 2wsx#EDC4rfv%TGB6yhn ## Get QEMU image ### Download address -[https://drive.google.com/file/d/1osqL0REFisSedOhL04dupC1aDM6jVpdm/view?usp=sharing](https://drive.google.com/file/d/1osqL0REFisSedOhL04dupC1aDM6jVpdm/view?usp=sharing) - -![1](./picture/download_01.png) -![2](./picture/download_02.png) -![3](./picture/download_03.png) +[debian9.9-harbian-0910.qcow2.tar.gz](https://drive.google.com/file/d/1HwaHF94AJx-95HeIVi4cUFA5aiQ_diz2/view?usp=sharing) ### Verify ``` -$ wget https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/QEMU/signature/harbian-audit_Debian_9.qcow2.sig -$ wget https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/QEMU/signature/harbian-audit_Debian_9.qcow2.tar.gz.sig -$ gpg --verify harbian-audit_Debian_9.qcow2.tar.gz.sig harbian-audit_Debian_9.qcow2.tar.gz -$ tar -xzvf harbian-audit_Debian_9.qcow2.tar.gz -$ gpg --verify harbian-audit_Debian_9.qcow2.sig harbian-audit_Debian_9.qcow2 +$ wget https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/QEMU/debian9.9-harbian-0910.qcow2.sig +$ wget 
https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/QEMU/signature/debian9.9-harbian-0910.qcow2.tar.gz.sig +$ gpg -u Samson --verify debian9.9-harbian-0910.qcow2.tar.gz.sig debian9.9-harbian-0910.qcow2.tar.gz +$ tar -xzvf debian9.9-harbian-0910.qcow2.tar.gz +$ gpg -u Samson --verify debian9.9-harbian-0910.qcow2.sig debian9.9-harbian-0910.qcow2 ``` ## Use the QEMU image to create virtual machine diff --git a/docs/complianced_image/QEMU/picture/download_01.png b/docs/complianced_image/QEMU/picture/download_01.png deleted file mode 100644 index 302bf38..0000000 Binary files a/docs/complianced_image/QEMU/picture/download_01.png and /dev/null differ diff --git a/docs/complianced_image/QEMU/picture/download_02.png b/docs/complianced_image/QEMU/picture/download_02.png deleted file mode 100644 index daf95ac..0000000 Binary files a/docs/complianced_image/QEMU/picture/download_02.png and /dev/null differ diff --git a/docs/complianced_image/QEMU/picture/download_03.png b/docs/complianced_image/QEMU/picture/download_03.png deleted file mode 100644 index ce6e6e1..0000000 Binary files a/docs/complianced_image/QEMU/picture/download_03.png and /dev/null differ diff --git a/docs/complianced_image/QEMU/signature/debian9.9-harbian-0910.qcow2.sig b/docs/complianced_image/QEMU/signature/debian9.9-harbian-0910.qcow2.sig new file mode 100644 index 0000000..96edd48 Binary files /dev/null and b/docs/complianced_image/QEMU/signature/debian9.9-harbian-0910.qcow2.sig differ diff --git a/docs/complianced_image/QEMU/signature/debian9.9-harbian-0910.qcow2.tar.gz.sig b/docs/complianced_image/QEMU/signature/debian9.9-harbian-0910.qcow2.tar.gz.sig new file mode 100644 index 0000000..386e0d1 Binary files /dev/null and b/docs/complianced_image/QEMU/signature/debian9.9-harbian-0910.qcow2.tar.gz.sig differ 
diff --git a/docs/complianced_image/QEMU/signature/harbian-audit_Debian_9.qcow2.sig b/docs/complianced_image/QEMU/signature/harbian-audit_Debian_9.qcow2.sig deleted file mode 100644 index d9fad20..0000000 Binary files a/docs/complianced_image/QEMU/signature/harbian-audit_Debian_9.qcow2.sig and /dev/null differ diff --git a/docs/complianced_image/QEMU/signature/harbian-audit_Debian_9.qcow2.tar.gz.sig b/docs/complianced_image/QEMU/signature/harbian-audit_Debian_9.qcow2.tar.gz.sig deleted file mode 100644 index 9f5f25c..0000000 Binary files a/docs/complianced_image/QEMU/signature/harbian-audit_Debian_9.qcow2.tar.gz.sig and /dev/null differ diff --git a/docs/configurations/etc.audit.rules.d.audit.rules b/docs/configurations/etc.audit.rules.d.audit.rules_for_debian similarity index 55% rename from docs/configurations/etc.audit.rules.d.audit.rules rename to docs/configurations/etc.audit.rules.d.audit.rules_for_debian index 5aeeb67..056cea5 100644 --- a/docs/configurations/etc.audit.rules.d.audit.rules +++ b/docs/configurations/etc.audit.rules.d.audit.rules_for_debian @@ -11,7 +11,6 @@ ## Set failure mode to syslog -f 1 - -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b64 -S clock_settime -k time-change @@ -28,7 +27,9 @@ -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/network -p wa -k system-locale --w /etc/selinux/ -p wa -k MAC-policy +-w /etc/apparmor/ -p wa -k MAC-policy +-w /etc/apparmor.d/ -p wa -k MAC-policy +-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k MAC-policy -w /var/log/faillog -p wa -k logins -w /var/log/lastlog -p wa -k logins -w /var/log/tallylog -p wa -k logins 
@@ -45,20 +46,49 @@
 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
 -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
+-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/bin/ping -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/pppd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/lib/dbus-1.0/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/lib/policykit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/lib/eject/dmcrypt-get-device -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/dotlock.mailutils -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/expiry -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/dotlockfile -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/screen -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/bsd-write -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
 -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
 -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
 -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete
 -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete
 -w /etc/sudoers -p wa -k sudoers
 -w /etc/sudoers.d/ -p wa -k sudoers
--e 2
--w /var/log/auth.log -p wa -k sudoaction
+-w /var/log/sudo.log -p wa -k sudoaction
 -w /sbin/insmod -p x -k modules
 -w /sbin/rmmod -p x -k modules
 -w /sbin/modprobe -p x -k modules
+-w /bin/kmod -p x -k modules
 -a always,exit -F arch=b32 -S init_module -S delete_module -S create_module -S finit_module -k modules
 -a always,exit -F arch=b64 -S init_module -S delete_module -S create_module -S finit_module -k modules
 -a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
+-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
 -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
 -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
 -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
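Review bot: `+-w /var/log/sudo.log -p wa -k sudoaction` replaces the watch on /var/log/auth.log, but sudo only writes /var/log/sudo.log when sudoers carries `Defaults logfile=/var/log/sudo.log`; with the stock syslog logging the new watch records nothing and sudo activity drops out of the sudoaction key. Confirm that the hardening profile sets that default (it is not in this diff), or keep the auth.log watch alongside the new one. The 28 `-k privileged` rules also re-cover binaries this file already audits under more specific keys (ssh-keysign/privileged-ssh, passwd/privileged-passwd, crontab/privileged-cron, postdrop and postqueue/privileged-postfix, newgrp and chsh/privileged-priv_change), so each of those executions now yields two records; either drop the duplicates or state the intent with a comment such as `## privileged: catch-all for setuid/setgid binaries; the category keys below are kept for reporting`.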
@@ -70,26 +100,31 @@ -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam -a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam -a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam --a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged --a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged --a always,exit -F path=/bin/ping -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged --w /etc/audisp/audisp-remote.conf -p wa -k config_file_change --w /etc/audit/auditd.conf -p wa -k config_file_change --w /etc/audit/rules.d/ -p wa -k config_file_change --w /etc/default/grub -p wa -k config_file_change --w /etc/fstab -p wa -k config_file_change --w /etc/hosts.deny -p wa -k config_file_change --w /etc/login.defs -p wa -k config_file_change --w /etc/pam.d/ -p wa -k config_file_change --w /etc/profile -p wa -k config_file_change --w /etc/profile.d/ -p wa -k config_file_change --w /etc/security/ -p wa -k config_file_change --w /etc/iptables/ -p wa -k config_file_change --w /etc/sysctl.conf -p wa -k 
config_file_change +-a always,exit -F path=/etc/audisp/audisp-remote.conf -F perm=wa -k config_file_change +-a always,exit -F path=/etc/audit/auditd.conf -F perm=wa -k config_file_change +-a always,exit -F path=/etc/default/grub -F perm=wa -k config_file_change +-a always,exit -F path=/etc/fstab -F perm=wa -k config_file_change +-a always,exit -F path=/etc/hosts.deny -F perm=wa -k config_file_change +-a always,exit -F path=/etc/login.defs -F perm=wa -k config_file_change +-a always,exit -F dir=/etc/audit/rules.d/ -F perm=wa -k config_file_change +-a always,exit -F dir=/etc/pam.d/ -F perm=wa -k config_file_change +-a always,exit -F path=/etc/profile -F perm=wa -k config_file_change +-a always,exit -F dir=/etc/profile.d/ -F perm=wa -k config_file_change +-a always,exit -F dir=/etc/security/ -F perm=wa -k config_file_change +-a always,exit -F dir=/etc/iptables/ -F perm=wa -k config_file_change +-a always,exit -F path=/etc/sysctl.conf -F perm=wa -k config_file_change +-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng +-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng +-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod +-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update +-a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv +-a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv +-e 2 diff --git a/docs/configurations/etc.iptables.rules.v4.sh b/docs/configurations/etc.iptables.rules.v4.sh index 98827f8..599f23d 100644 --- a/docs/configurations/etc.iptables.rules.v4.sh +++ b/docs/configurations/etc.iptables.rules.v4.sh 
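Review bot: `+-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change` uses auid>=500 while every other auid filter visible in this file, including the chfn rule added under `-k privileged` in the @@ -45,20 hunk, uses auid>=1000 (Debian's UID_MIN); the lower bound makes this one key also record the 500–999 system range, so change it to `-F auid>=1000` unless that is intended. The two `-S execve -C uid!=euid` / `-C gid!=egid` rules are given only for arch=b64, whereas the file pairs b32 and b64 for every other syscall rule; a 32-bit setuid binary would presumably be missed, so add the `-F arch=b32` twins. Keeping `-e 2` as the last line is correct, since rules appended after it are rejected once the configuration is locked.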
@@ -1,6 +1,16 @@ #!/bin/bash IPT="/sbin/iptables" - +PUB_IFS="ens33" + +if [ $# -lt 1 ]; then + echo "Must be set to greater than or equal to a public network interface. " + echo "usage: $0 eth0, or $0 eth0 eth1" + exit 1 +else + PUB_IFS="$@" + echo "Public interface is $PUB_IFS" +fi + echo "Starting IPv4 Wall..." $IPT -F $IPT -X @@ -11,7 +21,6 @@ IPT="/sbin/iptables" $IPT -N LOGDROP modprobe ip_conntrack -PUB_IFS="ens33" #unlimited $IPT -A INPUT -i lo -j ACCEPT @@ -76,11 +85,10 @@ do $IPT -A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT $IPT -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT - # allow ssh/http/ntp/dhclint only + # allow ssh/ntp/dhclint/http/https only $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT $IPT -A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT $IPT -A INPUT -p udp --dport 68 -m state --state NEW -j ACCEPT - ip6tables -A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT # $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT # $IPT -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT diff --git a/docs/configurations/etc.iptables.rules.v6.sh b/docs/configurations/etc.iptables.rules.v6.sh new file mode 100644 index 0000000..e7bb67b --- /dev/null +++ b/docs/configurations/etc.iptables.rules.v6.sh 
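Review bot: The new prologue accepts any strings as interface names and never checks that they exist, so a typo such as `eth0` on a host whose interface is `ens33` lets the script run through with every `-i ${PUB_IF}` anti-scan rule bound to a nonexistent device while the interface-agnostic ACCEPT rules still apply; the same prologue is copied into the new etc.iptables.rules.v6.sh. Validate each argument before flushing the tables, e.g. `for i in "$@"; do ip link show "$i" >/dev/null 2>&1 || { echo "no such interface: $i" >&2; exit 1; }; done`. `PUB_IFS="$@"` also joins the names into one space-separated scalar that the later `for PUB_IF in $PUB_IFS` loop (outside this hunk) splits again; an array, `PUB_IFS=("$@")`, keeps them intact, and the usage messages belong on stderr (`>&2`).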
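Review bot: The reworded comment `# allow ssh/ntp/dhclint/http/https only` now lists http and https, but the two rules for ports 80 and 443 directly below it remain commented out, so the comment promises more than the rule set opens. Either describe the actual policy, `# allow ssh/ntp/dhclient only (http/https rules below are disabled by default)`, or uncomment the rules if they are meant to be active; "dhclint" is also a typo for dhclient. The same comment and disabled rules are repeated in the new v6 script.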
@@ -0,0 +1,107 @@ +#!/bin/bash +IPT="/sbin/ip6tables" +PUB_IFS="ens33" +if [ $# -lt 1 ]; then + echo "Must be set to greater than or equal to a public network interface. usage: $0 eth0, or $0 eth0 eth1" + exit 1 +else + PUB_IFS="$@" + echo "Public interface is $PUB_IFS" +fi + + echo "Starting IPv6 Wall..." + $IPT -F + $IPT -X + $IPT -t nat -F + $IPT -t nat -X + $IPT -t mangle -F + $IPT -t mangle -X + $IPT -N LOGDROP + modprobe ip_conntrack + + +#unlimited +$IPT -A INPUT -i lo -j ACCEPT +$IPT -A OUTPUT -o lo -j ACCEPT +# DROP all incomming traffic +$IPT -P INPUT DROP +$IPT -P OUTPUT DROP +$IPT -P FORWARD DROP + +$IPT -A INPUT -i lo -j ACCEPT +$IPT -A OUTPUT -o lo -j ACCEPT +$IPT -A INPUT -s fe80::/64 -j DROP + +$IPT -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT +$IPT -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT +$IPT -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT +$IPT -A INPUT -p icmp -m state --state RELATED -j ACCEPT + + +$IPT -A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options +$IPT -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT +$IPT -A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options + +for PUB_IF in $PUB_IFS +do +# sync + $IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Syn" + $IPT -A INPUT -i ${PUB_IF} -p tcp ! 
--syn -m state --state NEW -j DROP + +# Fragments + $IPT -A INPUT -i ${PUB_IF} -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets" + $IPT -A INPUT -i ${PUB_IF} -j DROP + + +# block bad stuff + $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP + $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP + + $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets" + $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP # NULL packets + + $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + + $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets" + $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS + + $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan" + $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans + + $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP + + # No smb/windows sharing packets - too much logging + $IPT -A INPUT -p tcp -i ${PUB_IF} --dport 137:139 -j REJECT + $IPT -A INPUT -p udp -i ${PUB_IF} --dport 137:139 -j REJECT + $IPT -I INPUT -p tcp --dport 22 -i ${PUB_IF} -m state --state NEW -m recent --set + $IPT -I INPUT -p tcp --dport 22 -i ${PUB_IF} -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j LOGDROP + done + # Allow full outgoing connection but no incomming stuff + $IPT -A INPUT -p ipv6-icmp -m ipv6-icmp --icmpv6-type 4 -j ACCEPT + $IPT -A OUTPUT -p ipv6-icmp -m ipv6-icmp --icmpv6-type 8 -j ACCEPT + + # allow ssh/ntp/dhclint/http/https only + $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT + $IPT -A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT + $IPT -A INPUT -d 
fe80::/64 -p udp -m udp --dport 546 -m conntrack --ctstate NEW -j ACCEPT +# $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT +# $IPT -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT + + # allow incoming ICMP ping pong stuff + $IPT -A INPUT -p ipv6-icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT + $IPT -A OUTPUT -p ipv6-icmp -m state --state ESTABLISHED,RELATED -j ACCEPT + + # prevent ssh brute force attack + $IPT -A LOGDROP -j LOG + $IPT -A LOGDROP -j DROP + +# Log everything else +# *** Required for psad **** +$IPT -A INPUT -j LOG +$IPT -A FORWARD -j LOG +$IPT -A INPUT -j DROP + +exit 0 diff --git a/lib/utils.sh b/lib/utils.sh index 647bda3..36ba86b 100644 --- a/lib/utils.sh +++ b/lib/utils.sh @@ -5,6 +5,22 @@ # debian version check # +is_debian_ge_9() +{ + if [ -r /etc/debian_version ]; then + if [ $(cat /etc/debian_version | awk -F"." '{print $1}') -ge 9 ]; then + debug "Debian version is greater than or equal to 9" + FNRET=0 + else + debug "Debian version is less than 9" + FNRET=1 + fi + else + debug "Current OS is not Debian." + FNRET=2 + fi +} + is_debian_9() { if [ -r /etc/debian_version ]; then @@ -136,12 +152,16 @@ has_file_correct_ownership() { has_file_correct_permissions() { local FILE=$1 local PERMISSIONS=$2 - - if [ $($SUDO_CMD stat -L -c "%a" $1) = "$PERMISSIONS" ]; then - FNRET=0 - else + if [ -e $FILE ]; then + if [ $($SUDO_CMD stat -L -c "%a" $1) = "$PERMISSIONS" ]; then + FNRET=0 + else + FNRET=1 + fi + else FNRET=1 - fi + info "$FILE is not exist!" + fi } does_pattern_exist_in_file() { @@ -254,7 +274,7 @@ is_service_active() { if [ $OS_RELEASE -eq 2 ]; then FNRET=0 else - is_debian_9 + is_debian_ge_9 fi if [ $FNRET = 0 ]; then if [ $(systemctl is-active $SERVICE | grep -c "^active") -eq 1 ]; then
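Review bot: `$IPT -A INPUT -i ${PUB_IF} -j DROP` under `# Fragments` carries no fragment match, so on every public interface it discards all inbound traffic the earlier ESTABLISHED rules did not already accept, and the ssh, ntp and DHCPv6 ACCEPT rules appended after the loop are never reached for those interfaces (the `-m recent --set` rule inserted with `-I` has no target, so it accepts nothing either); ip6tables has no `-f`, the fragment-header match is the frag module, e.g. `$IPT -A INPUT -i ${PUB_IF} -m frag -j DROP`. The `-p icmp` rules (`$IPT -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT` and its OUTPUT and RELATED siblings) name IP protocol 1, which no IPv6 packet carries, so they are dead; ICMPv6 is `-p ipv6-icmp`, as the later lines already use. `$IPT -A INPUT -s fe80::/64 -j DROP` placed before any ICMPv6 accept also drops neighbour solicitations, neighbour advertisements and router advertisements, which arrive from link-local sources, so address resolution and SLAAC on the public interface will presumably fail; accept those `--icmpv6-type` values ahead of that rule or remove it. Lastly, `modprobe ip_conntrack` names the IPv4 conntrack alias, and the `-m state` matches here load the IPv6 conntrack module on demand, so the line is at best unnecessary.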
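Review bot: `if [ $(cat /etc/debian_version | awk -F"." '{print $1}') -ge 9 ]; then` assumes the first dotted field is numeric, but on testing/unstable the file holds a codename such as `bullseye/sid`, so `[` fails with an integer-expression error and the function reports "less than 9" (FNRET=1) rather than a defined outcome. Read the field once into a `local major`, `major=$(cut -d. -f1 /etc/debian_version)`, and reject non-digits before comparing: `case $major in ''|*[!0-9]*) debug "Unrecognised Debian version: $major"; FNRET=2 ;; esac`. The same pattern is presumably in the existing is_debian_9 below, whose body runs past the hunk.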
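Review bot: The added existence check `if [ -e $FILE ]; then` leaves `$FILE` unquoted, and the stat line inside it still reads `$1` instead of the `FILE` local assigned two lines up; a path with whitespace word-splits in both, and an empty argument turns the test into `[ -e ]`, which is true, so a missing argument passes the guard and fails later in stat. Quote both, `if [ -e "$FILE" ]; then` and `$SUDO_CMD stat -L -c "%a" "$FILE"`. Note too that `-e` runs as the audit user while stat runs under `$SUDO_CMD`: a file beneath a directory the unprivileged user cannot traverse now reports "is not exist" with FNRET=1 although it exists, so if the audit is meant to run unprivileged, use `$SUDO_CMD test -e "$FILE"` for the guard as well. The message `"$FILE is not exist!"` should read `"$FILE does not exist!"`.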