-
Notifications
You must be signed in to change notification settings - Fork 62
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #9 from hardenedlinux/master
Update from the master
- Loading branch information
Showing
153 changed files
with
3,251 additions
and
1,406 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,7 +1,7 @@ | ||
#!/bin/bash | ||
|
||
# | ||
# harbian audit Debian 9 Hardening | ||
# harbian audit Debian 9 / CentOS Hardening | ||
# Authors : Thibault Dewailly, OVH <[email protected]> | ||
# Authors : Samson wen, Samson <[email protected]> | ||
|
||
|
@@ -23,15 +23,20 @@ AUDIT_ALL_ENABLE_PASSED=0 | |
ALLOW_SERVICE_LIST=0 | ||
SET_HARDENING_LEVEL=0 | ||
SUDO_MODE='' | ||
INIT_G_CONFIG=0 | ||
|
||
usage() { | ||
cat << EOF | ||
$LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of: | ||
--help -h | ||
Show this help | ||
--apply | ||
--init | ||
Initialize the global configuration file(/etc/default/cis-hardening) based | ||
on the release version number. | ||
--apply | ||
Apply hardening for enabled scripts. | ||
Beware that NO confirmation is asked whatsoever, which is why you're warmly | ||
advised to use --audit before, which can be regarded as a dry-run mode. | ||
|
@@ -140,6 +145,9 @@ while [[ $# > 0 ]]; do | |
-h|--help) | ||
usage | ||
;; | ||
--init) | ||
INIT_G_CONFIG=1 | ||
;; | ||
*) | ||
usage | ||
;; | ||
|
@@ -162,6 +170,30 @@ fi | |
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh | ||
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh | ||
|
||
if [ $INIT_G_CONFIG -eq 1 ]; then | ||
if [ -r /etc/redhat-release ]; then | ||
info "This OS is redhat/CentOS." | ||
sed -i 's/^OS_RELEASE=.*/OS_RELEASE=2/g' /etc/default/cis-hardening | ||
. /etc/default/cis-hardening | ||
elif [ -r /etc/debian_version ]; then | ||
info "This OS is Debian." | ||
: | ||
else | ||
crit "This OS not support!" | ||
exit 128 | ||
fi | ||
exit 0 | ||
fi | ||
|
||
if [ $OS_RELEASE -eq 1 ]; then | ||
info "Start auditing for Debian." | ||
elif [ $OS_RELEASE -eq 2 ]; then | ||
info "Start auditing for redhat/CentOS." | ||
else | ||
crit "This OS not support!" | ||
exit 128 | ||
fi | ||
|
||
# If --allow-service-list is specified, don't run anything, just list the supported services | ||
if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then | ||
declare -a HARDENING_EXCEPTIONS_LIST | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,7 +1,8 @@ | ||
#!/bin/bash | ||
|
||
# | ||
# harbian audit Debian 9 Hardening | ||
# harbian audit Debian 9/CentOS Hardening | ||
# Modify by: Samson-W ([email protected]) | ||
# | ||
|
||
# | ||
|
@@ -13,8 +14,9 @@ set -u # One variable unset, it's over | |
|
||
HARDENING_LEVEL=3 | ||
|
||
# This function will be called if the script status is on enabled / audit mode | ||
audit () { | ||
|
||
audit_debian () | ||
{ | ||
info "Checking if apt needs an update" | ||
apt_update_if_needed | ||
info "Fetching upgrades ..." | ||
|
@@ -28,16 +30,67 @@ audit () { | |
fi | ||
} | ||
|
||
# This function will be called if the script status is on enabled mode | ||
apply () { | ||
if [ $FNRET -gt 0 ]; then | ||
audit_redhat () | ||
{ | ||
info "Checking if yum needs an update" | ||
info "Fetching upgrades ..." | ||
yum_check_updates | ||
if [ $FNRET -eq 100 ]; then | ||
crit "There are packages available for an update!" | ||
elif [ $FNRET -eq 0 ]; then | ||
ok "No upgrades available" | ||
else | ||
crit "Call yum_check_updates function error!" | ||
fi | ||
} | ||
|
||
# This function will be called if the script status is on enabled / audit mode | ||
audit () | ||
{ | ||
if [ $OS_RELEASE -eq 1 ]; then | ||
audit_debian | ||
elif [ $OS_RELEASE -eq 2 ]; then | ||
audit_redhat | ||
else | ||
crit "Current OS is not support!" | ||
FNRET=44 | ||
fi | ||
} | ||
|
||
apply_debian () | ||
{ | ||
if [ $FNRET -eq 1 ]; then | ||
info "Applying Upgrades..." | ||
DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y | ||
else | ||
ok "No Upgrades to apply" | ||
else | ||
ok "No Upgrades to apply" | ||
fi | ||
} | ||
|
||
apply_redhat () | ||
{ | ||
if [ $FNRET -eq 100 ]; then | ||
info "Applying Upgrades..." | ||
yum upgrade -y | ||
elif [ $FNRET -eq 0 ]; then | ||
ok "No Upgrades to apply" | ||
else | ||
crit "Call yum_check_updates function error!" | ||
fi | ||
} | ||
|
||
# This function will be called if the script status is on enabled mode | ||
apply () | ||
{ | ||
if [ $OS_RELEASE -eq 1 ]; then | ||
apply_debian | ||
elif [ $OS_RELEASE -eq 2 ]; then | ||
apply_redhat | ||
else | ||
crit "Current OS is not support!" | ||
fi | ||
} | ||
|
||
# This function will check config parameters required | ||
check_config() { | ||
# No parameters for this function | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.