Merge pull request #9 from hardenedlinux/master

Update from the master
hardenedlinux · Aug 31, 2019 · 7812833 · 7812833
2 parents 08e2cf2 + 6fab8a8
commit 7812833
Show file tree

Hide file tree

Showing 153 changed files with 3,251 additions and 1,406 deletions.
diff --git a/README-CN.md b/README-CN.md
@@ -31,6 +31,7 @@ hardening                 [INFO] Treating /home/test/harbian-audit/bin/hardening
 $ git clone https://github.com/hardenedlinux/harbian-audit.git && cd harbian-audit
 $ sudo cp debian/default /etc/default/cis-hardening
 $ sudo sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
+$ sudo bin/hardening.sh --init
 ```
 ### 对所有的安全检查项进行审计 
 ```
@@ -74,7 +75,11 @@ hardening                 [INFO] Treating /home/test/harbian-audit/bin/hardening
 ### 需要预装的软件  
 如果是使用的最小安装方式安装的Debian GNU/Linux系统，在使用此项目之前，需要安装如下的软件：
 ```
-sudo apt-get install -y bc net-tools 
+sudo apt-get install -y bc net-tools pciutils 
+```
+如果系统是Redhat/CentOS，在使用此项目前，需要安装如下的软件包：
+```
+sudo yum install -y bc net-tools pciutils NetworkManager 
 ```
 
 ### 需要预先进行的配置 

diff --git a/README.md b/README.md
@@ -34,6 +34,7 @@ hardening                 [INFO] Treating /home/test/harbian-audit/bin/hardening
 $ git clone https://github.com/hardenedlinux/harbian-audit.git && cd harbian-audit
 $ sudo cp debian/default /etc/default/cis-hardening
 $ sudo sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
+$ sudo bin/hardening.sh --init
 $ sudo bin/hardening.sh --audit-all
 hardening                 [INFO] Treating /home/test/harbian-audit/bin/hardening/1.1_install_updates.sh
 1.1_install_updates       [INFO] Working on 1.1_install_updates
@@ -70,9 +71,14 @@ hardening                 [INFO] Treating /home/test/harbian-audit/bin/hardening
 
 ### Pre-Install 
 
-If use Network install from a minimal CD to installed Debian GNU/Linux, need install bc package before use the hardening tool. 
+If use Network install from a minimal CD to installed Debian GNU/Linux, need install packages before use the hardening tool. 
 ```
-sudo apt-get install -y bc net-tools 
+sudo apt-get install -y bc net-tools pciutils network-manager 
+```
+
+Redhat/CentOS need install packages before use the hardening tool:
+```
+sudo yum install -y bc net-tools pciutils NetworkManager 
 ```
 
 ### Pre-Set 
@@ -155,8 +161,10 @@ This example only allows 192.168.1.[1-255] 192.168.5.[1-255] to access this syst
 # sed -i "/^root/a\test    ALL=(ALL:ALL) ALL" /etc/sudoers 
 ```
 
-4) Set basic iptables rules 
+4) Set basic firewall rules 
 Set the corresponding firewall rules according to the applications used. HardenedLinux community for Debian GNU/Linux basic firewall rules: 
+
+### Iptabels format rules:
 [etc.iptables.rules.v4.sh](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/etc.iptables.rules.v4.sh)
 to do the following:
 ```
@@ -168,6 +176,14 @@ $ sudo -s
 # ip6tables-save > /etc/iptables/rules.v6 
 ```
 
+### nft format rules:
+[nftables.conf](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/etc.nftables.conf)
+to do the following(your network interfacename(Example eth0)):
+```
+$ sed -i 's/^define int_if = ens33/define int_if = eth0/g' etc.nftables.conf 
+$ sudo nft -f ./etc.nftables.conf 
+```
+
 5) Use the passwd command to change the passwords of all users, and change the password to a secure and reliable password entry with the same password complexity set by the pam_cracklib module.
 
 ## Special Note 
@@ -217,7 +233,9 @@ This document is a description of the additions to the sections not included in
 ### Manual Operation docs 
 [How to config grub2 password protection](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_config_grub2_password_protection.mkd)  
 [How to persistent iptables rules with debian 9](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_persistent_iptables_rules_with_debian_9.mkd)  
-[How to deploy audisp-remote for auditd log](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_deploy_audisp_remote_for_audit_log.mkd)
+[How to deploy audisp-remote for auditd log](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_deploy_audisp_remote_for_audit_log.mkd)  
+[How to migrating from iptables to nftables in debian10](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_migrating_from_iptables_to_nftables_in_debian10.md)  
+[How to persistent nft rules with debian 10](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_persistent_nft_rules_with_debian_10.mkd)  
 
 ### Use case docs  
 [Nodejs + redis + mysql demo](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/use-cases/nodejs-redis-mysql-usecase/README.md)  

diff --git a/bin/hardening.sh b/bin/hardening.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# harbian audit Debian 9 Hardening
+# harbian audit Debian 9 / CentOS Hardening
 # Authors : Thibault Dewailly, OVH <[email protected]>
 # Authors : Samson wen, Samson <[email protected]>
 
@@ -23,15 +23,20 @@ AUDIT_ALL_ENABLE_PASSED=0
 ALLOW_SERVICE_LIST=0
 SET_HARDENING_LEVEL=0
 SUDO_MODE=''
+INIT_G_CONFIG=0
 
 usage() {
     cat << EOF
 $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
 
     --help -h
         Show this help
-
-    --apply
+	
+	--init 
+		Initialize the global configuration file(/etc/default/cis-hardening) based 
+		on the release version number.
+    
+	--apply
         Apply hardening for enabled scripts.
         Beware that NO confirmation is asked whatsoever, which is why you're warmly
         advised to use --audit before, which can be regarded as a dry-run mode.
@@ -140,6 +145,9 @@ while [[ $# > 0 ]]; do
         -h|--help)
             usage
         ;;
+		--init)
+			INIT_G_CONFIG=1
+		;;
         *)
             usage
         ;;
@@ -162,6 +170,30 @@ fi
 [ -r $CIS_ROOT_DIR/lib/common.sh     ] && . $CIS_ROOT_DIR/lib/common.sh
 [ -r $CIS_ROOT_DIR/lib/utils.sh      ] && . $CIS_ROOT_DIR/lib/utils.sh
 
+if [ $INIT_G_CONFIG -eq 1 ]; then
+	if [ -r /etc/redhat-release ]; then
+		info "This OS is redhat/CentOS."
+		sed -i 's/^OS_RELEASE=.*/OS_RELEASE=2/g' /etc/default/cis-hardening 
+		. /etc/default/cis-hardening
+	elif [ -r /etc/debian_version ]; then
+		info "This OS is Debian."
+		:
+	else
+		crit "This OS not support!"
+		exit 128
+	fi
+	exit 0
+fi
+
+if [ $OS_RELEASE -eq 1 ]; then
+	info "Start auditing for Debian."
+elif [ $OS_RELEASE -eq 2 ]; then
+	info "Start auditing for redhat/CentOS."
+else
+	crit "This OS not support!"
+	exit 128
+fi
+
 # If --allow-service-list is specified, don't run anything, just list the supported services
 if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then
     declare -a HARDENING_EXCEPTIONS_LIST

diff --git a/bin/hardening/1.1_install_updates.sh b/bin/hardening/1.1_install_updates.sh
@@ -1,7 +1,8 @@
 #!/bin/bash
 
 #
-# harbian audit Debian 9 Hardening
+# harbian audit Debian 9/CentOS Hardening
+# Modify by: Samson-W ([email protected])
 #
 
 #
@@ -13,8 +14,9 @@ set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
 
-# This function will be called if the script status is on enabled / audit mode
-audit () {
+
+audit_debian ()
+{
     info "Checking if apt needs an update"
     apt_update_if_needed 
     info "Fetching upgrades ..."
@@ -28,16 +30,67 @@ audit () {
     fi
 }
 
-# This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET -gt 0 ]; then 
+audit_redhat ()
+{
+	info "Checking if yum needs an update"
+	info "Fetching upgrades ..."
+	yum_check_updates
+	if [ $FNRET -eq 100 ]; then
+		crit "There are packages available for an update!"
+	elif [ $FNRET -eq 0 ]; then
+		ok "No upgrades available"
+	else
+		crit "Call yum_check_updates function error!"
+	fi
+}
+
+# This function will be called if the script status is on enabled / audit mode
+audit () 
+{
+	if [ $OS_RELEASE -eq 1 ]; then
+		audit_debian
+	elif [ $OS_RELEASE -eq 2 ]; then
+		audit_redhat
+	else
+		crit "Current OS is not support!"
+		FNRET=44 
+	fi
+}
+
+apply_debian ()
+{
+    if [ $FNRET -eq 1 ]; then 
         info "Applying Upgrades..."
         DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y
-    else
-        ok "No Upgrades to apply"
+	else
+		ok "No Upgrades to apply"
+    fi
+}
+
+apply_redhat ()
+{
+	if [ $FNRET -eq 100 ]; then 
+		info "Applying Upgrades..."
+		yum upgrade -y
+	elif [ $FNRET -eq 0 ]; then 
+		ok "No Upgrades to apply"
+	else
+		crit "Call yum_check_updates function error!"
     fi
 }
 
+# This function will be called if the script status is on enabled mode
+apply () 
+{
+	if [ $OS_RELEASE -eq 1 ]; then
+		apply_debian
+	elif [ $OS_RELEASE -eq 2 ]; then
+		apply_redhat
+	else
+		crit "Current OS is not support!"
+	fi
+}
+
 # This function will check config parameters required
 check_config() {
     # No parameters for this function

diff --git a/bin/hardening/1.2_enable_verify_sign_packages_from_repository.sh b/bin/hardening/1.2_enable_verify_sign_packages_from_repository.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# harbian audit Debian 9 Hardening
+# harbian audit Debian 9/CentOS Hardening
 #
 
 #
@@ -14,9 +14,11 @@ set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
 OPTION='AllowUnauthenticated'
+YUM_OPTION='gpgcheck'
+YUM_CONF='/etc/yum.conf'
 
-# This function will be called if the script status is on enabled / audit mode
-audit () {
+audit_debian ()
+{
     if [ $(grep -v "^#" /etc/apt/ -r | grep -c "${OPTION}.*true") -gt 0 ]; then
         crit "The signature of packages option is disable "
         FNRET=1
@@ -26,8 +28,37 @@ audit () {
     fi
 }
 
-# This function will be called if the script status is on enabled mode
-apply () {
+audit_redhat ()
+{
+	if [ $(grep -c "^$YUM_OPTION" $YUM_CONF) -gt 0 ]; then
+		if [ $(grep "^$YUM_OPTION" $YUM_CONF | awk -F"=" '{print $2}') -eq 1 ]; then
+			ok "The signature of packages option is enable "
+			FNRET=0
+		else
+			crit "The signature of packages option is disable "
+			FNRET=1
+		fi
+	else
+		crit "Option $YUM_OPTION is not set in $YUM_CONF!"
+		FNRET=2
+	fi
+}
+
+# This function will be called if the script status is on enabled / audit mode
+audit () 
+{
+	if [ $OS_RELEASE -eq 1 ]; then
+        audit_debian
+    elif [ $OS_RELEASE -eq 2 ]; then
+        audit_redhat
+    else
+        crit "Current OS is not support!"
+        FNRET=44
+    fi
+}
+
+
+apply_debian () {
     if [ $FNRET = 0 ]; then 
         ok "The signature of packages option is enable "
     else
@@ -39,6 +70,28 @@ apply () {
         done
     fi
 }
+apply_redhat () {
+	if [ $FNRET = 0 ]; then 
+		ok "The signature of packages option is enable "
+	elif [ $FNRET = 1 ]; then
+		warn "Set to enabled signature of packages option"
+		sed -i "s/$YUM_OPTION=.*/$YUM_OPTION=1/g" $YUM_CONF
+	else 
+		warn "Add $YUM_OPTION option to $YUM_CONF"
+		add_end_of_file $YUM_CONF "$YUM_OPTION=1"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+	if [ $OS_RELEASE -eq 1 ]; then
+        apply_debian
+    elif [ $OS_RELEASE -eq 2 ]; then
+        apply_redhat
+    else
+        crit "Current OS is not support!"
+    fi
+}
 
 # This function will check config parameters required
 check_config() {