diff --git a/README-CN.md b/README-CN.md index 50e01a5..c4b52d0 100644 --- a/README-CN.md +++ b/README-CN.md @@ -31,6 +31,7 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening $ git clone https://github.com/hardenedlinux/harbian-audit.git && cd harbian-audit $ sudo cp debian/default /etc/default/cis-hardening $ sudo sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening +$ sudo bin/hardening.sh --init ``` ### 对所有的安全检查项进行审计 ``` @@ -74,7 +75,11 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening ### 需要预装的软件 如果是使用的最小安装方式安装的Debian GNU/Linux系统,在使用此项目之前,需要安装如下的软件: ``` -sudo apt-get install -y bc net-tools +sudo apt-get install -y bc net-tools pciutils +``` +如果系统是Redhat/CentOS,在使用此项目前,需要安装如下的软件包: +``` +sudo yum install -y bc net-tools pciutils NetworkManager ``` ### 需要预先进行的配置 diff --git a/README.md b/README.md index e2c5a5f..c70294e 100644 --- a/README.md +++ b/README.md @@ -34,6 +34,7 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening $ git clone https://github.com/hardenedlinux/harbian-audit.git && cd harbian-audit $ sudo cp debian/default /etc/default/cis-hardening $ sudo sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening +$ sudo bin/hardening.sh --init $ sudo bin/hardening.sh --audit-all hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/1.1_install_updates.sh 1.1_install_updates [INFO] Working on 1.1_install_updates 
@@ -70,9 +71,14 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening ### Pre-Install -If use Network install from a minimal CD to installed Debian GNU/Linux, need install bc package before use the hardening tool. +If use Network install from a minimal CD to installed Debian GNU/Linux, need install packages before use the hardening tool. ``` -sudo apt-get install -y bc net-tools +sudo apt-get install -y bc net-tools pciutils network-manager +``` + +Redhat/CentOS need install packages before use the hardening tool: +``` +sudo yum install -y bc net-tools pciutils NetworkManager ``` ### Pre-Set @@ -155,8 +161,10 @@ This example only allows 192.168.1.[1-255] 192.168.5.[1-255] to access this syst # sed -i "/^root/a\test ALL=(ALL:ALL) ALL" /etc/sudoers ``` -4) Set basic iptables rules +4) Set basic firewall rules Set the corresponding firewall rules according to the applications used. HardenedLinux community for Debian GNU/Linux basic firewall rules: + +### Iptabels format rules: [etc.iptables.rules.v4.sh](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/etc.iptables.rules.v4.sh) to do the following: ``` @@ -168,6 +176,14 @@ $ sudo -s # ip6tables-save > /etc/iptables/rules.v6 ``` +### nft format rules: +[nftables.conf](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/etc.nftables.conf) +to do the following(your network interfacename(Example eth0)): +``` +$ sed -i 's/^define int_if = ens33/define int_if = eth0/g' etc.nftables.conf +$ sudo nft -f ./etc.nftables.conf +``` + 5) Use the passwd command to change the passwords of all users, and change the password to a secure and reliable password entry with the same password complexity set by the pam_cracklib module. ## Special Note 
@@ -217,7 +233,9 @@ This document is a description of the additions to the sections not included in ### Manual Operation docs [How to config grub2 password protection](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_config_grub2_password_protection.mkd) [How to persistent iptables rules with debian 9](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_persistent_iptables_rules_with_debian_9.mkd) -[How to deploy audisp-remote for auditd log](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_deploy_audisp_remote_for_audit_log.mkd) +[How to deploy audisp-remote for auditd log](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_deploy_audisp_remote_for_audit_log.mkd) +[How to migrating from iptables to nftables in debian10](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_migrating_from_iptables_to_nftables_in_debian10.md) +[How to persistent nft rules with debian 10](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_persistent_nft_rules_with_debian_10.mkd) ### Use case docs [Nodejs + redis + mysql demo](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/use-cases/nodejs-redis-mysql-usecase/README.md) diff --git a/bin/hardening.sh b/bin/hardening.sh index 27fe53a..efb4108 100755 --- a/bin/hardening.sh +++ b/bin/hardening.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit Debian 9 Hardening +# harbian audit Debian 9 / CentOS Hardening # Authors : Thibault Dewailly, OVH # Authors : Samson wen, Samson @@ -23,6 +23,7 @@ AUDIT_ALL_ENABLE_PASSED=0 ALLOW_SERVICE_LIST=0 SET_HARDENING_LEVEL=0 SUDO_MODE='' +INIT_G_CONFIG=0 usage() { cat << EOF 
@@ -30,8 +31,12 @@ $LONG_SCRIPT_NAME [OPTIONS], where RUN_MODE is one of: --help -h Show this help - - --apply + + --init + Initialize the global configuration file(/etc/default/cis-hardening) based + on the release version number. + + --apply Apply hardening for enabled scripts. Beware that NO confirmation is asked whatsoever, which is why you're warmly advised to use --audit before, which can be regarded as a dry-run mode. @@ -140,6 +145,9 @@ while [[ $# > 0 ]]; do -h|--help) usage ;; + --init) + INIT_G_CONFIG=1 + ;; *) usage ;; @@ -162,6 +170,30 @@ fi [ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh [ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh +if [ $INIT_G_CONFIG -eq 1 ]; then + if [ -r /etc/redhat-release ]; then + info "This OS is redhat/CentOS." + sed -i 's/^OS_RELEASE=.*/OS_RELEASE=2/g' /etc/default/cis-hardening + . /etc/default/cis-hardening + elif [ -r /etc/debian_version ]; then + info "This OS is Debian." + : + else + crit "This OS not support!" + exit 128 + fi + exit 0 +fi + +if [ $OS_RELEASE -eq 1 ]; then + info "Start auditing for Debian." +elif [ $OS_RELEASE -eq 2 ]; then + info "Start auditing for redhat/CentOS." +else + crit "This OS not support!" + exit 128 +fi + # If --allow-service-list is specified, don't run anything, just list the supported services if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then declare -a HARDENING_EXCEPTIONS_LIST diff --git a/bin/hardening/1.1_install_updates.sh b/bin/hardening/1.1_install_updates.sh index e1f1165..e01a4a9 100755 --- a/bin/hardening/1.1_install_updates.sh +++ b/bin/hardening/1.1_install_updates.sh @@ -1,7 +1,8 @@ #!/bin/bash # -# harbian audit Debian 9 Hardening +# harbian audit Debian 9/CentOS Hardening +# Modify by: Samson-W (samson@hardenedlinux.org) # # 
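Review bot: The `--init` branch only ever writes `OS_RELEASE=2`; on Debian it logs and exits, so a /etc/default/cis-hardening that was previously initialised on a CentOS host, or that has no `OS_RELEASE=` line at all (then the `sed` is a silent no-op), keeps a wrong or missing value, and the following `[ $OS_RELEASE -eq 1 ]` dispatch fails with a shell syntax error instead of the intended `crit`. Make the Debian branch symmetric, `sed -i 's/^OS_RELEASE=.*/OS_RELEASE=1/' /etc/default/cis-hardening`, and guard the dispatch with `if [ "${OS_RELEASE:-0}" -eq 1 ]; then` / `elif [ "${OS_RELEASE:-0}" -eq 2 ]; then` so an uninitialised config reaches the "not support" path. The `. /etc/default/cis-hardening` re-source immediately before `exit 0` has no effect and can be dropped. The shipped debian/default is not on this page, so confirm it contains an `OS_RELEASE=` line for the sed to rewrite.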
@@ -13,8 +14,9 @@ set -u # One variable unset, it's over HARDENING_LEVEL=3 -# This function will be called if the script status is on enabled / audit mode -audit () { + +audit_debian () +{ info "Checking if apt needs an update" apt_update_if_needed info "Fetching upgrades ..." @@ -28,16 +30,67 @@ audit () { fi } -# This function will be called if the script status is on enabled mode -apply () { - if [ $FNRET -gt 0 ]; then +audit_redhat () +{ + info "Checking if yum needs an update" + info "Fetching upgrades ..." + yum_check_updates + if [ $FNRET -eq 100 ]; then + crit "There are packages available for an update!" + elif [ $FNRET -eq 0 ]; then + ok "No upgrades available" + else + crit "Call yum_check_updates function error!" + fi +} + +# This function will be called if the script status is on enabled / audit mode +audit () +{ + if [ $OS_RELEASE -eq 1 ]; then + audit_debian + elif [ $OS_RELEASE -eq 2 ]; then + audit_redhat + else + crit "Current OS is not support!" + FNRET=44 + fi +} + +apply_debian () +{ + if [ $FNRET -eq 1 ]; then info "Applying Upgrades..." DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y - else - ok "No Upgrades to apply" + else + ok "No Upgrades to apply" + fi +} + +apply_redhat () +{ + if [ $FNRET -eq 100 ]; then + info "Applying Upgrades..." + yum upgrade -y + elif [ $FNRET -eq 0 ]; then + ok "No Upgrades to apply" + else + crit "Call yum_check_updates function error!" fi } +# This function will be called if the script status is on enabled mode +apply () +{ + if [ $OS_RELEASE -eq 1 ]; then + apply_debian + elif [ $OS_RELEASE -eq 2 ]; then + apply_redhat + else + crit "Current OS is not support!" + fi +} + # This function will check config parameters required check_config() { # No parameters for this function 
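Review bot: `apply_debian` narrows the old `[ $FNRET -gt 0 ]` to `[ $FNRET -eq 1 ]`, so any other non-zero status left by `audit_debian` (whose body is only partly inside this hunk) now prints "No Upgrades to apply" instead of upgrading; keep `-gt 0` unless audit_debian is known to set only 0 or 1. In `audit_redhat` the first `info "Checking if yum needs an update"` announces a check that is never performed — only `yum_check_updates` runs — so drop it or merge it into the "Fetching upgrades" message. The 100/0 dispatch assumes `yum_check_updates` passes through the exit status of `yum check-update` (100 = updates pending, 0 = none); a comment above the `if`, `# yum check-update exits 100 when updates are pending, 0 when none`, would save the next reader a lookup, since the helper lives outside this file.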
diff --git a/bin/hardening/1.2_enable_verify_sign_packages_from_repository.sh b/bin/hardening/1.2_enable_verify_sign_packages_from_repository.sh index e445442..d978125 100755 --- a/bin/hardening/1.2_enable_verify_sign_packages_from_repository.sh +++ b/bin/hardening/1.2_enable_verify_sign_packages_from_repository.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit Debian 9 Hardening +# harbian audit Debian 9/CentOS Hardening # # @@ -14,9 +14,11 @@ set -u # One variable unset, it's over HARDENING_LEVEL=2 OPTION='AllowUnauthenticated' +YUM_OPTION='gpgcheck' +YUM_CONF='/etc/yum.conf' -# This function will be called if the script status is on enabled / audit mode -audit () { +audit_debian () +{ if [ $(grep -v "^#" /etc/apt/ -r | grep -c "${OPTION}.*true") -gt 0 ]; then crit "The signature of packages option is disable " FNRET=1 @@ -26,8 +28,37 @@ audit () { fi } -# This function will be called if the script status is on enabled mode -apply () { +audit_redhat () +{ + if [ $(grep -c "^$YUM_OPTION" $YUM_CONF) -gt 0 ]; then + if [ $(grep "^$YUM_OPTION" $YUM_CONF | awk -F"=" '{print $2}') -eq 1 ]; then + ok "The signature of packages option is enable " + FNRET=0 + else + crit "The signature of packages option is disable " + FNRET=1 + fi + else + crit "Option $YUM_OPTION is not set in $YUM_CONF!" + FNRET=2 + fi +} + +# This function will be called if the script status is on enabled / audit mode +audit () +{ + if [ $OS_RELEASE -eq 1 ]; then + audit_debian + elif [ $OS_RELEASE -eq 2 ]; then + audit_redhat + else + crit "Current OS is not support!" + FNRET=44 + fi +} + + +apply_debian () { if [ $FNRET = 0 ]; then ok "The signature of packages option is enable " else 
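Review bot: `audit_redhat` reads only `$YUM_CONF`, but a repository file under /etc/yum.repos.d/ can set `gpgcheck=0` for an individual repo and override the `[main]` value, so the audit reports "enable" while unsigned packages are still accepted from that repo; add a second check such as `if grep -rqE '^gpgcheck[[:space:]]*=[[:space:]]*0' /etc/yum.repos.d/ 2>/dev/null; then crit "gpgcheck is disabled in a repo file"; FNRET=1; fi`. The value parse `grep "^$YUM_OPTION" $YUM_CONF | awk -F"=" '{print $2}'` also yields several lines when the option appears in more than one section of yum.conf, and `[ ... -eq 1 ]` then prints an "integer expression expected" error and falls into the disabled branch; take the first match only (`grep -m1`) or test with `grep -qE "^$YUM_OPTION[[:space:]]*=[[:space:]]*1" $YUM_CONF`. The same parse is copied into 1.3 (`localpkg_gpgcheck`) and 1.4 (`repo_gpgcheck`) in the later hunks.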
@@ -39,6 +70,28 @@ apply () { done fi } +apply_redhat () { + if [ $FNRET = 0 ]; then + ok "The signature of packages option is enable " + elif [ $FNRET = 1 ]; then + warn "Set to enabled signature of packages option" + sed -i "s/$YUM_OPTION=.*/$YUM_OPTION=1/g" $YUM_CONF + else + warn "Add $YUM_OPTION option to $YUM_CONF" + add_end_of_file $YUM_CONF "$YUM_OPTION=1" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $OS_RELEASE -eq 1 ]; then + apply_debian + elif [ $OS_RELEASE -eq 2 ]; then + apply_redhat + else + crit "Current OS is not support!" + fi +} # This function will check config parameters required check_config() { diff --git a/bin/hardening/1.3_enable_verify_sign_of_local_packages.sh b/bin/hardening/1.3_enable_verify_sign_of_local_packages.sh index f995c19..fe048fb 100755 --- a/bin/hardening/1.3_enable_verify_sign_of_local_packages.sh +++ b/bin/hardening/1.3_enable_verify_sign_of_local_packages.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit Debian 9 Hardening +# harbian audit Debian 9/CentOS Hardening # # @@ -16,8 +16,10 @@ HARDENING_LEVEL=2 OPTION='no-debsig' CONFFILE='/etc/dpkg/dpkg.cfg' -# This function will be called if the script status is on enabled / audit mode -audit () { +YUM_OPTION='localpkg_gpgcheck' +YUM_CONFFILE='/etc/yum.conf' + +audit_debian () { if [ $(grep -v "^#" ${CONFFILE} | grep -c ${OPTION}) -gt 0 ]; then crit "The signature of local packages option is disable " FNRET=1 
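Review bot: The `sed -i "s/$YUM_OPTION=.*/$YUM_OPTION=1/g" $YUM_CONF` in `apply_redhat` is not anchored, so with `YUM_OPTION=gpgcheck` it also rewrites `repo_gpgcheck=0` and `localpkg_gpgcheck=0` (both contain `gpgcheck=` as a substring) and any commented-out `#gpgcheck=` line, none of which the `^`-anchored audit looked at. Anchor it to match the audit: `sed -i "s/^$YUM_OPTION=.*/$YUM_OPTION=1/" $YUM_CONF`. The same unanchored substitution appears in the `apply_redhat` of 1.3 and 1.4 below; there the option names are not substrings of other options, but the commented-line issue remains.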
@@ -27,8 +29,36 @@ audit () { fi } -# This function will be called if the script status is on enabled mode -apply () { +audit_redhat () +{ + if [ $(grep -c "^$YUM_OPTION" $YUM_CONFFILE) -gt 0 ]; then + if [ $(grep "^$YUM_OPTION" $YUM_CONFFILE | awk -F"=" '{print $2}') -eq 1 ]; then + ok "The signature of packages option is enable " + FNRET=0 + else + crit "The signature of packages option is disable " + FNRET=1 + fi + else + crit "Option $YUM_OPTION is not set in $YUM_CONFFILE!" + FNRET=2 + fi +} + +# This function will be called if the script status is on enabled / audit mode +audit() +{ + if [ $OS_RELEASE -eq 1 ]; then + audit_debian + elif [ $OS_RELEASE -eq 2 ]; then + audit_redhat + else + crit "Current OS is not support!" + FNRET=44 + fi +} + +apply_debian () { if [ $FNRET = 0 ]; then ok "The signature of local packages option is enable " else @@ -38,6 +68,29 @@ apply () { fi } +apply_redhat () { + if [ $FNRET = 0 ]; then + ok "The signature of packages option is enable " + elif [ $FNRET = 1 ]; then + warn "Set to enabled signature of packages option" + sed -i "s/$YUM_OPTION=.*/$YUM_OPTION=1/g" $YUM_CONFFILE + else + warn "Add $YUM_OPTION option to $YUM_CONFFILE" + add_end_of_file $YUM_CONFFILE "$YUM_OPTION=1" + fi +} + + +# This function will be called if the script status is on enabled mode +apply () { + if [ $OS_RELEASE -eq 1 ]; then + apply_debian + elif [ $OS_RELEASE -eq 2 ]; then + apply_redhat + else + crit "Current OS is not support!" + fi +} # This function will check config parameters required check_config() { # No parameters for this function diff --git a/bin/hardening/1.4_set_no_allow_insecure_repository_by_apt.sh b/bin/hardening/1.4_set_no_allow_insecure_repository_by_apt.sh index 32a4469..b95f7ac 100755 --- a/bin/hardening/1.4_set_no_allow_insecure_repository_by_apt.sh +++ b/bin/hardening/1.4_set_no_allow_insecure_repository_by_apt.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit Debian 9 Hardening +# harbian audit Debian 9/CentOS Hardening # # 
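Review bot: The messages in 1.3's `audit_redhat` and `apply_redhat` say "The signature of packages option is enable/disable", identical to 1.2's output, whereas the Debian branch of this same script says "local packages", so the audit log no longer shows which control fired. Use the Debian wording on the redhat side too, e.g. `ok "The signature of local packages option is enable "` and `crit "The signature of local packages option is disable "`, and the matching strings in `apply_redhat`.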
@@ -15,8 +15,10 @@ set -u # One variable unset, it's over HARDENING_LEVEL=2 OPTION='AllowInsecureRepositories' -# This function will be called if the script status is on enabled / audit mode -audit () { +YUM_OPTION='repo_gpgcheck' +YUM_CONFFILE='/etc/yum.conf' + +audit_debian () { if [ $(grep -v "^#" /etc/apt/ -r | grep -c "${OPTION}.*true") -gt 0 ]; then crit "The allow insecure repository when by apt update is enable" FNRET=1 @@ -26,8 +28,35 @@ audit () { fi } -# This function will be called if the script status is on enabled mode -apply () { +audit_redhat () +{ + if [ $(grep -c "^$YUM_OPTION" $YUM_CONFFILE) -gt 0 ]; then + if [ $(grep "^$YUM_OPTION" $YUM_CONFFILE | awk -F"=" '{print $2}') -eq 1 ]; then + ok "The allow insecure repository when by yum update is disable" + FNRET=0 + else + crit "The signature of repodata option is disable " + FNRET=1 + fi + else + crit "Option $YUM_OPTION is not set in $YUM_CONFFILE!" + FNRET=2 + fi +} + +# This function will be called if the script status is on enabled / audit mode +audit () { + if [ $OS_RELEASE -eq 1 ]; then + audit_debian + elif [ $OS_RELEASE -eq 2 ]; then + audit_redhat + else + crit "Current OS is not support!" + FNRET=44 + fi +} + +apply_debian () { if [ $FNRET = 0 ]; then ok "The allow insecure repository when by apt update is disable" else 
@@ -39,6 +68,28 @@ apply () { fi } +apply_redhat () { + if [ $FNRET = 0 ]; then + ok "The signature of repodata option is enable " + elif [ $FNRET = 1 ]; then + warn "Set to enabled signature of repodata option" + sed -i "s/$YUM_OPTION=.*/$YUM_OPTION=1/g" $YUM_CONFFILE + else + warn "Add $YUM_OPTION option to $YUM_CONFFILE" + add_end_of_file $YUM_CONFFILE "$YUM_OPTION=1" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $OS_RELEASE -eq 1 ]; then + apply_debian + elif [ $OS_RELEASE -eq 2 ]; then + apply_redhat + else + crit "Current OS is not support!" + fi +} # This function will check config parameters required check_config() { # No parameters for this function diff --git a/bin/hardening/10.1.11_ensure_no_shosts_cfg_on_system.sh b/bin/hardening/10.1.11_ensure_no_shosts_cfg_on_system.sh index c81d2ec..7050a0c 100755 --- a/bin/hardening/10.1.11_ensure_no_shosts_cfg_on_system.sh +++ b/bin/hardening/10.1.11_ensure_no_shosts_cfg_on_system.sh @@ -19,8 +19,8 @@ FILENAME1='shosts.equiv' # This function will be called if the script status is on enabled / audit mode audit () { - COUNT=$(find / -name "${FILENAME}" | wc -l) - COUNT1=$(find / -name "${FILENAME1}" | wc -l) + COUNT=$(find / -xdev -name "${FILENAME}" | wc -l) + COUNT1=$(find / -xdev -name "${FILENAME1}" | wc -l) if [ "$COUNT" -ne 0 -o "$COUNT1" -ne 0 ]; then crit "$FILENAME or $FILENAME1 file is exist on system." FNRET=1 diff --git a/bin/hardening/12.10_find_suid_files.sh b/bin/hardening/12.10_find_suid_files.sh index c28bd78..9acc183 100755 --- a/bin/hardening/12.10_find_suid_files.sh +++ b/bin/hardening/12.10_find_suid_files.sh @@ -7,9 +7,10 @@ # # 12.10 Find SUID System Executables (Not Scored) # +# set -e # One error, it's over, for some user to audit desktop evn -set -e # One error, it's over -set -u # One variable unset, it's over +# One variable unset, it's over +set -u HARDENING_LEVEL=2 
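Review bot: Adding `-xdev` to `find / -name "${FILENAME}"` stops the walk at the root filesystem, so a `.shosts` under a separately mounted /home — the usual place for one — is no longer counted and the check passes. If the goal is to skip network and pseudo filesystems, walk each local mount point the way 2.17 does: `COUNT=$(df --local -P | awk 'NR!=1{print $6}' | xargs -I '{}' find '{}' -xdev -name "${FILENAME}" 2>/dev/null | wc -l)`, and the same for `COUNT1`.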
diff --git a/bin/hardening/12.11_find_sgid_files.sh b/bin/hardening/12.11_find_sgid_files.sh index 99a0346..132e3db 100755 --- a/bin/hardening/12.11_find_sgid_files.sh +++ b/bin/hardening/12.11_find_sgid_files.sh @@ -8,8 +8,10 @@ # 12.11 Find SGID System Executables (Not Scored) # -set -e # One error, it's over -set -u # One variable unset, it's over +#set -e # One error, it's over, for some user to audit desktop evn + +# One variable unset, it's over +set -u HARDENING_LEVEL=2 diff --git a/bin/hardening/2.17_sticky_bit_world_writable_folder.sh b/bin/hardening/2.17_sticky_bit_world_writable_folder.sh index 119ca3d..93494d0 100755 --- a/bin/hardening/2.17_sticky_bit_world_writable_folder.sh +++ b/bin/hardening/2.17_sticky_bit_world_writable_folder.sh @@ -1,8 +1,8 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening -# +# harbian audit 7/8/9/10 or CentOS Hardening +# Modify by: Samson-W (samson@hardenedlinux.org) # # 2.17 Set Sticky Bit on All World-Writable Directories (Scored) @@ -24,6 +24,15 @@ audit () { else ok "All world writable directories have a sticky bit" fi + # Check sticky dir group-owned is root + RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type d ! -group root \( -perm -0002 -a -perm -1000 \) -print 2>/dev/null) + if [ ! -z "$RESULT" ]; then + crit "Some world writable directories are sticky bit mode, but not group owned is root!" + FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ') + crit "$FORMATTED_RESULT" + else + ok "All world writable directories have a sticky bit, and group owner is root." + fi } # This function will be called if the script status is on enabled mode 
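Review bot: In 2.17's new group-owner check, `sed "s/ /\n/g" <<< $RESULT` splits on every space, so a directory whose name contains a space is reported as two bogus fragments; `find -print` already emits one path per line, so `FORMATTED_RESULT=$(sort -u <<< "$RESULT" | tr '\n' ' ')` gives the same de-duplicated list without corrupting such paths. The wording "Some world writable directories are sticky bit mode, but not group owned is root!" is hard to parse; suggest `crit "Some world writable sticky directories are not group-owned by root!"`.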
@@ -34,6 +43,12 @@ apply () { else ok "All world writable directories have a sticky bit, nothing to apply" fi + RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type d ! -group root \( -perm -0002 -a -perm -1000 \) -print 2>/dev/null) + if [ ! -z "$RESULT" ]; then + df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type d ! -group root \( -perm -0002 -a -perm -1000 \) -print 2>/dev/null | xargs chgrp root + else + ok "All world writable directories have a sticky bit, and group owner is root." + fi } # This function will check config parameters required diff --git a/bin/hardening/2.1_tmp_partition.sh b/bin/hardening/2.1_tmp_partition.sh index e8266e2..f062691 100755 --- a/bin/hardening/2.1_tmp_partition.sh +++ b/bin/hardening/2.1_tmp_partition.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit Debian 7/8/9 Hardening +# harbian audit Debian 7/8/9 or CentOS Hardening # Modify by: Samson-W (sccxboy@gmail.com) # @@ -17,7 +17,6 @@ HARDENING_LEVEL=2 # Quick factoring as many script use the same logic PARTITION="/tmp" TMPMOUNTNAME="tmp.mount" -TMPMOUNTO="/usr/share/systemd/tmp.mount" # This function will be called if the script status is on enabled / audit mode audit () { 
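Review bot: The remediation branch in 2.17's `apply` runs the whole `df | xargs find` scan a second time and pipes the paths whitespace-separated into `xargs chgrp root`, so a directory with a space in its name becomes two wrong arguments, and nothing is logged when ownership is changed. Let find do the change itself and announce it: add `info "Setting group owner of sticky world writable directories to root"` and end the find with `-exec chgrp root {} + 2>/dev/null` instead of `-print 2>/dev/null | xargs chgrp root`. That form also runs chgrp under the same `$SUDO_CMD` the find already receives, which the trailing `xargs chgrp` does not.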
@@ -37,25 +36,20 @@ audit () { fi else warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service" - if [ -e $TMPMOUNTO ]; then - if [ $(systemctl | grep -c "tmp.mount[[:space:]]*loaded[[:space:]]active[[:space:]]mounted") -eq 1 ]; then - ok "$TMPMOUNTNAME service is active!" - is_mounted "$PARTITION" - if [ $FNRET -gt 0 ]; then - warn "$PARTITION is not mounted" - FNRET=3 - else - ok "$PARTITION is mounted" - FNRET=0 - fi - else - crit "$TMPMOUNTNAME service is not active!" - FNRET=4 + if [ $(systemctl | grep -c "tmp.mount[[:space:]]*loaded[[:space:]]active[[:space:]]mounted") -eq 1 ]; then + ok "$TMPMOUNTNAME service is active!" + is_mounted "$PARTITION" + if [ $FNRET -gt 0 ]; then + warn "$PARTITION is not mounted" + FNRET=3 + else + ok "$PARTITION is mounted" + FNRET=0 fi else - crit "$TMPMOUNTO is not exist!" - FNRET=1 - fi + crit "$TMPMOUNTNAME service is not active!" + FNRET=4 + fi fi } @@ -72,7 +66,7 @@ apply () { $SUDO_CMD systemctl daemon-reload $SUDO_CMD systemctl start "$TMPMOUNTNAME" elif [ $FNRET = 4 ]; then - $SUDO_CMD systemctl enable "$TMPMOUNTO" + $SUDO_CMD systemctl enable "$TMPMOUNTNAME" $SUDO_CMD systemctl daemon-reload $SUDO_CMD systemctl start "$TMPMOUNTNAME" fi diff --git a/bin/hardening/2.25_disable_automounting.sh b/bin/hardening/2.25_disable_automounting.sh index ffe4f55..b4837f7 100755 --- a/bin/hardening/2.25_disable_automounting.sh +++ b/bin/hardening/2.25_disable_automounting.sh @@ -1,7 +1,8 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening +# Modify by: Samson-W (samson@hardenedlinux.org) # # 
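Review bot: Enabling the unit by name, `systemctl enable "$TMPMOUNTNAME"`, only works once a `tmp.mount` unit file sits in a systemd unit directory; on Debian the unit ships as an example at /usr/share/systemd/tmp.mount, which is not one, so the FNRET=4 branch would fail because systemd cannot find the unit unless an earlier branch of `apply` (outside this hunk) copies it into /etc/systemd/system first — worth confirming, since the removed `$TMPMOUNTO` path form used to link it. The audit's `systemctl | grep -c "tmp.mount[[:space:]]*loaded..."` scrapes the human-readable unit table; `if systemctl is-active --quiet "$TMPMOUNTNAME"; then` is the stable interface and removes the column-format dependency.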
@@ -20,11 +21,11 @@ audit () { is_pkg_installed $SERVICE_NAME if [ $FNRET = 0 ]; then info "Checking if $SERVICE_NAME is enabled" - is_service_enabled $SERVICE_NAME + is_service_active $SERVICE_NAME if [ $FNRET = 0 ]; then - crit "$SERVICE_NAME is enabled" + crit "$SERVICE_NAME is actived" else - ok "$SERVICE_NAME is disabled" + ok "$SERVICE_NAME is inactived" fi else ok "$SERVICE_NAME is not installed" @@ -35,21 +36,34 @@ audit () { apply () { is_pkg_installed $SERVICE_NAME if [ $FNRET = 0 ]; then - info "Checking if $SERVICE_NAME is enabled" - is_service_enabled $SERVICE_NAME + info "Checking if $SERVICE_NAME is active" + is_service_active $SERVICE_NAME if [ $FNRET = 0 ]; then - is_debian_9 + if [ $OS_RELEASE -eq 2 ]; then + : + else + is_debian_9 + fi if [ $FNRET = 0 ]; then info "Disabling $SERVICE_NAME" systemctl stop $SERVICE_NAME systemctl disable $SERVICE_NAME - apt-get -y purge --autoremove $SERVICE_NAME + if [ $OS_RELEASE -eq 2 ]; then + yum -y autoremove $SERVICE_NAME + else + apt-get -y purge --autoremove $SERVICE_NAME + fi else info "Disabling $SERVICE_NAME" update-rc.d $SERVICE_NAME remove > /dev/null 2>&1 fi else ok "$SERVICE_NAME is disabled" + if [ $OS_RELEASE -eq 2 ]; then + yum -y autoremove $SERVICE_NAME + else + apt-get -y purge --autoremove $SERVICE_NAME + fi fi else ok "$SERVICE_NAME is not installed" diff --git a/bin/hardening/2.2_tmp_nodev.sh b/bin/hardening/2.2_tmp_nodev.sh index 18cfe8f..eafa7f2 100755 --- a/bin/hardening/2.2_tmp_nodev.sh +++ b/bin/hardening/2.2_tmp_nodev.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit Debian 7/8/9 Hardening +# harbian audit Debian 7/8/9 or CentOS Hardening # Modify by: Samson-W (sccxboy@gmail.com) # 
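Review bot: In the new `apply`, the `else` branch prints `ok "$SERVICE_NAME is disabled"` and then immediately purges the package with apt-get or yum, so a run that reports success also removes software, and `audit` does not mirror this — it reports ok and stops when the service is inactive. Either log the removal explicitly, e.g. `info "Removing inactive $SERVICE_NAME package"`, or leave the inactive case alone as the audit does. The messages `"$SERVICE_NAME is actived"` / `"is inactived"` in the first hunk should read "is active" / "is inactive". On CentOS the `:` placeholder keeps the FNRET value set by `is_service_active` (0), which is what routes execution into the systemctl branch; a one-line comment saying so would make the no-op less puzzling.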
@@ -17,8 +17,9 @@ HARDENING_LEVEL=2 # Quick factoring as many script use the same logic PARTITION="/tmp" OPTION="nodev" -SERVICEPATH="/usr/share/systemd/tmp.mount" SERVICENAME="tmp.mount" +SERVICEPATH="/usr/share/systemd/tmp.mount" +REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount" # This function will be called if the script status is on enabled / audit mode audit () { @@ -45,8 +46,12 @@ audit () { fi else warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service" - if [ -e $SERVICEPATH ]; then - has_mount_option_systemd $SERVICEPATH $OPTION + if [ -e $SERVICEPATH -o -e $REDHAT_SERVICEPATH ]; then + if [ $OS_RELEASE -eq 2 ]; then + has_mount_option_systemd $REDHAT_SERVICEPATH $OPTION + else + has_mount_option_systemd $SERVICEPATH $OPTION + fi if [ $FNRET -gt 0 ]; then crit "$PARTITION has no option $OPTION in systemd service!" FNRET=3 @@ -62,7 +67,11 @@ audit () { fi fi else - crit "$TMPMOUNTO is not exist!" + if [ $OS_RELEASE -eq 2 ]; then + crit "$REDHAT_SERVICEPATH is not exist!" + else + crit "$SERVICEPATH is not exist!" + fi FNRET=2 fi fi @@ -86,7 +95,11 @@ apply () { fi elif [ $FNRET = 3 ]; then info "Adding $OPTION to systemd" - add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME + if [ $OS_RELEASE -eq 2 ]; then + add_option_to_systemd $REDHAT_SERVICEPATH $OPTION $SERVICENAME + else + add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME + fi remount_partition_by_systemd $SERVICENAME $PARTITION elif [ $FNRET = 4 ]; then info "Remounting $PARTITION from fstab" diff --git a/bin/hardening/2.3_tmp_nosuid.sh b/bin/hardening/2.3_tmp_nosuid.sh index b90deb2..e41e267 100755 --- a/bin/hardening/2.3_tmp_nosuid.sh +++ b/bin/hardening/2.3_tmp_nosuid.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit Debian 7/8/9 Hardening +# harbian audit Debian 7/8/9/10 or CentOS Hardening # Modify by: Samson-W (sccxboy@gmail.com) # 
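Review bot: `[ -e $SERVICEPATH -o -e $REDHAT_SERVICEPATH ]` is true when either path exists, but the body then uses only the path selected by `$OS_RELEASE`, so if the other distribution's file happens to be present the helper is handed a non-existent unit and the `crit "... is not exist!"` branch is never reached. Select the path once and test that: `if [ $OS_RELEASE -eq 2 ]; then MOUNTUNIT=$REDHAT_SERVICEPATH; else MOUNTUNIT=$SERVICEPATH; fi` ahead of the block, then `if [ -e "$MOUNTUNIT" ]; then` and `has_mount_option_systemd "$MOUNTUNIT" $OPTION`, which also collapses the three OS-switch blocks in `audit` and `apply`. 2.3 and 2.4 below carry the identical pattern.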
@@ -19,6 +19,7 @@ PARTITION="/tmp" OPTION="nosuid" SERVICEPATH="/usr/share/systemd/tmp.mount" SERVICENAME="tmp.mount" +REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount" # This function will be called if the script status is on enabled / audit mode audit () { @@ -45,8 +46,12 @@ audit () { fi else warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service" - if [ -e $SERVICEPATH ]; then - has_mount_option_systemd $SERVICEPATH $OPTION + if [ -e $SERVICEPATH -o -e $REDHAT_SERVICEPATH ]; then + if [ $OS_RELEASE -eq 2 ]; then + has_mount_option_systemd $REDHAT_SERVICEPATH $OPTION + else + has_mount_option_systemd $SERVICEPATH $OPTION + fi if [ $FNRET -gt 0 ]; then crit "$PARTITION has no option $OPTION in systemd service!" FNRET=3 @@ -62,7 +67,11 @@ audit () { fi fi else - crit "$TMPMOUNTO is not exist!" + if [ $OS_RELEASE -eq 2 ]; then + crit "$REDHAT_SERVICEPATH is not exist!" + else + crit "$SERVICEPATH is not exist!" + fi FNRET=2 fi fi @@ -86,7 +95,11 @@ apply () { fi elif [ $FNRET = 3 ]; then info "Adding $OPTION to systemd" - add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME + if [ $OS_RELEASE -eq 2 ]; then + add_option_to_systemd $REDHAT_SERVICEPATH $OPTION $SERVICENAME + else + add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME + fi remount_partition_by_systemd $SERVICENAME $PARTITION elif [ $FNRET = 4 ]; then info "Remounting $PARTITION from fstab" diff --git a/bin/hardening/2.4_tmp_noexec.sh b/bin/hardening/2.4_tmp_noexec.sh index cf29255..52f16cb 100755 --- a/bin/hardening/2.4_tmp_noexec.sh +++ b/bin/hardening/2.4_tmp_noexec.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit Debian 7/8/9 Hardening +# harbian audit Debian 7/8/9/10 or CentOS Hardening # Modify by: Samson-W (sccxboy@gmail.com) # 
@@ -19,6 +19,7 @@ PARTITION="/tmp" OPTION="noexec" SERVICEPATH="/usr/share/systemd/tmp.mount" SERVICENAME="tmp.mount" +REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount" # This function will be called if the script status is on enabled / audit mode audit () { @@ -45,8 +46,12 @@ audit () { fi else warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service" - if [ -e $SERVICEPATH ]; then - has_mount_option_systemd $SERVICEPATH $OPTION + if [ -e $SERVICEPATH -o -e $REDHAT_SERVICEPATH ]; then + if [ $OS_RELEASE -eq 2 ]; then + has_mount_option_systemd $REDHAT_SERVICEPATH $OPTION + else + has_mount_option_systemd $SERVICEPATH $OPTION + fi if [ $FNRET -gt 0 ]; then crit "$PARTITION has no option $OPTION in systemd service!" FNRET=3 @@ -62,7 +67,11 @@ audit () { fi fi else - crit "$TMPMOUNTO is not exist!" + if [ $OS_RELEASE -eq 2 ]; then + crit "$REDHAT_SERVICEPATH is not exist!" + else + crit "$SERVICEPATH is not exist!" + fi FNRET=2 fi fi @@ -86,7 +95,11 @@ apply () { fi elif [ $FNRET = 3 ]; then info "Adding $OPTION to systemd" - add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME + if [ $OS_RELEASE -eq 2 ]; then + add_option_to_systemd $REDHAT_SERVICEPATH $OPTION $SERVICENAME + else + add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME + fi remount_partition_by_systemd $SERVICENAME $PARTITION elif [ $FNRET = 4 ]; then info "Remounting $PARTITION from fstab" diff --git a/bin/hardening/3.1_bootloader_ownership.sh b/bin/hardening/3.1_bootloader_ownership.sh index fdb94d1..86fb077 100755 --- a/bin/hardening/3.1_bootloader_ownership.sh +++ b/bin/hardening/3.1_bootloader_ownership.sh @@ -1,7 +1,8 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening +# Modify by: Samson-W (samson@hardenedlinux.org) # # 
@@ -16,53 +17,87 @@ HARDENING_LEVEL=1 # Assertion : Grub Based. FILE='/boot/grub/grub.cfg' +FILE_GRUB2='/boot/grub2/grub.cfg' USER='root' GROUP='root' # This function will be called if the script status is on enabled / audit mode audit () { - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then - ok "$FILE has correct ownership" - else - crit "$FILE ownership was not set to $USER:$GROUP" - fi + if [ $OS_RELEASE -eq 2 ]; then + has_file_correct_ownership $FILE_GRUB2 $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE_GRUB2 has correct ownership" + else + crit "$FILE_GRUB2 ownership was not set to $USER:$GROUP" + fi + else + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + crit "$FILE ownership was not set to $USER:$GROUP" + fi + fi } # This function will be called if the script status is on enabled mode apply () { - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then - ok "$FILE has correct ownership" - else - info "fixing $FILE ownership to $USER:$GROUP" - chown $USER:$GROUP $FILE - fi + if [ $OS_RELEASE -eq 2 ]; then + has_file_correct_ownership $FILE_GRUB2 $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE_GRUB2 has correct ownership" + else + info "fixing $FILE_GRUB2 ownership to $USER:$GROUP" + chown $USER:$GROUP $FILE_GRUB2 + fi + else + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + info "fixing $FILE ownership to $USER:$GROUP" + chown $USER:$GROUP $FILE + fi + fi } # This function will check config parameters required check_config() { + if [ $OS_RELEASE -eq 2 ]; then + is_pkg_installed "grub2-pc" + else + is_pkg_installed "grub-pc" + fi + if [ $FNRET != 0 ]; then + warn "Grub is not installed, not handling configuration" + exit 128 + fi - is_pkg_installed "grub-pc" - if [ $FNRET != 0 ]; then - warn "Grub is not installed, not handling configuration" - exit 128 - fi - does_user_exist 
$USER - if [ $FNRET != 0 ]; then - crit "$USER does not exist" - exit 128 - fi - does_group_exist $GROUP - if [ $FNRET != 0 ]; then - crit "$GROUP does not exist" - exit 128 - fi - does_file_exist $FILE - if [ $FNRET != 0 ]; then - crit "$FILE does not exist" - exit 128 - fi + does_user_exist $USER + if [ $FNRET != 0 ]; then + crit "$USER does not exist" + exit 128 + fi + + does_group_exist $GROUP + if [ $FNRET != 0 ]; then + crit "$GROUP does not exist" + exit 128 + fi + + if [ $OS_RELEASE -eq 2 ]; then + does_file_exist $FILE_GRUB2 + if [ $FNRET != 0 ]; then + crit "$FILE_GRUB2 does not exist" + exit 128 + fi + else + does_file_exist $FILE + if [ $FNRET != 0 ]; then + crit "$FILE does not exist" + exit 128 + fi + fi } # Source Root Dir Parameter diff --git a/bin/hardening/3.2_bootloader_permissions.sh b/bin/hardening/3.2_bootloader_permissions.sh index cecc51e..0d56782 100755 --- a/bin/hardening/3.2_bootloader_permissions.sh +++ b/bin/hardening/3.2_bootloader_permissions.sh @@ -1,7 +1,8 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening +# Modify by: Samson-W (samson@hardenedlinux.org) # # @@ -16,10 +17,16 @@ HARDENING_LEVEL=1 # Assertion : Grub Based. FILE='/boot/grub/grub.cfg' +PKGNAME='grub-pc' PERMISSIONS='400' # This function will be called if the script status is on enabled / audit mode audit () { + if [ $OS_RELEASE -eq 2 ]; then + FILE='/boot/grub2/grub.cfg' + else + : + fi has_file_correct_permissions $FILE $PERMISSIONS if [ $FNRET = 0 ]; then ok "$FILE has correct permissions" @@ -32,6 +39,11 @@ audit () { # This function will be called if the script status is on enabled mode apply () { + if [ $OS_RELEASE -eq 2 ]; then + FILE='/boot/grub2/grub.cfg' + else + : + fi if [ $FNRET = 0 ]; then ok "$FILE has correct permissions" else 
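Review bot: 3.1 duplicates the whole body of `audit`, `apply` and the file-existence part of `check_config` per OS, while 3.2 and 3.3 (next hunks) instead reassign `FILE` at the top of every function with an empty `else :`; the three sibling scripts should use one approach. The smaller form is a single selection, `if [ $OS_RELEASE -eq 2 ]; then FILE='/boot/grub2/grub.cfg'; PKGNAME='grub2-pc'; fi`, done once inside `check_config`, after which `audit`, `apply` and `check_config` keep their original single-path bodies. The `# Source Root Dir Parameter` line at the end of this hunk suggests the config is sourced after the definitions, so a top-level assignment would run before `$OS_RELEASE` exists; doing it in `check_config` only works if the framework calls check_config before audit/apply, which is outside these hunks — confirm. The `else :` branches in 3.2 and 3.3 are dead and can be dropped regardless.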
@@ -42,9 +54,16 @@ apply () { # This function will check config parameters required check_config() { - is_pkg_installed "grub-pc" + if [ $OS_RELEASE -eq 2 ]; then + FILE='/boot/grub2/grub.cfg' + PKGNAME='grub2-pc' + else + : + fi + + is_pkg_installed "$PKGNAME" if [ $FNRET != 0 ]; then - warn "grub-pc is not installed, not handling configuration" + warn "$PKGNAME is not installed, not handling configuration" exit 128 fi if [ $FNRET != 0 ]; then diff --git a/bin/hardening/3.3_bootloader_password.sh b/bin/hardening/3.3_bootloader_password.sh index 214312b..6d5120c 100755 --- a/bin/hardening/3.3_bootloader_password.sh +++ b/bin/hardening/3.3_bootloader_password.sh @@ -1,7 +1,8 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening +# Modify by: Samson-W (samson@hardenedlinux.org) # # @@ -14,11 +15,17 @@ set -u # One variable unset, it's over HARDENING_LEVEL=3 FILE='/boot/grub/grub.cfg' +PKGNAME='grub-pc' USER_PATTERN="^set superusers" PWD_PATTERN="^password_pbkdf2" # This function will be called if the script status is on enabled / audit mode audit () { + if [ $OS_RELEASE -eq 2 ]; then + FILE='/boot/grub2/grub.cfg' + else + : + fi does_pattern_exist_in_file $FILE "$USER_PATTERN" if [ $FNRET != 0 ]; then crit "$USER_PATTERN not present in $FILE" @@ -35,6 +42,11 @@ audit () { # This function will be called if the script status is on enabled mode apply () { + if [ $OS_RELEASE -eq 2 ]; then + FILE='/boot/grub2/grub.cfg' + else + : + fi does_pattern_exist_in_file $FILE "$USER_PATTERN" if [ $FNRET != 0 ]; then warn "$USER_PATTERN not present in $FILE, please configure password for grub" 
@@ -52,9 +64,15 @@ apply () { # This function will check config parameters required check_config() { - is_pkg_installed "grub-pc" + if [ $OS_RELEASE -eq 2 ]; then + FILE='/boot/grub2/grub.cfg' + PKGNAME='grub2-pc' + else + : + fi + is_pkg_installed "$PKGNAME" if [ $FNRET != 0 ]; then - warn "grub-pc is not installed, not handling configuration" + warn "$PKGNAME is not installed, not handling configuration" exit 128 fi if [ $FNRET != 0 ]; then diff --git a/bin/hardening/4.1_restrict_core_dumps.sh b/bin/hardening/4.1_restrict_core_dumps.sh index 36159be..d2f967b 100755 --- a/bin/hardening/4.1_restrict_core_dumps.sh +++ b/bin/hardening/4.1_restrict_core_dumps.sh @@ -1,7 +1,8 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening +#Modify by: Samson-W (samson@hardenedlinux.org) # # @@ -17,9 +18,9 @@ LIMIT_FILE='/etc/security/limits.conf' LIMIT_PATTERN='^\*[[:space:]]*hard[[:space:]]*core[[:space:]]*0$' SYSCTL_PARAM='fs.suid_dumpable' SYSCTL_EXP_RESULT=0 +SERVICE_NAME='kdump' -# This function will be called if the script status is on enabled / audit mode -audit () { +audit_debian () { does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN if [ $FNRET != 0 ]; then crit "$LIMIT_PATTERN not present in $LIMIT_FILE" 
@@ -36,8 +37,30 @@ audit () { fi } -# This function will be called if the script status is on enabled mode -apply () { +audit_redhat () { + is_service_active $SERVICE_NAME + if [ $FNRET -eq 0 ]; then + crit "$SERVICE_NAME is actived" + FNRET=1 + else + ok "$SERVICE_NAME is inactived" + FNRET=0 + fi +} + +# This function will be called if the script status is on enabled / audit mode +audit () { + if [ $OS_RELEASE -eq 1 ]; then + audit_debian + elif [ $OS_RELEASE -eq 2 ]; then + audit_redhat + else + crit "Current OS is not support!" + FNRET=44 + fi +} + +apply_debian () { does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN if [ $FNRET != 0 ]; then warn "$LIMIT_PATTERN not present in $LIMIT_FILE, adding at the end of $LIMIT_FILE" @@ -57,6 +80,27 @@ apply () { } +apply_redhat () { + if [ $FNRET -eq 1 ]; then + info "Disabling $SERVICE_NAME" + systemctl stop $SERVICE_NAME + systemctl disable $SERVICE_NAME + else + ok "$SERVICE_NAME is disabled" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $OS_RELEASE -eq 1 ]; then + apply_debian + elif [ $OS_RELEASE -eq 2 ]; then + apply_redhat + else + crit "Current OS is not support!" + fi +} + # This function will check config parameters required check_config() { : diff --git a/bin/hardening/4.4_disable_prelink.sh b/bin/hardening/4.4_disable_prelink.sh index 38c97fd..284860e 100755 --- a/bin/hardening/4.4_disable_prelink.sh +++ b/bin/hardening/4.4_disable_prelink.sh @@ -1,7 +1,8 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening +# Modify by: Samson-W (samson@hardenedlinux.org) # # 
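Review bot: audit_redhat in 4.1_restrict_core_dumps.sh replaces the core-dump control with a kdump service check, so on CentOS neither the `* hard core 0` line in limits.conf nor `fs.suid_dumpable` is audited or applied, although both settings are just as applicable there; kdump status is a separate concern and belongs alongside those checks, not in place of them. apply_redhat (next hunk) branches on the `$FNRET` left over from audit_redhat instead of re-probing, so calling apply without a preceding audit, or after another helper has overwritten FNRET, silently prints `ok "$SERVICE_NAME is disabled"`; calling `is_service_active $SERVICE_NAME` at the top of apply_redhat and testing `[ $FNRET -eq 0 ]` removes that coupling, and is how apply_debian already behaves by re-running does_pattern_exist_in_file. The messages `crit "$SERVICE_NAME is actived"` and `ok "$SERVICE_NAME is inactived"` should read `is active` / `is inactive`.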
@@ -28,16 +29,26 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - crit "$PACKAGE is installed, purging it" - /usr/sbin/prelink -ua - apt-get purge $PACKAGE -y - apt-get autoremove - else - ok "$PACKAGE is absent" - fi - : + if [ $OS_RELEASE -eq 2 ]; then + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed, purging it" + "$(which $PACKAGE)" -ua + yum autoremove $PACKAGE -y + else + ok "$PACKAGE is absent" + fi + elif [ $OS_RELEASE -eq 1 ]; then + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed, purging it" + /usr/sbin/prelink -ua + apt-get purge $PACKAGE -y + apt-get autoremove + else + ok "$PACKAGE is absent" + fi + else + crit "Current OS is not support!" + fi } # This function will check config parameters required diff --git a/bin/hardening/4.5_enable_apparmor.sh b/bin/hardening/4.5_enable_apparmor.sh index 842c5ca..c835993 100755 --- a/bin/hardening/4.5_enable_apparmor.sh +++ b/bin/hardening/4.5_enable_apparmor.sh @@ -1,11 +1,12 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening -# +# harbian audit 7/8/9/10 or CentOS Hardening +# Modify by: Samson-W (samson@hardenedlinux.org) +# todo: SELinux # -# 4.5 Activate AppArmor (Scored) +# 4.5 Activate AppArmor/SELinux (Scored) # Add by Author : Samson wen, Samson # @@ -20,8 +21,7 @@ PATTERN="apparmor=1[[:space:]]*security=apparmor" SETSTRING="apparmor=1 security=apparmor" GRUBFILE='/etc/default/grub' -# This function will be called if the script status is on enabled / audit mode -audit () { +audit_debian () { for PACKAGE in ${PACKAGES} do is_pkg_installed $PACKAGE 
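Review bot: The rewritten apply() in 4.4_disable_prelink.sh no longer calls `is_pkg_installed $PACKAGE` before testing `$FNRET` (the removed lines did), so on both branches the decision to purge depends on whichever helper last set FNRET; restore `is_pkg_installed $PACKAGE` as the first statement of apply(). In the CentOS branch `"$(which $PACKAGE)" -ua` expands to an empty command name when the binary is not on PATH, which under `set -e` aborts the script before `yum` runs; the Debian branch's fixed `/usr/sbin/prelink -ua` is the safer form, and `command -v` is the portable lookup if the path has to be discovered. The two branches are otherwise identical apart from the package-manager line, so a single body with only the removal command switched on `$OS_RELEASE` would halve the function.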
@@ -49,8 +49,24 @@ audit () { fi } -# This function will be called if the script status is on enabled mode -apply () { +# Todo +audit_redhat () { + : +} + +# This function will be called if the script status is on enabled / audit mode +audit () { + if [ $OS_RELEASE -eq 1 ]; then + audit_debian + elif [ $OS_RELEASE -eq 2 ]; then + audit_redhat + else + crit "Current OS is not support!" + FNRET=44 + fi +} + +apply_debian () { if [ $FNRET = 0 ]; then ok "AppArmor profiles is enable in the system " elif [ $FNRET = 1 ]; then @@ -69,6 +85,22 @@ apply () { fi } +# Todo +apply_redhat () { + : +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $OS_RELEASE -eq 1 ]; then + apply_debian + elif [ $OS_RELEASE -eq 2 ]; then + apply_redhat + else + crit "Current OS is not support!" + fi +} + # This function will check config parameters required check_config() { : diff --git a/bin/hardening/4.6_disable_usb_devices.sh b/bin/hardening/4.6_disable_usb_devices.sh index 4dfc158..ec95f7e 100755 --- a/bin/hardening/4.6_disable_usb_devices.sh +++ b/bin/hardening/4.6_disable_usb_devices.sh @@ -1,11 +1,13 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening / +# harbian audit 7/8/9/10 or CentOS Hardening +# Modify by: Samson-W (samson@hardenedlinux.org) # # # 4.6 Disable USB Devices +# TODO test # set -e # One error, it's over @@ -18,8 +20,11 @@ PATTERN='ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{auth FILES_TO_SEARCH='/etc/udev/rules.d' FILE='/etc/udev/rules.d/CIS_4.6_usb_devices.conf' -# This function will be called if the script status is on enabled / audit mode -audit () { +BLACKRULEPATTERN='^blacklist[[:blank:]].*usb-storage' +BLACKRULE='blacklist usb-storage' +BLACKCONFILE='/etc/modprobe.d/blacklist.conf' + +audit_debian () { SEARCH_RES=0 for FILE_SEARCHED in $FILES_TO_SEARCH; do if [ $SEARCH_RES = 1 ]; then break; fi 
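Review bot: audit_redhat and apply_redhat in 4.5_enable_apparmor.sh are bare `:` stubs, and the same stub is added as audit_redhat in 4.6_disable_usb_devices.sh (next hunk); because neither emits `crit` or `warn`, a CentOS run presumably records these controls with no finding, which reads as compliant when nothing was checked. Until the SELinux variant exists the stub should at least announce the gap, e.g. `warn "SELinux check is not implemented yet for Redhat/CentOS"`, so the report cannot be mistaken for a pass. The `# Todo` comment would be more useful if it named the expected check (enforcing mode at runtime and in the persistent SELinux config) so the follow-up is unambiguous.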
@@ -50,6 +55,22 @@ audit () { fi } +audit_redhat () { + : +} + +# This function will be called if the script status is on enabled / audit mode +audit () { + if [ $OS_RELEASE -eq 1 ]; then + audit_debian + elif [ $OS_RELEASE -eq 2 ]; then + audit_redhat + else + crit "Current OS is not support!" + FNRET=44 + fi +} + # This function will be called if the script status is on enabled mode apply () { SEARCH_RES=0 diff --git a/bin/hardening/5.1.1_disable_nis.sh b/bin/hardening/5.1.1_disable_nis.sh index d3552f3..5481934 100755 --- a/bin/hardening/5.1.1_disable_nis.sh +++ b/bin/hardening/5.1.1_disable_nis.sh @@ -1,7 +1,8 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening +# Modify by: Samson-W (samson@hardenedlinux.org) # # @@ -14,10 +15,14 @@ set -u # One variable unset, it's over HARDENING_LEVEL=3 PACKAGE='nis' +PACKAGE_REDHAT='ypserv' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE + if [ $OS_RELEASE -eq 2 ]; then + PACKAGE=$PACKAGE_REDHAT + fi + is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then crit "$PACKAGE is installed!" else @@ -28,11 +33,18 @@ audit () { # This function will be called if the script status is on enabled mode apply () { + if [ $OS_RELEASE -eq 2 ]; then + PACKAGE=$PACKAGE_REDHAT + fi is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then crit "$PACKAGE is installed, purging it" - apt-get purge $PACKAGE -y - apt-get autoremove + if [ $OS_RELEASE -eq 2 ]; then + yum -y autoremove $PACKAGE + else + apt-get purge $PACKAGE -y + apt-get autoremove + fi else ok "$PACKAGE is absent" fi diff --git a/bin/hardening/5.1.2_disable_rsh.sh b/bin/hardening/5.1.2_disable_rsh.sh index 8810f87..24c2729 100755 --- a/bin/hardening/5.1.2_disable_rsh.sh +++ b/bin/hardening/5.1.2_disable_rsh.sh @@ -1,7 +1,8 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening +# Modify by: Samson-W (samson@hardenedlinux.org) # # 
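Review bot: `BLACKRULEPATTERN`, `BLACKRULE` and `BLACKCONFILE` are introduced in 4.6_disable_usb_devices.sh but nothing in the visible new code reads them (audit_redhat is `:` and the visible start of apply() is unchanged), so they are dead until the CentOS branch is written; either wire them in, e.g. `does_pattern_exist_in_file $BLACKCONFILE $BLACKRULEPATTERN` in audit_redhat, or leave them out of this commit. Blacklisting `usb-storage` in modprobe.d only blocks the mass-storage driver, a weaker control than the udev `authorized_default` rule the Debian branch enforces, so if that is the intended CentOS approach the difference belongs in the header comment. apply() still has no `$OS_RELEASE` dispatch in the visible lines, so on CentOS it appears to run the Debian udev logic; its body continues outside the hunk.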
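Review bot: The CentOS mapping in 5.1.1_disable_nis.sh swaps Debian's `nis` package for `ypserv` only; Debian's `nis` ships both the NIS server and the ypbind client, so if this control is meant to match the Debian scope, `ypbind` should be checked and removed too, e.g. `PACKAGE_REDHAT='ypserv ypbind'` iterated with a loop as 5.1.4 already does. The removal command `yum -y autoremove $PACKAGE` differs from `yum remove … -y` / `yum -y remove` used in 5.1.2, 5.1.4 and 5.1.6 and from `yum autoremove … -y` in 4.4; one form project-wide would make the remediation predictable and easier to audit.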
@@ -15,11 +16,11 @@ HARDENING_LEVEL=2 # Based on aptitude search '~Prsh-server' PACKAGES='rsh-server rsh-redone-server heimdal-servers' +PACKAGE_REDHAT='rsh-server' FILE='/etc/inetd.conf' PATTERN='^(shell|login|exec)' -# This function will be called if the script status is on enabled / audit mode -audit () { +audit_debian () { for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then @@ -41,8 +42,27 @@ audit () { done } -# This function will be called if the script status is on enabled mode -apply () { +audit_redhat () { + is_pkg_installed $PACKAGE_REDHAT + if [ $FNRET = 0 ]; then + crit "$PACKAGE_REDHAT is installed!" + else + ok "$PACKAGE_REDHAT is absent" + fi +} +# This function will be called if the script status is on enabled / audit mode +audit () { + if [ $OS_RELEASE -eq 1 ]; then + audit_debian + elif [ $OS_RELEASE -eq 2 ]; then + audit_redhat + else + crit "Current OS is not support!" + FNRET=44 + fi +} + +apply_debian () { for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then @@ -70,6 +90,27 @@ apply () { done } +apply_redhat () { + is_pkg_installed $PACKAGE_REDHAT + if [ $FNRET = 0 ]; then + crit "$PACKAGE_REDHAT is installed, purging it" + yum -y remove $PACKAGE_REDHAT + else + ok "$PACKAGE_REDHAT is absent" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $OS_RELEASE -eq 1 ]; then + apply_debian + elif [ $OS_RELEASE -eq 2 ]; then + apply_redhat + else + crit "Current OS is not support!" + fi +} + # This function will check config parameters required check_config() { : diff --git a/bin/hardening/5.1.3_disable_rsh_client.sh b/bin/hardening/5.1.3_disable_rsh_client.sh index 79bb1ae..4bf7501 100755 --- a/bin/hardening/5.1.3_disable_rsh_client.sh +++ b/bin/hardening/5.1.3_disable_rsh_client.sh @@ -1,7 +1,8 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening +# Modify by: Samson-W (samson@hardenedlinux.org) # # 
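Review bot: The `audit()`/`apply()` dispatchers added in 5.1.2_disable_rsh.sh are identical to those added in 4.1, 4.5, 4.6, 5.1.4 and 5.1.6 in this commit; a single helper in lib (say `dispatch_os audit`, calling `audit_debian`/`audit_redhat` by `$OS_RELEASE`) would replace six copies and give one place to maintain the unsupported-OS branch. That branch sets `FNRET=44` in audit but not in apply, so the two dispatchers leave different state behind; if 44 is a meaningful sentinel it should be set in both. audit_redhat only checks the `rsh-server` package while audit_debian also inspects /etc/inetd.conf for `shell|login|exec`; on CentOS the equivalent activations live in xinetd configuration, so the package-only check is a weaker test and the limitation is worth a comment.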
@@ -18,28 +19,36 @@ PACKAGES='rsh-client rsh-redone-client heimdal-clients' # This function will be called if the script status is on enabled / audit mode audit () { - for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - crit "$PACKAGE is installed" - else - ok "$PACKAGE is absent" - fi - done + if [ $OS_RELEASE -eq 2 ]; then + ok "Redhat or CentOS does not have this check, so PASS" + else + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed" + else + ok "$PACKAGE is absent" + fi + done + fi } # This function will be called if the script status is on enabled mode apply () { - for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - warn "$PACKAGE is installed, purging" - apt-get purge $PACKAGE -y - apt-get autoremove - else - ok "$PACKAGE is absent" - fi - done + if [ $OS_RELEASE -eq 2 ]; then + ok "Redhat or CentOS does not have this check, so PASS" + else + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + warn "$PACKAGE is installed, purging" + apt-get purge $PACKAGE -y + apt-get autoremove + else + ok "$PACKAGE is absent" + fi + done + fi } # This function will check config parameters required diff --git a/bin/hardening/5.1.4_disable_talk.sh b/bin/hardening/5.1.4_disable_talk.sh index d9de3eb..d0968dd 100755 --- a/bin/hardening/5.1.4_disable_talk.sh +++ b/bin/hardening/5.1.4_disable_talk.sh @@ -1,7 +1,8 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening +# Modify by: Samson-W (samson@hardenedlinux.org) # # @@ -16,9 +17,9 @@ HARDENING_LEVEL=2 PACKAGES='inetutils-talkd talkd' FILE='/etc/inetd.conf' PATTERN='^(talk|ntalk)' +PACKAGES_REDHAT='talk-server' -# This function will be called if the script status is on enabled / audit mode -audit () { +audit_debian () { for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then 
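Review bot: The CentOS branch of 5.1.3_disable_rsh_client.sh prints `ok "Redhat or CentOS does not have this check, so PASS"` in both audit and apply, but CentOS ships the rsh/rlogin/rcp clients in the `rsh` package and the RHEL benchmark has a matching "rsh client is not installed" item, so this reports a pass without examining the host. Mirroring 5.1.5 is enough: `PACKAGES_REDHAT='rsh'`, selected when `$OS_RELEASE -eq 2`, then the existing loop with `yum remove $PACKAGE -y` in apply. An unconditional `ok` is the one outcome an audit script should never print without a check behind it.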
@@ -40,8 +41,30 @@ audit () { done } -# This function will be called if the script status is on enabled mode -apply () { +audit_redhat () { + for PACKAGE in $PACKAGES_REDHAT; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed" + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will be called if the script status is on enabled / audit mode +audit () { + if [ $OS_RELEASE -eq 1 ]; then + audit_debian + elif [ $OS_RELEASE -eq 2 ]; then + audit_redhat + else + crit "Current OS is not support!" + FNRET=44 + fi +} + +apply_debian () { for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then @@ -69,6 +92,28 @@ apply () { done } +apply_redhat () { + for PACKAGE in $PACKAGES_REDHAT; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed, purging it" + yum remove $PACKAGE -y + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $OS_RELEASE -eq 1 ]; then + apply_debian + elif [ $OS_RELEASE -eq 2 ]; then + apply_redhat + else + crit "Current OS is not support!" + fi +} # This function will check config parameters required check_config() { : diff --git a/bin/hardening/5.1.5_disable_talk_client.sh b/bin/hardening/5.1.5_disable_talk_client.sh index e161822..6056df3 100755 --- a/bin/hardening/5.1.5_disable_talk_client.sh +++ b/bin/hardening/5.1.5_disable_talk_client.sh @@ -1,7 +1,8 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening +# Modify by: Samson-W (samson@hardenedlinux.org) # # @@ -14,9 +15,13 @@ set -u # One variable unset, it's over HARDENING_LEVEL=2 PACKAGES='talk inetutils-talk' +PACKAGES_REDHAT='talk' # This function will be called if the script status is on enabled / audit mode audit () { + if [ $OS_RELEASE -eq 2 ]; then + PACKAGES=$PACKAGES_REDHAT + fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then 
@@ -29,12 +34,19 @@ audit () { # This function will be called if the script status is on enabled mode apply () { + if [ $OS_RELEASE -eq 2 ]; then + PACKAGES=$PACKAGES_REDHAT + fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then warn "$PACKAGE is installed, purging" - apt-get purge $PACKAGE -y - apt-get autoremove + if [ $OS_RELEASE -eq 2 ]; then + yum remove $PACKAGE -y + else + apt-get purge $PACKAGE -y + apt-get autoremove + fi else ok "$PACKAGE is absent" fi diff --git a/bin/hardening/5.1.6_disable_telnet_server.sh b/bin/hardening/5.1.6_disable_telnet_server.sh index d13eab0..2ed0118 100755 --- a/bin/hardening/5.1.6_disable_telnet_server.sh +++ b/bin/hardening/5.1.6_disable_telnet_server.sh @@ -1,7 +1,8 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening +# Modify by: Samson-W (samson@hardenedlinux.org) # # @@ -17,9 +18,9 @@ HARDENING_LEVEL=2 PACKAGES='telnetd inetutils-telnetd telnetd-ssl krb5-telnetd heimdal-servers' FILE='/etc/inetd.conf' PATTERN='^telnet' +PACKAGE_REDHAT='telnet-server' -# This function will be called if the script status is on enabled / audit mode -audit () { +audit_debian () { for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then @@ -41,8 +42,28 @@ audit () { done } -# This function will be called if the script status is on enabled mode -apply () { +audit_redhat () { + is_pkg_installed $PACKAGE_REDHAT + if [ $FNRET = 0 ]; then + crit "$PACKAGE_REDHAT is installed" + else + ok "$PACKAGE_REDHAT is absent" + fi +} + +# This function will be called if the script status is on enabled / audit mode +audit () { + if [ $OS_RELEASE -eq 1 ]; then + audit_debian + elif [ $OS_RELEASE -eq 2 ]; then + audit_redhat + else + crit "Current OS is not support!" + FNRET=44 + fi +} + +apply_debian () { for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then 
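Review bot: In 5.1.5_disable_talk_client.sh apply() the `if [ $OS_RELEASE -eq 2 ]` around the removal command is re-evaluated for every package inside the loop, and the same inline apt/yum fork appears in 5.1.1 and in the renamed 5.1.7_disable_inetd.sh (later hunk); a lib helper alongside the existing `apt_install`, e.g. `pkg_remove "$PACKAGE"` choosing `apt-get purge`/`apt-get autoremove` or `yum remove -y` by `$OS_RELEASE`, would keep each loop to one line and make removal semantics identical across scripts. As written, the CentOS path in this file never runs an autoremove while the Debian path does, which is a behavioural difference worth stating if intended.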
@@ -70,6 +91,27 @@ apply () { done } +apply_redhat () { + is_pkg_installed $PACKAGE_REDHAT + if [ $FNRET = 0 ]; then + crit "$PACKAGE_REDHAT is installed, purging it" + yum remove $PACKAGE_REDHAT -y + else + ok "$PACKAGE_REDHAT is absent" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $OS_RELEASE -eq 1 ]; then + apply_debian + elif [ $OS_RELEASE -eq 2 ]; then + apply_redhat + else + crit "Current OS is not support!" + fi +} + # This function will check config parameters required check_config() { : diff --git a/bin/hardening/5.1.8_disable_inetd.sh b/bin/hardening/5.1.7_disable_inetd.sh similarity index 77% rename from bin/hardening/5.1.8_disable_inetd.sh rename to bin/hardening/5.1.7_disable_inetd.sh index 639674b..d191b73 100755 --- a/bin/hardening/5.1.8_disable_inetd.sh +++ b/bin/hardening/5.1.7_disable_inetd.sh @@ -1,11 +1,12 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening +# Modify by: Samson-W (samson@hardenedlinux.org) # # -# 5.1.8 Ensure xinetd is not enabled (Scored) +# 5.1.7 Ensure xinetd is not enabled (Scored) # set -e # One error, it's over @@ -14,9 +15,13 @@ set -u # One variable unset, it's over HARDENING_LEVEL=3 PACKAGES='openbsd-inetd xinetd rlinetd' +PACKAGES_REDHAT='xinetd' # This function will be called if the script status is on enabled / audit mode audit () { + if [ $OS_RELEASE -eq 2 ]; then + PACKAGES=$PACKAGES_REDHAT + fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then 
@@ -29,12 +34,19 @@ audit () { # This function will be called if the script status is on enabled mode apply () { + if [ $OS_RELEASE -eq 2 ]; then + PACKAGES=$PACKAGES_REDHAT + fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then warn "$PACKAGE is installed, purging" - apt-get purge $PACKAGE -y - apt-get autoremove + if [ $OS_RELEASE -eq 2 ]; then + yum remove $PACKAGE -y + else + apt-get purge $PACKAGE -y + apt-get autoremove + fi else ok "$PACKAGE is absent" fi diff --git a/bin/hardening/5.1.7_disable_tftp_server.sh b/bin/hardening/5.1.7_disable_tftp_server.sh deleted file mode 100755 index e9566d8..0000000 --- a/bin/hardening/5.1.7_disable_tftp_server.sh +++ /dev/null 
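Review bot: The renumbered 5.1.7_disable_inetd.sh takes the number freed by deleting 5.1.7_disable_tftp_server.sh (next hunk), and nothing in this commit re-adds a tftp-server check for either Debian or CentOS, so that control is dropped rather than ported; if that is intentional the commit message should say so, otherwise a `PACKAGES_REDHAT='tftp-server'` variant of this same script pattern would cover it. The header still reads `Ensure xinetd is not enabled` while audit/apply only test package presence, not service state; `is_service_active $PACKAGE` (the helper 4.1 already uses) would make the check match its title.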
@@ -1,93 +0,0 @@ -#!/bin/bash - -# -# harbian audit 7/8/9 Hardening -# - -# -# 5.1.7 Ensure tftp-server is not enabled (Scored) -# - -set -e # One error, it's over -set -u # One variable unset, it's over - -HARDENING_LEVEL=2 - -PACKAGES='tftpd tftpd-hpa atftpd' -FILE='/etc/inetd.conf' -PATTERN='^tftp' - -# This function will be called if the script status is on enabled / audit mode -audit () { - for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - warn "$PACKAGE is installed, checking configuration" - does_file_exist $FILE - if [ $FNRET != 0 ]; then - ok "$FILE does not exist" - else - does_pattern_exist_in_file $FILE $PATTERN - if [ $FNRET = 0 ]; then - crit "$PATTERN exists, $PACKAGE services are enabled!" - else - ok "$PATTERN is not present in $FILE" - fi - fi - else - ok "$PACKAGE is absent" - fi - done -} - -# This function will be called if the script status is on enabled mode -apply () { - for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - crit "$PACKAGE is installed, purging it" - apt-get purge $PACKAGE -y - apt-get autoremove - else - ok "$PACKAGE is absent" - fi - does_file_exist $FILE - if [ $FNRET != 0 ]; then - ok "$FILE does not exist" - else - info "$FILE exists, checking patterns" - does_pattern_exist_in_file $FILE $PATTERN - if [ $FNRET = 0 ]; then - warn "$PATTERN is present in $FILE, purging it" - backup_file $FILE - ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) - sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE - else - ok "$PATTERN is not present in $FILE" - fi - fi - done -} - -# This function will check config parameters required -check_config() { - : -} - -# Source Root Dir Parameter -if [ -r /etc/default/cis-hardening ]; then - . /etc/default/cis-hardening -fi -if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." 
- exit 128 -fi - -# Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then - . $CIS_ROOT_DIR/lib/main.sh -else - echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" - exit 128 -fi diff --git a/bin/hardening/5.2_disable_chargen.sh b/bin/hardening/5.2_disable_chargen.sh deleted file mode 100755 index ef295dc..0000000 --- a/bin/hardening/5.2_disable_chargen.sh +++ /dev/null 
@@ -1,74 +0,0 @@ -#!/bin/bash - -# -# harbian audit 7/8/9 Hardening -# - -# -# 5.2 Ensure chargen is not enabled (Scored) -# - -set -e # One error, it's over -set -u # One variable unset, it's over - -HARDENING_LEVEL=2 - -FILE='/etc/inetd.conf' -PATTERN='^chargen' - -# This function will be called if the script status is on enabled / audit mode -audit () { - does_file_exist $FILE - if [ $FNRET != 0 ]; then - ok "$FILE does not exist" - else - does_pattern_exist_in_file $FILE $PATTERN - if [ $FNRET = 0 ]; then - crit "$PATTERN exists, chargen service is enabled!" - else - ok "$PATTERN is not present in $FILE" - fi - fi -} - -# This function will be called if the script status is on enabled mode -apply () { - does_file_exist $FILE - if [ $FNRET != 0 ]; then - ok "$FILE does not exist" - else - info "$FILE exists, checking patterns" - does_pattern_exist_in_file $FILE $PATTERN - if [ $FNRET = 0 ]; then - warn "$PATTERN is present in $FILE, purging it" - backup_file $FILE - ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) - sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE - else - ok "$PATTERN is not present in $FILE" - fi - fi -} - -# This function will check config parameters required -check_config() { - : -} - -# Source Root Dir Parameter -if [ -r /etc/default/cis-hardening ]; then - . /etc/default/cis-hardening -fi -if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." - exit 128 -fi - -# Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then - . $CIS_ROOT_DIR/lib/main.sh -else - echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" - exit 128 -fi 
diff --git a/bin/hardening/5.7_install_screen.sh b/bin/hardening/5.2_install_screen.sh similarity index 88% rename from bin/hardening/5.7_install_screen.sh rename to bin/hardening/5.2_install_screen.sh index a15c7c6..9b378aa 100755 --- a/bin/hardening/5.7_install_screen.sh +++ b/bin/hardening/5.2_install_screen.sh @@ -1,11 +1,11 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # -# 5.7 Install screen (Scored) +# 5.2 Install screen (Scored) # Author : Samson wen, Samson # @@ -33,7 +33,11 @@ apply () { ok "$PACKAGE is installed" else warn "$PACKAGE is absent, installing it" - apt_install $PACKAGE + if [ $OS_RELEASE -eq 2 ]; then + yum install -y $PACKAGE + else + apt_install $PACKAGE + fi fi } diff --git a/bin/hardening/5.3_disable_daytime.sh b/bin/hardening/5.3_disable_daytime.sh deleted file mode 100755 index 3e8add7..0000000 --- a/bin/hardening/5.3_disable_daytime.sh +++ /dev/null 
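Review bot: `yum install -y $PACKAGE` is inlined next to the existing `apt_install $PACKAGE` helper in 5.2_install_screen.sh apply(), and the same fork is repeated in 5.3_enable_openssh_server.sh; extending lib with a distribution-aware `pkg_install` (or teaching `apt_install` to dispatch on `$OS_RELEASE`) keeps package-manager details out of the individual checks. The rename also reuses number 5.2, previously the chargen inetd check that this commit deletes together with daytime, echo, discard and time (5.3–5.6); those inetd controls have no replacement here, which the README's control list should reflect. apply()'s body continues outside the hunk.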
@@ -1,74 +0,0 @@ -#!/bin/bash - -# -# harbian audit 7/8/9 Hardening -# - -# -# 5.3 Ensure daytime is not enabled (Scored) -# - -set -e # One error, it's over -set -u # One variable unset, it's over - -HARDENING_LEVEL=2 - -FILE='/etc/inetd.conf' -PATTERN='^daytime' - -# This function will be called if the script status is on enabled / audit mode -audit () { - does_file_exist $FILE - if [ $FNRET != 0 ]; then - ok "$FILE does not exist" - else - does_pattern_exist_in_file $FILE $PATTERN - if [ $FNRET = 0 ]; then - crit "$PATTERN exists, daytime service is enabled!" - else - ok "$PATTERN is not present in $FILE" - fi - fi -} - -# This function will be called if the script status is on enabled mode -apply () { - does_file_exist $FILE - if [ $FNRET != 0 ]; then - ok "$FILE does not exist" - else - info "$FILE exists, checking patterns" - does_pattern_exist_in_file $FILE $PATTERN - if [ $FNRET = 0 ]; then - warn "$PATTERN is present in $FILE, purging it" - backup_file $FILE - ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) - sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE - else - ok "$PATTERN is not present in $FILE" - fi - fi -} - -# This function will check config parameters required -check_config() { - : -} - -# Source Root Dir Parameter -if [ -r /etc/default/cis-hardening ]; then - . /etc/default/cis-hardening -fi -if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." - exit 128 -fi - -# Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then - . $CIS_ROOT_DIR/lib/main.sh -else - echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" - exit 128 -fi 
diff --git a/bin/hardening/5.8_enable_openssh_server.sh b/bin/hardening/5.3_enable_openssh_server.sh similarity index 66% rename from bin/hardening/5.8_enable_openssh_server.sh rename to bin/hardening/5.3_enable_openssh_server.sh index e6b8144..06b8379 100755 --- a/bin/hardening/5.8_enable_openssh_server.sh +++ b/bin/hardening/5.3_enable_openssh_server.sh @@ -1,11 +1,11 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # -# 5.8 Ensure openssh server is enabled (Scored) +# 5.3 Ensure openssh server is enabled (Scored) # Author : Samson wen, Samson # @@ -15,7 +15,8 @@ set -u # One variable unset, it's over HARDENING_LEVEL=2 PACKAGES='openssh-server openssh-client' - +SERVICE_NAME='ssh.service' +SERVICE_NAME_REDHAT='sshd.service' # This function will be called if the script status is on enabled / audit mode audit () { @@ -28,6 +29,15 @@ audit () { ok "$PACKAGE is installed" fi done + if [ $OS_RELEASE -eq 2 ]; then + SERVICE_NAME=$SERVICE_NAME_REDHAT + fi + is_service_active $SERVICE_NAME + if [ $FNRET = 0 ]; then + ok "$SERVICE_NAME is actived" + else + crit "$SERVICE_NAME is inactive" + fi } # This function will be called if the script status is on enabled mode @@ -39,9 +49,25 @@ apply () { ok "$PACKAGE is installed" else warn "$PACKAGE is absent, installing it" - apt_install $PACKAGE + if [ $OS_RELEASE -eq 2 ]; then + yum install -y $PACKAGE + else + apt_install $PACKAGE + fi fi done + if [ $OS_RELEASE -eq 2 ]; then + SERVICE_NAME=$SERVICE_NAME_REDHAT + fi + is_service_active $SERVICE_NAME + if [ $FNRET = 0 ]; then + ok "$SERVICE_NAME is actived" + else + warn "$SERVICE_NAME is inactive, set enable this service" + systemctl enable $SERVICE_NAME + systemctl daemon-reload + systemctl start $SERVICE_NAME + fi } # This function will check config parameters required 
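Review bot: audit() in 5.3_enable_openssh_server.sh tests only whether the unit is currently active (assuming `is_service_active` wraps `systemctl is-active`), and apply() runs `systemctl enable` only in the inactive branch, so an sshd that is running but disabled passes the audit and is never enabled for the next boot; either add a parallel enabled-state check or run `systemctl enable $SERVICE_NAME` unconditionally in apply before the active test. `systemctl daemon-reload` between `enable` and `start` is unnecessary here, since the script does not change any unit definitions, and can be dropped. The messages `ok "$SERVICE_NAME is actived"` and `warn "$SERVICE_NAME is inactive, set enable this service"` would read better as `is active` and `is inactive, enabling and starting it`.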
diff --git a/bin/hardening/5.9_disable_ctrl_alt_del_target.sh b/bin/hardening/5.4_disable_ctrl_alt_del_target.sh similarity index 95% rename from bin/hardening/5.9_disable_ctrl_alt_del_target.sh rename to bin/hardening/5.4_disable_ctrl_alt_del_target.sh index 9fa598f..e04d6d1 100755 --- a/bin/hardening/5.9_disable_ctrl_alt_del_target.sh +++ b/bin/hardening/5.4_disable_ctrl_alt_del_target.sh @@ -1,11 +1,11 @@ #!/bin/bash # -# harbian audit 9 Hardening +# harbian audit 9 or CentOS Hardening # # -# 5.9 Ensure ctrl-alt-del is disabled (Scored) +# 5.4 Ensure ctrl-alt-del is disabled (Scored) # Author : Samson wen, Samson # diff --git a/bin/hardening/5.4_disable_echo.sh b/bin/hardening/5.4_disable_echo.sh deleted file mode 100755 index 0b3b14f..0000000 --- a/bin/hardening/5.4_disable_echo.sh +++ /dev/null 
@@ -1,74 +0,0 @@ -#!/bin/bash - -# -# harbian audit 7/8/9 Hardening -# - -# -# 5.4 Ensure echo is not enabled (Scored) -# - -set -e # One error, it's over -set -u # One variable unset, it's over - -HARDENING_LEVEL=2 - -FILE='/etc/inetd.conf' -PATTERN='^echo' - -# This function will be called if the script status is on enabled / audit mode -audit () { - does_file_exist $FILE - if [ $FNRET != 0 ]; then - ok "$FILE does not exist" - else - does_pattern_exist_in_file $FILE $PATTERN - if [ $FNRET = 0 ]; then - crit "$PATTERN exists, echo service is enabled!" - else - ok "$PATTERN is not present in $FILE" - fi - fi -} - -# This function will be called if the script status is on enabled mode -apply () { - does_file_exist $FILE - if [ $FNRET != 0 ]; then - ok "$FILE does not exist" - else - info "$FILE exists, checking patterns" - does_pattern_exist_in_file $FILE $PATTERN - if [ $FNRET = 0 ]; then - warn "$PATTERN is present in $FILE, purging it" - backup_file $FILE - ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) - sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE - else - ok "$PATTERN is not present in $FILE" - fi - fi -} - -# This function will check config parameters required -check_config() { - : -} - -# Source Root Dir Parameter -if [ -r /etc/default/cis-hardening ]; then - . /etc/default/cis-hardening -fi -if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." - exit 128 -fi - -# Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then - . $CIS_ROOT_DIR/lib/main.sh -else - echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" - exit 128 -fi 
diff --git a/bin/hardening/5.5_disable_discard.sh b/bin/hardening/5.5_disable_discard.sh
deleted file mode 100755
index 4a20dc6..0000000
--- a/bin/hardening/5.5_disable_discard.sh
+++ /dev/null
@@ -1,74 +0,0 @@ -#!/bin/bash - -# -# harbian audit 7/8/9 Hardening -# - -# -# 5.5 Ensure discard is not enabled (Scored) -# - -set -e # One error, it's over -set -u # One variable unset, it's over - -HARDENING_LEVEL=2 - -FILE='/etc/inetd.conf' -PATTERN='^discard' - -# This function will be called if the script status is on enabled / audit mode -audit () { - does_file_exist $FILE - if [ $FNRET != 0 ]; then - ok "$FILE does not exist" - else - does_pattern_exist_in_file $FILE $PATTERN - if [ $FNRET = 0 ]; then - crit "$PATTERN exists, discard service is enabled!" - else - ok "$PATTERN is not present in $FILE" - fi - fi -} - -# This function will be called if the script status is on enabled mode -apply () { - does_file_exist $FILE - if [ $FNRET != 0 ]; then - ok "$FILE does not exist" - else - info "$FILE exists, checking patterns" - does_pattern_exist_in_file $FILE $PATTERN - if [ $FNRET = 0 ]; then - warn "$PATTERN is present in $FILE, purging it" - backup_file $FILE - ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) - sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE - else - ok "$PATTERN is not present in $FILE" - fi - fi -} - -# This function will check config parameters required -check_config() { - : -} - -# Source Root Dir Parameter -if [ -r /etc/default/cis-hardening ]; then - . /etc/default/cis-hardening -fi -if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." - exit 128 -fi - -# Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then - . $CIS_ROOT_DIR/lib/main.sh -else - echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" - exit 128 -fi 
diff --git a/bin/hardening/5.6_disable_time.sh b/bin/hardening/5.6_disable_time.sh deleted file mode 100755 index f6dac10..0000000 --- a/bin/hardening/5.6_disable_time.sh +++ /dev/null 
@@ -1,74 +0,0 @@ -#!/bin/bash - -# -# harbian audit 7/8/9 Hardening -# - -# -# 5.6 Ensure time is not enabled (Scored) -# - -set -e # One error, it's over -set -u # One variable unset, it's over - -HARDENING_LEVEL=2 - -FILE='/etc/inetd.conf' -PATTERN='^time' - -# This function will be called if the script status is on enabled / audit mode -audit () { - does_file_exist $FILE - if [ $FNRET != 0 ]; then - ok "$FILE does not exist" - else - does_pattern_exist_in_file $FILE $PATTERN - if [ $FNRET = 0 ]; then - crit "$PATTERN exists, time service is enabled!" - else - ok "$PATTERN is not present in $FILE" - fi - fi -} - -# This function will be called if the script status is on enabled mode -apply () { - does_file_exist $FILE - if [ $FNRET != 0 ]; then - ok "$FILE does not exist" - else - info "$FILE exists, checking patterns" - does_pattern_exist_in_file $FILE $PATTERN - if [ $FNRET = 0 ]; then - warn "$PATTERN is present in $FILE, purging it" - backup_file $FILE - ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) - sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE - else - ok "$PATTERN is not present in $FILE" - fi - fi -} - -# This function will check config parameters required -check_config() { - : -} - -# Source Root Dir Parameter -if [ -r /etc/default/cis-hardening ]; then - . /etc/default/cis-hardening -fi -if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." - exit 128 -fi - -# Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then - . $CIS_ROOT_DIR/lib/main.sh -else - echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" - exit 128 -fi 
diff --git a/bin/hardening/5.10_ensure_installed_sudo.sh b/bin/hardening/5.8_ensure_installed_sudo.sh similarity index 58% rename from bin/hardening/5.10_ensure_installed_sudo.sh rename to bin/hardening/5.8_ensure_installed_sudo.sh index 4eb896c..e9cdaf9 100755 --- a/bin/hardening/5.10_ensure_installed_sudo.sh +++ b/bin/hardening/5.8_ensure_installed_sudo.sh @@ -1,11 +1,13 @@ #!/bin/bash # -# harbian audit 9 Hardening +# harbian audit 9 or CentOS Hardening # # -# 5.10 Ensure sudo is installed (Scored) +# 5.8 Ensure sudo is installed (Scored) +# Add feature: +# Ensure sudo log file is set to /var/log/sudo.log # Add new by: # Author : Samson wen, Samson # 
@@ -16,27 +18,46 @@ set -u # One variable unset, it's over HARDENING_LEVEL=2 PACKAGE='sudo' - +CONFIGFILE='/etc/sudoers' +LOGFILENAME='/var/log/sudo.log' +LOGFILENAME_REP='\/var\/log\/sudo.log' # This function will be called if the script status is on enabled / audit mode audit () { is_pkg_installed $PACKAGE if [ $FNRET != 0 ]; then crit "$PACKAGE is not installed!" - FNRET=1 + FNRET=1 else ok "$PACKAGE is installed" - FNRET=0 - fi + if [ $(grep -c "^Defaults.*logfile=" $CONFIGFILE) -eq 1 ]; then + if [ $(grep "^Defaults.*logfile=" $CONFIGFILE | grep -c "$LOGFILENAME") -eq 1 ]; then + ok "Log file is set to $LOGFILENAME in $CONFIGFILE" + FNRET=0 + else + crit "Log file path was set, but is not set to $LOGFILENAME" + FNRET=3 + fi + else + crit "sudo Log file is not set in $CONFIGFILE" + FNRET=2 + fi + fi } # This function will be called if the script status is on enabled mode apply () { if [ $FNRET = 0 ]; then ok "$PACKAGE is installed" - else + elif [ $FNRET = 1 ]; then warn "$PACKAGE is absent, installing it" apt_install $PACKAGE + elif [ $FNRET = 2 ]; then + warn "sudo Log file is not set in $CONFIGFILE, add set to" + add_end_of_file $CONFIGFILE "Defaults logfile="$LOGFILENAME"" + else + warn "Log file path was set, but is not set to $LOGFILENAME, modify" + replace_in_file $CONFIGFILE "logfile=.*" "logfile=$LOGFILENAME_REP" fi } diff --git a/bin/hardening/6.10_disable_http_server.sh b/bin/hardening/6.10_disable_http_server.sh index 07b3eb4..cc3d005 100755 --- a/bin/hardening/6.10_disable_http_server.sh +++ b/bin/hardening/6.10_disable_http_server.sh @@ -1,7 +1,8 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9 or CentOS Hardening +# Modify by: Samson-W (samson@hardenedlinux.org) # # 
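Review bot: The apply branches for FNRET 2 and 3 rewrite /etc/sudoers via add_end_of_file/replace_in_file but never back the file up or validate it afterwards, and a sudoers parse error disables sudo for every account on the host; the sibling scripts in this tree call backup_file before editing, and sudo ships `visudo -c` for exactly this post-edit check. The FNRET 3 pattern `logfile=.*` also erases everything after the value on that line, so a comma-separated entry such as `Defaults logfile=/var/log/sudo.log, log_year` loses its trailing options — `logfile=[^,]*` matches only the value. The audit greps /etc/sudoers alone, so a `Defaults logfile=` placed in /etc/sudoers.d/ is reported as missing and then duplicated by apply; if drop-ins are meant to be honoured, grep that directory as well. The FNRET 1 branch still calls apt_install although the header now claims CentOS support — fine if apt_install is OS-aware in lib, otherwise it needs the same OS_RELEASE switch this commit adds elsewhere.
```shell
    # … unchanged: FNRET 0 and FNRET 1 branches …
    elif [ $FNRET = 2 ]; then
        warn "sudo Log file is not set in $CONFIGFILE, add set to"
        backup_file $CONFIGFILE
        add_end_of_file $CONFIGFILE "Defaults logfile="$LOGFILENAME""
    else
        warn "Log file path was set, but is not set to $LOGFILENAME, modify"
        backup_file $CONFIGFILE
        # replace only the value; keep any comma-separated options after it
        replace_in_file $CONFIGFILE "logfile=[^,]*" "logfile=$LOGFILENAME_REP"
    fi
    # a malformed sudoers locks every user out of sudo, so validate the edit
    if ! visudo -cf $CONFIGFILE >/dev/null 2>&1; then
        crit "$CONFIGFILE fails visudo -c after edit, restore the backup taken by backup_file"
    fi
```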
@@ -16,9 +17,13 @@ HARDENING_EXCEPTION=http # Based on aptitude search '~Phttpd' PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd' +PACKAGES_REDHAT='httpd pcp-pmda-nginx' # This function will be called if the script status is on enabled / audit mode audit () { + if [ $OS_RELEASE -eq 2 ]; then + PACKAGES=$PACKAGES_REDHAT + fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then @@ -35,6 +40,9 @@ audit () { # This function will be called if the script status is on enabled mode apply () { + if [ $OS_RELEASE -eq 2 ]; then + PACKAGES=$PACKAGES_REDHAT + fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then @@ -42,8 +50,12 @@ apply () { warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate." else crit "$PACKAGE is installed, purging it" - apt-get purge $PACKAGE - apt-get autoremove + if [ $OS_RELEASE -eq 2 ]; then + yum autoremove $PACKAGE + else + apt-get purge $PACKAGE + apt-get autoremove + fi fi else ok "$PACKAGE is absent" diff --git a/bin/hardening/6.11_disable_imap_pop.sh b/bin/hardening/6.11_disable_imap_pop.sh index 9301d31..39456be 100755 --- a/bin/hardening/6.11_disable_imap_pop.sh +++ b/bin/hardening/6.11_disable_imap_pop.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9 or CentOS Hardening # # 
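Review bot: In the 6.10 purge hunk the new branch runs `yum autoremove $PACKAGE` without `-y`, while the equivalent branches this same commit adds to 6.12 and 6.13 pass `-y`; in a non-interactive apply run yum takes the default answer of N and exits non-zero, and under `set -e` that aborts the script before the remaining packages in the loop are handled. Use `yum autoremove $PACKAGE -y` here for consistency with the other scripts. As far as I can tell `pcp-pmda-nginx` in PACKAGES_REDHAT is the Performance Co-Pilot metrics agent for nginx rather than an HTTP server, while nginx itself (available from EPEL) is not listed — worth a second look at that package list. The apply loop continues past the end of the last hunk.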
@@ -19,36 +19,44 @@ PACKAGES='citadel-server courier-imap cyrus-imapd-2.4 dovecot-imapd mailutils-im # This function will be called if the script status is on enabled / audit mode audit () { - for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - if [ $ISEXCEPTION -eq 1 ]; then - warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!" - else - crit "$PACKAGE is installed!" - fi - else - ok "$PACKAGE is absent" - fi - done + if [ $OS_RELEASE -eq 2 ]; then + ok "Redhat or CentOS does not have this check, so PASS" + else + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + if [ $ISEXCEPTION -eq 1 ]; then + warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!" + else + crit "$PACKAGE is installed!" + fi + else + ok "$PACKAGE is absent" + fi + done + fi } # This function will be called if the script status is on enabled mode apply () { - for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - if [ $ISEXCEPTION -eq 1 ]; then - warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate." - else - crit "$PACKAGE is installed, purging it" - apt-get purge $PACKAGE -y - apt-get autoremove - fi - else - ok "$PACKAGE is absent" - fi - done + if [ $OS_RELEASE -eq 2 ]; then + ok "Redhat or CentOS does not have this check, so PASS" + else + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + if [ $ISEXCEPTION -eq 1 ]; then + warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate." + else + crit "$PACKAGE is installed, purging it" + apt-get purge $PACKAGE -y + apt-get autoremove + fi + else + ok "$PACKAGE is absent" + fi + done + fi } # This function will create the config file for this check with default values diff --git a/bin/hardening/6.12_disable_samba.sh b/bin/hardening/6.12_disable_samba.sh index f2daaaf..a073431 100755 
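Review bot: Reporting `ok "Redhat or CentOS does not have this check, so PASS"` in the OS_RELEASE 2 branch marks an unimplemented check as passed, which inflates the audit score on those hosts; dovecot and cyrus-imapd are packaged for RHEL/CentOS, so the IMAP/POP check is just as applicable there. Follow the pattern this commit uses in 6.10 instead: add `PACKAGES_REDHAT='dovecot cyrus-imapd'`, assign it to PACKAGES at the top of audit and apply when `$OS_RELEASE -eq 2`, and use the yum branch for the purge. If a check really must be skipped on some platform, log it with `info` or `warn` rather than `ok` so the report distinguishes "not checked" from "compliant". Note that `$OS_RELEASE` is dereferenced under `set -u`, so it presumably has to be set by lib/main.sh or the --init step before these functions run — confirm it is always defined.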
--- a/bin/hardening/6.12_disable_samba.sh +++ b/bin/hardening/6.12_disable_samba.sh @@ -1,7 +1,8 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9 or CentOS Hardening +# Modify by: Samson-W (samson@hardenedlinux.org) # # @@ -41,8 +42,12 @@ apply () { warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate." else crit "$PACKAGE is installed, purging it" - apt-get purge $PACKAGE -y - apt-get autoremove + if [ $OS_RELEASE -eq 2 ]; then + yum autoremove $PACKAGE -y + else + apt-get purge $PACKAGE -y + apt-get autoremove + fi fi else ok "$PACKAGE is absent" diff --git a/bin/hardening/6.13_disable_http_proxy.sh b/bin/hardening/6.13_disable_http_proxy.sh index 8ce2d94..d11b3d7 100755 --- a/bin/hardening/6.13_disable_http_proxy.sh +++ b/bin/hardening/6.13_disable_http_proxy.sh @@ -1,7 +1,8 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9 or CentOS Hardening +# Modify by: Samson-W (samson@hardenedlinux.org) # # @@ -15,9 +16,13 @@ HARDENING_LEVEL=3 HARDENING_EXCEPTION=http PACKAGES='squid3 squid' +PACKAGES_REDHAT='squid gssproxy haproxy' # This function will be called if the script status is on enabled / audit mode audit () { + if [ $OS_RELEASE -eq 2 ]; then + PACKAGES=$PACKAGES_REDHAT + fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then @@ -34,6 +39,9 @@ audit () { # This function will be called if the script status is on enabled mode apply () { + if [ $OS_RELEASE -eq 2 ]; then + PACKAGES=$PACKAGES_REDHAT + fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then @@ -41,8 +49,12 @@ apply () { warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate." else crit "$PACKAGE is installed, purging it" - apt-get purge $PACKAGE -y - apt-get autoremove + if [ $OS_RELEASE -eq 2 ]; then + yum autoremove $PACKAGE -y + else + apt-get purge $PACKAGE -y + apt-get autoremove + fi fi else ok "$PACKAGE is absent" 
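Review bot: `PACKAGES_REDHAT='squid gssproxy haproxy'` in the 6.13 audit hunk lists gssproxy, which as far as I know is the GSS-API credential proxy daemon used by Kerberized NFS, not an HTTP proxy; on RHEL 7 it is pulled in by nfs-utils, so the new `yum autoremove gssproxy -y` branch in apply would likely take NFS support with it on any host where the http exception is not set. Drop it from the list, `PACKAGES_REDHAT='squid haproxy'`, or add a comment documenting why a GSSAPI proxy belongs under an HTTP-proxy check. haproxy is a reverse proxy/load balancer rather than a forward proxy, so a comment explaining that inclusion would also help, since purging it will surprise hosts that run it deliberately.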
diff --git a/bin/hardening/6.14_disable_snmp_server.sh b/bin/hardening/6.14_disable_snmp_server.sh index e78448e..da14eae 100755 --- a/bin/hardening/6.14_disable_snmp_server.sh +++ b/bin/hardening/6.14_disable_snmp_server.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9 or CentOS Hardening # # 
@@ -18,35 +18,43 @@ PACKAGES='snmpd' # This function will be called if the script status is on enabled / audit mode audit () { - for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - if [ $ISEXCEPTION -eq 1 ]; then - warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!" - else - crit "$PACKAGE is installed!" - fi - else - ok "$PACKAGE is absent" - fi - done + if [ $OS_RELEASE -eq 2 ]; then + ok "Redhat or CentOS does not have this check, so PASS" + else + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + if [ $ISEXCEPTION -eq 1 ]; then + warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!" + else + crit "$PACKAGE is installed!" + fi + else + ok "$PACKAGE is absent" + fi + done + fi } # This function will be called if the script status is on enabled mode apply () { - for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - if [ $ISEXCEPTION -eq 1 ]; then - warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate." - else - crit "$PACKAGE is installed, purging it" - apt-get purge $PACKAGE -y - fi - else - ok "$PACKAGE is absent" - fi - done + if [ $OS_RELEASE -eq 2 ]; then + ok "Redhat or CentOS does not have this check, so PASS" + else + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + if [ $ISEXCEPTION -eq 1 ]; then + warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate." + else + crit "$PACKAGE is installed, purging it" + apt-get purge $PACKAGE -y + fi + else + ok "$PACKAGE is absent" + fi + done + fi } # This function will create the config file for this check with default values diff --git a/bin/hardening/6.16_disable_rsync.sh b/bin/hardening/6.16_disable_rsync.sh index 744cc09..627e5eb 100755 --- a/bin/hardening/6.16_disable_rsync.sh +++ b/bin/hardening/6.16_disable_rsync.sh 
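Review bot: The OS_RELEASE 2 branch returns `ok` without checking anything, yet the SNMP agent exists on RHEL/CentOS as the `net-snmp` package, so a host running snmpd is reported compliant. Mirror what this commit does for 6.10 and 6.2: add `PACKAGES_REDHAT='net-snmp'`, assign `PACKAGES=$PACKAGES_REDHAT` when `$OS_RELEASE -eq 2`, and use the yum branch for the purge. If a skip is kept for some reason, emit it with `info` rather than `ok` so it is not counted as a pass.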
@@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9 or CentOS Hardening # # 
@@ -21,36 +21,44 @@ RSYNC_DEFAULT_PATTERN_TO_SEARCH='RSYNC_ENABLE=true' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE - if [ $FNRET != 0 ]; then - ok "$PACKAGE is not installed" - else - ok "$PACKAGE is installed, checking configuration" - does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN" - if [ $FNRET != 0 ]; then - crit "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE" - else - ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE" - fi - fi + if [ $OS_RELEASE -eq 2 ]; then + ok "Redhat or CentOS does not have this check, so PASS" + else + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + ok "$PACKAGE is not installed" + else + ok "$PACKAGE is installed, checking configuration" + does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN" + if [ $FNRET != 0 ]; then + crit "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE" + else + ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE" + fi + fi + fi } # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET != 0 ]; then - ok "$PACKAGE is not installed" - else - ok "$PACKAGE is installed, checking configuration" - does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN" - if [ $FNRET != 0 ]; then - warn "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE, adding it" - backup_file $RSYNC_DEFAULT_FILE - replace_in_file $RSYNC_DEFAULT_FILE $RSYNC_DEFAULT_PATTERN_TO_SEARCH $RSYNC_DEFAULT_PATTERN - else - ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE" - fi - fi + if [ $OS_RELEASE -eq 2 ]; then + ok "Redhat or CentOS does not have this check, so PASS" + else + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + ok "$PACKAGE is not installed" + else + ok "$PACKAGE is installed, checking configuration" + does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN" + if [ $FNRET != 
0 ]; then + warn "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE, adding it" + backup_file $RSYNC_DEFAULT_FILE + replace_in_file $RSYNC_DEFAULT_FILE $RSYNC_DEFAULT_PATTERN_TO_SEARCH $RSYNC_DEFAULT_PATTERN + else + ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE" + fi + fi + fi } # This function will check config parameters required diff --git a/bin/hardening/6.17_ensure_virul_scan_server_is_enabled.sh b/bin/hardening/6.17_ensure_virul_scan_server_is_enabled.sh index 07b788c..228e24b 100755 --- a/bin/hardening/6.17_ensure_virul_scan_server_is_enabled.sh +++ b/bin/hardening/6.17_ensure_virul_scan_server_is_enabled.sh @@ -2,7 +2,7 @@ # # harbian audit 7/8/9 Hardening -# +# todo test for centos # # 6.17 Ensure virul scan Server is enabled (Scored) diff --git a/bin/hardening/6.18_ensure_virusscan_program_update_is_enabled.sh b/bin/hardening/6.18_ensure_virusscan_program_update_is_enabled.sh index d67aa05..d7956ec 100755 --- a/bin/hardening/6.18_ensure_virusscan_program_update_is_enabled.sh +++ b/bin/hardening/6.18_ensure_virusscan_program_update_is_enabled.sh @@ -2,7 +2,7 @@ # # harbian audit 9 Hardening -# +# todo test for centos # # 6.18 Ensure virul scan Server update is enabled (Scored) diff --git a/bin/hardening/6.19_configure_ntp.sh b/bin/hardening/6.19_configure_ntp.sh index 5361b8b..515c07f 100755 --- a/bin/hardening/6.19_configure_ntp.sh +++ b/bin/hardening/6.19_configure_ntp.sh @@ -1,11 +1,11 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening -# +# harbian audit 7/8/9 or CentOS Hardening +# todo base redhat7 v2r3 of STIG # -# 6.5 Configure Network Time Protocol (NTP) (Scored) +# 6.19 Configure Network Time Protocol (NTP) (Scored) # Modify Author : Samson wen, Samson # diff --git a/bin/hardening/6.1_disable_xwindow_system.sh b/bin/hardening/6.1_disable_xwindow_system.sh index d9d0f18..13522b6 100755 --- a/bin/hardening/6.1_disable_xwindow_system.sh +++ b/bin/hardening/6.1_disable_xwindow_system.sh 
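Review bot: The rsync hunk (which spans the previous line and this one) passes unconditionally on OS_RELEASE 2, but the only Debian-specific part of this check is the `RSYNC_ENABLE` flag in /etc/default/rsync; RHEL/CentOS ships the same rsync daemon, started through the `rsyncd` systemd unit, so the intent of the check (daemon not enabled) applies there too. Rather than `ok ... PASS`, inspect the unit in that branch, e.g. `if systemctl is-enabled rsyncd >/dev/null 2>&1; then crit "rsyncd service is enabled"; else ok "rsyncd service is not enabled"; fi`, and have apply disable it. At minimum, report the skip with `info` instead of `ok` so it is not scored as compliant.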
@@ -7,6 +7,7 @@ # # 6.1 Ensure the X Window system is not installed (Scored) # +# todo test for centos set -e # One error, it's over set -u # One variable unset, it's over diff --git a/bin/hardening/6.20_configure_chrony.sh b/bin/hardening/6.20_configure_chrony.sh index 0933139..ae6cfeb 100755 --- a/bin/hardening/6.20_configure_chrony.sh +++ b/bin/hardening/6.20_configure_chrony.sh 
@@ -23,48 +23,56 @@ NTP_POOL_CFG='pool 2.debian.pool.ntp.org iburst' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $ANALOGONS_PKG - if [ $FNRET = 0 ]; then - ok "Analogons pagkage $ANALOGONS_PKG is installed. So pass check." + if [ $OS_RELEASE -eq 2 ]; then + ok "Redhat or CentOS does not have this check, so PASS" else - is_pkg_installed $PACKAGE - if [ $FNRET != 0 ]; then - crit "$PACKAGE is not installed!" - else - ok "$PACKAGE is installed, checking configuration" - does_pattern_exist_in_file $NTP_CONF_FILE $NTP_SERVER_PATTERN - if [ $FNRET != 0 ]; then - crit "$NTP_SERVER_PATTERN not found in $NTP_CONF_FILE" - else - ok "$NTP_SERVER_PATTERN found in $NTP_CONF_FILE" - fi - fi + is_pkg_installed $ANALOGONS_PKG + if [ $FNRET = 0 ]; then + ok "Analogons pagkage $ANALOGONS_PKG is installed. So pass check." + else + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed!" + else + ok "$PACKAGE is installed, checking configuration" + does_pattern_exist_in_file $NTP_CONF_FILE $NTP_SERVER_PATTERN + if [ $FNRET != 0 ]; then + crit "$NTP_SERVER_PATTERN not found in $NTP_CONF_FILE" + else + ok "$NTP_SERVER_PATTERN found in $NTP_CONF_FILE" + fi + fi + fi fi } # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $ANALOGONS_PKG - if [ $FNRET = 0 ]; then - ok "Analogons pagkage $ANALOGONS_PKG is installed. So pass check." 
+ if [ $OS_RELEASE -eq 2 ]; then + ok "Redhat or CentOS does not have this check, so PASS" else - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - ok "$PACKAGE is installed" - else - crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE - info "Checking $PACKAGE configuration" - does_pattern_exist_in_file $NTP_CONF_FILE $NTP_SERVER_PATTERN - if [ $FNRET != 0 ]; then - warn "$NTP_SERVER_PATTERN not found in $NTP_CONF_FILE, adding it" - backup_file $NTP_CONF_FILE - add_end_of_file $NTP_CONF_FILE $NTP_POOL_CFG + is_pkg_installed $ANALOGONS_PKG + if [ $FNRET = 0 ]; then + ok "Analogons pagkage $ANALOGONS_PKG is installed. So pass check." + else + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" else - ok "$NTP_SERVER_PATTERN found in $NTP_CONF_FILE" + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + info "Checking $PACKAGE configuration" + does_pattern_exist_in_file $NTP_CONF_FILE $NTP_SERVER_PATTERN + if [ $FNRET != 0 ]; then + warn "$NTP_SERVER_PATTERN not found in $NTP_CONF_FILE, adding it" + backup_file $NTP_CONF_FILE + add_end_of_file $NTP_CONF_FILE $NTP_POOL_CFG + else + ok "$NTP_SERVER_PATTERN found in $NTP_CONF_FILE" + fi + exit 1 fi - exit 1 - fi + fi fi } diff --git a/bin/hardening/6.2_disable_avahi_server.sh b/bin/hardening/6.2_disable_avahi_server.sh index a810b9d..9d3a455 100755 --- a/bin/hardening/6.2_disable_avahi_server.sh +++ b/bin/hardening/6.2_disable_avahi_server.sh @@ -1,7 +1,8 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9 or CentOS Hardening +# Modify by: Samson-W (samson@hardenedlinux.org) # # 
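Review bot: Skipping this check with `ok ... PASS` on OS_RELEASE 2 is backwards for chrony: chronyd is the default time-sync daemon on RHEL/CentOS 7, so package presence and server/pool configuration are exactly what should be audited there. The only Debian-specific values in this script appear to be the config path and `NTP_POOL_CFG='pool 2.debian.pool.ntp.org iburst'` (named in the hunk header), so the cleaner change is to select them per OS, for example `if [ $OS_RELEASE -eq 2 ]; then NTP_CONF_FILE='/etc/chrony.conf'; NTP_POOL_CFG='pool 2.centos.pool.ntp.org iburst'; fi`, and route the install through the same yum/apt switch this commit adds elsewhere. Note also that the apply branch still ends with `exit 1` right after installing the package, which aborts the whole hardening run rather than just this script — likely pre-existing, but a comment explaining why would help if it is intentional. The audit and apply functions begin above the hunk's first visible line.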
@@ -15,9 +16,13 @@ HARDENING_LEVEL=3 HARDENING_EXCEPTION=dns PACKAGES='avahi-daemon libavahi-common-data libavahi-common3 libavahi-core7' +PACKAGES_REDHAT='avahi' # This function will be called if the script status is on enabled / audit mode audit () { + if [ $OS_RELEASE -eq 2 ]; then + PACKAGES=$PACKAGES_REDHAT + fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then @@ -34,6 +39,9 @@ audit () { # This function will be called if the script status is on enabled mode apply () { + if [ $OS_RELEASE -eq 2 ]; then + PACKAGES=$PACKAGES_REDHAT + fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then @@ -41,8 +49,12 @@ apply () { warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate." else crit "$PACKAGE is installed, purging it" - apt-get purge $PACKAGE -y - apt-get autoremove + if [ $OS_RELEASE -eq 2 ]; then + yum autoremove $PACKAGE -y + else + apt-get purge $PACKAGE -y + apt-get autoremove + fi fi else ok "$PACKAGE is absent" diff --git a/bin/hardening/6.3_disable_print_server.sh b/bin/hardening/6.3_disable_print_server.sh index 3f5cd9b..83f7328 100755 --- a/bin/hardening/6.3_disable_print_server.sh +++ b/bin/hardening/6.3_disable_print_server.sh @@ -1,7 +1,8 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9 or CentOS Hardening +# Modify by: Samson-W (samson@hardenedlinux.org) # # @@ -15,9 +16,13 @@ HARDENING_LEVEL=3 HARDENING_EXCEPTION=cups PACKAGES='libcups2 libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1 cups-common cups-client cups-ppdc libcupsfilters1 cups-filters cups' +PACKAGES_REDHAT='cups' # This function will be called if the script status is on enabled / audit mode audit () { + if [ $OS_RELEASE -eq 2 ]; then + PACKAGES=$PACKAGES_REDHAT + fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then 
@@ -34,6 +39,9 @@ audit () { # This function will be called if the script status is on enabled mode apply () { + if [ $OS_RELEASE -eq 2 ]; then + PACKAGES=$PACKAGES_REDHAT + fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then @@ -41,8 +49,12 @@ apply () { warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate." else crit "$PACKAGE is installed, purging it" - apt-get purge $PACKAGE -y - apt-get autoremove + if [ $OS_RELEASE -eq 2 ]; then + yum autoremove $PACKAGE -y + else + apt-get purge $PACKAGE -y + apt-get autoremove + fi fi else ok "$PACKAGE is absent" diff --git a/bin/hardening/6.4_disable_dhcp.sh b/bin/hardening/6.4_disable_dhcp.sh index d99e060..778b48b 100755 --- a/bin/hardening/6.4_disable_dhcp.sh +++ b/bin/hardening/6.4_disable_dhcp.sh @@ -1,7 +1,8 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9 or CentOS Hardening +# Modify by: Samson-W (samson@hardenedlinux.org) # # @@ -15,9 +16,13 @@ HARDENING_LEVEL=3 HARDENING_EXCEPTION=dhcp PACKAGES='udhcpd isc-dhcp-server' +PACKAGES_REDHAT='dnsmasq' # This function will be called if the script status is on enabled / audit mode audit () { + if [ $OS_RELEASE -eq 2 ]; then + PACKAGES=$PACKAGES_REDHAT + fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then @@ -34,6 +39,9 @@ audit () { # This function will be called if the script status is on enabled mode apply () { + if [ $OS_RELEASE -eq 2 ]; then + PACKAGES=$PACKAGES_REDHAT + fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then @@ -41,8 +49,12 @@ apply () { warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate." else crit "$PACKAGE is installed, purging it" - apt-get purge $PACKAGE -y - apt-get autoremove + if [ $OS_RELEASE -eq 2 ]; then + yum autoremove $PACKAGE -y + else + apt-get purge $PACKAGE -y + apt-get autoremove + fi fi else ok "$PACKAGE is absent" 
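Review bot: `PACKAGES_REDHAT='dnsmasq'` in the 6.4 hunks does not map to the Debian list: the RHEL/CentOS counterpart of isc-dhcp-server is the `dhcp` package (dhcpd), which is not checked at all, while dnsmasq is primarily a DNS forwarder and, as far as I know, a dependency of libvirt's default network, so `yum autoremove dnsmasq -y` may remove more than a DHCP server on virtualization hosts. Suggest `PACKAGES_REDHAT='dhcp'` for parity with the Debian check, and if dnsmasq is to stay, a comment stating that it is included for its DHCP-server role and is covered by the dhcp exception. The apply loop continues past the end of the last hunk.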
diff --git a/bin/hardening/6.5_ensure_time_sync_server_is_installed.sh b/bin/hardening/6.5_ensure_time_sync_server_is_installed.sh index bc54001..e561b63 100755 --- a/bin/hardening/6.5_ensure_time_sync_server_is_installed.sh +++ b/bin/hardening/6.5_ensure_time_sync_server_is_installed.sh @@ -14,7 +14,6 @@ set -u # One variable unset, it's over HARDENING_LEVEL=3 PACKAGES='ntp chrony' -PACKAGES_COUNT=$(echo $PACKAGES | wc -w) # This function will be called if the script status is on enabled / audit mode audit () { diff --git a/bin/hardening/6.6_disable_ldap.sh b/bin/hardening/6.6_disable_ldap.sh index 8d9b6ac..1e5c315 100755 --- a/bin/hardening/6.6_disable_ldap.sh +++ b/bin/hardening/6.6_disable_ldap.sh @@ -1,7 +1,8 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9 or CentOS Hardening +# Modify by: Samson-W (samson@hardenedlinux.org) # # @@ -15,9 +16,13 @@ HARDENING_LEVEL=3 HARDENING_EXCEPTION=ldap PACKAGES='slapd' +PACKAGES_REDHAT='openldap-servers' # This function will be called if the script status is on enabled / audit mode audit () { + if [ $OS_RELEASE -eq 2 ]; then + PACKAGES=$PACKAGES_REDHAT + fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then @@ -34,6 +39,9 @@ audit () { # This function will be called if the script status is on enabled mode apply () { + if [ $OS_RELEASE -eq 2 ]; then + PACKAGES=$PACKAGES_REDHAT + fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then @@ -41,8 +49,12 @@ apply () { warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate." else crit "$PACKAGE is installed, purging it" - apt-get purge $PACKAGE -y - apt-get autoremove + if [ $OS_RELEASE -eq 2 ]; then + yum autoremove $PACKAGE -y + else + apt-get purge $PACKAGE -y + apt-get autoremove + fi fi else ok "$PACKAGE is absent" diff --git a/bin/hardening/6.7_disable_nfs_rpc.sh b/bin/hardening/6.7_disable_nfs_rpc.sh index 9a6ab19..27aafe6 100755 
--- a/bin/hardening/6.7_disable_nfs_rpc.sh +++ b/bin/hardening/6.7_disable_nfs_rpc.sh @@ -1,7 +1,8 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9 or CentOS Hardening +# Modify by: Samson-W (samson@hardenedlinux.org) # # 
@@ -18,36 +19,44 @@ PACKAGES='rpcbind nfs-kernel-server' # This function will be called if the script status is on enabled / audit mode audit () { - for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - if [ $ISEXCEPTION -eq 1 ]; then - warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!" - else - crit "$PACKAGE is installed!" - fi - else - ok "$PACKAGE is absent" - fi - done + if [ $OS_RELEASE -eq 2 ]; then + ok "Redhat or CentOS does not have this check, so PASS" + else + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + if [ $ISEXCEPTION -eq 1 ]; then + warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!" + else + crit "$PACKAGE is installed!" + fi + else + ok "$PACKAGE is absent" + fi + done + fi } # This function will be called if the script status is on enabled mode apply () { - for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - if [ $ISEXCEPTION -eq 1 ]; then - warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate." - else - crit "$PACKAGE is installed, purging it" - apt-get purge $PACKAGE -y - apt-get autoremove - fi - else - ok "$PACKAGE is absent" - fi - done + if [ $OS_RELEASE -eq 2 ]; then + ok "Redhat or CentOS does not have this check, so PASS" + else + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + if [ $ISEXCEPTION -eq 1 ]; then + warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate." + else + crit "$PACKAGE is installed, purging it" + apt-get purge $PACKAGE -y + apt-get autoremove + fi + else + ok "$PACKAGE is absent" + fi + done + fi } # This function will create the config file for this check with default values diff --git a/bin/hardening/6.8_disable_dns_server.sh b/bin/hardening/6.8_disable_dns_server.sh index 212c61d..6e2b4dd 100755 --- a/bin/hardening/6.8_disable_dns_server.sh 
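Review bot: Passing unconditionally on OS_RELEASE 2 leaves NFS and RPC services unchecked on RHEL/CentOS although the packages exist there under nearly the same names (`rpcbind`, and `nfs-utils` in place of nfs-kernel-server). Use the same PACKAGES_REDHAT switch this commit adds to 6.10 and 6.8: `PACKAGES_REDHAT='rpcbind nfs-utils'` assigned to PACKAGES when `$OS_RELEASE -eq 2`, plus the yum branch in the purge. If it must remain a skip, log it with `info` rather than `ok` so the report does not count an unchecked item as compliant.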
+++ b/bin/hardening/6.8_disable_dns_server.sh @@ -1,7 +1,8 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9 or CentOS Hardening +# Modify by: Samson-W (samson@hardenedlinux.org) # # @@ -15,9 +16,13 @@ HARDENING_LEVEL=3 HARDENING_EXCEPTION=dns PACKAGES='bind9 unbound' +PACKAGES_REDHAT='bind unbound' # This function will be called if the script status is on enabled / audit mode audit () { + if [ $OS_RELEASE -eq 2 ]; then + PACKAGES=$PACKAGES_REDHAT + fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then @@ -34,6 +39,9 @@ audit () { # This function will be called if the script status is on enabled mode apply () { + if [ $OS_RELEASE -eq 2 ]; then + PACKAGES=$PACKAGES_REDHAT + fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then @@ -41,8 +49,12 @@ apply () { warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate." else crit "$PACKAGE is installed, purging it" - apt-get purge $PACKAGE -y - apt-get autoremove + if [ $OS_RELEASE -eq 2 ]; then + yum autoremove $PACKAGE -y + else + apt-get purge $PACKAGE -y + apt-get autoremove + fi fi else ok "$PACKAGE is absent" diff --git a/bin/hardening/6.9_disable_ftp.sh b/bin/hardening/6.9_disable_ftp.sh index fee2833..462b9db 100755 --- a/bin/hardening/6.9_disable_ftp.sh +++ b/bin/hardening/6.9_disable_ftp.sh @@ -1,7 +1,8 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening +# Modify by: Samson-W (samson@hardenedlinux.org) # # 
@@ -16,9 +17,13 @@ HARDENING_EXCEPTION=ftp # Based on aptitude search '~Pftp-server' PACKAGES='ftpd ftpd-ssl heimdal-servers inetutils-ftpd krb5-ftpd muddleftpd proftpd-basic pure-ftpd pure-ftpd-ldap pure-ftpd-mysql pure-ftpd-postgresql twoftpd-run vsftpd wzdftpd' +PACKAGE_REDHAT='tftp-server vsftpd' # This function will be called if the script status is on enabled / audit mode audit () { + if [ $OS_RELEASE -eq 2 ]; then + PACKAGES=$PACKAGE_REDHAT + fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then @@ -35,6 +40,9 @@ audit () { # This function will be called if the script status is on enabled mode apply () { + if [ $OS_RELEASE -eq 2 ]; then + PACKAGES=$PACKAGE_REDHAT + fi for PACKAGE in $PACKAGES; do is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then @@ -42,8 +50,12 @@ apply () { warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate." else crit "$PACKAGE is installed, purging it" - apt-get purge $PACKAGE -y - apt-get autoremove + if [ $OS_RELEASE -eq 2 ]; then + yum autoremove $PACKAGE -y + else + apt-get purge $PACKAGE -y + apt-get autoremove + fi fi else ok "$PACKAGE is absent" diff --git a/bin/hardening/7.1.1_disable_ip_forwarding.sh b/bin/hardening/7.1.1_disable_ip_forwarding.sh index bc058fe..bd281f0 100755 --- a/bin/hardening/7.1.1_disable_ip_forwarding.sh +++ b/bin/hardening/7.1.1_disable_ip_forwarding.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # diff --git a/bin/hardening/7.1.2_disable_send_packet_redirects.sh b/bin/hardening/7.1.2_disable_send_packet_redirects.sh index bbde757..5ca8a36 100755 --- a/bin/hardening/7.1.2_disable_send_packet_redirects.sh +++ b/bin/hardening/7.1.2_disable_send_packet_redirects.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # 
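Review bot: `PACKAGE_REDHAT` in the 6.9 hunk is singular while the equivalent variable in 6.8 (`PACKAGES_REDHAT`) and 7.7.1 is plural; since it holds a list, `PACKAGES_REDHAT='tftp-server vsftpd'` keeps the scripts consistent and grep-able. The Redhat list also mixes in `tftp-server`, which is a TFTP daemon rather than an FTP server, so if the repository has a separate TFTP check the package is handled under two headings, while FTP daemons available on CentOS from EPEL (proftpd, pure-ftpd) are not covered at all. A one-line comment above the variable stating which repositories the list was checked against, mirroring the existing `# Based on aptitude search '~Pftp-server'` line, would make the scope explicit. Both audit() and apply() continue outside their hunks.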
diff --git a/bin/hardening/7.1.3_disable_interface_promisc_mode.sh b/bin/hardening/7.1.3_disable_interface_promisc_mode.sh index 0b7d311..93d0264 100755 --- a/bin/hardening/7.1.3_disable_interface_promisc_mode.sh +++ b/bin/hardening/7.1.3_disable_interface_promisc_mode.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # diff --git a/bin/hardening/7.2.1_disable_source_routed_packets.sh b/bin/hardening/7.2.1_disable_source_routed_packets.sh index 9f335dc..894c9c7 100755 --- a/bin/hardening/7.2.1_disable_source_routed_packets.sh +++ b/bin/hardening/7.2.1_disable_source_routed_packets.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # diff --git a/bin/hardening/7.2.2_disable_icmp_redirect.sh b/bin/hardening/7.2.2_disable_icmp_redirect.sh index 851362f..fb32b47 100755 --- a/bin/hardening/7.2.2_disable_icmp_redirect.sh +++ b/bin/hardening/7.2.2_disable_icmp_redirect.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # diff --git a/bin/hardening/7.2.3_disable_secure_icmp_redirect.sh b/bin/hardening/7.2.3_disable_secure_icmp_redirect.sh index 58c0bd3..818717b 100755 --- a/bin/hardening/7.2.3_disable_secure_icmp_redirect.sh +++ b/bin/hardening/7.2.3_disable_secure_icmp_redirect.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # @@ -13,7 +13,7 @@ set -u # One variable unset, it's over HARDENING_LEVEL=2 -SYSCTL_PARAMS='net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0' +SYSCTL_PARAMS='net.ipv4.conf.all.secure_redirects=1 net.ipv4.conf.default.secure_redirects=1' # This function will be called if the script status is on enabled / audit mode audit () { diff --git a/bin/hardening/7.2.4_log_martian_packets.sh b/bin/hardening/7.2.4_log_martian_packets.sh index cfbf7b9..567f81e 100755 
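Review bot: The new `SYSCTL_PARAMS` value enforces `secure_redirects=1`, i.e. it makes the host accept ICMP redirects from its configured gateways, which is the opposite of what the script name (`disable_secure_icmp_redirect`) and the CIS item it implements (secure ICMP redirects not accepted, value 0) call for. After this change audit() will report a correctly hardened host as `crit` and apply() will re-enable redirect acceptance on every run; nothing in the commit explains the flip and it is not gated on `OS_RELEASE`, so it is not a CentOS accommodation. Unless there is a documented reason, revert to `SYSCTL_PARAMS='net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0'`, or add a comment above the line stating why 1 is intended.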
--- a/bin/hardening/7.2.4_log_martian_packets.sh +++ b/bin/hardening/7.2.4_log_martian_packets.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # diff --git a/bin/hardening/7.2.5_ignore_broadcast_requests.sh b/bin/hardening/7.2.5_ignore_broadcast_requests.sh index fe374de..418697f 100755 --- a/bin/hardening/7.2.5_ignore_broadcast_requests.sh +++ b/bin/hardening/7.2.5_ignore_broadcast_requests.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # diff --git a/bin/hardening/7.2.6_enable_bad_error_message_protection.sh b/bin/hardening/7.2.6_enable_bad_error_message_protection.sh index abe9f11..89b00e7 100755 --- a/bin/hardening/7.2.6_enable_bad_error_message_protection.sh +++ b/bin/hardening/7.2.6_enable_bad_error_message_protection.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # diff --git a/bin/hardening/7.2.7_enable_source_route_validation.sh b/bin/hardening/7.2.7_enable_source_route_validation.sh index 4991726..0d26929 100755 --- a/bin/hardening/7.2.7_enable_source_route_validation.sh +++ b/bin/hardening/7.2.7_enable_source_route_validation.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # diff --git a/bin/hardening/7.2.8_enable_tcp_syn_cookies.sh b/bin/hardening/7.2.8_enable_tcp_syn_cookies.sh index c3b99be..193c1ce 100755 --- a/bin/hardening/7.2.8_enable_tcp_syn_cookies.sh +++ b/bin/hardening/7.2.8_enable_tcp_syn_cookies.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # diff --git a/bin/hardening/7.3.1_disable_ipv6_router_advertisement.sh b/bin/hardening/7.3.1_disable_ipv6_router_advertisement.sh index 9676b96..b106973 100755 --- a/bin/hardening/7.3.1_disable_ipv6_router_advertisement.sh 
+++ b/bin/hardening/7.3.1_disable_ipv6_router_advertisement.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # diff --git a/bin/hardening/7.3.2_disable_ipv6_redirect.sh b/bin/hardening/7.3.2_disable_ipv6_redirect.sh index e6030c9..e1b6630 100755 --- a/bin/hardening/7.3.2_disable_ipv6_redirect.sh +++ b/bin/hardening/7.3.2_disable_ipv6_redirect.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # diff --git a/bin/hardening/7.3.3_disable_ipv6.sh b/bin/hardening/7.3.3_disable_ipv6.sh deleted file mode 100755 index cad05ca..0000000 --- a/bin/hardening/7.3.3_disable_ipv6.sh +++ /dev/null 
@@ -1,85 +0,0 @@ -#!/bin/bash - -# -# harbian audit 7/8/9 Hardening -# - -# -# 7.3.3 Disable IPv6 (Not Scored) -# - -set -e # One error, it's over -set -u # One variable unset, it's over - -HARDENING_LEVEL=2 - -SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1' - -# This function will be called if the script status is on enabled / audit mode -audit () { - does_sysctl_param_exists "net.ipv6" - if [ $FNRET != 0 ]; then - ok "ipv6 is disabled" - else - for SYSCTL_VALUES in $SYSCTL_PARAMS; do - SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) - SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) - debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" - has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT - if [ $FNRET != 0 ]; then - crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" - elif [ $FNRET = 255 ]; then - warn "$SYSCTL_PARAM does not exist -- Typo?" - else - ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" - fi - done - fi -} - -# This function will be called if the script status is on enabled mode -apply () { - does_sysctl_param_exists "net.ipv6" - if [ $FNRET != 0 ]; then - ok "ipv6 is disabled" - else - for SYSCTL_VALUES in $SYSCTL_PARAMS; do - SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) - SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) - debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" - has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT - if [ $FNRET != 0 ]; then - warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value, fixing" - set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT - warn "you may want to reboot or sysctl -p a file including $SYSCTL_PARAMS" - elif [ $FNRET = 255 ]; then - warn "$SYSCTL_PARAM does not exist -- Typo?" 
- else - ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" - fi - done - fi -} - -# This function will check config parameters required -check_config() { - : -} - -# Source Root Dir Parameter -if [ -r /etc/default/cis-hardening ]; then - . /etc/default/cis-hardening -fi -if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." - exit 128 -fi - -# Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then - . $CIS_ROOT_DIR/lib/main.sh -else - echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" - exit 128 -fi diff --git a/bin/hardening/7.4.1_install_tcp_wrapper.sh b/bin/hardening/7.4.1_install_tcp_wrapper.sh index 590ee6f..8df8264 100755 --- a/bin/hardening/7.4.1_install_tcp_wrapper.sh +++ b/bin/hardening/7.4.1_install_tcp_wrapper.sh @@ -1,7 +1,8 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening +# Modify by: Samson-W (samson@hardenedlinux.org) # # @@ -14,10 +15,14 @@ set -u # One variable unset, it's over HARDENING_LEVEL=3 PACKAGE='tcpd' +PACKAGE_REDHAT='tcp_wrappers' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE + if [ $OS_RELEASE -eq 2 ]; then + PACKAGE=$PACKAGE_REDHAT + fi + is_pkg_installed $PACKAGE if [ $FNRET != 0 ]; then crit "$PACKAGE is not installed!" else 
@@ -27,13 +32,20 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - ok "$PACKAGE is installed" - else - crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE - fi + if [ $OS_RELEASE -eq 2 ]; then + PACKAGE=$PACKAGE_REDHAT + fi + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + if [ $OS_RELEASE -eq 2 ]; then + yum install $PACKAGE -y + else + apt_install $PACKAGE + fi + fi } # This function will check config parameters required diff --git a/bin/hardening/7.4.2_hosts_allow.sh b/bin/hardening/7.4.2_hosts_allow.sh index f771214..d759ef3 100755 --- a/bin/hardening/7.4.2_hosts_allow.sh +++ b/bin/hardening/7.4.2_hosts_allow.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # diff --git a/bin/hardening/7.4.3_hosts_allow_permissions.sh b/bin/hardening/7.4.3_hosts_allow_permissions.sh index 4cf4d89..5869885 100755 --- a/bin/hardening/7.4.3_hosts_allow_permissions.sh +++ b/bin/hardening/7.4.3_hosts_allow_permissions.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # diff --git a/bin/hardening/7.4.4_hosts_deny.sh b/bin/hardening/7.4.4_hosts_deny.sh index be70b8b..c8f6357 100755 --- a/bin/hardening/7.4.4_hosts_deny.sh +++ b/bin/hardening/7.4.4_hosts_deny.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # diff --git a/bin/hardening/7.4.5_hosts_deny_permissions.sh b/bin/hardening/7.4.5_hosts_deny_permissions.sh index 8303cdf..2b8a355 100755 --- a/bin/hardening/7.4.5_hosts_deny_permissions.sh +++ b/bin/hardening/7.4.5_hosts_deny_permissions.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # 
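Review bot: `yum install $PACKAGE -y` in the 7.4.1 apply hunk runs under the file's `set -e`, so on a CentOS release where the `tcp_wrappers` package no longer exists (it was dropped from RHEL 8) the failed install aborts the whole apply run instead of being reported as a finding. Either guard it, `yum install $PACKAGE -y || crit "$PACKAGE could not be installed"`, or state in the header that the CentOS support here targets a release that still ships the package. The audit hunk above rewrites the global `PACKAGE` the same way; a short comment such as `# PACKAGE is rewritten for Redhat; both functions run in this shell` would save the next reader from wondering whether the assignment leaks between functions.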
diff --git a/bin/hardening/7.6_disable_wireless.sh b/bin/hardening/7.6_disable_wireless.sh index 899781c..ddfea41 100755 --- a/bin/hardening/7.6_disable_wireless.sh +++ b/bin/hardening/7.6_disable_wireless.sh @@ -1,12 +1,12 @@ #!/bin/bash # -# harbian audit 9 Hardening +# harbian audit 9 or CentOS Hardening # # # 7.6 Ensure wireless interfaces are disabled (Not Scored) -# Author : Samson wen, Samson +# Author : Samson wen, Samson # set -e # One error, it's over @@ -35,7 +35,8 @@ apply () { if [ $FNRET = 0 ]; then ok "Wireless interfaces are disabled!" else - warn "Wireless interfaces is not disabled! Need the administrator to manually disable it. HOWTO: ip link set down" + warn "Wireless interfaces is not disabled! Disabled wireless." + nmcli radio wifi off fi } diff --git a/bin/hardening/7.7.1_enable_firewall.sh b/bin/hardening/7.7.1_enable_firewall.sh index 44c9646..14997d8 100755 --- a/bin/hardening/7.7.1_enable_firewall.sh +++ b/bin/hardening/7.7.1_enable_firewall.sh @@ -1,7 +1,8 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening +# todo 7.7.* need test for CentOS # # @@ -19,6 +20,7 @@ HARDENING_LEVEL=2 # Do as you want, but this script does not handle this PACKAGES='iptables iptables-persistent' +PACKAGES_REDHAT='iptables nftables firewalld' SERVICENAME='netfilter-persistent' # This function will be called if the script status is on enabled / audit mode diff --git a/bin/hardening/8.0_enable_auditd_kernel.sh b/bin/hardening/8.0_enable_auditd_kernel.sh index 9714e20..9afc7fd 100755 --- a/bin/hardening/8.0_enable_auditd_kernel.sh +++ b/bin/hardening/8.0_enable_auditd_kernel.sh @@ -20,7 +20,7 @@ KERNEL_OPTION="CONFIG_AUDIT" # This function will be called if the script status is on enabled / audit mode audit () { - is_kernel_option_enabled "^$KERNEL_OPTION=" + is_kernel_option_enabled $KERNEL_OPTION if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated ok "$KERNEL_OPTION is enabled" else 
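Review bot: `nmcli radio wifi off` is executed unguarded under `set -e`, so on a host without NetworkManager (the README hunks add it as a prerequisite, but existing installs will not have it) the missing command aborts apply() instead of producing a finding; `command -v nmcli >/dev/null || { crit "nmcli not found, cannot disable wireless"; return; }` before the call keeps the old report-rather-than-die behaviour. The software rfkill switch only affects NetworkManager-managed devices, so the previous hint (`ip link set down`) is still the relevant fallback for interfaces managed elsewhere and could stay in the message. The message itself reads oddly; `warn "Wireless interfaces are not disabled! Disabling wifi via nmcli."` says what is about to happen.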
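Review bot: `PACKAGES_REDHAT='iptables nftables firewalld'` is introduced next to `SERVICENAME='netfilter-persistent'`, which has no CentOS equivalent, and nothing in this hunk selects the Redhat list; whether the unchanged audit()/apply() bodies consume it cannot be seen here, but the added `todo 7.7.* need test for CentOS` header suggests they do not yet. If the variable is not wired in, either add the `if [ $OS_RELEASE -eq 2 ]; then PACKAGES=$PACKAGES_REDHAT; fi` pattern used in 6.8 together with a service-name counterpart, or leave it out until the CentOS path exists, so the file does not advertise support it does not have. The three names also describe alternative firewall front-ends rather than a set that is installed together; a comment saying whether any one of them satisfies the check would clarify the intent.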
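Review bot: Dropping the `^…=` anchoring from `is_kernel_option_enabled "^$KERNEL_OPTION="` to `is_kernel_option_enabled $KERNEL_OPTION` changes what the helper receives; if it still greps its argument as a pattern, the bare `CONFIG_AUDIT` also matches `CONFIG_AUDITSYSCALL=y` and the `# CONFIG_AUDIT is not set` comment line, so a kernel with auditing compiled out can be reported as enabled. The helper lives outside this diff, so this needs checking against its new contract; if it now adds the anchors itself, a comment on the call such as `# helper anchors the option name itself` would stop the anchors being re-added later. The apply() hunk (`@@ -31,7 +31,7 @@`) makes the identical change.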
@@ -31,7 +31,7 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_kernel_option_enabled "^$KERNEL_OPTION=" + is_kernel_option_enabled $KERNEL_OPTION if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated ok "$KERNEL_OPTION is enabled" else diff --git a/bin/hardening/8.1.1.1_audit_log_storage.sh b/bin/hardening/8.1.1.1_audit_log_storage.sh index 014e360..1bdbde8 100755 --- a/bin/hardening/8.1.1.1_audit_log_storage.sh +++ b/bin/hardening/8.1.1.1_audit_log_storage.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # diff --git a/bin/hardening/8.1.1.2_halt_when_audit_log_full.sh b/bin/hardening/8.1.1.2_halt_when_audit_log_full.sh index 6a3b52c..22fb9f6 100755 --- a/bin/hardening/8.1.1.2_halt_when_audit_log_full.sh +++ b/bin/hardening/8.1.1.2_halt_when_audit_log_full.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # diff --git a/bin/hardening/8.1.1.3_keep_all_audit_logs.sh b/bin/hardening/8.1.1.3_keep_all_audit_logs.sh index 0812643..d1e76ed 100755 --- a/bin/hardening/8.1.1.3_keep_all_audit_logs.sh +++ b/bin/hardening/8.1.1.3_keep_all_audit_logs.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # diff --git a/bin/hardening/8.1.1.4_set_failure_mode.sh b/bin/hardening/8.1.1.4_set_failure_mode.sh index e37ff31..26e2461 100755 --- a/bin/hardening/8.1.1.4_set_failure_mode.sh +++ b/bin/hardening/8.1.1.4_set_failure_mode.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 9 Hardening +# harbian audit 9/10 or CentOS Hardening # # diff --git a/bin/hardening/8.1.1.5_ensure_set_remote_server.sh b/bin/hardening/8.1.1.5_ensure_set_remote_server.sh index f8e51a7..9920503 100755 --- a/bin/hardening/8.1.1.5_ensure_set_remote_server.sh +++ b/bin/hardening/8.1.1.5_ensure_set_remote_server.sh 
@@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 9 Hardening +# harbian audit 9/10 or CentOS Hardening # # diff --git a/bin/hardening/8.1.1.6_ensure_set_encrypt_for_audit_remote.sh b/bin/hardening/8.1.1.6_ensure_set_encrypt_for_audit_remote.sh index daa68da..182eb39 100755 --- a/bin/hardening/8.1.1.6_ensure_set_encrypt_for_audit_remote.sh +++ b/bin/hardening/8.1.1.6_ensure_set_encrypt_for_audit_remote.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 9 Hardening +# harbian audit 9/10 or CentOS Hardening # # diff --git a/bin/hardening/8.1.1.7_ensure_set_action_for_audit_storage_full.sh b/bin/hardening/8.1.1.7_ensure_set_action_for_audit_storage_full.sh index 2bec33a..02e2a45 100755 --- a/bin/hardening/8.1.1.7_ensure_set_action_for_audit_storage_full.sh +++ b/bin/hardening/8.1.1.7_ensure_set_action_for_audit_storage_full.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 9 Hardening +# harbian audit 9/10 or CentOS Hardening # # diff --git a/bin/hardening/8.1.1.8_ensure_set_action_for_net_fail.sh b/bin/hardening/8.1.1.8_ensure_set_action_for_net_fail.sh index 47627d9..5ad45bd 100755 --- a/bin/hardening/8.1.1.8_ensure_set_action_for_net_fail.sh +++ b/bin/hardening/8.1.1.8_ensure_set_action_for_net_fail.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 9 Hardening +# harbian audit 9/10 or CentOS Hardening # # diff --git a/bin/hardening/8.1.1.9_set_space_left_audit.sh b/bin/hardening/8.1.1.9_set_space_left_audit.sh index f992e1c..22e6507 100755 --- a/bin/hardening/8.1.1.9_set_space_left_audit.sh +++ b/bin/hardening/8.1.1.9_set_space_left_audit.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 9 Hardening +# harbian audit 9/10 or CentOS Hardening # # diff --git a/bin/hardening/8.1.10_record_dac_edit.sh b/bin/hardening/8.1.10_record_dac_edit.sh index 6943916..851f8c4 100755 --- a/bin/hardening/8.1.10_record_dac_edit.sh +++ b/bin/hardening/8.1.10_record_dac_edit.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # 
diff --git a/bin/hardening/8.1.11_record_failed_access_file.sh b/bin/hardening/8.1.11_record_failed_access_file.sh index 5ceace2..526686f 100755 --- a/bin/hardening/8.1.11_record_failed_access_file.sh +++ b/bin/hardening/8.1.11_record_failed_access_file.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # diff --git a/bin/hardening/8.1.12_record_privileged_commands.sh b/bin/hardening/8.1.12_record_privileged_commands.sh index db1521b..078b6c1 100755 --- a/bin/hardening/8.1.12_record_privileged_commands.sh +++ b/bin/hardening/8.1.12_record_privileged_commands.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # diff --git a/bin/hardening/8.1.13_record_successful_mount.sh b/bin/hardening/8.1.13_record_successful_mount.sh index a665ce3..4e127f5 100755 --- a/bin/hardening/8.1.13_record_successful_mount.sh +++ b/bin/hardening/8.1.13_record_successful_mount.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # diff --git a/bin/hardening/8.1.14_record_file_deletions.sh b/bin/hardening/8.1.14_record_file_deletions.sh index a3ee5f0..e639075 100755 --- a/bin/hardening/8.1.14_record_file_deletions.sh +++ b/bin/hardening/8.1.14_record_file_deletions.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # diff --git a/bin/hardening/8.1.15_record_sudoers_edit.sh b/bin/hardening/8.1.15_record_sudoers_edit.sh index a579b13..2e81553 100755 --- a/bin/hardening/8.1.15_record_sudoers_edit.sh +++ b/bin/hardening/8.1.15_record_sudoers_edit.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # diff --git a/bin/hardening/8.1.16_record_sudo_usage.sh b/bin/hardening/8.1.16_record_sudo_usage.sh index 8f37a4b..7c588aa 100755 --- a/bin/hardening/8.1.16_record_sudo_usage.sh 
+++ b/bin/hardening/8.1.16_record_sudo_usage.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # diff --git a/bin/hardening/8.1.17_record_kernel_modules.sh b/bin/hardening/8.1.17_record_kernel_modules.sh index a9e2f6b..b00ef48 100755 --- a/bin/hardening/8.1.17_record_kernel_modules.sh +++ b/bin/hardening/8.1.17_record_kernel_modules.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # diff --git a/bin/hardening/8.1.18_freeze_auditd_conf.sh b/bin/hardening/8.1.18_freeze_auditd_conf.sh index 6bb5876..e917924 100755 --- a/bin/hardening/8.1.18_freeze_auditd_conf.sh +++ b/bin/hardening/8.1.18_freeze_auditd_conf.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9 or CentOS Hardening # # diff --git a/bin/hardening/8.1.19_record_sshkeysign_usage.sh b/bin/hardening/8.1.19_record_sshkeysign_usage.sh index 13ba324..f89d331 100755 --- a/bin/hardening/8.1.19_record_sshkeysign_usage.sh +++ b/bin/hardening/8.1.19_record_sshkeysign_usage.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # @@ -9,13 +9,15 @@ # Author : Samson wen, Samson # -set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=4 -AUDIT_PARAMS='-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh --a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh' + +AUDIT_PARAMS="-a always,exit -F path=$(find /usr/ -name "ssh-keysign") -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh +-a always,exit -F path=$(which ssh-agent 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh" + +set -e # One error, it's over FILE='/etc/audit/rules.d/audit.rules' 
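Review bot: `$(find /usr/ -name "ssh-keysign")` can return zero, one or several paths (the binary ships under /usr/lib/openssh on Debian and /usr/libexec/openssh on CentOS, and `-name` also matches any same-named directory or documentation entry); with more than one hit the embedded newline splits the first rule into two fragments once `IFS=$'\n'` is applied in audit()/apply(), and the fragment is then written to the rules file as-is. Restrict the lookup to a single regular file, e.g. `$(find /usr/ -type f -name ssh-keysign -print -quit)`, so the substitution yields at most one path. Moving `set -e` below the assignment is deliberate (a failing `which` or `find` would otherwise abort the script) and deserves a comment such as `# set -e only after AUDIT_PARAMS: a missing binary must yield an empty path, not abort`.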
@@ -26,15 +28,21 @@ audit () { c_IFS=$'\n' IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - IFS=$d_IFS - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - IFS=$c_IFS - if [ $FNRET != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" - fi + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + crit "path is not exsit! Please check file path is exist!" + continue + else + debug "$AUDIT_VALUE should be in file $FILE" + IFS=$d_IFS + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + IFS=$c_IFS + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE is present in $FILE" + fi + fi done IFS=$d_IFS } @@ -43,15 +51,21 @@ audit () { apply () { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - if [ $FNRET != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" - add_end_of_file $FILE $AUDIT_VALUE - check_auditd_is_immutable_mode - else - ok "$AUDIT_VALUE is present in $FILE" - fi + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + crit "path is not exsit! Please check file path is exist!" + continue + else + debug "$AUDIT_VALUE should be in file $FILE" + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + check_auditd_is_immutable_mode + else + ok "$AUDIT_VALUE is present in $FILE" + fi + fi done } diff --git a/bin/hardening/8.1.20_record_open_by_handle_at_syscall.sh b/bin/hardening/8.1.20_record_open_by_handle_at_syscall.sh index c0b5aab..6b2fc0f 100755 --- a/bin/hardening/8.1.20_record_open_by_handle_at_syscall.sh +++ b/bin/hardening/8.1.20_record_open_by_handle_at_syscall.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # 
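Review bot: The new `check_audit_path $AUDIT_VALUE` branch reports `crit "path is not exsit! Please check file path is exist!"` without naming the rule that was skipped, so when the substitutions above yield an empty `-F path=` the operator sees the same message for every affected line; `crit "$AUDIT_VALUE: path does not exist, rule skipped"` (which also fixes the typo) makes the finding actionable. The `continue` makes the `else` wrapper redundant, so the remaining body could stay at its original indentation after the `if … fi`, keeping the hunk a four-line addition. `check_audit_path` itself is not in this diff, so its return convention (1 for a missing path) is taken on trust and a one-line comment on first use would help. The same block is repeated verbatim in the audit()/apply() hunks of 8.1.21, 8.1.22, 8.1.23 and 8.1.24 below.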
diff --git a/bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh b/bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh index fc08318..242f564 100755 --- a/bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh +++ b/bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # @@ -9,16 +9,16 @@ # Author : Samson wen, Samson # -set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=4 -AUDIT_PARAMS='-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd --a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd --a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd --a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd' +AUDIT_PARAMS="-a always,exit -F path=$(which passwd 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd +-a always,exit -F path=$(which unix_chkpwd 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd +-a always,exit -F path=$(which gpasswd 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd +-a always,exit -F path=$(which chage 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" +set -e # One error, it's over FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode 
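Review bot: `$(which unix_chkpwd 2>/dev/null)` depends on the caller's PATH; on Debian the binary lives in /sbin, which is only on PATH for root or under sudo's secure_path, so running the audit from an unprivileged shell silently yields `-F path=` and the rule is later skipped as missing rather than compared against the rules file. A fixed fallback avoids that, e.g. `$(command -v unix_chkpwd 2>/dev/null || echo /sbin/unix_chkpwd)`; at minimum a comment above the assignment stating that the lookup assumes a root PATH belongs here. The `su`/`sudo` lookups in the 8.1.22 hunk further down have the same dependence.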
@@ -28,15 +28,21 @@ audit () { c_IFS=$'\n' IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - IFS=$d_IFS - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - IFS=$c_IFS - if [ $FNRET != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" - fi + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + crit "path is not exsit! Please check file path is exist!" + continue + else + debug "$AUDIT_VALUE should be in file $FILE" + IFS=$d_IFS + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + IFS=$c_IFS + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE is present in $FILE" + fi + fi done IFS=$d_IFS } @@ -45,15 +51,21 @@ audit () { apply () { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - if [ $FNRET != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" - add_end_of_file $FILE $AUDIT_VALUE - check_auditd_is_immutable_mode - else - ok "$AUDIT_VALUE is present in $FILE" - fi + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + crit "path is not exsit! Please check file path is exist!" + continue + else + debug "$AUDIT_VALUE should be in file $FILE" + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + check_auditd_is_immutable_mode + else + ok "$AUDIT_VALUE is present in $FILE" + fi + fi done } diff --git a/bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh b/bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh index dfcfd93..229fac8 100755 --- a/bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh +++ b/bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh 
@@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # @@ -9,18 +9,18 @@ # Author : Samson wen, Samson # -set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=4 -AUDIT_PARAMS='-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change' +AUDIT_PARAMS="-a always,exit -F path=$(which su 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=$(which sudo 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=$(which newgrp 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=$(which chsh 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=$(which sudoedit 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=$(which chfn 2>/dev/null) -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change" +set -e # One error, it's over FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode 
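Review bot: The rewritten `chfn` rule keeps `-F auid>=500` while the other five rules in the same string use `auid>=1000`, so one binary is audited from a different UID floor than the rest and the difference is easy to miss inside a multi-line string; unless intentional, make it `-a always,exit -F path=$(which chfn 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change`. If 500 is meant to cover older CentOS UID ranges, a comment should say so, and the other rules would then need the same floor.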
@@ -30,15 +30,21 @@ audit () { c_IFS=$'\n' IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - IFS=$d_IFS - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - IFS=$c_IFS - if [ $FNRET != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" - fi + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + crit "path is not exsit! Please check file path is exist!" + continue + else + debug "$AUDIT_VALUE should be in file $FILE" + IFS=$d_IFS + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + IFS=$c_IFS + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE is present in $FILE" + fi + fi done IFS=$d_IFS } @@ -47,15 +53,21 @@ audit () { apply () { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - if [ $FNRET != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" - add_end_of_file $FILE $AUDIT_VALUE - check_auditd_is_immutable_mode - else - ok "$AUDIT_VALUE is present in $FILE" - fi + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + crit "path is not exsit! Please check file path is exist!" + continue + else + debug "$AUDIT_VALUE should be in file $FILE" + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + check_auditd_is_immutable_mode + else + ok "$AUDIT_VALUE is present in $FILE" + fi + fi done } diff --git a/bin/hardening/8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh b/bin/hardening/8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh index 1dc4feb..0f2791f 100755 --- a/bin/hardening/8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh +++ b/bin/hardening/8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh 
@@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # @@ -9,14 +9,14 @@ # Author : Samson wen, Samson # -set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=4 -AUDIT_PARAMS='-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix --a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix' +AUDIT_PARAMS='-a always,exit -F path=$(which postdrop 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix +-a always,exit -F path=$(which postqueue 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix' +set -e # One error, it's over FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode @@ -26,15 +26,21 @@ audit () { c_IFS=$'\n' IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - IFS=$d_IFS - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - IFS=$c_IFS - if [ $FNRET != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" - fi + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + crit "path is not exsit! Please check file path is exist!" + continue + else + debug "$AUDIT_VALUE should be in file $FILE" + IFS=$d_IFS + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + IFS=$c_IFS + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE is present in $FILE" + fi + fi done IFS=$d_IFS } 
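Review bot: `AUDIT_PARAMS` in the 8.1.23 hunk is still single-quoted, so `$(which postdrop 2>/dev/null)` and `$(which postqueue 2>/dev/null)` are never expanded and the rule text literally contains `-F path=$(which postdrop 2>/dev/null)`; `check_audit_path` will reject it on every host (or, if it does not, an unparsable path reaches audit.rules), so this check can no longer pass anywhere. Change the outer quotes to double quotes as the 8.1.19/8.1.21/8.1.22 hunks do: `AUDIT_PARAMS="-a always,exit -F path=$(which postdrop 2>/dev/null) … -k privileged-postfix"`. The 8.1.24 hunk (`crontab`) has the identical single-quote problem.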
@@ -43,15 +49,21 @@ audit () { apply () { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - if [ $FNRET != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" - add_end_of_file $FILE $AUDIT_VALUE - check_auditd_is_immutable_mode - else - ok "$AUDIT_VALUE is present in $FILE" - fi + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + crit "path is not exsit! Please check file path is exist!" + continue + else + debug "$AUDIT_VALUE should be in file $FILE" + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + check_auditd_is_immutable_mode + else + ok "$AUDIT_VALUE is present in $FILE" + fi + fi done } diff --git a/bin/hardening/8.1.24_record_crontab_cmd_usage.sh b/bin/hardening/8.1.24_record_crontab_cmd_usage.sh index 4f8d938..4abed4f 100755 --- a/bin/hardening/8.1.24_record_crontab_cmd_usage.sh +++ b/bin/hardening/8.1.24_record_crontab_cmd_usage.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # @@ -9,12 +9,13 @@ # Author : Samson wen, Samson # -set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=4 -AUDIT_PARAMS='-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron' +AUDIT_PARAMS='-a always,exit -F path=$(which crontab 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron' + +set -e # One error, it's over FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode 
@@ -24,15 +25,21 @@ audit () { c_IFS=$'\n' IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - IFS=$d_IFS - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - IFS=$c_IFS - if [ $FNRET != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" - fi + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + crit "path is not exsit! Please check file path is exist!" + continue + else + debug "$AUDIT_VALUE should be in file $FILE" + IFS=$d_IFS + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + IFS=$c_IFS + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE is present in $FILE" + fi + fi done IFS=$d_IFS } @@ -41,15 +48,21 @@ audit () { apply () { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - if [ $FNRET != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" - add_end_of_file $FILE $AUDIT_VALUE - check_auditd_is_immutable_mode - else - ok "$AUDIT_VALUE is present in $FILE" - fi + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + crit "path is not exsit! Please check file path is exist!" + continue + else + debug "$AUDIT_VALUE should be in file $FILE" + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + check_auditd_is_immutable_mode + else + ok "$AUDIT_VALUE is present in $FILE" + fi + fi done } diff --git a/bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh b/bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh index 32066d8..90de0a5 100755 --- a/bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh +++ b/bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # 
@@ -9,12 +9,13 @@ # Author : Samson wen, Samson # -set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=4 -AUDIT_PARAMS='-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam' +AUDIT_PARAMS='-a always,exit -F path=$(which pam_timestamp_check 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam' + +set -e # One error, it's over FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode @@ -24,15 +25,21 @@ audit () { c_IFS=$'\n' IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - IFS=$d_IFS - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - IFS=$c_IFS - if [ $FNRET != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" - fi + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + crit "path is not exsit! Please check file path is exist!" + continue + else + debug "$AUDIT_VALUE should be in file $FILE" + IFS=$d_IFS + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + IFS=$c_IFS + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE is present in $FILE" + fi + fi done IFS=$d_IFS } 
@@ -41,15 +48,21 @@ audit () { apply () { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - if [ $FNRET != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" - add_end_of_file $FILE $AUDIT_VALUE - check_auditd_is_immutable_mode - else - ok "$AUDIT_VALUE is present in $FILE" - fi + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + crit "path is not exsit! Please check file path is exist!" + continue + else + debug "$AUDIT_VALUE should be in file $FILE" + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + check_auditd_is_immutable_mode + else + ok "$AUDIT_VALUE is present in $FILE" + fi + fi done } diff --git a/bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh b/bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh index 99bac87..ccdb5ca 100755 --- a/bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh +++ b/bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # @@ -9,13 +9,14 @@ # Author : Samson wen, Samson Author add this # -set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=4 -AUDIT_PARAMS='-a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam --a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam' +AUDIT_PARAMS='-a always,exit -F path=$(which pam_tally 2>/dev/null) -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam +-a always,exit -F path=$(which pam_tally2 2>/dev/null) -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam' + +set -e # One error, it's over FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode 
@@ -25,15 +26,21 @@ audit () { c_IFS=$'\n' IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - IFS=$d_IFS - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - IFS=$c_IFS - if [ $FNRET != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" - fi + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + crit "path is not exsit! Please check file path is exist!" + continue + else + debug "$AUDIT_VALUE should be in file $FILE" + IFS=$d_IFS + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + IFS=$c_IFS + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE is present in $FILE" + fi + fi done IFS=$d_IFS } @@ -42,15 +49,21 @@ audit () { apply () { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - if [ $FNRET != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" - add_end_of_file $FILE $AUDIT_VALUE - check_auditd_is_immutable_mode - else - ok "$AUDIT_VALUE is present in $FILE" - fi + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + crit "path is not exsit! Please check file path is exist!" + continue + else + debug "$AUDIT_VALUE should be in file $FILE" + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + check_auditd_is_immutable_mode + else + ok "$AUDIT_VALUE is present in $FILE" + fi + fi done } diff --git a/bin/hardening/8.1.27_record_Events_that_modify_conf_files.sh b/bin/hardening/8.1.27_record_Events_that_modify_conf_files.sh index 2821d17..71c594d 100755 --- a/bin/hardening/8.1.27_record_Events_that_modify_conf_files.sh +++ b/bin/hardening/8.1.27_record_Events_that_modify_conf_files.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 9 Hardening +# harbian audit 9/10 or CentOS Hardening # # 
@@ -9,25 +9,25 @@ # Author: Samson-W (sccxboy@gmail.com) author add this # -set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=4 -AUDIT_PARAMS='-w /etc/audisp/audisp-remote.conf -p wa -k config_file_change --w /etc/audit/auditd.conf -p wa -k config_file_change --w /etc/audit/rules.d/ -p wa -k config_file_change --w /etc/default/grub -p wa -k config_file_change --w /etc/fstab -p wa -k config_file_change --w /etc/hosts.deny -p wa -k config_file_change --w /etc/login.defs -p wa -k config_file_change --w /etc/pam.d/ -p wa -k config_file_change --w /etc/profile -p wa -k config_file_change --w /etc/profile.d/ -p wa -k config_file_change --w /etc/security/ -p wa -k config_file_change --w /etc/iptables/ -p wa -k config_file_change --w /etc/sysctl.conf -p wa -k config_file_change' +AUDIT_PARAMS='-a always,exit -F path=$(find /etc/ -name audisp-remote.conf) -F perm=wa -k config_file_change +-a always,exit -F path=$(find /etc/ -name auditd.conf) -F perm=wa -k config_file_change +-a always,exit -F dir=$(find /etc/audit/ -name rules.d) -F perm=wa -k config_file_change +-a always,exit -F path=$(find /etc/ -name grub) -F perm=wa -k config_file_change +-a always,exit -F path=$(find /etc/ -name fstab) -F perm=wa -k config_file_change +-a always,exit -F path=$(find /etc/ -name hosts.deny) -F perm=wa -k config_file_change +-a always,exit -F path=$(find /etc/ -name login.defs) -F perm=wa -k config_file_change +-a always,exit -F dir=/etc/pam.d/ -F perm=wa -k config_file_change +-a always,exit -F path=/etc/profile -F perm=wa -k config_file_change +-a always,exit -F dir=/etc/profile.d/ -F perm=wa -k config_file_change +-a always,exit -F dir=/etc/security/ -F perm=wa -k config_file_change +-a always,exit -F dir=/etc/iptables/ -F perm=wa -k config_file_change +-a always,exit -F path=/etc/sysctl.conf -F perm=wa -k config_file_change' +set -e # One error, it's over FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is 
on enabled / audit mode @@ -37,15 +37,21 @@ audit () { c_IFS=$'\n' IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - IFS=$d_IFS - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - IFS=$c_IFS - if [ $FNRET != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" - fi + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + crit "path is not exsit! Please check file path is exist!" + continue + else + debug "$AUDIT_VALUE should be in file $FILE" + IFS=$d_IFS + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + IFS=$c_IFS + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE is present in $FILE" + fi + fi done IFS=$d_IFS } @@ -54,15 +60,21 @@ audit () { apply () { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - if [ $FNRET != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" - add_end_of_file $FILE $AUDIT_VALUE - check_auditd_is_immutable_mode - else - ok "$AUDIT_VALUE is present in $FILE" - fi + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + crit "path is not exsit! Please check file path is exist!" + continue + else + debug "$AUDIT_VALUE should be in file $FILE" + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + check_auditd_is_immutable_mode + else + ok "$AUDIT_VALUE is present in $FILE" + fi + fi done } diff --git a/bin/hardening/8.1.28_record_acl_cmd_usage.sh b/bin/hardening/8.1.28_record_acl_cmd_usage.sh index 74bf365..41ce2b0 100755 --- a/bin/hardening/8.1.28_record_acl_cmd_usage.sh +++ b/bin/hardening/8.1.28_record_acl_cmd_usage.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # 
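Review bot: `find /etc/ -name grub` in the `@@ -9,25 +9,25 @@` hunk is not a safe way to derive a single path: `find` prints every match, and on CentOS `/etc/sysconfig/grub` is typically a symlink to `/etc/default/grub`, so two paths would land in one `-F path=` value and the rule would be malformed, while no match gives an empty `-F path=`. The same holds for the `audisp-remote.conf`, `auditd.conf`, `fstab`, `hosts.deny` and `login.defs` lookups, and `find /etc/audit/ -name rules.d` hard-codes the parent directory anyway. Every one of these files has a fixed, well-known location, so keeping the literal paths the `-w` rules used and letting `check_audit_path` skip the ones absent on a given distribution is simpler and cannot produce a malformed rule. As written the assignment is also single-quoted, so none of the `$(find …)` text is expanded at all.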
@@ -9,14 +9,14 @@ # Author : Samson wen, Samson # -set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=4 -AUDIT_PARAMS='-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng --a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng' +AUDIT_PARAMS='-a always,exit -F path=$(which setfacl 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng +-a always,exit -F path=$(which chacl 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng' +set -e # One error, it's over FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode @@ -26,15 +26,21 @@ audit () { c_IFS=$'\n' IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - IFS=$d_IFS - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - IFS=$c_IFS - if [ $FNRET != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" - fi + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + crit "path is not exsit! Please check file path is exist!" + continue + else + debug "$AUDIT_VALUE should be in file $FILE" + IFS=$d_IFS + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + IFS=$c_IFS + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE is present in $FILE" + fi + fi done IFS=$d_IFS } 
@@ -43,15 +49,21 @@ audit () { apply () { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - if [ $FNRET != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" - add_end_of_file $FILE $AUDIT_VALUE - check_auditd_is_immutable_mode - else - ok "$AUDIT_VALUE is present in $FILE" - fi + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + crit "path is not exsit! Please check file path is exist!" + continue + else + debug "$AUDIT_VALUE should be in file $FILE" + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + check_auditd_is_immutable_mode + else + ok "$AUDIT_VALUE is present in $FILE" + fi + fi done } diff --git a/bin/hardening/8.1.29_record_usermod_cmd_usage.sh b/bin/hardening/8.1.29_record_usermod_cmd_usage.sh index 4079014..fd2e4ed 100755 --- a/bin/hardening/8.1.29_record_usermod_cmd_usage.sh +++ b/bin/hardening/8.1.29_record_usermod_cmd_usage.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # @@ -9,13 +9,13 @@ # Author : Samson wen, Samson # -set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=4 -AUDIT_PARAMS='-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod' +AUDIT_PARAMS='-a always,exit -F path=$(which usermod 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod' +set -e # One error, it's over FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode 
@@ -25,15 +25,21 @@ audit () { c_IFS=$'\n' IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - IFS=$d_IFS - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - IFS=$c_IFS - if [ $FNRET != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" - fi + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + crit "path is not exsit! Please check file path is exist!" + continue + else + debug "$AUDIT_VALUE should be in file $FILE" + IFS=$d_IFS + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + IFS=$c_IFS + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE is present in $FILE" + fi + fi done IFS=$d_IFS } @@ -42,15 +48,21 @@ audit () { apply () { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - if [ $FNRET != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" - add_end_of_file $FILE $AUDIT_VALUE - check_auditd_is_immutable_mode - else - ok "$AUDIT_VALUE is present in $FILE" - fi + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + crit "path is not exsit! Please check file path is exist!" + continue + else + debug "$AUDIT_VALUE should be in file $FILE" + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + check_auditd_is_immutable_mode + else + ok "$AUDIT_VALUE is present in $FILE" + fi + fi done } diff --git a/bin/hardening/8.1.2_enable_auditd.sh b/bin/hardening/8.1.2_enable_auditd.sh index e1d8006..398edbd 100755 --- a/bin/hardening/8.1.2_enable_auditd.sh +++ b/bin/hardening/8.1.2_enable_auditd.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # 
@@ -15,10 +15,14 @@ set -u # One variable unset, it's over HARDENING_LEVEL=4 PACKAGE='auditd' +PACKAGE_REDHAT='audit' SERVICE_NAME='auditd' # This function will be called if the script status is on enabled / audit mode audit () { + if [ $OS_RELEASE -eq 2 ]; then + PACKAGE=$PACKAGE_REDHAT + fi is_pkg_installed $PACKAGE if [ $FNRET != 0 ]; then crit "$PACKAGE is not installed!" @@ -35,12 +39,19 @@ audit () { # This function will be called if the script status is on enabled mode apply () { + if [ $OS_RELEASE -eq 2 ]; then + PACKAGE=$PACKAGE_REDHAT + fi is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then ok "$PACKAGE is installed" else warn "$PACKAGE is absent, installing it" - apt_install $PACKAGE + if [ $OS_RELEASE -eq 2 ]; then + yum install -y $PACKAGE + else + apt_install $PACKAGE + fi fi is_service_enabled $SERVICE_NAME if [ $FNRET = 0 ]; then @@ -48,8 +59,9 @@ apply () { else warn "$SERVICE_NAME is not enabled, enabling it" is_debian_9 - if [ $FNRET = 0 ]; then - systemctl enable auditd + if [ $FNRET = 0 -o $OS_RELEASE -eq 2 ]; then + systemctl enable $SERVICE_NAME + systemctl start $SERVICE_NAME else update-rc.d $SERVICE_NAME remove > /dev/null 2>&1 update-rc.d $SERVICE_NAME defaults > /dev/null 2>&1 diff --git a/bin/hardening/8.1.30_record_unix_update_cmd_usage.sh b/bin/hardening/8.1.30_record_unix_update_cmd_usage.sh index 9d2bae6..b152ba6 100755 --- a/bin/hardening/8.1.30_record_unix_update_cmd_usage.sh +++ b/bin/hardening/8.1.30_record_unix_update_cmd_usage.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # 
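Review bot: In the `@@ -48,8 +59,9 @@` hunk the condition `[ $FNRET = 0 -o $OS_RELEASE -eq 2 ]` relies on the deprecated, ambiguous `-o` operator; `if [ "$FNRET" = 0 ] || [ "$OS_RELEASE" -eq 2 ]; then` says the same thing unambiguously. In the `@@ -35,12 +39,19 @@` hunk `yum install -y $PACKAGE` is invoked directly where the Debian path goes through `apt_install`, so whatever error handling that helper provides is skipped on RedHat; a library wrapper analogous to `apt_install` would keep it in one place instead of repeating the `OS_RELEASE -eq 2` branch in every script. The added `systemctl start $SERVICE_NAME` is also not silenced with `> /dev/null 2>&1` the way the same call is in 9.1.1_enable_cron, which should be done one way or the other in both files. All three points recur in the 9.1.1_enable_cron hunks further down.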
@@ -9,13 +9,13 @@ # Author : Samson wen, Samson # -set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=4 -AUDIT_PARAMS='-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update' +AUDIT_PARAMS='-a always,exit -F path=$(which unix_update 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update' +set -e # One error, it's over FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode @@ -25,15 +25,21 @@ audit () { c_IFS=$'\n' IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - IFS=$d_IFS - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - IFS=$c_IFS - if [ $FNRET != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" - fi + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + crit "path is not exsit! Please check file path is exist!" + continue + else + debug "$AUDIT_VALUE should be in file $FILE" + IFS=$d_IFS + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + IFS=$c_IFS + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE is present in $FILE" + fi + fi done IFS=$d_IFS } 
@@ -42,15 +48,21 @@ audit () { apply () { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - if [ $FNRET != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" - add_end_of_file $FILE $AUDIT_VALUE - check_auditd_is_immutable_mode - else - ok "$AUDIT_VALUE is present in $FILE" - fi + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + crit "path is not exsit! Please check file path is exist!" + continue + else + debug "$AUDIT_VALUE should be in file $FILE" + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + check_auditd_is_immutable_mode + else + ok "$AUDIT_VALUE is present in $FILE" + fi + fi done } diff --git a/bin/hardening/8.1.31_record_syscall_execve.sh b/bin/hardening/8.1.31_record_syscall_execve.sh index 1a6b947..3f39a70 100755 --- a/bin/hardening/8.1.31_record_syscall_execve.sh +++ b/bin/hardening/8.1.31_record_syscall_execve.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # diff --git a/bin/hardening/8.1.32_record_Events_netfilter.sh b/bin/hardening/8.1.32_record_Events_netfilter.sh new file mode 100755 index 0000000..4940b81 --- /dev/null +++ b/bin/hardening/8.1.32_record_Events_netfilter.sh 
@@ -0,0 +1,91 @@ +#!/bin/bash + +# +# harbian audit 10 Hardening +# + +# +# 8.1.32 Record netfilter related Events (Scored) +# Author: Samson-W (samson@hardenedlinux.org) author add this +# todo test for centos + +set -e # One error, it's over +set -u # One variable unset, it's over + +HARDENING_LEVEL=4 + +AUDIT_PARAMS='-w /etc/nftables.conf -p wa -k nft_config_file_change +-w /usr/share/netfilter-persistent/plugins.d/ -p wa -k nft_config_file_change +-a always,exit -F path=/usr/sbin/netfilter-persistent -F perm=x -F auid>=1000 -F auid!=4294967295 -k nft_persistent_use +-a always,exit -F path=/usr/sbin/nft -F perm=x -F auid>=1000 -F auid!=4294967295 -k nft_cmd_use' + +FILE='/etc/audit/rules.d/audit.rules' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_debian_10 + if [ $FNRET != 0 ]; then + ok "OS not support nft, so pass" + else + # define custom IFS and save default one + d_IFS=$IFS + c_IFS=$'\n' + IFS=$c_IFS + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE should be in file $FILE" + IFS=$d_IFS + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + IFS=$c_IFS + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE is present in $FILE" + fi + done + IFS=$d_IFS + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_debian_10 + if [ $FNRET != 0 ]; then + ok "OS not support nft, so pass" + else + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE should be in file $FILE" + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + check_auditd_is_immutable_mode + else + ok "$AUDIT_VALUE is present in $FILE" + fi + done + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ -r /etc/default/cis-hardening ]; then + . 
/etc/default/cis-hardening +fi +if [ -z "$CIS_ROOT_DIR" ]; then + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." + exit 128 +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then + . $CIS_ROOT_DIR/lib/main.sh +else + echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" + exit 128 +fi diff --git a/bin/hardening/8.1.3_audit_bootloader.sh b/bin/hardening/8.1.3_audit_bootloader.sh index 4e0c07d..3284db6 100755 --- a/bin/hardening/8.1.3_audit_bootloader.sh +++ b/bin/hardening/8.1.3_audit_bootloader.sh @@ -9,6 +9,7 @@ # # 8.1.3 Enable Auditing for Processes That Start Prior to auditd (Scored) # +# todo test for centos set -e # One error, it's over set -u # One variable unset, it's over diff --git a/bin/hardening/8.1.4_record_date_time_edit.sh b/bin/hardening/8.1.4_record_date_time_edit.sh index 7a9626b..1c87fe8 100755 --- a/bin/hardening/8.1.4_record_date_time_edit.sh +++ b/bin/hardening/8.1.4_record_date_time_edit.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # diff --git a/bin/hardening/8.1.5_record_user_group_edit.sh b/bin/hardening/8.1.5_record_user_group_edit.sh index 1f4efe9..7362152 100755 --- a/bin/hardening/8.1.5_record_user_group_edit.sh +++ b/bin/hardening/8.1.5_record_user_group_edit.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # diff --git a/bin/hardening/8.1.6_record_network_edit.sh b/bin/hardening/8.1.6_record_network_edit.sh index 349bcf9..c52e5e7 100755 --- a/bin/hardening/8.1.6_record_network_edit.sh +++ b/bin/hardening/8.1.6_record_network_edit.sh 
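Review bot: The new 8.1.32 script hard-codes `/usr/sbin/nft` and `/usr/sbin/netfilter-persistent` in `AUDIT_PARAMS` and its loops never call `check_audit_path`, while the rest of this commit moves the sibling 8.1.2x scripts to exactly that guard; on a Debian 10 host where `nft` or `netfilter-persistent` is absent, `apply` would still append rules for paths that do not exist. Adding the same `check_audit_path $AUDIT_VALUE` / `if [ $FNRET -eq 1 ]` check at the top of both loops keeps the file consistent with its siblings. The `is_debian_10` gate reports `ok "OS not support nft, so pass"` on every other release, which records a pass rather than a not-applicable result; `info` would be the more honest severity if the framework allows it. The header comment `# todo test for centos` should either be resolved or become a `TODO(name):` naming what is untested before this is merged.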
@@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # diff --git a/bin/hardening/8.1.7_record_mac_edit.sh b/bin/hardening/8.1.7_record_mac_edit.sh index 6d81cbd..ea261ce 100755 --- a/bin/hardening/8.1.7_record_mac_edit.sh +++ b/bin/hardening/8.1.7_record_mac_edit.sh @@ -1,29 +1,35 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # # 8.1.7 Record Events That Modify the System's Mandatory Access Controls (Scored) # Modify by: Samson-W (sccxboy@gmail.com) # +# todo test for centos -set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=4 SELINUX_PKG="selinux-basics" -SE_AUDIT_PARAMS='-w /etc/selinux/ -p wa -k MAC-policy --w /usr/share/selinux/ -p wa -k MAC-policy --a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng' +SELINUX_PKG_REDHAT="selinux-policy" + +SE_AUDIT_PARAMS="-a always,exit -F dir=/etc/selinux/ -F perm=wa -k MAC-policy +-a always,exit -F dir=/usr/share/selinux/ -F perm=wa -k MAC-policy +-a always,exit -F path=$(which chcon 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng +-a always,exit -F path=$(which semanage 2>/dev/null) -F auid>=1000 -F auid!=4294967295 -k perm_chng +-a always,exit -F path=$(which setsebool 2>/dev/null) -F auid>=1000 -F auid!=4294967295 -k perm_chng +-a always,exit -F path=$(which setfiles 2>/dev/null) -F auid>=1000 -F auid!=4294967295 -k perm_chng" APPARMOR_PKG="apparmor" AA_AUDIT_PARAMS='-w /etc/apparmor/ -p wa -k MAC-policy -w /etc/apparmor.d/ -p wa -k MAC-policy -a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k MAC-policy' +set -e # One error, it's over FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode 
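Review bot: `SE_AUDIT_PARAMS` in the `@@ -1,29 +1,35 @@` hunk is now double-quoted, so each `$(which … 2>/dev/null)` is expanded at assignment time; when a tool is not installed the substitution is empty and the rule becomes `-F path= -F auid>=1000 …`, which auditctl is unlikely to accept, and because `set -e` has been moved below the assignment nothing stops the script from writing it. Unless the audit/apply loops in this file also call `check_audit_path` and that helper rejects an empty path (the loops are outside this hunk), the empty value needs to be filtered before the rule is written. Separately, the three new `semanage`, `setsebool` and `setfiles` rules omit the `-F perm=x` that the `chcon` rule carries; if that is not deliberate, add it so these rules are scoped to execution like the `chcon` one instead of matching every syscall on the path. `which` is also not guaranteed on minimal installs; `command -v` is the portable lookup.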
@@ -33,6 +39,9 @@ audit () { # define custom IFS and save default one d_IFS=$IFS IFS=$'\n' + if [ $OS_RELEASE -eq 2 ]; then + SELINUX_PKG=$SELINUX_PKG_REDHAT + fi is_pkg_installed $SELINUX_PKG if [ $FNRET = 0 ]; then AUDIT_PARAMS=$SE_AUDIT_PARAMS @@ -42,6 +51,8 @@ audit () { if [ $FNRET = 0 ]; then AUDIT_PARAMS=$AA_AUDIT_PARAMS info "Apparmor has installed!" + else + crit "SELinux and Apparmor not install!" fi fi for AUDIT_VALUE in $AUDIT_PARAMS; do @@ -60,6 +71,9 @@ audit () { apply () { d_IFS=$IFS IFS=$'\n' + if [ $OS_RELEASE -eq 2 ]; then + SELINUX_PKG=$SELINUX_PKG_REDHAT + fi is_pkg_installed $SELINUX_PKG if [ $FNRET = 0 ]; then AUDIT_PARAMS=$SE_AUDIT_PARAMS @@ -69,6 +83,8 @@ apply () { if [ $FNRET = 0 ]; then AUDIT_PARAMS=$AA_AUDIT_PARAMS info "Apparmor has installed!" + else + crit "SELinux and Apparmor not install!" fi fi for AUDIT_VALUE in $AUDIT_PARAMS; do diff --git a/bin/hardening/8.1.8_record_login_logout.sh b/bin/hardening/8.1.8_record_login_logout.sh index bfaac91..1633ad9 100755 --- a/bin/hardening/8.1.8_record_login_logout.sh +++ b/bin/hardening/8.1.8_record_login_logout.sh @@ -1,9 +1,11 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening +# Modify by: Samson-W (samson@hardenedlinux.org) # + # # 8.1.8 Collect Login and Logout Events (Scored) # @@ -16,10 +18,15 @@ HARDENING_LEVEL=4 AUDIT_PARAMS='-w /var/log/faillog -p wa -k logins -w /var/log/lastlog -p wa -k logins -w /var/log/tallylog -p wa -k logins' +AUDIT_PARAMS_REDHAT='-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins' FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode audit () { + if [ $OS_RELEASE -eq 2 ]; then + AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT + fi # define custom IFS and save default one d_IFS=$IFS IFS=$'\n' 
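Review bot: In the `@@ -42,6 +51,8 @@` hunk (and its twin `@@ -69,6 +83,8 @@` in `apply`) the new `else` branch only emits `crit "SELinux and Apparmor not install!"` and then falls through to `for AUDIT_VALUE in $AUDIT_PARAMS`; unless `AUDIT_PARAMS` is initialised earlier in the file, which these hunks do not show, that reference trips `set -u` and the script dies with an unbound-variable error instead of recording the finding. Restoring IFS and leaving the function is the minimal fix: after the `crit` add `IFS=$d_IFS` and `return`. The message could also read `crit "Neither SELinux nor AppArmor is installed!"`. The enclosing `audit` and `apply` functions begin and end outside these hunks.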
@@ -37,6 +44,9 @@ audit () { # This function will be called if the script status is on enabled mode apply () { + if [ $OS_RELEASE -eq 2 ]; then + AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT + fi d_IFS=$IFS IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do diff --git a/bin/hardening/8.1.9_record_session_init.sh b/bin/hardening/8.1.9_record_session_init.sh index 96de42d..a2ada80 100755 --- a/bin/hardening/8.1.9_record_session_init.sh +++ b/bin/hardening/8.1.9_record_session_init.sh @@ -1,7 +1,8 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening +# Modify by: Samson-W (samson@hardenedlinux.org) # # @@ -16,10 +17,15 @@ HARDENING_LEVEL=4 AUDIT_PARAMS='-w /var/run/utmp -p wa -k session -w /var/log/wtmp -p wa -k session -w /var/log/btmp -p wa -k session' +AUDIT_PARAMS_REDHAT='-w /var/log/wtmp -p wa -k session +-w /var/log/btmp -p wa -k session' FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode audit () { + if [ $OS_RELEASE -eq 2 ]; then + AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT + fi # define custom IFS and save default one d_IFS=$IFS IFS=$'\n' @@ -37,6 +43,9 @@ audit () { # This function will be called if the script status is on enabled mode apply () { + if [ $OS_RELEASE -eq 2 ]; then + AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT + fi d_IFS=$IFS IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do diff --git a/bin/hardening/8.4.1_install_aide.sh b/bin/hardening/8.4.1_install_aide.sh index b7e3977..60c11c9 100755 --- a/bin/hardening/8.4.1_install_aide.sh +++ b/bin/hardening/8.4.1_install_aide.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 9 Hardening +# harbian audit 9/10 or CentOS Hardening # # 
@@ -34,9 +34,15 @@ apply () { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE - aideinit - info "${PACKAGE} is now installed but not fully functionnal, please see readme to go further" + if [ $OS_RELEASE -eq 2 ]; then + yum install -y $PACKAGE + aide --init + mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz + else + apt_install $PACKAGE + aideinit + info "${PACKAGE} is now installed but not fully functionnal, please see readme to go further" + fi fi } diff --git a/bin/hardening/8.4.2_aide_cron.sh b/bin/hardening/8.4.2_aide_cron.sh index 8121cbf..3c5a602 100755 --- a/bin/hardening/8.4.2_aide_cron.sh +++ b/bin/hardening/8.4.2_aide_cron.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 9 Hardening +# harbian audit 9/10 or CentOS Hardening # # diff --git a/bin/hardening/8.5_ensure_permissions_on_all_logfiles.sh b/bin/hardening/8.5_ensure_permissions_on_all_logfiles.sh index e0cd0b5..f1bf38c 100755 --- a/bin/hardening/8.5_ensure_permissions_on_all_logfiles.sh +++ b/bin/hardening/8.5_ensure_permissions_on_all_logfiles.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 9 Hardening +# harbian audit 9/10 or CentOS Hardening # # @@ -15,17 +15,21 @@ set -u # One variable unset, it's over HARDENING_LEVEL=3 LOGDIR='/var/log' +ERRPERFILELIST='/dev/shm/8.5-filelist' PERMISS_MODE='/7137' PERMISS_SET='0640' # This function will be called if the script status is on enabled / audit mode audit () { - countnum=$(find $LOGDIR -type f -perm $PERMISS_MODE -ls | wc -l) + find $LOGDIR -type f -perm $PERMISS_MODE -ls > $ERRPERFILELIST + countnum=$(cat $ERRPERFILELIST | wc -l) if [ $countnum -gt 0 ]; then crit "Permissions of all log files are not correctly configured!" + cat $ERRPERFILELIST FNRET=1 else ok "Permissions of all log files have correctly configured!" + rm $ERRPERFILELIST FNRET=0 fi } 
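Review bot: The RedHat branch in the `@@ -34,9 +34,15 @@` hunk hard-codes `mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz`; where `aide --init` writes its database is set by `database_out` in aide.conf, so if the packaged configuration uses another location or an uncompressed name the `mv` fails and, under `set -e`, aborts the whole apply run right after the install. Guarding it — `if [ -f /var/lib/aide/aide.db.new.gz ]; then mv …; else crit "aide database was not created at the expected path"; fi` — and printing the same `info` the Debian branch prints keeps the two branches symmetric. `yum install -y $PACKAGE` also bypasses whatever `apt_install` does for the Debian path, the same issue as in 8.1.2_enable_auditd.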
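Review bot: `ERRPERFILELIST='/dev/shm/8.5-filelist'` in the `@@ -15,17 +15,21 @@` hunk is a fixed, predictable name in a world-writable directory, and the script, which runs as root, truncates it with `>`; a symlink planted there by any local user would redirect that write onto a file of their choosing, which a hardening tool must not allow. Use `mktemp` and remove the file on every exit path instead of only in the `ok` branch here and the `warn` branch of the following `apply` hunk: `ERRPERFILELIST=$(mktemp)` at the assignment and `trap 'rm -f -- "$ERRPERFILELIST"' EXIT` directly after it. `countnum=$(cat $ERRPERFILELIST | wc -l)` can be `countnum=$(wc -l < "$ERRPERFILELIST")`. The bare `cat $ERRPERFILELIST` dumps the `find -ls` listing straight to stdout, bypassing the `crit`/`info` logging helpers the rest of the file uses for its output.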
@@ -37,6 +41,7 @@ apply () { else warn "Permissions of all log files are not correctly configured! Set it" chmod -R $PERMISS_SET $LOGDIR/* + rm $ERRPERFILELIST fi } diff --git a/bin/hardening/8.6_configure_logrotate.sh b/bin/hardening/8.6_configure_logrotate.sh index fc551e0..a6869dc 100755 --- a/bin/hardening/8.6_configure_logrotate.sh +++ b/bin/hardening/8.6_configure_logrotate.sh @@ -6,6 +6,7 @@ # # 8.6 Configure logrotate (Not Scored) +# todo delete this or ... # set -e # One error, it's over diff --git a/bin/hardening/8.7_verify_integrity_packages.sh b/bin/hardening/8.7_verify_integrity_packages.sh index 16d55f4..41ab35d 100755 --- a/bin/hardening/8.7_verify_integrity_packages.sh +++ b/bin/hardening/8.7_verify_integrity_packages.sh @@ -1,14 +1,14 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # # 8.7 Verifies integrity all packages (Scored) # Author : Samson wen, Samson # -set -e # One error, it's over +set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=5 @@ -25,7 +25,7 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - info "This check item need to confirm manually. No automatic fix is available." + warn "This check item need to confirm manually. No automatic fix is available." } # This function will check config parameters required diff --git a/bin/hardening/9.1.1_enable_cron.sh b/bin/hardening/9.1.1_enable_cron.sh index 0018a94..0f32b3c 100755 --- a/bin/hardening/9.1.1_enable_cron.sh +++ b/bin/hardening/9.1.1_enable_cron.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # 
@@ -17,8 +17,15 @@ HARDENING_LEVEL=3 PACKAGE="cron" SERVICE_NAME="cron" +PACKAGE_REDHAT="cronie" +SERVICE_NAME_REDHAT="crond" + # This function will be called if the script status is on enabled / audit mode audit () { + if [ $OS_RELEASE -eq 2 ]; then + PACKAGE=$PACKAGE_REDHAT + SERVICE_NAME=$SERVICE_NAME_REDHAT + fi is_pkg_installed $PACKAGE if [ $FNRET != 0 ]; then crit "$PACKAGE is not installed!" @@ -35,17 +42,25 @@ audit () { # This function will be called if the script status is on enabled mode apply () { + if [ $OS_RELEASE -eq 2 ]; then + PACKAGE=$PACKAGE_REDHAT + SERVICE_NAME=$SERVICE_NAME_REDHAT + fi is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + if [ $OS_RELEASE -eq 2 ]; then + yum install -y $PACKAGE + else + apt_install $PACKAGE + fi is_service_enabled $SERVICE_NAME if [ $FNRET != 0 ]; then info "Enabling $SERVICE_NAME" is_debian_9 - if [ $FNRET = 0 ]; then + if [ $FNRET = 0 -o $OS_RELEASE -eq 2 ]; then systemctl enable $SERVICE_NAME > /dev/null 2>&1 systemctl start $SERVICE_NAME > /dev/null 2>&1 else diff --git a/bin/hardening/9.1.2_crontab_perm_ownership.sh b/bin/hardening/9.1.2_crontab_perm_ownership.sh index f4c0aa7..01fcf27 100755 --- a/bin/hardening/9.1.2_crontab_perm_ownership.sh +++ b/bin/hardening/9.1.2_crontab_perm_ownership.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # diff --git a/bin/hardening/9.1.3_cron_hourly_perm_ownership.sh b/bin/hardening/9.1.3_cron_hourly_perm_ownership.sh index 413fc34..fe7bc2d 100755 --- a/bin/hardening/9.1.3_cron_hourly_perm_ownership.sh +++ b/bin/hardening/9.1.3_cron_hourly_perm_ownership.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # diff --git a/bin/hardening/9.1.4_cron_daily_perm_ownership.sh b/bin/hardening/9.1.4_cron_daily_perm_ownership.sh index 9c51454..8277c33 100755 
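Review bot: In the 9.1.1 apply() hunk at @@ -35,17 +42,25, `if [ $FNRET = 0 -o $OS_RELEASE -eq 2 ]; then` uses the obsolescent `-o` form and still calls `is_debian_9` on CentOS only to override its result; `if [ "$OS_RELEASE" -eq 2 ] || { is_debian_9; [ "$FNRET" = 0 ]; }; then` keeps the logic and skips the Debian probe where it does not apply. `yum install -y $PACKAGE` here, in 8.4.1 (@@ -34,9 +34,15) and in 9.2.1 (@@ -51,11 +63,21) bypasses whatever error handling the shared `apt_install` helper provides; a matching `yum_install` helper in the common library would keep the two platforms consistent. It is not visible here whether `is_pkg_installed` and `is_service_enabled` already understand rpm/crond, so a one-line comment stating that assumption would help the next reader. The enclosing function ends outside the hunk.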
--- a/bin/hardening/9.1.4_cron_daily_perm_ownership.sh +++ b/bin/hardening/9.1.4_cron_daily_perm_ownership.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # diff --git a/bin/hardening/9.1.5_cron_weekly_perm_ownership.sh b/bin/hardening/9.1.5_cron_weekly_perm_ownership.sh index 00097e6..bd14d06 100755 --- a/bin/hardening/9.1.5_cron_weekly_perm_ownership.sh +++ b/bin/hardening/9.1.5_cron_weekly_perm_ownership.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # diff --git a/bin/hardening/9.1.6_cron_monthly_perm_ownership.sh b/bin/hardening/9.1.6_cron_monthly_perm_ownership.sh index 676272c..71df8bf 100755 --- a/bin/hardening/9.1.6_cron_monthly_perm_ownership.sh +++ b/bin/hardening/9.1.6_cron_monthly_perm_ownership.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # diff --git a/bin/hardening/9.1.7_cron_d_perm_ownership.sh b/bin/hardening/9.1.7_cron_d_perm_ownership.sh index 1eb072e..c69aaa8 100755 --- a/bin/hardening/9.1.7_cron_d_perm_ownership.sh +++ b/bin/hardening/9.1.7_cron_d_perm_ownership.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # diff --git a/bin/hardening/9.1.8_cron_users.sh b/bin/hardening/9.1.8_cron_users.sh index 9c5b0ff..fe390b0 100755 --- a/bin/hardening/9.1.8_cron_users.sh +++ b/bin/hardening/9.1.8_cron_users.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # diff --git a/bin/hardening/9.2.10_pam_maxclassrepeat_cracklib.sh b/bin/hardening/9.2.10_pam_maxclassrepeat_cracklib.sh index a167ce2..76fc3c2 100755 --- a/bin/hardening/9.2.10_pam_maxclassrepeat_cracklib.sh +++ b/bin/hardening/9.2.10_pam_maxclassrepeat_cracklib.sh 
@@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # @@ -19,13 +19,15 @@ PAMLIBNAME='pam_cracklib.so' PATTERN='^password.*pam_cracklib.so' FILE='/etc/pam.d/common-password' +# Redhat/CentOS default use pam_pwquality +FILE_REDHAT='/etc/security/pwquality.conf' + OPTIONNAME='maxclassrepeat' # condition CONDT_VAL=4 -# This function will be called if the script status is on enabled / audit mode -audit () { +audit_debian () { is_pkg_installed $PACKAGE if [ $FNRET != 0 ]; then crit "$PACKAGE is not installed!" @@ -37,9 +39,9 @@ audit () { ok "$PATTERN is present in $FILE" check_param_pair_by_pam $FILE $PAMLIBNAME $OPTIONNAME le $CONDT_VAL if [ $FNRET = 0 ]; then - ok "$OPTIONNAME set condition is $CONDT_VAL" + ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL" else - crit "$OPTIONNAME set condition is $CONDT_VAL" + crit "$OPTIONNAME set condition is greater than $CONDT_VAL" #FNRET=3 fi else 
@@ -49,27 +51,76 @@ audit () { fi } -# This function will be called if the script status is on enabled mode -apply () { +audit_redhat () { + check_param_pair_by_value $FILE_REDHAT $OPTIONNAME le $CONDT_VAL + if [ $FNRET = 0 ]; then + ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT" + elif [ $FNRET = 1 ]; then + crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_REDHAT" + elif [ $FNRET = 2 ]; then + crit "Option $OPTIONNAME is not conf in $FILE_REDHAT" + elif [ $FNRET = 3 ]; then + crit "Config file $FILE_REDHAT is not exist!" + fi +} + +# This function will be called if the script status is on enabled / audit mode +audit () { + if [ $OS_RELEASE -eq 1 ]; then + audit_debian + elif [ $OS_RELEASE -eq 2 ]; then + audit_redhat + else + crit "Current OS is not support!" + FNRET=44 + fi +} + +apply_debian () { if [ $FNRET = 0 ]; then ok "$PACKAGE is installed" elif [ $FNRET = 1 ]; then - crit "$PACKAGE is absent, installing it" + warn "$PACKAGE is absent, installing it" apt_install $PACKAGE elif [ $FNRET = 2 ]; then - crit "$PATTERN is not present in $FILE, add default config to $FILE" + warn "$PATTERN is not present in $FILE, add default config to $FILE" add_line_file_before_pattern $FILE "password requisite pam_cracklib.so retry=3 minlen=8 difok=3" "# pam-auth-update(8) for details." 
elif [ $FNRET = 3 ]; then crit "$FILE is not exist, please check" elif [ $FNRET = 4 ]; then - crit "$OPTIONNAME is not conf" + warn "$OPTIONNAME is not conf" add_option_to_password_check $FILE $PAMLIBNAME "$OPTIONNAME=$CONDT_VAL" elif [ $FNRET = 5 ]; then - crit "$OPTIONNAME set is not match legally, reset it to $CONDT_VAL" + warn "$OPTIONNAME set is not match legally, reset it to $CONDT_VAL" reset_option_to_password_check $FILE $PAMLIBNAME "$OPTIONNAME" "$CONDT_VAL" fi } +apply_redhat () { + if [ $FNRET = 0 ]; then + ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT" + elif [ $FNRET = 1 ]; then + warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_REDHAT" + replace_in_file $FILE_REDHAT "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL" + elif [ $FNRET = 2 ]; then + warn "$OPTIONNAME is not conf, add to $FILE_REDHAT" + add_end_of_file $FILE_REDHAT "$OPTIONNAME = $CONDT_VAL" + elif [ $FNRET = 3 ]; then + crit "Config file $FILE_REDHAT is not exist!" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $OS_RELEASE -eq 1 ]; then + apply_debian + elif [ $OS_RELEASE -eq 2 ]; then + apply_redhat + else + crit "Current OS is not support!" + fi +} + # This function will check config parameters required check_config() { : diff --git a/bin/hardening/9.2.11_pam_deny_times_tally2.sh b/bin/hardening/9.2.11_pam_deny_times_tally2.sh index 901fae7..ab7f68c 100755 --- a/bin/hardening/9.2.11_pam_deny_times_tally2.sh +++ b/bin/hardening/9.2.11_pam_deny_times_tally2.sh @@ -2,6 +2,7 @@ # # harbian audit 7/8/9 Hardening +# todo for centos # # diff --git a/bin/hardening/9.2.12_pam_lockout_failed_tally2.sh b/bin/hardening/9.2.12_pam_lockout_failed_tally2.sh index 64b4929..b49199e 100755 --- a/bin/hardening/9.2.12_pam_lockout_failed_tally2.sh +++ b/bin/hardening/9.2.12_pam_lockout_failed_tally2.sh @@ -2,6 +2,7 @@ # # harbian audit 7/8/9 Hardening +# todo centos # # 
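Review bot: `audit_redhat` in this 9.2.10 hunk only validates the value in `/etc/security/pwquality.conf`; nothing on the CentOS path confirms that `pam_pwquality.so` is actually present in the password stack, and a limit in pwquality.conf is inert when the module is not loaded. 9.2.1's CentOS branch does check `^password.*pam_pwquality.so` in `/etc/pam.d/system-auth`, so either document in a comment that this item relies on 9.2.1 passing, or repeat that presence check before `check_param_pair_by_value`. The unsupported-OS branch of the new `apply()` also omits the `FNRET=44` that `audit()` sets, leaving FNRET at whatever the last helper returned. The same two points apply to the parallel hunks in 9.2.2 (@@ -49,27 +51,76), 9.2.3 (@@ -49,8 +51,32 and @@ -70,6 +96,31), 9.2.4, 9.2.5 and 9.2.6.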
diff --git a/bin/hardening/9.2.13_pam_password_sha512_unix.sh b/bin/hardening/9.2.13_pam_password_sha512_unix.sh index 1a0f0ba..67dc836 100755 --- a/bin/hardening/9.2.13_pam_password_sha512_unix.sh +++ b/bin/hardening/9.2.13_pam_password_sha512_unix.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # @@ -22,8 +22,10 @@ OPTIONNAME='sha512' ROUNDS_KEY='rounds' ROUNDS_V='5000' -# This function will be called if the script status is on enabled / audit mode -audit () { +# For CentOS +FILES='/etc/pam.d/system-auth /etc/pam.d/password-auth' + +audit_debian () { is_pkg_installed $PACKAGE if [ $FNRET != 0 ]; then crit "$PACKAGE is not installed!" @@ -53,12 +55,34 @@ audit () { fi } -# This function will be called if the script status is on enabled mode -apply () { +audit_redhat () { + for FILE in $FILES; do + does_pattern_exist_in_file $FILE "$PATTERN.*$OPTIONNAME" + if [ $FNRET -eq 0 ]; then + ok "$OPTIONNAME is already configured in $FILE" + else + crit "$OPTIONNAME is not configured in $FILE" + fi + done +} + +# This function will be called if the script status is on enabled / audit mode +audit () { + if [ $OS_RELEASE -eq 1 ]; then + audit_debian + elif [ $OS_RELEASE -eq 2 ]; then + audit_redhat + else + crit "Current OS is not support!" + FNRET=44 + fi +} + +apply_debian () { if [ $FNRET = 0 ]; then ok "$PACKAGE is installed" elif [ $FNRET = 1 ]; then - crit "$PACKAGE is absent, installing it" + warn "$PACKAGE is absent, installing it" apt_install $PACKAGE elif [ $FNRET = 2 ]; then warn "$PATTERN is not present in $FILE" 
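Review bot: `audit_redhat` in the 9.2.13 hunk at @@ -53,12 +55,34 only checks that `sha512` follows the pam_unix line, while `audit_debian` additionally enforces `rounds` ge `$ROUNDS_V`; the CentOS path therefore neither audits nor (in the apply_redhat hunk at @@ -68,21 +92,43) sets the rounds option, so the two platforms end up with different strength requirements without a comment explaining it. `for FILE in $FILES` also overwrites the file-scope `FILE` used by the Debian functions; a local loop name such as `for pam_file in $FILES` avoids the surprise. On CentOS the system-auth/password-auth files are, as far as I know, commonly regenerated by authconfig, which would undo the direct `sed -i` edit; if that is the case a header comment warning about it would save an operator a lost change.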
@@ -68,21 +92,43 @@ apply () { if [ $FNRET = 3 ]; then crit "$FILE is not exist, please check" elif [ $FNRET = 4 ]; then - crit "$OPTIONNAME is not conf in $FILE" + warn "$OPTIONNAME is not conf in $FILE" add_option_to_password_check $FILE $KEYWORD $OPTIONNAME fi check_param_pair_by_pam $FILE $KEYWORD $ROUNDS_KEY ge $ROUNDS_V if [ $FNRET = 3 ]; then crit "$FILE is not exist, please check" elif [ $FNRET = 4 ]; then - crit "$ROUNDS_KEY is not conf" + warn "$ROUNDS_KEY is not conf" add_option_to_password_check $FILE $KEYWORD "$ROUNDS_KEY=$ROUNDS_V" elif [ $FNRET = 5 ]; then - crit "$ROUNDS_KEY set is not match legally, reset it to $ROUNDS_V" + warn "$ROUNDS_KEY set is not match legally, reset it to $ROUNDS_V" reset_option_to_password_check $FILE $KEYWORD "$ROUNDS_KEY" "$ROUNDS_V" fi } +apply_redhat () { + for FILE in $FILES; do + does_pattern_exist_in_file $FILE "$PATTERN.*$OPTIONNAME" + if [ $FNRET -eq 0 ]; then + ok "$OPTIONNAME is already configured in $FILE" + else + warn "$OPTIONNAME is not configured in $FILE, set it" + sed -i "s;\($PATTERN.*\);\1 $OPTIONNAME;" $FILE + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $OS_RELEASE -eq 1 ]; then + apply_debian + elif [ $OS_RELEASE -eq 2 ]; then + apply_redhat + else + crit "Current OS is not support!" + fi +} # This function will check config parameters required check_config() { : diff --git a/bin/hardening/9.2.1_pam_retry_cracklib.sh b/bin/hardening/9.2.1_pam_retry_cracklib.sh index d3ba24d..d389fba 100755 --- a/bin/hardening/9.2.1_pam_retry_cracklib.sh +++ b/bin/hardening/9.2.1_pam_retry_cracklib.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # 
@@ -19,6 +19,12 @@ PAMLIBNAME='pam_cracklib.so' PATTERN='^password.*pam_cracklib.so' FILE='/etc/pam.d/common-password' +# Redhat/CentOS default use pam_pwquality +PACKAGE_REDHAT='libpwquality' +PAMLIBNAME_REDHAT='pam_pwquality.so' +PATTERN_REDHAT='^password.*pam_pwquality.so' +FILE_REDHAT='/etc/pam.d/system-auth' + OPTIONNAME='retry' # condition @@ -26,6 +32,12 @@ CONDT_VAL=3 # This function will be called if the script status is on enabled / audit mode audit () { + if [ $OS_RELEASE -eq 2 ]; then + PACKAGE=$PACKAGE_REDHAT + PAMLIBNAME=$PAMLIBNAME_REDHAT + PATTERN=$PATTERN_REDHAT + FILE=$FILE_REDHAT + fi is_pkg_installed $PACKAGE if [ $FNRET != 0 ]; then crit "$PACKAGE is not installed!" @@ -37,9 +49,9 @@ audit () { ok "$PATTERN is present in $FILE" check_param_pair_by_pam $FILE $PAMLIBNAME $OPTIONNAME le $CONDT_VAL if [ $FNRET = 0 ]; then - ok "$OPTIONNAME set condition is $CONDT_VAL" + ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL" else - crit "$OPTIONNAME set condition is $CONDT_VAL" + crit "$OPTIONNAME set condition is greater than $CONDT_VAL" #FNRET=3 fi else @@ -51,11 +63,21 @@ audit () { # This function will be called if the script status is on enabled mode apply () { + if [ $OS_RELEASE -eq 2 ]; then + PACKAGE=$PACKAGE_REDHAT + PAMLIBNAME=$PAMLIBNAME_REDHAT + PATTERN=$PATTERN_REDHAT + FILE=$FILE_REDHAT + fi if [ $FNRET = 0 ]; then ok "$PACKAGE is installed" elif [ $FNRET = 1 ]; then crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + if [ $OS_RELEASE -eq 2 ]; then + yum install -y $PACKAGE + else + apt_install $PACKAGE + fi elif [ $FNRET = 2 ]; then crit "$PATTERN is not present in $FILE, add default config to $FILE" add_line_file_before_pattern $FILE "password requisite pam_cracklib.so retry=3 minlen=8 difok=3" "# pam-auth-update(8) for details." diff --git a/bin/hardening/9.2.2_pam_minlen_cracklib.sh b/bin/hardening/9.2.2_pam_minlen_cracklib.sh index d0411c5..61e3e71 100755 --- a/bin/hardening/9.2.2_pam_minlen_cracklib.sh 
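Review bot: After the CentOS variable swap in the 9.2.1 apply() hunk at @@ -51,11 +63,21, the `FNRET = 2` branch still runs `add_line_file_before_pattern $FILE "password requisite pam_cracklib.so retry=3 minlen=8 difok=3" "# pam-auth-update(8) for details."`, which on CentOS would try to insert a pam_cracklib line into `/etc/pam.d/system-auth` anchored on a Debian-only comment; the module name and the anchor are both wrong for that file, so this branch needs an OS-specific default line or should report `crit` and stop on CentOS. FILE_REDHAT covers only `/etc/pam.d/system-auth`, while 9.2.13 treats both system-auth and password-auth; unless retry in password-auth is deliberately out of scope, checking both would be consistent. The enclosing apply() body ends outside the hunk.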
+++ b/bin/hardening/9.2.2_pam_minlen_cracklib.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # @@ -19,13 +19,15 @@ PAMLIBNAME='pam_cracklib.so' PATTERN='^password.*pam_cracklib.so' FILE='/etc/pam.d/common-password' +# Redhat/CentOS default use pam_pwquality +FILE_REDHAT='/etc/security/pwquality.conf' + OPTIONNAME='minlen' # condition -CONDT_VAL=14 +CONDT_VAL=15 -# This function will be called if the script status is on enabled / audit mode -audit () { +audit_debian () { is_pkg_installed $PACKAGE if [ $FNRET != 0 ]; then crit "$PACKAGE is not installed!" @@ -37,9 +39,9 @@ audit () { ok "$PATTERN is present in $FILE" check_param_pair_by_pam $FILE $PAMLIBNAME $OPTIONNAME ge $CONDT_VAL if [ $FNRET = 0 ]; then - ok "$OPTIONNAME set condition is $CONDT_VAL" + ok "$OPTIONNAME set condition is greater than or equal to $CONDT_VAL" else - crit "$OPTIONNAME set condition is $CONDT_VAL" + crit "$OPTIONNAME set condition is less than $CONDT_VAL" #FNRET=3 fi else 
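Review bot: `CONDT_VAL=14` becomes `CONDT_VAL=15` in the 9.2.2 hunk at @@ -19,13 +19,15, a policy change for both platforms that has nothing to do with the CentOS port and is recorded nowhere in the file. A short note next to the value, e.g. `# condition (raised from 14 to 15 because: <reason>)`, would let a reviewer tell a deliberate tightening from a typo.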
@@ -49,27 +51,76 @@ audit () { fi } -# This function will be called if the script status is on enabled mode -apply () { +audit_redhat () { + check_param_pair_by_value $FILE_REDHAT $OPTIONNAME ge $CONDT_VAL + if [ $FNRET = 0 ]; then + ok "Option $OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_REDHAT" + elif [ $FNRET = 1 ]; then + crit "Option $OPTIONNAME set condition is less than $CONDT_VAL in $FILE_REDHAT" + elif [ $FNRET = 2 ]; then + crit "Option $OPTIONNAME is not conf in $FILE_REDHAT" + elif [ $FNRET = 3 ]; then + crit "Config file $FILE_REDHAT is not exist!" + fi +} + +# This function will be called if the script status is on enabled / audit mode +audit () { + if [ $OS_RELEASE -eq 1 ]; then + audit_debian + elif [ $OS_RELEASE -eq 2 ]; then + audit_redhat + else + crit "Current OS is not support!" + FNRET=44 + fi +} + +apply_debian () { if [ $FNRET = 0 ]; then ok "$PACKAGE is installed" elif [ $FNRET = 1 ]; then - crit "$PACKAGE is absent, installing it" + warn "$PACKAGE is absent, installing it" apt_install $PACKAGE elif [ $FNRET = 2 ]; then - crit "$PATTERN is not present in $FILE, add default config to $FILE" + warn "$PATTERN is not present in $FILE, add default config to $FILE" add_line_file_before_pattern $FILE "password requisite pam_cracklib.so retry=3 minlen=8 difok=3" "# pam-auth-update(8) for details." 
elif [ $FNRET = 3 ]; then crit "$FILE is not exist, please check" elif [ $FNRET = 4 ]; then - crit "$OPTIONNAME is not conf" + warn "$OPTIONNAME is not conf, reset" add_option_to_password_check $FILE $PAMLIBNAME "$OPTIONNAME=$CONDT_VAL" elif [ $FNRET = 5 ]; then - crit "$OPTIONNAME set is not match legally, reset it to $CONDT_VAL" + warn "$OPTIONNAME set is not match legally, reset it to $CONDT_VAL" reset_option_to_password_check $FILE $PAMLIBNAME "$OPTIONNAME" "$CONDT_VAL" fi } +apply_redhat () { + if [ $FNRET = 0 ]; then + ok "$OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_REDHAT" + elif [ $FNRET = 1 ]; then + warn "Set option $OPTIONNAME to $CONDT_VAL in $FILE_REDHAT" + replace_in_file $FILE_REDHAT "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL" + elif [ $FNRET = 2 ]; then + warn "$OPTIONNAME is not conf, add to $FILE_REDHAT" + add_end_of_file $FILE_REDHAT "$OPTIONNAME = $CONDT_VAL" + elif [ $FNRET = 3 ]; then + crit "Config file $FILE_REDHAT is not exist!" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $OS_RELEASE -eq 1 ]; then + apply_debian + elif [ $OS_RELEASE -eq 2 ]; then + apply_redhat + else + crit "Current OS is not support!" + fi +} + # This function will check config parameters required check_config() { : diff --git a/bin/hardening/9.2.3_pam_dcredit_cracklib.sh b/bin/hardening/9.2.3_pam_dcredit_cracklib.sh index 896cf9a..cd67fd5 100755 --- a/bin/hardening/9.2.3_pam_dcredit_cracklib.sh +++ b/bin/hardening/9.2.3_pam_dcredit_cracklib.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 9 Hardening +# harbian audit 9/10 or CentOS Hardening # # 
@@ -19,13 +19,15 @@ PAMLIBNAME='pam_cracklib.so' PATTERN='^password.*pam_cracklib.so' FILE='/etc/pam.d/common-password' +# Redhat/CentOS default use pam_pwquality +FILE_REDHAT='/etc/security/pwquality.conf' + OPTIONNAME='dcredit' # condition CONDT_VAL=-1 -# This function will be called if the script status is on enabled / audit mode -audit () { +audit_debian () { is_pkg_installed $PACKAGE if [ $FNRET != 0 ]; then crit "$PACKAGE is not installed!" @@ -37,9 +39,9 @@ audit () { ok "$PATTERN is present in $FILE" check_param_pair_by_pam $FILE $PAMLIBNAME $OPTIONNAME le $CONDT_VAL if [ $FNRET = 0 ]; then - ok "$OPTIONNAME set condition is $CONDT_VAL" + ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL" else - crit "$OPTIONNAME set condition is $CONDT_VAL" + crit "$OPTIONNAME set condition is greater than $CONDT_VAL" #FNRET=3 fi else @@ -49,8 +51,32 @@ audit () { fi } -# This function will be called if the script status is on enabled mode -apply () { +audit_redhat () { + check_param_pair_by_value $FILE_REDHAT $OPTIONNAME le $CONDT_VAL + if [ $FNRET = 0 ]; then + ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT" + elif [ $FNRET = 1 ]; then + crit "Option $OPTIONNAME set condition is not set greater than $CONDT_VAL in $FILE_REDHAT" + elif [ $FNRET = 2 ]; then + crit "Option $OPTIONNAME is not conf in $FILE_REDHAT" + elif [ $FNRET = 3 ]; then + crit "Config file $FILE_REDHAT is not exist!" + fi +} + +# This function will be called if the script status is on enabled / audit mode +audit () { + if [ $OS_RELEASE -eq 1 ]; then + audit_debian + elif [ $OS_RELEASE -eq 2 ]; then + audit_redhat + else + crit "Current OS is not support!" + FNRET=44 + fi +} + +apply_debian () { if [ $FNRET = 0 ]; then ok "$PACKAGE is installed" elif [ $FNRET = 1 ]; then 
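Review bot: The FNRET=1 message in this 9.2.3 audit_redhat hunk, `crit "Option $OPTIONNAME set condition is not set greater than $CONDT_VAL in $FILE_REDHAT"`, reads as the opposite of what the `le` check failing means and differs from the sibling scripts, which print `is greater than $CONDT_VAL`. Aligning it with the others keeps log output consistent across the 9.2.x items.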
@@ -70,6 +96,31 @@ apply () { fi } +apply_redhat () { + if [ $FNRET = 0 ]; then + ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT" + elif [ $FNRET = 1 ]; then + warn "Set option $OPTIONNAME to $CONDT_VAL in $FILE_REDHAT" + replace_in_file $FILE_REDHAT "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL" + elif [ $FNRET = 2 ]; then + warn "$OPTIONNAME is not conf, add to $FILE_REDHAT" + add_end_of_file $FILE_REDHAT "$OPTIONNAME = $CONDT_VAL" + elif [ $FNRET = 3 ]; then + crit "Config file $FILE_REDHAT is not exist!" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $OS_RELEASE -eq 1 ]; then + apply_debian + elif [ $OS_RELEASE -eq 2 ]; then + apply_redhat + else + crit "Current OS is not support!" + fi +} + # This function will check config parameters required check_config() { : diff --git a/bin/hardening/9.2.4_pam_ucredit_cracklib.sh b/bin/hardening/9.2.4_pam_ucredit_cracklib.sh index 7b451b8..a1429b9 100755 --- a/bin/hardening/9.2.4_pam_ucredit_cracklib.sh +++ b/bin/hardening/9.2.4_pam_ucredit_cracklib.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 9 Hardening +# harbian audit 9/10 or CentOS Hardening # # @@ -19,13 +19,15 @@ PAMLIBNAME='pam_cracklib.so' PATTERN='^password.*pam_cracklib.so' FILE='/etc/pam.d/common-password' +# Redhat/CentOS default use pam_pwquality +FILE_REDHAT='/etc/security/pwquality.conf' + OPTIONNAME='ucredit' # condition CONDT_VAL=-1 -# This function will be called if the script status is on enabled / audit mode -audit () { +audit_debian () { is_pkg_installed $PACKAGE if [ $FNRET != 0 ]; then crit "$PACKAGE is not installed!" 
@@ -37,9 +39,9 @@ audit () { ok "$PATTERN is present in $FILE" check_param_pair_by_pam $FILE $PAMLIBNAME $OPTIONNAME le $CONDT_VAL if [ $FNRET = 0 ]; then - ok "$OPTIONNAME set condition is $CONDT_VAL" + ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL" else - crit "$OPTIONNAME set condition is $CONDT_VAL" + crit "$OPTIONNAME set condition is greater than $CONDT_VAL" #FNRET=3 fi else @@ -49,8 +51,33 @@ audit () { fi } -# This function will be called if the script status is on enabled mode -apply () { +audit_redhat () { + check_param_pair_by_value $FILE_REDHAT $OPTIONNAME le $CONDT_VAL + if [ $FNRET = 0 ]; then + ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT" + elif [ $FNRET = 1 ]; then + crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_REDHAT" + elif [ $FNRET = 2 ]; then + crit "Option $OPTIONNAME is not conf in $FILE_REDHAT" + elif [ $FNRET = 3 ]; then + crit "Config file $FILE_REDHAT is not exist!" + fi +} + +# This function will be called if the script status is on enabled / audit mode +audit () { + if [ $OS_RELEASE -eq 1 ]; then + audit_debian + elif [ $OS_RELEASE -eq 2 ]; then + audit_redhat + else + crit "Current OS is not support!" + FNRET=44 + fi +} + + +apply_debian () { if [ $FNRET = 0 ]; then ok "$PACKAGE is installed" elif [ $FNRET = 1 ]; then 
@@ -70,6 +97,31 @@ apply () { fi } +apply_redhat () { + if [ $FNRET = 0 ]; then + ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT" + elif [ $FNRET = 1 ]; then + warn "Set option $OPTIONNAME to $CONDT_VAL in $FILE_REDHAT" + replace_in_file $FILE_REDHAT "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL" + elif [ $FNRET = 2 ]; then + warn "$OPTIONNAME is not conf, add to $FILE_REDHAT" + add_end_of_file $FILE_REDHAT "$OPTIONNAME = $CONDT_VAL" + elif [ $FNRET = 3 ]; then + crit "Config file $FILE_REDHAT is not exist!" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $OS_RELEASE -eq 1 ]; then + apply_debian + elif [ $OS_RELEASE -eq 2 ]; then + apply_redhat + else + crit "Current OS is not support!" + fi +} + # This function will check config parameters required check_config() { : diff --git a/bin/hardening/9.2.5_pam_ocredit_cracklib.sh b/bin/hardening/9.2.5_pam_ocredit_cracklib.sh index 56bbc6b..b845520 100755 --- a/bin/hardening/9.2.5_pam_ocredit_cracklib.sh +++ b/bin/hardening/9.2.5_pam_ocredit_cracklib.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 9 Hardening +# harbian audit 9/10 or CentOS Hardening # # @@ -19,13 +19,15 @@ PAMLIBNAME='pam_cracklib.so' PATTERN='^password.*pam_cracklib.so' FILE='/etc/pam.d/common-password' +# Redhat/CentOS default use pam_pwquality +FILE_REDHAT='/etc/security/pwquality.conf' + OPTIONNAME='ocredit' # condition CONDT_VAL=-1 -# This function will be called if the script status is on enabled / audit mode -audit () { +audit_debian () { is_pkg_installed $PACKAGE if [ $FNRET != 0 ]; then crit "$PACKAGE is not installed!" 
@@ -37,9 +39,9 @@ audit () { ok "$PATTERN is present in $FILE" check_param_pair_by_pam $FILE $PAMLIBNAME $OPTIONNAME le $CONDT_VAL if [ $FNRET = 0 ]; then - ok "$OPTIONNAME set condition is $CONDT_VAL" + ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL" else - crit "$OPTIONNAME set condition is $CONDT_VAL" + crit "$OPTIONNAME set condition is greater than $CONDT_VAL" #FNRET=3 fi else @@ -49,8 +51,32 @@ audit () { fi } -# This function will be called if the script status is on enabled mode -apply () { +audit_redhat () { + check_param_pair_by_value $FILE_REDHAT $OPTIONNAME le $CONDT_VAL + if [ $FNRET = 0 ]; then + ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT" + elif [ $FNRET = 1 ]; then + crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_REDHAT" + elif [ $FNRET = 2 ]; then + crit "Option $OPTIONNAME is not conf in $FILE_REDHAT" + elif [ $FNRET = 3 ]; then + crit "Config file $FILE_REDHAT is not exist!" + fi +} + +# This function will be called if the script status is on enabled / audit mode +audit () { + if [ $OS_RELEASE -eq 1 ]; then + audit_debian + elif [ $OS_RELEASE -eq 2 ]; then + audit_redhat + else + crit "Current OS is not support!" + FNRET=44 + fi +} + +apply_debian () { if [ $FNRET = 0 ]; then ok "$PACKAGE is installed" elif [ $FNRET = 1 ]; then 
@@ -70,6 +96,32 @@ apply () { fi } +apply_redhat () { + if [ $FNRET = 0 ]; then + ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT" + elif [ $FNRET = 1 ]; then + warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_REDHAT" + replace_in_file $FILE_REDHAT "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL" + elif [ $FNRET = 2 ]; then + warn "$OPTIONNAME is not conf, add to $FILE_REDHAT" + add_end_of_file $FILE_REDHAT "$OPTIONNAME = $CONDT_VAL" + elif [ $FNRET = 3 ]; then + crit "Config file $FILE_REDHAT is not exist!" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $OS_RELEASE -eq 1 ]; then + apply_debian + elif [ $OS_RELEASE -eq 2 ]; then + apply_redhat + else + crit "Current OS is not support!" + fi +} + + # This function will check config parameters required check_config() { : diff --git a/bin/hardening/9.2.6_pam_lcredit_cracklib.sh b/bin/hardening/9.2.6_pam_lcredit_cracklib.sh index fb56c7b..b7f0962 100755 --- a/bin/hardening/9.2.6_pam_lcredit_cracklib.sh +++ b/bin/hardening/9.2.6_pam_lcredit_cracklib.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 9 Hardening +# harbian audit 9/10 or CentOS Hardening # # @@ -19,13 +19,15 @@ PAMLIBNAME='pam_cracklib.so' PATTERN='^password.*pam_cracklib.so' FILE='/etc/pam.d/common-password' +# Redhat/CentOS default use pam_pwquality +FILE_REDHAT='/etc/security/pwquality.conf' + OPTIONNAME='lcredit' # condition CONDT_VAL=-1 -# This function will be called if the script status is on enabled / audit mode -audit () { +audit_debian () { is_pkg_installed $PACKAGE if [ $FNRET != 0 ]; then crit "$PACKAGE is not installed!" 
@@ -37,9 +39,9 @@ audit () { ok "$PATTERN is present in $FILE" check_param_pair_by_pam $FILE $PAMLIBNAME $OPTIONNAME le $CONDT_VAL if [ $FNRET = 0 ]; then - ok "$OPTIONNAME set condition is $CONDT_VAL" + ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL" else - crit "$OPTIONNAME set condition is $CONDT_VAL" + crit "$OPTIONNAME set condition is greater than $CONDT_VAL" #FNRET=3 fi else 
@@ -49,27 +51,76 @@ audit () { fi } -# This function will be called if the script status is on enabled mode -apply () { +audit_redhat () { + check_param_pair_by_value $FILE_REDHAT $OPTIONNAME le $CONDT_VAL + if [ $FNRET = 0 ]; then + ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT" + elif [ $FNRET = 1 ]; then + crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_REDHAT" + elif [ $FNRET = 2 ]; then + crit "Option $OPTIONNAME is not conf in $FILE_REDHAT" + elif [ $FNRET = 3 ]; then + crit "Config file $FILE_REDHAT is not exist!" + fi +} + +# This function will be called if the script status is on enabled / audit mode +audit () { + if [ $OS_RELEASE -eq 1 ]; then + audit_debian + elif [ $OS_RELEASE -eq 2 ]; then + audit_redhat + else + crit "Current OS is not support!" + FNRET=44 + fi +} + +apply_debian () { if [ $FNRET = 0 ]; then ok "$PACKAGE is installed" elif [ $FNRET = 1 ]; then - crit "$PACKAGE is absent, installing it" + warn "$PACKAGE is absent, installing it" apt_install $PACKAGE elif [ $FNRET = 2 ]; then - crit "$PATTERN is not present in $FILE, add default config to $FILE" + warn "$PATTERN is not present in $FILE, add default config to $FILE" add_line_file_before_pattern $FILE "password requisite pam_cracklib.so retry=3 minlen=8 difok=3" "# pam-auth-update(8) for details." 
elif [ $FNRET = 3 ]; then crit "$FILE is not exist, please check" elif [ $FNRET = 4 ]; then - crit "$OPTIONNAME is not conf" + warn "$OPTIONNAME is not conf" add_option_to_password_check $FILE $PAMLIBNAME "$OPTIONNAME=$CONDT_VAL" elif [ $FNRET = 5 ]; then - crit "$OPTIONNAME set is not match legally, reset it to $CONDT_VAL" + warn "$OPTIONNAME set is not match legally, reset it to $CONDT_VAL" reset_option_to_password_check $FILE $PAMLIBNAME "$OPTIONNAME" "$CONDT_VAL" fi } +apply_redhat () { + if [ $FNRET = 0 ]; then + ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT" + elif [ $FNRET = 1 ]; then + warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_REDHAT" + replace_in_file $FILE_REDHAT "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL" + elif [ $FNRET = 2 ]; then + warn "$OPTIONNAME is not conf, add to $FILE_REDHAT" + add_end_of_file $FILE_REDHAT "$OPTIONNAME = $CONDT_VAL" + elif [ $FNRET = 3 ]; then + crit "Config file $FILE_REDHAT is not exist!" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $OS_RELEASE -eq 1 ]; then + apply_debian + elif [ $OS_RELEASE -eq 2 ]; then + apply_redhat + else + crit "Current OS is not support!" + fi +} + # This function will check config parameters required check_config() { : diff --git a/bin/hardening/9.2.7_pam_difok_cracklib.sh b/bin/hardening/9.2.7_pam_difok_cracklib.sh index ad95398..4f5bda3 100755 --- a/bin/hardening/9.2.7_pam_difok_cracklib.sh +++ b/bin/hardening/9.2.7_pam_difok_cracklib.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # 
@@ -19,13 +19,15 @@ PAMLIBNAME='pam_cracklib.so'
 PATTERN='^password.*pam_cracklib.so'
 FILE='/etc/pam.d/common-password'
+# Redhat/CentOS default use pam_pwquality
+FILE_REDHAT='/etc/security/pwquality.conf'
+
 OPTIONNAME='difok'
 # condition
 CONDT_VAL=8
-# This function will be called if the script status is on enabled / audit mode
-audit () {
+audit_debian () {
 is_pkg_installed $PACKAGE
 if [ $FNRET != 0 ]; then
 crit "$PACKAGE is not installed!"
@@ -37,9 +39,9 @@ audit () {
 ok "$PATTERN is present in $FILE"
 check_param_pair_by_pam $FILE $PAMLIBNAME $OPTIONNAME ge $CONDT_VAL
 if [ $FNRET = 0 ]; then
- ok "$OPTIONNAME set condition is $CONDT_VAL"
+ ok "$OPTIONNAME set condition is greater than or equal to $CONDT_VAL"
 else
- crit "$OPTIONNAME set condition is $CONDT_VAL"
+ crit "$OPTIONNAME set condition is less than $CONDT_VAL"
 #FNRET=3
 fi
 else
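Review bot: `FILE_REDHAT='/etc/security/pwquality.conf'` is the only location the Red Hat path will ever read, but pwquality.conf(5) also loads `/etc/security/pwquality.conf.d/*.conf` and those drop-ins override the main file, so a `difok = 1` placed there passes an audit that only inspects the main file, and an `--apply` that edits the main file does not change the effective policy. Until `check_param_pair_by_value` (defined outside this file) can be pointed at the drop-in directory as well, say so at the definition: `# NOTE: pwquality.conf.d/*.conf overrides this file and is not yet inspected`. This applies to every script that copies this definition.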
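Review bot: The reworded `crit "$OPTIONNAME set condition is less than $CONDT_VAL"` is emitted for every non-zero `FNRET` from `check_param_pair_by_pam`, and the `FNRET = 4` ("not conf") and `FNRET = 5` ("not match") branches of `apply_debian` later in this file show that helper distinguishes an absent option from a too-small value, so an unset difok is reported as if it were set below 8. Reword so the message covers both outcomes and carries the code: `crit "$OPTIONNAME is not set or is less than $CONDT_VAL in $FILE (FNRET=$FNRET)"`. The enclosing `audit_debian` body continues outside the hunk.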
@@ -49,27 +51,76 @@ audit () {
 fi
 }
-# This function will be called if the script status is on enabled mode
-apply () {
+audit_redhat () {
+ check_param_pair_by_value $FILE_REDHAT $OPTIONNAME ge $CONDT_VAL
+ if [ $FNRET = 0 ]; then
+ ok "Option $OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_REDHAT"
+ elif [ $FNRET = 1 ]; then
+ crit "Option $OPTIONNAME set condition is less than $CONDT_VAL in $FILE_REDHAT"
+ elif [ $FNRET = 2 ]; then
+ crit "Option $OPTIONNAME is not conf in $FILE_REDHAT"
+ elif [ $FNRET = 3 ]; then
+ crit "Config file $FILE_REDHAT is not exist!"
+ fi
+}
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ if [ $OS_RELEASE -eq 1 ]; then
+ audit_debian
+ elif [ $OS_RELEASE -eq 2 ]; then
+ audit_redhat
+ else
+ crit "Current OS is not support!"
+ FNRET=44
+ fi
+}
+
+apply_debian () {
 if [ $FNRET = 0 ]; then
 ok "$PACKAGE is installed"
 elif [ $FNRET = 1 ]; then
- crit "$PACKAGE is absent, installing it"
+ warn "$PACKAGE is absent, installing it"
 apt_install $PACKAGE
 elif [ $FNRET = 2 ]; then
- crit "$PATTERN is not present in $FILE, add default config to $FILE"
+ warn "$PATTERN is not present in $FILE, add default config to $FILE"
 add_line_file_before_pattern $FILE "password requisite pam_cracklib.so retry=3 minlen=8 difok=3" "# pam-auth-update(8) for details."
 elif [ $FNRET = 3 ]; then
 crit "$FILE is not exist, please check"
 elif [ $FNRET = 4 ]; then
- crit "$OPTIONNAME is not conf"
+ warn "$OPTIONNAME is not conf"
 add_option_to_password_check $FILE $PAMLIBNAME "$OPTIONNAME=$CONDT_VAL"
 elif [ $FNRET = 5 ]; then
- crit "$OPTIONNAME set is not match legally, reset it to $CONDT_VAL"
+ warn "$OPTIONNAME set is not match legally, reset it to $CONDT_VAL"
 reset_option_to_password_check $FILE $PAMLIBNAME "$OPTIONNAME" "$CONDT_VAL"
 fi
 }
+apply_redhat () {
+ if [ $FNRET = 0 ]; then
+ ok "$OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_REDHAT"
+ elif [ $FNRET = 1 ]; then
+ warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_REDHAT"
+ replace_in_file $FILE_REDHAT "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL"
+ elif [ $FNRET = 2 ]; then
+ warn "$OPTIONNAME is not conf, add to $FILE_REDHAT"
+ add_end_of_file $FILE_REDHAT "$OPTIONNAME = $CONDT_VAL"
+ elif [ $FNRET = 3 ]; then
+ crit "Config file $FILE_REDHAT is not exist!"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ if [ $OS_RELEASE -eq 1 ]; then
+ apply_debian
+ elif [ $OS_RELEASE -eq 2 ]; then
+ apply_redhat
+ else
+ crit "Current OS is not support!"
+ fi
+}
+
 # This function will check config parameters required
 check_config() {
 :
diff --git a/bin/hardening/9.2.8_pam_minclass_cracklib.sh b/bin/hardening/9.2.8_pam_minclass_cracklib.sh
index 1ec456a..6472e2a 100755
--- a/bin/hardening/9.2.8_pam_minclass_cracklib.sh
+++ b/bin/hardening/9.2.8_pam_minclass_cracklib.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 #
-# harbian audit 7/8/9 Hardening
+# harbian audit 7/8/9/10 or CentOS Hardening
 #
 #
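Review bot: `audit_redhat` only proves that `difok` has a large enough value in `$FILE_REDHAT`; it never checks that `pam_pwquality.so` is actually in the password stack, while the Debian branch (`audit_debian`, visible earlier in this file) first runs `is_pkg_installed $PACKAGE` and then looks for `$PATTERN` in `$FILE`. On a CentOS host where pam_pwquality has been removed from /etc/pam.d/system-auth and password-auth (or an authselect profile without it is active) the value in pwquality.conf is dead configuration and the audit still reports ok. Mirror the Debian check before reading the file, and pick a failing `FNRET` that `apply_redhat` also understands so the summary cannot show green; the exact PAM file names are a RHEL convention I am inferring, so confirm them against the target release.
```shell
audit_redhat () {
    # pwquality.conf is only honoured when pam_pwquality.so is in the password stack
    for pam_file in /etc/pam.d/system-auth /etc/pam.d/password-auth; do
        if [ -r "$pam_file" ] && ! grep -Eq '^password.*pam_pwquality\.so' "$pam_file"; then
            crit "pam_pwquality.so is not enabled in $pam_file, $OPTIONNAME in $FILE_REDHAT has no effect"
        fi
    done
    check_param_pair_by_value "$FILE_REDHAT" "$OPTIONNAME" ge "$CONDT_VAL"
    # … unchanged: FNRET 0/1/2/3 reporting …
}
```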
@@ -19,13 +19,15 @@ PAMLIBNAME='pam_cracklib.so'
 PATTERN='^password.*pam_cracklib.so'
 FILE='/etc/pam.d/common-password'
+# Redhat/CentOS default use pam_pwquality
+FILE_REDHAT='/etc/security/pwquality.conf'
+
 OPTIONNAME='minclass'
 # condition
 CONDT_VAL=4
-# This function will be called if the script status is on enabled / audit mode
-audit () {
+audit_debian () {
 is_pkg_installed $PACKAGE
 if [ $FNRET != 0 ]; then
 crit "$PACKAGE is not installed!"
@@ -37,9 +39,9 @@ audit () {
 ok "$PATTERN is present in $FILE"
 check_param_pair_by_pam $FILE $PAMLIBNAME $OPTIONNAME ge $CONDT_VAL
 if [ $FNRET = 0 ]; then
- ok "$OPTIONNAME set condition is $CONDT_VAL"
+ ok "$OPTIONNAME set condition is greater than or equal to $CONDT_VAL"
 else
- crit "$OPTIONNAME set condition is $CONDT_VAL"
+ crit "$OPTIONNAME set condition is less than $CONDT_VAL"
 #FNRET=3
 fi
 else
@@ -49,27 +51,76 @@ audit () {
 fi
 }
-# This function will be called if the script status is on enabled mode
-apply () {
+audit_redhat () {
+ check_param_pair_by_value $FILE_REDHAT $OPTIONNAME ge $CONDT_VAL
+ if [ $FNRET = 0 ]; then
+ ok "Option $OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_REDHAT"
+ elif [ $FNRET = 1 ]; then
+ crit "Option $OPTIONNAME set condition is less than $CONDT_VAL in $FILE_REDHAT"
+ elif [ $FNRET = 2 ]; then
+ crit "Option $OPTIONNAME is not conf in $FILE_REDHAT"
+ elif [ $FNRET = 3 ]; then
+ crit "Config file $FILE_REDHAT is not exist!"
+ fi
+}
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ if [ $OS_RELEASE -eq 1 ]; then
+ audit_debian
+ elif [ $OS_RELEASE -eq 2 ]; then
+ audit_redhat
+ else
+ crit "Current OS is not support!"
+ FNRET=44
+ fi
+}
+
+apply_debian () {
 if [ $FNRET = 0 ]; then
 ok "$PACKAGE is installed"
 elif [ $FNRET = 1 ]; then
- crit "$PACKAGE is absent, installing it"
+ warn "$PACKAGE is absent, installing it"
 apt_install $PACKAGE
 elif [ $FNRET = 2 ]; then
- crit "$PATTERN is not present in $FILE, add default config to $FILE"
+ warn "$PATTERN is not present in $FILE, add default config to $FILE"
 add_line_file_before_pattern $FILE "password requisite pam_cracklib.so retry=3 minlen=8 difok=3" "# pam-auth-update(8) for details."
 elif [ $FNRET = 3 ]; then
 crit "$FILE is not exist, please check"
 elif [ $FNRET = 4 ]; then
- crit "$OPTIONNAME is not conf"
+ warn "$OPTIONNAME is not conf"
 add_option_to_password_check $FILE $PAMLIBNAME "$OPTIONNAME=$CONDT_VAL"
 elif [ $FNRET = 5 ]; then
- crit "$OPTIONNAME set is not match legally, reset it to $CONDT_VAL"
+ warn "$OPTIONNAME set is not match legally, reset it to $CONDT_VAL"
 reset_option_to_password_check $FILE $PAMLIBNAME "$OPTIONNAME" "$CONDT_VAL"
 fi
 }
+apply_redhat () {
+ if [ $FNRET = 0 ]; then
+ ok "$OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_REDHAT"
+ elif [ $FNRET = 1 ]; then
+ warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_REDHAT"
+ replace_in_file $FILE_REDHAT "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL"
+ elif [ $FNRET = 2 ]; then
+ warn "$OPTIONNAME is not conf, add to $FILE_REDHAT"
+ add_end_of_file $FILE_REDHAT "$OPTIONNAME = $CONDT_VAL"
+ elif [ $FNRET = 3 ]; then
+ crit "Config file $FILE_REDHAT is not exist!"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ if [ $OS_RELEASE -eq 1 ]; then
+ apply_debian
+ elif [ $OS_RELEASE -eq 2 ]; then
+ apply_redhat
+ else
+ crit "Current OS is not support!"
+ fi
+}
+
 # This function will check config parameters required
 check_config() {
 :
diff --git a/bin/hardening/9.2.9_pam_maxrepeat_cracklib.sh b/bin/hardening/9.2.9_pam_maxrepeat_cracklib.sh
index 46b0031..e4d0ece 100755
--- a/bin/hardening/9.2.9_pam_maxrepeat_cracklib.sh
+++ b/bin/hardening/9.2.9_pam_maxrepeat_cracklib.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 #
-# harbian audit 7/8/9 Hardening
+# harbian audit 7/8/9/10 or CentOS Hardening
 #
 #
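Review bot: `apply_redhat` has no remediation for `FNRET = 3`: it only prints `crit "Config file $FILE_REDHAT is not exist!"`, whereas the Debian branch in the same hunk installs the missing module with `apt_install $PACKAGE`. On CentOS a missing /etc/security/pwquality.conf usually means libpwquality is not installed at all, so `--apply` leaves the host with no password-quality enforcement and tells the operator nothing to do. If the framework offers a yum counterpart of `apt_install`, call it in that branch and re-run `check_param_pair_by_value`; otherwise make the message actionable, e.g. `crit "Config file $FILE_REDHAT is not exist! install libpwquality and enable pam_pwquality.so, then re-run"`. While here, quote `"$FILE_REDHAT"` in the `replace_in_file`/`add_end_of_file` calls so ShellCheck stays clean.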
@@ -19,13 +19,15 @@ PAMLIBNAME='pam_cracklib.so'
 PATTERN='^password.*pam_cracklib.so'
 FILE='/etc/pam.d/common-password'
+# Redhat/CentOS default use pam_pwquality
+FILE_REDHAT='/etc/security/pwquality.conf'
+
 OPTIONNAME='maxrepeat'
 # condition
 CONDT_VAL=3
-# This function will be called if the script status is on enabled / audit mode
-audit () {
+audit_debian () {
 is_pkg_installed $PACKAGE
 if [ $FNRET != 0 ]; then
 crit "$PACKAGE is not installed!"
@@ -37,9 +39,9 @@ audit () {
 ok "$PATTERN is present in $FILE"
 check_param_pair_by_pam $FILE $PAMLIBNAME $OPTIONNAME le $CONDT_VAL
 if [ $FNRET = 0 ]; then
- ok "$OPTIONNAME set condition is $CONDT_VAL"
+ ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL"
 else
- crit "$OPTIONNAME set condition is $CONDT_VAL"
+ crit "$OPTIONNAME set condition is greater than $CONDT_VAL"
 #FNRET=3
 fi
 else
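Review bot: The `le $CONDT_VAL` comparison that the new `ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL"` message reports on accepts `maxrepeat=0`, and pam_cracklib(8) defines 0 as "this check is disabled", so a stack where an admin explicitly switched the repeat check off passes this audit. Require a positive value as well before reporting ok, e.g. after the existing call add `check_param_pair_by_pam $FILE $PAMLIBNAME $OPTIONNAME ge 1` and on non-zero `FNRET` emit `crit "$OPTIONNAME is 0 (check disabled) or unset in $FILE"`; the helper's exact return codes are defined outside this file, so confirm that `ge 1` reports an absent option as a failure. The enclosing `audit_debian` body continues outside the hunk.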
@@ -49,27 +51,76 @@ audit () {
 fi
 }
-# This function will be called if the script status is on enabled mode
-apply () {
+audit_redhat () {
+ check_param_pair_by_value $FILE_REDHAT $OPTIONNAME le $CONDT_VAL
+ if [ $FNRET = 0 ]; then
+ ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT"
+ elif [ $FNRET = 1 ]; then
+ crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_REDHAT"
+ elif [ $FNRET = 2 ]; then
+ crit "Option $OPTIONNAME is not conf in $FILE_REDHAT"
+ elif [ $FNRET = 3 ]; then
+ crit "Config file $FILE_REDHAT is not exist!"
+ fi
+}
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ if [ $OS_RELEASE -eq 1 ]; then
+ audit_debian
+ elif [ $OS_RELEASE -eq 2 ]; then
+ audit_redhat
+ else
+ crit "Current OS is not support!"
+ FNRET=44
+ fi
+}
+
+apply_debian () {
 if [ $FNRET = 0 ]; then
 ok "$PACKAGE is installed"
 elif [ $FNRET = 1 ]; then
- crit "$PACKAGE is absent, installing it"
+ warn "$PACKAGE is absent, installing it"
 apt_install $PACKAGE
 elif [ $FNRET = 2 ]; then
- crit "$PATTERN is not present in $FILE, add default config to $FILE"
+ warn "$PATTERN is not present in $FILE, add default config to $FILE"
 add_line_file_before_pattern $FILE "password requisite pam_cracklib.so retry=3 minlen=8 difok=3" "# pam-auth-update(8) for details."
 elif [ $FNRET = 3 ]; then
 crit "$FILE is not exist, please check"
 elif [ $FNRET = 4 ]; then
- crit "$OPTIONNAME is not conf"
+ warn "$OPTIONNAME is not conf"
 add_option_to_password_check $FILE $PAMLIBNAME "$OPTIONNAME=$CONDT_VAL"
 elif [ $FNRET = 5 ]; then
- crit "$OPTIONNAME set is not match legally, reset it to $CONDT_VAL"
+ warn "$OPTIONNAME set is not match legally, reset it to $CONDT_VAL"
 reset_option_to_password_check $FILE $PAMLIBNAME "$OPTIONNAME" "$CONDT_VAL"
 fi
 }
+apply_redhat () {
+ if [ $FNRET = 0 ]; then
+ ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_REDHAT"
+ elif [ $FNRET = 1 ]; then
+ warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_REDHAT"
+ replace_in_file $FILE_REDHAT "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL"
+ elif [ $FNRET = 2 ]; then
+ warn "$OPTIONNAME is not conf, add to $FILE_REDHAT"
+ add_end_of_file $FILE_REDHAT "$OPTIONNAME = $CONDT_VAL"
+ elif [ $FNRET = 3 ]; then
+ crit "Config file $FILE_REDHAT is not exist!"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ if [ $OS_RELEASE -eq 1 ]; then
+ apply_debian
+ elif [ $OS_RELEASE -eq 2 ]; then
+ apply_redhat
+ else
+ crit "Current OS is not support!"
+ fi
+}
+
 # This function will check config parameters required
 check_config() {
 :
diff --git a/debian/default b/debian/default
index f4db83d..0217026 100644
--- a/debian/default
+++ b/debian/default
@@ -1,5 +1,8 @@
-# Default file for CIS Debian hardening scripts
+# Default file for CIS Debian/CentOS hardening scripts
-# Define here root directory for CIS debian hardening scripts
+# Define here root directory for CIS debian/CentOS hardening scripts
 CIS_ROOT_DIR='/opt/cis-hardening'
+# If distor is Debian, set 1; It's default
+# If distor is CentOS, set 2;
+OS_RELEASE=1
diff --git a/docs/configurations/etc.nftables.conf b/docs/configurations/etc.nftables.conf
new file mode 100644
index 0000000..245f2db
--- /dev/null
+++ b/docs/configurations/etc.nftables.conf
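Review bot: The Red Hat side of the maxrepeat check has the same false pass as the PAM side: `check_param_pair_by_value $FILE_REDHAT $OPTIONNAME le $CONDT_VAL` returns 0 for `maxrepeat = 0`, which pwquality.conf(5) documents as the check being disabled (and is the value the shipped file comments out as default), and `apply_redhat` then takes its `FNRET = 0` branch and changes nothing. Add a lower bound before accepting, e.g. a second call `check_param_pair_by_value $FILE_REDHAT $OPTIONNAME ge 1` whose non-zero `FNRET` is reported as `crit "$OPTIONNAME = 0 disables the repeat check in $FILE_REDHAT"`, and let `apply_redhat` fall into its `replace_in_file` branch in that case. The helper is defined outside this file, so verify which code it returns for a 0 value.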
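Review bot: The new `OS_RELEASE=1` key is documented only by two comments with a typo ("distor"), and nothing says what happens when the key is absent, which is the state of every host that already has an /etc/default/cis-hardening from an earlier install and does not copy this file again. Document the contract where the operator will read it: `# Distro of the audited host: 1 = Debian (default), 2 = Red Hat/CentOS.` and `# Any other value makes every check report "Current OS is not support!" and audit nothing.` A one-line note that existing installs must add this key by hand would save a confusing first run after upgrade.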
@@ -0,0 +1,107 @@
+#!/usr/sbin/nft -f
+
+# Please replace ens33 to interface name of your device
+define int_if = ens33
+
+# If there are multiple net interface, example:
+# define int_if = {ens33, ens36}
+
+flush ruleset
+
+table ip filter {
+ chain INPUT {
+ type filter hook input priority 0; policy drop;
+ iifname "lo" counter packets 0 bytes 0 accept
+ ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop
+ ip protocol tcp ct state established counter packets 0 bytes 0 accept
+ ip protocol udp ct state established counter packets 0 bytes 0 accept
+ ip protocol icmp ct state established counter packets 0 bytes 0 accept
+ ip protocol icmp ct state related counter packets 0 bytes 0 accept
+ limit rate 3/minute counter packets 0 bytes 0 log prefix "SFW2-IN-ILL-TARGET " flags tcp options flags ip options
+ iifname $int_if tcp flags & (fin | syn | rst | ack) != syn ct state new limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "Drop Syn"
+ iifname $int_if tcp flags & (fin | syn | rst | ack) != syn ct state new counter packets 0 bytes 0 drop
+ iifname $int_if ip frag-off & 8191 != 0 limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "Fragments Packets"
+ iifname $int_if ip frag-off & 8191 != 0 counter packets 0 bytes 0 drop
+ iifname $int_if tcp flags & (fin | syn | rst | psh | ack | urg) == fin | psh | urg counter packets 0 bytes 0 drop
+ iifname $int_if tcp flags & (fin | syn | rst | psh | ack | urg) == fin | syn | rst | psh | ack | urg counter packets 0 bytes 0 drop
+ iifname $int_if tcp flags & (fin | syn | rst | psh | ack | urg) == 0x0 limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "NULL Packets"
+ iifname $int_if tcp flags & (fin | syn | rst | psh | ack | urg) == 0x0 counter packets 0 bytes 0 drop
+ iifname $int_if tcp flags & (syn | rst) == syn | rst counter packets 0 bytes 0 drop
+ iifname $int_if tcp flags & (fin | syn) == fin | syn limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "XMAS Packets"
+ iifname $int_if tcp flags & (fin | syn) == fin | syn counter packets 0 bytes 0 drop
+ iifname $int_if tcp flags & (fin | ack) == fin limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "Fin Packets Scan"
+ iifname $int_if tcp flags & (fin | ack) == fin counter packets 0 bytes 0 drop
+ iifname $int_if tcp flags & (fin | syn | rst | psh | ack | urg) == fin | syn | rst | ack | urg counter packets 0 bytes 0 drop
+ iifname $int_if tcp dport 137-139 counter packets 0 bytes 0 reject
+ iifname $int_if udp dport 137-139 counter packets 0 bytes 0 reject
+ icmp type source-quench counter packets 0 bytes 0 accept
+ tcp dport ssh ct state new counter packets 0 bytes 0 accept
+ udp dport ntp ct state new counter packets 0 bytes 0 accept
+ udp dport bootpc ct state new counter packets 0 bytes 0 accept
+ tcp dport http ct state new counter packets 0 bytes 0 accept
+ icmp type echo-request ct state established,related,new counter packets 0 bytes 0 accept
+ counter packets 0 bytes 0 log
+ counter packets 0 bytes 0 drop
+ }
+
+ chain FORWARD {
+ type filter hook forward priority 0; policy drop;
+ limit rate 3/minute counter packets 0 bytes 0 log prefix "SFW2-FWD-ILL-ROUTING " flags tcp options flags ip options
+ counter packets 0 bytes 0 log
+ }
+
+ chain OUTPUT {
+ type filter hook output priority 0; policy drop;
+ oifname "lo" counter packets 0 bytes 0 accept
+ ip protocol tcp ct state established,new counter packets 0 bytes 0 accept
+ ip protocol udp ct state established,new counter packets 0 bytes 0 accept
+ ip protocol icmp ct state established,new counter packets 0 bytes 0 accept
+ icmp type echo-request counter packets 0 bytes 0 accept
+ icmp type echo-reply ct state established,related counter packets 0 bytes 0 accept
+ }
+
+ chain LOGDROP {
+ counter packets 0 bytes 0 log
+ counter packets 0 bytes 0 drop
+ }
+}
+
+
+table ip nat {
+ chain PREROUTING {
+ type nat hook prerouting priority -100; policy accept;
+ }
+
+ chain INPUT {
+ type nat hook input priority 100; policy accept;
+ }
+
+ chain POSTROUTING {
+ type nat hook postrouting priority 100; policy accept;
+ }
+
+ chain OUTPUT {
+ type nat hook output priority -100; policy accept;
+ }
+}
+table ip mangle {
+ chain PREROUTING {
+ type filter hook prerouting priority -150; policy accept;
+ }
+
+ chain INPUT {
+ type filter hook input priority -150; policy accept;
+ }
+
+ chain FORWARD {
+ type filter hook forward priority -150; policy accept;
+ }
+
+ chain OUTPUT {
+ type route hook output priority -150; policy accept;
+ }
+
+ chain POSTROUTING {
+ type filter hook postrouting priority -150; policy accept;
+ }
+}
diff --git a/docs/configurations/manual-operation-docs/how_to_migrating_from_iptables_to_nftables_in_debian10.md b/docs/configurations/manual-operation-docs/how_to_migrating_from_iptables_to_nftables_in_debian10.md
new file mode 100644
index 0000000..b8823ce
--- /dev/null
+++ b/docs/configurations/manual-operation-docs/how_to_migrating_from_iptables_to_nftables_in_debian10.md
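Review bot: After `flush ruleset` this file only defines `table ip filter`, `table ip nat` and `table ip mangle`, so no hook exists for the `ip6` family and every IPv6 packet reaches the host unfiltered while IPv4 gets a default-drop INPUT/FORWARD/OUTPUT; on a dual-stack host or any link with router advertisements, ssh/http and everything else are reachable over v6 with none of the scan and fragment protection applied. Either move the filter table to `table inet filter` (hooks both families; the `ip protocol`/`ip frag-off` matches need `meta l4proto`/`ip6` equivalents) or add an `ip6` table with the same posture, keeping enough ICMPv6 for neighbour discovery so the host does not lose connectivity. A minimal addition is below; the exact set of ICMPv6 types to allow depends on whether the host relies on SLAAC, so review that list.
```nftables
table ip6 filter {
    chain INPUT {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request } accept
        tcp dport ssh ct state new accept
        counter log
        counter drop
    }
    chain FORWARD {
        type filter hook forward priority 0; policy drop;
    }
    chain OUTPUT {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ct state established,new accept
    }
}
```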
@@ -0,0 +1,271 @@ +# How to migrating from iptables to nftables in debian Buster +Debian Buster uses the nftables framework by default. + +## Pre-install +``` +$ sudo apt install nftables +``` + +## Check iptables link point +Starting with Debian Buster, nf_tables is the default backend when using iptables, by means of the iptables-nft layer (i.e, using iptables syntax with the nf_tables kernel subsystem). This also affects ip6tables, arptables and ebtables. + +You can switch back and forth between iptables-nft and iptables-legacy by means of update-alternatives (same applies to arptables and ebtables). + +Check iptables currently link: +``` +$ sudo update-alternatives --display iptables +iptables - auto mode + link best version is /usr/sbin/iptables-nft + link currently points to /usr/sbin/iptables-nft + link iptables is /usr/sbin/iptables + slave iptables-restore is /usr/sbin/iptables-restore + slave iptables-save is /usr/sbin/iptables-save +/usr/sbin/iptables-legacy - priority 10 + slave iptables-restore: /usr/sbin/iptables-legacy-restore + slave iptables-save: /usr/sbin/iptables-legacy-save +/usr/sbin/iptables-nft - priority 20 + slave iptables-restore: /usr/sbin/iptables-nft-restore + slave iptables-save: /usr/sbin/iptables-nft-save +``` +If you see above, don't need switching, if currently link to iptables-legacy, need use command to switching to iptables-nft: +``` +$ sudo update-alternatives --set iptables /usr/sbin/iptables-nft +$ sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-nft +$ sudo update-alternatives --set arptables /usr/sbin/arptables-nft +$ sudo update-alternatives --set ebtables /usr/sbin/ebtables-nft +$ sudo update-alternatives --display iptables +``` +## Migrating +move from an existing iptables ruleset to nftables: + +### Command translation +You can generate a translation of an iptables/ip6tables command to know the nftables equivalent. 
+``` +$ sudo iptables-translate -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT +nft add rule ip filter INPUT tcp dport 22 ct state new counter accept +$ sudo ip6tables-translate -A FORWARD -i eth0 -o eth3 -p udp -m multiport --dports 111,222 -j ACCEPT +nft add rule ip6 filter FORWARD iifname "eth0" oifname "eth3" meta l4proto udp udp dport { 111,222} counter accept +``` + +Instead of translating command by command, you can translate your whole ruleset in a single run: + +``` +$ sudo iptables-save > save.txt +$ sudo iptables-restore-translate -f save.txt +# Translated by iptables-restore-translate v1.8.2 on Fri Jul 12 04:33:36 2019 +add table ip filter +add chain ip filter INPUT { type filter hook input priority 0; policy drop; } +add chain ip filter FORWARD { type filter hook forward priority 0; policy drop; } +add chain ip filter OUTPUT { type filter hook output priority 0; policy drop; } +add chain ip filter LOGDROP +add rule ip filter INPUT iifname "lo" counter accept +add rule ip filter INPUT ip saddr 127.0.0.0/8 counter drop +add rule ip filter INPUT ip protocol tcp ct state established counter accept +add rule ip filter INPUT ip protocol udp ct state established counter accept +add rule ip filter INPUT ip protocol icmp ct state established counter accept +add rule ip filter INPUT ip protocol icmp ct state related counter accept +add rule ip filter INPUT limit rate 3/minute burst 5 packets counter log prefix "SFW2-IN-ILL-TARGET " flags tcp options flags ip options +add rule ip filter INPUT iifname "ens33" tcp flags & (fin|syn|rst|ack) != syn ct state new limit rate 5/minute burst 7 packets counter log prefix "Drop Syn" +add rule ip filter INPUT iifname "ens33" tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop +add rule ip filter INPUT iifname "ens33" ip frag-off & 0x1fff != 0 limit rate 5/minute burst 7 packets counter log prefix "Fragments Packets" +add rule ip filter INPUT iifname "ens33" ip frag-off & 0x1fff != 0 counter drop 
+add rule ip filter INPUT iifname "ens33" tcp flags & (fin|syn|rst|psh|ack|urg) == fin|psh|urg counter drop +add rule ip filter INPUT iifname "ens33" tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop +add rule ip filter INPUT iifname "ens33" tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 limit rate 5/minute burst 7 packets counter log prefix "NULL Packets" +add rule ip filter INPUT iifname "ens33" tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop +add rule ip filter INPUT iifname "ens33" tcp flags & (syn|rst) == syn|rst counter drop +add rule ip filter INPUT iifname "ens33" tcp flags & (fin|syn) == fin|syn limit rate 5/minute burst 7 packets counter log prefix "XMAS Packets" +add rule ip filter INPUT iifname "ens33" tcp flags & (fin|syn) == fin|syn counter drop +add rule ip filter INPUT iifname "ens33" tcp flags & (fin|ack) == fin limit rate 5/minute burst 7 packets counter log prefix "Fin Packets Scan" +add rule ip filter INPUT iifname "ens33" tcp flags & (fin|ack) == fin counter drop +add rule ip filter INPUT iifname "ens33" tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|ack|urg counter drop +add rule ip filter INPUT iifname "ens33" tcp dport 137-139 counter reject +add rule ip filter INPUT iifname "ens33" udp dport 137-139 counter reject +add rule ip filter INPUT icmp type source-quench counter accept +add rule ip filter INPUT tcp dport 22 ct state new counter accept +add rule ip filter INPUT udp dport 123 ct state new counter accept +add rule ip filter INPUT udp dport 68 ct state new counter accept +add rule ip filter INPUT tcp dport 80 ct state new counter accept +add rule ip filter INPUT icmp type echo-request ct state new,related,established counter accept +add rule ip filter INPUT counter log +add rule ip filter INPUT counter drop +add rule ip filter FORWARD limit rate 3/minute burst 5 packets counter log prefix "SFW2-FWD-ILL-ROUTING " flags tcp options flags ip options +add rule ip filter FORWARD counter log +add 
rule ip filter OUTPUT oifname "lo" counter accept +add rule ip filter OUTPUT ip protocol tcp ct state new,established counter accept +add rule ip filter OUTPUT ip protocol udp ct state new,established counter accept +add rule ip filter OUTPUT ip protocol icmp ct state new,established counter accept +add rule ip filter OUTPUT icmp type echo-request counter accept +add rule ip filter OUTPUT icmp type echo-reply ct state related,established counter accept +add rule ip filter LOGDROP counter log +add rule ip filter LOGDROP counter drop +add table ip nat +add chain ip nat PREROUTING { type nat hook prerouting priority -100; policy accept; } +add chain ip nat INPUT { type nat hook input priority 100; policy accept; } +add chain ip nat POSTROUTING { type nat hook postrouting priority 100; policy accept; } +add chain ip nat OUTPUT { type nat hook output priority -100; policy accept; } +add table ip mangle +add chain ip mangle PREROUTING { type filter hook prerouting priority -150; policy accept; } +add chain ip mangle INPUT { type filter hook input priority -150; policy accept; } +add chain ip mangle FORWARD { type filter hook forward priority -150; policy accept; } +add chain ip mangle OUTPUT { type route hook output priority -150; policy accept; } +add chain ip mangle POSTROUTING { type filter hook postrouting priority -150; policy accept; } +# Completed on Fri Jul 12 04:33:36 2019 +``` +You should be able to directly give this to nftables: +``` +$ sudo iptables-restore-translate -f save.txt > ruleset.nft +$ sudo nft -f ruleset.nft +``` +$ sudo nft list ruleset +List nft ruleset: +``` +table ip filter { + chain INPUT { + type filter hook input priority 0; policy drop; + iifname "ens33" meta l4proto tcp tcp dport 22 ct state new # recent: UPDATE seconds: 60 hit_count: 4 name: DEFAULT side: source mask: 255.255.255.255 counter packets 0 bytes 0 jump LOGDROP + iifname "ens33" meta l4proto tcp tcp dport 22 ct state new # recent: SET name: DEFAULT side: source mask: 
255.255.255.255 counter packets 0 bytes 0 + iifname "lo" counter packets 0 bytes 0 accept + ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop + meta l4proto tcp ct state established counter packets 487 bytes 34832 accept + meta l4proto udp ct state established counter packets 4 bytes 1060 accept + meta l4proto icmp ct state established counter packets 0 bytes 0 accept + meta l4proto icmp ct state related counter packets 0 bytes 0 accept + limit rate 3/minute counter packets 0 bytes 0 log prefix "SFW2-IN-ILL-TARGET " flags tcp options flags ip options + iifname "ens33" meta l4proto tcp tcp flags & (fin|syn|rst|ack) != syn ct state new limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "Drop Syn" + iifname "ens33" meta l4proto tcp tcp flags & (fin|syn|rst|ack) != syn ct state new counter packets 0 bytes 0 drop + iifname "ens33" ip frag-off & 8191 != 0 limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "Fragments Packets" + iifname "ens33" ip frag-off & 8191 != 0 counter packets 0 bytes 0 drop + iifname "ens33" meta l4proto tcp tcp flags & (fin|syn|rst|psh|ack|urg) == fin|psh|urg counter packets 0 bytes 0 drop + iifname "ens33" meta l4proto tcp tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter packets 0 bytes 0 drop + iifname "ens33" meta l4proto tcp tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "NULL Packets" + iifname "ens33" meta l4proto tcp tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter packets 0 bytes 0 drop + iifname "ens33" meta l4proto tcp tcp flags & (syn|rst) == syn|rst counter packets 0 bytes 0 drop + iifname "ens33" meta l4proto tcp tcp flags & (fin|syn) == fin|syn limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "XMAS Packets" + iifname "ens33" meta l4proto tcp tcp flags & (fin|syn) == fin|syn counter packets 0 bytes 0 drop + iifname "ens33" meta l4proto tcp tcp flags & (fin|ack) == fin 
limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "Fin Packets Scan" + iifname "ens33" meta l4proto tcp tcp flags & (fin|ack) == fin counter packets 0 bytes 0 drop + iifname "ens33" meta l4proto tcp tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|ack|urg counter packets 0 bytes 0 drop + iifname "ens33" meta l4proto tcp tcp dport 137-139 counter packets 0 bytes 0 reject + iifname "ens33" meta l4proto udp udp dport 137-139 counter packets 0 bytes 0 reject + meta l4proto icmp icmp type source-quench counter packets 0 bytes 0 accept + meta l4proto tcp tcp dport 22 ct state new counter packets 0 bytes 0 accept + meta l4proto udp udp dport 123 ct state new counter packets 0 bytes 0 accept + meta l4proto udp udp dport 68 ct state new counter packets 0 bytes 0 accept + meta l4proto tcp tcp dport 80 ct state new counter packets 0 bytes 0 accept + meta l4proto icmp icmp type echo-request ct state new,related,established counter packets 0 bytes 0 accept + counter packets 0 bytes 0 log + counter packets 0 bytes 0 drop + iifname "lo" counter packets 0 bytes 0 accept + ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop + ip protocol tcp ct state established counter packets 0 bytes 0 accept + ip protocol udp ct state established counter packets 0 bytes 0 accept + ip protocol icmp ct state established counter packets 0 bytes 0 accept + ip protocol icmp ct state related counter packets 0 bytes 0 accept + limit rate 3/minute counter packets 0 bytes 0 log prefix "SFW2-IN-ILL-TARGET " flags tcp options flags ip options + iifname "ens33" tcp flags & (fin | syn | rst | ack) != syn ct state new limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "Drop Syn" + iifname "ens33" tcp flags & (fin | syn | rst | ack) != syn ct state new counter packets 0 bytes 0 drop + iifname "ens33" ip frag-off & 8191 != 0 limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "Fragments Packets" + iifname "ens33" ip frag-off & 8191 != 0 
counter packets 0 bytes 0 drop + iifname "ens33" tcp flags & (fin | syn | rst | psh | ack | urg) == fin | psh | urg counter packets 0 bytes 0 drop + iifname "ens33" tcp flags & (fin | syn | rst | psh | ack | urg) == fin | syn | rst | psh | ack | urg counter packets 0 bytes 0 drop + iifname "ens33" tcp flags & (fin | syn | rst | psh | ack | urg) == 0x0 limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "NULL Packets" + iifname "ens33" tcp flags & (fin | syn | rst | psh | ack | urg) == 0x0 counter packets 0 bytes 0 drop + iifname "ens33" tcp flags & (syn | rst) == syn | rst counter packets 0 bytes 0 drop + iifname "ens33" tcp flags & (fin | syn) == fin | syn limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "XMAS Packets" + iifname "ens33" tcp flags & (fin | syn) == fin | syn counter packets 0 bytes 0 drop + iifname "ens33" tcp flags & (fin | ack) == fin limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "Fin Packets Scan" + iifname "ens33" tcp flags & (fin | ack) == fin counter packets 0 bytes 0 drop + iifname "ens33" tcp flags & (fin | syn | rst | psh | ack | urg) == fin | syn | rst | ack | urg counter packets 0 bytes 0 drop + iifname "ens33" tcp dport 137-139 counter packets 0 bytes 0 reject + iifname "ens33" udp dport 137-139 counter packets 0 bytes 0 reject + icmp type source-quench counter packets 0 bytes 0 accept + tcp dport ssh ct state new counter packets 0 bytes 0 accept + udp dport ntp ct state new counter packets 0 bytes 0 accept + udp dport bootpc ct state new counter packets 0 bytes 0 accept + tcp dport http ct state new counter packets 0 bytes 0 accept + icmp type echo-request ct state established,related,new counter packets 0 bytes 0 accept + counter packets 0 bytes 0 log + counter packets 0 bytes 0 drop + } + + chain FORWARD { + type filter hook forward priority 0; policy drop; + # PHYSDEV match --physdev-is-bridged counter packets 0 bytes 0 accept + limit rate 3/minute counter 
packets 0 bytes 0 log prefix "SFW2-FWD-ILL-ROUTING " flags tcp options flags ip options + counter packets 0 bytes 0 log + limit rate 3/minute counter packets 0 bytes 0 log prefix "SFW2-FWD-ILL-ROUTING " flags tcp options flags ip options + counter packets 0 bytes 0 log + } + + chain OUTPUT { + type filter hook output priority 0; policy drop; + oifname "lo" counter packets 0 bytes 0 accept + meta l4proto tcp ct state new,established counter packets 308 bytes 44704 accept + meta l4proto udp ct state new,established counter packets 4 bytes 1060 accept + meta l4proto icmp ct state new,established counter packets 0 bytes 0 accept + meta l4proto icmp icmp type echo-request counter packets 0 bytes 0 accept + meta l4proto icmp icmp type echo-reply ct state related,established counter packets 0 bytes 0 accept + oifname "lo" counter packets 0 bytes 0 accept + ip protocol tcp ct state established,new counter packets 0 bytes 0 accept + ip protocol udp ct state established,new counter packets 0 bytes 0 accept + ip protocol icmp ct state established,new counter packets 0 bytes 0 accept + icmp type echo-request counter packets 0 bytes 0 accept + icmp type echo-reply ct state established,related counter packets 0 bytes 0 accept + } + + chain LOGDROP { + counter packets 0 bytes 0 log + counter packets 0 bytes 0 drop + counter packets 0 bytes 0 log + counter packets 0 bytes 0 drop + } +} +table ip nat { + chain PREROUTING { + type nat hook prerouting priority -100; policy accept; + } + + chain INPUT { + type nat hook input priority 100; policy accept; + } + + chain POSTROUTING { + type nat hook postrouting priority 100; policy accept; + } + + chain OUTPUT { + type nat hook output priority -100; policy accept; + } +} +table ip mangle { + chain PREROUTING { + type filter hook prerouting priority -150; policy accept; + } + + chain INPUT { + type filter hook input priority -150; policy accept; + } + + chain FORWARD { + type filter hook forward priority -150; policy accept; + } + + chain 
OUTPUT { + type route hook output priority -150; policy accept; + } + + chain POSTROUTING { + type filter hook postrouting priority -150; policy accept; + } +} +``` + +## Uninstall iptables +``` +$ sudo apt purge --autoremove iptables +``` + +## Reference +[https://wiki.debian.org/nftables](https://wiki.debian.org/nftables) +[https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables](https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables) diff --git a/docs/configurations/manual-operation-docs/how_to_persistent_nft_rules_with_debian_10.mkd b/docs/configurations/manual-operation-docs/how_to_persistent_nft_rules_with_debian_10.mkd new file mode 100644 index 0000000..0109c9b --- /dev/null +++ b/docs/configurations/manual-operation-docs/how_to_persistent_nft_rules_with_debian_10.mkd 
@@ -0,0 +1,78 @@ +# How to persistent nft rules with debian 10 + +## Test platform info + +Debian 10.0 +netfilter-persistent 1.0.11 +nftables 0.9.0-2 + +## Pre-Install +``` +$ sudo apt-get install -y nftables netfilter-persistent +``` + +## Uninstall iptables +``` +$ sudo apt purge --autoremove iptables +``` + +## How to enable netfilter-persistent service + +netfilter-persistent service is auto running when netfilter-persistent was installed. + +Check service status: +``` +$ sudo systemctl status netfilter-persistent +``` + +If netfilter-persistent service is not started, use the following command to enable netfilter-persistent service: +``` +$ sudo systemctl start netfilter-persistent +``` + +## How to config for persistent nft rules + +### Get nftables ruleset +``` +~$ wget https://raw.githubusercontent.com/hardenedlinux/harbian-audit/master/docs/configurations/etc.nftables.conf +~$ sudo mv etc.nftables.conf /etc/nftables.conf +``` + +Note: Please replace ens33 to interface name of your device + +### Get plugin of netfilter-persistent +``` +~$ wget https://raw.githubusercontent.com/hardenedlinux/harbian-audit/master/docs/configurations/usr.share.netfilter-persistent.plugins.d.15-nft +~$ sudo mv usr.share.netfilter-persistent.plugins.d.15-nft /usr/share/netfilter-persistent/plugins.d/15-nft +~$ sudo chmod 755 /usr/share/netfilter-persistent/plugins.d/15-nft +``` + +## Well-done +Nft rules would auto restore nftables rules when Operation system restart, or manual to exec following command: +``` +$ sudo netfilter-persistent start +run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-nft start +``` + +## Additional usage +### Flush nft rules +``` +$ sudo netfilter-persistent flush +run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-nft flush +``` +### Save nft rules +``` +$ sudo netfilter-persistent save +run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-nft save +``` + +### Restore nft rules +``` +$ sudo 
netfilter-persistent start +run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-nft start +``` + +## Reference +[http://manpages.org/netfilter-persistent/8](http://manpages.org/netfilter-persistent/8) + + diff --git a/docs/configurations/usr.share.netfilter-persistent.plugins.d.15-nft b/docs/configurations/usr.share.netfilter-persistent.plugins.d.15-nft new file mode 100755 index 0000000..f5d640d --- /dev/null +++ b/docs/configurations/usr.share.netfilter-persistent.plugins.d.15-nft 
@@ -0,0 +1,68 @@ +#!/bin/sh + +# This file is part of netfilter-persistent +# Copyright (C) 2019, Samson W +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation, either version 3 +# of the License, or (at your option) any later version. + +set -e + +PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +NFT_RULESET="/etc/nftables.conf" +NFT_CMD=$(which nft) + +load_rules() +{ + #load nft rules + if [ ! -f ${NFT_RULESET} ]; then + echo "Warning: nft ruleset file ${NFT_RULESET} is not exist!" + else + ${NFT_CMD} -f ${NFT_RULESET} + fi +} + +save_rules() +{ + if [ ! -f ${NFT_RULESET} ]; then + echo "Warning: nft ruleset file ${NFT_RULESET} is not exist!" + touch ${NFT_RULESET} + chmod 0640 ${NFT_RULESET} + else + : + fi + ${NFT_CMD} list ruleset -n > ${NFT_RULESET} +} + +flush_rules() +{ + if [ ! -f ${NFT_CMD} ]; then + echo "Warning: nft ruleset file ${NFT_CMD} is not exist!" + else + ${NFT_CMD} flush ruleset + fi +} + +case "$1" in +start|restart|reload|force-reload) + load_rules + ;; +save) + save_rules + ;; +stop) + # Why? because if stop is used, the firewall gets flushed for a variable + # amount of time during package upgrades, leaving the machine vulnerable + # It's also not always desirable to flush during purge + echo "Automatic flushing disabled, use \"flush\" instead of \"stop\"" + ;; +flush) + flush_rules + ;; +*) + echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2 + exit 1 + ;; +esac diff --git a/lib/utils.sh b/lib/utils.sh index 3dbddc7..647bda3 100644 --- a/lib/utils.sh +++ b/lib/utils.sh 
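Review bot: `save_rules` writes the bare output of `nft list ruleset -n` to `/etc/nftables.conf`, and `load_rules` later feeds that file to `nft -f`, which adds the saved tables on top of whatever is already loaded, so each `start` after a `save` would append a second copy of every rule rather than replace the ruleset; prefixing the file with a flush makes the load replace atomically: `{ echo "flush ruleset"; ${NFT_CMD} list ruleset -n; } > "${NFT_RULESET}"`. Two smaller issues in the same hunk: `flush_rules` tests `${NFT_CMD}` but its warning calls it the "ruleset file", and `load_rules` only echoes a warning when the ruleset file is missing and still exits 0, so `netfilter-persistent start` reports success with no firewall loaded — for a hardening tool that branch should `exit 1` and the warnings should go to stderr (`>&2`). `NFT_CMD=$(which nft)` under `set -e` also aborts the whole plugin silently when nft is absent; `NFT_CMD=$(command -v nft) || { echo "nft not found" >&2; exit 1; }` gives a readable failure.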
@@ -7,24 +7,34 @@ is_debian_9() { - if $(cat /etc/debian_version | grep -q "^9.[0-9]"); then - debug "Debian version is 9.*." - FNRET=0 - else - debug "Debian version is not 9.*." - FNRET=1 - fi + if [ -r /etc/debian_version ]; then + if $(cat /etc/debian_version | grep -q "^9.[0-9]"); then + debug "Debian version is 9.*." + FNRET=0 + else + debug "Debian version is not 9.*." + FNRET=1 + fi + else + debug "Current OS is not Debian." + FNRET=2 + fi } is_debian_10() { - if $(cat /etc/debian_version | grep -q "^10.[0-9]"); then - debug "Debian version is buster/10." - FNRET=0 - else - debug "Debian version is not buster/10." - FNRET=1 - fi + if [ -r /etc/debian_version ]; then + if $(cat /etc/debian_version | grep -q "^10.[0-9]"); then + debug "Debian version is buster/10." + FNRET=0 + else + debug "Debian version is not buster/10." + FNRET=1 + fi + else + debug "Current OS is not Debian." + FNRET=2 + fi } is_64bit_arch() @@ -239,11 +249,41 @@ does_group_exist() { # Service Boot Checks # +is_service_active() { + local SERVICE=$1 + if [ $OS_RELEASE -eq 2 ]; then + FNRET=0 + else + is_debian_9 + fi + if [ $FNRET = 0 ]; then + if [ $(systemctl is-active $SERVICE | grep -c "^active") -eq 1 ]; then + debug "Service $SERVICE is actived" + FNRET=0 + else + debug "Service $SERVICE is inactived" + FNRET=1 + fi + else + if [ $($SUDO_CMD find /etc/rc?.d/ -name "S*$SERVICE" -print | wc -l) -gt 0 ]; then + debug "Service $SERVICE is enabled" + FNRET=0 + else + debug "Service $SERVICE is disabled" + FNRET=1 + fi + fi +} + is_service_enabled() { local SERVICE=$1 - is_debian_9 + if [ $OS_RELEASE -eq 2 ]; then + FNRET=0 + else + is_debian_9 + fi if [ $FNRET = 0 ]; then - if [ $(systemctl is-enabled $SERVICE | grep -wc "^enabled") -eq 1 ]; then + if [ $(systemctl is-enabled $SERVICE | grep -c "^enabled") -eq 1 ]; then debug "Service $SERVICE is enabled" FNRET=0 else 
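Review bot: Both new version checks keep the `if $(cat /etc/debian_version | grep -q "^9.[0-9]")` form, which runs grep inside a command substitution that expands to nothing and relies on the shell reusing its exit status; the direct form `if grep -q "^9\.[0-9]" /etc/debian_version; then` reads as intended and escapes the dot, which in the current pattern matches any character. The same applies to the `^10.[0-9]` pattern in `is_debian_10`. Note that `/etc/debian_version` also exists on Debian derivatives such as Ubuntu, so the new `Current OS is not Debian` debug message really means the file is unreadable or absent, and the message could say that instead.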
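Review bot: `if [ $OS_RELEASE -eq 2 ]` in the new `is_service_active` (and in the same form in `is_service_enabled` here and in `is_pkg_installed` / `verify_integrity_all_packages` in the next hunk) becomes `[ -eq 2 ]`, a test syntax error, whenever `OS_RELEASE` is unset or empty — where it is assigned is not visible in this diff, so the guard `[ "${OS_RELEASE:-0}" -eq 2 ]` is the safe form. On the non-systemd branch the function looks for `/etc/rc?.d/S*$SERVICE`, i.e. whether the service is enabled at boot, not whether it is running, so there `is_service_active` and `is_service_enabled` give the same answer; `service "$SERVICE" status >/dev/null 2>&1` would check the runtime state. On the systemd branch `systemctl is-active --quiet "$SERVICE"` replaces the `grep -c "^active"` pipeline.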
@@ -493,26 +533,88 @@ apt_install() is_pkg_installed() { PKG_NAME=$1 - if $(dpkg -s $PKG_NAME 2> /dev/null | grep -q '^Status: install ') ; then - debug "$PKG_NAME is installed" - FNRET=0 - else - debug "$PKG_NAME is not installed" - FNRET=1 - fi + if [ $OS_RELEASE -eq 2 ]; then + if [ $(rpm -qa | grep -c $PKG_NAME) -gt 0 ]; then + debug "$PKG_NAME is installed" + FNRET=0 + else + debug "$PKG_NAME is not installed" + FNRET=1 + fi + else + if $(dpkg -s $PKG_NAME 2> /dev/null | grep -q '^Status: install ') ; then + debug "$PKG_NAME is installed" + FNRET=0 + else + debug "$PKG_NAME is not installed" + FNRET=1 + fi + fi } verify_integrity_all_packages() { - dpkg -V > /dev/shm/dpkg_verify_ret - if [ $(cat /dev/shm/dpkg_verify_ret | wc -l) -gt 0 ]; then - debug "Verify integrity all packages is fail" - cat /dev/shm/dpkg_verify_ret - FNRET=1 + if [ $OS_RELEASE -eq 2 ]; then + rpm -Va > /dev/shm/yum_verify_ret + COUNT=$(cat /dev/shm/yum_verify_ret | wc -l ) + if [ $COUNT -gt 0 ]; then + debug "Verify integrity all packages is fail" + cat /dev/shm/yum_verify_ret + rm /dev/shm/yum_verify_ret + FNRET=1 + else + debug "Verify integrity all packages is OK" + FNRET=0 + fi + else + dpkg -V > /dev/shm/dpkg_verify_ret + if [ $(cat /dev/shm/dpkg_verify_ret | wc -l) -gt 0 ]; then + debug "Verify integrity all packages is fail" + cat /dev/shm/dpkg_verify_ret + FNRET=1 + else + debug "Verify integrity all packages is OK" + FNRET=0 + fi + fi +} + +# Check paramer with value +# example : minlen = 9 +# ruturn: 0 1 2 3 +check_param_pair_by_value () +{ + FILENAME=$1 + OPTION=$2 + COMPARE=$3 + OP_VALUE=$4 + + #Example: + # FILENAME="/etc/security/pwquality.conf" + # OPTION="minlen" + # COMPARE="ge" + # OP_VALUE=15 + + if [ -f "$FILENAME" ];then + COUNT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' $FILENAME | grep "^$OPTION[[:space:]]=[[:space:]]" | wc -l) + if [ $COUNT -eq 1 ]; then + debug "$OPTION is conf" + RESULT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e 
'/^$/d' $FILENAME | grep "^$OPTION[[:space:]]=[[:space:]]") + if [ "$(echo $RESULT | awk -F'= ' '{print $2}')" "-$COMPARE" "$OP_VALUE" ]; then + debug "$OPTION conf is right." + FNRET=0 + else + debug "$OPTION conf is not right." + FNRET=1 + fi + else + debug "$OPTION is not conf of $FILENAME" + FNRET=2 + fi else - debug "Verify integrity all packages is OK" - FNRET=0 + debug "$FILENAME is not exist" + FNRET=3 fi } @@ -539,6 +641,9 @@ check_param_pair_by_pam() if [ "$cndt_value" "-$COMPARE" "$CONDITION" ]; then debug "$cndt_value -$COMPARE $CONDITION is ok" FNRET=0 + elif [ "$cndt_value" -eq 0 ]; then + debug "$cndt_value -eq 0, is not ok" + FNRET=5 else debug "$cndt_value -$COMPARE $CONDITION is not ok" FNRET=5 @@ -880,3 +985,39 @@ check_auditd_is_immutable_mode() eval $(pkill -HUP -P 1 auditd) fi } + + +# +# yum +# + +# FNRET values: +# 100: need update +# 0: not need update +# 1: error +yum_check_updates() +{ + FNRET=$($SUDO_CMD yum check-update > /dev/null; echo $?) + if [ $FNRET -eq 100 ]; then + # update too old, refresh database + $SUDO_CMD yum makecache >/dev/null 2>/dev/null + fi +} + +# Check path of audit rule is exist, return 0 if path string is not NULL, else return 1 +# Example: +# Process only the following format: +# AUDITRULE="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" +check_audit_path () +{ + AUDITRULE=$1 + RESULT=$(echo $AUDITRULE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}') + if [ -z $(eval echo $RESULT) ]; then + debug "Result is NULL" + FNRET=1 + else + debug "Result is not NULL" + FNRET=0 + fi +} +
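Review bot: The new rpm branch of `is_pkg_installed` uses `rpm -qa | grep -c $PKG_NAME`, a substring match over every installed package name, so a query for a short name such as `bc` reports "installed" whenever any package name contains those letters; `rpm -q "$PKG_NAME" >/dev/null 2>&1` asks about exactly that package. In `check_param_pair_by_value`, the pattern `^$OPTION[[:space:]]=[[:space:]]` requires exactly one whitespace character on each side of `=`, so `minlen=15` or `minlen  = 15` is reported as `not conf` (FNRET=2) if the target file accepts those spellings; `[[:space:]]*=[[:space:]]*` together with `awk -F'='` would cover them. Both integrity branches also write as root to fixed names under the world-writable `/dev/shm` — `mktemp` avoids a predictable path — and the dpkg branch never removes its file while the rpm branch does. The header comment's `ruturn` should read `return`.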
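Review bot: The added `elif [ "$cndt_value" -eq 0 ]` branch sets `FNRET=5`, the same value as the `else` branch right after it, so callers cannot distinguish a zero value from a failed comparison and the new branch only changes the debug text; if the zero case is meant to be reported separately it needs a distinct code (the function's other codes lie outside this hunk, so choose one that is unused there), otherwise the branch can be folded into the debug message of the `else`. `check_param_pair_by_pam` starts and ends outside this hunk.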
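Review bot: `check_audit_path` runs the value it extracts from the rule through `$(eval echo $RESULT)` before an unquoted `-z` test; the value is already a plain string from awk, so `eval` adds nothing except interpreting any shell metacharacters that appear in the extracted text, and the unquoted substitution means an empty result turns the test into `[ -z ]`, which is true only by accident of how a single-argument test works. `if [ -z "$RESULT" ]; then` does what the comment describes. The awk split also takes the value of the first `-F` field only, so the function is meaningful only when `-F path=` comes first, as in the example — that belongs in the header comment, whose `is exist` wording is misleading since the function checks for a non-empty string, not for the path existing on disk. In `yum_check_updates`, the inline comment `update too old, refresh database` contradicts the header (`100: need update`): exit 100 from `yum check-update` means updates are available, and the `makecache` run does not alter `FNRET`, so the intent of that branch should be documented or the call dropped.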