Fix some bugs related to sshd configuration.

hardenedlinux · Nov 4, 2020 · 822d6ef · 822d6ef
1 parent d9d2609
commit 822d6ef
Show file tree

Hide file tree

Showing 16 changed files with 144 additions and 224 deletions.
diff --git a/bin/hardening/9.3.10_disable_sshd_setenv.sh b/bin/hardening/9.3.10_disable_sshd_setenv.sh
@@ -31,20 +31,18 @@ audit () {
 		if [ $FNRET = 0 ]; then 
 			ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
 			FNRET=0
-		elif [ $FNRET = 1 ]; then 
+		else
 			crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration."
-			PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+			PATTERN="^$SSH_PARAM[[:space:]]*"
+			PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
 			does_pattern_exist_in_file $FILE "$PATTERN"
 			if [ $FNRET = 0 ]; then
-				ok "$PATTERN is present in $FILE"
+				crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
 				FNRET=1
 			else
-				crit "$PATTERN is not present in $FILE"
+				crit "$PATTERN_INFO is not present in $FILE"
 				FNRET=2
 			fi
-		else
-			crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
-			FNRET=3
 		fi
 	fi
 }
@@ -53,21 +51,18 @@ audit () {
 apply () {
 	SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
 	SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
-	PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+	PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
 	case $FNRET in
 		0)	ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
 			;;
-		1)	warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload"
+		1)	warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
+			replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
 			/etc/init.d/ssh reload > /dev/null 2>&1
 			;;
-		2)	warn "$PATTERN is not present in $FILE, need add to sshd_config and reload"
+		2)	warn "$PATTERN_INFO is not present in $FILE, need add to sshd_config and reload"
 			add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
 			/etc/init.d/ssh reload > /dev/null 2>&1
 			;;
-		3)	warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
-			replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
-			/etc/init.d/ssh reload > /dev/null 2>&1
-			;;
 		5)	warn "$PACKAGE is absent, installing it"
 			apt_install $PACKAGE
 			;;

diff --git a/bin/hardening/9.3.14_ssh_banner.sh b/bin/hardening/9.3.14_ssh_banner.sh
@@ -31,20 +31,18 @@ audit () {
 		if [ $FNRET = 0 ]; then 
 			ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
 			FNRET=0
-		elif [ $FNRET = 1 ]; then 
+		else
 			crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration."
-			PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+			PATTERN="^$SSH_PARAM[[:space:]]*"
+			PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
 			does_pattern_exist_in_file $FILE "$PATTERN"
 			if [ $FNRET = 0 ]; then
-				ok "$PATTERN is present in $FILE"
+				crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
 				FNRET=1
 			else
-				crit "$PATTERN is not present in $FILE"
+				crit "$PATTERN_INFO is not present in $FILE"
 				FNRET=2
 			fi
-		else
-			crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
-			FNRET=3
 		fi
 	fi
 }
@@ -54,21 +52,18 @@ apply () {
     OPTIONS="Banner=$BANNER_FILE"
 	SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
 	SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
-	PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+	PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
 	case $FNRET in
 		0)	ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
 			;;
-		1)	warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload"
+		1)	warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
+			replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
 			/etc/init.d/ssh reload > /dev/null 2>&1
 			;;
-		2)	warn "$PATTERN is not present in $FILE, need add to sshd_config and reload"
+		2)	warn "$PATTERN_INFO is not present in $FILE, need add to sshd_config and reload"
 			add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
 			/etc/init.d/ssh reload > /dev/null 2>&1
 			;;
-		3)	warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
-			replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
-			/etc/init.d/ssh reload > /dev/null 2>&1
-			;;
 		5)	warn "$PACKAGE is absent, installing it"
 			apt_install $PACKAGE
 			;;

diff --git a/bin/hardening/9.3.15_sshd_printlastlog.sh b/bin/hardening/9.3.15_sshd_printlastlog.sh
@@ -32,20 +32,18 @@ audit () {
 		if [ $FNRET = 0 ]; then 
 			ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
 			FNRET=0
-		elif [ $FNRET = 1 ]; then 
+		else
 			crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration."
-			PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+			PATTERN="^$SSH_PARAM[[:space:]]*"
+			PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
 			does_pattern_exist_in_file $FILE "$PATTERN"
 			if [ $FNRET = 0 ]; then
-				ok "$PATTERN is present in $FILE"
+				crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
 				FNRET=1
 			else
-				crit "$PATTERN is not present in $FILE"
+				crit "$PATTERN_INFO is not present in $FILE"
 				FNRET=2
 			fi
-		else
-			crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
-			FNRET=3
 		fi
 	fi
 }
@@ -54,21 +52,18 @@ audit () {
 apply () {
 	SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
 	SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
-	PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+	PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
 	case $FNRET in
 		0)	ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
 			;;
-		1)	warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload"
+		1)	warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
+			replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
 			/etc/init.d/ssh reload > /dev/null 2>&1
 			;;
-		2)	warn "$PATTERN is not present in $FILE, need add to sshd_config and reload"
+		2)	warn "$PATTERN_INFO is not present in $FILE, need add to sshd_config and reload"
 			add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
 			/etc/init.d/ssh reload > /dev/null 2>&1
 			;;
-		3)	warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
-			replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
-			/etc/init.d/ssh reload > /dev/null 2>&1
-			;;
 		5)	warn "$PACKAGE is absent, installing it"
 			apt_install $PACKAGE
 			;;

diff --git a/bin/hardening/9.3.16_sshd_IgnoreUserKnownHosts.sh b/bin/hardening/9.3.16_sshd_IgnoreUserKnownHosts.sh
@@ -32,20 +32,18 @@ audit () {
 		if [ $FNRET = 0 ]; then 
 			ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
 			FNRET=0
-		elif [ $FNRET = 1 ]; then 
+		else
 			crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration."
-			PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+			PATTERN="^$SSH_PARAM[[:space:]]*"
+			PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
 			does_pattern_exist_in_file $FILE "$PATTERN"
 			if [ $FNRET = 0 ]; then
-				ok "$PATTERN is present in $FILE"
+				crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
 				FNRET=1
 			else
-				crit "$PATTERN is not present in $FILE"
+				crit "$PATTERN_INFO is not present in $FILE"
 				FNRET=2
 			fi
-		else
-			crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
-			FNRET=3
 		fi
 	fi
 }
@@ -54,21 +52,18 @@ audit () {
 apply () {
 	SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
 	SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
-	PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+	PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
 	case $FNRET in
 		0)	ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
 			;;
-		1)	warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload"
+		1)	warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
+			replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
 			/etc/init.d/ssh reload > /dev/null 2>&1
 			;;
-		2)	warn "$PATTERN is not present in $FILE, need add to sshd_config and reload"
+		2)	warn "$PATTERN_INFO is not present in $FILE, need add to sshd_config and reload"
 			add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
 			/etc/init.d/ssh reload > /dev/null 2>&1
 			;;
-		3)	warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
-			replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
-			/etc/init.d/ssh reload > /dev/null 2>&1
-			;;
 		5)	warn "$PACKAGE is absent, installing it"
 			apt_install $PACKAGE
 			;;

diff --git a/bin/hardening/9.3.17_sshd_GSSAPIAuthentication.sh b/bin/hardening/9.3.17_sshd_GSSAPIAuthentication.sh
@@ -32,20 +32,18 @@ audit () {
 		if [ $FNRET = 0 ]; then 
 			ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
 			FNRET=0
-		elif [ $FNRET = 1 ]; then 
+		else
 			crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration."
-			PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+			PATTERN="^$SSH_PARAM[[:space:]]*"
+			PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
 			does_pattern_exist_in_file $FILE "$PATTERN"
 			if [ $FNRET = 0 ]; then
-				ok "$PATTERN is present in $FILE"
+				crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
 				FNRET=1
 			else
-				crit "$PATTERN is not present in $FILE"
+				crit "$PATTERN_INFO is not present in $FILE"
 				FNRET=2
 			fi
-		else
-			crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
-			FNRET=3
 		fi
 	fi
 }
@@ -54,21 +52,18 @@ audit () {
 apply () {
 	SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
 	SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
-	PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+	PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
 	case $FNRET in
 		0)	ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
 			;;
-		1)	warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload"
+		1)	warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
+			replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
 			/etc/init.d/ssh reload > /dev/null 2>&1
 			;;
-		2)	warn "$PATTERN is not present in $FILE, need add to sshd_config and reload"
+		2)	warn "$PATTERN_INFO is not present in $FILE, need add to sshd_config and reload"
 			add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
 			/etc/init.d/ssh reload > /dev/null 2>&1
 			;;
-		3)	warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
-			replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
-			/etc/init.d/ssh reload > /dev/null 2>&1
-			;;
 		5)	warn "$PACKAGE is absent, installing it"
 			apt_install $PACKAGE
 			;;

diff --git a/bin/hardening/9.3.18_sshd_KerberosAuthentication.sh b/bin/hardening/9.3.18_sshd_KerberosAuthentication.sh
@@ -32,20 +32,18 @@ audit () {
 		if [ $FNRET = 0 ]; then 
 			ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
 			FNRET=0
-		elif [ $FNRET = 1 ]; then 
+		else
 			crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration."
-			PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+			PATTERN="^$SSH_PARAM[[:space:]]*"
+			PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
 			does_pattern_exist_in_file $FILE "$PATTERN"
 			if [ $FNRET = 0 ]; then
-				ok "$PATTERN is present in $FILE"
+				crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
 				FNRET=1
 			else
-				crit "$PATTERN is not present in $FILE"
+				crit "$PATTERN_INFO is not present in $FILE"
 				FNRET=2
 			fi
-		else
-			crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
-			FNRET=3
 		fi
 	fi
 }
@@ -54,21 +52,18 @@ audit () {
 apply () {
 	SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
 	SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
-	PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+	PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
 	case $FNRET in
 		0)	ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
 			;;
-		1)	warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload"
+		1)	warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
+			replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
 			/etc/init.d/ssh reload > /dev/null 2>&1
 			;;
-		2)	warn "$PATTERN is not present in $FILE, need add to sshd_config and reload"
+		2)	warn "$PATTERN_INFO is not present in $FILE, need add to sshd_config and reload"
 			add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
 			/etc/init.d/ssh reload > /dev/null 2>&1
 			;;
-		3)	warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
-			replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
-			/etc/init.d/ssh reload > /dev/null 2>&1
-			;;
 		5)	warn "$PACKAGE is absent, installing it"
 			apt_install $PACKAGE
 			;;

diff --git a/bin/hardening/9.3.19_sshd_StrictModes.sh b/bin/hardening/9.3.19_sshd_StrictModes.sh
@@ -32,20 +32,18 @@ audit () {
 		if [ $FNRET = 0 ]; then 
 			ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
 			FNRET=0
-		elif [ $FNRET = 1 ]; then 
+		else
 			crit "The keyword $SSH_PARAM does not exist in the sshd runtime configuration."
-			PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+			PATTERN="^$SSH_PARAM[[:space:]]*"
+			PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
 			does_pattern_exist_in_file $FILE "$PATTERN"
 			if [ $FNRET = 0 ]; then
-				ok "$PATTERN is present in $FILE"
+				crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
 				FNRET=1
 			else
-				crit "$PATTERN is not present in $FILE"
+				crit "$PATTERN_INFO is not present in $FILE"
 				FNRET=2
 			fi
-		else
-			crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
-			FNRET=3
 		fi
 	fi
 }
@@ -54,21 +52,18 @@ audit () {
 apply () {
 	SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
 	SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
-	PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+	PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
 	case $FNRET in
 		0)	ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
 			;;
-		1)	warn "$PATTERN is present in $FILE, but runtime conf is incorrect, need reload"
+		1)	warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
+			replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
 			/etc/init.d/ssh reload > /dev/null 2>&1
 			;;
-		2)	warn "$PATTERN is not present in $FILE, need add to sshd_config and reload"
+		2)	warn "$PATTERN_INFO is not present in $FILE, need add to sshd_config and reload"
 			add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
 			/etc/init.d/ssh reload > /dev/null 2>&1
 			;;
-		3)	warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
-			replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
-			/etc/init.d/ssh reload > /dev/null 2>&1
-			;;
 		5)	warn "$PACKAGE is absent, installing it"
 			apt_install $PACKAGE
 			;;