13.1_remove_empty_password_field.sh 13.2_remove_legacy_passwd_entries.sh 13.3_remove_legacy_shadow_entries.sh 13.4_remove_legacy_group_entries.sh 13.5_find_0_uid_non_root_account.sh 13.6_sanitize_root_path.sh

This commit is contained in:
thibault.dewailly 2016-04-16 17:25:48 +02:00
parent 8c94214120
commit fb9bf542a1
16 changed files with 367 additions and 7 deletions


@ -6,7 +6,7 @@
#
#
# 10.1.3 Set Password Expiring Warning Days (Scored)
# 10.3 Set Default Group for root Account (Scored)
#
set -e # One error, it's over


@ -6,7 +6,7 @@
#
#
# 10.4 Set Default umask for Users (Scored)
# 10.5 Lock Inactive User Accounts (Scored)
#
set -e # One error, it's over


@ -17,7 +17,7 @@ FILE='/etc/shadow'
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if accounts have empty passwords"
RESULT=$(/bin/cat $FILE | /usr/bin/awk -F: '($2 == "" ) { print $1 }')
RESULT=$(cat $FILE | awk -F: '($2 == "" ) { print $1 }')
if [ ! -z "$RESULT" ]; then
crit "Some accounts have empty passwords"
crit $RESULT
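Review bot: Dropping the absolute paths keeps the `cat $FILE | awk` pipe, and because the script sets only `-e`/`-u` and not `pipefail`, the pipeline's status is awk's: when /etc/shadow is unreadable (audit not run as root) cat fails silently, RESULT stays empty and the check reports that every account has a password. Letting awk open the file itself, `RESULT=$(awk -F: '($2 == "" ) { print $1 }' "$FILE")`, makes that failure visible, since the assignment then carries awk's non-zero status and `set -e` aborts instead of passing the check. The same applies to the second hunk in apply(). `crit $RESULT` on the last line of this hunk also expands unquoted; `crit "$RESULT"` keeps the account list intact.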
@ -28,7 +28,7 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
RESULT=$(/bin/cat $FILE | /usr/bin/awk -F: '($2 == "" ) { print $1 }')
RESULT=$(cat $FILE | awk -F: '($2 == "" ) { print $1 }')
if [ ! -z "$RESULT" ]; then
warn "Some accounts have empty passwords"
for ACCOUNT in $RESULT; do


@ -0,0 +1,61 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
#
#
# 13.2 Verify No Legacy "+" Entries Exist in /etc/passwd File (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
FILE='/etc/passwd'
RESULT=''
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if accounts have empty passwords"
if grep '^+:' $FILE -q; then
RESULT=$(grep '^+:' $FILE)
crit "Some accounts have legacy password entry"
crit $RESULT
else
ok "All accounts have a valid password entry format"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if grep '^+:' $FILE -q; then
RESULT=$(grep '^+:' $FILE)
warn "Some accounts have legacy password entry"
for LINE in $RESULT; do
info "Removing $LINE from $FILE"
delete_line_in_file $FILE $LINE
done
else
ok "All accounts have a valid password entry format"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
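Review bot: The apply() loop `for LINE in $RESULT` word-splits the matched passwd lines and hands each fragment to `delete_line_in_file`, which uses it as a sed address regex, so a legacy entry whose GECOS field contains a space becomes several patterns and any regex metacharacter in the line can match more than the intended entry. Since every offending line starts with `+:`, deleting by the anchored pattern is simpler and exact: `delete_line_in_file "$FILE" '^+:'` in place of the loop. The audit message `info "Checking if accounts have empty passwords"` is copied from 13.1 and does not describe this check; `info "Checking if legacy + entries exist in $FILE"` would. The CIS_ROOT_DIR branch prints "No CIS_ROOT_DIR variable, aborting" but never exits, so execution continues to the `[ -r $CIS_ROOT_DIR/lib/main.sh ] && ...` line; add `exit 128` after the echo. The first three points apply unchanged to the new 13.3 and 13.4 scripts, and the last one to 13.5 and 13.6 as well.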


@ -0,0 +1,61 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
#
#
# 13.3 Verify No Legacy "+" Entries Exist in /etc/shadow File (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
FILE='/etc/shadow'
RESULT=''
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if accounts have empty passwords"
if grep '^+:' $FILE -q; then
RESULT=$(grep '^+:' $FILE)
crit "Some accounts have legacy password entry"
crit $RESULT
else
ok "All accounts have a valid password entry format"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if grep '^+:' $FILE -q; then
RESULT=$(grep '^+:' $FILE)
warn "Some accounts have legacy password entry"
for LINE in $RESULT; do
info "Removing $LINE from $FILE"
delete_line_in_file $FILE $LINE
done
else
ok "All accounts have a valid password entry format"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh


@ -0,0 +1,61 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
#
#
# 13.4 Verify No Legacy "+" Entries Exist in /etc/group File (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
FILE='/etc/group'
RESULT=''
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if accounts have empty passwords"
if grep '^+:' $FILE -q; then
RESULT=$(grep '^+:' $FILE)
crit "Some accounts have legacy password entry"
crit $RESULT
else
ok "All accounts have a valid password entry format"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if grep '^+:' $FILE -q; then
RESULT=$(grep '^+:' $FILE)
warn "Some accounts have legacy password entry"
for LINE in $RESULT; do
info "Removing $LINE from $FILE"
delete_line_in_file $FILE $LINE
done
else
ok "All accounts have a valid password entry format"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh


@ -0,0 +1,65 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
#
#
# 13.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
FILE='/etc/passwd'
RESULT=''
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if accounts have uid 0"
RESULT=$(cat $FILE | awk -F: '($3 == 0 && $1!="root" ) { print $1 }')
for ACCOUNT in $RESULT; do
debug "Account : $ACCOUNT"
debug "Exceptions : $EXCEPTIONS"
debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then
debug "$ACCOUNT is confirmed as an exception"
RESULT=$(sed "s!$ACCOUNT!!" <<< "$RESULT")
else
debug "$ACCOUNT not found in exceptions"
fi
done
if [ ! -z "$RESULT" ]; then
crit "Some accounts have uid 0"
crit $RESULT
else
ok "No account with suid 0 apart root"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
info "Removing accounts with uid 0 may seriously harm your system, report only here"
}
# This function will check config parameters required
check_config() {
if [ -z "$EXCEPTIONS" ]; then
EXCEPTIONS="@"
fi
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
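Review bot: The exception test `echo "$EXCEPTIONS" | grep -q $ACCOUNT` is an unanchored regex substring match, so an exception such as `toor` also whitelists a UID-0 account named `too` or `oo`, and the follow-up `sed "s!$ACCOUNT!!"` strips that substring from every name in RESULT, which can leave mangled names in the report. Comparing each account against the space-separated exception list with plain string equality and rebuilding the list avoids both problems, as in the excerpt below; with exact comparison the `@` placeholder in check_config is no longer needed but is harmless. This is an accuracy issue rather than a cosmetic one, because a wrongly excepted UID-0 account is exactly what this check exists to surface.
```shell
audit () {
    info "Checking if accounts have uid 0"
    RESULT=$(awk -F: '($3 == 0 && $1!="root" ) { print $1 }' "$FILE")
    FILTERED=''
    for ACCOUNT in $RESULT; do
        IS_EXCEPTION=0
        for EXCEPTION in $EXCEPTIONS; do
            if [ "$EXCEPTION" = "$ACCOUNT" ]; then
                IS_EXCEPTION=1
                break
            fi
        done
        if [ "$IS_EXCEPTION" = 1 ]; then
            debug "$ACCOUNT is confirmed as an exception"
        else
            debug "$ACCOUNT not found in exceptions"
            FILTERED="$FILTERED $ACCOUNT"
        fi
    done
    RESULT=$FILTERED
    # … unchanged: crit / ok reporting …
}
```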


@ -0,0 +1,84 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
#
#
# 13.6 Ensure root PATH Integrity (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
ERRORS=0
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ "`echo $PATH | grep :: `" != "" ]; then
crit "Empty Directory in PATH (::)"
ERRORS=$((ERRORS+1))
fi
if [ "`echo $PATH | grep :$`" != "" ]; then
crit "Trailing : in PATH $PATH"
ERRORS=$((ERRORS+1))
fi
FORMATTED_PATH=$(echo $PATH | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g')
set -- $FORMATTED_PATH
while [ "${1:-}" != "" ]; do
if [ "$1" = "." ]; then
crit "PATH contains ."
ERRORS=$((ERRORS+1))
else
if [ -d $1 ]; then
dirperm=$(ls -ldH $1 | cut -f1 -d" ")
if [ $(echo $dirperm | cut -c6 ) != "-" ]; then
crit "Group Write permission set on directory $1"
ERRORS=$((ERRORS+1))
fi
if [ $(echo $dirperm | cut -c9 ) != "-" ]; then
crit "Other Write permission set on directory $1"
ERRORS=$((ERRORS+1))
fi
dirown=$(ls -ldH $1 | awk '{print $3}')
if [ "$dirown" != "root" ] ; then
crit "$1 is not owned by root"
ERRORS=$((ERRORS+1))
fi
else
crit "$1 is not a directory"
ERRORS=$((ERRORS+1))
fi
fi
shift
done
if [ $ERRORS = 0 ]; then
ok "root PATH is secure"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
info "Editing items from PATH may seriously harm your system, report only here"
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
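Review bot: The directory checks recover the mode string and owner by parsing `ls -ldH $1` through cut and awk; `stat -L -c '%A'` and `stat -L -c '%U'` (GNU coreutils, present on Debian 7) return those fields directly, and bash substring expansion replaces the two `cut -c` subshells, as in the excerpt below. The positional parsing does work today because characters 6 and 9 of the mode string are group- and other-write, but it depends on the listing format and on `$1` surviving unquoted. Only a literal `.` is flagged as a relative entry; any element not starting with `/` is resolved against the caller's working directory, so the `[ -d $1 ]` outcome depends on where the audit is launched from, and a guard such as `if [ "$1" = "." ] || [ "${1#/}" = "$1" ]; then crit "PATH contains relative entry $1"` may be worth considering.
```shell
if [ -d "$1" ]; then
    dirperm=$(stat -L -c '%A' -- "$1")
    if [ "${dirperm:5:1}" != "-" ]; then
        crit "Group Write permission set on directory $1"
        ERRORS=$((ERRORS+1))
    fi
    if [ "${dirperm:8:1}" != "-" ]; then
        crit "Other Write permission set on directory $1"
        ERRORS=$((ERRORS+1))
    fi
    dirown=$(stat -L -c '%U' -- "$1")
    # … unchanged: owner check and "is not a directory" branch …
```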

16
bin/hardenning.sh Normal file

@ -0,0 +1,16 @@
#!/bin/bash
# CIs Deb
#
# CIS Debian 7 Hardening
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
#
#
# Main script : Execute hardening considering configuration
#
# Execute blindly binaries
# Audit mode
# ls | sort -n
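Review bot: The stray `# CIs Deb` line directly under the shebang is a leftover fragment of the header block that follows it and can be dropped. The planned `ls | sort -n` noted at the end of the stub would parse ls output; when the loop is implemented, iterating a glob such as `for script in "$DIR"/*.sh` (the numeric prefixes already sort lexically when zero-padded, otherwise pipe the names through `sort -n`) avoids that.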


@ -0,0 +1,2 @@
# Configuration for script of same name
status=enabled


@ -0,0 +1,2 @@
# Configuration for script of same name
status=enabled


@ -0,0 +1,2 @@
# Configuration for script of same name
status=enabled


@ -0,0 +1,4 @@
# Configuration for script of same name
status=enabled
# Put here valid accounts with uid 0 separated by spaces
EXCEPTIONS=""


@ -0,0 +1,2 @@
# Configuration for script of same name
status=enabled


@ -125,7 +125,7 @@ add_line_file_before_pattern() {
backup_file "$FILE"
debug "Inserting $LINE before $PATTERN in $FILE"
PATTERN=$(sed 's@/@\/@g' <<< $PATTERN)
PATTERN=$(sed 's@/@\\\/@g' <<< $PATTERN)
debug "sed -i '/$PATTERN/i $LINE' $FILE"
sed -i "/$PATTERN/i $LINE" $FILE
FNRET=0
@ -138,7 +138,7 @@ replace_in_file() {
backup_file "$FILE"
debug "Replacing $SOURCE to $DESTINATION in $FILE"
SOURCE=$(sed 's@/@\/@g' <<< $SOURCE)
SOURCE=$(sed 's@/@\\\/@g' <<< $PATTERN)
debug "sed -i 's/$SOURCE/$DESTINATION/g' $FILE"
sed -i "s/$SOURCE/$DESTINATION/g" $FILE
FNRET=0
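Review bot: The new line in replace_in_file escapes `$PATTERN` but assigns the result to SOURCE, `SOURCE=$(sed 's@/@\\\/@g' <<< $PATTERN)`, while the add_line_file_before_pattern and delete_line_in_file hunks escape the variable they actually use; the following `sed -i "s/$SOURCE/$DESTINATION/g"` therefore substitutes whatever PATTERN holds (or, if PATTERN is unset and `-u` is active in this library, aborts) instead of the caller's SOURCE. It should read `SOURCE=$(sed 's@/@\\\/@g' <<< "$SOURCE")`. In all three hunks the escaping covers only `/`; the value is still interpreted as a sed regex (and, for SOURCE, as replacement text), so `.`, `*`, `[`, `^`, `$` and `&` keep their special meaning, which matters now that delete_line_in_file is called from the new 13.x scripts with whole passwd/shadow lines as the pattern. Each of the three enclosing functions starts above its hunk.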
@ -150,7 +150,7 @@ delete_line_in_file() {
backup_file "$FILE"
debug "Deleting lines from $FILE containing $PATTERN"
PATTERN=$(sed 's@/@\/@g' <<< $PATTERN)
PATTERN=$(sed 's@/@\\\/@g' <<< $PATTERN)
debug "sed -i '/$PATTERN/d' $FILE"
sed -i "/$PATTERN/d" $FILE
FNRET=0