ovh
diff --git a/‎bin/hardening/auditd_running_config_same_on_disk.sh‎
Lines changed: 87 additions & 0 deletions b/‎bin/hardening/auditd_running_config_same_on_disk.sh‎
Lines changed: 87 additions & 0 deletions
diff --git a/‎bin/hardening/find_suid_and_sgid_files.sh‎
Lines changed: 101 additions & 0 deletions b/‎bin/hardening/find_suid_and_sgid_files.sh‎
Lines changed: 101 additions & 0 deletions
diff --git a/‎bin/hardening/pam_unix_nullok_absent.sh‎
Lines changed: 75 additions & 0 deletions b/‎bin/hardening/pam_unix_nullok_absent.sh‎
Lines changed: 75 additions & 0 deletions
diff --git a/‎bin/hardening/pam_unix_remember_absent.sh‎
Lines changed: 85 additions & 0 deletions b/‎bin/hardening/pam_unix_remember_absent.sh‎
Lines changed: 85 additions & 0 deletions
@@ -0,0 +1,87 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure the running and on disk configuration is the same (Manual)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure the running and on disk configuration is the same"
+
+# This function will be called if the script status is on enabled / audit mode
+# shellcheck disable=2120
+audit() {
+    # Ensure that all rules in /etc/audit/rules.d have been merged into /etc/audit/audit.rules
+    AUDIT_RULES_UPTODATE=0
+    BINARY_PATH="/usr/sbin"
+
+    # the day we clean debian 11, don't forget the sudo rules
+    if [ "$DEB_MAJ_VER" -eq 11 ]; then
+        BINARY_PATH="/sbin"
+    fi
+
+    local result
+    result=$($SUDO_CMD "$BINARY_PATH"/augenrules --check)
+    # /usr/sbin/augenrules: No change
+    # or
+    # /usr/sbin/augenrules: Rules have changed and should be updated
+    if grep -q "updated" <<<"$result"; then
+        AUDIT_RULES_UPTODATE=1
+    fi
+
+    if [ "$AUDIT_RULES_UPTODATE" -eq 0 ]; then
+        ok "audit rules are merged"
+    else
+        crit "audit rules need to be merged"
+    fi
+
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$AUDIT_RULES_UPTODATE" -eq 1 ]; then
+        info "merging audit rules"
+        "$BINARY_PATH"/augenrules --load
+    fi
+
+    info "check if reboot is required"
+    local reboot_required=0
+    reboot_required=$($SUDO_CMD "$BINARY_PATH"/auditctl -s | awk '/enabled/ {print  $2}')
+    if [ "$reboot_required" -eq 2 ]; then
+        info "Reboot required to load rules"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
@@ -0,0 +1,101 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Audit SUID and SGID executables (Manual)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Find SUID and SGID system executables."
+IGNORED_PATH=''
+
+# find emits following error if directory or file disappear during
+# tree traversal: find: ‘/tmp/xxx’: No such file or directory
+FIND_IGNORE_NOSUCHFILE_ERR=false
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    info "Checking if there are suid files"
+    if [ -n "$IGNORED_PATH" ]; then
+        # maybe IGNORED_PATH allow us to filter out some FS
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$IGNORED_PATH")
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
+        # shellcheck disable=2086
+        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f \( -perm -4000 -o -perm -2000 \) -regextype 'egrep' ! -regex $IGNORED_PATH -print)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
+    else
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
+        # shellcheck disable=2086
+        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f \( -perm -4000 -o -perm -2000 \) -print)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
+    fi
+
+    BAD_BINARIES=""
+    for BINARY in $FOUND_BINARIES; do
+        if grep -qw "$BINARY" <<<"$EXCEPTIONS"; then
+            debug "$BINARY is confirmed as an exception"
+        else
+            BAD_BINARIES="$BAD_BINARIES $BINARY"
+        fi
+    done
+    if [ -n "$BAD_BINARIES" ]; then
+        crit "Some suid / sgid files are present"
+        # shellcheck disable=SC2001
+        FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$BAD_BINARIES" | sort | uniq | tr '\n' ' ')
+        crit "$FORMATTED_RESULT"
+    else
+        ok "No unknown suid / sgid files found"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    info "please review manually the binaries in the output"
+}
+
+# This function will create the config file for this check with default values
+create_config() {
+    cat <<EOF
+status=audit
+# Put Here your valid suid binaries so that they do not appear during the audit
+EXCEPTIONS="/bin/mount /bin/ping /bin/ping6 /bin/su /bin/umount /sbin/unix_chkpwd /usr/bin/at /usr/bin/bsd-write /usr/bin/chage /usr/bin/chfn /usr/bin/chsh /usr/bin/crontab /usr/bin/dotlockfile /usr/bin/expiry /usr/bin/fping /usr/bin/fping6 /usr/bin/gpasswd /usr/bin/mail-lock /usr/bin/mail-touchlock /usr/bin/mail-unlock /usr/bin/mount /usr/bin/mtr /usr/bin/mutt_dotlock /usr/bin/newgrp /usr/bin/passwd /usr/bin/ping /usr/bin/ping6 /usr/bin/screen /usr/bin/ssh-agent /usr/bin/su /usr/bin/sudo /usr/bin/sudoedit /usr/bin/umount /usr/bin/wall /usr/lib/openssh/ssh-keysign /usr/lib/pt_chown /usr/sbin/postdrop /usr/sbin/postqueue /usr/sbin/unix_chkpwd"
+EOF
+}
+
+# This function will check config parameters required
+check_config() {
+    # No param for this function
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
@@ -0,0 +1,75 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure pam_unix does not include nullok (Automated)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+DESCRIPTION="Ensure pam_unix does not include nullok"
+
+# The nullok argument overrides the default action of pam_unix.so to not permit the user access to a service if their official password is blank.
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    PAM_INVALID_FILES=""
+
+    if grep "pam_unix\.so" /etc/pam.d/common-{password,auth,account,session,session-noninteractive} >/dev/null; then
+        PAM_INVALID_FILES=$(grep -HP -- '^\h*^\h*[^#\n\r]+\h+pam_unix\.so\b' /etc/pam.d/common-{password,auth,account,session,session-noninteractive} | awk -F ':' '/nullok/ {print $1}')
+    fi
+
+    for file in $PAM_INVALID_FILES; do
+        crit "$file contains nullok"
+    done
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ -n "$PAM_INVALID_FILES" ]; then
+        info "editing pam-config files to remove nullok"
+        sed -i 's/nullok//g' /usr/share/pam-configs/*
+
+        # if custom files are being used, the corresponding files in /etc/pam.d/ would need
+        # to be edited directly, and the pam-auth-update --enable <EDITED_PROFILE_NAME>
+        # command skipped
+        # -> so we edit directly also the pam.d files
+        for file in $PAM_INVALID_FILES; do
+            info "editing $file to remove nullok"
+            sed -i 's/nullok//g' "$file"
+        done
+    fi
+
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
@@ -0,0 +1,85 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure pam_unix does not include remember (Automated)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+DESCRIPTION="Ensure pam_unix does not include remember"
+
+# The remember=n argument saves the last n passwords for each user in
+# /etc/security/opasswd in order to force password change history and keep the user
+# from alternating between the same password too frequently. The MD5 password hash
+# algorithm is used for storing the old passwords. Instead of this option the pam_pwhistory
+# module should be used. The pam_pwhistory module saves the last n passwords for
+# each user in /etc/security/opasswd using the password hash algorithm set on the
+# pam_unix module. This allows for the yescrypt or sha512 hash algorithm to be used.
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    PAM_INVALID_FILES=""
+
+    if grep "pam_unix\.so" /etc/pam.d/common-{password,auth,account,session,session-noninteractive} >/dev/null; then
+        PAM_INVALID_FILES=$(grep -HP -- '^\h*^\h*[^#\n\r]+\h+pam_unix\.so\b' /etc/pam.d/common-{password,auth,account,session,session-noninteractive} | awk -F ':' '/remember/ {print $1}')
+    fi
+
+    for file in $PAM_INVALID_FILES; do
+        crit "$file contains remember"
+    done
+
+    if [ -n "$PAM_INVALID_FILES" ]; then
+        warn "'apply' will remove 'remember' from /etc/pam.d, you should ensure the 'pam_pwhistory' module is configured"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ -n "$PAM_INVALID_FILES" ]; then
+        info "editing pam-config files to remove remember"
+        sed -i 's/remember=[0-9]*//g' /usr/share/pam-configs/*
+
+        # if custom files are being used, the corresponding files in /etc/pam.d/ would need
+        # to be edited directly, and the pam-auth-update --enable <EDITED_PROFILE_NAME>
+        # command skipped
+        # -> so we edit directly also the pam.d files
+        for file in $PAM_INVALID_FILES; do
+            info "editing $file to remove remember"
+            sed -i 's/remember=[0-9]*//g' "$file"
+        done
+    fi
+
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi