Repository: hardenedlinux/harbian-audit
Branch: master
Commit: 7fe31792867c
Files: 352
Total size: 1.9 MB
Directory structure:
gitextract_sowemua5/
├── .gitignore
├── LICENSE
├── README-CN.md
├── README.md
├── bin/
│ ├── harbianaudit.sh
│ ├── hardening/
│ │ ├── 1.1_install_updates.sh
│ │ ├── 1.2_enable_verify_sign_packages_from_repository.sh
│ │ ├── 1.3_enable_verify_sign_of_local_packages.sh
│ │ ├── 1.4_set_no_allow_insecure_repository_by_apt.sh
│ │ ├── 1.5.11_ensure_core_file_size_configured.sh
│ │ ├── 1.5.12_ensure_systemd_coredump_processsizemax.sh
│ │ ├── 1.5.13_ensure_systemd_coredump_storage.sh
│ │ ├── 1.5.1_ensure_fs_protected_hardlinks.sh
│ │ ├── 1.5.2_ensure_fs_protected_symlinks.sh
│ │ ├── 1.5.3_ensure_kernel_yama_ptrace_scope.sh
│ │ ├── 1.5.4_ensure_fs_suid_dumpable.sh
│ │ ├── 1.5.5_ensure_kernel_dmesg_restrict.sh
│ │ ├── 1.5.7_ensure_automatic_error_reporting_configured.sh
│ │ ├── 1.5.8_ensure_kernel_kptr_restrict.sh
│ │ ├── 1.5.9_ensure_kernel_randomize_va_space.sh
│ │ ├── 10.1.10_set_maxlogins_for_all_accounts.sh
│ │ ├── 10.1.11_ensure_no_shosts_cfg_on_system.sh
│ │ ├── 10.1.1_set_password_exp_days.sh
│ │ ├── 10.1.2_set_password_min_days_change.sh
│ │ ├── 10.1.3_set_password_exp_warning_days.sh
│ │ ├── 10.1.4_set_password_encrypt_method.sh
│ │ ├── 10.1.5_set_password_lock_inactive_user.sh
│ │ ├── 10.1.6_remove_nopasswd_sudoers.sh
│ │ ├── 10.1.7_remove_noauthenticate_sudoers.sh
│ │ ├── 10.1.8_set_fail_delay_seconds.sh
│ │ ├── 10.1.9_set_create_home_bool.sh
│ │ ├── 10.2_disable_system_accounts.sh
│ │ ├── 10.3_default_root_group.sh
│ │ ├── 10.4_default_umask.sh
│ │ ├── 10.5_set_timeout_tty.sh
│ │ ├── 11.1_warning_banners.sh
│ │ ├── 11.2_remove_os_info_warning_banners.sh
│ │ ├── 12.10_find_suid_files.sh
│ │ ├── 12.11_find_sgid_files.sh
│ │ ├── 12.12_etc_group_backup_permissions.sh
│ │ ├── 12.13_etc_gshadow_backup_permissions.sh
│ │ ├── 12.1_etc_passwd_permissions.sh
│ │ ├── 12.2_etc_shadow_permissions.sh
│ │ ├── 12.3_etc_group_permissions.sh
│ │ ├── 12.4_etc_gshadow_permissions.sh
│ │ ├── 12.5_etc_passwd_backup_permissions.sh
│ │ ├── 12.6_etc_shadow_backup_permissions.sh
│ │ ├── 12.7_find_world_writable_file.sh
│ │ ├── 12.8_find_unowned_files.sh
│ │ ├── 12.9_find_ungrouped_files.sh
│ │ ├── 13.10_find_user_rhosts_files.sh
│ │ ├── 13.11_find_passwd_group_inconsistencies.sh
│ │ ├── 13.12_users_valid_homedir.sh
│ │ ├── 13.13_check_user_homedir_ownership.sh
│ │ ├── 13.14_check_duplicate_uid.sh
│ │ ├── 13.15_check_duplicate_gid.sh
│ │ ├── 13.16_check_duplicate_username.sh
│ │ ├── 13.17_check_duplicate_groupname.sh
│ │ ├── 13.18_find_user_netrc_files.sh
│ │ ├── 13.19_find_user_forward_files.sh
│ │ ├── 13.1_remove_empty_password_field.sh
│ │ ├── 13.20_shadow_group_empty.sh
│ │ ├── 13.2_remove_legacy_passwd_entries.sh
│ │ ├── 13.3_remove_legacy_shadow_entries.sh
│ │ ├── 13.4_remove_legacy_group_entries.sh
│ │ ├── 13.5_find_0_uid_non_root_account.sh
│ │ ├── 13.6_sanitize_root_path.sh
│ │ ├── 13.7_check_user_dir_perm.sh
│ │ ├── 13.8_check_user_dot_file_perm.sh
│ │ ├── 13.9_set_perm_on_user_netrc.sh
│ │ ├── 14.1_security_related_NAT_slipstreaming.sh
│ │ ├── 14.2_check_abuse_777_permissions.sh
│ │ ├── 2.10_home_nodev.sh
│ │ ├── 2.11_removable_device_nodev.sh
│ │ ├── 2.12_removable_device_noexec.sh
│ │ ├── 2.13_removable_device_nosuid.sh
│ │ ├── 2.14_run_shm_nodev.sh
│ │ ├── 2.15_run_shm_nosuid.sh
│ │ ├── 2.16_run_shm_noexec.sh
│ │ ├── 2.17_sticky_bit_world_writable_folder.sh
│ │ ├── 2.18_disable_cramfs.sh
│ │ ├── 2.19_disable_freevxfs.sh
│ │ ├── 2.1_tmp_partition.sh
│ │ ├── 2.20_disable_jffs2.sh
│ │ ├── 2.21_disable_hfs.sh
│ │ ├── 2.22_disable_hfsplus.sh
│ │ ├── 2.23_disable_squashfs.sh
│ │ ├── 2.24_disable_udf.sh
│ │ ├── 2.25_disable_automounting.sh
│ │ ├── 2.26_home_nosuid.sh
│ │ ├── 2.27_nfs_nosuid.sh
│ │ ├── 2.28_nfs_noexec.sh
│ │ ├── 2.29_nfs_RPCSEC_GSS.sh
│ │ ├── 2.2_tmp_nodev.sh
│ │ ├── 2.3_tmp_nosuid.sh
│ │ ├── 2.4_tmp_noexec.sh
│ │ ├── 2.5_var_partition.sh
│ │ ├── 2.6.1_var_tmp_partition.sh
│ │ ├── 2.6.2_var_tmp_nodev.sh
│ │ ├── 2.6.3_var_tmp_nosuid.sh
│ │ ├── 2.6.4_var_tmp_noexec.sh
│ │ ├── 2.7_var_log_partition.sh
│ │ ├── 2.8_var_log_audit_partition.sh
│ │ ├── 2.9_home_partition.sh
│ │ ├── 3.1_bootloader_ownership.sh
│ │ ├── 3.2_bootloader_permissions.sh
│ │ ├── 3.3_bootloader_password.sh
│ │ ├── 3.4_root_password.sh
│ │ ├── 4.1.1_ensure_ufw_installed.sh
│ │ ├── 4.1.2_ensure_ufw_service_configured.sh
│ │ ├── 4.1_restrict_core_dumps.sh
│ │ ├── 4.2_enable_nx_support.sh
│ │ ├── 4.3_enable_randomized_vm_placement.sh
│ │ ├── 4.4_disable_prelink.sh
│ │ ├── 4.5_enable_apparmor.sh
│ │ ├── 4.6_enable_selinux.sh
│ │ ├── 4.7_enable_selinux_policy.sh
│ │ ├── 4.8_disable_usb_devices.sh
│ │ ├── 5.1.1_disable_nis.sh
│ │ ├── 5.1.2_disable_rsh.sh
│ │ ├── 5.1.3_disable_rsh_client.sh
│ │ ├── 5.1.4_disable_talk.sh
│ │ ├── 5.1.5_disable_talk_client.sh
│ │ ├── 5.1.6_disable_telnet_server.sh
│ │ ├── 5.1.7_disable_inetd.sh
│ │ ├── 5.2_install_screen.sh
│ │ ├── 5.3_enable_openssh_server.sh
│ │ ├── 5.4_disable_ctrl_alt_del_target.sh
│ │ ├── 5.5_ensure_installed_sudo.sh
│ │ ├── 6.10_disable_http_server.sh
│ │ ├── 6.11_disable_imap_pop.sh
│ │ ├── 6.12_disable_samba.sh
│ │ ├── 6.13_disable_http_proxy.sh
│ │ ├── 6.14_disable_snmp_server.sh
│ │ ├── 6.15_mta_localhost.sh
│ │ ├── 6.16_disable_rsync.sh
│ │ ├── 6.17_ensure_virul_scan_server_is_enabled.sh
│ │ ├── 6.18_ensure_virusscan_program_update_is_enabled.sh
│ │ ├── 6.19_configure_ntp.sh
│ │ ├── 6.1_disable_xwindow_system.sh
│ │ ├── 6.20_configure_chrony.sh
│ │ ├── 6.2_disable_avahi_server.sh
│ │ ├── 6.3_disable_print_server.sh
│ │ ├── 6.4_disable_dhcp.sh
│ │ ├── 6.5_ensure_time_sync_server_is_installed.sh
│ │ ├── 6.6_disable_ldap.sh
│ │ ├── 6.7_disable_nfs_rpc.sh
│ │ ├── 6.8_disable_dns_server.sh
│ │ ├── 6.9_disable_ftp.sh
│ │ ├── 7.1.1_disable_ip_forwarding.sh
│ │ ├── 7.1.2_disable_send_packet_redirects.sh
│ │ ├── 7.1.3_disable_interface_promisc_mode.sh
│ │ ├── 7.2.1_disable_source_routed_packets.sh
│ │ ├── 7.2.2_disable_icmp_redirect.sh
│ │ ├── 7.2.3_disable_secure_icmp_redirect.sh
│ │ ├── 7.2.4_log_martian_packets.sh
│ │ ├── 7.2.5_ignore_broadcast_requests.sh
│ │ ├── 7.2.6_enable_bad_error_message_protection.sh
│ │ ├── 7.2.7_enable_source_route_validation.sh
│ │ ├── 7.2.8_enable_tcp_syn_cookies.sh
│ │ ├── 7.3.1_disable_ipv6_router_advertisement.sh
│ │ ├── 7.3.2_disable_ipv6_redirect.sh
│ │ ├── 7.4.1_install_tcp_wrapper.sh
│ │ ├── 7.4.2_hosts_allow.sh
│ │ ├── 7.4.3_hosts_allow_permissions.sh
│ │ ├── 7.4.4_hosts_deny.sh
│ │ ├── 7.4.5_hosts_deny_permissions.sh
│ │ ├── 7.6_disable_wireless.sh
│ │ ├── 7.7.1_enable_firewall.sh
│ │ ├── 7.7.2_ensure_set_firewall_rules.sh
│ │ ├── 7.7.3_ensure_firewall_set_protect_dos_attacks.sh
│ │ ├── 7.7.4.1_ensure_default_deny_firewall_policy.sh
│ │ ├── 7.7.4.2_ensure_loopback_traffic_is_configured.sh
│ │ ├── 7.7.4.3_ensure_firewall_rules_exist_for_all_open_ports.sh
│ │ ├── 7.7.4.4_ensure_outbound_and_established_connections_are_configured.sh
│ │ ├── 7.7.5.1_ensure_default_deny_firewall_policy_for_v6.sh
│ │ ├── 7.7.5.2_ensure_loopback_traffic_is_configured_for_v6.sh
│ │ ├── 7.7.5.3_ensure_firewall_rules_exist_for_all_open_ports_for_v6.sh
│ │ ├── 7.7.5.4_ensure_outbound_and_established_connections_are_configured_for_v6.sh
│ │ ├── 8.0_enable_auditd_kernel.sh
│ │ ├── 8.1.1.1_audit_log_storage.sh
│ │ ├── 8.1.1.2_halt_when_audit_log_full.sh
│ │ ├── 8.1.1.3_keep_all_audit_logs.sh
│ │ ├── 8.1.1.4_set_failure_mode.sh
│ │ ├── 8.1.1.5_ensure_set_remote_server.sh
│ │ ├── 8.1.1.6_ensure_set_encrypt_for_audit_remote.sh
│ │ ├── 8.1.1.7_ensure_set_action_for_audit_storage_full.sh
│ │ ├── 8.1.1.8_ensure_set_action_for_net_fail.sh
│ │ ├── 8.1.1.9_set_space_left_audit.sh
│ │ ├── 8.1.10_record_dac_edit.sh
│ │ ├── 8.1.11_record_failed_access_file.sh
│ │ ├── 8.1.12_record_syscall_execve.sh
│ │ ├── 8.1.13_record_successful_mount.sh
│ │ ├── 8.1.14_record_file_deletions.sh
│ │ ├── 8.1.15_record_sudoers_edit.sh
│ │ ├── 8.1.16_record_sudo_usage.sh
│ │ ├── 8.1.17_record_kernel_modules.sh
│ │ ├── 8.1.18_record_Events_netfilter.sh
│ │ ├── 8.1.19_record_sshkeysign_usage.sh
│ │ ├── 8.1.20_record_open_by_handle_at_syscall.sh
│ │ ├── 8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh
│ │ ├── 8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh
│ │ ├── 8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh
│ │ ├── 8.1.24_record_crontab_cmd_usage.sh
│ │ ├── 8.1.25_record_pam_timestamp_check_cmd_usage.sh
│ │ ├── 8.1.26_record_pam_tally_cmd_usage.sh
│ │ ├── 8.1.27_record_Events_that_modify_conf_files.sh
│ │ ├── 8.1.28_record_acl_cmd_usage.sh
│ │ ├── 8.1.29_record_usermod_cmd_usage.sh
│ │ ├── 8.1.2_enable_auditd.sh
│ │ ├── 8.1.30_record_unix_update_cmd_usage.sh
│ │ ├── 8.1.31_record_file_transfer_related.sh
│ │ ├── 8.1.32_record_ufw_of_debian_like.sh
│ │ ├── 8.1.33_record_iptables_restore_exec.sh
│ │ ├── 8.1.34_record_privileged_commands.sh
│ │ ├── 8.1.35_freeze_auditd_conf.sh
│ │ ├── 8.1.3_audit_bootloader.sh
│ │ ├── 8.1.4_record_date_time_edit.sh
│ │ ├── 8.1.5_record_user_group_edit.sh
│ │ ├── 8.1.6_record_network_edit.sh
│ │ ├── 8.1.7_record_mac_edit.sh
│ │ ├── 8.1.8_record_login_logout.sh
│ │ ├── 8.1.9_record_session_init.sh
│ │ ├── 8.2.1_install_rsyslog.sh
│ │ ├── 8.2.2_enable_rsyslog.sh
│ │ ├── 8.2.3_set_logfile_perm_cfg_rsyslog.sh
│ │ ├── 8.2.4_rsyslog_remote_host.sh
│ │ ├── 8.3.1_install_syslog-ng.sh
│ │ ├── 8.3.2_enable_syslog-ng.sh
│ │ ├── 8.3.3_set_logfile_perm.sh
│ │ ├── 8.3.4_syslog-ng_remote_host.sh
│ │ ├── 8.4.1_install_aide.sh
│ │ ├── 8.4.2_aide_cron.sh
│ │ ├── 8.5_ensure_permissions_on_all_logfiles.sh
│ │ ├── 8.6_verify_integrity_packages.sh
│ │ ├── 8.7.1_journald_config_compress.sh
│ │ ├── 8.7.2_journald_config_storage.sh
│ │ ├── 9.1.1_enable_cron.sh
│ │ ├── 9.1.2_crontab_perm_ownership.sh
│ │ ├── 9.1.3_cron_hourly_perm_ownership.sh
│ │ ├── 9.1.4_cron_daily_perm_ownership.sh
│ │ ├── 9.1.5_cron_weekly_perm_ownership.sh
│ │ ├── 9.1.6_cron_monthly_perm_ownership.sh
│ │ ├── 9.1.7_cron_d_perm_ownership.sh
│ │ ├── 9.1.8_cron_users.sh
│ │ ├── 9.2.10_pam_maxclassrepeat_cracklib.sh
│ │ ├── 9.2.11_pam_deny_times_tally2.sh
│ │ ├── 9.2.12_pam_lockout_failed_tally2.sh
│ │ ├── 9.2.13_pam_even_deny_root_tally2.sh
│ │ ├── 9.2.14_pam_dictcheck_pwquality.sh
│ │ ├── 9.2.15_pam_printlastlog_to_showfailed_lastlog.sh
│ │ ├── 9.2.16_pam_limit_password_reuse.sh
│ │ ├── 9.2.17_pam_password_sha512_unix.sh
│ │ ├── 9.2.18_pam_auth_without_nullpwd_unix.sh
│ │ ├── 9.2.1_pam_retry_cracklib.sh
│ │ ├── 9.2.2_pam_minlen_cracklib.sh
│ │ ├── 9.2.3_pam_dcredit_cracklib.sh
│ │ ├── 9.2.4_pam_ucredit_cracklib.sh
│ │ ├── 9.2.5_pam_ocredit_cracklib.sh
│ │ ├── 9.2.6_pam_lcredit_cracklib.sh
│ │ ├── 9.2.7_pam_difok_cracklib.sh
│ │ ├── 9.2.8_pam_minclass_cracklib.sh
│ │ ├── 9.2.9_pam_maxrepeat_cracklib.sh
│ │ ├── 9.3.10_disable_sshd_setenv.sh
│ │ ├── 9.3.11_sshd_ciphers.sh
│ │ ├── 9.3.12_sshd_idle_timeout.sh
│ │ ├── 9.3.13_sshd_limit_access.sh
│ │ ├── 9.3.14_ssh_banner.sh
│ │ ├── 9.3.15_sshd_printlastlog.sh
│ │ ├── 9.3.16_sshd_IgnoreUserKnownHosts.sh
│ │ ├── 9.3.17_sshd_GSSAPIAuthentication.sh
│ │ ├── 9.3.18_sshd_KerberosAuthentication.sh
│ │ ├── 9.3.19_sshd_StrictModes.sh
│ │ ├── 9.3.1_sshd_protocol.sh
│ │ ├── 9.3.20_sshd_compression.sh
│ │ ├── 9.3.21_sshd_MACs.sh
│ │ ├── 9.3.22_ssh_check_pub_hostkey_permission.sh
│ │ ├── 9.3.23_ssh_check_priv_hostkey_permission.sh
│ │ ├── 9.3.24_sshd_kexalgorithms.sh
│ │ ├── 9.3.25_sshd_logingracetime.sh
│ │ ├── 9.3.2_sshd_loglevel.sh
│ │ ├── 9.3.3_sshd_conf_perm_ownership.sh
│ │ ├── 9.3.4_disable_x11_forwarding.sh
│ │ ├── 9.3.5_sshd_maxauthtries.sh
│ │ ├── 9.3.6_enable_sshd_ignorerhosts.sh
│ │ ├── 9.3.7_disable_sshd_hostbasedauthentication.sh
│ │ ├── 9.3.8_disable_root_login.sh
│ │ ├── 9.3.9_disable_sshd_permitemptypasswords.sh
│ │ └── 9.4_pam_restrict_su.sh
│ └── hardening.sh
├── docs/
│ ├── STIG-Benchmark/
│ │ ├── stig-Ubuntu_16-04_LTS.txt
│ │ └── stig-rhel-7-v1r4.txt
│ ├── complianced_image/
│ │ ├── AMI/
│ │ │ ├── how_to_creating_and_making_an_AMI_public.mkd
│ │ │ └── how_to_use_harbian_audit_complianced_Debian_9.mkd
│ │ └── QEMU/
│ │ ├── how_to_creating_and_making_a_QEMU_img_for_centos8.mkd
│ │ ├── how_to_creating_and_making_a_QEMU_img_for_debian9.mkd
│ │ ├── how_to_use_QEMU_image_of_harbian_audit_complianced_Debian_9.mkd
│ │ └── signature/
│ │ ├── debian9.9-harbian-0910.qcow2.sig
│ │ └── debian9.9-harbian-0910.qcow2.tar.gz.sig
│ ├── configurations/
│ │ ├── build-simple-cdd-cfg/
│ │ │ ├── Readme
│ │ │ ├── usr_share_simple-cdd_profiles_default.packages
│ │ │ └── usr_share_simple-cdd_profiles_default.preseed
│ │ ├── debian-config-4-build-deb/
│ │ │ ├── debian/
│ │ │ │ ├── Readme
│ │ │ │ ├── changelog
│ │ │ │ ├── compat
│ │ │ │ ├── control
│ │ │ │ ├── copyright
│ │ │ │ └── rules
│ │ │ └── how-to-build-deb-package.md
│ │ ├── etc.audit.auditd.conf
│ │ ├── etc.audit.rules.d.audit.rules_for_debian
│ │ ├── etc.iptables.rules.v4.sh
│ │ ├── etc.iptables.rules.v6.sh
│ │ ├── etc.login.defs
│ │ ├── etc.nftables.conf
│ │ ├── etc.ssh.sshd_config
│ │ ├── manual-operation-docs/
│ │ │ ├── how_to_config_grub2_password_protection.mkd
│ │ │ ├── how_to_deploy_audisp_remote_for_audit_log.mkd
│ │ │ ├── how_to_fix_SELinux_access_denied.mkd
│ │ │ ├── how_to_migrating_from_iptables_to_nftables_in_debian10.md
│ │ │ ├── how_to_persistent_iptables_rules_with_debian_9.mkd
│ │ │ └── how_to_persistent_nft_rules_with_debian_10.mkd
│ │ └── usr.share.netfilter-persistent.plugins.d.15-nft
│ ├── harbian_audit_Debian_9_Benchmark_v0.1.mkd
│ └── use-cases/
│ ├── apache2-usecase/
│ │ ├── Readme.mkd
│ │ └── etc.iptables.rules.v4.4http.sh
│ ├── hyperledger-cello-usecase/
│ │ ├── README.mkd
│ │ ├── master-ufw-rules.conf
│ │ └── worker-ufw-rules.conf
│ ├── nodejs-redis-mysql-usecase/
│ │ ├── README.md
│ │ └── helloworld/
│ │ ├── app.js
│ │ ├── config/
│ │ │ └── config.js
│ │ ├── package.json
│ │ └── services/
│ │ ├── LogService.js
│ │ ├── RedisService.js
│ │ └── SqlService.js
│ └── tls-transmission-usecase/
│ ├── nginx-mutual-ssl-proxy-http-service/
│ │ ├── Readme.mkd
│ │ ├── iptables_ufw-4-client.cfg
│ │ └── iptables_ufw-4-server.cfg
│ └── using-Nginx-as-SSL-tunnel-4TCP-UDP-service/
│ ├── Readme.mkd
│ ├── iptables_ufw-4-client.cfg
│ └── iptables_ufw-4-server.cfg
├── etc/
│ ├── conf.d/
│ │ ├── .gitignore
│ │ └── README
│ ├── default.cfg
│ └── hardening.cfg
├── lib/
│ ├── common.sh
│ ├── constants.sh
│ ├── main.sh
│ └── utils.sh
└── src/
├── skel
└── skel.cfg
================================================
FILE CONTENTS
================================================
================================================
FILE: .gitignore
================================================
tmp/*
================================================
FILE: LICENSE
================================================
GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
Copyright (C) 2007 Free Software Foundation, Inc.
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The GNU General Public License is a free, copyleft license for
software and other kinds of works.
The licenses for most software and other practical works are designed
to take away your freedom to share and change the works. By contrast,
the GNU General Public License is intended to guarantee your freedom to
share and change all versions of a program--to make sure it remains free
software for all its users. We, the Free Software Foundation, use the
GNU General Public License for most of our software; it applies also to
any other work released this way by its authors. You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
them if you wish), that you receive source code or can get it if you
want it, that you can change the software or use pieces of it in new
free programs, and that you know you can do these things.
To protect your rights, we need to prevent others from denying you
these rights or asking you to surrender the rights. Therefore, you have
certain responsibilities if you distribute copies of the software, or if
you modify it: responsibilities to respect the freedom of others.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must pass on to the recipients the same
freedoms that you received. You must make sure that they, too, receive
or can get the source code. And you must show them these terms so they
know their rights.
Developers that use the GNU GPL protect your rights with two steps:
(1) assert copyright on the software, and (2) offer you this License
giving you legal permission to copy, distribute and/or modify it.
For the developers' and authors' protection, the GPL clearly explains
that there is no warranty for this free software. For both users' and
authors' sake, the GPL requires that modified versions be marked as
changed, so that their problems will not be attributed erroneously to
authors of previous versions.
Some devices are designed to deny users access to install or run
modified versions of the software inside them, although the manufacturer
can do so. This is fundamentally incompatible with the aim of
protecting users' freedom to change the software. The systematic
pattern of such abuse occurs in the area of products for individuals to
use, which is precisely where it is most unacceptable. Therefore, we
have designed this version of the GPL to prohibit the practice for those
products. If such problems arise substantially in other domains, we
stand ready to extend this provision to those domains in future versions
of the GPL, as needed to protect the freedom of users.
Finally, every program is threatened constantly by software patents.
States should not allow patents to restrict development and use of
software on general-purpose computers, but in those that do, we wish to
avoid the special danger that patents applied to a free program could
make it effectively proprietary. To prevent this, the GPL assures that
patents cannot be used to render the program non-free.
The precise terms and conditions for copying, distribution and
modification follow.
TERMS AND CONDITIONS
0. Definitions.
"This License" refers to version 3 of the GNU General Public License.
"Copyright" also means copyright-like laws that apply to other kinds of
works, such as semiconductor masks.
"The Program" refers to any copyrightable work licensed under this
License. Each licensee is addressed as "you". "Licensees" and
"recipients" may be individuals or organizations.
To "modify" a work means to copy from or adapt all or part of the work
in a fashion requiring copyright permission, other than the making of an
exact copy. The resulting work is called a "modified version" of the
earlier work or a work "based on" the earlier work.
A "covered work" means either the unmodified Program or a work based
on the Program.
To "propagate" a work means to do anything with it that, without
permission, would make you directly or secondarily liable for
infringement under applicable copyright law, except executing it on a
computer or modifying a private copy. Propagation includes copying,
distribution (with or without modification), making available to the
public, and in some countries other activities as well.
To "convey" a work means any kind of propagation that enables other
parties to make or receive copies. Mere interaction with a user through
a computer network, with no transfer of a copy, is not conveying.
An interactive user interface displays "Appropriate Legal Notices"
to the extent that it includes a convenient and prominently visible
feature that (1) displays an appropriate copyright notice, and (2)
tells the user that there is no warranty for the work (except to the
extent that warranties are provided), that licensees may convey the
work under this License, and how to view a copy of this License. If
the interface presents a list of user commands or options, such as a
menu, a prominent item in the list meets this criterion.
1. Source Code.
The "source code" for a work means the preferred form of the work
for making modifications to it. "Object code" means any non-source
form of a work.
A "Standard Interface" means an interface that either is an official
standard defined by a recognized standards body, or, in the case of
interfaces specified for a particular programming language, one that
is widely used among developers working in that language.
The "System Libraries" of an executable work include anything, other
than the work as a whole, that (a) is included in the normal form of
packaging a Major Component, but which is not part of that Major
Component, and (b) serves only to enable use of the work with that
Major Component, or to implement a Standard Interface for which an
implementation is available to the public in source code form. A
"Major Component", in this context, means a major essential component
(kernel, window system, and so on) of the specific operating system
(if any) on which the executable work runs, or a compiler used to
produce the work, or an object code interpreter used to run it.
The "Corresponding Source" for a work in object code form means all
the source code needed to generate, install, and (for an executable
work) run the object code and to modify the work, including scripts to
control those activities. However, it does not include the work's
System Libraries, or general-purpose tools or generally available free
programs which are used unmodified in performing those activities but
which are not part of the work. For example, Corresponding Source
includes interface definition files associated with source files for
the work, and the source code for shared libraries and dynamically
linked subprograms that the work is specifically designed to require,
such as by intimate data communication or control flow between those
subprograms and other parts of the work.
The Corresponding Source need not include anything that users
can regenerate automatically from other parts of the Corresponding
Source.
The Corresponding Source for a work in source code form is that
same work.
2. Basic Permissions.
All rights granted under this License are granted for the term of
copyright on the Program, and are irrevocable provided the stated
conditions are met. This License explicitly affirms your unlimited
permission to run the unmodified Program. The output from running a
covered work is covered by this License only if the output, given its
content, constitutes a covered work. This License acknowledges your
rights of fair use or other equivalent, as provided by copyright law.
You may make, run and propagate covered works that you do not
convey, without conditions so long as your license otherwise remains
in force. You may convey covered works to others for the sole purpose
of having them make modifications exclusively for you, or provide you
with facilities for running those works, provided that you comply with
the terms of this License in conveying all material for which you do
not control copyright. Those thus making or running the covered works
for you must do so exclusively on your behalf, under your direction
and control, on terms that prohibit them from making any copies of
your copyrighted material outside their relationship with you.
Conveying under any other circumstances is permitted solely under
the conditions stated below. Sublicensing is not allowed; section 10
makes it unnecessary.
3. Protecting Users' Legal Rights From Anti-Circumvention Law.
No covered work shall be deemed part of an effective technological
measure under any applicable law fulfilling obligations under article
11 of the WIPO copyright treaty adopted on 20 December 1996, or
similar laws prohibiting or restricting circumvention of such
measures.
When you convey a covered work, you waive any legal power to forbid
circumvention of technological measures to the extent such circumvention
is effected by exercising rights under this License with respect to
the covered work, and you disclaim any intention to limit operation or
modification of the work as a means of enforcing, against the work's
users, your or third parties' legal rights to forbid circumvention of
technological measures.
4. Conveying Verbatim Copies.
You may convey verbatim copies of the Program's source code as you
receive it, in any medium, provided that you conspicuously and
appropriately publish on each copy an appropriate copyright notice;
keep intact all notices stating that this License and any
non-permissive terms added in accord with section 7 apply to the code;
keep intact all notices of the absence of any warranty; and give all
recipients a copy of this License along with the Program.
You may charge any price or no price for each copy that you convey,
and you may offer support or warranty protection for a fee.
5. Conveying Modified Source Versions.
You may convey a work based on the Program, or the modifications to
produce it from the Program, in the form of source code under the
terms of section 4, provided that you also meet all of these conditions:
a) The work must carry prominent notices stating that you modified
it, and giving a relevant date.
b) The work must carry prominent notices stating that it is
released under this License and any conditions added under section
7. This requirement modifies the requirement in section 4 to
"keep intact all notices".
c) You must license the entire work, as a whole, under this
License to anyone who comes into possession of a copy. This
License will therefore apply, along with any applicable section 7
additional terms, to the whole of the work, and all its parts,
regardless of how they are packaged. This License gives no
permission to license the work in any other way, but it does not
invalidate such permission if you have separately received it.
d) If the work has interactive user interfaces, each must display
Appropriate Legal Notices; however, if the Program has interactive
interfaces that do not display Appropriate Legal Notices, your
work need not make them do so.
A compilation of a covered work with other separate and independent
works, which are not by their nature extensions of the covered work,
and which are not combined with it such as to form a larger program,
in or on a volume of a storage or distribution medium, is called an
"aggregate" if the compilation and its resulting copyright are not
used to limit the access or legal rights of the compilation's users
beyond what the individual works permit. Inclusion of a covered work
in an aggregate does not cause this License to apply to the other
parts of the aggregate.
6. Conveying Non-Source Forms.
You may convey a covered work in object code form under the terms
of sections 4 and 5, provided that you also convey the
machine-readable Corresponding Source under the terms of this License,
in one of these ways:
a) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by the
Corresponding Source fixed on a durable physical medium
customarily used for software interchange.
b) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by a
written offer, valid for at least three years and valid for as
long as you offer spare parts or customer support for that product
model, to give anyone who possesses the object code either (1) a
copy of the Corresponding Source for all the software in the
product that is covered by this License, on a durable physical
medium customarily used for software interchange, for a price no
more than your reasonable cost of physically performing this
conveying of source, or (2) access to copy the
Corresponding Source from a network server at no charge.
c) Convey individual copies of the object code with a copy of the
written offer to provide the Corresponding Source. This
alternative is allowed only occasionally and noncommercially, and
only if you received the object code with such an offer, in accord
with subsection 6b.
d) Convey the object code by offering access from a designated
place (gratis or for a charge), and offer equivalent access to the
Corresponding Source in the same way through the same place at no
further charge. You need not require recipients to copy the
Corresponding Source along with the object code. If the place to
copy the object code is a network server, the Corresponding Source
may be on a different server (operated by you or a third party)
that supports equivalent copying facilities, provided you maintain
clear directions next to the object code saying where to find the
Corresponding Source. Regardless of what server hosts the
Corresponding Source, you remain obligated to ensure that it is
available for as long as needed to satisfy these requirements.
e) Convey the object code using peer-to-peer transmission, provided
you inform other peers where the object code and Corresponding
Source of the work are being offered to the general public at no
charge under subsection 6d.
A separable portion of the object code, whose source code is excluded
from the Corresponding Source as a System Library, need not be
included in conveying the object code work.
A "User Product" is either (1) a "consumer product", which means any
tangible personal property which is normally used for personal, family,
or household purposes, or (2) anything designed or sold for incorporation
into a dwelling. In determining whether a product is a consumer product,
doubtful cases shall be resolved in favor of coverage. For a particular
product received by a particular user, "normally used" refers to a
typical or common use of that class of product, regardless of the status
of the particular user or of the way in which the particular user
actually uses, or expects or is expected to use, the product. A product
is a consumer product regardless of whether the product has substantial
commercial, industrial or non-consumer uses, unless such uses represent
the only significant mode of use of the product.
"Installation Information" for a User Product means any methods,
procedures, authorization keys, or other information required to install
and execute modified versions of a covered work in that User Product from
a modified version of its Corresponding Source. The information must
suffice to ensure that the continued functioning of the modified object
code is in no case prevented or interfered with solely because
modification has been made.
If you convey an object code work under this section in, or with, or
specifically for use in, a User Product, and the conveying occurs as
part of a transaction in which the right of possession and use of the
User Product is transferred to the recipient in perpetuity or for a
fixed term (regardless of how the transaction is characterized), the
Corresponding Source conveyed under this section must be accompanied
by the Installation Information. But this requirement does not apply
if neither you nor any third party retains the ability to install
modified object code on the User Product (for example, the work has
been installed in ROM).
The requirement to provide Installation Information does not include a
requirement to continue to provide support service, warranty, or updates
for a work that has been modified or installed by the recipient, or for
the User Product in which it has been modified or installed. Access to a
network may be denied when the modification itself materially and
adversely affects the operation of the network or violates the rules and
protocols for communication across the network.
Corresponding Source conveyed, and Installation Information provided,
in accord with this section must be in a format that is publicly
documented (and with an implementation available to the public in
source code form), and must require no special password or key for
unpacking, reading or copying.
7. Additional Terms.
"Additional permissions" are terms that supplement the terms of this
License by making exceptions from one or more of its conditions.
Additional permissions that are applicable to the entire Program shall
be treated as though they were included in this License, to the extent
that they are valid under applicable law. If additional permissions
apply only to part of the Program, that part may be used separately
under those permissions, but the entire Program remains governed by
this License without regard to the additional permissions.
When you convey a copy of a covered work, you may at your option
remove any additional permissions from that copy, or from any part of
it. (Additional permissions may be written to require their own
removal in certain cases when you modify the work.) You may place
additional permissions on material, added by you to a covered work,
for which you have or can give appropriate copyright permission.
Notwithstanding any other provision of this License, for material you
add to a covered work, you may (if authorized by the copyright holders of
that material) supplement the terms of this License with terms:
a) Disclaiming warranty or limiting liability differently from the
terms of sections 15 and 16 of this License; or
b) Requiring preservation of specified reasonable legal notices or
author attributions in that material or in the Appropriate Legal
Notices displayed by works containing it; or
c) Prohibiting misrepresentation of the origin of that material, or
requiring that modified versions of such material be marked in
reasonable ways as different from the original version; or
d) Limiting the use for publicity purposes of names of licensors or
authors of the material; or
e) Declining to grant rights under trademark law for use of some
trade names, trademarks, or service marks; or
f) Requiring indemnification of licensors and authors of that
material by anyone who conveys the material (or modified versions of
it) with contractual assumptions of liability to the recipient, for
any liability that these contractual assumptions directly impose on
those licensors and authors.
All other non-permissive additional terms are considered "further
restrictions" within the meaning of section 10. If the Program as you
received it, or any part of it, contains a notice stating that it is
governed by this License along with a term that is a further
restriction, you may remove that term. If a license document contains
a further restriction but permits relicensing or conveying under this
License, you may add to a covered work material governed by the terms
of that license document, provided that the further restriction does
not survive such relicensing or conveying.
If you add terms to a covered work in accord with this section, you
must place, in the relevant source files, a statement of the
additional terms that apply to those files, or a notice indicating
where to find the applicable terms.
Additional terms, permissive or non-permissive, may be stated in the
form of a separately written license, or stated as exceptions;
the above requirements apply either way.
8. Termination.
You may not propagate or modify a covered work except as expressly
provided under this License. Any attempt otherwise to propagate or
modify it is void, and will automatically terminate your rights under
this License (including any patent licenses granted under the third
paragraph of section 11).
However, if you cease all violation of this License, then your
license from a particular copyright holder is reinstated (a)
provisionally, unless and until the copyright holder explicitly and
finally terminates your license, and (b) permanently, if the copyright
holder fails to notify you of the violation by some reasonable means
prior to 60 days after the cessation.
Moreover, your license from a particular copyright holder is
reinstated permanently if the copyright holder notifies you of the
violation by some reasonable means, this is the first time you have
received notice of violation of this License (for any work) from that
copyright holder, and you cure the violation prior to 30 days after
your receipt of the notice.
Termination of your rights under this section does not terminate the
licenses of parties who have received copies or rights from you under
this License. If your rights have been terminated and not permanently
reinstated, you do not qualify to receive new licenses for the same
material under section 10.
9. Acceptance Not Required for Having Copies.
You are not required to accept this License in order to receive or
run a copy of the Program. Ancillary propagation of a covered work
occurring solely as a consequence of using peer-to-peer transmission
to receive a copy likewise does not require acceptance. However,
nothing other than this License grants you permission to propagate or
modify any covered work. These actions infringe copyright if you do
not accept this License. Therefore, by modifying or propagating a
covered work, you indicate your acceptance of this License to do so.
10. Automatic Licensing of Downstream Recipients.
Each time you convey a covered work, the recipient automatically
receives a license from the original licensors, to run, modify and
propagate that work, subject to this License. You are not responsible
for enforcing compliance by third parties with this License.
An "entity transaction" is a transaction transferring control of an
organization, or substantially all assets of one, or subdividing an
organization, or merging organizations. If propagation of a covered
work results from an entity transaction, each party to that
transaction who receives a copy of the work also receives whatever
licenses to the work the party's predecessor in interest had or could
give under the previous paragraph, plus a right to possession of the
Corresponding Source of the work from the predecessor in interest, if
the predecessor has it or can get it with reasonable efforts.
You may not impose any further restrictions on the exercise of the
rights granted or affirmed under this License. For example, you may
not impose a license fee, royalty, or other charge for exercise of
rights granted under this License, and you may not initiate litigation
(including a cross-claim or counterclaim in a lawsuit) alleging that
any patent claim is infringed by making, using, selling, offering for
sale, or importing the Program or any portion of it.
11. Patents.
A "contributor" is a copyright holder who authorizes use under this
License of the Program or a work on which the Program is based. The
work thus licensed is called the contributor's "contributor version".
A contributor's "essential patent claims" are all patent claims
owned or controlled by the contributor, whether already acquired or
hereafter acquired, that would be infringed by some manner, permitted
by this License, of making, using, or selling its contributor version,
but do not include claims that would be infringed only as a
consequence of further modification of the contributor version. For
purposes of this definition, "control" includes the right to grant
patent sublicenses in a manner consistent with the requirements of
this License.
Each contributor grants you a non-exclusive, worldwide, royalty-free
patent license under the contributor's essential patent claims, to
make, use, sell, offer for sale, import and otherwise run, modify and
propagate the contents of its contributor version.
In the following three paragraphs, a "patent license" is any express
agreement or commitment, however denominated, not to enforce a patent
(such as an express permission to practice a patent or covenant not to
sue for patent infringement). To "grant" such a patent license to a
party means to make such an agreement or commitment not to enforce a
patent against the party.
If you convey a covered work, knowingly relying on a patent license,
and the Corresponding Source of the work is not available for anyone
to copy, free of charge and under the terms of this License, through a
publicly available network server or other readily accessible means,
then you must either (1) cause the Corresponding Source to be so
available, or (2) arrange to deprive yourself of the benefit of the
patent license for this particular work, or (3) arrange, in a manner
consistent with the requirements of this License, to extend the patent
license to downstream recipients. "Knowingly relying" means you have
actual knowledge that, but for the patent license, your conveying the
covered work in a country, or your recipient's use of the covered work
in a country, would infringe one or more identifiable patents in that
country that you have reason to believe are valid.
If, pursuant to or in connection with a single transaction or
arrangement, you convey, or propagate by procuring conveyance of, a
covered work, and grant a patent license to some of the parties
receiving the covered work authorizing them to use, propagate, modify
or convey a specific copy of the covered work, then the patent license
you grant is automatically extended to all recipients of the covered
work and works based on it.
A patent license is "discriminatory" if it does not include within
the scope of its coverage, prohibits the exercise of, or is
conditioned on the non-exercise of one or more of the rights that are
specifically granted under this License. You may not convey a covered
work if you are a party to an arrangement with a third party that is
in the business of distributing software, under which you make payment
to the third party based on the extent of your activity of conveying
the work, and under which the third party grants, to any of the
parties who would receive the covered work from you, a discriminatory
patent license (a) in connection with copies of the covered work
conveyed by you (or copies made from those copies), or (b) primarily
for and in connection with specific products or compilations that
contain the covered work, unless you entered into that arrangement,
or that patent license was granted, prior to 28 March 2007.
Nothing in this License shall be construed as excluding or limiting
any implied license or other defenses to infringement that may
otherwise be available to you under applicable patent law.
12. No Surrender of Others' Freedom.
If conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot convey a
covered work so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you may
not convey it at all. For example, if you agree to terms that obligate you
to collect a royalty for further conveying from those to whom you convey
the Program, the only way you could satisfy both those terms and this
License would be to refrain entirely from conveying the Program.
13. Use with the GNU Affero General Public License.
Notwithstanding any other provision of this License, you have
permission to link or combine any covered work with a work licensed
under version 3 of the GNU Affero General Public License into a single
combined work, and to convey the resulting work. The terms of this
License will continue to apply to the part which is the covered work,
but the special requirements of the GNU Affero General Public License,
section 13, concerning interaction through a network will apply to the
combination as such.
14. Revised Versions of this License.
The Free Software Foundation may publish revised and/or new versions of
the GNU General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the
Program specifies that a certain numbered version of the GNU General
Public License "or any later version" applies to it, you have the
option of following the terms and conditions either of that numbered
version or of any later version published by the Free Software
Foundation. If the Program does not specify a version number of the
GNU General Public License, you may choose any version ever published
by the Free Software Foundation.
If the Program specifies that a proxy can decide which future
versions of the GNU General Public License can be used, that proxy's
public statement of acceptance of a version permanently authorizes you
to choose that version for the Program.
Later license versions may give you additional or different
permissions. However, no additional obligations are imposed on any
author or copyright holder as a result of your choosing to follow a
later version.
15. Disclaimer of Warranty.
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
16. Limitation of Liability.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.
17. Interpretation of Sections 15 and 16.
If the disclaimer of warranty and limitation of liability provided
above cannot be given local legal effect according to their terms,
reviewing courts shall apply local law that most closely approximates
an absolute waiver of all civil liability in connection with the
Program, unless a warranty or assumption of liability accompanies a
copy of the Program in return for a fee.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
state the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
Copyright (C) <year> <name of author>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
Also add information on how to contact you by electronic and paper mail.
If the program does terminal interaction, make it output a short
notice like this when it starts in an interactive mode:
Copyright (C) <year> <name of author>
This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, your program's commands
might be different; for a GUI interface, you would use an "about box".
You should also get your employer (if you work as a programmer) or school,
if any, to sign a "copyright disclaimer" for the program, if necessary.
For more information on this, and how to apply and follow the GNU GPL, see
<https://www.gnu.org/licenses/>.
The GNU General Public License does not permit incorporating your program
into proprietary programs. If your program is a subroutine library, you
may consider it more useful to permit linking proprietary applications with
the library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License. But first, please read
<https://www.gnu.org/licenses/why-not-lgpl.html>.
================================================
FILE: README-CN.md
================================================
# harbian-audit审计与加固
## 简介
本项目是面向 Debian GNU/Linux、CentOS 8 和 Ubuntu 发行版的安全审计与加固工具。当前主要测试环境为 Debian GNU/Linux 9/10/11/12/13、CentOS 8 以及 Ubuntu 22,其他版本尚未经过充分测试。本项目主要面向服务器场景,暂未针对桌面环境实现对应检查项。
本项目基于 [OVH-debian-cis](https://github.com/ovh/debian-cis) 框架,并结合 Debian GNU/Linux 9 的一些特性进行了优化。同时参考了安全合规基线 STIG([STIG Red_Hat_Enterprise_Linux_7_V2R5](https://github.com/hardenedlinux/STIG-OS-mirror/blob/master/redhat-STIG-DOCs/U_Red_Hat_Enterprise_Linux_7_V2R5_STIG.zip) 及 [STIG Ubuntu V1R2](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Canonical_Ubuntu_16-04_LTS_V1R2_STIG.zip))和 CIS([cisecurity.org](https://www.cisecurity.org/)),补充了安全检查项;另外也结合 HardenedLinux 社区在实际生产环境中的经验,实现了一些额外安全检查项的审计功能。项目不仅支持安全审计,也支持自动修复。
审计功能的使用示例:
```console
# bash bin/hardening.sh --audit-all
[...]
hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/13.15_check_duplicate_gid.sh
13.15_check_duplicate_gid [INFO] Working on 13.15_check_duplicate_gid
13.15_check_duplicate_gid [INFO] Checking Configuration
13.15_check_duplicate_gid [INFO] Performing audit
13.15_check_duplicate_gid [ OK ] No duplicate GIDs
13.15_check_duplicate_gid [ OK ] Check Passed
[...]
################### SUMMARY ###################
Total Available Checks : 271
Total Checks Run : 271
Total Passed Checks : [ 226/271 ]
Total Failed Checks : [ 44/271 ]
Enabled Checks Percentage : 100.00 %
Conformity Percentage : 83.39 %
```
## 快速上手使用介绍
### 下载及初始化
```console
$ git clone https://github.com/hardenedlinux/harbian-audit.git && cd harbian-audit
# cp etc/default.cfg /etc/default/cis-hardening
# sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
# bin/hardening.sh --init
```
### 对所有安全检查项执行审计
```
# bin/hardening.sh --audit-all
hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/1.1_install_updates.sh
1.1_install_updates [INFO] Working on 1.1_install_updates
1.1_install_updates [INFO] Checking Configuration
1.1_install_updates [INFO] Performing audit
1.1_install_updates [INFO] Checking if apt needs an update
1.1_install_updates [INFO] Fetching upgrades ...
1.1_install_updates [ OK ] No upgrades available
1.1_install_updates [ OK ] Check Passed
[...]
################### SUMMARY ###################
Total Available Checks : 270
Total Checks Run : 270
Total Passed Checks : [ 226/270 ]
Total Failed Checks : [ 44/270 ]
Enabled Checks Percentage : 100.00 %
Conformity Percentage : 83.70 %
```
### 设置加固级别并执行自动修复
```
# bin/hardening.sh --set-hardening-level 5
# bin/hardening.sh --apply
hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/1.1_install_updates.sh
1.1_install_updates [INFO] Working on 1.1_install_updates
1.1_install_updates [INFO] Checking Configuration
1.1_install_updates [INFO] Performing audit
1.1_install_updates [INFO] Checking if apt needs an update
1.1_install_updates [INFO] Fetching upgrades ...
1.1_install_updates [ OK ] No upgrades available
1.1_install_updates [INFO] Applying Hardening
1.1_install_updates [ OK ] No Upgrades to apply
1.1_install_updates [ OK ] Check Passed
[...]
```
## 用法简介
### 需要预装的软件
如果 Debian GNU/Linux 系统采用最小化安装方式,在使用本项目之前需要先安装以下软件:
```
# apt-get install -y bc net-tools pciutils
```
如果系统是 RedHat/CentOS,在使用本项目前,需要安装以下软件包:
```
# yum install -y bc net-tools pciutils NetworkManager epel-release
```
### 需要预先进行的配置
在使用本项目前,必须为所有会用到的用户设置密码。否则在执行自动化加固后,相关用户可能无法登录系统。此外,由于部分加固项(如 9.4 的 su 限制、7.4.4 的 hosts.deny、防火墙规则以及密码策略)可能导致远程登录失败,建议在执行 `--apply` 前准备好带外访问方式(串口、IPMI 或虚拟机控制台),并在加固期间保持一个已登录的 root 会话,直到确认可以重新登录为止。例如(用户:root 和 test):
```
# passwd
# passwd test
```
### 项目本身的配置
审计与修复脚本位于 `bin/hardening` 目录中,每个脚本文件都对应一个位于 `etc/conf.d/[script_name].cfg` 的配置文件(路径相对于 `/etc/default/cis-hardening` 中设置的 `CIS_ROOT_DIR`)。每个脚本都可以单独设置为 `enabled` 或 `disabled`,例如 `etc/conf.d/10.2_disable_system_accounts.cfg`:
```
# Configuration for script of same name
status=disabled
# Put here your exceptions concerning admin accounts shells separated by spaces
EXCEPTIONS=""
```
`status` 参数有 3 个可选值:
- `disabled` (do nothing): 执行时不运行该脚本
- `audit` (RO): 仅执行审计检查
- `enabled` (RW): 执行审计检查,并尝试自动修复
如需为每个脚本生成对应配置文件,并设置审计级别,可使用以下命令:
1. 首次执行本项目时,可通过 `audit-all` 参数生成 `etc/conf.d/[script_name].cfg`:
```
# bash bin/hardening.sh --audit-all
```
2. 使用 `set-hardening-level` 参数,将对应级别的 `[script_name].cfg` 配置文件设为 `enabled` 状态:
```
# bash bin/hardening.sh --set-hardening-level <level>    # 例如 5(最高等级)
```
通用配置文件为 `etc/hardening.cfg`。该文件可用于控制日志级别和备份目录;备份目录用于在自动修复时保存原始配置文件。
### 审计及修复操作(执行加固后,必须完成“修复后必须进行的操作”章节中的内容)
执行审计或修复时,运行 `bin/hardening.sh`。该命令主要有两种执行模式:
- `--audit`: 对所有配置为 `enabled` 的脚本执行审计
- `--apply`: 对所有配置为 `enabled` 的脚本执行审计并尝试修复
另外,`--audit-all` 参数会强制执行所有审计脚本,包括配置为 `disabled` 的脚本;该操作不会修改系统(即不会执行修复)。
`--audit-all-enable-passed` 参数可用作快速初始化配置的快捷方式:它会以审计模式执行所有脚本,如果某个脚本审计通过,则自动将其对应配置文件设为 `enabled`。如果你已经自定义了配置文件,不建议使用此参数。
使用以下命令对系统进行加固/修复:
```
# bash bin/hardening.sh --apply
```
## 修复后必须进行的操作(非常重要)
当 `set-hardening-level` 设为 5(最高等级)并执行 `--apply` 后,还需要完成以下操作:
1. 当 9.4 项(Restrict Access to the su Command)被修复后,如果仍然存在必须使用 `su` 的场景,例如通过 SSH 以普通用户登录后再切换到其他用户,可以使用以下命令临时解除限制:
```
# sed -i '/^[^#].*pam_wheel.so.*/s/^/# &/' /etc/pam.d/su
```
该命令会临时注释掉包含 `pam_wheel.so` 的行。使用完 `su` 后,请立即恢复该行(去掉注释),否则 9.4 项的加固会持续失效。更稳妥的做法是不修改 PAM 配置,而是把需要使用 `su` 的管理员账号加入 `pam_wheel.so` 行中 `group=` 所指定的组(未指定时默认为 `wheel`),然后用 `bin/hardening.sh --audit --only 9.4` 确认该项仍然通过。
2. 当 7.4.4 项(`7.4.4_hosts_deny.sh`)被修复后,系统将通过 TCP wrappers 拒绝所有未被显式允许的连接(例如 SSH 连接),因此需要在 `/etc/hosts.allow` 中配置允许访问此主机的来源。建议在执行 `--apply` 之前就完成该配置,或至少在加固期间保持一个已登录的控制台会话,以免把自己锁在系统之外。例如:
```
# echo "ALL: 192.168.1. 192.168.5." >> /etc/hosts.allow
```
该示例表示仅允许 `192.168.1.0/24` 和 `192.168.5.0/24` 两个网段访问此系统(以 `.` 结尾的写法为前缀匹配)。请根据实际场景调整配置。注意 `hosts.allow`/`hosts.deny` 只对链接了 libwrap(TCP wrappers)的服务生效,不要将其作为唯一的网络访问控制手段,仍应按第 4 步配置防火墙规则。
3. 为普通用户授予 sudo 权限,例如(用户名为 `test`)。建议通过 `/etc/sudoers.d/` 下的独立文件授予,并在退出 root 会话前用 `visudo -c` 校验语法——sudoers 中的语法错误会导致 sudo 完全不可用:
```
# echo "test ALL=(ALL:ALL) ALL" > /etc/sudoers.d/test
# chmod 0440 /etc/sudoers.d/test
# visudo -c
```
也可以直接修改 `/etc/sudoers`(`sed -i "/^root/a\test ALL=(ALL:ALL) ALL" /etc/sudoers`),但同样必须随后执行 `visudo -c`。注意 10.1.6 和 10.1.7 项会移除带 `NOPASSWD` 或 `!authenticate` 的规则,因此不要为该用户配置免密 sudo。
4. 设置基础 iptables 防火墙规则
请根据实际场景配置防火墙规则,可参考 HardenedLinux 社区整理的 Debian GNU/Linux 基础防火墙规则:
[etc.iptables.rules.v4.sh](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/etc.iptables.rules.v4.sh)
基于 iptables 的部署(以下命令需在同一个 root shell 中执行,以保证变量生效):
```
# INTERFACENAME=eth0    # 替换为实际的对外网卡名称
# bash docs/configurations/etc.iptables.rules.v4.sh "$INTERFACENAME"
# iptables-save > /etc/iptables/rules.v4
# ip6tables-save > /etc/iptables/rules.v6
```
在保存规则前,请先从一个新的 SSH 会话确认管理访问未被阻断;`/etc/iptables/rules.v4` 通常由 `iptables-persistent` 在启动时加载,持久化方法参见下文“How to persistent iptables rules with debian 9”文档。
基于 nft 的部署:
按以下命令修改 `nftables.conf`(将对外网卡名称替换为实际值,例如 `eth0`;`ens33` 为文件中的默认值):
```
$ sed -i 's/^define int_if = ens33/define int_if = eth0/g' etc.nftables.conf
# nft -f ./etc.nftables.conf
```
同样建议在保持一个已登录会话的前提下加载规则,确认管理访问正常后,再参考下文“How to persistent nft rules with debian 10”文档进行持久化。
5. 当所有安全基线项都修复完成后,可使用 `--final` 完成以下收尾工作:
1. 使用 `passwd` 命令重新设置普通用户及 root 用户的密码,以满足 `pam_cracklib` 模块对密码强度的要求。
2. 重新初始化 aide 工具的数据库。
```
# bin/hardening.sh --final
```
## 特别注意
### 必须在第一次应用修复后处理的项
8.1.35:此项一旦设置完成,auditd 的规则集将被锁定为不可变(通常对应 `auditctl -e 2`),无法继续添加新的审计规则,只有重启系统后才能修改;因此请在其他 8.1.x 审计规则项全部修复之后再启用该项。
### 必须在所有项都修复完成后再处理的项
8.4.1、8.4.2:这两项都与 aide 文件完整性检测有关,最好在所有修复完成后再执行,以便基于修复完成后的系统文件初始化完整性数据库。
### 一些检查项需要多次修复,且操作系统可能需要多次重启
#### 需要执行两次修复的项
8.1.1.2
8.1.1.3
8.1.12
4.5
## 扩展(如何添加检查项)
**获取源码**
```console
$ git clone https://github.com/hardenedlinux/harbian-audit.git
```
**添加一个自定义脚本**
```console
$ cp src/skel bin/hardening/99.99_custom_script.sh
$ chmod +x bin/hardening/99.99_custom_script.sh
$ cp src/skel.cfg etc/conf.d/99.99_custom_script.cfg
```
将对应配置文件设为 `enabled`,然后执行审计及加固测试(注意 sed 默认使用基本正则,其中 `+` 是普通字符,因此匹配模式应写成 `status=.*`):
```console
$ sed -i "s/status=.*/status=enabled/" etc/conf.d/99.99_custom_script.cfg
# bash bin/hardening.sh --audit --only 99.99
# bash bin/hardening.sh --apply --only 99.99
```
## 项目相关文档列表
### Harbian-audit benchmark for Debian GNU/Linux 9
This document is a description of the additions to the sections not included in the [CIS reference documentation](https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=debian8.100). Includes STIG reference documentation and additional checks recommended by the HardenedLinux community.
[CIS Debian GNU/Linux 8 Benchmark v1.0.0](https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=debian8.100)
[CIS Debian GNU/Linux 9 Benchmark v1.0.0](https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=debian8.100)
[harbian audit Debian Linux 9 Benchmark](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd)
### 手动修复操作文档列表
[How to config grub2 password protection](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_config_grub2_password_protection.mkd)
[How to persistent iptables rules with debian 9](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_persistent_iptables_rules_with_debian_9.mkd)
[How to deploy audisp-remote for auditd log](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_deploy_audisp_remote_for_audit_log.mkd)
[How to migrating from iptables to nftables in debian10](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_migrating_from_iptables_to_nftables_in_debian10.md)
[How to persistent nft rules with debian 10](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_persistent_nft_rules_with_debian_10.mkd)
[How to fix SELinux access denied](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_fix_SELinux_access_denied.mkd)
### 应用场景示例文档列表
[Nodejs + redis + mysql demo](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/use-cases/nodejs-redis-mysql-usecase/README.md)
[deploy-hyperledger-cello-on-debian-9](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/use-cases/hyperledger-cello-usecase/README.mkd)
[nginx-mutual-ssl-proxy-http](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/use-cases/tls-transmission-usecase/nginx-mutual-ssl-proxy-http-service/Readme.mkd)
[nginx-mutual-ssl-proxy-tcp-udp](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/use-cases/tls-transmission-usecase/using-Nginx-as-SSL-tunnel-4TCP-UDP-service/Readme.mkd)
## harbian-audit 合规镜像
### AMI(Amazon Machine Image) Public
#### 相关文档
[how to creating and making an AMI public](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd)
[how to use harbian-audit complianced for GNU/Linux Debian 9](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/AMI/how_to_use_harbian_audit_complianced_Debian_9.mkd)
### QEMU Image
#### 相关文档
[How to creating and making a QEMU image of harbian-audit complianced Debian GNU/Linux 9](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img.mkd)
[How to use QEMU image of harbian-audit complicanced Debian GNU/Linux 9](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/QEMU/how_to_use_QEMU_image_of_harbian_audit_complianced_Debian_9.mkd)
## harbian-audit License
GPL 3.0
## OVH Disclaimer
This project is a set of tools. They are meant to help the system administrator
built a secure environment. While we use it at OVH to harden our PCI-DSS compliant
infrastructure, we can not guarantee that it will work for you. It will not
magically secure any random host.
Additionally, quoting the License:
> THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY
> EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
> WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
> DISCLAIMED. IN NO EVENT SHALL OVH SAS AND CONTRIBUTORS BE LIABLE FOR ANY
> DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
> (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
> LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
> ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
> SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
## OVH License
3-Clause BSD
## 参考列表
- **Center for Internet Security**: https://www.cisecurity.org/
- **STIG V1R4**: https://iasecontent.disa.mil/stigs/zip/U_Red_Hat_Enterprise_Linux_7_V1R4_STIG.zip
- **Firewall Rules**: https://github.com/citypw/arsenal-4-sec-testing/blob/master/bt5_firewall/debian_fw
================================================
FILE: README.md
================================================
# harbian-audit Hardening
## Introduction
Security auditing and hardening for Debian GNU/Linux, CentOS 8 and Ubuntu.
The main test environments are Debian GNU/Linux 9/10/11/12/13, CentOS 8 and Ubuntu 22; other versions are not fully tested. This release targets servers: desktop-related items are not implemented.
The code framework is based on the [OVH-debian-cis](https://github.com/ovh/debian-cis) project. Some of the original implementations were modified for the features of Debian 9/10/11/12/13 and CentOS 8; check items from [STIG Red_Hat_Enterprise_Linux_7_V2R5](https://github.com/hardenedlinux/STIG-OS-mirror/blob/master/redhat-STIG-DOCs/U_Red_Hat_Enterprise_Linux_7_V2R5_STIG.zip), [STIG Ubuntu V1R2](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Canonical_Ubuntu_16-04_LTS_V1R2_STIG.zip) and [cisecurity.org](https://www.cisecurity.org/) were added and implemented, together with additional checks contributed by the HardenedLinux community. The infrastructure implements both audit and apply modes, and automatic remediation is implemented for the items that can safely be fixed automatically.
```console
# bash bin/hardening.sh --audit-all
[...]
hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/13.15_check_duplicate_gid.sh
13.15_check_duplicate_gid [INFO] Working on 13.15_check_duplicate_gid
13.15_check_duplicate_gid [INFO] Checking Configuration
13.15_check_duplicate_gid [INFO] Performing audit
13.15_check_duplicate_gid [ OK ] No duplicate GIDs
13.15_check_duplicate_gid [ OK ] Check Passed
[...]
################### SUMMARY ###################
Total Available Checks : 271
Total Checks Run : 271
Total Passed Checks : [ 226/271 ]
Total Failed Checks : [ 44/271 ]
Enabled Checks Percentage : 100.00 %
Conformity Percentage : 83.39 %
```
## Quickstart
```console
$ git clone https://github.com/hardenedlinux/harbian-audit.git && cd harbian-audit
# cp etc/default.cfg /etc/default/cis-hardening
# sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
# bin/hardening.sh --init
# bin/hardening.sh --audit-all
hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/1.1_install_updates.sh
1.1_install_updates [INFO] Working on 1.1_install_updates
1.1_install_updates [INFO] Checking Configuration
1.1_install_updates [INFO] Performing audit
1.1_install_updates [INFO] Checking if apt needs an update
1.1_install_updates [INFO] Fetching upgrades ...
1.1_install_updates [ OK ] No upgrades available
1.1_install_updates [ OK ] Check Passed
[...]
################### SUMMARY ###################
Total Available Checks : 284
Total Checks Run : 284
Total Passed Checks : [ 260/284 ]
Total Failed Checks : [ 24/284 ]
Enabled Checks Percentage : 100.00 %
Conformity Percentage : 91.55 %
# bin/hardening.sh --set-hardening-level 5
# bin/hardening.sh --apply
hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/1.1_install_updates.sh
1.1_install_updates [INFO] Working on 1.1_install_updates
1.1_install_updates [INFO] Checking Configuration
1.1_install_updates [INFO] Performing audit
1.1_install_updates [INFO] Checking if apt needs an update
1.1_install_updates [INFO] Fetching upgrades ...
1.1_install_updates [ OK ] No upgrades available
1.1_install_updates [INFO] Applying Hardening
1.1_install_updates [ OK ] No Upgrades to apply
1.1_install_updates [ OK ] Check Passed
[...]
```
## Usage
### Pre-Install
If Debian GNU/Linux was installed via a network install from a minimal CD, install the following packages before using the hardening tool.
```
# apt-get install -y bc net-tools pciutils network-manager
```
On Red Hat/CentOS, install the following packages before using the hardening tool:
```
# yum install -y bc net-tools pciutils NetworkManager epel-release
```
### Pre-Set
You must set a password for all users before hardening; otherwise, you will not be able to log in after the hardening is completed. Example (OS users: root and test):
```
# passwd
# passwd test
```
### Configuration
Hardening scripts are in ``bin/hardening``. Each script has a corresponding
configuration file in ``etc/conf.d/[script_name].cfg``.
Each hardening script can be individually enabled from its configuration file.
For example, this is the default configuration file for ``disable_system_accounts``:
```
# Configuration for script of same name
status=disabled
# Put here your exceptions concerning admin accounts shells separated by spaces
EXCEPTIONS=""
```
``status`` parameter may take 3 values:
- ``disabled`` (do nothing): The script will not run.
- ``audit`` (RO): The script will check if any change *should* be applied.
- ``enabled`` (RW): The script will check if any change should be done and automatically apply what it can.
You can also enable configuration items by setting the hardening level, with the following commands:
1) Generate etc/conf.d/[script_name].cfg with --audit-all on first use
```
# bash bin/hardening.sh --audit-all
```
2) Enable [script_name].cfg with --set-hardening-level
Use this command to set the hardening level so that the audit entries of the corresponding level take effect.
```
# bash bin/hardening.sh --set-hardening-level
```
Global configuration is in ``etc/hardening.cfg``. This file controls the log level
as well as the backup directory. Whenever a script is instructed to edit a file, it
will create a timestamped backup in this directory.
### Run aka "Harden your distro" (after hardening, you must perform the "After remediation" section)
To run the checks and apply the fixes, run ``bin/hardening.sh``.
This command has 2 main operation modes:
- ``--audit``: Audit your system with all enabled and audit mode scripts
- ``--apply``: Audit your system with all enabled and audit mode scripts and apply changes for enabled scripts
Additionally, ``--audit-all`` can be used to force running all auditing scripts, including disabled ones. This will *not* change the system.
``--audit-all-enable-passed`` can be used as a quick way to kickstart your configuration. It will run all scripts in audit mode. If a script passes, it will automatically be enabled for future runs. Do NOT use this option if you have already started to customize your configuration.
Use the command to harden your OS:
```
# bash bin/hardening.sh --apply
```
### rsyslog config
If rsyslog is used and you want to write the harbian-audit log to a separate log file, configure it as follows:
```
user.info /var/log/harbian-audit.log
user.* -/var/log/user.log
```
The log will be output to the file /var/log/harbian-audit.log.
If you apply docs/configurations/etc.iptables.rules.v4.sh to your firewall rules and want to write the iptables log to a separate log file, insert the following lines into rsyslog.conf:
```
:msg,contains,"FW-" -/var/log/firewalllog.log
& stop
```
## After remediation (Very important)
When you run --apply with the hardening level set to 5 (the highest level), you need to do the following:
1) When applying 9.4 (Restrict Access to the su Command), you must use the root account to log in to the OS because ordinary users cannot perform the subsequent operations.
If you can only use ssh for remote login, you must use the su command after logging in as a normal user. To allow that, do the following:
```
# sed -i '/^[^#].*pam_wheel.so.*/s/^/# &/' /etc/pam.d/su
```
This temporarily comments out the line containing pam_wheel.so. After you have finished using the su command, uncomment the line again.
2) When applying 7.4.4_hosts_deny.sh, the OS can no longer be reached through the ssh service, so you need to set the list of hosts allowed to connect in /etc/hosts.allow, for example:
```
# echo "ALL: 192.168.1. 192.168.5." >> /etc/hosts.allow
```
This example only allows 192.168.1.[1-255] and 192.168.5.[1-255] to access this system; configure it according to your situation.
3) Grant sudo rights to a regular user, example (user name is test). A syntax error in /etc/sudoers disables sudo entirely, so check the file with `visudo -c` afterwards:
```
# sed -i "/^root/a\test ALL=(ALL:ALL) ALL" /etc/sudoers
```
4) Set basic firewall rules
Set the corresponding firewall rules according to the applications in use. The HardenedLinux community's basic firewall rules for Debian GNU/Linux:
### Iptables format rules:
[etc.iptables.rules.v4.sh](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/etc.iptables.rules.v4.sh)
First install the iptables-persistent package, then do the following:
```
$ INTERFACENAME="your network interfacename(Example eth0)"
# bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME
# iptables-save > /etc/iptables/rules.v4
# ip6tables-save > /etc/iptables/rules.v6
```
### nft format rules:
[nftables.conf](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/etc.nftables.conf)
Do the following (replace eth0 with your network interface name):
```
$ sed -i 's/^define int_if = ens33/define int_if = eth0/g' etc.nftables.conf
# nft -f ./etc.nftables.conf
```
5) When all repairs are complete, the --final method will:
1. Use the passwd command to change the password of the regular users and root, so that the password complexity and robustness rules of the pam_cracklib module configuration are applied.
2. Reinitialize AIDE.
```
# bin/hardening.sh --final
```
## Special Note
Some check items check a variety of situations and are interdependent; they must be applied (fixed) multiple times, and the OS must be rebooted after each apply (fix).
### Items that must be applied after the first application (a reboot afterwards is better)
8.1.35: once this item is set, the audit rules will no longer be added.
### Items that must be applied after all application is ok
8.4.1
8.4.2
These are all related to AIDE. It is best to apply them after all the other items have been fixed, so that the integrity database reflects the final state of the system.
### Items that need to be fixed twice
4.5
## Hacking
**Getting the source**
```console
$ git clone https://github.com/hardenedlinux/harbian-audit.git
```
**Adding a custom hardening script**
```console
$ cp src/skel bin/hardening/99.99_custom_script.sh
$ chmod +x bin/hardening/99.99_custom_script.sh
$ cp src/skel.cfg etc/conf.d/99.99_custom_script.cfg
```
Code your check explaining what it does then if you want to test
```console
$ sed -i "s/status=.+/status=enabled/" etc/conf.d/99.99_custom_script.cfg
$ bash bin/hardening.sh --audit --only 99.99
$ bash bin/hardening.sh --apply --only 99.99
```
## Document
### Harbian-audit benchmark for Debian GNU/Linux 9
This document is a description of the additions to the sections not included in the [CIS reference documentation](https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=debian8.100). Includes STIG reference documentation and additional checks recommended by the HardenedLinux community.
[CIS Debian GNU/Linux 8 Benchmark v1.0.0](https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=debian8.100)
[CIS Debian GNU/Linux 9 Benchmark v1.0.0](https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=debian8.100)
[harbian audit Debian Linux 9 Benchmark](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd)
### Manual Operation docs
[How to config grub2 password protection](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_config_grub2_password_protection.mkd)
[How to persistent iptables rules with debian 9](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_persistent_iptables_rules_with_debian_9.mkd)
[How to deploy audisp-remote for auditd log](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_deploy_audisp_remote_for_audit_log.mkd)
[How to migrating from iptables to nftables in debian10](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_migrating_from_iptables_to_nftables_in_debian10.md)
[How to persistent nft rules with debian 10](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_persistent_nft_rules_with_debian_10.mkd)
[How to fix SELinux access denied](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_fix_SELinux_access_denied.mkd)
### Use case docs
[Nodejs + redis + mysql demo](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/use-cases/nodejs-redis-mysql-usecase/README.md)
[deploy-hyperledger-cello-on-debian-9](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/use-cases/hyperledger-cello-usecase/README.mkd)
[nginx-mutual-ssl-proxy-http](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/use-cases/tls-transmission-usecase/nginx-mutual-ssl-proxy-http-service/Readme.mkd)
[nginx-mutual-ssl-proxy-tcp-udp](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/use-cases/tls-transmission-usecase/using-Nginx-as-SSL-tunnel-4TCP-UDP-service/Readme.mkd)
## harbian-audit complianced image
### AMI(Amazon Machine Image) Public
#### Docs
[how to creating and making an AMI public](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd)
[how to use harbian-audit complianced for GNU/Linux Debian 9](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/AMI/how_to_use_harbian_audit_complianced_Debian_9.mkd)
### QEMU Image
#### Docs
[How to creating and making a QEMU image of harbian-audit complianced Debian GNU/Linux 9](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img.mkd)
[How to use QEMU image of harbian-audit complianced Debian GNU/Linux 9](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/QEMU/how_to_use_QEMU_image_of_harbian_audit_complianced_Debian_9.mkd)
## harbian-audit License
GPL 3.0
## OVH Disclaimer
This project is a set of tools. They are meant to help the system administrator
build a secure environment. While we use it at OVH to harden our PCI-DSS compliant
infrastructure, we cannot guarantee that it will work for you. It will not
magically secure any random host.
Additionally, quoting the License:
> THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY
> EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
> WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
> DISCLAIMED. IN NO EVENT SHALL OVH SAS AND CONTRIBUTORS BE LIABLE FOR ANY
> DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
> (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
> LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
> ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
> SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
## OVH License
3-Clause BSD
## Reference
- **Center for Internet Security**: [https://www.cisecurity.org](https://www.cisecurity.org)
- **STIG V1R4**: [https://iasecontent.disa.mil/stigs/zip/U_Red_Hat_Enterprise_Linux_7_V1R4_STIG.zip](https://iasecontent.disa.mil/stigs/zip/U_Red_Hat_Enterprise_Linux_7_V1R4_STIG.zip)
- **Firewall Rules**: [https://github.com/citypw/arsenal-4-sec-testing/blob/master/bt5_firewall/debian_fw](https://github.com/citypw/arsenal-4-sec-testing/blob/master/bt5_firewall/debian_fw)
================================================
FILE: bin/harbianaudit.sh
================================================
#!/bin/bash
# For make deb package
# Paths are fixed to the installed deb layout under /opt/harbianaudit.
HARBIAN_DIR=/opt/harbianaudit

# Set the "status=" line of one or more etc/conf.d/<check>.cfg files.
#   $1    - status value to write (enabled / disabled)
#   $2..  - check names (file name without .cfg)
set_check_status() {
  local status=$1
  shift
  local check
  for check in "$@"; do
    sed -i "s/^status=.*/status=${status}/" "${HARBIAN_DIR}/etc/conf.d/${check}.cfg"
  done
}

"${HARBIAN_DIR}/bin/hardening.sh" --init
"${HARBIAN_DIR}/bin/hardening.sh" --audit-all
"${HARBIAN_DIR}/bin/hardening.sh" --set-hardening-level 5

# 7.4.4 and 9.4 stay disabled for the whole run: the README "After remediation"
# section documents that they need host-specific follow-up (hosts.allow, su access).
# The aide/auditd items are applied separately at the end, after everything else.
set_check_status disabled 7.4.4_hosts_deny 8.1.35_freeze_auditd_conf 8.4.1_install_aide 8.4.2_aide_cron 9.4_pam_restrict_su
"${HARBIAN_DIR}/bin/hardening.sh" --apply

set_check_status enabled 8.1.35_freeze_auditd_conf 8.4.1_install_aide 8.4.2_aide_cron
for check in 8.4.1 8.4.2 8.1.35; do
  "${HARBIAN_DIR}/bin/hardening.sh" --apply --only "$check"
done
================================================
FILE: bin/hardening/1.1_install_updates.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux Debian 9/10/11/12/13 or CentOS 8 Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
# 1.1 Install Updates, Patches and Additional Security Software (Scored)
#
set -eu  # abort on the first failing command or unset variable
# Level at which the framework enables this check (see --set-hardening-level).
HARDENING_LEVEL=3
audit_debian ()
{
    # Refresh the package index when the framework helper thinks it is stale,
    # then ask the helper how many upgrades are pending (reported through FNRET/RESULT).
    info "Checking if apt needs an update"
    apt_update_if_needed
    info "Fetching upgrades ..."
    apt_check_updates "CIS_APT"
    local pending=$FNRET
    # Normalise to 1/0 so apply_debian only has to test for "upgrades pending".
    if [ "$pending" -gt 0 ]; then
        crit "$RESULT"
        FNRET=1
    else
        ok "No upgrades available"
        FNRET=0
    fi
}
audit_centos ()
{
    info "Checking if yum needs an update"
    info "Fetching upgrades ..."
    # yum_check_updates reports through FNRET: 100 is treated as "updates pending",
    # 0 as "nothing to do", anything else as a helper failure. FNRET is left untouched.
    yum_check_updates
    case "$FNRET" in
        100) crit "There are packages available for an update!" ;;
        0)   ok "No upgrades available" ;;
        *)   crit "Call yum_check_updates function error!" ;;
    esac
}
# This function will be called if the script status is on enabled / audit mode
audit ()
{
    # OS_RELEASE 2 selects the CentOS path; every other value takes the Debian path.
    if (( OS_RELEASE == 2 )); then
        audit_centos
    else
        audit_debian
    fi
}
apply_debian ()
{
    # FNRET=1 is the "upgrades pending" value left by audit_debian.
    if [ "$FNRET" -eq 1 ]; then
        info "Applying Upgrades..."
        # Non-interactive upgrade; on config-file conflicts keep the installed version.
        DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y
        return
    fi
    ok "No Upgrades to apply"
}
apply_centos ()
{
    # Same FNRET contract as audit_centos: 100 = upgrade, 0 = nothing, else = helper error.
    case "$FNRET" in
        100)
            info "Applying Upgrades..."
            yum upgrade -y
            ;;
        0)
            ok "No Upgrades to apply"
            ;;
        *)
            crit "Call yum_check_updates function error!"
            ;;
    esac
}
# This function will be called if the script status is on enabled mode
apply ()
{
    # OS_RELEASE 2 selects the CentOS path; every other value takes the Debian path.
    if (( OS_RELEASE == 2 )); then
        apply_centos
    else
        apply_debian
    fi
}
# This function will check config parameters required
check_config() {
    # Nothing to validate: this check reads no configuration parameters.
    return 0
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi
================================================
FILE: bin/hardening/1.2_enable_verify_sign_packages_from_repository.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux Debian 9/10/11/12/13 or CentOS 8 Hardening
#
#
# 1.2 Enable Option for signature of packages from a repository (Scored)
# Author : Samson wen, Samson
#
set -eu  # abort on the first failing command or unset variable
# Level at which the framework enables this check (see --set-hardening-level).
HARDENING_LEVEL=2
# apt option searched under /etc/apt/; a "true" value is reported as signature checking disabled.
OPTION='AllowUnauthenticated'
# yum equivalent and the file it is expected in.
YUM_OPTION='gpgcheck'
YUM_CONF='/etc/yum.conf'
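audit_debian ()
{
    # Count non-comment lines under /etc/apt/ that set the option to true.
    # The comment filter must run on the matched lines themselves: with -r, grep
    # prefixes every hit with "file:", so a "^#" filter on that output never matched
    # and a commented-out setting was reported as a finding.
    # "|| true": grep -c exits 1 when the count is 0, which would trip "set -e".
    local hits
    hits=$(grep -rIh -- "${OPTION}" /etc/apt/ | grep -v '^[[:space:]]*#' | grep -c -- "${OPTION}.*true") || true
    if [ "${hits:-0}" -gt 0 ]; then
        crit "The signature of packages option is disable "
        FNRET=1
    else
        ok "The signature of packages option is enable "
        FNRET=0
    fi
}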
audit_centos ()
{
    # FNRET: 0 option is 1, 1 option present with another value, 2 option absent.
    if ! grep -q "^$YUM_OPTION" "$YUM_CONF"; then
        crit "Option $YUM_OPTION is not set in $YUM_CONF!"
        FNRET=2
        return
    fi
    local value
    value=$(grep "^$YUM_OPTION" "$YUM_CONF" | awk -F"=" '{print $2}')
    if [ "$value" -eq 1 ]; then
        ok "The signature of packages option is enable "
        FNRET=0
    else
        crit "The signature of packages option is disable "
        FNRET=1
    fi
}
# This function will be called if the script status is on enabled / audit mode
audit ()
{
    # OS_RELEASE 2 selects the CentOS path; every other value takes the Debian path.
    if (( OS_RELEASE == 2 )); then
        audit_centos
    else
        audit_debian
    fi
}
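apply_debian () {
    if [ "$FNRET" = 0 ]; then
        ok "The signature of packages option is enable "
        return
    fi
    warn "Set to enabled signature of packages option"
    # grep -l lists each file once, so each file is backed up and edited once, and the
    # read loop keeps file names intact. The "[^#]*" prefix rewrites only lines where
    # the option is not commented out (the old "^#" filter ran on "file:line" output
    # and never matched); text before the option, e.g. "Acquire::", is preserved.
    local conffile
    while IFS= read -r conffile; do
        backup_file "${conffile}"
        sed -i "s/^\([^#]*\)${OPTION}.*true.*/\1${OPTION} \"false\";/" "${conffile}"
    done < <(grep -rIil -- "${OPTION}" /etc/apt/)
}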
apply_centos () {
    # FNRET from audit_centos: 0 compliant, 1 option present but not 1, anything else absent.
    case "$FNRET" in
        0)
            ok "The signature of packages option is enable "
            ;;
        1)
            warn "Set to enabled signature of packages option"
            backup_file "$YUM_CONF"
            sed -i "s/$YUM_OPTION=.*/$YUM_OPTION=1/g" "$YUM_CONF"
            ;;
        *)
            warn "Add $YUM_OPTION option to $YUM_CONF"
            backup_file "$YUM_CONF"
            add_end_of_file "$YUM_CONF" "$YUM_OPTION=1"
            ;;
    esac
}
# This function will be called if the script status is on enabled mode
apply () {
    # OS_RELEASE 2 selects the CentOS path; every other value takes the Debian path.
    if (( OS_RELEASE == 2 )); then
        apply_centos
    else
        apply_debian
    fi
}
# This function will check config parameters required
check_config() {
    # Nothing to validate: this check reads no configuration parameters.
    return 0
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi
================================================
FILE: bin/hardening/1.3_enable_verify_sign_of_local_packages.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux Debian 9/10/11/12/13 or CentOS 8 Hardening
#
#
# 1.3 Enable verify the signature of local packages (Scored)
# Dependence pkg: debsig-verify
# Author : Samson wen, Samson
#
set -eu  # abort on the first failing command or unset variable
# Level at which the framework enables this check (see --set-hardening-level).
HARDENING_LEVEL=2
# dpkg option that, when active in CONFFILE, is reported as local signature checking disabled.
OPTION='no-debsig'
CONFFILE='/etc/dpkg/dpkg.cfg'
# yum equivalent and the file it is expected in.
YUM_OPTION='localpkg_gpgcheck'
YUM_CONFFILE='/etc/yum.conf'
audit_debian () {
    # Count non-comment lines of CONFFILE that still carry the option.
    # "|| true": grep -c exits 1 when the count is 0, which would trip "set -e".
    local active
    active=$(grep -v "^#" "${CONFFILE}" | grep -c "${OPTION}") || true
    if [ "$active" -gt 0 ]; then
        crit "The signature of local packages option is disable "
        FNRET=1
    else
        ok "The signature of local packages option is enable "
        FNRET=0
    fi
}
audit_centos ()
{
    # FNRET: 0 option is 1, 1 option present with another value, 2 option absent.
    if ! grep -q "^$YUM_OPTION" "$YUM_CONFFILE"; then
        crit "Option $YUM_OPTION is not set in $YUM_CONFFILE!"
        FNRET=2
        return
    fi
    local value
    value=$(grep "^$YUM_OPTION" "$YUM_CONFFILE" | awk -F"=" '{print $2}')
    if [ "$value" -eq 1 ]; then
        ok "The signature of packages option is enable "
        FNRET=0
    else
        crit "The signature of packages option is disable "
        FNRET=1
    fi
}
# This function will be called if the script status is on enabled / audit mode
audit()
{
    # OS_RELEASE 2 selects the CentOS path; every other value takes the Debian path.
    if (( OS_RELEASE == 2 )); then
        audit_centos
    else
        audit_debian
    fi
}
apply_debian () {
    if [ "$FNRET" = 0 ]; then
        ok "The signature of local packages option is enable "
        return
    fi
    warn "Set to enabled signature of local packages option"
    backup_file "$CONFFILE"
    # Comment the option out rather than deleting it, so the change stays visible in the file.
    sed -i "s/^${OPTION}/#&/" "${CONFFILE}"
}
apply_centos () {
    # FNRET from audit_centos: 0 compliant, 1 option present but not 1, anything else absent.
    case "$FNRET" in
        0)
            ok "The signature of packages option is enable "
            ;;
        1)
            backup_file "$YUM_CONFFILE"
            warn "Set to enabled signature of packages option"
            sed -i "s/$YUM_OPTION=.*/$YUM_OPTION=1/g" "$YUM_CONFFILE"
            ;;
        *)
            backup_file "$YUM_CONFFILE"
            warn "Add $YUM_OPTION option to $YUM_CONFFILE"
            add_end_of_file "$YUM_CONFFILE" "$YUM_OPTION=1"
            ;;
    esac
}
# This function will be called if the script status is on enabled mode
apply () {
    # OS_RELEASE 2 selects the CentOS path; every other value takes the Debian path.
    if (( OS_RELEASE == 2 )); then
        apply_centos
    else
        apply_debian
    fi
}
# This function will check config parameters required
check_config() {
    # Nothing to validate: this check reads no configuration parameters.
    return 0
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi
================================================
FILE: bin/hardening/1.4_set_no_allow_insecure_repository_by_apt.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux Debian 9/10/11/12/13 or CentOS 8 Hardening
#
#
# 1.4 Set no allow insecure repository when by apt update (Scored)
# Author : Samson wen, Samson
#
set -eu  # abort on the first failing command or unset variable
# Level at which the framework enables this check (see --set-hardening-level).
HARDENING_LEVEL=2
# apt option searched under /etc/apt/; a "true" value is reported as a finding.
OPTION='AllowInsecureRepositories'
# yum equivalent and the file it is expected in.
YUM_OPTION='repo_gpgcheck'
YUM_CONFFILE='/etc/yum.conf'
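audit_debian () {
    # Count non-comment lines under /etc/apt/ that set the option to true.
    # The comment filter must run on the matched lines themselves: with -r, grep
    # prefixes every hit with "file:", so a "^#" filter on that output never matched
    # and a commented-out setting was reported as a finding.
    # "|| true": grep -c exits 1 when the count is 0, which would trip "set -e".
    local hits
    hits=$(grep -rIh -- "${OPTION}" /etc/apt/ | grep -v '^[[:space:]]*#' | grep -c -- "${OPTION}.*true") || true
    if [ "${hits:-0}" -gt 0 ]; then
        crit "The allow insecure repository when by apt update is enable"
        FNRET=1
    else
        ok "The allow insecure repository when by apt update is disable"
        FNRET=0
    fi
}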
audit_centos ()
{
    # FNRET: 0 option is 1, 1 option present with another value, 2 option absent.
    if ! grep -q "^$YUM_OPTION" "$YUM_CONFFILE"; then
        crit "Option $YUM_OPTION is not set in $YUM_CONFFILE!"
        FNRET=2
        return
    fi
    local value
    value=$(grep "^$YUM_OPTION" "$YUM_CONFFILE" | awk -F"=" '{print $2}')
    if [ "$value" -eq 1 ]; then
        ok "The allow insecure repository when by yum update is disable"
        FNRET=0
    else
        crit "The signature of repodata option is disable "
        FNRET=1
    fi
}
# This function will be called if the script status is on enabled / audit mode
audit () {
    # OS_RELEASE 2 selects the CentOS path; every other value takes the Debian path.
    if (( OS_RELEASE == 2 )); then
        audit_centos
    else
        audit_debian
    fi
}
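apply_debian () {
    if [ "$FNRET" = 0 ]; then
        ok "The allow insecure repository when by apt update is disable"
        return
    fi
    warn "Set no allow insecure repository when by apt update"
    # Each file is backed up before it is edited, as the sibling 1.2 script does.
    # grep -l lists each file once and the read loop keeps file names intact. The
    # "[^#]*" prefix rewrites only lines where the option is not commented out (the
    # old "^#" filter ran on "file:line" output and never matched); text before the
    # option, e.g. "Acquire::", is preserved.
    local conffile
    while IFS= read -r conffile; do
        backup_file "${conffile}"
        sed -i "s/^\([^#]*\)${OPTION}.*true.*/\1${OPTION} \"false\";/" "${conffile}"
    done < <(grep -rIil -- "${OPTION}" /etc/apt/)
}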
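apply_centos () {
    # FNRET from audit_centos: 0 compliant, 1 option present but not 1, anything else absent.
    # A backup is taken before every edit, matching the sibling 1.2 and 1.3 scripts,
    # so the framework's backup directory can be used to roll the change back.
    case "$FNRET" in
        0)
            ok "The signature of repodata option is enable "
            ;;
        1)
            warn "Set to enabled signature of repodata option"
            backup_file "$YUM_CONFFILE"
            sed -i "s/$YUM_OPTION=.*/$YUM_OPTION=1/g" "$YUM_CONFFILE"
            ;;
        *)
            warn "Add $YUM_OPTION option to $YUM_CONFFILE"
            backup_file "$YUM_CONFFILE"
            add_end_of_file "$YUM_CONFFILE" "$YUM_OPTION=1"
            ;;
    esac
}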
# This function will be called if the script status is on enabled mode
apply () {
    # OS_RELEASE 2 selects the CentOS path; every other value takes the Debian path.
    if (( OS_RELEASE == 2 )); then
        apply_centos
    else
        apply_debian
    fi
}
# This function will check config parameters required
check_config() {
    # Nothing to validate: this check reads no configuration parameters.
    return 0
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi
================================================
FILE: bin/hardening/1.5.11_ensure_core_file_size_configured.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 13
#
#
# 1.5.11 Ensure core file size is configured
#
set -eu  # abort on the first failing command or unset variable
# Level at which the framework enables this check (see --set-hardening-level).
HARDENING_LEVEL=2
audit () {
    # is_debian_ge_13 reports through FNRET: 0 means Debian 13 or newer.
    is_debian_ge_13
    if [ "$FNRET" != 0 ]; then
        ok "Rule is not applicable to OS versions prior to Debian 13."
        FNRET=0
        return
    fi
    # file_limit_check leaves the audit result in FNRET for apply().
    file_limit_check '* hard core 0'
}
apply () {
    # audit() has already run and left the compliance result in FNRET, so that is
    # consulted first; is_debian_ge_13 is only called afterwards, when FNRET is free to be clobbered.
    if [ "$FNRET" = 0 ]; then
        ok "Already compliant. Nothing to apply for 1.5.11 Ensure core file size is configured."
        return
    fi
    is_debian_ge_13
    local is_supported=$FNRET
    if [ "$is_supported" = 0 ]; then
        file_limit_apply '* hard core 0'
    else
        ok "Rule is not applicable to OS versions prior to Debian 13."
    fi
}
check_config() {
    # Nothing to validate: this check reads no configuration parameters.
    return 0
}
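# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps the friendly message reachable under "set -u": a bare
# $CIS_ROOT_DIR aborts with "unbound variable" before the echo when the file never set it.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a root directory containing spaces still resolves.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory?"
    exit 128
fi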
================================================
FILE: bin/hardening/1.5.12_ensure_systemd_coredump_processsizemax.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 13
#
#
# 1.5.12 Ensure systemd-coredump ProcessSizeMax is configured
#
set -eu  # abort on the first failing command or unset variable
# Level at which the framework enables this check (see --set-hardening-level).
HARDENING_LEVEL=2
audit () {
    # is_debian_ge_13 reports through FNRET: 0 means Debian 13 or newer.
    is_debian_ge_13
    if [ "$FNRET" != 0 ]; then
        ok "Rule is not applicable to OS versions prior to Debian 13."
        FNRET=0
        return
    fi
    # check_param_pair_by_str reports through FNRET; it is left in place for apply().
    check_param_pair_by_str '/etc/systemd/coredump.conf' 'ProcessSizeMax' '0'
    if [ "$FNRET" = 0 ]; then
        ok "Parameter is correctly set"
    else
        crit "Parameter is missing or incorrect"
    fi
}
apply () {
    # audit() has already run and left the compliance result in FNRET, so that is
    # consulted first; is_debian_ge_13 is only called afterwards, when FNRET is free to be clobbered.
    if [ "$FNRET" = 0 ]; then
        ok "Already compliant. Nothing to apply for 1.5.12 Ensure systemd-coredump ProcessSizeMax is configured."
        return
    fi
    is_debian_ge_13
    local is_supported=$FNRET
    if [ "$is_supported" = 0 ]; then
        # Matches the line whether or not it is commented out in the stock file.
        replace_in_file_custom '/etc/systemd/coredump.conf' '^#?ProcessSizeMax.*' 'ProcessSizeMax=0'
    else
        ok "Rule is not applicable to OS versions prior to Debian 13."
    fi
}
check_config() {
    # Nothing to validate: this check reads no configuration parameters.
    return 0
}
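# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps the friendly message reachable under "set -u": a bare
# $CIS_ROOT_DIR aborts with "unbound variable" before the echo when the file never set it.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a root directory containing spaces still resolves.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory?"
    exit 128
fi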
================================================
FILE: bin/hardening/1.5.13_ensure_systemd_coredump_storage.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 13
#
#
# 1.5.13 Ensure systemd-coredump Storage is configured
#
set -eu  # abort on the first failing command or unset variable
# Level at which the framework enables this check (see --set-hardening-level).
HARDENING_LEVEL=2
audit () {
    # is_debian_ge_13 reports through FNRET: 0 means Debian 13 or newer.
    is_debian_ge_13
    if [ "$FNRET" != 0 ]; then
        ok "Rule is not applicable to OS versions prior to Debian 13."
        FNRET=0
        return
    fi
    # check_param_pair_by_str reports through FNRET; it is left in place for apply().
    check_param_pair_by_str '/etc/systemd/coredump.conf' 'Storage' 'none'
    if [ "$FNRET" = 0 ]; then
        ok "Parameter is correctly set"
    else
        crit "Parameter is missing or incorrect"
    fi
}
apply () {
    # audit() has already run and left the compliance result in FNRET, so that is
    # consulted first; is_debian_ge_13 is only called afterwards, when FNRET is free to be clobbered.
    if [ "$FNRET" = 0 ]; then
        ok "Already compliant. Nothing to apply for 1.5.13 Ensure systemd-coredump Storage is configured."
        return
    fi
    is_debian_ge_13
    local is_supported=$FNRET
    if [ "$is_supported" = 0 ]; then
        # Matches the line whether or not it is commented out in the stock file.
        replace_in_file_custom '/etc/systemd/coredump.conf' '^#?Storage.*' 'Storage=none'
    else
        ok "Rule is not applicable to OS versions prior to Debian 13."
    fi
}
check_config() {
    # Nothing to validate: this check reads no configuration parameters.
    return 0
}
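# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps the friendly message reachable under "set -u": a bare
# $CIS_ROOT_DIR aborts with "unbound variable" before the echo when the file never set it.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a root directory containing spaces still resolves.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory?"
    exit 128
fi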
================================================
FILE: bin/hardening/1.5.1_ensure_fs_protected_hardlinks.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 13
#
#
# 1.5.1 Ensure fs.protected_hardlinks is configured
#
set -eu  # abort on the first failing command or unset variable
# Level at which the framework enables this check (see --set-hardening-level).
HARDENING_LEVEL=2
audit () {
    # is_debian_ge_13 reports through FNRET: 0 means Debian 13 or newer.
    is_debian_ge_13
    if [ "$FNRET" != 0 ]; then
        ok "Rule is not applicable to OS versions prior to Debian 13."
        FNRET=0
        return
    fi
    # sysctl_check leaves the audit result in FNRET for apply().
    sysctl_check 'fs.protected_hardlinks' '1'
}
apply () {
    # audit() has already run and left the compliance result in FNRET, so that is
    # consulted first; is_debian_ge_13 is only called afterwards, when FNRET is free to be clobbered.
    if [ "$FNRET" = 0 ]; then
        ok "Already compliant. Nothing to apply for 1.5.1 Ensure fs.protected_hardlinks is configured."
        return
    fi
    is_debian_ge_13
    local is_supported=$FNRET
    if [ "$is_supported" = 0 ]; then
        sysctl_apply 'fs.protected_hardlinks' '1'
    else
        ok "Rule is not applicable to OS versions prior to Debian 13."
    fi
}
check_config() {
  # No extra configuration is needed for this rule; the hook is a no-op.
  return 0
}
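if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps the emptiness check reachable under `set -u`;
# a bare $CIS_ROOT_DIR would abort with "unbound variable" first.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# main.sh drives the audit/apply functions defined above.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory?"
  exit 128
fi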
================================================
FILE: bin/hardening/1.5.2_ensure_fs_protected_symlinks.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 13
#
#
# 1.5.2 Ensure fs.protected_symlinks is configured
#
set -eu # abort on the first failing command or unset variable
HARDENING_LEVEL=2
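audit () {
  # is_debian_ge_13 reports through FNRET; 0 selects the Debian 13+ path.
  # FNRET is quoted so an empty value cannot break the test (SC2086).
  is_debian_ge_13
  if [ "$FNRET" = 0 ]; then
    sysctl_check 'fs.protected_symlinks' '1'
  else
    # Older releases: report as not applicable and count as compliant.
    ok "Rule is not applicable to OS versions prior to Debian 13."
    FNRET=0
  fi
}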
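apply () {
  # audit() has already run and left its verdict in FNRET; reuse it rather
  # than calling is_debian_ge_13 again, which would overwrite that result.
  # The redundant "elif FNRET != 0" is now a plain else; FNRET is quoted.
  if [ "$FNRET" = 0 ]; then
    ok "Already compliant. Nothing to apply for 1.5.2 Ensure fs.protected_symlinks is configured."
  else
    # Not compliant: re-run the OS gate before writing sysctl settings.
    is_debian_ge_13
    local is_supported="$FNRET"
    if [ "$is_supported" = 0 ]; then
      sysctl_apply 'fs.protected_symlinks' '1'
    else
      ok "Rule is not applicable to OS versions prior to Debian 13."
    fi
  fi
}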
check_config() {
  # No extra configuration is needed for this rule; the hook is a no-op.
  return 0
}
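if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps the emptiness check reachable under `set -u`;
# a bare $CIS_ROOT_DIR would abort with "unbound variable" first.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# main.sh drives the audit/apply functions defined above.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory?"
  exit 128
fi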
================================================
FILE: bin/hardening/1.5.3_ensure_kernel_yama_ptrace_scope.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 13
#
#
# 1.5.3 Ensure kernel.yama.ptrace_scope is configured
#
set -eu # abort on the first failing command or unset variable
HARDENING_LEVEL=2
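audit () {
  # is_debian_ge_13 reports through FNRET; 0 selects the Debian 13+ path.
  # FNRET is quoted so an empty value cannot break the test (SC2086).
  is_debian_ge_13
  if [ "$FNRET" = 0 ]; then
    sysctl_check 'kernel.yama.ptrace_scope' '1'
  else
    # Older releases: report as not applicable and count as compliant.
    ok "Rule is not applicable to OS versions prior to Debian 13."
    FNRET=0
  fi
}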
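apply () {
  # audit() has already run and left its verdict in FNRET; reuse it rather
  # than calling is_debian_ge_13 again, which would overwrite that result.
  # The redundant "elif FNRET != 0" is now a plain else; FNRET is quoted.
  if [ "$FNRET" = 0 ]; then
    ok "Already compliant. Nothing to apply for 1.5.3 Ensure kernel.yama.ptrace_scope is configured."
  else
    # Not compliant: re-run the OS gate before writing sysctl settings.
    is_debian_ge_13
    local is_supported="$FNRET"
    if [ "$is_supported" = 0 ]; then
      sysctl_apply 'kernel.yama.ptrace_scope' '1'
    else
      ok "Rule is not applicable to OS versions prior to Debian 13."
    fi
  fi
}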
check_config() {
  # No extra configuration is needed for this rule; the hook is a no-op.
  return 0
}
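if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps the emptiness check reachable under `set -u`;
# a bare $CIS_ROOT_DIR would abort with "unbound variable" first.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# main.sh drives the audit/apply functions defined above.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory?"
  exit 128
fi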
================================================
FILE: bin/hardening/1.5.4_ensure_fs_suid_dumpable.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 13
#
#
# 1.5.4 Ensure fs.suid_dumpable is configured
#
set -eu # abort on the first failing command or unset variable
HARDENING_LEVEL=2
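audit () {
  # is_debian_ge_13 reports through FNRET; 0 selects the Debian 13+ path.
  # FNRET is quoted so an empty value cannot break the test (SC2086).
  is_debian_ge_13
  if [ "$FNRET" = 0 ]; then
    sysctl_check 'fs.suid_dumpable' '0'
  else
    # Older releases: report as not applicable and count as compliant.
    ok "Rule is not applicable to OS versions prior to Debian 13."
    FNRET=0
  fi
}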
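apply () {
  # audit() has already run and left its verdict in FNRET; reuse it rather
  # than calling is_debian_ge_13 again, which would overwrite that result.
  # The redundant "elif FNRET != 0" is now a plain else; FNRET is quoted.
  if [ "$FNRET" = 0 ]; then
    ok "Already compliant. Nothing to apply for 1.5.4 Ensure fs.suid_dumpable is configured."
  else
    # Not compliant: re-run the OS gate before writing sysctl settings.
    is_debian_ge_13
    local is_supported="$FNRET"
    if [ "$is_supported" = 0 ]; then
      sysctl_apply 'fs.suid_dumpable' '0'
    else
      ok "Rule is not applicable to OS versions prior to Debian 13."
    fi
  fi
}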
check_config() {
  # No extra configuration is needed for this rule; the hook is a no-op.
  return 0
}
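if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps the emptiness check reachable under `set -u`;
# a bare $CIS_ROOT_DIR would abort with "unbound variable" first.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# main.sh drives the audit/apply functions defined above.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory?"
  exit 128
fi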
================================================
FILE: bin/hardening/1.5.5_ensure_kernel_dmesg_restrict.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 13
#
#
# 1.5.5 Ensure kernel.dmesg_restrict is configured
#
set -eu # abort on the first failing command or unset variable
HARDENING_LEVEL=2
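audit () {
  # is_debian_ge_13 reports through FNRET; 0 selects the Debian 13+ path.
  # FNRET is quoted so an empty value cannot break the test (SC2086).
  is_debian_ge_13
  if [ "$FNRET" = 0 ]; then
    sysctl_check 'kernel.dmesg_restrict' '1'
  else
    # Older releases: report as not applicable and count as compliant.
    ok "Rule is not applicable to OS versions prior to Debian 13."
    FNRET=0
  fi
}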
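apply () {
  # audit() has already run and left its verdict in FNRET; reuse it rather
  # than calling is_debian_ge_13 again, which would overwrite that result.
  # The redundant "elif FNRET != 0" is now a plain else; FNRET is quoted.
  if [ "$FNRET" = 0 ]; then
    ok "Already compliant. Nothing to apply for 1.5.5 Ensure kernel.dmesg_restrict is configured."
  else
    # Not compliant: re-run the OS gate before writing sysctl settings.
    is_debian_ge_13
    local is_supported="$FNRET"
    if [ "$is_supported" = 0 ]; then
      sysctl_apply 'kernel.dmesg_restrict' '1'
    else
      ok "Rule is not applicable to OS versions prior to Debian 13."
    fi
  fi
}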
check_config() {
  # No extra configuration is needed for this rule; the hook is a no-op.
  return 0
}
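if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps the emptiness check reachable under `set -u`;
# a bare $CIS_ROOT_DIR would abort with "unbound variable" first.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# main.sh drives the audit/apply functions defined above.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory?"
  exit 128
fi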
================================================
FILE: bin/hardening/1.5.7_ensure_automatic_error_reporting_configured.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 13
#
#
# 1.5.7 Ensure Automatic Error Reporting is configured
#
set -eu # abort on the first failing command or unset variable
HARDENING_LEVEL=2
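audit () {
  # is_debian_ge_13 reports through FNRET; 0 selects the Debian 13+ path.
  # FNRET is quoted so an empty value cannot break the test (SC2086).
  is_debian_ge_13
  if [ "$FNRET" = 0 ]; then
    service_disable_check 'apport.service'
  else
    # Older releases: report as not applicable and count as compliant.
    ok "Rule is not applicable to OS versions prior to Debian 13."
    FNRET=0
  fi
}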
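apply () {
  # audit() has already run and left its verdict in FNRET; reuse it rather
  # than calling is_debian_ge_13 again, which would overwrite that result.
  # The redundant "elif FNRET != 0" is now a plain else; FNRET is quoted.
  if [ "$FNRET" = 0 ]; then
    ok "Already compliant. Nothing to apply for 1.5.7 Ensure Automatic Error Reporting is configured."
  else
    # Not compliant: re-run the OS gate before touching the service.
    is_debian_ge_13
    local is_supported="$FNRET"
    if [ "$is_supported" = 0 ]; then
      service_disable_apply 'apport.service'
    else
      ok "Rule is not applicable to OS versions prior to Debian 13."
    fi
  fi
}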
check_config() {
  # No extra configuration is needed for this rule; the hook is a no-op.
  return 0
}
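if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps the emptiness check reachable under `set -u`;
# a bare $CIS_ROOT_DIR would abort with "unbound variable" first.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# main.sh drives the audit/apply functions defined above.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory?"
  exit 128
fi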
================================================
FILE: bin/hardening/1.5.8_ensure_kernel_kptr_restrict.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 13
#
#
# 1.5.8 Ensure kernel.kptr_restrict is configured
#
set -eu # abort on the first failing command or unset variable
HARDENING_LEVEL=2
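audit () {
  # is_debian_ge_13 reports through FNRET; 0 selects the Debian 13+ path.
  # FNRET is quoted so an empty value cannot break the test (SC2086).
  is_debian_ge_13
  if [ "$FNRET" = 0 ]; then
    sysctl_check 'kernel.kptr_restrict' '1'
  else
    # Older releases: report as not applicable and count as compliant.
    ok "Rule is not applicable to OS versions prior to Debian 13."
    FNRET=0
  fi
}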
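apply () {
  # audit() has already run and left its verdict in FNRET; reuse it rather
  # than calling is_debian_ge_13 again, which would overwrite that result.
  # The redundant "elif FNRET != 0" is now a plain else; FNRET is quoted.
  if [ "$FNRET" = 0 ]; then
    ok "Already compliant. Nothing to apply for 1.5.8 Ensure kernel.kptr_restrict is configured."
  else
    # Not compliant: re-run the OS gate before writing sysctl settings.
    is_debian_ge_13
    local is_supported="$FNRET"
    if [ "$is_supported" = 0 ]; then
      sysctl_apply 'kernel.kptr_restrict' '1'
    else
      ok "Rule is not applicable to OS versions prior to Debian 13."
    fi
  fi
}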
check_config() {
  # No extra configuration is needed for this rule; the hook is a no-op.
  return 0
}
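if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps the emptiness check reachable under `set -u`;
# a bare $CIS_ROOT_DIR would abort with "unbound variable" first.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# main.sh drives the audit/apply functions defined above.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory?"
  exit 128
fi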
================================================
FILE: bin/hardening/1.5.9_ensure_kernel_randomize_va_space.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 13
#
#
# 1.5.9 Ensure kernel.randomize_va_space is configured
#
set -eu # abort on the first failing command or unset variable
HARDENING_LEVEL=2
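audit () {
  # is_debian_ge_13 reports through FNRET; 0 selects the Debian 13+ path.
  # FNRET is quoted so an empty value cannot break the test (SC2086).
  is_debian_ge_13
  if [ "$FNRET" = 0 ]; then
    sysctl_check 'kernel.randomize_va_space' '2'
  else
    # Older releases: report as not applicable and count as compliant.
    ok "Rule is not applicable to OS versions prior to Debian 13."
    FNRET=0
  fi
}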
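apply () {
  # audit() has already run and left its verdict in FNRET; reuse it rather
  # than calling is_debian_ge_13 again, which would overwrite that result.
  # The redundant "elif FNRET != 0" is now a plain else; FNRET is quoted.
  if [ "$FNRET" = 0 ]; then
    ok "Already compliant. Nothing to apply for 1.5.9 Ensure kernel.randomize_va_space is configured."
  else
    # Not compliant: re-run the OS gate before writing sysctl settings.
    is_debian_ge_13
    local is_supported="$FNRET"
    if [ "$is_supported" = 0 ]; then
      sysctl_apply 'kernel.randomize_va_space' '2'
    else
      ok "Rule is not applicable to OS versions prior to Debian 13."
    fi
  fi
}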
check_config() {
  # No extra configuration is needed for this rule; the hook is a no-op.
  return 0
}
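if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps the emptiness check reachable under `set -u`;
# a bare $CIS_ROOT_DIR would abort with "unbound variable" first.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# main.sh drives the audit/apply functions defined above.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory?"
  exit 128
fi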
================================================
FILE: bin/hardening/10.1.10_set_maxlogins_for_all_accounts.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux debian 7/8/9 or CentOS 8 Hardening
#
#
# 10.1.10 Set maxlogins for all accounts (Scored)
# Author : Samson wen, Samson
#
set -eu # One error or one unset variable, it's over
HARDENING_LEVEL=2
# PAM package to require, the limits file it reads, and the limits.conf
# item/value this rule enforces. check_config() may override PACKAGE.
PACKAGE='libpam-modules'
FILE='/etc/security/limits.conf'
OPTIONS='maxsyslogins'
OPVALUE=10
# This function will be called if the script status is on enabled / audit mode
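# Audit 10.1.10: the limits.conf item must be present with exactly $OPVALUE.
# Sets FNRET: 0 ok, 1 package missing, 2 file missing, 3 item missing,
# 4 item present with another value.
audit () {
  is_pkg_installed "$PACKAGE"
  if [ "$FNRET" != 0 ]; then
    crit "$PACKAGE is not installed!"
    FNRET=1
  else
    ok "$PACKAGE is installed"
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
      crit "$FILE does not exist"
      FNRET=2
    else
      ok "$FILE does exist"
      # Active lines only: comment lines, trailing comments and blank lines
      # are stripped once instead of in two separate sed pipelines.
      local active
      active=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' -- "$FILE")
      if printf '%s\n' "$active" | grep -q -- "$OPTIONS"; then
        ok "$OPTIONS is set in $FILE."
        # Anchor the value: the old pattern accepted "maxsyslogins 100"
        # for OPVALUE=10 because it only required the digits as a prefix.
        if printf '%s\n' "$active" | grep -Eq -- "[[:space:]]${OPTIONS}[[:space:]]+${OPVALUE}[[:space:]]*$"; then
          ok "$OPTIONS value is correct in $FILE"
          FNRET=0
        else
          crit "$OPTIONS value is incorrect in $FILE"
          FNRET=4
        fi
      else
        crit "$OPTIONS is not set in $FILE."
        FNRET=3
      fi
    fi
  fi
}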
# This function will be called if the script status is on enabled mode
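# Apply 10.1.10: dispatch on the FNRET code left by audit() (see audit for
# the meaning of each value). All expansions are quoted (SC2086).
apply () {
  case "$FNRET" in
    0)
      ok "$OPTIONS value is correct in $FILE"
      ;;
    1)
      warn "$PACKAGE is not installed, need install."
      install_package "$PACKAGE"
      ;;
    2)
      warn "$FILE is not exist, need manual check."
      ;;
    3)
      warn "$OPTIONS value not exist in $FILE, add it"
      add_end_of_file "$FILE" "* hard ${OPTIONS} $OPVALUE"
      ;;
    4)
      warn "$OPTIONS value is incorrect in $FILE, reset it"
      # Only uncommented lines carrying the item are rewritten.
      replace_in_file "$FILE" "^[^#].*${OPTIONS}[[:space:]].*" "\* hard ${OPTIONS} $OPVALUE"
      ;;
  esac
}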
# This function will check config parameters required
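# On CentOS (OS_RELEASE 2) the PAM modules ship in the "pam" package.
# OS_RELEASE is quoted so an empty value fails the test instead of
# producing a "[: -eq: unary operator expected" error.
check_config() {
  if [ "$OS_RELEASE" -eq 2 ]; then
    PACKAGE='pam'
  fi
}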
# Source Root Dir Parameter
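if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps the emptiness check reachable under `set -u`;
# a bare $CIS_ROOT_DIR would abort with "unbound variable" first.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi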
================================================
FILE: bin/hardening/10.1.11_ensure_no_shosts_cfg_on_system.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 10.1.11 Ensure no shosts configure file on system (Scored)
# Author : Samson wen, Samson
#
set -eu # One error or one unset variable, it's over
HARDENING_LEVEL=3
# rhosts-style trust files that must not exist anywhere on the system.
FILENAME='.shosts'
FILENAME1='shosts.equiv'
# This function will be called if the script status is on enabled / audit mode
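# Audit 10.1.11: count files named $FILENAME / $FILENAME1 on the root
# filesystem (-xdev stops at mount points). FNRET: 0 none found, 1 found.
audit () {
  COUNT=$(find / -xdev -name "${FILENAME}" | wc -l)
  COUNT1=$(find / -xdev -name "${FILENAME1}" | wc -l)
  # Two separate tests instead of the obsolescent "-o" inside one [ ].
  if [ "$COUNT" -ne 0 ] || [ "$COUNT1" -ne 0 ]; then
    crit "$FILENAME or $FILENAME1 file is exist on system."
    FNRET=1
  else
    ok "$FILENAME and $FILENAME1 file is not on system."
    FNRET=0
  fi
}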
# This function will be called if the script status is on enabled mode
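# Apply 10.1.11: remove every $FILENAME / $FILENAME1 file audit() counted.
apply () {
  if [ "$FNRET" = 0 ]; then
    ok "$FILENAME and $FILENAME1 file is not on system."
  elif [ "$FNRET" = 1 ]; then
    warn "$FILENAME or $FILENAME1 file is exist on the system, delete all like this name file on the system."
    # Same -xdev scope as audit(): the removal must not reach into network
    # or removable mounts that the audit never looked at. -f avoids a
    # prompt on write-protected files; -- protects against odd names.
    find / -xdev -name "$FILENAME" -exec rm -f -- {} \;
    find / -xdev -name "$FILENAME1" -exec rm -f -- {} \;
  fi
}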
# This function will check config parameters required
check_config() {
  # No extra configuration is needed for this rule; the hook is a no-op.
  return 0
}
# Source Root Dir Parameter
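if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps the emptiness check reachable under `set -u`;
# a bare $CIS_ROOT_DIR would abort with "unbound variable" first.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi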
================================================
FILE: bin/hardening/10.1.1_set_password_exp_days.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 or CentOS 8 Hardening
#
#
# 10.1.1 Set Password Expiration Days (Scored)
# Modify by: Samson-W (sccxboy@gmail.com)
#
set -eu # One error or one unset variable, it's over
HARDENING_LEVEL=3
# PARAM=VALUE enforced in login.defs, plus the shadow file whose per-user
# maximum age (field 5) is checked against that value.
OPTIONS='PASS_MAX_DAYS=60'
FILE='/etc/login.defs'
SHA_FILE='/etc/shadow'
# This function will be called if the script status is on enabled / audit mode
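# Audit 10.1.1: PASS_MAX_DAYS in login.defs and field 5 of every account
# that carries a real password hash.
audit () {
  SSH_PARAM=${OPTIONS%%=*}
  SSH_VALUE=${OPTIONS#*=}
  PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
  does_pattern_exist_in_file "$FILE" "$PATTERN"
  if [ "$FNRET" = 0 ]; then
    ok "$PATTERN is present in $FILE"
  else
    crit "$PATTERN is not present in $FILE"
  fi
  # Accounts whose field 2 is not a '!'/'*' lock marker. awk -v makes the
  # comparison numeric: the former string compare ("365" > "60" is false,
  # "7" > "60" is true) missed long lifetimes and flagged short ones.
  local over
  over=$(grep -E '^[^:]+:[^!*]' "$SHA_FILE" | awk -F: -v max="$SSH_VALUE" '($5 + 0) > (max + 0) {print $1}' | wc -l)
  if [ "$over" -gt 0 ]; then
    crit "Have least user's maximum password lifetime is greater than $SSH_VALUE day"
  else
    ok "All user's maximum password lifetime is equal or less than $SSH_VALUE day"
  fi
}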
# This function will be called if the script status is on enabled mode
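# Apply 10.1.1: set PASS_MAX_DAYS in login.defs and cap the maximum age of
# every account whose current value exceeds it.
apply () {
  SSH_PARAM=${OPTIONS%%=*}
  SSH_VALUE=${OPTIONS#*=}
  PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
  does_pattern_exist_in_file "$FILE" "$PATTERN"
  if [ "$FNRET" = 0 ]; then
    ok "$PATTERN is present in $FILE"
  else
    warn "$PATTERN is not present in $FILE, adding it"
    does_pattern_exist_in_file "$FILE" "^$SSH_PARAM"
    if [ "$FNRET" != 0 ]; then
      add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
    else
      info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
      replace_in_file "$FILE" "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
    fi
  fi
  # Numeric comparison via awk -v. The former string compare ("7" > "60"
  # is true) would have *raised* a 7-day maximum to 60 here, weakening the
  # policy, while "365" > "60" (false) left real violations untouched.
  local offenders
  offenders=$(grep -E '^[^:]+:[^!*]' "$SHA_FILE" | awk -F: -v max="$SSH_VALUE" '($5 + 0) > (max + 0) {print $1}')
  if [ -n "$offenders" ]; then
    warn "Have least user's maximum password lifetime is greater than $SSH_VALUE day, Fixing"
    while IFS= read -r USERNAME; do
      chage --maxdays "$SSH_VALUE" "$USERNAME"
    done <<<"$offenders"
  fi
}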
# This function will check config parameters required
check_config() {
  # No extra configuration is needed for this rule; the hook is a no-op.
  return 0
}
# Source Root Dir Parameter
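if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps the emptiness check reachable under `set -u`;
# a bare $CIS_ROOT_DIR would abort with "unbound variable" first.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi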
================================================
FILE: bin/hardening/10.1.2_set_password_min_days_change.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 or CentOS 8 Hardening
#
#
# 10.1.2 Set Password Change Minimum Number of Days (Scored)
# Modify by: Samson-W (sccxboy@gmail.com)
#
set -eu # One error or one unset variable, it's over
HARDENING_LEVEL=3
# PARAM=VALUE enforced in login.defs, plus the shadow file whose per-user
# minimum age (field 4) is checked against that value.
OPTIONS='PASS_MIN_DAYS=1'
FILE='/etc/login.defs'
SHA_FILE='/etc/shadow'
# This function will be called if the script status is on enabled / audit mode
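# Audit 10.1.2: PASS_MIN_DAYS in login.defs and field 4 of every account
# that carries a real password hash.
audit () {
  SSH_PARAM=${OPTIONS%%=*}
  SSH_VALUE=${OPTIONS#*=}
  PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
  does_pattern_exist_in_file "$FILE" "$PATTERN"
  if [ "$FNRET" = 0 ]; then
    ok "$PATTERN is present in $FILE"
  else
    crit "$PATTERN is not present in $FILE"
  fi
  # Accounts whose field 2 is not a '!'/'*' lock marker. awk -v makes the
  # comparison numeric so it stays correct if PASS_MIN_DAYS is raised to a
  # multi-digit value (as strings "10" < "7" would be true).
  local below
  below=$(grep -E '^[^:]+:[^!*]' "$SHA_FILE" | awk -F: -v min="$SSH_VALUE" '($4 + 0) < (min + 0) {print $1}' | wc -l)
  if [ "$below" -gt 0 ]; then
    crit "Have least user's minimum password lifetime is not equal or less than $SSH_VALUE day"
  else
    ok "All user's minimum password lifetime is $SSH_VALUE day"
  fi
}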
# This function will be called if the script status is on enabled mode
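# Apply 10.1.2: set PASS_MIN_DAYS in login.defs and raise the minimum age of
# every account whose current value is below it.
apply () {
  SSH_PARAM=${OPTIONS%%=*}
  SSH_VALUE=${OPTIONS#*=}
  PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
  does_pattern_exist_in_file "$FILE" "$PATTERN"
  if [ "$FNRET" = 0 ]; then
    ok "$PATTERN is present in $FILE"
  else
    warn "$PATTERN is not present in $FILE, adding it"
    does_pattern_exist_in_file "$FILE" "^$SSH_PARAM"
    if [ "$FNRET" != 0 ]; then
      add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
    else
      info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
      replace_in_file "$FILE" "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
    fi
  fi
  # Numeric comparison via awk -v (a string compare breaks for multi-digit
  # values). Usernames are read line by line rather than word-split.
  local offenders
  offenders=$(grep -E '^[^:]+:[^!*]' "$SHA_FILE" | awk -F: -v min="$SSH_VALUE" '($4 + 0) < (min + 0) {print $1}')
  if [ -n "$offenders" ]; then
    warn "Have least user's minimum password lifetime is not equal or less than $SSH_VALUE day, Fixing"
    while IFS= read -r USERNAME; do
      chage --mindays "$SSH_VALUE" "$USERNAME"
    done <<<"$offenders"
  else
    ok "All user's minimum password lifetime is $SSH_VALUE day"
  fi
}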
# This function will check config parameters required
check_config() {
  # No extra configuration is needed for this rule; the hook is a no-op.
  return 0
}
# Source Root Dir Parameter
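if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps the emptiness check reachable under `set -u`;
# a bare $CIS_ROOT_DIR would abort with "unbound variable" first.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi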
================================================
FILE: bin/hardening/10.1.3_set_password_exp_warning_days.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 or CentOS 8 Hardening
#
#
# 10.1.3 Set Password Expiring Warning Days (Scored)
# Modify by: Samson-W (sccxboy@gmail.com)
#
set -eu # One error or one unset variable, it's over
HARDENING_LEVEL=3
# PARAM=VALUE enforced in login.defs, plus the shadow file whose per-user
# warning period (field 6) is checked against that value.
OPTIONS='PASS_WARN_AGE=7'
FILE='/etc/login.defs'
SHA_FILE='/etc/shadow'
# This function will be called if the script status is on enabled / audit mode
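# Audit 10.1.3: PASS_WARN_AGE in login.defs and field 6 of every account
# that carries a real password hash.
audit () {
  SSH_PARAM=${OPTIONS%%=*}
  SSH_VALUE=${OPTIONS#*=}
  PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
  does_pattern_exist_in_file "$FILE" "$PATTERN"
  if [ "$FNRET" = 0 ]; then
    ok "$PATTERN is present in $FILE"
  else
    crit "$PATTERN is not present in $FILE"
  fi
  # Accounts whose field 2 is not a '!'/'*' lock marker. awk -v makes the
  # comparison numeric: as strings "10" < "7" is true, so a compliant
  # 10-day warning period was reported as a violation.
  local below
  below=$(grep -E '^[^:]+:[^!*]' "$SHA_FILE" | awk -F: -v min="$SSH_VALUE" '($6 + 0) < (min + 0) {print $1}' | wc -l)
  if [ "$below" -gt 0 ]; then
    crit "Have least user's maximum password lifetime is greater than $SSH_VALUE day"
  else
    ok "All user's maximum password lifetime is equal or less than $SSH_VALUE day"
  fi
}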
# This function will be called if the script status is on enabled mode
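# Apply 10.1.3: set PASS_WARN_AGE in login.defs and raise the warning period
# of every account whose current value is below it.
apply () {
  SSH_PARAM=${OPTIONS%%=*}
  SSH_VALUE=${OPTIONS#*=}
  PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
  does_pattern_exist_in_file "$FILE" "$PATTERN"
  if [ "$FNRET" = 0 ]; then
    ok "$PATTERN is present in $FILE"
  else
    warn "$PATTERN is not present in $FILE, adding it"
    does_pattern_exist_in_file "$FILE" "^$SSH_PARAM"
    if [ "$FNRET" != 0 ]; then
      add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
    else
      info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
      replace_in_file "$FILE" "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
    fi
  fi
  # Numeric comparison via awk -v. With the former string compare a 10-day
  # warning period ("10" < "7") was *lowered* to 7 by chage below.
  local offenders
  offenders=$(grep -E '^[^:]+:[^!*]' "$SHA_FILE" | awk -F: -v min="$SSH_VALUE" '($6 + 0) < (min + 0) {print $1}')
  if [ -n "$offenders" ]; then
    warn "Have least user's maximum password lifetime is greater than $SSH_VALUE day, Fixing"
    while IFS= read -r USERNAME; do
      chage --warndays "$SSH_VALUE" "$USERNAME"
    done <<<"$offenders"
  fi
}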
# This function will check config parameters required
check_config() {
  # No extra configuration is needed for this rule; the hook is a no-op.
  return 0
}
# Source Root Dir Parameter
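if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps the emptiness check reachable under `set -u`;
# a bare $CIS_ROOT_DIR would abort with "unbound variable" first.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi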
================================================
FILE: bin/hardening/10.1.4_set_password_encrypt_method.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 or CentOS 8 Hardening
#
#
# 10.1.4 Set Password Expiration Days (Scored)
# Author : Samson wen, Samson
#
set -eu # One error or one unset variable, it's over
HARDENING_LEVEL=3
# Whitespace-separated PARAM=VALUE pairs enforced in login.defs.
OPTIONS='ENCRYPT_METHOD=SHA512'
FILE='/etc/login.defs'
# This function will be called if the script status is on enabled / audit mode
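# Audit 10.1.4: every PARAM=VALUE pair in $OPTIONS must appear in login.defs.
audit () {
  # $OPTIONS is a whitespace-separated list; the unquoted expansion is the
  # intended word split (shellcheck disable=SC2086).
  for SSH_OPTION in $OPTIONS; do
    SSH_PARAM=${SSH_OPTION%%=*}
    SSH_VALUE=${SSH_OPTION#*=}
    PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
    does_pattern_exist_in_file "$FILE" "$PATTERN"
    if [ "$FNRET" = 0 ]; then
      ok "$PATTERN is present in $FILE"
    else
      crit "$PATTERN is not present in $FILE"
    fi
  done
}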
# This function will be called if the script status is on enabled mode
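# Apply 10.1.4: add or correct every PARAM=VALUE pair of $OPTIONS in login.defs.
apply () {
  # Intended word split of the whitespace-separated list (shellcheck disable=SC2086).
  for SSH_OPTION in $OPTIONS; do
    SSH_PARAM=${SSH_OPTION%%=*}
    SSH_VALUE=${SSH_OPTION#*=}
    PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
    does_pattern_exist_in_file "$FILE" "$PATTERN"
    if [ "$FNRET" = 0 ]; then
      ok "$PATTERN is present in $FILE"
    else
      warn "$PATTERN is not present in $FILE, adding it"
      # Parameter absent: append; present with another value: rewrite it.
      does_pattern_exist_in_file "$FILE" "^$SSH_PARAM"
      if [ "$FNRET" != 0 ]; then
        add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
      else
        info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
        replace_in_file "$FILE" "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
      fi
    fi
  done
}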
# This function will check config parameters required
check_config() {
  # No extra configuration is needed for this rule; the hook is a no-op.
  return 0
}
# Source Root Dir Parameter
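if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps the emptiness check reachable under `set -u`;
# a bare $CIS_ROOT_DIR would abort with "unbound variable" first.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi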
================================================
FILE: bin/hardening/10.1.5_set_password_lock_inactive_user.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12/13 Hardening
#
#
# 10.1.5 Ensure inactive password lock is 30 days or less (Scored)
# Author: Samson-W (sccxboy@gmail.com)
# STIG for Ubuntu_16-04_LTS_STIG_V1R2_Manual: INACTIVE=35
# STIG for U_Red_Hat_Enterprise_Linux_7_V2R5: INACTIVE=0
#
#
set -eu # One error or one unset variable, it's over
HARDENING_LEVEL=3
# INACTIVE=<days> enforced in /etc/default/useradd; check_config() swaps in
# the CentOS value. DISABLE_V is the useradd value meaning "feature off".
OPTIONS='INACTIVE=30'
OPTIONS_CENTOS='INACTIVE=0'
DISABLE_V='-1'
FILE='/etc/default/useradd'
SHA_FILE='/etc/shadow'
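# Debian audit: the useradd INACTIVE default and field 7 (inactivity days)
# of every account that carries a real password hash.
audit_debian () {
  SSH_PARAM=${OPTIONS%%=*}
  SSH_VALUE=${OPTIONS#*=}
  # `useradd -D` prints KEY=VALUE lines; select the key exactly.
  INACTIVE_V=$(useradd -D | awk -F= -v k="$SSH_PARAM" '$1 == k {print $2}')
  if [ -z "$INACTIVE_V" ]; then
    # Without this guard an empty value made both numeric tests below error
    # out (treated as false) and the default was reported as compliant.
    crit "INACTIVE default is not set by useradd"
  elif [ "$INACTIVE_V" -eq "$DISABLE_V" ]; then
    crit "INACTIVE feature has disabled."
  elif [ "$INACTIVE_V" -gt "$SSH_VALUE" ]; then
    crit "INACTIVE value is greater than $SSH_VALUE day"
  else
    ok "All user's INACTIVE value is equal or less than $SSH_VALUE day"
  fi
  # Accounts whose field 2 is not a '!'/'*' lock marker.
  if [ "$(grep -E '^[^:]+:[^!*]' "$SHA_FILE" | awk -F: '{print $7}' | wc -w)" -eq 0 ]; then
    crit "Have least user's INACTIVE password lifetime is not set"
  else
    # awk -v makes the comparison numeric ("7" > "30" was true as strings);
    # an empty field 7 is counted as non-compliant so a mix of set and unset
    # accounts is no longer reported as compliant.
    if [ "$(grep -E '^[^:]+:[^!*]' "$SHA_FILE" | awk -F: -v max="$SSH_VALUE" '$7 == "" || ($7 + 0) > (max + 0) {print $1}' | wc -l)" -gt 0 ]; then
      crit "Have least user's INACTIVE password lifetime is greater than $SSH_VALUE day"
    else
      ok "All user's INACTIVE password lifetime is equal or less than $SSH_VALUE day"
    fi
  fi
}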
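# CentOS audit: the useradd INACTIVE default must equal $SSH_VALUE exactly
# (OPTIONS is swapped to OPTIONS_CENTOS by check_config()).
audit_centos () {
  SSH_PARAM=${OPTIONS%%=*}
  SSH_VALUE=${OPTIONS#*=}
  # `useradd -D` prints KEY=VALUE lines; select the key exactly.
  INACTIVE_V=$(useradd -D | awk -F= -v k="$SSH_PARAM" '$1 == k {print $2}')
  if [ -z "$INACTIVE_V" ]; then
    # An empty value previously made the -eq tests error out (false) and
    # fell through to the generic crit; report the real cause instead.
    crit "INACTIVE default is not set by useradd"
  elif [ "$INACTIVE_V" -eq "$DISABLE_V" ]; then
    crit "INACTIVE feature has disabled."
  elif [ "$INACTIVE_V" -eq "$SSH_VALUE" ]; then
    ok "All user's INACTIVE value has set $SSH_VALUE: disables the account as soon as the password has expired"
  else
    crit "All user's INACTIVE value is not set $SSH_VALUE: disables the account as soon as the password has expired"
  fi
}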
# This function will be called if the script status is on enabled / audit mode
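# Dispatch on distribution: OS_RELEASE 2 is CentOS, anything else Debian.
# OS_RELEASE is quoted so an empty value fails the test instead of erroring.
audit () {
  if [ "$OS_RELEASE" -eq 2 ]; then
    audit_centos
  else
    audit_debian
  fi
}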
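# Debian apply: set INACTIVE in /etc/default/useradd and bring every account
# with a real password hash to an inactivity period of at most $SSH_VALUE.
apply_debian () {
  SSH_PARAM=${OPTIONS%%=*}
  SSH_VALUE=${OPTIONS#*=}
  PATTERN="^$SSH_PARAM=$SSH_VALUE"
  does_pattern_exist_in_file "$FILE" "$PATTERN"
  if [ "$FNRET" = 0 ]; then
    ok "$PATTERN is present in $FILE"
  else
    warn "$PATTERN is not present in $FILE, adding it"
    does_pattern_exist_in_file "$FILE" "^$SSH_PARAM"
    if [ "$FNRET" != 0 ]; then
      add_end_of_file "$FILE" "$SSH_PARAM=$SSH_VALUE"
    else
      info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
      replace_in_file "$FILE" "^$SSH_PARAM.*" "$SSH_PARAM=$SSH_VALUE"
    fi
  fi
  # Accounts whose field 2 is not a '!'/'*' lock marker; field 7 is the
  # inactivity period in days.
  local shadow_re='^[^:]+:[^!*]'
  local offenders=''
  if [ "$(grep -E "$shadow_re" "$SHA_FILE" | awk -F: '{print $7}' | wc -w)" -eq 0 ]; then
    warn "Have least user's INACTIVE password lifetime is not set. Fixing"
    offenders=$(grep -E "$shadow_re" "$SHA_FILE" | awk -F: '{print $1}')
  else
    # awk -v makes the comparison numeric: as strings "7" > "30" was true
    # and a 7-day lock would have been *raised* to 30. An empty field 7 is
    # treated as unset so mixed systems get fixed too.
    offenders=$(grep -E "$shadow_re" "$SHA_FILE" | awk -F: -v max="$SSH_VALUE" '$7 == "" || ($7 + 0) > (max + 0) {print $1}')
    if [ -n "$offenders" ]; then
      warn "Have least user's INACTIVE password lifetime is greater than $SSH_VALUE day. Fixing"
    else
      ok "All user's INACTIVE password lifetime is equal or less than $SSH_VALUE day"
    fi
  fi
  if [ -n "$offenders" ]; then
    while IFS= read -r USERNAME; do
      chage --inactive "$SSH_VALUE" "$USERNAME"
    done <<<"$offenders"
  fi
}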
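# CentOS apply: same procedure as apply_debian with the CentOS value
# (INACTIVE=0, swapped in by check_config()) and CentOS-specific messages.
apply_centos () {
  SSH_PARAM=${OPTIONS%%=*}
  SSH_VALUE=${OPTIONS#*=}
  PATTERN="^$SSH_PARAM=$SSH_VALUE"
  does_pattern_exist_in_file "$FILE" "$PATTERN"
  if [ "$FNRET" = 0 ]; then
    ok "$PATTERN is present in $FILE"
  else
    warn "$PATTERN is not present in $FILE, adding it"
    does_pattern_exist_in_file "$FILE" "^$SSH_PARAM"
    if [ "$FNRET" != 0 ]; then
      add_end_of_file "$FILE" "$SSH_PARAM=$SSH_VALUE"
    else
      info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
      replace_in_file "$FILE" "^$SSH_PARAM.*" "$SSH_PARAM=$SSH_VALUE"
    fi
  fi
  # Accounts whose field 2 is not a '!'/'*' lock marker; field 7 is the
  # inactivity period in days.
  local shadow_re='^[^:]+:[^!*]'
  local offenders=''
  if [ "$(grep -E "$shadow_re" "$SHA_FILE" | awk -F: '{print $7}' | wc -w)" -eq 0 ]; then
    warn "Have least user's INACTIVE password lifetime is not set. Fixing"
    offenders=$(grep -E "$shadow_re" "$SHA_FILE" | awk -F: '{print $1}')
  else
    # Numeric comparison via awk -v; an empty field 7 is treated as unset.
    offenders=$(grep -E "$shadow_re" "$SHA_FILE" | awk -F: -v max="$SSH_VALUE" '$7 == "" || ($7 + 0) > (max + 0) {print $1}')
    if [ -n "$offenders" ]; then
      warn "All user's INACTIVE value is not set $SSH_VALUE, fixing it."
    else
      ok "All user's INACTIVE value has set $SSH_VALUE: disables the account as soon as the password has expired"
    fi
  fi
  if [ -n "$offenders" ]; then
    while IFS= read -r USERNAME; do
      chage --inactive "$SSH_VALUE" "$USERNAME"
    done <<<"$offenders"
  fi
}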
# This function will be called if the script status is on enabled mode
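# Dispatch on distribution: OS_RELEASE 2 is CentOS, anything else Debian.
# OS_RELEASE is quoted so an empty value fails the test instead of erroring.
apply () {
  if [ "$OS_RELEASE" -eq 2 ]; then
    apply_centos
  else
    apply_debian
  fi
}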
# This function will check config parameters required
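# On CentOS (OS_RELEASE 2) the STIG value INACTIVE=0 replaces the Debian
# default. OS_RELEASE is quoted so an empty value fails the test cleanly.
check_config() {
  if [ "$OS_RELEASE" -eq 2 ]; then
    OPTIONS=$OPTIONS_CENTOS
  fi
}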
# Source Root Dir Parameter
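if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps the emptiness check reachable under `set -u`;
# a bare $CIS_ROOT_DIR would abort with "unbound variable" first.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi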
================================================
FILE: bin/hardening/10.1.6_remove_nopasswd_sudoers.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 10.1.6 Remove nopasswd option from the sudoers configuration (Scored)
# Author : Samson wen, Samson
#
set -o errexit   # One error, it's over
set -o nounset   # One variable unset, it's over
HARDENING_LEVEL=3
# literal strings used both as grep patterns and as sed replacement text
NOPASSWD='NOPASSWD'
PASSWD='PASSWD'
FILE='/etc/sudoers'
# glob over the drop-in directory; expanded unquoted where it is used
INCLUDFILE='/etc/sudoers.d/*'
# This function will be called if the script status is on enabled / audit mode
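audit () {
    # Sets FNRET: 0 no NOPASSWD anywhere, 1 found in sudoers or a drop-in,
    # 2 sudoers missing.
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE is not exist!"
        FNRET=2
        return 0
    fi
    does_pattern_exist_in_file "$FILE" "$NOPASSWD"
    if [ "$FNRET" = 0 ]; then
        crit "$NOPASSWD is set on $FILE, it's error conf"
        FNRET=1
        return 0
    fi
    ok "$NOPASSWD is not set on $FILE, it's ok"
    # $INCLUDFILE is a glob, expanded on purpose; -s hides the "no such file"
    # error when /etc/sudoers.d is empty (the pattern then stays literal) and
    # -q makes the exit status the answer, no ls|wc / grep|wc parsing.
    # shellcheck disable=SC2086
    if grep -qs -- "$NOPASSWD" $INCLUDFILE; then
        crit "$NOPASSWD is set on $INCLUDFILE, it's error conf"
        FNRET=1
    else
        ok "$NOPASSWD is not set on $INCLUDFILE, it's ok"
        # previously left at the helper's non-zero value when the drop-in
        # directory was empty, which made apply() "fix" a clean system
        FNRET=0
    fi
}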
# This function will be called if the script status is on enabled mode
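# Replace NOPASSWD with PASSWD in one sudoers file, keeping a backup and
# restoring the 0440 mode even if sed fails (the previous && chain skipped
# the final chmod in that case and left the file at 0640).
_strip_nopasswd() {
    local TARGET=$1
    backup_file "$TARGET"
    chmod 640 "$TARGET"
    sed -i -e "s/$NOPASSWD/$PASSWD/g" "$TARGET" || warn "could not edit $TARGET"
    chmod 440 "$TARGET"
}
apply () {
    local DROPIN
    if [ "$FNRET" = 0 ]; then
        ok "APPLY: $NOPASSWD is not set on $FILE, it's ok"
    elif [ "$FNRET" = 1 ]; then
        info "$NOPASSWD is set on the $FILE or $INCLUDFILE, need remove"
        _strip_nopasswd "$FILE"
        # $INCLUDFILE is a glob, expanded on purpose; an empty directory leaves
        # the pattern literal, which the -f test skips. Only drop-ins that
        # actually contain the option are backed up and rewritten.
        # shellcheck disable=SC2086
        for DROPIN in $INCLUDFILE; do
            [ -f "$DROPIN" ] || continue
            grep -q -- "$NOPASSWD" "$DROPIN" || continue
            _strip_nopasswd "$DROPIN"
        done
    elif [ "$FNRET" = 2 ]; then
        warn "$FILE is not exist! Maybe sudo package not installed."
    fi
}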
# This function will check config parameters required
check_config() {
    # nothing to validate: this check takes no configuration parameters
    return 0
}
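# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    # shellcheck disable=SC1091
    . /etc/default/cis-hardening
fi
# ${VAR:-} keeps this message reachable under 'set -u': a bare $CIS_ROOT_DIR
# aborted the shell with "unbound variable" before it could be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# path quoted so a root directory containing blanks or glob characters stays one word
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    # shellcheck disable=SC1091
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi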
================================================
FILE: bin/hardening/10.1.7_remove_noauthenticate_sudoers.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 10.1.7 Remove not authenticate option from the sudoers configuration (Scored)
# Author : Samson wen, Samson
#
set -o errexit   # One error, it's over
set -o nounset   # One variable unset, it's over
HARDENING_LEVEL=3
# sudoers option to hunt for and its replacement (used verbatim in grep/sed)
NOAUTH='!authenticate'
AUTHENTICATE='authenticate'
FILE='/etc/sudoers'
# drop-in directory, searched recursively by audit()
INCLUDFILE='/etc/sudoers.d/'
# This function will be called if the script status is on enabled / audit mode
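audit () {
    # Sets FNRET: 0 option absent everywhere, 1 found in sudoers or a drop-in,
    # 2 sudoers missing.
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE is not exist!"
        FNRET=2
        return 0
    fi
    does_pattern_exist_in_file "$FILE" "$NOAUTH"
    if [ "$FNRET" = 0 ]; then
        crit "$NOAUTH is set on $FILE, it's error conf"
        FNRET=1
        return 0
    fi
    ok "$NOAUTH is not set on $FILE, it's ok"
    # -r walks the drop-in directory, -s turns a missing directory into
    # "not found" instead of a grep error, -q uses the exit status directly
    if grep -rqs -- "$NOAUTH" "$INCLUDFILE"; then
        crit "$NOAUTH is set on $INCLUDFILE, it's error conf"
        FNRET=1
    else
        ok "$NOAUTH is not set on $INCLUDFILE, it's ok"
        FNRET=0
    fi
}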
# This function will be called if the script status is on enabled mode
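apply () {
    local TARGET
    if [ "$FNRET" = 0 ]; then
        ok "APPLY: $NOAUTH is not set on $FILE, it's ok"
    elif [ "$FNRET" = 1 ]; then
        info "$NOAUTH is set on the $FILE or $INCLUDFILE, need remove"
        # "${INCLUDFILE}"/* is a glob expanded on purpose; an empty directory
        # leaves the pattern literal and the -f test skips it. Each file is
        # handled on its own so a failing sed still gets its 0440 mode back.
        for TARGET in "$FILE" "${INCLUDFILE}"/*; do
            [ -f "$TARGET" ] || continue
            backup_file "$TARGET"
            chmod 640 "$TARGET"
            sed -i -e "s/$NOAUTH/$AUTHENTICATE/g" "$TARGET" || warn "could not edit $TARGET"
            chmod 440 "$TARGET"
        done
    elif [ "$FNRET" = 2 ]; then
        # audit() stores 2 for a missing sudoers; this branch used to test
        # for 1 a second time and could never run
        warn "$FILE is not exist! Maybe sudo package not installed."
    fi
}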
# This function will check config parameters required
check_config() {
    # nothing to validate: this check takes no configuration parameters
    return 0
}
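# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    # shellcheck disable=SC1091
    . /etc/default/cis-hardening
fi
# ${VAR:-} keeps this message reachable under 'set -u': a bare $CIS_ROOT_DIR
# aborted the shell with "unbound variable" before it could be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# path quoted so a root directory containing blanks or glob characters stays one word
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    # shellcheck disable=SC1091
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi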
================================================
FILE: bin/hardening/10.1.8_set_fail_delay_seconds.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux debian 9 or CentOS 8 Hardening
#
#
# 10.1.8 Set FAIL_DELAY Parameters Using pam_faildelay (Scored)
# Author : Samson wen, Samson
#
set -o errexit   # One error, it's over
set -o nounset   # One variable unset, it's over
HARDENING_LEVEL=2
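audit_debian () {
    # FNRET: 1 package missing, 2 pam_faildelay line missing, otherwise the
    # status left by check_param_pair_by_pam (presumably the 0/4/5 codes that
    # apply_debian handles -- confirm in the helper).
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
        crit "$PACKAGE is not installed!"
        FNRET=1
        return 0
    fi
    ok "$PACKAGE is installed"
    # PATTERN is a regex ('^auth.*pam_faildelay.so'); quoted so the shell
    # cannot glob-expand the '*' against files in the working directory
    does_pattern_exist_in_file "$FILE" "$PATTERN"
    if [ "$FNRET" != 0 ]; then
        crit "$PATTERN is not present in $FILE"
        FNRET=2
        return 0
    fi
    ok "$PATTERN is present in $FILE"
    # delay must be >= CONDT_VAL microseconds
    check_param_pair_by_pam "$FILE" "$PAMLIBNAME" "$OPTIONNAME" ge "$CONDT_VAL"
    if [ "$FNRET" = 0 ]; then
        ok "$OPTIONNAME set condition is $CONDT_VAL"
    else
        crit "$OPTIONNAME set condition is not equal or greater than $CONDT_VAL"
    fi
}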
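audit_centos () {
    # FNRET: 0 compliant, 1 keyword absent, 2 keyword present but value too small.
    local CURRENT
    # split OPTION (e.g. FAIL_DELAY=4) on its first '=' without echo|cut
    SSH_PARAM=${OPTION%%=*}
    SSH_VALUE=${OPTION#*=}
    PATTERN="^$SSH_PARAM[[:space:]]*[[:digit:]]*"
    does_pattern_exist_in_file "$FILE" "$PATTERN"
    if [ "$FNRET" != 0 ]; then
        crit "$PATTERN is not present in $FILE"
        FNRET=1
        return 0
    fi
    ok "$SSH_PARAM is present in $FILE"
    # second column of the first matching line; the pattern is quoted so
    # '[[:space:]]*' is never glob-expanded. An empty value (keyword with no
    # number) counts as 0 rather than breaking the numeric test.
    CURRENT=$(grep -- "$PATTERN" "$FILE" | awk 'NR==1 {print $2}')
    # compared against the configured minimum instead of a hard-coded 4
    if [ "${CURRENT:-0}" -ge "$SSH_VALUE" ]; then
        ok "$SSH_PARAM is set least four seconds between logon prompts following a failed console logon attempt"
        FNRET=0
    else
        crit "$SSH_PARAM is not set least four seconds between logon prompts following a failed console logon attempt"
        FNRET=2
    fi
}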
# This function will be called if the script status is on enabled / audit mode
audit () {
    # OS_RELEASE 2 marks CentOS; anything else takes the Debian path.
    if (( OS_RELEASE == 2 )); then
        audit_centos
        return
    fi
    audit_debian
}
apply_debian () {
    # Dispatch on the FNRET code left by the audit / pam helpers; the
    # messages below describe what each code stands for.
    case "$FNRET" in
        0) ok "$PACKAGE is installed" ;;
        1)
            crit "$PACKAGE is absent, installing it"
            install_package "$PACKAGE"
            ;;
        2)
            crit "$PATTERN is not present in $FILE, add default config to $FILE"
            add_line_file_before_pattern "$FILE" "auth optional pam_faildelay.so delay=4000000" "# Outputs an issue file prior to each login prompt (Replaces the"
            ;;
        3) crit "$FILE is not exist, please check" ;;
        4)
            crit "$OPTIONNAME is not conf"
            add_option_to_auth_check "$FILE" "$PAMLIBNAME" "$OPTIONNAME=$CONDT_VAL"
            ;;
        5)
            crit "$OPTIONNAME set is not match legally, reset it to $CONDT_VAL"
            reset_option_to_auth_check "$FILE" "$PAMLIBNAME" "$OPTIONNAME" "$CONDT_VAL"
            ;;
    esac
}
apply_centos () {
    # 0: already compliant, 1: keyword absent, 2: keyword present but too small
    case "$FNRET" in
        0) ok "$SSH_PARAM is set least four seconds between logon prompts following a failed console logon attempt" ;;
        1)
            warn "$PATTERN is not present in $FILE, adding it"
            add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
            ;;
        2)
            warn "Parameter $SSH_PARAM is present but less than $SSH_VALUE -- Fixing"
            # rewrite the whole existing line whatever value it carried
            replace_in_file "$FILE" "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
            ;;
        *) : ;;
    esac
}
# This function will be called if the script status is on enabled mode
apply () {
    # OS_RELEASE 2 marks CentOS; anything else takes the Debian path.
    if (( OS_RELEASE == 2 )); then
        apply_centos
        return
    fi
    apply_debian
}
# This function will check config parameters required
check_config() {
    if (( OS_RELEASE == 2 )); then
        # CentOS: a plain keyword/value pair in login.defs
        OPTION='FAIL_DELAY=4'
        FILE='/etc/login.defs'
        return 0
    fi
    # Debian: the delay lives on the pam_faildelay line of /etc/pam.d/login
    PACKAGE='libpam-modules'
    PAMLIBNAME='pam_faildelay.so'
    PATTERN='^auth.*pam_faildelay.so'
    FILE='/etc/pam.d/login'
    OPTIONNAME='delay'
    # condition (microseconds)
    CONDT_VAL=4000000
}
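# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    # shellcheck disable=SC1091
    . /etc/default/cis-hardening
fi
# ${VAR:-} keeps this message reachable under 'set -u': a bare $CIS_ROOT_DIR
# aborted the shell with "unbound variable" before it could be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# path quoted so a root directory containing blanks or glob characters stays one word
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    # shellcheck disable=SC1091
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi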
================================================
FILE: bin/hardening/10.1.9_set_create_home_bool.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux debian 7/8/9 or CentOS 8 Hardening
#
#
# 10.1.9 Set create home bool (Scored)
# Author : Samson wen, Samson
#
set -o errexit   # One error, it's over
set -o nounset   # One variable unset, it's over
HARDENING_LEVEL=3
# whitespace-separated KEY=VALUE pairs expected in login.defs
OPTIONS='CREATE_HOME=yes'
FILE='/etc/login.defs'
# This function will be called if the script status is on enabled / audit mode
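audit () {
    local SSH_OPTION SSH_PARAM SSH_VALUE PATTERN
    # OPTIONS is a whitespace-separated list of KEY=VALUE pairs; splitting it
    # is the intended iteration.
    for SSH_OPTION in $OPTIONS; do
        # split on the first '=' without echo|cut, so a value containing '='
        # survives intact (cut -f2 truncated it)
        SSH_PARAM=${SSH_OPTION%%=*}
        SSH_VALUE=${SSH_OPTION#*=}
        PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
        does_pattern_exist_in_file "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
            crit "$PATTERN is not present in $FILE"
        fi
    done
}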
# This function will be called if the script status is on enabled mode
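apply () {
    local SSH_OPTION SSH_PARAM SSH_VALUE PATTERN
    # OPTIONS is a whitespace-separated list of KEY=VALUE pairs; splitting it
    # is the intended iteration.
    for SSH_OPTION in $OPTIONS; do
        # split on the first '=' without echo|cut, so a value containing '='
        # survives intact (cut -f2 truncated it)
        SSH_PARAM=${SSH_OPTION%%=*}
        SSH_VALUE=${SSH_OPTION#*=}
        PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
        does_pattern_exist_in_file "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE"
            continue
        fi
        warn "$PATTERN is not present in $FILE, adding it"
        does_pattern_exist_in_file "$FILE" "^$SSH_PARAM"
        if [ "$FNRET" != 0 ]; then
            add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
        else
            info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
            # rewrite the whole existing line whatever value it carried
            replace_in_file "$FILE" "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
        fi
    done
}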
# This function will check config parameters required
check_config() {
    # nothing to validate: this check takes no configuration parameters
    return 0
}
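# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    # shellcheck disable=SC1091
    . /etc/default/cis-hardening
fi
# ${VAR:-} keeps this message reachable under 'set -u': a bare $CIS_ROOT_DIR
# aborted the shell with "unbound variable" before it could be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# path quoted so a root directory containing blanks or glob characters stays one word
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    # shellcheck disable=SC1091
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi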
================================================
FILE: bin/hardening/10.2_disable_system_accounts.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 10.2 Disable System Accounts (Scored)
#
set -o errexit   # One error, it's over
set -o nounset   # One variable unset, it's over
HARDENING_LEVEL=3
# NOTE: this overwrites the SHELL variable for the rest of the script (and,
# if SHELL is exported, for anything it spawns); kept because audit/apply read it.
SHELL='/bin/false'
FILE='/etc/passwd'
RESULT=''
# This function will be called if the script status is on enabled / audit mode
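audit () {
    local LINE ACCOUNT KEPT=''
    info "Checking if admin accounts have a login shell different than $SHELL"
    # system accounts (uid < 1000) other than root/sync/shutdown/halt whose
    # shell is neither /bin/false nor a nologin binary; '^\+' skips NIS
    # compat entries
    RESULT=$(grep -Ev '^\+' "$FILE" | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false" && $7!="/sbin/nologin") {print}')
    # per-line loop with a loop-scoped IFS; the previous global IFS=$'\n'
    # leaked into everything that ran after this function
    while IFS= read -r LINE; do
        [ -n "$LINE" ] || continue
        debug "line : $LINE"
        ACCOUNT=${LINE%%:*}
        debug "Account : $ACCOUNT"
        debug "Exceptions : $EXCEPTIONS"
        # exact-name match against EXCEPTIONS (assumed whitespace- or
        # comma-separated -- confirm against create_config); the previous
        # substring grep let an exception such as "bin" excuse any account
        # whose name merely contained it
        if tr -s ' ,' '\n' <<< "$EXCEPTIONS" | grep -qxF -- "$ACCOUNT"; then
            debug "$ACCOUNT is confirmed as an exception"
        else
            debug "$ACCOUNT not found in exceptions"
            KEPT+="$LINE"$'\n'
        fi
    done <<< "$RESULT"
    RESULT=${KEPT%$'\n'}
    if [ -n "$RESULT" ]; then
        crit "Some admin accounts don't have $SHELL as their login shell"
        crit "$RESULT"
    else
        ok "All admin accounts deactivated"
    fi
}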
# This function will be called if the script status is on enabled mode
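apply () {
    local LINE ACCOUNT USER KEPT=''
    # same selection as audit(); '/sbin/nologin' added so apply does not
    # touch accounts that audit already accepts
    RESULT=$(grep -Ev '^\+' "$FILE" | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false" && $7!="/sbin/nologin") {print}')
    # per-line loop with a loop-scoped IFS; the previous global IFS=$'\n'
    # leaked into everything that ran after this function
    while IFS= read -r LINE; do
        [ -n "$LINE" ] || continue
        debug "line : $LINE"
        ACCOUNT=${LINE%%:*}
        debug "Account : $ACCOUNT"
        debug "Exceptions : $EXCEPTIONS"
        # exact-name match against EXCEPTIONS (assumed whitespace- or
        # comma-separated -- confirm against create_config); a substring
        # match would skip accounts that merely contain an exception's name
        if tr -s ' ,' '\n' <<< "$EXCEPTIONS" | grep -qxF -- "$ACCOUNT"; then
            debug "$ACCOUNT is confirmed as an exception"
        else
            debug "$ACCOUNT not found in exceptions"
            KEPT+="$LINE"$'\n'
        fi
    done <<< "$RESULT"
    RESULT=${KEPT%$'\n'}
    if [ -n "$RESULT" ]; then
        warn "Some admin accounts don't have $SHELL as their login shell -- Fixing"
        warn "$RESULT"
        while IFS= read -r LINE; do
            USER=${LINE%%:*}
            info "Setting $SHELL as $USER login shell"
            usermod -s "$SHELL" "$USER"
        done <<< "$RESULT"
    else
        ok "All admin accounts deactivated, nothing to apply"
    fi
}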
# This function will create the config file for this check with default values
create_config() {
cat < $FILE
else
ok "$PATTERN is not present in $FILE"
fi
done
}
# This function will check config parameters required
check_config() {
    # nothing to validate: this check takes no configuration parameters
    return 0
}
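# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    # shellcheck disable=SC1091
    . /etc/default/cis-hardening
fi
# ${VAR:-} keeps this message reachable under 'set -u': a bare $CIS_ROOT_DIR
# aborted the shell with "unbound variable" before it could be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# path quoted so a root directory containing blanks or glob characters stays one word
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    # shellcheck disable=SC1091
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi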
================================================
FILE: bin/hardening/12.10_find_suid_files.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 or CentOS 8 Hardening
#
#
# 12.10 Find SUID System Executables (Not Scored)
#
# set -e # One error, it's over, for some user to audit desktop even
# One variable unset, it's over
set -o nounset   # an unset variable aborts the script (errexit deliberately left off, see above)
HARDENING_LEVEL=2
# This function will be called if the script status is on enabled / audit mode
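audit () {
    local BINARY FORMATTED_RESULT
    info "Checking if there are suid files"
    # every local mount point (df column 6, header dropped), each searched
    # without crossing filesystems; SUDO_CMD is left unquoted on purpose so
    # an empty value adds no argument
    # shellcheck disable=SC2086
    RESULT=$(df --local -P | awk 'NR!=1 {print $6}' | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type f -perm -4000 -print)
    # RESULT is whitespace-separated (the report below assumes paths without
    # blanks as well), so plain word splitting is the intended iteration
    for BINARY in $RESULT; do
        # exact-path match against EXCEPTIONS (assumed whitespace- or
        # comma-separated -- confirm against create_config); the previous
        # unanchored grep let an exception such as /usr/bin/sudo silently
        # excuse /usr/bin/su as well
        if tr -s ' ,' '\n' <<< "$EXCEPTIONS" | grep -qxF -- "$BINARY"; then
            debug "$BINARY is confirmed as an exception"
            RESULT=$(grep -vxF -- "$BINARY" <<< "$RESULT")
        fi
    done
    if [ -n "$RESULT" ]; then
        crit "Some suid files are present"
        # one path per line, deduplicated, joined back with blanks for the report
        FORMATTED_RESULT=$(tr ' ' '\n' <<< "$RESULT" | sort -u | tr '\n' ' ')
        crit "$FORMATTED_RESULT"
        FNRET=1
    else
        ok "No unknown suid files found"
        FNRET=0
    fi
}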
# This function will be called if the script status is on enabled mode
apply () {
    # SUID bits are never stripped automatically; the finding is only reported.
    if [ "$FNRET" != 1 ]; then
        ok "No unknown suid files found"
        return 0
    fi
    warn "Removing suid on valid binary may seriously harm your system, report only here, need a manual fix."
}
# This function will create the config file for this check with default values
create_config() {
cat </dev/null)
if [ ! -z "$RESULT" ]; then
crit "Some world writable files are present"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT"
else
ok "No world writable files found"
fi
}
# This function will be called if the script status is on enabled mode
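apply () {
    # local mount points only (df column 6, header dropped); -xdev keeps each
    # find inside its own filesystem
    RESULT=$(df --local -P | awk 'NR!=1 {print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
    if [ -n "$RESULT" ]; then
        warn "chmoding o-w all files in the system"
        # NUL-delimited hand-off: a path containing blanks or newlines is one
        # chmod argument instead of being split into several (wrong) targets
        df --local -P | awk 'NR!=1 {print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print0 2>/dev/null | xargs -0 chmod o-w
    else
        ok "No world writable files found, nothing to apply"
    fi
}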
# This function will check config parameters required
check_config() {
    # No param for this function
    return 0
}
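# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    # shellcheck disable=SC1091
    . /etc/default/cis-hardening
fi
# ${VAR:-} keeps this message reachable under 'set -u': a bare $CIS_ROOT_DIR
# aborted the shell with "unbound variable" before it could be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# path quoted so a root directory containing blanks or glob characters stays one word
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    # shellcheck disable=SC1091
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi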
================================================
FILE: bin/hardening/12.8_find_unowned_files.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12/13 or CentOS 8 Hardening
#
#
# 12.8 Find Un-owned Files and Directories (Scored)
#
set -o nounset   # One variable unset, it's over
HARDENING_LEVEL=2
# owner given to unowned files by apply(); note this overwrites the USER variable
USER='root'
# This function will be called if the script status is on enabled / audit mode
audit () {
    local FORMATTED_RESULT
    info "Checking if there are unowned files"
    # one find per local mount point (df column 6, header dropped), never
    # crossing filesystems; SUDO_CMD stays unquoted so an empty value vanishes
    # shellcheck disable=SC2086
    RESULT=$(df --local -P | awk 'NR!=1 {print $6}' | xargs -I '{}' $SUDO_CMD find '{}' -xdev -nouser -print 2>/dev/null)
    if [ -z "$RESULT" ]; then
        ok "No unowned files found"
        return 0
    fi
    crit "Some unowned files are present"
    # one path per line, deduplicated, joined back with blanks for the report
    FORMATTED_RESULT=$(tr ' ' '\n' <<< "$RESULT" | sort -u | tr '\n' ' ')
    crit "$FORMATTED_RESULT"
}
# This function will be called if the script status is on enabled mode
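apply () {
    # local mount points only (df column 6, header dropped); -xdev keeps each
    # find inside its own filesystem
    RESULT=$(df --local -P | awk 'NR!=1 {print $6}' | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
    if [ -n "$RESULT" ]; then
        warn "Applying chown on all unowned files in the system"
        # -print0/-0: a path with blanks is one argument. chown -h acts on the
        # entry find matched; without it an unowned symlink stayed unowned
        # while the ownership of whatever it pointed at was changed instead.
        df --local -P | awk 'NR!=1 {print $6}' | xargs -I '{}' find '{}' -xdev -nouser -print0 2>/dev/null | xargs -0 chown -h "$USER"
    else
        ok "No unowned files found, nothing to apply"
    fi
}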
# This function will check config parameters required
check_config() {
    # No param for this function
    return 0
}
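# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    # shellcheck disable=SC1091
    . /etc/default/cis-hardening
fi
# ${VAR:-} keeps this message reachable under 'set -u': a bare $CIS_ROOT_DIR
# aborted the shell with "unbound variable" before it could be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# path quoted so a root directory containing blanks or glob characters stays one word
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    # shellcheck disable=SC1091
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi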
================================================
FILE: bin/hardening/12.9_find_ungrouped_files.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12/13 or CentOS 8 Hardening
#
#
# 12.9 Find Un-grouped Files and Directories (Scored)
#
set -o nounset   # One variable unset, it's over
HARDENING_LEVEL=2
# group given to ungrouped files by apply()
GROUP='root'
# This function will be called if the script status is on enabled / audit mode
audit () {
    local FORMATTED_RESULT
    info "Checking if there are ungrouped files"
    # one find per local mount point (df column 6, header dropped), never
    # crossing filesystems; SUDO_CMD stays unquoted so an empty value vanishes
    # shellcheck disable=SC2086
    RESULT=$(df --local -P | awk 'NR!=1 {print $6}' | xargs -I '{}' $SUDO_CMD find '{}' -xdev -nogroup -print 2>/dev/null)
    if [ -z "$RESULT" ]; then
        ok "No ungrouped files found"
        return 0
    fi
    crit "Some ungrouped files are present"
    # one path per line, deduplicated, joined back with blanks for the report
    FORMATTED_RESULT=$(tr ' ' '\n' <<< "$RESULT" | sort -u | tr '\n' ' ')
    crit "$FORMATTED_RESULT"
}
# This function will be called if the script status is on enabled mode
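apply () {
    # local mount points only (df column 6, header dropped); -xdev keeps each
    # find inside its own filesystem
    RESULT=$(df --local -P | awk 'NR!=1 {print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
    if [ -n "$RESULT" ]; then
        warn "Applying chgrp on all ungrouped files in the system"
        # -print0/-0: a path with blanks is one argument. chgrp -h acts on the
        # entry find matched; without it an ungrouped symlink stayed
        # ungrouped while the group of whatever it pointed at was changed.
        df --local -P | awk 'NR!=1 {print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -print0 2>/dev/null | xargs -0 chgrp -h "$GROUP"
    else
        ok "No ungrouped files found, nothing to apply"
    fi
}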
# This function will check config parameters required
check_config() {
    # No param for this function
    return 0
}
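# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    # shellcheck disable=SC1091
    . /etc/default/cis-hardening
fi
# ${VAR:-} keeps this message reachable under 'set -u': a bare $CIS_ROOT_DIR
# aborted the shell with "unbound variable" before it could be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# path quoted so a root directory containing blanks or glob characters stays one word
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    # shellcheck disable=SC1091
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi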
================================================
FILE: bin/hardening/13.10_find_user_rhosts_files.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 13.10 Check for Presence of User .rhosts Files (Scored)
#
set -o errexit   # One error, it's over
set -o nounset   # One variable unset, it's over
HARDENING_LEVEL=2
# running count of findings, incremented by audit()
ERRORS=0
FILENAME='.rhosts'
# This function will be called if the script status is on enabled / audit mode
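audit () {
    local DIR FILE
    # Home directories of login-capable accounts. root/halt/sync/shutdown are
    # excluded by user name: the previous unanchored egrep also dropped any
    # passwd line merely containing those words (GECOS, home path...). The
    # '$7 != "/nonexistent"' shell test is kept as the original wrote it.
    # Reading line by line keeps a home path with blanks in one piece.
    while IFS= read -r DIR; do
        [ -n "$DIR" ] || continue
        debug "Working on $DIR"
        FILE="$DIR/$FILENAME"
        # a regular file only; a symlink named .rhosts is not counted
        if [ ! -h "$FILE" ] && [ -f "$FILE" ]; then
            crit "$FILE present"
            ERRORS=$((ERRORS+1))
        fi
    done < <(awk -F: '$1 !~ /^(root|halt|sync|shutdown)$/ && $7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 != "/nonexistent" { print $6 }' /etc/passwd)
    if [ "$ERRORS" = 0 ]; then
        ok "No $FILENAME present in users home directory"
    fi
}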
# This function will be called if the script status is on enabled mode
apply () {
    # report-only check: nothing is changed automatically
    local NOTE="If the audit returns something, please check with the user why he has this file"
    info "$NOTE"
}
# This function will check config parameters required
check_config() {
    # nothing to validate: this check takes no configuration parameters
    return 0
}
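# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    # shellcheck disable=SC1091
    . /etc/default/cis-hardening
fi
# ${VAR:-} keeps this message reachable under 'set -u': a bare $CIS_ROOT_DIR
# aborted the shell with "unbound variable" before it could be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# path quoted so a root directory containing blanks or glob characters stays one word
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    # shellcheck disable=SC1091
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi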
================================================
FILE: bin/hardening/13.11_find_passwd_group_inconsistencies.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 13.11 Check Groups in /etc/passwd (Scored)
#
set -o errexit   # One error, it's over
set -o nounset   # One variable unset, it's over
HARDENING_LEVEL=2
# running count of findings, incremented by audit()
ERRORS=0
# This function will be called if the script status is on enabled / audit mode
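audit () {
    local GROUP
    # primary GIDs referenced by passwd (field 4), deduplicated
    for GROUP in $(cut -s -d: -f4 /etc/passwd | sort -u); do
        debug "Working on group $GROUP"
        # anchored on the GID field of /etc/group (name:pass:gid:members);
        # plain ERE instead of -P, which needs a PCRE-enabled grep
        if ! grep -q -E "^[^:]*:[^:]*:$GROUP:" /etc/group; then
            crit "Group $GROUP is referenced by /etc/passwd but does not exist in /etc/group"
            ERRORS=$((ERRORS+1))
        fi
    done
    if [ "$ERRORS" = 0 ]; then
        ok "passwd and group Groups are consistent"
    fi
}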
# This function will be called if the script status is on enabled mode
apply () {
    # report-only check: nothing is changed automatically
    local NOTE="Solving passwd and group consistency automatically may seriously harm your system, report only here"
    info "$NOTE"
}
# This function will check config parameters required
check_config() {
    # nothing to validate: this check takes no configuration parameters
    return 0
}
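# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    # shellcheck disable=SC1091
    . /etc/default/cis-hardening
fi
# ${VAR:-} keeps this message reachable under 'set -u': a bare $CIS_ROOT_DIR
# aborted the shell with "unbound variable" before it could be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# path quoted so a root directory containing blanks or glob characters stays one word
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    # shellcheck disable=SC1091
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi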
================================================
FILE: bin/hardening/13.12_users_valid_homedir.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 13.12 Check That Users Are Assigned Valid Home Directories (Scored)
#
set -o errexit   # One error, it's over
set -o nounset   # One variable unset, it's over
HARDENING_LEVEL=2
# running count of findings, incremented by audit()
ERRORS=0
# This function will be called if the script status is on enabled / audit mode
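audit () {
    local USER USERID DIR
    # name:uid:home read straight from passwd with IFS=:, so a home path
    # containing blanks stays one field (the previous whitespace-split loop
    # broke it apart) and no awk is spawned per user
    while IFS=: read -r USER _ USERID _ _ DIR _; do
        debug "Working on $USER:$USERID:$DIR"
        # regular users (uid >= 1000) whose home is missing; nobody/nfsnobody
        # legitimately have none
        if [ "$USERID" -ge 1000 ] && [ ! -d "$DIR" ] && [ "$USER" != "nfsnobody" ] && [ "$USER" != "nobody" ]; then
            crit "The home directory ($DIR) of user $USER does not exist."
            ERRORS=$((ERRORS+1))
        fi
    done < /etc/passwd
    if [ "$ERRORS" = 0 ]; then
        ok "All home directories exists"
    fi
}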
# This function will be called if the script status is on enabled mode
apply () {
    # report-only check: nothing is changed automatically
    local NOTE="Modifying home directories may seriously harm your system, report only here"
    info "$NOTE"
}
# This function will check config parameters required
check_config() {
    # nothing to validate: this check takes no configuration parameters
    return 0
}
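# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    # shellcheck disable=SC1091
    . /etc/default/cis-hardening
fi
# ${VAR:-} keeps this message reachable under 'set -u': a bare $CIS_ROOT_DIR
# aborted the shell with "unbound variable" before it could be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# path quoted so a root directory containing blanks or glob characters stays one word
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    # shellcheck disable=SC1091
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi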
================================================
FILE: bin/hardening/13.13_check_user_homedir_ownership.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 13.13 Check User Home Directory Ownership (Scored)
#
set -o errexit   # One error, it's over
set -o nounset   # One variable unset, it's over
HARDENING_LEVEL=2
# running count of findings, incremented by audit()
ERRORS=0
# This function will be called if the script status is on enabled / audit mode
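audit () {
    local USER USERID DIR OWNER
    # name:uid:home read straight from passwd with IFS=:, so a home path
    # containing blanks stays one field (the previous whitespace-split loop
    # broke it apart) and no awk is spawned per user
    while IFS=: read -r USER _ USERID _ _ DIR _; do
        debug "Working on $USER:$USERID:$DIR"
        # real users (uid >= 500) with an existing home other than /; nfsnobody is exempt
        if [ "$USERID" -ge 500 ] && [ -d "$DIR" ] && [ "$USER" != "nfsnobody" ] && [ "$DIR" != '/' ]; then
            # -L: if $DIR is a symlink, judge the directory it points to
            OWNER=$(stat -L -c "%U" "$DIR")
            if [ "$OWNER" != "$USER" ]; then
                crit "The home directory ($DIR) of user $USER is owned by $OWNER."
                ERRORS=$((ERRORS+1))
            fi
        fi
    done < /etc/passwd
    if [ "$ERRORS" = 0 ]; then
        ok "All home directories have correct ownership"
    fi
}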
# This function will be called if the script status is on enabled mode
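apply () {
    local USER USERID DIR OWNER
    # name:uid:home read straight from passwd with IFS=:, so a home path
    # containing blanks stays one field; the previous whitespace-split read
    # handed chown a truncated path
    while IFS=: read -r USER _ USERID _ _ DIR _; do
        if [ "$USERID" -ge 500 ] && [ -d "$DIR" ] && [ "$USER" != "nfsnobody" ] && [ "$DIR" != '/' ]; then
            # -L: if $DIR is a symlink, judge the directory it points to
            OWNER=$(stat -L -c "%U" "$DIR")
            if [ "$OWNER" != "$USER" ]; then
                warn "The home directory ($DIR) of user $USER is owned by $OWNER."
                chown "$USER" "$DIR"
            fi
        fi
    done < /etc/passwd
}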
# This function will check config parameters required
check_config() {
    # nothing to validate: this check takes no configuration parameters
    return 0
}
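# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    # shellcheck disable=SC1091
    . /etc/default/cis-hardening
fi
# ${VAR:-} keeps this message reachable under 'set -u': a bare $CIS_ROOT_DIR
# aborted the shell with "unbound variable" before it could be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# path quoted so a root directory containing blanks or glob characters stays one word
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    # shellcheck disable=SC1091
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi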
================================================
FILE: bin/hardening/13.14_check_duplicate_uid.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 13.14 Check for Duplicate UIDs (Scored)
#
set -o errexit   # One error, it's over
set -o nounset   # One variable unset, it's over
HARDENING_LEVEL=2
# running count of findings, incremented by audit()
ERRORS=0
# This function will be called if the script status is on enabled / audit mode
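audit () {
    local USERID USERS
    # uniq -d yields each UID (passwd field 3) that occurs more than once,
    # replacing the uniq -c count plus per-line awk parsing
    for USERID in $(awk -F: '{print $3}' /etc/passwd | sort -n | uniq -d); do
        debug "Working on duplicate uid $USERID"
        # login names sharing that UID, space-joined for the message
        USERS=$(awk -F: -v n="$USERID" '$3 == n { print $1 }' /etc/passwd | xargs)
        ERRORS=$((ERRORS+1))
        crit "Duplicate UID ($USERID): ${USERS}"
    done
    if [ "$ERRORS" = 0 ]; then
        ok "No duplicate UIDs"
    fi
}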
# This function will be called if the script status is on enabled mode
apply () {
    # report-only check: nothing is changed automatically
    local NOTE="Editing automatically uids may seriously harm your system, report only here"
    info "$NOTE"
}
# This function will check config parameters required
check_config() {
    # nothing to validate: this check takes no configuration parameters
    return 0
}
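# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    # shellcheck disable=SC1091
    . /etc/default/cis-hardening
fi
# ${VAR:-} keeps this message reachable under 'set -u': a bare $CIS_ROOT_DIR
# aborted the shell with "unbound variable" before it could be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# path quoted so a root directory containing blanks or glob characters stays one word
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    # shellcheck disable=SC1091
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi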
================================================
FILE: bin/hardening/13.15_check_duplicate_gid.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 13.15 Check for Duplicate GIDs (Scored)
#
set -o errexit   # One error, it's over
set -o nounset   # One variable unset, it's over
HARDENING_LEVEL=2
# running count of findings, incremented by audit()
ERRORS=0
# This function will be called if the script status is on enabled / audit mode
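audit () {
    local GROUPID GROUP_NAMES
    # uniq -d yields each GID (group field 3) that occurs more than once,
    # replacing the uniq -c count plus per-line awk parsing
    for GROUPID in $(awk -F: '{print $3}' /etc/group | sort -n | uniq -d); do
        debug "Working on duplicate gid $GROUPID"
        # group names sharing that GID; the lookup previously read
        # /etc/passwd (users whose primary gid matched), not /etc/group
        GROUP_NAMES=$(awk -F: -v n="$GROUPID" '$3 == n { print $1 }' /etc/group | xargs)
        ERRORS=$((ERRORS+1))
        crit "Duplicate GID ($GROUPID): ${GROUP_NAMES}"
    done
    if [ "$ERRORS" = 0 ]; then
        ok "No duplicate GIDs"
    fi
}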
# This function will be called if the script status is on enabled mode
apply () {
    # report-only check: nothing is changed automatically
    local NOTE="Editing automatically gids may seriously harm your system, report only here"
    info "$NOTE"
}
# This function will check config parameters required
check_config() {
    # nothing to validate: this check takes no configuration parameters
    return 0
}
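# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    # shellcheck disable=SC1091
    . /etc/default/cis-hardening
fi
# ${VAR:-} keeps this message reachable under 'set -u': a bare $CIS_ROOT_DIR
# aborted the shell with "unbound variable" before it could be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# path quoted so a root directory containing blanks or glob characters stays one word
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    # shellcheck disable=SC1091
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi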
================================================
FILE: bin/hardening/13.16_check_duplicate_username.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 13.16 Check for Duplicate User Names (Scored)
#
set -eu # abort on the first failing command and on any unset variable
HARDENING_LEVEL=1 # hardening level tag read by the framework (lib/main.sh, not shown here)
ERRORS=0 # incremented by audit() once per duplicate user name found
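# This function will be called if the script status is on enabled / audit mode
# Reports every user name that appears more than once in /etc/passwd and
# counts each duplicate in the global ERRORS.
audit () {
    local LINE OCC_NUMBER USERNAME
    # Plain sort: user names are strings, a numeric sort adds nothing for uniq.
    # uniq -c yields "<count> <name>"; awk folds each line to "count:name"
    RESULT=$(cut -f1 -d":" /etc/passwd | sort | uniq -c | awk '{print $1":"$2}')
    for LINE in $RESULT; do
        debug "Working on line $LINE"
        OCC_NUMBER=${LINE%%:*}
        USERNAME=${LINE#*:}
        if [ "$OCC_NUMBER" -gt 1 ]; then
            # The former USERS lookup compared the UID field with a user name and
            # was never printed; it has been dropped.
            ERRORS=$((ERRORS+1))
            crit "Duplicate username $USERNAME"
        fi
    done
    if [ "$ERRORS" -eq 0 ]; then
        ok "No duplicate usernames"
    fi
}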
# This function will be called if the script status is on enabled mode
# Report-only: duplicate user names are never rewritten automatically.
apply () {
    local MSG
    MSG="Editing automatically username may seriously harm your system, report only here"
    info "$MSG"
}
# This function will check config parameters required
# No parameters are needed for this check, so it always succeeds.
check_config() {
    return 0
}
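# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# CIS_ROOT_DIR is quoted so a root directory containing whitespace is tested and sourced as one path
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi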
================================================
FILE: bin/hardening/13.17_check_duplicate_groupname.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 13.17 Check for Duplicate Group Names (Scored)
#
set -eu # abort on the first failing command and on any unset variable
HARDENING_LEVEL=1 # hardening level tag read by the framework (lib/main.sh, not shown here)
ERRORS=0 # incremented by audit() once per duplicate group name found
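# This function will be called if the script status is on enabled / audit mode
# Reports every group name that appears more than once in /etc/group and
# counts each duplicate in the global ERRORS.
audit () {
    local LINE OCC_NUMBER GROUPNAME
    # Plain sort: group names are strings, a numeric sort adds nothing for uniq.
    # uniq -c yields "<count> <name>"; awk folds each line to "count:name"
    RESULT=$(cut -f1 -d":" /etc/group | sort | uniq -c | awk '{print $1":"$2}')
    for LINE in $RESULT; do
        debug "Working on line $LINE"
        OCC_NUMBER=${LINE%%:*}
        GROUPNAME=${LINE#*:}
        if [ "$OCC_NUMBER" -gt 1 ]; then
            # The former USERS lookup compared the passwd UID field with a group
            # name and was never printed; it has been dropped.
            ERRORS=$((ERRORS+1))
            crit "Duplicate groupname $GROUPNAME"
        fi
    done
    if [ "$ERRORS" -eq 0 ]; then
        ok "No duplicate groupnames"
    fi
}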
# This function will be called if the script status is on enabled mode
# Report-only: duplicate group names are never rewritten automatically.
apply () {
    local MSG
    MSG="Editing automatically groupname may seriously harm your system, report only here"
    info "$MSG"
}
# This function will check config parameters required
# No parameters are needed for this check, so it always succeeds.
check_config() {
    return 0
}
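# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# CIS_ROOT_DIR is quoted so a root directory containing whitespace is tested and sourced as one path
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi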
================================================
FILE: bin/hardening/13.18_find_user_netrc_files.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 13.18 Check for Presence of User .netrc Files (Scored)
#
set -eu # abort on the first failing command and on any unset variable
HARDENING_LEVEL=2 # hardening level tag read by the framework (lib/main.sh, not shown here)
ERRORS=0 # incremented by audit() once per offending file found
FILENAME=.netrc # file looked for in every interactive user's home directory
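# This function will be called if the script status is on enabled / audit mode
# Flags a regular $FILENAME in the home directory of every account that is not
# one of root/halt/sync/shutdown and has a login-capable shell; each hit is a
# crit and increments the global ERRORS.
audit () {
    local NAME HOMEDIR USERSHELL FILE
    # Read /etc/passwd field by field on fd 3 (so the helpers cannot swallow
    # stdin). This replaces "for DIR in $(...)", which word-split home
    # directories containing spaces, and an "egrep -v" whose substring match
    # also skipped any unrelated line merely containing e.g. "sync".
    while IFS=: read -r NAME _ _ _ _ HOMEDIR USERSHELL <&3; do
        case "$NAME" in
            root|halt|sync|shutdown) continue ;;
        esac
        # Same shell exclusions as before; /nonexistent is kept for compatibility
        case "$USERSHELL" in
            /usr/sbin/nologin|/bin/false|/nonexistent) continue ;;
        esac
        debug "Working on $HOMEDIR"
        FILE="$HOMEDIR/$FILENAME"
        # Only a regular file counts; a symlink of that name is ignored as before
        if [ ! -h "$FILE" ] && [ -f "$FILE" ]; then
            crit "$FILE present"
            ERRORS=$((ERRORS+1))
        fi
    done 3< /etc/passwd
    if [ "$ERRORS" -eq 0 ]; then
        ok "No $FILENAME present in users home directory"
    fi
}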
# This function will be called if the script status is on enabled mode
# Report-only: the file is left in place for the user to explain.
apply () {
    local MSG
    MSG="If the audit returns something, please check with the user why he has this file"
    info "$MSG"
}
# This function will check config parameters required
# No parameters are needed for this check, so it always succeeds.
check_config() {
    return 0
}
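# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# CIS_ROOT_DIR is quoted so a root directory containing whitespace is tested and sourced as one path
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi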
================================================
FILE: bin/hardening/13.19_find_user_forward_files.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 13.19 Check for Presence of User .forward Files (Scored)
#
set -eu # abort on the first failing command and on any unset variable
HARDENING_LEVEL=2 # hardening level tag read by the framework (lib/main.sh, not shown here)
ERRORS=0 # incremented by audit() once per offending file found
FILENAME=.forward # file looked for in every interactive user's home directory
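# This function will be called if the script status is on enabled / audit mode
# Flags a regular $FILENAME in the home directory of every account that is not
# one of root/halt/sync/shutdown and has a login-capable shell; each hit is a
# crit and increments the global ERRORS.
audit () {
    local NAME HOMEDIR USERSHELL FILE
    # Read /etc/passwd field by field on fd 3 (so the helpers cannot swallow
    # stdin). This replaces "for DIR in $(...)", which word-split home
    # directories containing spaces, and an "egrep -v" whose substring match
    # also skipped any unrelated line merely containing e.g. "sync".
    while IFS=: read -r NAME _ _ _ _ HOMEDIR USERSHELL <&3; do
        case "$NAME" in
            root|halt|sync|shutdown) continue ;;
        esac
        # Same shell exclusions as before; /nonexistent is kept for compatibility
        case "$USERSHELL" in
            /usr/sbin/nologin|/bin/false|/nonexistent) continue ;;
        esac
        debug "Working on $HOMEDIR"
        FILE="$HOMEDIR/$FILENAME"
        # Only a regular file counts; a symlink of that name is ignored as before
        if [ ! -h "$FILE" ] && [ -f "$FILE" ]; then
            crit "$FILE present"
            ERRORS=$((ERRORS+1))
        fi
    done 3< /etc/passwd
    if [ "$ERRORS" -eq 0 ]; then
        ok "No $FILENAME present in users home directory"
    fi
}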
# This function will be called if the script status is on enabled mode
# Report-only: the file is left in place for the user to explain.
apply () {
    local MSG
    MSG="If the audit returns something, please check with the user why he has this file"
    info "$MSG"
}
# This function will check config parameters required
# No parameters are needed for this check, so it always succeeds.
check_config() {
    return 0
}
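# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# CIS_ROOT_DIR is quoted so a root directory containing whitespace is tested and sourced as one path
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi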
================================================
FILE: bin/hardening/13.1_remove_empty_password_field.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 13.1 Ensure Password Fields are Not Empty (Scored)
#
set -eu # abort on the first failing command and on any unset variable
HARDENING_LEVEL=1 # hardening level tag read by the framework (lib/main.sh, not shown here)
FILE=/etc/shadow # password hashes live in field 2 of this file
# This function will be called if the script status is on enabled / audit mode
# Lists the accounts whose shadow password field is empty; $SUDO_CMD is kept
# in front of cat because $FILE is normally readable by root only.
audit () {
    info "Checking if accounts have an empty password"
    RESULT=$($SUDO_CMD cat "$FILE" | awk -F: '($2 == "" ) { print $1 }')
    if [ -z "$RESULT" ]; then
        ok "All accounts have a password"
        return
    fi
    crit "Some accounts have an empty password"
    # Left unquoted as in the sibling checks: each account becomes its own argument
    crit $RESULT
}
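# This function will be called if the script status is on enabled mode
# Locks every account whose shadow password field is empty. A lock that fails
# is reported and the loop goes on, instead of set -e aborting the whole run
# with the error hidden behind the >/dev/null 2>&1 redirection.
apply () {
    local ACCOUNT
    RESULT=$(awk -F: '($2 == "" ) { print $1 }' "$FILE")
    if [ -n "$RESULT" ]; then
        warn "Some accounts have an empty password"
        for ACCOUNT in $RESULT; do
            info "Locking $ACCOUNT"
            if ! passwd -l "$ACCOUNT" >/dev/null 2>&1; then
                warn "Failed to lock $ACCOUNT"
            fi
        done
    else
        ok "All accounts have a password"
    fi
}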
# This function will check config parameters required
# No parameters are needed for this check, so it always succeeds.
check_config() {
    return 0
}
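# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# CIS_ROOT_DIR is quoted so a root directory containing whitespace is tested and sourced as one path
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi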
================================================
FILE: bin/hardening/13.20_shadow_group_empty.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 13.20 Ensure shadow group is empty (Scored)
#
set -eu # abort on the first failing command and on any unset variable
HARDENING_LEVEL=1 # hardening level tag read by the framework (lib/main.sh, not shown here)
ERRORS=0
FILEGROUP=/etc/group
# Matches the shadow group line; field 4 (after the GID) holds its members
PATTERN="^shadow:x:[[:digit:]]+:"
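# This function will be called if the script status is on enabled / audit mode
# Leaves the verdict in FNRET: 0 = shadow group present and unused,
# 1 = accounts are listed as members, 2 = accounts use it as primary group,
# 3 = the group is missing. On CentOS 8 (OS_RELEASE 2) the group does not
# exist by design and the check passes.
audit () {
    if [ "$OS_RELEASE" -eq 1 ]; then
        # PATTERN contains a bracket expression, so it must be quoted to escape globbing
        does_pattern_exist_in_file "$FILEGROUP" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            info "shadow group exists"
            RESULT=$(grep -E "$PATTERN" "$FILEGROUP" | cut -d: -f4)
            GROUPID=$(getent group shadow | cut -d: -f3)
            debug "$RESULT $GROUPID"
            FNRET=0
            if [ -n "$RESULT" ]; then
                crit "Some users belong to shadow group: $RESULT"
                FNRET=1
            else
                ok "No user belongs to shadow group"
            fi
            info "Checking if a user has $GROUPID as primary group"
            RESULT=$(awk -F: '($4 == shadowid) { print $1 }' shadowid="$GROUPID" /etc/passwd)
            if [ -n "$RESULT" ]; then
                crit "Some users have shadow id as their primary group: $RESULT"
                FNRET=2
            else
                # No FNRET=0 here on purpose: resetting it discarded a membership
                # finding from the first check and made apply() report "Pass."
                ok "No user has shadow id as their primary group"
            fi
        else
            crit "shadow group doesn't exist"
            FNRET=3
        fi
    elif [ "$OS_RELEASE" -eq 2 ]; then
        ok "shadow group doesn't exist in CentOS 8"
        FNRET=0
    else
        :
    fi
}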
# This function will be called if the script status is on enabled mode
# Report-only: group membership is never rewritten automatically.
apply () {
    if [ "$FNRET" != 0 ]; then
        warn "Editing automatically users/groups may seriously harm your system, report only here"
    else
        ok "Pass."
    fi
}
# This function will check config parameters required
# No parameters are needed for this check, so it always succeeds.
check_config() {
    return 0
}
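# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# CIS_ROOT_DIR is quoted so a root directory containing whitespace is tested and sourced as one path
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi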
================================================
FILE: bin/hardening/13.2_remove_legacy_passwd_entries.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 13.2 Verify No Legacy "+" Entries Exist in /etc/passwd File (Scored)
#
set -eu # abort on the first failing command and on any unset variable
HARDENING_LEVEL=1 # hardening level tag read by the framework (lib/main.sh, not shown here)
FILE=/etc/passwd # file scanned for legacy "+" entries
RESULT= # filled by audit()/apply() with the matching lines
# This function will be called if the script status is on enabled / audit mode
# Reports any line of $FILE starting with "+:", the NIS-style legacy entry form.
audit () {
    info "Checking if accounts have a legacy password entry"
    if ! grep -q '^+:' "$FILE"; then
        ok "All accounts have a valid password entry format"
        return
    fi
    RESULT=$(grep '^+:' "$FILE")
    crit "Some accounts have a legacy password entry"
    # Left unquoted as in the sibling checks: each entry becomes its own argument
    crit $RESULT
}
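# This function will be called if the script status is on enabled mode
# Deletes every "+:" entry from $FILE. Entries are consumed one per line: the
# previous "for LINE in $RESULT" word-split a line on blanks (e.g. inside the
# GECOS field) and then asked delete_line_in_file to remove fragments.
apply () {
    local LINE
    if grep -q '^+:' "$FILE"; then
        RESULT=$(grep '^+:' "$FILE")
        warn "Some accounts have a legacy password entry"
        # fd 3 keeps the here-string away from stdin used by the helpers
        while IFS= read -r LINE <&3; do
            [ -n "$LINE" ] || continue
            info "Removing $LINE from $FILE"
            delete_line_in_file "$FILE" "$LINE"
        done 3<<< "$RESULT"
    else
        ok "All accounts have a valid password entry format"
    fi
}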
# This function will check config parameters required
# No parameters are needed for this check, so it always succeeds.
check_config() {
    return 0
}
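# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# CIS_ROOT_DIR is quoted so a root directory containing whitespace is tested and sourced as one path
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi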
================================================
FILE: bin/hardening/13.3_remove_legacy_shadow_entries.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 13.3 Verify No Legacy "+" Entries Exist in /etc/shadow File (Scored)
#
set -eu # abort on the first failing command and on any unset variable
HARDENING_LEVEL=1 # hardening level tag read by the framework (lib/main.sh, not shown here)
FILE=/etc/shadow # file scanned for legacy "+" entries
RESULT= # filled by audit()/apply() with the matching lines
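# This function will be called if the script status is on enabled / audit mode
# Reports any line of $FILE starting with "+:", the NIS-style legacy entry form.
audit () {
    info "Checking if accounts have a legacy password entry"
    if $SUDO_CMD grep -q '^+:' "$FILE"; then
        # /etc/shadow is root-only: the second read needs the same $SUDO_CMD as
        # the test above, or an unprivileged audit dies here under set -e
        RESULT=$($SUDO_CMD grep '^+:' "$FILE")
        crit "Some accounts have a legacy password entry"
        # Left unquoted as in the sibling checks: each entry becomes its own argument
        crit $RESULT
    else
        ok "All accounts have a valid password entry format"
    fi
}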
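# This function will be called if the script status is on enabled mode
# Deletes every "+:" entry from $FILE. Entries are consumed one per line: the
# previous "for LINE in $RESULT" word-split a line on blanks and then asked
# delete_line_in_file to remove fragments.
apply () {
    local LINE
    if grep -q '^+:' "$FILE"; then
        RESULT=$(grep '^+:' "$FILE")
        warn "Some accounts have a legacy password entry"
        # fd 3 keeps the here-string away from stdin used by the helpers
        while IFS= read -r LINE <&3; do
            [ -n "$LINE" ] || continue
            info "Removing $LINE from $FILE"
            delete_line_in_file "$FILE" "$LINE"
        done 3<<< "$RESULT"
    else
        ok "All accounts have a valid password entry format"
    fi
}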
# This function will check config parameters required
# No parameters are needed for this check, so it always succeeds.
check_config() {
    return 0
}
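# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# CIS_ROOT_DIR is quoted so a root directory containing whitespace is tested and sourced as one path
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi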
================================================
FILE: bin/hardening/13.4_remove_legacy_group_entries.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 13.4 Verify No Legacy "+" Entries Exist in /etc/group File (Scored)
#
set -eu # abort on the first failing command and on any unset variable
HARDENING_LEVEL=1 # hardening level tag read by the framework (lib/main.sh, not shown here)
FILE=/etc/group # file scanned for legacy "+" entries
RESULT= # filled by audit()/apply() with the matching lines
# This function will be called if the script status is on enabled / audit mode
# Reports any line of $FILE starting with "+:", the NIS-style legacy entry form.
audit () {
    info "Checking if accounts have a legacy group entry"
    if ! grep -q '^+:' "$FILE"; then
        ok "All accounts have a valid group entry format"
        return
    fi
    RESULT=$(grep '^+:' "$FILE")
    crit "Some accounts have a legacy group entry"
    # Left unquoted as in the sibling checks: each entry becomes its own argument
    crit $RESULT
}
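# This function will be called if the script status is on enabled mode
# Deletes every "+:" entry from $FILE. Entries are consumed one per line: the
# previous "for LINE in $RESULT" word-split a line on blanks and then asked
# delete_line_in_file to remove fragments.
apply () {
    local LINE
    if grep -q '^+:' "$FILE"; then
        RESULT=$(grep '^+:' "$FILE")
        warn "Some accounts have a legacy group entry"
        # fd 3 keeps the here-string away from stdin used by the helpers
        while IFS= read -r LINE <&3; do
            [ -n "$LINE" ] || continue
            info "Removing $LINE from $FILE"
            delete_line_in_file "$FILE" "$LINE"
        done 3<<< "$RESULT"
    else
        ok "All accounts have a valid group entry format"
    fi
}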
# This function will check config parameters required
# No parameters are needed for this check, so it always succeeds.
check_config() {
    return 0
}
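# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# CIS_ROOT_DIR is quoted so a root directory containing whitespace is tested and sourced as one path
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi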
================================================
FILE: bin/hardening/13.5_find_0_uid_non_root_account.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 13.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
#
set -eu # abort on the first failing command and on any unset variable
HARDENING_LEVEL=2 # hardening level tag read by the framework (lib/main.sh, not shown here)
FILE=/etc/passwd # file scanned for UID 0 accounts
RESULT= # filled by audit() with the non-root, non-excepted UID 0 accounts
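# This function will be called if the script status is on enabled / audit mode
# Reports every UID 0 account other than root that is not listed in EXCEPTIONS.
# EXCEPTIONS is assumed to be a whitespace-separated list of account names
# (set by the check's config, see create_config below).
audit () {
    local ACCOUNT EXCEPTION IS_EXCEPTION KEPT
    info "Checking if accounts have uid 0"
    RESULT=$(awk -F: '($3 == 0 && $1!="root" ) { print $1 }' "$FILE")
    KEPT=''
    for ACCOUNT in $RESULT; do
        debug "Account : $ACCOUNT"
        debug "Exceptions : $EXCEPTIONS"
        # Whole-name comparison. The former "grep -q $ACCOUNT" on the exception
        # string matched substrings, so an exception such as "admin" silently
        # whitelisted an unrelated UID 0 account "adm", and the sed that pruned
        # the match also mangled other names containing that substring.
        IS_EXCEPTION=0
        for EXCEPTION in $EXCEPTIONS; do
            if [ "$EXCEPTION" = "$ACCOUNT" ]; then
                IS_EXCEPTION=1
                break
            fi
        done
        if [ "$IS_EXCEPTION" -eq 1 ]; then
            debug "$ACCOUNT is confirmed as an exception"
        else
            debug "$ACCOUNT not found in exceptions"
            KEPT="$KEPT $ACCOUNT"
        fi
    done
    RESULT=${KEPT# }
    if [ -n "$RESULT" ]; then
        crit "Some accounts have uid 0"
        # Left unquoted as in the sibling checks: each account becomes its own argument
        crit $RESULT
    else
        ok "No account with uid 0 apart from root and potential configured exceptions"
    fi
}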
# This function will be called if the script status is on enabled mode
# Report-only: UID 0 accounts are never removed automatically.
apply () {
    local MSG
    MSG="Removing accounts with uid 0 may seriously harm your system, report only here"
    info "$MSG"
}
# This function will create the config file for this check with default values
create_config() {
cat < /dev/null
elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
else
warn "/proc/sys/net/netfilter/nf_conntrack_helper is not exist, just set $SYSCTL_PARAM = $SYSCTL_EXP_RESULT to /etc/sysctl.conf"
if [ $(grep "^$SYSCTL_PARAM = $SYSCTL_EXP_RESULT" /etc/sysctl.conf | wc -l) -eq 0 ]; then
echo "$SYSCTL_PARAM = $SYSCTL_EXP_RESULT" >> /etc/sysctl.conf
else
:
fi
fi
fi
}
# This function will create the config file for this check with default values
create_config() {
cat </dev/null)
if [ ! -z "$RESULT" ]; then
crit "Some world writable directories are not on sticky bit mode!"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT"
else
ok "All world writable directories have a sticky bit"
fi
# Check sticky dir group-owned is root
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type d ! -group root \( -perm -0002 -a -perm -1000 \) -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then
crit "Some world writable directories are sticky bit mode, but not group owned is root!"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT"
else
ok "All world writable directories have a sticky bit, and group owner is root."
fi
}
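# This function will be called if the script status is on enabled mode
# Adds the sticky bit to every world-writable directory on local filesystems
# and sets group root on sticky world-writable directories owned by another
# group. Directory names are handed to chmod/chgrp NUL-delimited: the former
# "-print | xargs" broke on names containing blanks or newlines.
apply () {
    local MOUNTPOINTS
    # Local mount points, one per line; awk drops the df header row
    MOUNTPOINTS=$(df --local -P | awk '{if (NR!=1) print $6}')
    RESULT=$(printf '%s\n' "$MOUNTPOINTS" | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
    if [ -n "$RESULT" ]; then
        printf '%s\n' "$MOUNTPOINTS" | xargs -I '{}' find '{}' -xdev -type d -perm -0002 -print0 2>/dev/null | xargs -0 chmod a+t
    else
        ok "All world writable directories have a sticky bit, nothing to apply"
    fi
    RESULT=$(printf '%s\n' "$MOUNTPOINTS" | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type d ! -group root \( -perm -0002 -a -perm -1000 \) -print 2>/dev/null)
    if [ -n "$RESULT" ]; then
        printf '%s\n' "$MOUNTPOINTS" | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type d ! -group root \( -perm -0002 -a -perm -1000 \) -print0 2>/dev/null | xargs -0 chgrp root
    else
        ok "All world writable directories have a sticky bit, and group owner is root."
    fi
}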
# This function will check config parameters required
# No param for this function: it always succeeds.
check_config() {
    return 0
}
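# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# CIS_ROOT_DIR is quoted so a root directory containing whitespace is tested and sourced as one path
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi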
================================================
FILE: bin/hardening/2.18_disable_cramfs.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12/13 Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
# 2.18 Disable Mounting of cramfs Filesystems (Not Scored)
#
set -eu # abort on the first failing command and on any unset variable
HARDENING_LEVEL=2 # hardening level tag read by the framework (lib/main.sh, not shown here)
# modprobe drop-in that receives the blacklist/install lines written by apply()
HARBIAN_SEC_CONF_FILE=/etc/modprobe.d/harbian-security-workaround.conf
KERNEL_OPTION=CONFIG_CRAMFS # kernel config symbol checked by is_kernel_option_enabled
MODULE_NAME=cramfs # module name used in the blacklist
# This function will be called if the script status is on enabled / audit mode
# Passes when the module is compiled out, or is built and blacklisted; crit otherwise.
audit () {
    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
    if [ "$FNRET" != 0 ]; then # FNRET 0 means the option IS enabled
        ok "$MODULE_NAME's kernel option is disabled"
        return
    fi
    debug "$MODULE_NAME's kernel option is enabled"
    check_blacklist_module_set "$MODULE_NAME"
    if [ "$FNRET" = 0 ]; then
        ok "$MODULE_NAME was set to blacklist"
    else
        crit "$MODULE_NAME is not set to blacklist"
    fi
}
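# This function will be called if the script status is on enabled mode
# Blacklists the module in $HARBIAN_SEC_CONF_FILE when the kernel builds it and
# it is not blacklisted yet. The two former branches differed only by the
# touch, so the drop-in is now created once and the directives appended once.
apply () {
    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        debug "$MODULE_NAME's kernel option is enabled"
        check_blacklist_module_set "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then
            ok "$MODULE_NAME was set to blacklist"
        else
            warn "$MODULE_NAME is not set to blacklist, add to config file $HARBIAN_SEC_CONF_FILE"
            [ -e "$HARBIAN_SEC_CONF_FILE" ] || touch "$HARBIAN_SEC_CONF_FILE"
            # "install ... /bin/true" makes modprobe run a no-op instead of loading
            # the module; "blacklist" stops loading through its aliases
            add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $MODULE_NAME /bin/true"
            add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
        fi
    else
        ok "$KERNEL_OPTION is disabled, nothing to do"
    fi
}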
# This function will check config parameters required
# No parameters are needed for this check, so it always succeeds.
check_config() {
    return 0
}
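# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# CIS_ROOT_DIR is quoted so a root directory containing whitespace is tested and sourced as one path
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi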
================================================
FILE: bin/hardening/2.19_disable_freevxfs.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12/13 Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
# 2.19 Disable Mounting of freevxfs Filesystems (Not Scored)
#
set -eu # abort on the first failing command and on any unset variable
HARDENING_LEVEL=2 # hardening level tag read by the framework (lib/main.sh, not shown here)
# modprobe drop-in that receives the blacklist/install lines written by apply()
HARBIAN_SEC_CONF_FILE=/etc/modprobe.d/harbian-security-workaround.conf
KERNEL_OPTION=CONFIG_VXFS_FS # kernel config symbol checked by is_kernel_option_enabled
MODULE_NAME=freevxfs # module name used in the blacklist
# This function will be called if the script status is on enabled / audit mode
# Passes when the module is compiled out, or is built and blacklisted; crit otherwise.
audit () {
    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
    if [ "$FNRET" != 0 ]; then # FNRET 0 means the option IS enabled
        ok "$MODULE_NAME's kernel option is disabled"
        return
    fi
    debug "$MODULE_NAME's kernel option is enabled"
    check_blacklist_module_set "$MODULE_NAME"
    if [ "$FNRET" = 0 ]; then
        ok "$MODULE_NAME was set to blacklist"
    else
        crit "$MODULE_NAME is not set to blacklist"
    fi
}
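# This function will be called if the script status is on enabled mode
# Blacklists the module in $HARBIAN_SEC_CONF_FILE when the kernel builds it and
# it is not blacklisted yet. The two former branches differed only by the touch
# and wrote the two directives in opposite orders; the drop-in is now created
# once and the directives appended in the same order as the sibling checks.
apply () {
    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        debug "$MODULE_NAME's kernel option is enabled"
        check_blacklist_module_set "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then
            ok "$MODULE_NAME was set to blacklist"
        else
            warn "$MODULE_NAME is not set to blacklist, add to config file $HARBIAN_SEC_CONF_FILE"
            [ -e "$HARBIAN_SEC_CONF_FILE" ] || touch "$HARBIAN_SEC_CONF_FILE"
            # "install ... /bin/true" makes modprobe run a no-op instead of loading
            # the module; "blacklist" stops loading through its aliases
            add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $MODULE_NAME /bin/true"
            add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
        fi
    else
        ok "$KERNEL_OPTION is disabled, nothing to do"
    fi
}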
# This function will check config parameters required
# No parameters are needed for this check, so it always succeeds.
check_config() {
    return 0
}
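# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# CIS_ROOT_DIR is quoted so a root directory containing whitespace is tested and sourced as one path
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi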
================================================
FILE: bin/hardening/2.1_tmp_partition.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux Debian 7/8/9 or CentOS Hardening
# Modify by: Samson-W (sccxboy@gmail.com)
#
#
# 2.1 Create Separate Partition/filesystem for /tmp (Scored)
#
set -eu # abort on the first failing command and on any unset variable
HARDENING_LEVEL=2 # hardening level tag read by the framework (lib/main.sh, not shown here)
# Quick factoring as many script use the same logic
PARTITION=/tmp # mount point this check verifies
SERVICENAME=tmp.mount # systemd unit used when /tmp is not in /etc/fstab
SERVICEPATH_DEBIAN=/usr/share/systemd/tmp.mount # Debian's shipped copy of the unit
CENTOS_SERVICEPATH=/usr/lib/systemd/system/tmp.mount # installed unit path on CentOS
DEBIAN_SERVICEPATH=/lib/systemd/system/tmp.mount # installed unit path on Debian
# This function will be called if the script status is on enabled / audit mode
# Leaves the verdict in FNRET: 0 = /tmp is an fstab partition that is mounted
# (or tmp.mount is active), 2 = partition exists but is not mounted,
# 3 = neither an fstab entry nor an active tmp.mount unit.
audit () {
    info "Verifying that $PARTITION is a filesystem/partition"
    FNRET=0
    #If /tmp is set in /etc/fstab, only check /etc/fstab and disable tmp.mount service if it's exist
    is_a_partition "$PARTITION"
    if [ "$FNRET" -ne 0 ]; then
        warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service"
        is_service_active "$SERVICENAME"
        if [ "$FNRET" -eq 0 ]; then
            ok "$SERVICENAME service is active!"
        else
            crit "$SERVICENAME service is inactive!"
            FNRET=3
        fi
        return
    fi
    ok "$PARTITION is a partition"
    is_mounted "$PARTITION"
    if [ "$FNRET" -gt 0 ]; then
        warn "$PARTITION is not mounted"
        FNRET=2
    else
        ok "$PARTITION is mounted"
        FNRET=0
    fi
}
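# Enable, reload and start the tmp.mount unit; shared by the Debian and CentOS
# branches of apply(), which previously repeated these three lines.
_enable_tmp_mount () {
    $SUDO_CMD systemctl enable "$SERVICENAME"
    $SUDO_CMD systemctl daemon-reload
    $SUDO_CMD systemctl start "$SERVICENAME"
}
# This function will be called if the script status is on enabled mode
# Acts on the FNRET left by audit(): 0 nothing to do, 2 mount the partition,
# 3 enable the systemd unit (copying Debian's shipped copy into place first
# when the unit is not installed).
apply () {
    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
    elif [ "$FNRET" = 1 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    elif [ "$FNRET" = 2 ]; then
        warn "mounting $PARTITION"
        mount "$PARTITION"
    elif [ "$FNRET" = 3 ]; then
        if [ "$OS_RELEASE" -eq 1 ]; then
            if [ -e "$DEBIAN_SERVICEPATH" ]; then
                _enable_tmp_mount
            elif [ -e "$SERVICEPATH_DEBIAN" ]; then
                # /usr/share/systemd is not a unit search path, so copy the unit in first
                cp "$SERVICEPATH_DEBIAN" "$DEBIAN_SERVICEPATH"
                _enable_tmp_mount
            else
                # Both files were looked for; the old message named only the first
                crit "Neither $DEBIAN_SERVICEPATH nor $SERVICEPATH_DEBIAN exists!"
            fi
        elif [ "$OS_RELEASE" -eq 2 ]; then
            if [ -e "$CENTOS_SERVICEPATH" ]; then
                _enable_tmp_mount
            else
                crit "System unit file $CENTOS_SERVICEPATH is not exist!"
            fi
        fi
    fi
}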
# This function will check config parameters required
# No parameter for this script: it always succeeds.
check_config() {
    return 0
}
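# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# CIS_ROOT_DIR is quoted so a root directory containing whitespace is tested and sourced as one path
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi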
================================================
FILE: bin/hardening/2.20_disable_jffs2.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12/13 Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
# 2.20 Disable Mounting of jffs2 Filesystems (Not Scored)
#
set -eu # abort on the first failing command and on any unset variable
HARDENING_LEVEL=2 # hardening level tag read by the framework (lib/main.sh, not shown here)
# modprobe drop-in that receives the blacklist/install lines written by apply()
HARBIAN_SEC_CONF_FILE=/etc/modprobe.d/harbian-security-workaround.conf
KERNEL_OPTION=CONFIG_JFFS2_FS # kernel config symbol checked by is_kernel_option_enabled
MODULE_NAME=jffs2 # module name used in the blacklist
# This function will be called if the script status is on enabled / audit mode
# Passes when the module is compiled out, or is built and blacklisted; crit otherwise.
audit () {
    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
    if [ "$FNRET" != 0 ]; then # FNRET 0 means the option IS enabled
        ok "$MODULE_NAME's kernel option is disabled"
        return
    fi
    debug "$MODULE_NAME's kernel option is enabled"
    check_blacklist_module_set "$MODULE_NAME"
    if [ "$FNRET" = 0 ]; then
        ok "$MODULE_NAME was set to blacklist"
    else
        crit "$MODULE_NAME is not set to blacklist"
    fi
}
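# This function will be called if the script status is on enabled mode
# Blacklists the module in $HARBIAN_SEC_CONF_FILE when the kernel builds it and
# it is not blacklisted yet. The two former branches differed only by the
# touch, so the drop-in is now created once and the directives appended once.
apply () {
    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        debug "$MODULE_NAME's kernel option is enabled"
        check_blacklist_module_set "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then
            ok "$MODULE_NAME was set to blacklist"
        else
            warn "$MODULE_NAME is not set to blacklist, add to config file $HARBIAN_SEC_CONF_FILE"
            [ -e "$HARBIAN_SEC_CONF_FILE" ] || touch "$HARBIAN_SEC_CONF_FILE"
            # "install ... /bin/true" makes modprobe run a no-op instead of loading
            # the module; "blacklist" stops loading through its aliases
            add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $MODULE_NAME /bin/true"
            add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
        fi
    else
        ok "$KERNEL_OPTION is disabled, nothing to do"
    fi
}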
# This function will check config parameters required
# No parameters are needed for this check, so it always succeeds.
check_config() {
    return 0
}
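# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# CIS_ROOT_DIR is quoted so a root directory containing whitespace is tested and sourced as one path
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi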
================================================
FILE: bin/hardening/2.21_disable_hfs.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12/13 Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
# 2.21 Disable Mounting of hfs Filesystems (Not Scored)
#
# Abort on the first failing command or on any unset variable.
set -eu
HARDENING_LEVEL=2
# Module this control gates on, its kernel config symbol, and the modprobe
# drop-in that receives the blacklist lines.
MODULE_NAME="hfs"
KERNEL_OPTION="CONFIG_HFS_FS"
HARBIAN_SEC_CONF_FILE='/etc/modprobe.d/harbian-security-workaround.conf'
# This function will be called if the script status is on enabled / audit mode
# Reports crit when the kernel option is enabled but no modprobe blacklist
# entry exists for the module, ok otherwise. FNRET is left as set by the
# last helper call.
audit () {
    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
    # FNRET=0 is "enabled" (0 is true in shell); otherwise there is no
    # module to blacklist.
    if [ "$FNRET" != 0 ]; then
        ok "$MODULE_NAME's kernel option is disabled"
        return
    fi
    debug "$MODULE_NAME's kernel option is enabled"
    check_blacklist_module_set "$MODULE_NAME"
    # NOTE(review): only the modprobe configuration is inspected; lsmod is
    # not consulted, so a module loaded before the blacklist was written
    # still passes here until it is unloaded or the host reboots.
    if [ "$FNRET" = 0 ]; then
        ok "$MODULE_NAME was set to blacklist"
    else
        crit "$MODULE_NAME is not set to blacklist"
    fi
}
# This function will be called if the script status is on enabled mode
# Same decision tree as audit(); when the module is not yet blacklisted it
# appends an "install ... /bin/true" line and a "blacklist" line to
# $HARBIAN_SEC_CONF_FILE, creating that file first if it does not exist.
apply () {
    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
    # FNRET=0 is "enabled" (0 is true in shell); anything else leaves nothing to do.
    if [ "$FNRET" != 0 ]; then
        ok "$KERNEL_OPTION is disabled, nothing to do"
        return
    fi
    debug "$MODULE_NAME's kernel option is enabled"
    check_blacklist_module_set "$MODULE_NAME"
    if [ "$FNRET" = 0 ]; then
        ok "$MODULE_NAME was set to blacklist"
        return
    fi
    warn "$MODULE_NAME is not set to blacklist, add to config file $HARBIAN_SEC_CONF_FILE"
    # -w is false for a missing file, so create it before appending.
    [ -w "$HARBIAN_SEC_CONF_FILE" ] || touch "$HARBIAN_SEC_CONF_FILE"
    # "install <mod> /bin/true" makes modprobe run /bin/true instead of
    # loading the module; "blacklist <mod>" stops alias-based autoloading.
    # NOTE(review): this only affects future loads — a module that is already
    # loaded stays loaded until rmmod or a reboot, and lsmod is not checked.
    # NOTE(review): newer CIS text uses /bin/false so a load attempt fails
    # visibly; confirm check_blacklist_module_set accepts that before changing.
    add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $MODULE_NAME /bin/true"
    add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
}
# This function will check config parameters required
# Deliberate no-op: this control reads no tunables from the hardening
# configuration, so there is nothing to validate.
check_config() {
    return 0
}
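# Source Root Dir Parameter
# The harbian-audit tree root comes from /etc/default/cis-hardening (or from
# the environment when that file is absent); lib/main.sh under it is then
# sourced and dispatches to audit()/apply() per the script's configured status.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# Fix: with 'set -u' a bare $CIS_ROOT_DIR aborts with "unbound variable"
# before the friendly message is printed; ${CIS_ROOT_DIR:-} keeps the
# intended diagnostic and exit code (128) reachable.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi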
================================================
FILE: bin/hardening/2.22_disable_hfsplus.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12/13 Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
# 2.22 Disable Mounting of hfsplus Filesystems (Not Scored)
#
# Abort on the first failing command or on any unset variable.
set -eu
HARDENING_LEVEL=2
# Module this control gates on, its kernel config symbol, and the modprobe
# drop-in that receives the blacklist lines.
MODULE_NAME="hfsplus"
KERNEL_OPTION="CONFIG_HFSPLUS_FS"
HARBIAN_SEC_CONF_FILE='/etc/modprobe.d/harbian-security-workaround.conf'
# This function will be called if the script status is on enabled / audit mode
# Reports crit when the kernel option is enabled but no modprobe blacklist
# entry exists for the module, ok otherwise. FNRET is left as set by the
# last helper call.
audit () {
    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
    # FNRET=0 is "enabled" (0 is true in shell); otherwise there is no
    # module to blacklist.
    if [ "$FNRET" != 0 ]; then
        ok "$MODULE_NAME's kernel option is disabled"
        return
    fi
    debug "$MODULE_NAME's kernel option is enabled"
    check_blacklist_module_set "$MODULE_NAME"
    # NOTE(review): only the modprobe configuration is inspected; lsmod is
    # not consulted, so a module loaded before the blacklist was written
    # still passes here until it is unloaded or the host reboots.
    if [ "$FNRET" = 0 ]; then
        ok "$MODULE_NAME was set to blacklist"
    else
        crit "$MODULE_NAME is not set to blacklist"
    fi
}
# This function will be called if the script status is on enabled mode
# Same decision tree as audit(); when the module is not yet blacklisted it
# appends an "install ... /bin/true" line and a "blacklist" line to
# $HARBIAN_SEC_CONF_FILE, creating that file first if it does not exist.
apply () {
    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
    # FNRET=0 is "enabled" (0 is true in shell); anything else leaves nothing to do.
    if [ "$FNRET" != 0 ]; then
        ok "$KERNEL_OPTION is disabled, nothing to do"
        return
    fi
    debug "$MODULE_NAME's kernel option is enabled"
    check_blacklist_module_set "$MODULE_NAME"
    if [ "$FNRET" = 0 ]; then
        ok "$MODULE_NAME was set to blacklist"
        return
    fi
    warn "$MODULE_NAME is not set to blacklist, add to config file $HARBIAN_SEC_CONF_FILE"
    # -w is false for a missing file, so create it before appending.
    [ -w "$HARBIAN_SEC_CONF_FILE" ] || touch "$HARBIAN_SEC_CONF_FILE"
    # "install <mod> /bin/true" makes modprobe run /bin/true instead of
    # loading the module; "blacklist <mod>" stops alias-based autoloading.
    # NOTE(review): this only affects future loads — a module that is already
    # loaded stays loaded until rmmod or a reboot, and lsmod is not checked.
    # NOTE(review): newer CIS text uses /bin/false so a load attempt fails
    # visibly; confirm check_blacklist_module_set accepts that before changing.
    add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $MODULE_NAME /bin/true"
    add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
}
# This function will check config parameters required
# Deliberate no-op: this control reads no tunables from the hardening
# configuration, so there is nothing to validate.
check_config() {
    return 0
}
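# Source Root Dir Parameter
# The harbian-audit tree root comes from /etc/default/cis-hardening (or from
# the environment when that file is absent); lib/main.sh under it is then
# sourced and dispatches to audit()/apply() per the script's configured status.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# Fix: with 'set -u' a bare $CIS_ROOT_DIR aborts with "unbound variable"
# before the friendly message is printed; ${CIS_ROOT_DIR:-} keeps the
# intended diagnostic and exit code (128) reachable.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi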
================================================
FILE: bin/hardening/2.23_disable_squashfs.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12/13 Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
# 2.23 Disable Mounting of squashfs Filesystems (Not Scored)
#
# Abort on the first failing command or on any unset variable.
set -eu
HARDENING_LEVEL=2
# Module this control gates on, its kernel config symbol, and the modprobe
# drop-in that receives the blacklist lines.
# NOTE(review): squashfs is what snap packages are mounted from; blacklisting
# it breaks snapd — confirm no snaps are in use on the target before applying.
MODULE_NAME="squashfs"
KERNEL_OPTION="CONFIG_SQUASHFS"
HARBIAN_SEC_CONF_FILE='/etc/modprobe.d/harbian-security-workaround.conf'
# This function will be called if the script status is on enabled / audit mode
# Reports crit when the kernel option is enabled but no modprobe blacklist
# entry exists for the module, ok otherwise. FNRET is left as set by the
# last helper call.
audit () {
    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
    # FNRET=0 is "enabled" (0 is true in shell); otherwise there is no
    # module to blacklist.
    if [ "$FNRET" != 0 ]; then
        ok "$MODULE_NAME's kernel option is disabled"
        return
    fi
    debug "$MODULE_NAME's kernel option is enabled"
    check_blacklist_module_set "$MODULE_NAME"
    # NOTE(review): only the modprobe configuration is inspected; lsmod is
    # not consulted, so a module loaded before the blacklist was written
    # still passes here until it is unloaded or the host reboots.
    if [ "$FNRET" = 0 ]; then
        ok "$MODULE_NAME was set to blacklist"
    else
        crit "$MODULE_NAME is not set to blacklist"
    fi
}
# This function will be called if the script status is on enabled mode
# Same decision tree as audit(); when the module is not yet blacklisted it
# appends an "install ... /bin/true" line and a "blacklist" line to
# $HARBIAN_SEC_CONF_FILE, creating that file first if it does not exist.
apply () {
    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
    # FNRET=0 is "enabled" (0 is true in shell); anything else leaves nothing to do.
    if [ "$FNRET" != 0 ]; then
        ok "$KERNEL_OPTION is disabled, nothing to do"
        return
    fi
    debug "$MODULE_NAME's kernel option is enabled"
    check_blacklist_module_set "$MODULE_NAME"
    if [ "$FNRET" = 0 ]; then
        ok "$MODULE_NAME was set to blacklist"
        return
    fi
    warn "$MODULE_NAME is not set to blacklist, add to config file $HARBIAN_SEC_CONF_FILE"
    # -w is false for a missing file, so create it before appending.
    [ -w "$HARBIAN_SEC_CONF_FILE" ] || touch "$HARBIAN_SEC_CONF_FILE"
    # "install <mod> /bin/true" makes modprobe run /bin/true instead of
    # loading the module; "blacklist <mod>" stops alias-based autoloading.
    # NOTE(review): this only affects future loads — a module that is already
    # loaded stays loaded until rmmod or a reboot, and lsmod is not checked.
    # NOTE(review): newer CIS text uses /bin/false so a load attempt fails
    # visibly; confirm check_blacklist_module_set accepts that before changing.
    add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $MODULE_NAME /bin/true"
    add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
}
# This function will check config parameters required
# Deliberate no-op: this control reads no tunables from the hardening
# configuration, so there is nothing to validate.
check_config() {
    return 0
}
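# Source Root Dir Parameter
# The harbian-audit tree root comes from /etc/default/cis-hardening (or from
# the environment when that file is absent); lib/main.sh under it is then
# sourced and dispatches to audit()/apply() per the script's configured status.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# Fix: with 'set -u' a bare $CIS_ROOT_DIR aborts with "unbound variable"
# before the friendly message is printed; ${CIS_ROOT_DIR:-} keeps the
# intended diagnostic and exit code (128) reachable.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi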
================================================
FILE: bin/hardening/2.24_disable_udf.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12/13 Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
# 2.24 Disable Mounting of udf Filesystems (Not Scored)
#
# Abort on the first failing command or on any unset variable.
set -eu
HARDENING_LEVEL=2
# Module this control gates on, its kernel config symbol, and the modprobe
# drop-in that receives the blacklist lines.
MODULE_NAME="udf"
KERNEL_OPTION="CONFIG_UDF_FS"
HARBIAN_SEC_CONF_FILE='/etc/modprobe.d/harbian-security-workaround.conf'
# This function will be called if the script status is on enabled / audit mode
# Reports crit when the kernel option is enabled but no modprobe blacklist
# entry exists for the module, ok otherwise. FNRET is left as set by the
# last helper call.
audit () {
    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
    # FNRET=0 is "enabled" (0 is true in shell); otherwise there is no
    # module to blacklist.
    if [ "$FNRET" != 0 ]; then
        ok "$MODULE_NAME's kernel option is disabled"
        return
    fi
    debug "$MODULE_NAME's kernel option is enabled"
    check_blacklist_module_set "$MODULE_NAME"
    # NOTE(review): only the modprobe configuration is inspected; lsmod is
    # not consulted, so a module loaded before the blacklist was written
    # still passes here until it is unloaded or the host reboots.
    if [ "$FNRET" = 0 ]; then
        ok "$MODULE_NAME was set to blacklist"
    else
        crit "$MODULE_NAME is not set to blacklist"
    fi
}
# This function will be called if the script status is on enabled mode
# Same decision tree as audit(); when the module is not yet blacklisted it
# appends an "install ... /bin/true" line and a "blacklist" line to
# $HARBIAN_SEC_CONF_FILE, creating that file first if it does not exist.
apply () {
    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
    # FNRET=0 is "enabled" (0 is true in shell); anything else leaves nothing to do.
    if [ "$FNRET" != 0 ]; then
        ok "$KERNEL_OPTION is disabled, nothing to do"
        return
    fi
    debug "$MODULE_NAME's kernel option is enabled"
    check_blacklist_module_set "$MODULE_NAME"
    if [ "$FNRET" = 0 ]; then
        ok "$MODULE_NAME was set to blacklist"
        return
    fi
    warn "$MODULE_NAME is not set to blacklist, add to config file $HARBIAN_SEC_CONF_FILE"
    # -w is false for a missing file, so create it before appending.
    [ -w "$HARBIAN_SEC_CONF_FILE" ] || touch "$HARBIAN_SEC_CONF_FILE"
    # "install <mod> /bin/true" makes modprobe run /bin/true instead of
    # loading the module; "blacklist <mod>" stops alias-based autoloading.
    # NOTE(review): this only affects future loads — a module that is already
    # loaded stays loaded until rmmod or a reboot, and lsmod is not checked.
    # NOTE(review): newer CIS text uses /bin/false so a load attempt fails
    # visibly; confirm check_blacklist_module_set accepts that before changing.
    add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $MODULE_NAME /bin/true"
    add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
}
# This function will check config parameters required
# Deliberate no-op: this control reads no tunables from the hardening
# configuration, so there is nothing to validate.
check_config() {
    return 0
}
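# Source Root Dir Parameter
# The harbian-audit tree root comes from /etc/default/cis-hardening (or from
# the environment when that file is absent); lib/main.sh under it is then
# sourced and dispatches to audit()/apply() per the script's configured status.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# Fix: with 'set -u' a bare $CIS_ROOT_DIR aborts with "unbound variable"
# before the friendly message is printed; ${CIS_ROOT_DIR:-} keeps the
# intended diagnostic and exit code (128) reachable.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi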
================================================
FILE: bin/hardening/2.25_disable_automounting.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
# 2.25 Disable Automounting (Scored)
#
# Abort on the first failing command or on any unset variable.
set -eu
HARDENING_LEVEL=2
# The automounter package/service this control disables and removes.
SERVICE_NAME="autofs"
# This function will be called if the script status is on enabled / audit mode
# crit only when autofs is both installed and reported active by
# is_service_active; an installed-but-inactive or absent package is ok.
audit () {
    is_pkg_installed "$SERVICE_NAME"
    if [ "$FNRET" != 0 ]; then
        ok "$SERVICE_NAME is not installed"
        return
    fi
    info "Checking if $SERVICE_NAME is enabled"
    is_service_active "$SERVICE_NAME"
    if [ "$FNRET" = 0 ]; then
        crit "$SERVICE_NAME is active"
    else
        ok "$SERVICE_NAME is inactived"
    fi
}
# This function will be called if the script status is on enabled mode
# Stops and disables autofs, then purges the package so it cannot simply be
# re-enabled. On CentOS (OS_RELEASE=2) FNRET is left at the is_service_active
# result (0 here) so the systemctl path is taken; on Debian, is_debian_9
# decides between systemctl and update-rc.d.
apply () {
    is_pkg_installed "$SERVICE_NAME"
    if [ "$FNRET" != 0 ]; then
        ok "$SERVICE_NAME is not installed"
        return
    fi
    info "Checking if $SERVICE_NAME is active"
    is_service_active "$SERVICE_NAME"
    if [ "$FNRET" != 0 ]; then
        ok "$SERVICE_NAME is disabled"
        # Inactive but still installed: remove the package anyway.
        is_pkg_installed "$SERVICE_NAME"
        [ "$FNRET" != 0 ] || uninstall_pkg "$SERVICE_NAME"
        return
    fi
    if [ "$OS_RELEASE" -ne 2 ]; then
        is_debian_9
    fi
    info "Disabling $SERVICE_NAME"
    if [ "$FNRET" = 0 ]; then
        systemctl stop "$SERVICE_NAME"
        systemctl disable "$SERVICE_NAME"
        is_pkg_installed "$SERVICE_NAME"
        [ "$FNRET" != 0 ] || uninstall_pkg "$SERVICE_NAME"
    else
        # NOTE(review): on the sysvinit path only the rc links are removed;
        # the package is left installed, unlike the systemd path above.
        update-rc.d "$SERVICE_NAME" remove > /dev/null 2>&1
    fi
}
# This function will check config parameters required
# Deliberate no-op: this control reads no tunables from the hardening
# configuration, so there is nothing to validate.
check_config() {
    return 0
}
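# Source Root Dir Parameter
# The harbian-audit tree root comes from /etc/default/cis-hardening (or from
# the environment when that file is absent); lib/main.sh under it is then
# sourced and dispatches to audit()/apply() per the script's configured status.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# Fix: with 'set -u' a bare $CIS_ROOT_DIR aborts with "unbound variable"
# before the friendly message is printed; ${CIS_ROOT_DIR:-} keeps the
# intended diagnostic and exit code (128) reachable.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi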
================================================
FILE: bin/hardening/2.26_home_nosuid.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9 Hardening
#
#
# 2.26 Set nosuid option for /home filesystem/Partition (Scored)
# Author : Samson wen, Samson
#
# Abort on the first failing command or on any unset variable.
set -eu
HARDENING_LEVEL=2
# Same shape as the other mount-option scripts: the mount point to check
# and the option it must carry both in fstab and on the live mount.
PARTITION="/home"
OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
# Sets FNRET for apply(): 2 = /home is not its own partition, 1 = fstab entry
# lacks $OPTION, 3 = fstab has it but the live mount does not, 0 = compliant.
audit () {
    info "Verifying that $PARTITION is a filesystem/partition"
    is_a_partition "$PARTITION"
    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
        return
    fi
    ok "$PARTITION is a partition"
    has_mount_option "$PARTITION" "$OPTION"
    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION has no option $OPTION in fstab!"
        FNRET=1
        return
    fi
    ok "$PARTITION has $OPTION in fstab"
    # The fstab entry is right; now confirm the running mount agrees.
    has_mounted_option "$PARTITION" "$OPTION"
    if [ "$FNRET" -gt 0 ]; then
        warn "$PARTITION is not mounted with $OPTION at runtime"
        FNRET=3
    else
        ok "$PARTITION mounted with $OPTION"
    fi
}
# This function will be called if the script status is on enabled mode
# Acts on the FNRET code left by audit(): add the option to fstab and
# remount (1), remount only (3), or just report (0, 2). Any other value
# is ignored.
apply () {
    case "$FNRET" in
        0) ok "$PARTITION is correctly set" ;;
        2) crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" ;;
        1)
            info "Adding $OPTION to fstab"
            add_option_to_fstab "$PARTITION" "$OPTION"
            info "Remounting $PARTITION from fstab"
            remount_partition "$PARTITION"
            ;;
        3)
            info "Remounting $PARTITION from fstab"
            remount_partition "$PARTITION"
            ;;
    esac
}
# This function will check config parameters required
# Deliberate no-op: this control reads no tunables from the hardening
# configuration, so there is nothing to validate.
check_config() {
    return 0
}
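# Source Root Dir Parameter
# The harbian-audit tree root comes from /etc/default/cis-hardening (or from
# the environment when that file is absent); lib/main.sh under it is then
# sourced and dispatches to audit()/apply() per the script's configured status.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# Fix: with 'set -u' a bare $CIS_ROOT_DIR aborts with "unbound variable"
# before the friendly message is printed; ${CIS_ROOT_DIR:-} keeps the
# intended diagnostic and exit code (128) reachable.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi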
================================================
FILE: bin/hardening/2.27_nfs_nosuid.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9 Hardening
#
#
# 2.27 Set nosuid option for nfs/nfs4 filesystem/Partition (Scored)
# Author : Samson wen, Samson
#
# Abort on the first failing command or on any unset variable.
set -eu
HARDENING_LEVEL=2
# Unlike the /home and /tmp scripts this control keys on a filesystem TYPE
# (every nfs/nfs4 entry), not on a single mount point.
PARTITION_TYPE="nfs"
OPTION="nosuid"
FSTAB='/etc/fstab'
# This function will be called if the script status is on enabled / audit mode
# Sets FNRET for apply(): 2 = is_mounted reports no nfs mount, 1 = fstab
# lacks $OPTION for it, 3 = fstab has it but the live mount does not,
# 0 = compliant.
audit () {
    info "Verifying that $PARTITION_TYPE is a filesystem/partition"
    is_mounted "$PARTITION_TYPE"
    if [ "$FNRET" -gt 0 ]; then
        no_entity " There is no mount directory with file system type $PARTITION_TYPE"
        FNRET=2
        return
    fi
    ok "$PARTITION_TYPE is a partition"
    # NOTE(review): the helpers receive the type name "nfs" here, whereas the
    # /home and /tmp scripts pass a mount point — confirm has_mount_option and
    # has_mounted_option match on the type column rather than on a path.
    has_mount_option "$PARTITION_TYPE" "$OPTION"
    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION_TYPE has no option $OPTION in fstab!"
        FNRET=1
        return
    fi
    ok "$PARTITION_TYPE has $OPTION in fstab"
    has_mounted_option "$PARTITION_TYPE" "$OPTION"
    if [ "$FNRET" -gt 0 ]; then
        warn "$PARTITION_TYPE is not mounted with $OPTION at runtime"
        FNRET=3
    else
        ok "$PARTITION_TYPE mounted with $OPTION"
    fi
}
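# Print the mount point of each fstab entry whose filesystem type starts with
# $1 (so "nfs" also selects nfs4) and whose option field does not contain $2;
# an empty $2 selects every entry of that type. $3 is the fstab path.
# Comment lines and entries with fewer than four fields are skipped, and $2
# is matched literally (it is a mount option, not a regular expression).
nfs_fstab_mount_points () {
    awk -v t="$1" -v o="$2" \
        '$1 !~ /^#/ && NF >= 4 && index($3, t) == 1 && (o == "" || index($4, o) == 0) { print $2 }' "$3"
}
# This function will be called if the script status is on enabled mode
# Acts on the FNRET code left by audit(): add $OPTION to every nfs entry
# lacking it and remount (1), remount only (3), or just report (0, 2).
apply () {
    case "$FNRET" in
        0) ok "$PARTITION_TYPE is correctly set" ;;
        2) no_entity " There is no mount directory with file system type $PARTITION_TYPE" ;;
        1)
            info "Adding $OPTION to fstab"
            # Fix: 'grep nfs /etc/fstab | grep -v nosuid' selected any line
            # containing "nfs" — a comment, or an ext4 entry mounted at
            # /mnt/nfs — so add_option_to_fstab could rewrite the wrong entry.
            # Selection is now by the fstab type field only.
            for PARTITION in $(nfs_fstab_mount_points "$PARTITION_TYPE" "$OPTION" "$FSTAB"); do
                add_option_to_fstab "$PARTITION" "$OPTION"
                info "Remounting $PARTITION from fstab"
                remount_partition "$PARTITION"
            done
            ;;
        3)
            # Fix: remount_partition is given a mount point in the branch
            # above, but here it was handed the type name "nfs". Remount each
            # nfs entry listed in fstab instead so the option takes effect.
            for PARTITION in $(nfs_fstab_mount_points "$PARTITION_TYPE" "" "$FSTAB"); do
                info "Remounting $PARTITION from fstab"
                remount_partition "$PARTITION"
            done
            ;;
    esac
}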
# This function will check config parameters required
# Deliberate no-op: this control reads no tunables from the hardening
# configuration, so there is nothing to validate.
check_config() {
    return 0
}
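# Source Root Dir Parameter
# The harbian-audit tree root comes from /etc/default/cis-hardening (or from
# the environment when that file is absent); lib/main.sh under it is then
# sourced and dispatches to audit()/apply() per the script's configured status.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# Fix: with 'set -u' a bare $CIS_ROOT_DIR aborts with "unbound variable"
# before the friendly message is printed; ${CIS_ROOT_DIR:-} keeps the
# intended diagnostic and exit code (128) reachable.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi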
================================================
FILE: bin/hardening/2.28_nfs_noexec.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9 Hardening
#
#
# 2.28 Set noexec option for nfs/nfs4 filesystem/Partition (Scored)
# Author : Samson wen, Samson
#
# Abort on the first failing command or on any unset variable.
set -eu
HARDENING_LEVEL=2
# Unlike the /home and /tmp scripts this control keys on a filesystem TYPE
# (every nfs/nfs4 entry), not on a single mount point.
PARTITION_TYPE="nfs"
OPTION="noexec"
FSTAB='/etc/fstab'
# This function will be called if the script status is on enabled / audit mode
# Sets FNRET for apply(): 2 = is_mounted reports no nfs mount, 1 = fstab
# lacks $OPTION for it, 3 = fstab has it but the live mount does not,
# 0 = compliant.
audit () {
    info "Verifying that $PARTITION_TYPE is a filesystem/partition"
    is_mounted "$PARTITION_TYPE"
    if [ "$FNRET" -gt 0 ]; then
        no_entity " There is no mount directory with file system type $PARTITION_TYPE"
        FNRET=2
        return
    fi
    ok "$PARTITION_TYPE is a partition"
    # NOTE(review): the helpers receive the type name "nfs" here, whereas the
    # /home and /tmp scripts pass a mount point — confirm has_mount_option and
    # has_mounted_option match on the type column rather than on a path.
    has_mount_option "$PARTITION_TYPE" "$OPTION"
    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION_TYPE has no option $OPTION in fstab!"
        FNRET=1
        return
    fi
    ok "$PARTITION_TYPE has $OPTION in fstab"
    has_mounted_option "$PARTITION_TYPE" "$OPTION"
    if [ "$FNRET" -gt 0 ]; then
        warn "$PARTITION_TYPE is not mounted with $OPTION at runtime"
        FNRET=3
    else
        ok "$PARTITION_TYPE mounted with $OPTION"
    fi
}
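# Print the mount point of each fstab entry whose filesystem type starts with
# $1 (so "nfs" also selects nfs4) and whose option field does not contain $2;
# an empty $2 selects every entry of that type. $3 is the fstab path.
# Comment lines and entries with fewer than four fields are skipped, and $2
# is matched literally (it is a mount option, not a regular expression).
nfs_fstab_mount_points () {
    awk -v t="$1" -v o="$2" \
        '$1 !~ /^#/ && NF >= 4 && index($3, t) == 1 && (o == "" || index($4, o) == 0) { print $2 }' "$3"
}
# This function will be called if the script status is on enabled mode
# Acts on the FNRET code left by audit(): add $OPTION to every nfs entry
# lacking it and remount (1), remount only (3), or just report (0, 2).
apply () {
    case "$FNRET" in
        0) ok "$PARTITION_TYPE is correctly set" ;;
        2) no_entity " There is no mount directory with file system type $PARTITION_TYPE" ;;
        1)
            info "Adding $OPTION to fstab"
            # Fix: 'grep nfs /etc/fstab | grep -v noexec' selected any line
            # containing "nfs" — a comment, or an ext4 entry mounted at
            # /mnt/nfs — so add_option_to_fstab could rewrite the wrong entry.
            # Selection is now by the fstab type field only.
            for PARTITION in $(nfs_fstab_mount_points "$PARTITION_TYPE" "$OPTION" "$FSTAB"); do
                add_option_to_fstab "$PARTITION" "$OPTION"
                info "Remounting $PARTITION from fstab"
                remount_partition "$PARTITION"
            done
            ;;
        3)
            # Fix: remount_partition is given a mount point in the branch
            # above, but here it was handed the type name "nfs". Remount each
            # nfs entry listed in fstab instead so the option takes effect.
            for PARTITION in $(nfs_fstab_mount_points "$PARTITION_TYPE" "" "$FSTAB"); do
                info "Remounting $PARTITION from fstab"
                remount_partition "$PARTITION"
            done
            ;;
    esac
}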
# This function will check config parameters required
# Deliberate no-op: this control reads no tunables from the hardening
# configuration, so there is nothing to validate.
check_config() {
    return 0
}
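# Source Root Dir Parameter
# The harbian-audit tree root comes from /etc/default/cis-hardening (or from
# the environment when that file is absent); lib/main.sh under it is then
# sourced and dispatches to audit()/apply() per the script's configured status.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# Fix: with 'set -u' a bare $CIS_ROOT_DIR aborts with "unbound variable"
# before the friendly message is printed; ${CIS_ROOT_DIR:-} keeps the
# intended diagnostic and exit code (128) reachable.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi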
================================================
FILE: bin/hardening/2.29_nfs_RPCSEC_GSS.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9 Hardening
#
#
# 2.29 Set RPCSEC_GSS option for nfs/nfs4 filesystem/Partition (Scored)
# Author : Samson wen, Samson
#
# Abort on the first failing command or on any unset variable.
set -eu
HARDENING_LEVEL=2
# Keys on the filesystem TYPE (every nfs/nfs4 entry), not on a mount point.
# The option is the exact string that must appear in fstab and on the mount.
# NOTE(review): with sec=krb5:krb5i:krb5p the client negotiates the first
# flavor the server allows; plain krb5 authenticates but neither signs nor
# encrypts traffic, so server export policy still decides the real strength.
# An entry that already carries the stronger "sec=krb5p" alone will be flagged
# as missing the option, because the comparison is on this literal string.
PARTITION_TYPE="nfs"
OPTION="sec=krb5:krb5i:krb5p"
FSTAB='/etc/fstab'
# This function will be called if the script status is on enabled / audit mode
# Sets FNRET for apply(): 2 = is_mounted reports no nfs mount, 1 = fstab
# lacks $OPTION for it, 3 = fstab has it but the live mount does not,
# 0 = compliant.
audit () {
    info "Verifying that $PARTITION_TYPE is a filesystem/partition"
    is_mounted "$PARTITION_TYPE"
    if [ "$FNRET" -gt 0 ]; then
        no_entity " There is no mount directory with file system type $PARTITION_TYPE"
        FNRET=2
        return
    fi
    ok "$PARTITION_TYPE is a partition"
    # NOTE(review): the helpers receive the type name "nfs" here, whereas the
    # /home and /tmp scripts pass a mount point — confirm has_mount_option and
    # has_mounted_option match on the type column rather than on a path.
    has_mount_option "$PARTITION_TYPE" "$OPTION"
    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION_TYPE has no option $OPTION in fstab!"
        FNRET=1
        return
    fi
    ok "$PARTITION_TYPE has $OPTION in fstab"
    has_mounted_option "$PARTITION_TYPE" "$OPTION"
    if [ "$FNRET" -gt 0 ]; then
        warn "$PARTITION_TYPE is not mounted with $OPTION at runtime"
        FNRET=3
    else
        ok "$PARTITION_TYPE mounted with $OPTION"
    fi
}
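# Print the mount point of each fstab entry whose filesystem type starts with
# $1 (so "nfs" also selects nfs4) and whose option field does not contain $2;
# an empty $2 selects every entry of that type. $3 is the fstab path.
# Comment lines and entries with fewer than four fields are skipped, and $2
# is matched literally (it is a mount option, not a regular expression).
nfs_fstab_mount_points () {
    awk -v t="$1" -v o="$2" \
        '$1 !~ /^#/ && NF >= 4 && index($3, t) == 1 && (o == "" || index($4, o) == 0) { print $2 }' "$3"
}
# This function will be called if the script status is on enabled mode
# Acts on the FNRET code left by audit(): add $OPTION to every nfs entry
# lacking it and remount (1), remount only (3), or just report (0, 2).
# NOTE(review): the NFS security flavor is negotiated at mount time; a
# remount may not switch an already-mounted export to Kerberos — confirm
# whether a full umount/mount is required for the new sec= to take effect.
apply () {
    case "$FNRET" in
        0) ok "$PARTITION_TYPE is correctly set" ;;
        2) no_entity " There is no mount directory with file system type $PARTITION_TYPE" ;;
        1)
            info "Adding $OPTION to fstab"
            # Fix: 'grep nfs /etc/fstab | grep -v sec=...' selected any line
            # containing "nfs" — a comment, or an ext4 entry mounted at
            # /mnt/nfs — so add_option_to_fstab could rewrite the wrong entry.
            # Selection is now by the fstab type field only.
            for PARTITION in $(nfs_fstab_mount_points "$PARTITION_TYPE" "$OPTION" "$FSTAB"); do
                add_option_to_fstab "$PARTITION" "$OPTION"
                info "Remounting $PARTITION from fstab"
                remount_partition "$PARTITION"
            done
            ;;
        3)
            # Fix: remount_partition is given a mount point in the branch
            # above, but here it was handed the type name "nfs". Remount each
            # nfs entry listed in fstab instead so the option takes effect.
            for PARTITION in $(nfs_fstab_mount_points "$PARTITION_TYPE" "" "$FSTAB"); do
                info "Remounting $PARTITION from fstab"
                remount_partition "$PARTITION"
            done
            ;;
    esac
}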
# This function will check config parameters required
# Deliberate no-op: this control reads no tunables from the hardening
# configuration, so there is nothing to validate.
check_config() {
    return 0
}
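# Source Root Dir Parameter
# The harbian-audit tree root comes from /etc/default/cis-hardening (or from
# the environment when that file is absent); lib/main.sh under it is then
# sourced and dispatches to audit()/apply() per the script's configured status.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# Fix: with 'set -u' a bare $CIS_ROOT_DIR aborts with "unbound variable"
# before the friendly message is printed; ${CIS_ROOT_DIR:-} keeps the
# intended diagnostic and exit code (128) reachable.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi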
================================================
FILE: bin/hardening/2.2_tmp_nodev.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux Debian 7/8/9/10/11/12/13 or CentOS Hardening
# Modify by: Samson-W (sccxboy@gmail.com)
#
#
# 2.2 Set nodev option for /tmp Partition/filesystem (Scored)
#
# Abort on the first failing command or on any unset variable.
set -eu
HARDENING_LEVEL=2
# /tmp may be declared either in /etc/fstab or through the systemd tmp.mount
# unit; the unit's location differs between CentOS and Debian.
PARTITION="/tmp"
OPTION="nodev"
SERVICENAME="tmp.mount"
# Not referenced by this script's audit()/apply(); kept for compatibility.
SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount"
CENTOS_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount"
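# This function will be called if the script status is on enabled / audit mode
# Sets FNRET for apply(): 0 = compliant, 1 = fstab entry lacks $OPTION,
# 2 = neither fstab nor the tmp.mount unit declares /tmp, 3 = unit lacks
# $OPTION, 4 = fstab has it but the live mount does not, 5 = unit has it but
# the live mount does not.
audit () {
    info "Verifying that $PARTITION is a partition/filesystem"
    FNRET=0
    # /etc/fstab wins; the systemd unit is only consulted when /tmp is not
    # listed there.
    is_a_partition "$PARTITION"
    if [ "$FNRET" -eq 0 ]; then
        ok "$PARTITION is a partition"
        has_mount_option "$PARTITION" "$OPTION"
        if [ "$FNRET" -ne 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
            return
        fi
        ok "$PARTITION has $OPTION in fstab"
        has_mounted_option "$PARTITION" "$OPTION"
        if [ "$FNRET" -gt 0 ]; then
            warn "$PARTITION is not mounted with $OPTION at runtime"
            FNRET=4
        else
            ok "$PARTITION mounted with $OPTION"
            FNRET=0
        fi
        return
    fi
    warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service"
    # Fix: the CentOS branch referenced $CENTOS_SERVICEPATHa (typo), which
    # under 'set -u' aborted the audit with an unbound-variable error instead
    # of checking the unit.
    if [ "$OS_RELEASE" -eq 2 ]; then
        UNITSERVICEPATH="$CENTOS_SERVICEPATH"
    else
        UNITSERVICEPATH="$DEBIAN_SERVICEPATH"
    fi
    if [ ! -e "$UNITSERVICEPATH" ]; then
        crit "$UNITSERVICEPATH is not exist! Please apply 2.1 first!"
        FNRET=2
        return
    fi
    has_mount_option_systemd "$UNITSERVICEPATH" "$OPTION"
    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION has no option $OPTION in systemd service!"
        FNRET=3
        return
    fi
    ok "$PARTITION has $OPTION in systemd service"
    has_mounted_option "$PARTITION" "$OPTION"
    if [ "$FNRET" -gt 0 ]; then
        warn "$PARTITION is not mounted with $OPTION at runtime"
        FNRET=5
    else
        ok "$PARTITION mounted with $OPTION"
        FNRET=0
    fi
}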
# Mount $PARTITION for the first time when is_mounted reports it absent
# (FNRET=1); otherwise remount it so the fstab options take effect.
tmp_mount_or_remount () {
    is_mounted "$PARTITION"
    if [ "$FNRET" = 1 ]; then
        mount "$PARTITION"
    else
        remount_partition "$PARTITION"
    fi
}
# This function will be called if the script status is on enabled mode
# Acts on the FNRET code left by audit(): fix fstab (1) or the systemd unit
# (3) and (re)mount, (re)mount only (4 from fstab, 5 from systemd), or just
# report (0, 2). Any other value is ignored.
apply () {
    if [ "$OS_RELEASE" -eq 2 ]; then
        UNITSERVICEPATH="$CENTOS_SERVICEPATH"
    else
        UNITSERVICEPATH="$DEBIAN_SERVICEPATH"
    fi
    case "$FNRET" in
        0) ok "$PARTITION is correctly set" ;;
        2) crit "System unit $UNITSERVICEPATH is not exist! Please apply 2.1 first!" ;;
        1)
            info "Adding $OPTION to fstab"
            add_option_to_fstab "$PARTITION" "$OPTION"
            info "Remounting $PARTITION from fstab"
            tmp_mount_or_remount
            ;;
        3)
            info "Adding $OPTION to systemd"
            add_option_to_systemd "$UNITSERVICEPATH" "$OPTION" "$SERVICENAME"
            remount_partition_by_systemd "$SERVICENAME" "$PARTITION"
            ;;
        4)
            info "Remounting $PARTITION from fstab"
            tmp_mount_or_remount
            ;;
        5)
            info "Remounting $PARTITION from systemd"
            remount_partition_by_systemd "$SERVICENAME" "$PARTITION"
            ;;
    esac
}
# This function will check config parameters required
# Deliberate no-op: this control reads no tunables from the hardening
# configuration, so there is nothing to validate.
check_config() {
    return 0
}
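# Source Root Dir Parameter
# The harbian-audit tree root comes from /etc/default/cis-hardening (or from
# the environment when that file is absent); lib/main.sh under it is then
# sourced and dispatches to audit()/apply() per the script's configured status.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# Fix: with 'set -u' a bare $CIS_ROOT_DIR aborts with "unbound variable"
# before the friendly message is printed; ${CIS_ROOT_DIR:-} keeps the
# intended diagnostic and exit code (128) reachable.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi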
================================================
FILE: bin/hardening/2.3_tmp_nosuid.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux Debian 7/8/9/10/11/12/13 or CentOS Hardening
# Modify by: Samson-W (sccxboy@gmail.com)
#
#
# 2.3 Set nosuid option for /tmp Partition/filesystem (Scored)
#
# Abort on the first failing command or on any unset variable.
set -eu
HARDENING_LEVEL=2
# /tmp may be declared either in /etc/fstab or through the systemd tmp.mount
# unit; the unit's location differs between CentOS and Debian.
PARTITION="/tmp"
OPTION="nosuid"
SERVICENAME="tmp.mount"
# Not referenced by this script's audit()/apply(); kept for compatibility.
SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount"
CENTOS_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount"
# This function will be called if the script status is on enabled / audit mode
# Sets FNRET for apply(): 0 = compliant, 1 = fstab entry lacks $OPTION,
# 2 = neither fstab nor the tmp.mount unit declares /tmp, 3 = unit lacks
# $OPTION, 4 = fstab has it but the live mount does not, 5 = unit has it but
# the live mount does not.
audit () {
    info "Verifying that $PARTITION is a partition/filesystem"
    FNRET=0
    # /etc/fstab wins; the systemd unit is only consulted when /tmp is not
    # listed there.
    is_a_partition "$PARTITION"
    if [ "$FNRET" -eq 0 ]; then
        ok "$PARTITION is a partition"
        has_mount_option "$PARTITION" "$OPTION"
        if [ "$FNRET" -ne 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
            return
        fi
        ok "$PARTITION has $OPTION in fstab"
        has_mounted_option "$PARTITION" "$OPTION"
        if [ "$FNRET" -gt 0 ]; then
            warn "$PARTITION is not mounted with $OPTION at runtime"
            FNRET=4
        else
            ok "$PARTITION mounted with $OPTION"
            FNRET=0
        fi
        return
    fi
    warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service"
    if [ "$OS_RELEASE" -eq 2 ]; then
        UNITSERVICEPATH="$CENTOS_SERVICEPATH"
    else
        UNITSERVICEPATH="$DEBIAN_SERVICEPATH"
    fi
    if [ ! -e "$UNITSERVICEPATH" ]; then
        crit "$UNITSERVICEPATH is not exist! Please apply 2.1 first!"
        FNRET=2
        return
    fi
    has_mount_option_systemd "$UNITSERVICEPATH" "$OPTION"
    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION has no option $OPTION in systemd service!"
        FNRET=3
        return
    fi
    ok "$PARTITION has $OPTION in systemd service"
    has_mounted_option "$PARTITION" "$OPTION"
    if [ "$FNRET" -gt 0 ]; then
        warn "$PARTITION is not mounted with $OPTION at runtime"
        FNRET=5
    else
        ok "$PARTITION mounted with $OPTION"
        FNRET=0
    fi
}
# Mount $PARTITION for the first time when is_mounted reports it absent
# (FNRET=1); otherwise remount it so the fstab options take effect.
tmp_mount_or_remount () {
    is_mounted "$PARTITION"
    if [ "$FNRET" = 1 ]; then
        mount "$PARTITION"
    else
        remount_partition "$PARTITION"
    fi
}
# This function will be called if the script status is on enabled mode
# Acts on the FNRET code left by audit(): fix fstab (1) or the systemd unit
# (3) and (re)mount, (re)mount only (4 from fstab, 5 from systemd), or just
# report (0, 2). Any other value is ignored.
apply () {
    if [ "$OS_RELEASE" -eq 2 ]; then
        UNITSERVICEPATH="$CENTOS_SERVICEPATH"
    else
        UNITSERVICEPATH="$DEBIAN_SERVICEPATH"
    fi
    case "$FNRET" in
        0) ok "$PARTITION is correctly set" ;;
        2) crit "System unit $UNITSERVICEPATH is not exist! Please apply 2.1 first!" ;;
        1)
            info "Adding $OPTION to fstab"
            add_option_to_fstab "$PARTITION" "$OPTION"
            info "Remounting $PARTITION from fstab"
            tmp_mount_or_remount
            ;;
        3)
            info "Adding $OPTION to systemd"
            add_option_to_systemd "$UNITSERVICEPATH" "$OPTION" "$SERVICENAME"
            remount_partition_by_systemd "$SERVICENAME" "$PARTITION"
            ;;
        4)
            info "Remounting $PARTITION from fstab"
            tmp_mount_or_remount
            ;;
        5)
            info "Remounting $PARTITION from systemd"
            remount_partition_by_systemd "$SERVICENAME" "$PARTITION"
            ;;
    esac
}
# This function will check config parameters required
# Deliberate no-op: this control reads no tunables from the hardening
# configuration, so there is nothing to validate.
check_config() {
    return 0
}
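# Source Root Dir Parameter
# The harbian-audit tree root comes from /etc/default/cis-hardening (or from
# the environment when that file is absent); lib/main.sh under it is then
# sourced and dispatches to audit()/apply() per the script's configured status.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# Fix: with 'set -u' a bare $CIS_ROOT_DIR aborts with "unbound variable"
# before the friendly message is printed; ${CIS_ROOT_DIR:-} keeps the
# intended diagnostic and exit code (128) reachable.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi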
================================================
FILE: bin/hardening/2.4_tmp_noexec.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux Debian 7/8/9/10/11/12/13 or CentOS Hardening
# Modify by: Samson-W (sccxboy@gmail.com)
#
#
# 2.4 Set noexec option for /tmp Partition/filesystem (Scored)
#
# Abort on the first failing command or on any unset variable.
set -eu
HARDENING_LEVEL=2
# /tmp may be declared either in /etc/fstab or through the systemd tmp.mount
# unit; the unit's location differs between CentOS and Debian.
PARTITION="/tmp"
OPTION="noexec"
SERVICENAME="tmp.mount"
# Not referenced by this script's audit()/apply(); kept for compatibility.
SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount"
CENTOS_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount"
# This function will be called if the script status is on enabled / audit mode
# Sets FNRET for apply(): 0 = compliant, 1 = fstab entry lacks $OPTION,
# 2 = neither fstab nor the tmp.mount unit declares /tmp, 3 = unit lacks
# $OPTION, 4 = fstab has it but the live mount does not, 5 = unit has it but
# the live mount does not.
audit () {
    info "Verifying that $PARTITION is a partition/filesystem"
    FNRET=0
    # /etc/fstab wins; the systemd unit is only consulted when /tmp is not
    # listed there.
    is_a_partition "$PARTITION"
    if [ "$FNRET" -eq 0 ]; then
        ok "$PARTITION is a partition"
        has_mount_option "$PARTITION" "$OPTION"
        if [ "$FNRET" -ne 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
            return
        fi
        ok "$PARTITION has $OPTION in fstab"
        has_mounted_option "$PARTITION" "$OPTION"
        if [ "$FNRET" -gt 0 ]; then
            warn "$PARTITION is not mounted with $OPTION at runtime"
            FNRET=4
        else
            ok "$PARTITION mounted with $OPTION"
            FNRET=0
        fi
        return
    fi
    warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service"
    if [ "$OS_RELEASE" -eq 2 ]; then
        UNITSERVICEPATH="$CENTOS_SERVICEPATH"
    else
        UNITSERVICEPATH="$DEBIAN_SERVICEPATH"
    fi
    if [ ! -e "$UNITSERVICEPATH" ]; then
        crit "$UNITSERVICEPATH is not exist! Please apply 2.1 first!"
        FNRET=2
        return
    fi
    has_mount_option_systemd "$UNITSERVICEPATH" "$OPTION"
    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION has no option $OPTION in systemd service!"
        FNRET=3
        return
    fi
    ok "$PARTITION has $OPTION in systemd service"
    has_mounted_option "$PARTITION" "$OPTION"
    if [ "$FNRET" -gt 0 ]; then
        warn "$PARTITION is not mounted with $OPTION at runtime"
        FNRET=5
    else
        ok "$PARTITION mounted with $OPTION"
        FNRET=0
    fi
}
# This function will be called if the script status is on enabled mode
apply () {
  # Same unit selection as audit(); FNRET is expected to hold audit()'s result.
  if [ "$OS_RELEASE" -eq 2 ]; then
    UNITSERVICEPATH=$CENTOS_SERVICEPATH
  else
    UNITSERVICEPATH=$DEBIAN_SERVICEPATH
  fi
  case "$FNRET" in
    0)
      ok "$PARTITION is correctly set"
      ;;
    2)
      crit "System unit $UNITSERVICEPATH is not exist! Please apply 2.1 first!"
      ;;
    1)
      info "Adding $OPTION to fstab"
      add_option_to_fstab "$PARTITION" "$OPTION"
      info "Remounting $PARTITION from fstab"
      # is_mounted leaves FNRET=1 when not mounted: a first mount is then
      # needed instead of a remount.
      is_mounted "$PARTITION"
      if [ "$FNRET" = 1 ]; then
        mount "$PARTITION"
      else
        remount_partition "$PARTITION"
      fi
      ;;
    3)
      info "Adding $OPTION to systemd"
      add_option_to_systemd "$UNITSERVICEPATH" "$OPTION" "$SERVICENAME"
      remount_partition_by_systemd "$SERVICENAME" "$PARTITION"
      ;;
    4)
      info "Remounting $PARTITION from fstab"
      is_mounted "$PARTITION"
      if [ "$FNRET" = 1 ]; then
        mount "$PARTITION"
      else
        remount_partition "$PARTITION"
      fi
      ;;
    5)
      info "Remounting $PARTITION from systemd"
      remount_partition_by_systemd "$SERVICENAME" "$PARTITION"
      ;;
  esac
}
# This function will check config parameters required
check_config() {
  # Nothing to validate: this check takes no configuration parameters.
  return 0
}
# Source Root Dir Parameter
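if [ -r /etc/default/cis-hardening ]; then
  # shellcheck source=/dev/null
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps this check reachable under 'set -u' when the defaults
# file is absent or does not define the variable; the message below is the
# intended diagnostic rather than an "unbound variable" abort.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a root directory containing whitespace cannot split the path.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  # shellcheck source=/dev/null
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi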
================================================
FILE: bin/hardening/2.5_var_partition.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 2.5 Create Separate Partition for /var (Scored)
#
set -eu # Abort on the first error or on any unset variable
HARDENING_LEVEL=3
# Quick factoring as many scripts use the same logic
PARTITION=/var
# This function will be called if the script status is on enabled / audit mode
audit () {
  # Result codes handed to apply(): 0 = mounted, 1 = declared but not mounted,
  # 2 = no separate partition for $PARTITION.
  info "Verifying that $PARTITION is a partition"
  FNRET=0
  is_a_partition "$PARTITION"
  if [ "$FNRET" -gt 0 ]; then
    crit "$PARTITION is not a partition"
    FNRET=2
    return 0
  fi
  ok "$PARTITION is a partition"
  is_mounted "$PARTITION"
  if [ "$FNRET" -gt 0 ]; then
    warn "$PARTITION is not mounted"
    FNRET=1
  else
    ok "$PARTITION is mounted"
  fi
  return 0
}
# This function will be called if the script status is on enabled mode
apply () {
  # FNRET is expected to carry the result of the preceding audit() run.
  case "$FNRET" in
    0)
      ok "$PARTITION is correctly set"
      ;;
    2)
      # Repartitioning is not something a script should do unattended; report only.
      crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
      ;;
    *)
      info "mounting $PARTITION"
      mount "$PARTITION"
      ;;
  esac
}
# This function will check config parameters required
check_config() {
  # Nothing to validate: this check takes no configuration parameters.
  return 0
}
# Source Root Dir Parameter
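if [ -r /etc/default/cis-hardening ]; then
  # shellcheck source=/dev/null
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps this check reachable under 'set -u' when the defaults
# file is absent or does not define the variable; the message below is the
# intended diagnostic rather than an "unbound variable" abort.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a root directory containing whitespace cannot split the path.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  # shellcheck source=/dev/null
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi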
================================================
FILE: bin/hardening/2.6.1_var_tmp_partition.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 2.6.1 Create Separate Partition for /var/tmp (Scored)
#
set -eu # Abort on the first error or on any unset variable
HARDENING_LEVEL=3
# Quick factoring as many scripts use the same logic
PARTITION=/var/tmp
# This function will be called if the script status is on enabled / audit mode
audit () {
  # Result codes handed to apply(): 0 = mounted, 1 = declared but not mounted,
  # 2 = no separate partition for $PARTITION.
  info "Verifying that $PARTITION is a partition"
  FNRET=0
  is_a_partition "$PARTITION"
  if [ "$FNRET" -gt 0 ]; then
    crit "$PARTITION is not a partition"
    FNRET=2
    return 0
  fi
  ok "$PARTITION is a partition"
  is_mounted "$PARTITION"
  if [ "$FNRET" -gt 0 ]; then
    warn "$PARTITION is not mounted"
    FNRET=1
  else
    ok "$PARTITION is mounted"
  fi
  return 0
}
# This function will be called if the script status is on enabled mode
apply () {
  # FNRET is expected to carry the result of the preceding audit() run.
  case "$FNRET" in
    0)
      ok "$PARTITION is correctly set"
      ;;
    2)
      # Repartitioning is not something a script should do unattended; report only.
      crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
      ;;
    *)
      info "mounting $PARTITION"
      mount "$PARTITION"
      ;;
  esac
}
# This function will check config parameters required
check_config() {
  # Nothing to validate: this check takes no configuration parameters.
  return 0
}
# Source Root Dir Parameter
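if [ -r /etc/default/cis-hardening ]; then
  # shellcheck source=/dev/null
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps this check reachable under 'set -u' when the defaults
# file is absent or does not define the variable; the message below is the
# intended diagnostic rather than an "unbound variable" abort.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a root directory containing whitespace cannot split the path.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  # shellcheck source=/dev/null
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi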
================================================
FILE: bin/hardening/2.6.2_var_tmp_nodev.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 2.6.2 Set nodev option for /var/tmp Partition (Scored)
#
set -eu # Abort on the first error or on any unset variable
HARDENING_LEVEL=2
# Quick factoring as many scripts use the same logic
PARTITION=/var/tmp
OPTION=nodev
# This function will be called if the script status is on enabled / audit mode
audit () {
  # Result codes handed to apply(): 0 = compliant, 1 = $OPTION missing in
  # fstab, 2 = not a separate partition, 3 = in fstab but not active at runtime.
  info "Verifying that $PARTITION is a partition"
  FNRET=0
  is_a_partition "$PARTITION"
  if [ "$FNRET" -gt 0 ]; then
    crit "$PARTITION is not a partition"
    FNRET=2
    return 0
  fi
  ok "$PARTITION is a partition"
  has_mount_option "$PARTITION" "$OPTION"
  if [ "$FNRET" -gt 0 ]; then
    crit "$PARTITION has no option $OPTION in fstab!"
    FNRET=1
    return 0
  fi
  ok "$PARTITION has $OPTION in fstab"
  # fstab declares intent; the mounted options are what actually protect the system.
  has_mounted_option "$PARTITION" "$OPTION"
  if [ "$FNRET" -gt 0 ]; then
    warn "$PARTITION is not mounted with $OPTION at runtime"
    FNRET=3
  else
    ok "$PARTITION mounted with $OPTION"
  fi
}
# This function will be called if the script status is on enabled mode
apply () {
  # FNRET is expected to carry the result of the preceding audit() run.
  case "$FNRET" in
    0)
      ok "$PARTITION is correctly set"
      ;;
    2)
      crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
      ;;
    1)
      info "Adding $OPTION to fstab"
      add_option_to_fstab "$PARTITION" "$OPTION"
      info "Remounting $PARTITION from fstab"
      remount_partition "$PARTITION"
      ;;
    3)
      info "Remounting $PARTITION from fstab"
      remount_partition "$PARTITION"
      ;;
  esac
}
# This function will check config parameters required
check_config() {
  # Nothing to validate: this check takes no configuration parameters.
  return 0
}
# Source Root Dir Parameter
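if [ -r /etc/default/cis-hardening ]; then
  # shellcheck source=/dev/null
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps this check reachable under 'set -u' when the defaults
# file is absent or does not define the variable; the message below is the
# intended diagnostic rather than an "unbound variable" abort.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a root directory containing whitespace cannot split the path.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  # shellcheck source=/dev/null
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi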
================================================
FILE: bin/hardening/2.6.3_var_tmp_nosuid.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 2.6.3 Set nosuid option for /var/tmp Partition (Scored)
#
set -eu # Abort on the first error or on any unset variable
HARDENING_LEVEL=2
# Quick factoring as many scripts use the same logic
PARTITION=/var/tmp
OPTION=nosuid
# This function will be called if the script status is on enabled / audit mode
audit () {
  # Result codes handed to apply(): 0 = compliant, 1 = $OPTION missing in
  # fstab, 2 = not a separate partition, 3 = in fstab but not active at runtime.
  info "Verifying that $PARTITION is a partition"
  FNRET=0
  is_a_partition "$PARTITION"
  if [ "$FNRET" -gt 0 ]; then
    crit "$PARTITION is not a partition"
    FNRET=2
    return 0
  fi
  ok "$PARTITION is a partition"
  has_mount_option "$PARTITION" "$OPTION"
  if [ "$FNRET" -gt 0 ]; then
    crit "$PARTITION has no option $OPTION in fstab!"
    FNRET=1
    return 0
  fi
  ok "$PARTITION has $OPTION in fstab"
  # fstab declares intent; the mounted options are what actually protect the system.
  has_mounted_option "$PARTITION" "$OPTION"
  if [ "$FNRET" -gt 0 ]; then
    warn "$PARTITION is not mounted with $OPTION at runtime"
    FNRET=3
  else
    ok "$PARTITION mounted with $OPTION"
  fi
}
# This function will be called if the script status is on enabled mode
apply () {
  # FNRET is expected to carry the result of the preceding audit() run.
  case "$FNRET" in
    0)
      ok "$PARTITION is correctly set"
      ;;
    2)
      crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
      ;;
    1)
      info "Adding $OPTION to fstab"
      add_option_to_fstab "$PARTITION" "$OPTION"
      info "Remounting $PARTITION from fstab"
      remount_partition "$PARTITION"
      ;;
    3)
      info "Remounting $PARTITION from fstab"
      remount_partition "$PARTITION"
      ;;
  esac
}
# This function will check config parameters required
check_config() {
  # Nothing to validate: this check takes no configuration parameters.
  return 0
}
# Source Root Dir Parameter
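if [ -r /etc/default/cis-hardening ]; then
  # shellcheck source=/dev/null
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps this check reachable under 'set -u' when the defaults
# file is absent or does not define the variable; the message below is the
# intended diagnostic rather than an "unbound variable" abort.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a root directory containing whitespace cannot split the path.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  # shellcheck source=/dev/null
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi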
================================================
FILE: bin/hardening/2.6.4_var_tmp_noexec.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 2.6.4 Set noexec option for /var/tmp Partition (Scored)
#
set -eu # Abort on the first error or on any unset variable
HARDENING_LEVEL=3
# Quick factoring as many scripts use the same logic
PARTITION=/var/tmp
OPTION=noexec
# This function will be called if the script status is on enabled / audit mode
audit () {
  # Result codes handed to apply(): 0 = compliant, 1 = $OPTION missing in
  # fstab, 2 = not a separate partition, 3 = in fstab but not active at runtime.
  info "Verifying that $PARTITION is a partition"
  FNRET=0
  is_a_partition "$PARTITION"
  if [ "$FNRET" -gt 0 ]; then
    crit "$PARTITION is not a partition"
    FNRET=2
    return 0
  fi
  ok "$PARTITION is a partition"
  has_mount_option "$PARTITION" "$OPTION"
  if [ "$FNRET" -gt 0 ]; then
    crit "$PARTITION has no option $OPTION in fstab!"
    FNRET=1
    return 0
  fi
  ok "$PARTITION has $OPTION in fstab"
  # fstab declares intent; the mounted options are what actually protect the system.
  has_mounted_option "$PARTITION" "$OPTION"
  if [ "$FNRET" -gt 0 ]; then
    warn "$PARTITION is not mounted with $OPTION at runtime"
    FNRET=3
  else
    ok "$PARTITION mounted with $OPTION"
  fi
}
# This function will be called if the script status is on enabled mode
apply () {
  # FNRET is expected to carry the result of the preceding audit() run.
  case "$FNRET" in
    0)
      ok "$PARTITION is correctly set"
      ;;
    2)
      crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
      ;;
    1)
      info "Adding $OPTION to fstab"
      add_option_to_fstab "$PARTITION" "$OPTION"
      info "Remounting $PARTITION from fstab"
      remount_partition "$PARTITION"
      ;;
    3)
      info "Remounting $PARTITION from fstab"
      remount_partition "$PARTITION"
      ;;
  esac
}
# This function will check config parameters required
check_config() {
  # Nothing to validate: this check takes no configuration parameters.
  return 0
}
# Source Root Dir Parameter
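if [ -r /etc/default/cis-hardening ]; then
  # shellcheck source=/dev/null
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps this check reachable under 'set -u' when the defaults
# file is absent or does not define the variable; the message below is the
# intended diagnostic rather than an "unbound variable" abort.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a root directory containing whitespace cannot split the path.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  # shellcheck source=/dev/null
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi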
================================================
FILE: bin/hardening/2.7_var_log_partition.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 2.7 Create Separate Partition for /var/log (Scored)
#
set -eu # Abort on the first error or on any unset variable
HARDENING_LEVEL=3
# Quick factoring as many scripts use the same logic
PARTITION=/var/log
# This function will be called if the script status is on enabled / audit mode
audit () {
  # Result codes handed to apply(): 0 = mounted, 1 = declared but not mounted,
  # 2 = no separate partition for $PARTITION. FNRET is set by is_a_partition.
  info "Verifying that $PARTITION is a partition"
  is_a_partition "$PARTITION"
  if [ "$FNRET" -gt 0 ]; then
    crit "$PARTITION is not a partition"
    FNRET=2
    return 0
  fi
  ok "$PARTITION is a partition"
  is_mounted "$PARTITION"
  if [ "$FNRET" -gt 0 ]; then
    warn "$PARTITION is not mounted"
    FNRET=1
  else
    ok "$PARTITION is mounted"
    FNRET=0
  fi
}
# This function will be called if the script status is on enabled mode
apply () {
  # FNRET is expected to carry the result of the preceding audit() run.
  case "$FNRET" in
    0)
      ok "$PARTITION is correctly set"
      ;;
    2)
      # Repartitioning is not something a script should do unattended; report only.
      crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
      ;;
    *)
      info "mounting $PARTITION"
      mount "$PARTITION"
      ;;
  esac
}
# This function will check config parameters required
check_config() {
  # Nothing to validate: this check takes no configuration parameters.
  return 0
}
# Source Root Dir Parameter
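if [ -r /etc/default/cis-hardening ]; then
  # shellcheck source=/dev/null
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps this check reachable under 'set -u' when the defaults
# file is absent or does not define the variable; the message below is the
# intended diagnostic rather than an "unbound variable" abort.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a root directory containing whitespace cannot split the path.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  # shellcheck source=/dev/null
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi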
================================================
FILE: bin/hardening/2.8_var_log_audit_partition.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 2.8 Create Separate Partition for /var/log/audit (Scored)
#
set -eu # Abort on the first error or on any unset variable
HARDENING_LEVEL=4
# Quick factoring as many scripts use the same logic
PARTITION=/var/log/audit
# This function will be called if the script status is on enabled / audit mode
audit () {
  # Result codes handed to apply(): 0 = mounted, 1 = declared but not mounted,
  # 2 = no separate partition for $PARTITION.
  info "Verifying that $PARTITION is a partition"
  FNRET=0
  is_a_partition "$PARTITION"
  if [ "$FNRET" -gt 0 ]; then
    crit "$PARTITION is not a partition"
    FNRET=2
    return 0
  fi
  ok "$PARTITION is a partition"
  is_mounted "$PARTITION"
  if [ "$FNRET" -gt 0 ]; then
    warn "$PARTITION is not mounted"
    FNRET=1
  else
    ok "$PARTITION is mounted"
  fi
  return 0
}
# This function will be called if the script status is on enabled mode
apply () {
  # FNRET is expected to carry the result of the preceding audit() run.
  case "$FNRET" in
    0)
      ok "$PARTITION is correctly set"
      ;;
    2)
      # Repartitioning is not something a script should do unattended; report only.
      crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
      ;;
    *)
      info "mounting $PARTITION"
      mount "$PARTITION"
      ;;
  esac
}
# This function will check config parameters required
check_config() {
  # Nothing to validate: this check takes no configuration parameters.
  return 0
}
# Source Root Dir Parameter
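if [ -r /etc/default/cis-hardening ]; then
  # shellcheck source=/dev/null
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps this check reachable under 'set -u' when the defaults
# file is absent or does not define the variable; the message below is the
# intended diagnostic rather than an "unbound variable" abort.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a root directory containing whitespace cannot split the path.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  # shellcheck source=/dev/null
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi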
================================================
FILE: bin/hardening/2.9_home_partition.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 2.9 Create Separate Partition for /home (Scored)
#
set -eu # Abort on the first error or on any unset variable
HARDENING_LEVEL=3
# Quick factoring as many scripts use the same logic
PARTITION=/home
# This function will be called if the script status is on enabled / audit mode
audit () {
  # Result codes handed to apply(): 0 = mounted, 1 = declared but not mounted,
  # 2 = no separate partition for $PARTITION.
  info "Verifying that $PARTITION is a partition"
  FNRET=0
  is_a_partition "$PARTITION"
  if [ "$FNRET" -gt 0 ]; then
    crit "$PARTITION is not a partition"
    FNRET=2
    return 0
  fi
  ok "$PARTITION is a partition"
  is_mounted "$PARTITION"
  if [ "$FNRET" -gt 0 ]; then
    warn "$PARTITION is not mounted"
    FNRET=1
  else
    ok "$PARTITION is mounted"
  fi
  return 0
}
# This function will be called if the script status is on enabled mode
apply () {
  # FNRET is expected to carry the result of the preceding audit() run.
  case "$FNRET" in
    0)
      ok "$PARTITION is correctly set"
      ;;
    2)
      # Repartitioning is not something a script should do unattended; report only.
      crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
      ;;
    *)
      info "mounting $PARTITION"
      mount "$PARTITION"
      ;;
  esac
}
# This function will check config parameters required
check_config() {
  # Nothing to validate: this check takes no configuration parameters.
  return 0
}
# Source Root Dir Parameter
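if [ -r /etc/default/cis-hardening ]; then
  # shellcheck source=/dev/null
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps this check reachable under 'set -u' when the defaults
# file is absent or does not define the variable; the message below is the
# intended diagnostic rather than an "unbound variable" abort.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a root directory containing whitespace cannot split the path.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  # shellcheck source=/dev/null
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi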
================================================
FILE: bin/hardening/3.1_bootloader_ownership.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
# 3.1 Set User/Group Owner on bootloader config (Scored)
#
set -eu # Abort on the first error or on any unset variable
HARDENING_LEVEL=1
# Assertion: Grub based. Debian keeps grub.cfg under /boot/grub, the grub2
# package layout (selected when OS_RELEASE is 2) under /boot/grub2.
FILE=/boot/grub/grub.cfg
FILE_GRUB2=/boot/grub2/grub.cfg
# Expected owner of the boot loader configuration.
USER=root
GROUP=root
# This function will be called if the script status is on enabled / audit mode
audit () {
  # OS_RELEASE 2 selects the grub2 path; everything else the Debian path.
  local cfg
  if [ "$OS_RELEASE" -eq 2 ]; then
    cfg=$FILE_GRUB2
  else
    cfg=$FILE
  fi
  has_file_correct_ownership "$cfg" "$USER" "$GROUP"
  if [ "$FNRET" = 0 ]; then
    ok "$cfg has correct ownership"
  else
    crit "$cfg ownership was not set to $USER:$GROUP"
  fi
}
# This function will be called if the script status is on enabled mode
apply () {
  # OS_RELEASE 2 selects the grub2 path; everything else the Debian path.
  local cfg
  if [ "$OS_RELEASE" -eq 2 ]; then
    cfg=$FILE_GRUB2
  else
    cfg=$FILE
  fi
  # Re-check rather than trusting a stale FNRET before changing ownership.
  has_file_correct_ownership "$cfg" "$USER" "$GROUP"
  if [ "$FNRET" = 0 ]; then
    ok "$cfg has correct ownership"
  else
    info "fixing $cfg ownership to $USER:$GROUP"
    chown "$USER:$GROUP" "$cfg"
  fi
}
# This function will check config parameters required
check_config() {
  # Preconditions, each aborting with 128 when unmet: the grub package for this
  # OS, the expected owner and group, and the configuration file itself.
  local pkg cfg
  if [ "$OS_RELEASE" -eq 2 ]; then
    pkg=grub2-pc
    cfg=$FILE_GRUB2
  else
    pkg=grub-pc
    cfg=$FILE
  fi
  is_pkg_installed "$pkg"
  if [ "$FNRET" != 0 ]; then
    warn "Grub is not installed, not handling configuration"
    exit 128
  fi
  does_user_exist "$USER"
  if [ "$FNRET" != 0 ]; then
    crit "$USER does not exist"
    exit 128
  fi
  does_group_exist "$GROUP"
  if [ "$FNRET" != 0 ]; then
    crit "$GROUP does not exist"
    exit 128
  fi
  does_file_exist "$cfg"
  if [ "$FNRET" != 0 ]; then
    crit "$cfg does not exist"
    exit 128
  fi
}
# Source Root Dir Parameter
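if [ -r /etc/default/cis-hardening ]; then
  # shellcheck source=/dev/null
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps this check reachable under 'set -u' when the defaults
# file is absent or does not define the variable; the message below is the
# intended diagnostic rather than an "unbound variable" abort.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a root directory containing whitespace cannot split the path.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  # shellcheck source=/dev/null
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi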
================================================
FILE: bin/hardening/3.2_bootloader_permissions.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
# 3.2 Set Permissions on bootloader config (Scored)
#
set -eu # Abort on the first error or on any unset variable
HARDENING_LEVEL=1
# Assertion: Grub based. FILE and PKGNAME are the Debian defaults; audit(),
# apply() and check_config() swap them for the grub2 layout when OS_RELEASE is 2.
FILE=/boot/grub/grub.cfg
PKGNAME=grub-pc
# Owner read-only: grub.cfg can embed password hashes and boot parameters.
PERMISSIONS=400
# This function will be called if the script status is on enabled / audit mode
audit () {
  # grub2 layout when OS_RELEASE is 2; the global FILE is updated on purpose so
  # the other hooks see the same path.
  if [ "$OS_RELEASE" -eq 2 ]; then
    FILE='/boot/grub2/grub.cfg'
  fi
  # FNRET: 0 = permissions already $PERMISSIONS, 1 = need fixing.
  has_file_correct_permissions "$FILE" "$PERMISSIONS"
  if [ "$FNRET" = 0 ]; then
    ok "$FILE has correct permissions"
    FNRET=0
  else
    crit "$FILE permissions were not set to $PERMISSIONS"
    FNRET=1
  fi
}
# This function will be called if the script status is on enabled mode
apply () {
  # grub2 layout when OS_RELEASE is 2 (global FILE updated on purpose).
  if [ "$OS_RELEASE" -eq 2 ]; then
    FILE='/boot/grub2/grub.cfg'
  fi
  # FNRET is expected to carry the result of the preceding audit() run.
  if [ "$FNRET" = 0 ]; then
    ok "$FILE has correct permissions"
    return 0
  fi
  info "fixing $FILE permissions to $PERMISSIONS"
  # Leading 0 makes the mode an explicit octal literal.
  chmod "0$PERMISSIONS" "$FILE"
}
# This function will check config parameters required
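check_config() {
  # grub2 layout and package when OS_RELEASE is 2 (globals updated on purpose).
  if [ "$OS_RELEASE" -eq 2 ]; then
    FILE='/boot/grub2/grub.cfg'
    PKGNAME='grub2-pc'
  fi
  is_pkg_installed "$PKGNAME"
  if [ "$FNRET" != 0 ]; then
    warn "$PKGNAME is not installed, not handling configuration"
    exit 128
  fi
  # The existence check used to re-test the package result (FNRET was already
  # 0 here), so the "does not exist" branch could never fire; query the file
  # explicitly, as 3.1 does.
  does_file_exist "$FILE"
  if [ "$FNRET" != 0 ]; then
    crit "$FILE does not exist"
    exit 128
  fi
}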
# Source Root Dir Parameter
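if [ -r /etc/default/cis-hardening ]; then
  # shellcheck source=/dev/null
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps this check reachable under 'set -u' when the defaults
# file is absent or does not define the variable; the message below is the
# intended diagnostic rather than an "unbound variable" abort.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a root directory containing whitespace cannot split the path.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  # shellcheck source=/dev/null
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi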
================================================
FILE: bin/hardening/3.3_bootloader_password.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
# 3.3 Set Boot Loader Password (Scored)
#
set -eu # Abort on the first error or on any unset variable
HARDENING_LEVEL=3
# Debian defaults; audit(), apply() and check_config() swap in the grub2
# layout when OS_RELEASE is 2.
FILE=/boot/grub/grub.cfg
PKGNAME=grub-pc
# Both lines must be present for grub to require authentication: the list of
# superusers and a PBKDF2 password hash.
USER_PATTERN="^set superusers"
PWD_PATTERN="^password_pbkdf2"
# This function will be called if the script status is on enabled / audit mode
audit () {
  # grub2 layout when OS_RELEASE is 2 (global FILE updated on purpose).
  if [ "$OS_RELEASE" -eq 2 ]; then
    FILE='/boot/grub2/grub.cfg'
  fi
  # Check the superusers line first, then the password hash line, reporting each.
  local pattern
  for pattern in "$USER_PATTERN" "$PWD_PATTERN"; do
    does_pattern_exist_in_file "$FILE" "$pattern"
    if [ "$FNRET" != 0 ]; then
      crit "$pattern not present in $FILE"
    else
      ok "$pattern is present in $FILE"
    fi
  done
}
# This function will be called if the script status is on enabled mode
apply () {
  # grub2 layout when OS_RELEASE is 2 (global FILE updated on purpose).
  if [ "$OS_RELEASE" -eq 2 ]; then
    FILE='/boot/grub2/grub.cfg'
  fi
  # Setting a boot loader password needs a secret from the operator, so this
  # hook only reports what is missing; it never rewrites grub.cfg.
  local pattern
  for pattern in "$USER_PATTERN" "$PWD_PATTERN"; do
    does_pattern_exist_in_file "$FILE" "$pattern"
    if [ "$FNRET" != 0 ]; then
      warn "$pattern not present in $FILE, please configure password for grub"
    else
      ok "$pattern is present in $FILE"
    fi
  done
  return 0
}
# This function will check config parameters required
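check_config() {
  # grub2 layout and package when OS_RELEASE is 2 (globals updated on purpose).
  if [ "$OS_RELEASE" -eq 2 ]; then
    FILE='/boot/grub2/grub.cfg'
    PKGNAME='grub2-pc'
  fi
  is_pkg_installed "$PKGNAME"
  if [ "$FNRET" != 0 ]; then
    warn "$PKGNAME is not installed, not handling configuration"
    exit 128
  fi
  # The existence check used to re-test the package result (FNRET was already
  # 0 here), so the "does not exist" branch could never fire; query the file
  # explicitly, as 3.1 does.
  does_file_exist "$FILE"
  if [ "$FNRET" != 0 ]; then
    crit "$FILE does not exist"
    exit 128
  fi
}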
# Source Root Dir Parameter
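if [ -r /etc/default/cis-hardening ]; then
  # shellcheck source=/dev/null
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps this check reachable under 'set -u' when the defaults
# file is absent or does not define the variable; the message below is the
# intended diagnostic rather than an "unbound variable" abort.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a root directory containing whitespace cannot split the path.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  # shellcheck source=/dev/null
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi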
================================================
FILE: bin/hardening/3.4_root_password.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 3.4 Require Authentication for Single-User Mode (Scored)
#
set -eu # Abort on the first error or on any unset variable
HARDENING_LEVEL=3
FILE=/etc/shadow
# Matches a root entry whose password field is exactly '*' or '!', i.e. no
# usable password, which is what single-user mode would otherwise accept.
PATTERN="^root:[*\!]:"
# This function will be called if the script status is on enabled / audit mode
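audit () {
  # The pattern contains '*' and '[', so it must be quoted or the shell may
  # expand it against file names before the helper ever sees it (3.3 already
  # quotes its patterns).
  does_pattern_exist_in_file "$FILE" "$PATTERN"
  # FNRET 1 means "pattern absent", which is the compliant state here.
  if [ "$FNRET" != 1 ]; then
    crit "$PATTERN is present in $FILE"
  else
    ok "$PATTERN is not present in $FILE"
  fi
}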
# This function will be called if the script status is on enabled mode
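apply () {
  # Quoted for the same reason as in audit(): the pattern holds glob characters.
  does_pattern_exist_in_file "$FILE" "$PATTERN"
  # A root password cannot be chosen by a script; only warn the operator.
  if [ "$FNRET" != 1 ]; then
    warn "$PATTERN is present in $FILE, please put a root password"
  else
    ok "$PATTERN is not present in $FILE"
  fi
  return 0
}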
# This function will check config parameters required
check_config() {
  # Nothing to validate: this check takes no configuration parameters.
  return 0
}
# Source Root Dir Parameter
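if [ -r /etc/default/cis-hardening ]; then
  # shellcheck source=/dev/null
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps this check reachable under 'set -u' when the defaults
# file is absent or does not define the variable; the message below is the
# intended diagnostic rather than an "unbound variable" abort.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a root directory containing whitespace cannot split the path.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  # shellcheck source=/dev/null
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi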
================================================
FILE: bin/hardening/4.1.1_ensure_ufw_installed.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 13
#
#
# 4.1.1 Ensure ufw is installed
#
set -eu # Abort on the first error or on any unset variable
HARDENING_LEVEL=2
audit () {
  # ufw checks apply from Debian 13 on; older releases are reported compliant
  # (FNRET=0) so the rule does not fail there.
  is_debian_ge_13
  if [ "$FNRET" != 0 ]; then
    ok "Rule is not applicable to OS versions prior to Debian 13."
    FNRET=0
    return 0
  fi
  pkg_installed_check 'ufw'
}
apply () {
  # The framework runs audit() before apply(), so FNRET already reflects the
  # system state. is_debian_ge_13 overwrites FNRET, so it is only re-run on
  # the non-compliant path, after FNRET has been consumed.
  if [ "$FNRET" = 0 ]; then
    ok "Already compliant. Nothing to apply for 4.1.1 Ensure ufw is installed."
    return 0
  fi
  is_debian_ge_13
  local is_supported=$FNRET
  if [ "$is_supported" = 0 ]; then
    pkg_installed_apply 'ufw'
  else
    ok "Rule is not applicable to OS versions prior to Debian 13."
  fi
}
check_config() {
  # Nothing to validate: this check takes no configuration parameters.
  return 0
}
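if [ -r /etc/default/cis-hardening ]; then
  # shellcheck source=/dev/null
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps this check reachable under 'set -u' when the defaults
# file is absent or does not define the variable; the message below is the
# intended diagnostic rather than an "unbound variable" abort.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Quoted so a root directory containing whitespace cannot split the path.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  # shellcheck source=/dev/null
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory?"
  exit 128
fi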
================================================
FILE: bin/hardening/4.1.2_ensure_ufw_service_configured.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 13
#
#
# 4.1.2 Ensure ufw service is configured
#
set -eu # Abort on the first error or on any unset variable
HARDENING_LEVEL=2
audit () {
  # ufw checks apply from Debian 13 on; older releases are reported compliant
  # (FNRET=0) so the rule does not fail there.
  is_debian_ge_13
  if [ "$FNRET" != 0 ]; then
    ok "Rule is not applicable to OS versions prior to Debian 13."
    FNRET=0
    return 0
  fi
  service_enable_check 'ufw.service'
}
apply () {
  # The framework runs audit() before apply(), so FNRET already reflects the
  # system state. is_debian_ge_13 overwrites FNRET, so it is only re-run on
  # the non-compliant path, after FNRET has been consumed.
  if [ "$FNRET" = 0 ]; then
    ok "Already compliant. Nothing to apply for 4.1.2 Ensure ufw service is configured."
    return 0
  fi
  is_debian_ge_13
  local is_supported=$FNRET
  if [ "$is_supported" = 0 ]; then
    service_enable_apply 'ufw.service'
  else
    ok "Rule is not applicable to OS versions prior to Debian 13."
  fi
}
check_config() {
  # Nothing to validate: this check takes no configuration parameters.
  return 0
}
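if [ -r /etc/default/cis-hardening ]; then
  # shellcheck source=/dev/null
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps this check reachable under 'set -u' when the defaults
# file is absent or does not define the variable; the message below is the
# intended diagnostic rather than an "unbound variable" abort.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Quoted so a root directory containing whitespace cannot split the path.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  # shellcheck source=/dev/null
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory?"
  exit 128
fi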
================================================
FILE: bin/hardening/4.1_restrict_core_dumps.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12/13 or CentOS Hardening
#Modify by: Samson-W (samson@hardenedlinux.org)
#
#
# 4.1 Restrict Core Dumps (Scored)
#
set -eu   # abort on the first failing command or on any unset variable
HARDENING_LEVEL=2
# limits.conf entry that forbids core files for every user
LIMIT_FILE='/etc/security/limits.conf'
LIMIT_PATTERN='^\*[[:space:]]*hard[[:space:]]*core[[:space:]]*0$'
# sysctl that stops set-uid programs from dumping core
SYSCTL_PARAM='fs.suid_dumpable'
SYSCTL_EXP_RESULT=0
# CentOS: crash-dump service that must not be active
SERVICE_NAME='kdump'
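# Debian: both the limits.conf entry and the sysctl must be in place.
# FNRET ends up as the result of the sysctl check.
audit_debian () {
    # Quoted: the pattern contains '*' and bracket expressions that would
    # otherwise be subject to pathname expansion.
    does_pattern_exist_in_file "$LIMIT_FILE" "$LIMIT_PATTERN"
    if [ "$FNRET" != 0 ]; then
        crit "$LIMIT_PATTERN not present in $LIMIT_FILE"
    else
        ok "$LIMIT_PATTERN present in $LIMIT_FILE"
    fi
    # NOTE: only limits.conf is inspected; an equivalent entry in
    # /etc/security/limits.d/*.conf is not recognised as compliant.
    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
    # 255 = parameter unknown. It has to be tested before the generic
    # non-zero case, otherwise the "Typo?" branch is unreachable.
    if [ "$FNRET" = 255 ]; then
        warn "$SYSCTL_PARAM does not exist -- Typo?"
    elif [ "$FNRET" != 0 ]; then
        crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
    else
        ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
    fi
}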
# CentOS: the kdump crash-dump service must not be running.
# Sets FNRET=1 when it is active, 0 otherwise (consumed by apply_centos).
audit_centos () {
    is_service_active "$SERVICE_NAME"
    case "$FNRET" in
        0)
            crit "$SERVICE_NAME is active"
            FNRET=1
            ;;
        *)
            ok "$SERVICE_NAME is inactived"
            FNRET=0
            ;;
    esac
}
# This function will be called if the script status is on enabled / audit mode
# Dispatch on the OS family detected by the framework (OS_RELEASE 2 = CentOS).
audit () {
    case "$OS_RELEASE" in
        2) audit_centos ;;
        *) audit_debian ;;
    esac
}
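# Debian: append the limits.conf entry and set the sysctl where missing.
apply_debian () {
    # Quoted: the pattern contains '*' and bracket expressions.
    does_pattern_exist_in_file "$LIMIT_FILE" "$LIMIT_PATTERN"
    if [ "$FNRET" != 0 ]; then
        warn "$LIMIT_PATTERN not present in $LIMIT_FILE, adding at the end of $LIMIT_FILE"
        add_end_of_file "$LIMIT_FILE" "* hard core 0"
    else
        ok "$LIMIT_PATTERN present in $LIMIT_FILE"
    fi
    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
    # 255 = parameter unknown; test it first so we never try to "fix" a
    # parameter the kernel does not have (the old order made it unreachable).
    if [ "$FNRET" = 255 ]; then
        warn "$SYSCTL_PARAM does not exist -- Typo?"
    elif [ "$FNRET" != 0 ]; then
        warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
        set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
    else
        ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
    fi
}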
# CentOS: stop and disable kdump when audit_centos flagged it (FNRET=1).
apply_centos () {
    if [ "$FNRET" -ne 1 ]; then
        ok "$SERVICE_NAME is disabled"
        return
    fi
    info "Disabling $SERVICE_NAME"
    systemctl stop "$SERVICE_NAME"
    systemctl disable "$SERVICE_NAME"
}
# This function will be called if the script status is on enabled mode
# Dispatch on the OS family detected by the framework (OS_RELEASE 2 = CentOS).
apply () {
    case "$OS_RELEASE" in
        2) apply_centos ;;
        *) apply_debian ;;
    esac
}
# This function will check config parameters required
# No tunables for this rule, so there is nothing to validate.
check_config() {
    return 0
}
# Source Root Dir Parameter
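# /etc/default/cis-hardening is executed as shell code with this script's
# privileges: keep it root-owned and not group/world-writable.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-}: under 'set -u' a plain $CIS_ROOT_DIR aborts with an
# "unbound variable" error before the explanatory message can be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted: a root directory containing whitespace must not be word-split.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi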
================================================
FILE: bin/hardening/4.2_enable_nx_support.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 4.2 Enable XD/NX Support on 32-bit x86 Systems (Not Scored)
#
set -eu   # abort on the first failing command or on any unset variable
HARDENING_LEVEL=2
# dmesg line printed by the kernel when NX/XD protection is in effect
PATTERN='NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:space:]]active'
# Check if the NX bit is supported and noexec=off hasn't been asked
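# Check if the NX bit is supported and noexec=off hasn't been asked.
# Sets FNRET=0 when the CPU advertises NX and the kernel was not booted with
# noexec=off, FNRET=1 otherwise (unsupported or disabled).
nx_supported_and_enabled() {
    # Look only at the "flags" line and match 'nx' as a whole word: the old
    # ' nx ' pattern missed the flag whenever it was the last one on the line.
    if grep -qE '^flags[[:space:]]*:.*[[:space:]]nx([[:space:]]|$)' /proc/cpuinfo; then
        # NX supported, but if noexec=off specified, it's not enabled
        if ${SUDO_CMD:-} grep -qi 'noexec=off' /proc/cmdline; then
            FNRET=1 # supported but disabled
        else
            FNRET=0 # supported and enabled
        fi
    else
        FNRET=1 # not supported
    fi
}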
# This function will be called if the script status is on enabled / audit mode
# Audit: accept the kernel's own NX message in dmesg, and fall back to
# cpuinfo/cmdline when that line has rotated out of the ring buffer.
audit () {
    does_pattern_exist_in_dmesg "$PATTERN"
    if [ "$FNRET" = 0 ]; then
        ok "$PATTERN is present in dmesg"
        return
    fi
    nx_supported_and_enabled
    if [ "$FNRET" = 0 ]; then
        ok "NX is supported and enabled"
    else
        crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
    fi
}
# This function will be called if the script status is on enabled mode
# Apply: NX is a CPU/bootloader property, so there is nothing this script can
# change; it only re-reports the audit result (remove noexec=off by hand).
apply () {
    does_pattern_exist_in_dmesg "$PATTERN"
    if [ "$FNRET" = 0 ]; then
        ok "$PATTERN is present in dmesg"
        return
    fi
    nx_supported_and_enabled
    if [ "$FNRET" = 0 ]; then
        ok "NX is supported and enabled"
    else
        crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
    fi
}
# This function will check config parameters required
# No tunables for this rule, so there is nothing to validate.
check_config() {
    return 0
}
# Source Root Dir Parameter
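# /etc/default/cis-hardening is executed as shell code with this script's
# privileges: keep it root-owned and not group/world-writable.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-}: under 'set -u' a plain $CIS_ROOT_DIR aborts with an
# "unbound variable" error before the explanatory message can be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted: a root directory containing whitespace must not be word-split.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi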
================================================
FILE: bin/hardening/4.3_enable_randomized_vm_placement.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 4.3 Enable Randomized Virtual Memory Region Placement (Scored)
#
set -eu   # abort on the first failing command or on any unset variable
HARDENING_LEVEL=2
# 2 = full ASLR (stack, mmap base, VDSO and brk randomised)
SYSCTL_PARAM='kernel.randomize_va_space'
SYSCTL_EXP_RESULT=2
# This function will be called if the script status is on enabled / audit mode
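# Audit: the sysctl must hold SYSCTL_EXP_RESULT.
audit () {
    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
    # 255 = parameter unknown; it must be tested before the generic
    # non-zero case, otherwise the "Typo?" branch is unreachable.
    if [ "$FNRET" = 255 ]; then
        warn "$SYSCTL_PARAM does not exist -- Typo?"
    elif [ "$FNRET" != 0 ]; then
        crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
    else
        ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
    fi
}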
# This function will be called if the script status is on enabled mode
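# Apply: set the sysctl when it differs from the expected value.
apply () {
    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
    # 255 = parameter unknown; test it first so we never try to "fix" a
    # parameter the kernel does not have (the old order made it unreachable).
    if [ "$FNRET" = 255 ]; then
        warn "$SYSCTL_PARAM does not exist -- Typo?"
    elif [ "$FNRET" != 0 ]; then
        warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
        set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
    else
        ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
    fi
}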
# This function will check config parameters required
# No tunables for this rule, so there is nothing to validate.
check_config() {
    return 0
}
# Source Root Dir Parameter
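# /etc/default/cis-hardening is executed as shell code with this script's
# privileges: keep it root-owned and not group/world-writable.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-}: under 'set -u' a plain $CIS_ROOT_DIR aborts with an
# "unbound variable" error before the explanatory message can be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted: a root directory containing whitespace must not be word-split.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi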
================================================
FILE: bin/hardening/4.4_disable_prelink.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
# 4.4 Disable Prelink (Scored)
#
set -eu   # abort on the first failing command or on any unset variable
HARDENING_LEVEL=2
# prelink rewrites binaries on disk, defeating ASLR and file-integrity checks
PACKAGE='prelink'
# This function will be called if the script status is on enabled / audit mode
# Audit: the prelink package must not be installed.
# Leaves is_pkg_installed's FNRET (0 = installed) for apply(); always
# returns 0 itself.
audit () {
    is_pkg_installed "$PACKAGE"
    case "$FNRET" in
        0) crit "$PACKAGE is installed!" ;;
        *) ok "$PACKAGE is absent" ;;
    esac
    return 0
}
# This function will be called if the script status is on enabled mode
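# Apply: undo prelinking (so binaries match their package checksums again)
# and purge the package. Relies on FNRET left by audit(): 0 = installed.
# Debian (1) and CentOS (2) used to be two identical branches that only
# differed in how the prelink binary was located.
apply () {
    local prelink_bin
    case "$OS_RELEASE" in
        1|2)
            if [ "$FNRET" = 0 ]; then
                crit "$PACKAGE is installed, purging it"
                # Prefer the binary on PATH ('command -v' instead of the
                # non-portable 'which'), else the Debian location.
                prelink_bin=$(command -v prelink || true)
                : "${prelink_bin:=/usr/sbin/prelink}"
                if [ -x "$prelink_bin" ]; then
                    "$prelink_bin" -ua
                else
                    # Do not abort the purge just because the undo step is
                    # unavailable; flag it so the operator can re-verify.
                    warn "prelink binary not found, cannot undo prelinking before removal"
                fi
                uninstall_pkg "$PACKAGE"
            else
                ok "$PACKAGE is absent"
            fi
            ;;
        *)
            crit "Current OS is not support!"
            ;;
    esac
}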
# This function will check config parameters required
# No tunables for this rule, so there is nothing to validate.
check_config() {
    return 0
}
# Source Root Dir Parameter
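# /etc/default/cis-hardening is executed as shell code with this script's
# privileges: keep it root-owned and not group/world-writable.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-}: under 'set -u' a plain $CIS_ROOT_DIR aborts with an
# "unbound variable" error before the explanatory message can be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted: a root directory containing whitespace must not be word-split.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi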
================================================
FILE: bin/hardening/4.5_enable_apparmor.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12/13 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
# 4.5 Activate AppArmor (Scored)
# Add by Author : Samson wen, Samson
#
set -eu   # abort on the first failing command or on any unset variable
HARDENING_LEVEL=3
# Packages that provide the LSM, its profiles and the aa-* tools
PACKAGES='apparmor apparmor-profiles apparmor-utils'
# Debian < 10: AppArmor has to be selected on the kernel command line
KEYWORD='GRUB_CMDLINE_LINUX'
PATTERN='apparmor=1[[:space:]]*security=apparmor'
SETSTRING='apparmor=1 security=apparmor'
GRUBFILE='/etc/default/grub'
# Debian >= 10: AppArmor is driven by a systemd unit instead
SERVICENAME='apparmor.service'
# When SELinux is the active LSM this rule is skipped
SELINUXSETSTRING='security=selinux'
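# Debian: the AppArmor packages must be installed and AppArmor must be
# active with profiles loaded. Skipped when SELinux is the active LSM.
# FNRET for apply_debian: 0 compliant, 1 package(s) missing, 2 not enabled
# (service inactive / kernel parameters absent), 3 enabled but no profiles.
audit_debian () {
    local missing=0 loaded
    if [ "$(grep -c "${SELINUXSETSTRING}" /proc/cmdline)" -eq 1 ]; then
        ok "SELinux was active. So pass."
        return 0
    fi
    for PACKAGE in ${PACKAGES}
    do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            crit "$PACKAGE is absent!"
            missing=1
        fi
    done
    # Track misses in a separate flag: FNRET only reflects the last
    # is_pkg_installed call, so an earlier missing package was masked when
    # the last one happened to be installed.
    if [ "$missing" -ne 0 ]; then
        FNRET=1
        return
    fi
    ok "$PACKAGES are installed"
    # Since Debian 10 (Buster), AppArmor is enabled by default. It's a system service
    is_debian_ge_10
    if [ "$FNRET" = 0 ]; then
        is_service_active "$SERVICENAME"
        if [ "$FNRET" -eq 0 ]; then
            ok "$SERVICENAME is active!"
            FNRET=0
        else
            crit "$SERVICENAME is inactive!"
            FNRET=2
        fi
        return
    fi
    # Debian < 10: AppArmor must have been selected on the kernel command line
    if [ "$(grep -c "${SETSTRING}" /proc/cmdline)" -ne 1 ]; then
        crit "There are ${SETSTRING} to ${KEYWORD} not in ${GRUBFILE}"
        FNRET=2
        return
    fi
    ok "There are ${SETSTRING} to ${KEYWORD} in ${GRUBFILE}"
    is_mounted "/sys/kernel/security"
    if [ "${FNRET}" -ne 0 ]; then
        # Previously this case produced no message at all and left
        # is_mounted's code in FNRET; no apply() branch can fix it either.
        crit "/sys/kernel/security is not mounted, AppArmor status cannot be checked"
        return
    fi
    if [ "$(/usr/sbin/aa-status 2>&1 | grep -c "apparmor filesystem is not mounted.")" -eq 1 ]; then
        crit "AppArmor profiles not enable in the system "
        FNRET=3
        return
    fi
    # 'N profiles are loaded.' -> N. Default to 0 when the line is absent so
    # the numeric test cannot fail on an empty string; zero loaded profiles
    # used to fall through silently and be reported as compliant.
    loaded=$(/usr/sbin/aa-status 2>/dev/null | grep 'profiles are loaded' | awk '{print $1}')
    if [ "${loaded:-0}" -gt 0 ]; then
        ok "AppArmor profiles is enable in the system "
        FNRET=0
    else
        crit "AppArmor profiles not enable in the system "
        FNRET=3
    fi
}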
# AppArmor is a Debian-family LSM; on CentOS the rule is vacuously satisfied.
audit_centos () {
    ok "AppArmor is only support for Debian, So pass!"
    return
}
# This function will be called if the script status is on enabled / audit mode
# Dispatch on the OS family detected by the framework (OS_RELEASE 2 = CentOS).
audit () {
    case "$OS_RELEASE" in
        2) audit_centos ;;
        *) audit_debian ;;
    esac
}
# Apply the fix matching the code audit_debian() left in FNRET:
# 1 install packages, 2 enable AppArmor (service or kernel parameters),
# 3 put all profiles into enforce mode. Skipped when SELinux is active.
apply_debian () {
    if [ "$(grep -c "${SELINUXSETSTRING}" /proc/cmdline)" -eq 1 ]; then
        ok "SELinux was active. So pass."
        return 0
    fi
    case "$FNRET" in
        0)
            ok "AppArmor profiles is enable in the system "
            ;;
        1)
            warn "$PACKAGE is not installed, install $PACKAGES"
            for PACKAGE in ${PACKAGES}
            do
                apt_install "$PACKAGE"
            done
            ;;
        2)
            # Since Debian 10 (Buster), AppArmor is enabled by default. It's a system service
            is_debian_ge_10
            if [ "$FNRET" = 0 ]; then
                warn "Start $SERVICENAME"
                systemctl start "$SERVICENAME"
            else
                warn "Set ${SETSTRING} to ${GRUBFILE} in ${GRUBFILE}, need to reboot the system and enable AppArmor profiles after setting it."
                # Append SETSTRING inside the quoted GRUB_CMDLINE_LINUX value
                sed -i "s;\(${KEYWORD}=\)\(\".*\)\(\"\);\1\2 ${SETSTRING}\3;" "${GRUBFILE}"
                /usr/sbin/update-grub2
            fi
            ;;
        3)
            warn "Enable AppArmor profiles in the system "
            # NOTE(review): the glob also matches sub-directories of
            # /etc/apparmor.d; confirm aa-enforce tolerates them on the target
            # release, since 'set -e' aborts the run on a non-zero exit.
            /usr/sbin/aa-enforce /etc/apparmor.d/*
            ;;
    esac
}
# AppArmor is a Debian-family LSM; nothing to apply on CentOS.
apply_centos () {
    ok "AppArmor is only support for Debian, So pass!"
    return
}
# This function will be called if the script status is on enabled mode
# Dispatch on the OS family detected by the framework (OS_RELEASE 2 = CentOS).
apply () {
    case "$OS_RELEASE" in
        2) apply_centos ;;
        *) apply_debian ;;
    esac
}
# This function will check config parameters required
# No tunables for this rule, so there is nothing to validate.
check_config() {
    return 0
}
# Source Root Dir Parameter
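# /etc/default/cis-hardening is executed as shell code with this script's
# privileges: keep it root-owned and not group/world-writable.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-}: under 'set -u' a plain $CIS_ROOT_DIR aborts with an
# "unbound variable" error before the explanatory message can be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted: a root directory containing whitespace must not be word-split.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi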
================================================
FILE: bin/hardening/4.6_enable_selinux.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9/10/11/12/13 or CentOS 8 Hardening
#
#
# 4.6 Activate SELinux (Scored)
# Add by Author : Samson-W (samson@hardenedlinux.org)
#
set -eu   # abort on the first failing command or on any unset variable
HARDENING_LEVEL=3
# Debian package set; check_config() swaps in the CentOS names
PACKAGES='selinux-basics selinux-policy-default'
# Kernel command-line token that selects SELinux as the LSM
SETSTRING='security=selinux'
PROC_CMDLINE='/proc/cmdline'
# Persistent mode configuration and the value we require
SELINUXCONF_FILE='/etc/selinux/config'
SELINUXENFORCE_MODE='SELINUX=enforcing'
# Runtime list of active LSMs (CentOS check)
LSM_RUN_STATUS_FILE='/sys/kernel/security/lsm'
# Debian: skipped when AppArmor is the active LSM; otherwise the SELinux
# packages must be present, SELinux selected on the kernel command line, and
# both the configured and the runtime mode must be enforcing.
# FNRET: 0 compliant, 1 package missing, 2 inactive, 3 not enforcing.
audit_debian () {
    set +e
    check_aa_status
    set -e
    if [ "$FNRET" = 0 ]; then
        ok "AppArmor was active. So pass."
        return 0
    fi
    for PACKAGE in ${PACKAGES}
    do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            crit "$PACKAGE is absent!"
            FNRET=1
            return
        fi
    done
    if [ "$FNRET" = 0 ]; then
        ok "$PACKAGE is installed"
    fi
    if [ "$(grep -c "${SETSTRING}" "$PROC_CMDLINE")" -eq 1 ]; then
        ok "SELinux is active."
        does_valid_pattern_exist_in_file "$SELINUXCONF_FILE" "$SELINUXENFORCE_MODE"
        # Both the persisted config and getenforce must say enforcing
        if [ "${FNRET}" -eq 0 ] && [ "$(getenforce | grep -c 'Enforcing')" -eq 1 ]; then
            ok "SELinux is in Enforcing mode."
            FNRET=0
            return
        fi
        crit "SELinux is not in Enforcing mode."
        FNRET=3
        return
    fi
    crit "SELinux is inactived."
    FNRET=2
}
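# CentOS: all SELinux packages must be installed, selinux must be listed in
# the running LSM set, and both config and runtime mode must be enforcing.
# FNRET: 0 compliant, 1 package missing, 2 inactive, 3 not enforcing.
audit_centos () {
    local missing=0
    for PACKAGE in ${PACKAGES}
    do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            crit "$PACKAGE is absent!"
            missing=1
        fi
    done
    # Track misses in a separate flag: the old per-iteration FNRET=0/1 reset
    # meant only the last package in the list decided the outcome.
    if [ "$missing" -ne 0 ]; then
        crit "SELinux related packages are not installed."
        FNRET=1
        return
    fi
    if [ "$(grep -c selinux "$LSM_RUN_STATUS_FILE")" -eq 1 ]; then
        ok "SELinux was activated."
        does_valid_pattern_exist_in_file "$SELINUXCONF_FILE" "$SELINUXENFORCE_MODE"
        if [ "${FNRET}" -eq 0 ] && [ "$(getenforce | grep -c 'Enforcing')" -eq 1 ]; then
            ok "SELinux is in Enforcing mode."
            FNRET=0
        else
            crit "SELinux is not in Enforcing mode."
            FNRET=3
        fi
    else
        crit "SELinux is inactived."
        FNRET=2
    fi
}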
# This function will be called if the script status is on enabled / audit mode
# Dispatch on the OS family detected by the framework (OS_RELEASE 2 = CentOS).
audit () {
    case "$OS_RELEASE" in
        2) audit_centos ;;
        *) audit_debian ;;
    esac
}
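# Apply the fix matching the code audit_debian() left in FNRET:
# 2 activate SELinux and select enforcing, 3 select enforcing only,
# anything else (1 or an unexpected code) install packages and do both.
apply_debian () {
    # audit() already ran; keep its verdict because check_aa_status
    # overwrites FNRET and the case below used to dispatch on that
    # clobbered value instead of the audit result.
    local audit_ret=$FNRET
    set +e
    check_aa_status
    set -e
    if [ "$FNRET" = 0 ]; then
        ok "AppArmor was active. So pass."
        return 0
    fi
    FNRET=$audit_ret
    case "$audit_ret" in
        0)
            ok "SELinux is active and in Enforcing mode."
            ;;
        2)
            warn "Set SELinux to activate, and need reboot"
            selinux-activate
            warn "Set SELinux to enforcing mode, and need reboot"
            replace_in_file "$SELINUXCONF_FILE" 'SELINUX=.*' "$SELINUXENFORCE_MODE"
            ;;
        3)
            warn "Set SELinux to enforcing mode, and need reboot"
            replace_in_file "$SELINUXCONF_FILE" 'SELINUX=.*' "$SELINUXENFORCE_MODE"
            ;;
        *)
            # 1 (package missing) or any other code
            warn "$PACKAGE is not installed, install $PACKAGES"
            for PACKAGE in ${PACKAGES}
            do
                install_package "$PACKAGE"
            done
            warn "Set SELinux to activate, and need reboot"
            selinux-activate
            warn "Set SELinux to enforcing mode, and need reboot"
            replace_in_file "$SELINUXCONF_FILE" 'SELINUX=.*' "$SELINUXENFORCE_MODE"
            ;;
    esac
}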
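# Apply the fix matching the code audit_centos() left in FNRET:
# 1 install packages, 2 activate, 3 select enforcing mode.
apply_centos () {
    case "$FNRET" in
        0)
            ok "SELinux is active and in Enforcing mode."
            ;;
        1)
            warn "$PACKAGE is not installed, install $PACKAGES"
            for PACKAGE in ${PACKAGES}
            do
                install_package "$PACKAGE"
            done
            ;;
        2)
            warn "Set SELinux to activate, and need reboot"
            # The old branch only printed the warning and changed nothing.
            # Select enforcing in the persistent config, as branch 3 does; it
            # takes effect at next boot unless SELinux is disabled on the
            # kernel command line, which is not handled here.
            # NOTE(review): a filesystem relabel is normally required when
            # SELinux was previously disabled -- confirm before rebooting.
            replace_in_file "$SELINUXCONF_FILE" 'SELINUX=.*' "$SELINUXENFORCE_MODE"
            ;;
        3)
            warn "Set SELinux to enforcing mode, and need reboot"
            replace_in_file "$SELINUXCONF_FILE" 'SELINUX=.*' "$SELINUXENFORCE_MODE"
            ;;
        *)
            :
            ;;
    esac
}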
# This function will be called if the script status is on enabled mode
# Dispatch on the OS family detected by the framework (OS_RELEASE 2 = CentOS).
apply () {
    case "$OS_RELEASE" in
        2) apply_centos ;;
        *) apply_debian ;;
    esac
}
# This function will check config parameters required
# CentOS ships SELinux under different package names; Debian keeps the
# defaults defined at the top of the file.
check_config() {
    case "$OS_RELEASE" in
        2) PACKAGES='libselinux libselinux-utils selinux-policy-targeted' ;;
        *) : ;;
    esac
}
# Source Root Dir Parameter
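# /etc/default/cis-hardening is executed as shell code with this script's
# privileges: keep it root-owned and not group/world-writable.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-}: under 'set -u' a plain $CIS_ROOT_DIR aborts with an
# "unbound variable" error before the explanatory message can be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted: a root directory containing whitespace must not be word-split.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi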
================================================
FILE: bin/hardening/4.7_enable_selinux_policy.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9/10/11/12/13 or CentOS 8 Hardening
#
#
# 4.7 Enable SELinux targeted policy (Scored)
# Add by Author : Samson-W (samson@hardenedlinux.org)
#
set -eu   # abort on the first failing command or on any unset variable
HARDENING_LEVEL=3
# Policy type expected in the SELinux config; check_config() switches it
# to 'targeted' on CentOS
SELINUXCONF_FILE='/etc/selinux/config'
SELINUXTYPE_VALUE='SELINUXTYPE=default'
# Debian: skipped when AppArmor is the active LSM; otherwise the SELinux
# config must select the expected policy type. FNRET: 0 ok, 1 not set.
audit_debian () {
    set +e
    check_aa_status
    set -e
    if [ "$FNRET" = 0 ]; then
        ok "AppArmor was active. So pass."
        return 0
    fi
    does_valid_pattern_exist_in_file "$SELINUXCONF_FILE" "$SELINUXTYPE_VALUE"
    case "${FNRET}" in
        0)
            ok "SELinux targeted policy was enabled."
            FNRET=0
            ;;
        *)
            crit "SELinux targeted policy is not enable."
            FNRET=1
            ;;
    esac
}
# CentOS: the SELinux config must select the expected policy type.
# FNRET: 0 ok, 1 not set.
audit_centos () {
    does_valid_pattern_exist_in_file "$SELINUXCONF_FILE" "$SELINUXTYPE_VALUE"
    case "${FNRET}" in
        0)
            ok "SELinux targeted policy was enabled."
            FNRET=0
            ;;
        *)
            crit "SELinux targeted policy is not enable."
            FNRET=1
            ;;
    esac
}
# This function will be called if the script status is on enabled / audit mode
# Dispatch on the OS family detected by the framework (OS_RELEASE 2 = CentOS).
audit () {
    case "$OS_RELEASE" in
        2) audit_centos ;;
        *) audit_debian ;;
    esac
}
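# Apply: write the expected SELINUXTYPE when audit_debian() reported it
# missing (FNRET=1). Skipped when AppArmor is the active LSM.
apply_debian () {
    # audit() already ran; keep its verdict because check_aa_status
    # overwrites FNRET -- the old code then tested the clobbered value, so
    # the config was rewritten (or not) depending on check_aa_status's
    # return code rather than on the audit result.
    local audit_ret=$FNRET
    set +e
    check_aa_status
    set -e
    if [ "$FNRET" = 0 ]; then
        ok "AppArmor was active. So pass."
        return 0
    fi
    FNRET=$audit_ret
    case "$audit_ret" in
        0)
            ok "SELinux targeted policy was enabled."
            ;;
        1)
            warn "Set SELinux targeted policy to enable, and need reboot"
            replace_in_file "$SELINUXCONF_FILE" 'SELINUXTYPE=.*' "$SELINUXTYPE_VALUE"
            ;;
        *)
            :
            ;;
    esac
}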
# CentOS: write the expected SELINUXTYPE when audit_centos() reported it
# missing (FNRET=1); any other code is a no-op.
apply_centos () {
    case "$FNRET" in
        0)
            ok "SELinux targeted policy was enabled."
            ;;
        1)
            warn "Set SELinux targeted policy to enable, and need reboot"
            replace_in_file "$SELINUXCONF_FILE" 'SELINUXTYPE=.*' "$SELINUXTYPE_VALUE"
            ;;
        *)
            :
            ;;
    esac
}
# This function will be called if the script status is on enabled mode
# Dispatch on the OS family detected by the framework (OS_RELEASE 2 = CentOS).
apply () {
    case "$OS_RELEASE" in
        2) apply_centos ;;
        *) apply_debian ;;
    esac
}
# This function will check config parameters required
# CentOS uses the 'targeted' policy type; Debian keeps 'default'.
check_config() {
    case "$OS_RELEASE" in
        2) SELINUXTYPE_VALUE='SELINUXTYPE=targeted' ;;
        *) : ;;
    esac
}
# Source Root Dir Parameter
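# /etc/default/cis-hardening is executed as shell code with this script's
# privileges: keep it root-owned and not group/world-writable.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-}: under 'set -u' a plain $CIS_ROOT_DIR aborts with an
# "unbound variable" error before the explanatory message can be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted: a root directory containing whitespace must not be word-split.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi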
================================================
FILE: bin/hardening/4.8_disable_usb_devices.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9/10/11/12/13 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
# 4.8 Disable USB storage Devices
# TODO: CentOS
#
set -eu   # abort on the first failing command or on any unset variable
HARDENING_LEVEL=4
# An 'install ... /bin/true' rule makes modprobe run /bin/true instead of
# loading usb_storage; this is the line audit/apply look for
BLACKRULEPATTERN='install[[:blank:]].*usb_storage[[:blank:]].*/bin/true'
BLACKRULE='install usb_storage /bin/true'
BLACKCONFILE='/etc/modprobe.d/blacklist.conf'
BLACKCONDIR='/etc/modprobe.d'
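# Debian: some file under BLACKCONDIR must carry the usb_storage install
# rule. Reports crit when none does.
audit_debian () {
    local found=0 candidate
    for FILE_SEARCHED in $BLACKCONDIR; do
        if [ "$found" = 1 ]; then break; fi
        if test -d "$FILE_SEARCHED"; then
            debug "$FILE_SEARCHED is a directory"
            # Glob instead of parsing 'ls' output, which split file names
            # on whitespace; skip sub-directories and the literal '*' a glob
            # leaves behind in an empty directory.
            for candidate in "$FILE_SEARCHED"/*; do
                [ -f "$candidate" ] || continue
                does_pattern_exist_in_file "$candidate" "^$BLACKRULEPATTERN"
                if [ "$FNRET" != 0 ]; then
                    debug "$BLACKRULEPATTERN is not present in $candidate"
                else
                    ok "$BLACKRULEPATTERN is present in $candidate"
                    found=1
                    break
                fi
            done
        else
            does_pattern_exist_in_file "$FILE_SEARCHED" "^$BLACKRULEPATTERN"
            if [ "$FNRET" != 0 ]; then
                debug "$BLACKRULEPATTERN is not present in $FILE_SEARCHED"
            else
                ok "$BLACKRULEPATTERN is present in $BLACKCONDIR"
                found=1
            fi
        fi
    done
    if [ "$found" = 0 ]; then
        crit "$BLACKRULEPATTERN is not present in $BLACKCONDIR"
    fi
    # NOTE: only '/bin/true' is accepted as the install target; a rule that
    # uses '/bin/false' instead is reported as missing.
}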
# TODO: CentOS is not covered yet; nothing is checked there.
audit_centos () {
    return 0
}
# This function will be called if the script status is on enabled / audit mode
# Dispatch on the OS family detected by the framework (OS_RELEASE 2 = CentOS).
audit () {
    case "$OS_RELEASE" in
        2) audit_centos ;;
        *) audit_debian ;;
    esac
}
# This function will be called if the script status is on enabled mode
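# Apply: add the usb_storage blacklist/install rules to BLACKCONFILE when no
# file under BLACKCONDIR already carries the install rule.
apply () {
    local found=0 candidate
    for FILE_SEARCHED in $BLACKCONDIR; do
        if [ "$found" = 1 ]; then break; fi
        if test -d "$FILE_SEARCHED"; then
            debug "$FILE_SEARCHED is a directory"
            # Glob rather than parse 'ls'; skip sub-directories and the
            # literal '*' left by an empty directory.
            for candidate in "$FILE_SEARCHED"/*; do
                [ -f "$candidate" ] || continue
                does_pattern_exist_in_file "$candidate" "^$BLACKRULEPATTERN"
                if [ "$FNRET" != 0 ]; then
                    debug "$BLACKRULEPATTERN is not present in $candidate"
                else
                    ok "$BLACKRULEPATTERN is present in $candidate"
                    found=1
                    break
                fi
            done
        else
            # Same pattern as audit_debian: the old call had a stray trailing
            # space inside the quotes, so this branch could never match.
            does_pattern_exist_in_file "$FILE_SEARCHED" "^$BLACKRULEPATTERN"
            if [ "$FNRET" != 0 ]; then
                debug "$BLACKRULEPATTERN is not present in $FILE_SEARCHED"
            else
                ok "$BLACKRULEPATTERN is present in $BLACKCONDIR"
                found=1
            fi
        fi
    done
    if [ "$found" = 0 ]; then
        warn "$BLACKRULEPATTERN is not present in $BLACKCONDIR"
        if [ -f "$BLACKCONFILE" ]; then
            warn "Add $BLACKRULE to $BLACKCONFILE"
        else
            warn "Create $BLACKCONFILE and add $BLACKRULE to $BLACKCONFILE"
            touch "$BLACKCONFILE"
            chmod 644 "$BLACKCONFILE"
        fi
        # The 'install' rule is what blocks loading; 'blacklist' alone only
        # stops modprobe from honouring the module's own aliases.
        add_end_of_file "$BLACKCONFILE" "blacklist usb_storage"
        add_end_of_file "$BLACKCONFILE" "$BLACKRULE"
        # NOTE: an already-loaded usb_storage module stays loaded until it is
        # unloaded or the system reboots.
    fi
}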
# This function will check config parameters required
# No tunables for this rule, so there is nothing to validate.
check_config() {
    return 0
}
# Source Root Dir Parameter
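# /etc/default/cis-hardening is executed as shell code with this script's
# privileges: keep it root-owned and not group/world-writable.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-}: under 'set -u' a plain $CIS_ROOT_DIR aborts with an
# "unbound variable" error before the explanatory message can be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted: a root directory containing whitespace must not be word-split.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi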
================================================
FILE: bin/hardening/5.1.1_disable_nis.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
# 5.1.1 Ensure NIS is not installed (Scored)
#
set -eu   # abort on the first failing command or on any unset variable
HARDENING_LEVEL=3
# NIS package name on Debian, and its CentOS counterpart
PACKAGE='nis'
PACKAGE_CENTOS='ypserv'
# This function will be called if the script status is on enabled / audit mode
# Audit: the NIS package (distribution-specific name) must not be installed.
# Always returns 0; the package state is left in FNRET by is_pkg_installed.
audit () {
    if [ "$OS_RELEASE" -eq 2 ]; then
        PACKAGE=$PACKAGE_CENTOS
    fi
    is_pkg_installed "$PACKAGE"
    case "$FNRET" in
        0) crit "$PACKAGE is installed!" ;;
        *) ok "$PACKAGE is absent" ;;
    esac
    return 0
}
# This function will be called if the script status is on enabled mode
# Apply: purge the NIS package (distribution-specific name) when present.
apply () {
    if [ "$OS_RELEASE" -eq 2 ]; then
        PACKAGE=$PACKAGE_CENTOS
    fi
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
        ok "$PACKAGE is absent"
        return
    fi
    crit "$PACKAGE is installed, purging it"
    uninstall_pkg "$PACKAGE"
}
# This function will check config parameters required
# No tunables for this rule, so there is nothing to validate.
check_config() {
    return 0
}
# Source Root Dir Parameter
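# /etc/default/cis-hardening is executed as shell code with this script's
# privileges: keep it root-owned and not group/world-writable.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-}: under 'set -u' a plain $CIS_ROOT_DIR aborts with an
# "unbound variable" error before the explanatory message can be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted: a root directory containing whitespace must not be word-split.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi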
================================================
FILE: bin/hardening/5.1.2_disable_rsh.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12/13 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
# 5.1.2 Ensure rsh server is not enabled (Scored)
#
set -eu   # abort on the first failing command or on any unset variable
HARDENING_LEVEL=2
# Based on aptitude search '~Prsh-server'
PACKAGES='rsh-server rsh-redone-server heimdal-servers'
PACKAGE_CENTOS='rsh-server'
# inetd services (rshd/rlogind/rexecd) that expose the r-protocols
FILE='/etc/inetd.conf'
PATTERN='^(shell|login|exec)'
# Debian: for every rsh server package that is installed, inetd.conf must
# not enable the shell/login/exec services.
# NOTE: inetd.conf is only inspected when one of the packages is present.
audit_debian () {
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            ok "$PACKAGE is absent"
            continue
        fi
        warn "$PACKAGE is installed, checking configuration"
        does_file_exist "$FILE"
        if [ "$FNRET" != 0 ]; then
            ok "$FILE does not exist"
            continue
        fi
        does_pattern_exist_in_file "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            crit "$PATTERN exists, $PACKAGE services are enabled!"
        else
            ok "$PATTERN is not present in $FILE"
        fi
    done
}
# CentOS: the rsh-server package must not be installed.
audit_centos () {
    is_pkg_installed "$PACKAGE_CENTOS"
    case "$FNRET" in
        0) crit "$PACKAGE_CENTOS is installed!" ;;
        *) ok "$PACKAGE_CENTOS is absent" ;;
    esac
}
# This function will be called if the script status is on enabled / audit mode
# Dispatch on the OS family detected by the framework (OS_RELEASE 2 = CentOS).
audit () {
    case "$OS_RELEASE" in
        2) audit_centos ;;
        *) audit_debian ;;
    esac
}
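# Debian: purge every installed rsh server package, then comment out the
# shell/login/exec services in inetd.conf.
apply_debian () {
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            uninstall_pkg "$PACKAGE"
        else
            ok "$PACKAGE is absent"
        fi
    done
    # The inetd.conf clean-up does not depend on the package loop, so it is
    # done once instead of once per package.
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        ok "$FILE does not exist"
        return
    fi
    info "$FILE exists, checking patterns"
    does_pattern_exist_in_file "$FILE" "$PATTERN"
    if [ "$FNRET" = 0 ]; then
        warn "$PATTERN is present in $FILE, purging it"
        backup_file "$FILE"
        # Turn the ERE alternation into its GNU BRE form for sed
        ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< "$PATTERN")
        # '-i -e', not '-ie': the latter is '-i' with backup suffix 'e' and
        # left a stray copy of the config behind as ${FILE}e.
        sed -i -e "s/$ESCAPED_PATTERN/#&/g" "$FILE"
        # NOTE: a running inetd keeps serving the old config until reloaded.
    else
        ok "$PATTERN is not present in $FILE"
    fi
}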
# CentOS: purge rsh-server when present.
apply_centos () {
    is_pkg_installed "$PACKAGE_CENTOS"
    if [ "$FNRET" != 0 ]; then
        ok "$PACKAGE_CENTOS is absent"
        return
    fi
    crit "$PACKAGE_CENTOS is installed, purging it"
    uninstall_pkg "$PACKAGE_CENTOS"
}
# This function will be called if the script status is on enabled mode
# Dispatch on the OS family detected by the framework (OS_RELEASE 2 = CentOS).
apply () {
    case "$OS_RELEASE" in
        2) apply_centos ;;
        *) apply_debian ;;
    esac
}
# This function will check config parameters required
# No tunables for this rule, so there is nothing to validate.
check_config() {
    return 0
}
# Source Root Dir Parameter
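# /etc/default/cis-hardening is executed as shell code with this script's
# privileges: keep it root-owned and not group/world-writable.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-}: under 'set -u' a plain $CIS_ROOT_DIR aborts with an
# "unbound variable" error before the explanatory message can be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted: a root directory containing whitespace must not be word-split.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi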
================================================
FILE: bin/hardening/5.1.3_disable_rsh_client.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
# 5.1.3 Ensure rsh client is not installed (Scored)
#
set -eu   # abort on the first failing command or on any unset variable
HARDENING_LEVEL=2
# Based on aptitude search '~Prsh-client', excluding ssh-client OFC
PACKAGES='rsh-client rsh-redone-client heimdal-clients'
# This function will be called if the script status is on enabled / audit mode
# Audit: none of the rsh client packages may be installed (Debian only;
# CentOS has no equivalent check and always passes).
audit () {
    if [ "$OS_RELEASE" -eq 2 ]; then
        ok "Redhat or CentOS does not have this check, so PASS"
        return
    fi
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        case "$FNRET" in
            0) crit "$PACKAGE is installed" ;;
            *) ok "$PACKAGE is absent" ;;
        esac
    done
}
# This function will be called if the script status is on enabled mode
# Apply: purge every installed rsh client package (Debian only).
apply () {
    if [ "$OS_RELEASE" -eq 2 ]; then
        ok "Redhat or CentOS does not have this check, so PASS"
        return
    fi
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            ok "$PACKAGE is absent"
            continue
        fi
        warn "$PACKAGE is installed, purging"
        uninstall_pkg "$PACKAGE"
    done
}
# This function will check config parameters required
# No tunables for this rule, so there is nothing to validate.
check_config() {
    return 0
}
# Source Root Dir Parameter
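# /etc/default/cis-hardening is executed as shell code with this script's
# privileges: keep it root-owned and not group/world-writable.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-}: under 'set -u' a plain $CIS_ROOT_DIR aborts with an
# "unbound variable" error before the explanatory message can be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted: a root directory containing whitespace must not be word-split.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi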
================================================
FILE: bin/hardening/5.1.4_disable_talk.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12/13 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
# 5.1.4 Ensure talk server is not enabled (Scored)
#
set -eu   # abort on the first failing command or on any unset variable
HARDENING_LEVEL=2
# talk daemons on Debian, and the inetd services they register
PACKAGES='inetutils-talkd talkd'
FILE='/etc/inetd.conf'
PATTERN='^(talk|ntalk)'
PACKAGES_CENTOS='talk-server'
# Debian: for every talk daemon package that is installed, inetd.conf must
# not enable the talk/ntalk services.
# NOTE: inetd.conf is only inspected when one of the packages is present.
audit_debian () {
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            ok "$PACKAGE is absent"
            continue
        fi
        warn "$PACKAGE is installed, checking configuration"
        does_file_exist "$FILE"
        if [ "$FNRET" != 0 ]; then
            ok "$FILE does not exist"
            continue
        fi
        does_pattern_exist_in_file "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            crit "$PATTERN exists, $PACKAGE services are enabled!"
        else
            ok "$PATTERN is not present in $FILE"
        fi
    done
}
# CentOS: none of the talk server packages may be installed.
audit_centos () {
    for PACKAGE in $PACKAGES_CENTOS; do
        is_pkg_installed "$PACKAGE"
        case "$FNRET" in
            0) crit "$PACKAGE is installed" ;;
            *) ok "$PACKAGE is absent" ;;
        esac
    done
}
# This function will be called if the script status is on enabled / audit mode
# Dispatch on the OS family detected by the framework (OS_RELEASE 2 = CentOS).
audit () {
    case "$OS_RELEASE" in
        2) audit_centos ;;
        *) audit_debian ;;
    esac
}
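# Debian: purge every installed talk daemon package, then comment out the
# talk/ntalk services in inetd.conf.
apply_debian () {
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            uninstall_pkg "$PACKAGE"
        else
            ok "$PACKAGE is absent"
        fi
    done
    # The inetd.conf clean-up does not depend on the package loop, so it is
    # done once instead of once per package.
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        ok "$FILE does not exist"
        return
    fi
    info "$FILE exists, checking patterns"
    does_pattern_exist_in_file "$FILE" "$PATTERN"
    if [ "$FNRET" = 0 ]; then
        warn "$PATTERN is present in $FILE, purging it"
        backup_file "$FILE"
        # Turn the ERE alternation into its GNU BRE form for sed
        ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< "$PATTERN")
        # '-i -e', not '-ie': the latter is '-i' with backup suffix 'e' and
        # left a stray copy of the config behind as ${FILE}e.
        sed -i -e "s/$ESCAPED_PATTERN/#&/g" "$FILE"
        # NOTE: a running inetd keeps serving the old config until reloaded.
    else
        ok "$PATTERN is not present in $FILE"
    fi
}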
# CentOS: purge every installed talk server package.
apply_centos () {
    for PACKAGE in $PACKAGES_CENTOS; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            ok "$PACKAGE is absent"
            continue
        fi
        crit "$PACKAGE is installed, purging it"
        uninstall_pkg "$PACKAGE"
    done
}
# This function will be called if the script status is on enabled mode
# Dispatch the remediation to the distribution-specific routine (OS_RELEASE 2 = CentOS).
apply () {
  if (( OS_RELEASE == 2 )); then
    apply_centos
  else
    apply_debian
  fi
}
# This function will check config parameters required
# No configuration parameters are needed for this check; always succeeds.
check_config() {
  return 0
}
# Source Root Dir Parameter
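if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-}: this script runs under 'set -u', so a bare $CIS_ROOT_DIR
# would abort with "unbound variable" before the message below is printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi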
================================================
FILE: bin/hardening/5.1.5_disable_talk_client.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
# 5.1.5 Ensure talk client is not installed (Scored)
#
set -eu # Stop at the first failing command and at any unset variable
HARDENING_LEVEL=2
# Debian talk client packages; reassigned to the CentOS name at run time
PACKAGES='talk inetutils-talk'
PACKAGES_CENTOS='talk'
# This function will be called if the script status is on enabled / audit mode
# Report every talk client package that is still installed.
# Globals: PACKAGES (rewritten to PACKAGES_CENTOS when OS_RELEASE is 2); FNRET
audit () {
  local pkg
  if (( OS_RELEASE == 2 )); then
    PACKAGES=$PACKAGES_CENTOS
  fi
  for pkg in $PACKAGES; do   # unquoted on purpose: space-separated list
    is_pkg_installed "$pkg"
    if [[ "$FNRET" != 0 ]]; then
      ok "$pkg is absent"
    else
      crit "$pkg is installed"
    fi
  done
}
# This function will be called if the script status is on enabled mode
# Purge every talk client package that is still installed.
# Globals: PACKAGES (rewritten to PACKAGES_CENTOS when OS_RELEASE is 2); FNRET
apply () {
  local pkg
  if (( OS_RELEASE == 2 )); then
    PACKAGES=$PACKAGES_CENTOS
  fi
  for pkg in $PACKAGES; do   # unquoted on purpose: space-separated list
    is_pkg_installed "$pkg"
    if [[ "$FNRET" != 0 ]]; then
      ok "$pkg is absent"
    else
      warn "$pkg is installed, purging"
      uninstall_pkg "$pkg"
    fi
  done
}
# This function will check config parameters required
# No configuration parameters are needed for this check; always succeeds.
check_config() {
  return 0
}
# Source Root Dir Parameter
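if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-}: this script runs under 'set -u', so a bare $CIS_ROOT_DIR
# would abort with "unbound variable" before the message below is printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi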
================================================
FILE: bin/hardening/5.1.6_disable_telnet_server.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12/13 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
# 5.1.6 Ensure telnet server is not enabled (Scored)
#
set -eu # Stop at the first failing command and at any unset variable
HARDENING_LEVEL=2
# Debian telnet daemon packages (based on aptitude search '~Ptelnet-server')
PACKAGES='telnetd inetutils-telnetd telnetd-ssl krb5-telnetd heimdal-servers'
# inetd configuration inspected when one of them is installed
FILE='/etc/inetd.conf'
# Regex for the inetd service line that enables telnet
PATTERN='^telnet'
# Package providing the daemon on CentOS
PACKAGE_CENTOS='telnet-server'
# Debian audit: for every telnet daemon package report whether it is installed
# and, if so, whether the inetd configuration still enables the service.
# Globals: PACKAGES, FILE, PATTERN (read); FNRET (written by the helpers)
audit_debian () {
  local pkg
  for pkg in $PACKAGES; do   # unquoted on purpose: space-separated list
    is_pkg_installed "$pkg"
    if [[ "$FNRET" != 0 ]]; then
      ok "$pkg is absent"
      continue
    fi
    warn "$pkg is installed, checking configuration"
    does_file_exist "$FILE"
    if [[ "$FNRET" != 0 ]]; then
      ok "$FILE does not exist"
      continue
    fi
    does_pattern_exist_in_file "$FILE" "$PATTERN"
    if [[ "$FNRET" = 0 ]]; then
      crit "$PATTERN exists, $pkg services are enabled!"
    else
      ok "$PATTERN is not present in $FILE"
    fi
  done
}
# CentOS audit: the telnet server package must simply be absent.
# Globals: PACKAGE_CENTOS (read); FNRET (written by is_pkg_installed)
audit_centos () {
  is_pkg_installed "$PACKAGE_CENTOS"
  if [[ "$FNRET" != 0 ]]; then
    ok "$PACKAGE_CENTOS is absent"
  else
    crit "$PACKAGE_CENTOS is installed"
  fi
}
# This function will be called if the script status is on enabled / audit mode
# Dispatch the audit to the distribution-specific routine (OS_RELEASE 2 = CentOS).
audit () {
  if (( OS_RELEASE == 2 )); then
    audit_centos
  else
    audit_debian
  fi
}
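# Debian remediation: purge every telnet daemon package, then comment out any
# telnet line left in the inetd configuration.
# Globals: PACKAGES, FILE, PATTERN (read); FNRET (written by the helpers)
# Note: the inetd.conf pass depends only on FILE/PATTERN, so it runs once
#       after the package loop instead of once per package.
apply_debian () {
  local pkg escaped_pattern
  for pkg in $PACKAGES; do   # unquoted on purpose: space-separated list
    is_pkg_installed "$pkg"
    if [[ "$FNRET" = 0 ]]; then
      crit "$pkg is installed, purging it"
      uninstall_pkg "$pkg"
    else
      ok "$pkg is absent"
    fi
  done
  does_file_exist "$FILE"
  if [[ "$FNRET" != 0 ]]; then
    ok "$FILE does not exist"
    return 0
  fi
  info "$FILE exists, checking patterns"
  does_pattern_exist_in_file "$FILE" "$PATTERN"
  if [[ "$FNRET" != 0 ]]; then
    ok "$PATTERN is not present in $FILE"
    return 0
  fi
  warn "$PATTERN is present in $FILE, purging it"
  backup_file "$FILE"
  # PATTERN is written as an ERE; GNU sed's default BRE needs (, ) and |
  # backslashed to keep their grouping/alternation meaning.
  escaped_pattern=$(sed 's/|\|(\|)/\\&/g' <<< "$PATTERN")
  # '-i -e', not '-ie': the latter is parsed as -i with backup suffix "e" and
  # leaves a stray "${FILE}e" copy behind (backup_file already made a backup).
  sed -i -e "s/$escaped_pattern/#&/g" "$FILE"
}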
# CentOS remediation: purge the telnet server package if present.
# Globals: PACKAGE_CENTOS (read); FNRET (written by is_pkg_installed)
apply_centos () {
  is_pkg_installed "$PACKAGE_CENTOS"
  if [[ "$FNRET" != 0 ]]; then
    ok "$PACKAGE_CENTOS is absent"
  else
    crit "$PACKAGE_CENTOS is installed, purging it"
    uninstall_pkg "$PACKAGE_CENTOS"
  fi
}
# This function will be called if the script status is on enabled mode
# Dispatch the remediation to the distribution-specific routine (OS_RELEASE 2 = CentOS).
apply () {
  if (( OS_RELEASE == 2 )); then
    apply_centos
  else
    apply_debian
  fi
}
# This function will check config parameters required
# No configuration parameters are needed for this check; always succeeds.
check_config() {
  return 0
}
# Source Root Dir Parameter
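if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-}: this script runs under 'set -u', so a bare $CIS_ROOT_DIR
# would abort with "unbound variable" before the message below is printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi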
================================================
FILE: bin/hardening/5.1.7_disable_inetd.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
# 5.1.7 Ensure xinetd is not enabled (Scored)
#
set -eu # Stop at the first failing command and at any unset variable
HARDENING_LEVEL=3
# Debian inetd implementations; reassigned to the CentOS name at run time
PACKAGES='openbsd-inetd xinetd rlinetd'
PACKAGES_CENTOS='xinetd'
# This function will be called if the script status is on enabled / audit mode
# Report every inetd/xinetd package that is still installed.
# Globals: PACKAGES (rewritten to PACKAGES_CENTOS when OS_RELEASE is 2); FNRET
audit () {
  local pkg
  if (( OS_RELEASE == 2 )); then
    PACKAGES=$PACKAGES_CENTOS
  fi
  for pkg in $PACKAGES; do   # unquoted on purpose: space-separated list
    is_pkg_installed "$pkg"
    if [[ "$FNRET" != 0 ]]; then
      ok "$pkg is absent"
    else
      crit "$pkg is installed"
    fi
  done
}
# This function will be called if the script status is on enabled mode
# Purge every inetd/xinetd package that is still installed.
# Globals: PACKAGES (rewritten to PACKAGES_CENTOS when OS_RELEASE is 2); FNRET
apply () {
  local pkg
  if (( OS_RELEASE == 2 )); then
    PACKAGES=$PACKAGES_CENTOS
  fi
  for pkg in $PACKAGES; do   # unquoted on purpose: space-separated list
    is_pkg_installed "$pkg"
    if [[ "$FNRET" != 0 ]]; then
      ok "$pkg is absent"
    else
      warn "$pkg is installed, purging"
      uninstall_pkg "$pkg"
    fi
  done
}
# This function will check config parameters required
# No configuration parameters are needed for this check; always succeeds.
check_config() {
  return 0
}
# Source Root Dir Parameter
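if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-}: this script runs under 'set -u', so a bare $CIS_ROOT_DIR
# would abort with "unbound variable" before the message below is printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi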
================================================
FILE: bin/hardening/5.2_install_screen.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 5.2 Install screen (Scored)
# Author : Samson wen, Samson
#
set -eu # Stop at the first failing command and at any unset variable
HARDENING_LEVEL=4
# Package that must be present
PACKAGE='screen'
# This function will be called if the script status is on enabled / audit mode
# Report whether the required package is installed.
# Globals: PACKAGE (read); FNRET (written by is_pkg_installed)
audit () {
  is_pkg_installed "$PACKAGE"
  if [[ "$FNRET" = 0 ]]; then
    ok "$PACKAGE is installed"
  else
    crit "$PACKAGE is not installed!"
  fi
}
# This function will be called if the script status is on enabled mode
# Install the required package when it is missing, using the distribution's
# package manager (OS_RELEASE 2 = CentOS/yum, otherwise the apt_install helper).
# Globals: PACKAGE, OS_RELEASE (read); FNRET (written by is_pkg_installed)
apply () {
  is_pkg_installed "$PACKAGE"
  if [[ "$FNRET" != 0 ]]; then
    warn "$PACKAGE is absent, installing it"
    if (( OS_RELEASE == 2 )); then
      yum install -y "$PACKAGE"
    else
      apt_install "$PACKAGE"
    fi
  else
    ok "$PACKAGE is installed"
  fi
}
# This function will check config parameters required
# No configuration parameters are needed for this check; always succeeds.
check_config() {
  return 0
}
# Source Root Dir Parameter
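if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-}: this script runs under 'set -u', so a bare $CIS_ROOT_DIR
# would abort with "unbound variable" before the message below is printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi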
================================================
FILE: bin/hardening/5.3_enable_openssh_server.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 5.3 Ensure openssh server is enabled (Scored)
# Author : Samson wen, Samson
#
set -eu # Stop at the first failing command and at any unset variable
HARDENING_LEVEL=2
# Debian package names; check_config swaps in the CentOS names
PACKAGES='openssh-server openssh-client'
# systemd unit checked for activity (CentOS name substituted at run time)
SERVICE_NAME='ssh.service'
SERVICE_NAME_CENTOS='sshd.service'
# This function will be called if the script status is on enabled / audit mode
# Report whether the OpenSSH packages are installed and the daemon is active.
# Globals: PACKAGES, SERVICE_NAME_CENTOS (read); SERVICE_NAME (rewritten on
#          CentOS so later readers see the unit actually checked); FNRET
audit () {
  local pkg
  for pkg in $PACKAGES; do   # unquoted on purpose: space-separated list
    is_pkg_installed "$pkg"
    if [[ "$FNRET" = 0 ]]; then
      ok "$pkg is installed"
    else
      crit "$pkg is not installed!"
    fi
  done
  if (( OS_RELEASE == 2 )); then
    SERVICE_NAME=$SERVICE_NAME_CENTOS
  fi
  is_service_active "$SERVICE_NAME"
  if [[ "$FNRET" != 0 ]]; then
    crit "$SERVICE_NAME is inactive"
  else
    ok "$SERVICE_NAME is active"
  fi
}
# This function will be called if the script status is on enabled mode
# Install any missing OpenSSH package and enable/start the daemon if it is
# not active.
# Globals: PACKAGES, OS_RELEASE, SERVICE_NAME_CENTOS (read); SERVICE_NAME
#          (rewritten on CentOS); FNRET (written by the helpers)
apply () {
  local pkg
  for pkg in $PACKAGES; do   # unquoted on purpose: space-separated list
    is_pkg_installed "$pkg"
    if [[ "$FNRET" != 0 ]]; then
      warn "$pkg is absent, installing it"
      if (( OS_RELEASE == 2 )); then
        yum install -y "$pkg"
      else
        apt_install "$pkg"
      fi
    else
      ok "$pkg is installed"
    fi
  done
  if (( OS_RELEASE == 2 )); then
    SERVICE_NAME=$SERVICE_NAME_CENTOS
  fi
  is_service_active "$SERVICE_NAME"
  if [[ "$FNRET" != 0 ]]; then
    warn "$SERVICE_NAME is inactive, set enable this service"
    systemctl enable "$SERVICE_NAME"
    systemctl daemon-reload
    systemctl start "$SERVICE_NAME"
  else
    ok "$SERVICE_NAME is active"
  fi
}
# This function will check config parameters required
# Select the CentOS package names (the client package is 'openssh-clients'
# there) when OS_RELEASE is 2; nothing to do otherwise.
# Globals: OS_RELEASE (read); PACKAGES (written on CentOS)
check_config() {
  if (( OS_RELEASE == 2 )); then
    PACKAGES='openssh-server openssh-clients'
  fi
  return 0
}
# Source Root Dir Parameter
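if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-}: this script runs under 'set -u', so a bare $CIS_ROOT_DIR
# would abort with "unbound variable" before the message below is printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi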
================================================
FILE: bin/hardening/5.4_disable_ctrl_alt_del_target.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9 or CentOS Hardening
#
#
# 5.4 Ensure ctrl-alt-del is disabled (Scored)
# Author : Samson wen, Samson
#
set -eu # Stop at the first failing command and at any unset variable
HARDENING_LEVEL=2
# systemd unit that must be masked (symlinked to /dev/null)
TARGETNAME='ctrl-alt-del.target'
# This function will be called if the script status is on enabled / audit mode
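# Compliant only when every copy of ctrl-alt-del.target under /lib/systemd
# and /etc/systemd is a symlink to /dev/null.
# Globals: TARGETNAME (read); FNRET (written: 0 disabled, 1 enabled)
# Note: the directories are scanned once; the original ran the same find
#       twice, once per side of the comparison.
audit () {
  local -a listing=()
  local total nulls=0
  # 'ls -l' prints a symlink's destination on the same line as its name
  mapfile -t listing < <(find /lib/systemd/ /etc/systemd/ -name "$TARGETNAME" -exec ls -l {} \;)
  total=${#listing[@]}
  if (( total > 0 )); then
    # grep -c exits 1 when nothing matches; '|| true' keeps 'set -e' quiet
    nulls=$(printf '%s\n' "${listing[@]}" | grep -c '/dev/null') || true
  fi
  if (( nulls != total )); then
    crit "$TARGETNAME is enabled."
    FNRET=1
  else
    ok "$TARGETNAME is disabled."
    FNRET=0
  fi
}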
# This function will be called if the script status is on enabled mode
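# Remediation: remove every copy of ctrl-alt-del.target that does not point
# at /dev/null, then mask the unit so the /dev/null symlink audit() looks for
# exists under /etc/systemd/system.
# Globals: TARGETNAME (read); FNRET (read, as left by audit)
# Notes: 'ls -l' is used so the /dev/null destination is visible to grep; the
#        original listed names only, so '-v /dev/null' never filtered anything.
#        The original also compared "$TARGET" against the quoted string
#        "/etc/systemd/*" with '[', a literal match that could never succeed.
apply () {
  local target
  if [[ "$FNRET" = 0 ]]; then
    ok "$TARGETNAME is disabled."
    return 0
  fi
  while IFS= read -r target; do
    [[ -n "$target" ]] || continue
    warn "Disable $target"
    rm -f -- "$target"
  done < <(find /lib/systemd/ /etc/systemd/ -name "$TARGETNAME" -exec ls -l {} \; | grep -v '/dev/null' | awk '{print $(NF-2)}')
  # mask takes a unit name (not a path) and installs the /dev/null symlink
  systemctl mask "$TARGETNAME"
  systemctl daemon-reload
}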
# This function will check config parameters required
# No configuration parameters are needed for this check; always succeeds.
check_config() {
  return 0
}
# Source Root Dir Parameter
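if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-}: this script runs under 'set -u', so a bare $CIS_ROOT_DIR
# would abort with "unbound variable" before the message below is printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi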
================================================
FILE: bin/hardening/5.5_ensure_installed_sudo.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9 or CentOS Hardening
#
#
# 5.8 Ensure sudo is installed (Scored)
# Add feature:
# Ensure sudo log file is set to /var/log/sudo.log
# Add new by:
# Author : Samson wen, Samson
#
set -eu # Stop at the first failing command and at any unset variable
HARDENING_LEVEL=2
PACKAGE='sudo'
# Only this file is inspected; sudoers.d drop-ins are not read by this check
CONFIGFILE='/etc/sudoers'
LOGFILENAME='/var/log/sudo.log'
# Same path with slashes escaped, for use inside a sed replacement
LOGFILENAME_REP='\/var\/log\/sudo.log'
# This function will be called if the script status is on enabled / audit mode
# Check that sudo is installed and that CONFIGFILE carries exactly one
# "Defaults ... logfile=" line naming LOGFILENAME.
# Globals: PACKAGE, CONFIGFILE, LOGFILENAME (read)
#          FNRET (written): 0 compliant, 1 sudo missing, 2 no logfile line
#          (or more than one), 3 logfile line present but wrong path
audit () {
  local count
  is_pkg_installed "$PACKAGE"
  if [[ "$FNRET" != 0 ]]; then
    crit "$PACKAGE is not installed!"
    FNRET=1
    return 0
  fi
  ok "$PACKAGE is installed"
  count=$(grep -c "^Defaults.*logfile=" $CONFIGFILE)
  if [[ "$count" -ne 1 ]]; then
    crit "sudo Log file is not set in $CONFIGFILE"
    FNRET=2
    return 0
  fi
  count=$(grep "^Defaults.*logfile=" $CONFIGFILE | grep -c "$LOGFILENAME")
  if [[ "$count" -eq 1 ]]; then
    ok "Log file is set to $LOGFILENAME in $CONFIGFILE"
    FNRET=0
  else
    crit "Log file path was set, but is not set to $LOGFILENAME"
    FNRET=3
  fi
}
# This function will be called if the script status is on enabled mode
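# Remediate according to the FNRET code left by audit(): install sudo, add
# the logfile directive, or rewrite a wrong one.
# Globals: PACKAGE, CONFIGFILE, LOGFILENAME, LOGFILENAME_REP, OS_RELEASE (read)
#          FNRET (read): 0 ok, 1 sudo missing, 2 directive missing, other wrong path
# Notes: the package manager is chosen like the sibling checks do (the
#        original always used apt_install); CONFIGFILE is backed up before
#        it is edited, as the other remediations do; and the file is
#        re-checked with 'visudo -c' afterwards because a syntax error in
#        sudoers disables sudo for every user.
apply () {
  case "$FNRET" in
    0)
      ok "$PACKAGE is installed"
      ;;
    1)
      warn "$PACKAGE is absent, installing it"
      if (( OS_RELEASE == 2 )); then
        yum install -y "$PACKAGE"
      else
        apt_install "$PACKAGE"
      fi
      ;;
    2)
      warn "sudo Log file is not set in $CONFIGFILE, add set to"
      backup_file "$CONFIGFILE"
      add_end_of_file "$CONFIGFILE" "Defaults logfile=$LOGFILENAME"
      _sudoers_syntax_check
      ;;
    *)
      warn "Log file path was set, but is not set to $LOGFILENAME, modify"
      backup_file "$CONFIGFILE"
      replace_in_file "$CONFIGFILE" "logfile=.*" "logfile=$LOGFILENAME_REP"
      _sudoers_syntax_check
      ;;
  esac
}
# Warn loudly if CONFIGFILE no longer parses; the backup made above can be
# restored by hand.
_sudoers_syntax_check() {
  if ! visudo -c -f "$CONFIGFILE" >/dev/null 2>&1; then
    crit "$CONFIGFILE does not pass 'visudo -c' after the edit, restore the backup"
  fi
}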
# This function will check config parameters required
# No configuration parameters are needed for this check; always succeeds.
check_config() {
  return 0
}
# Source Root Dir Parameter
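if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-}: this script runs under 'set -u', so a bare $CIS_ROOT_DIR
# would abort with "unbound variable" before the message below is printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi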
================================================
FILE: bin/hardening/6.10_disable_http_server.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
# 6.10 Ensure HTTP Server is not enabled (Not Scored)
#
set -eu # Stop at the first failing command and at any unset variable
HARDENING_LEVEL=3
# Name of the exception switch that lets an HTTP server stay installed
HARDENING_EXCEPTION=http
# Debian HTTP daemons (based on aptitude search '~Phttpd'); the CentOS list
# replaces PACKAGES at run time
PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd'
PACKAGES_CENTOS='httpd pcp-pmda-nginx'
# This function will be called if the script status is on enabled / audit mode
# Report every HTTP server package that is installed; when the exception
# flag ISEXCEPTION is 1 an installed package is only a warning.
# Globals: PACKAGES (rewritten to PACKAGES_CENTOS when OS_RELEASE is 2),
#          ISEXCEPTION (read); FNRET (written by is_pkg_installed)
audit () {
  local pkg
  if (( OS_RELEASE == 2 )); then
    PACKAGES=$PACKAGES_CENTOS
  fi
  for pkg in $PACKAGES; do   # unquoted on purpose: space-separated list
    is_pkg_installed "$pkg"
    if [[ "$FNRET" != 0 ]]; then
      ok "$pkg is absent"
    elif (( ISEXCEPTION == 1 )); then
      warn "$pkg is installed! But Exception is set to 1, so it's pass!"
    else
      crit "$pkg is installed!"
    fi
  done
}
# This function will be called if the script status is on enabled mode
# Purge every installed HTTP server package unless the exception flag
# ISEXCEPTION is 1, in which case the package is left alone with a warning.
# Globals: PACKAGES (rewritten to PACKAGES_CENTOS when OS_RELEASE is 2),
#          ISEXCEPTION (read); FNRET (written by is_pkg_installed)
apply () {
  local pkg
  if (( OS_RELEASE == 2 )); then
    PACKAGES=$PACKAGES_CENTOS
  fi
  for pkg in $PACKAGES; do   # unquoted on purpose: space-separated list
    is_pkg_installed "$pkg"
    if [[ "$FNRET" != 0 ]]; then
      ok "$pkg is absent"
    elif (( ISEXCEPTION == 1 )); then
      warn "$pkg is installed! But the exception is set to true, so don't need any operate."
    else
      crit "$pkg is installed, purging it"
      uninstall_pkg "$pkg"
    fi
  done
}
# This function will create the config file for this check with default values
create_config() {
cat <
#
set -eu # Stop at the first failing command and at any unset variable
HARDENING_LEVEL=4
# Debian daemon package and the matching systemd unit prefix
VIRULSERVER='clamav-daemon'
# Packages installed together on CentOS
VIRULSERVER_CENTOS='clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd'
# This function will be called if the script status is on enabled / audit mode
# Debian: the daemon package must be installed (dpkg -l) and its unit must
# show "active running" in systemctl. CentOS: any clamd rpm is accepted.
# Globals: VIRULSERVER, OS_RELEASE (read)
#          FNRET (written): 0 ok, 1 not installed, 2 installed but not running
audit () {
  if (( OS_RELEASE == 2 )); then
    if [[ $(rpm -qa | grep -c clamd) -ge 1 ]]; then
      ok "Clamav is installed"
      FNRET=0
    else
      crit "Clamav is not install"
      FNRET=1
    fi
    return 0
  fi
  if [[ $(dpkg -l | grep -c "$VIRULSERVER") -lt 1 ]]; then
    crit "$VIRULSERVER is not installed"
    FNRET=1
  elif [[ $(systemctl | grep "${VIRULSERVER}.service" | grep -c "active running") -ne 1 ]]; then
    crit "$VIRULSERVER is not running"
    FNRET=2
  else
    ok "$VIRULSERVER is enable"
    FNRET=0
  fi
}
# This function will be called if the script status is on enabled mode
# Remediate according to the FNRET code left by audit(): install the
# packages (apt-get on Debian, yum on CentOS) or start the daemon.
# Globals: VIRULSERVER, VIRULSERVER_CENTOS, OS_RELEASE, FNRET (read)
apply () {
  local pkgs=$VIRULSERVER
  if (( OS_RELEASE == 2 )); then
    pkgs=$VIRULSERVER_CENTOS
  fi
  case "$FNRET" in
    0)
      ok "$pkgs is enable"
      ;;
    1)
      warn "Install $pkgs"
      if (( OS_RELEASE == 2 )); then
        yum install -y $VIRULSERVER_CENTOS   # unquoted on purpose: package list
      else
        apt-get install -y "$VIRULSERVER"
      fi
      ;;
    *)
      # Both branches of the original start the Debian unit name here
      warn "Start server $VIRULSERVER"
      systemctl start "$VIRULSERVER"
      ;;
  esac
}
# This function will check config parameters required
# No configuration parameters are needed for this check; always succeeds.
check_config() {
  return 0
}
# Source Root Dir Parameter
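if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-}: this script runs under 'set -u', so a bare $CIS_ROOT_DIR
# would abort with "unbound variable" before the message below is printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi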
================================================
FILE: bin/hardening/6.18_ensure_virusscan_program_update_is_enabled.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9/10/11/12/13 Hardening
# todo test for centos
#
# 6.18 Ensure virus scan server update is enabled (Scored)
# Author : Samson wen, Samson
#
set -eu # Stop at the first failing command and at any unset variable
HARDENING_LEVEL=4
# clamd configuration file that names the signature database directory
CLAMAVCONF_DIR='/etc/clamav/clamd.conf'
# Package/unit that refreshes the signature database
UPDATE_SERVER='clamav-freshclam'
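# Debian audit: the clamd config must exist, name an existing
# DatabaseDirectory, and the daily signature file there must be younger
# than max_age seconds.
# Arguments: $1 (optional) maximum accepted database age in seconds,
#            default 604800 (seven days)
# Globals:   CLAMAVCONF_DIR (read)
#            FNRET (written): 0 fresh, 1 config missing, 2 directory
#            missing/unset, 3 database too old or absent
# Notes: the original read the directory with a bare 'grep -i', which also
#        matched commented-out lines, and ran 'stat' on "daily.*" so that
#        two files (daily.cvd and daily.cld) or none aborted the script.
audit_debian () {
  local max_age=${1:-604800}
  local update_dir db_file newest=0 mtime now interval
  does_file_exist "$CLAMAVCONF_DIR"
  if [[ "$FNRET" -ne 0 ]]; then
    crit "Clamav config file $CLAMAVCONF_DIR not exist"
    FNRET=1
    return 0
  fi
  # First uncommented DatabaseDirectory directive, case-insensitive
  update_dir=$(awk 'tolower($1) == "databasedirectory" { print $2; exit }' "$CLAMAVCONF_DIR")
  if [[ -z "$update_dir" || ! -d "$update_dir" ]]; then
    crit "Clamav update dir is not configuration"
    FNRET=2
    return 0
  fi
  # Take the newest daily.* (cvd or cld); with no file at all newest stays 0
  # and the check reports the database as outdated.
  for db_file in "$update_dir"/daily.*; do
    [[ -e "$db_file" ]] || continue   # unmatched glob stays literal
    mtime=$(stat -c '%Y' -- "$db_file")
    if (( mtime > newest )); then
      newest=$mtime
    fi
  done
  now=$(date +"%s")
  interval=$(( now - newest ))
  if (( interval >= max_age )); then
    crit "Clamav database file has a date older than seven days from the current date"
    FNRET=3
  else
    ok "Clamav database file has a date less than seven days from the current date"
    FNRET=0
  fi
}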
# todo
# CentOS audit is not implemented yet; does nothing and succeeds.
audit_centos () {
  return 0
}
# This function will be called if the script status is on enabled / audit mode
# Dispatch the audit to the distribution-specific routine (OS_RELEASE 2 = CentOS).
audit () {
  if (( OS_RELEASE == 2 )); then
    audit_centos
  else
    audit_debian
  fi
}
# Debian remediation keyed on the FNRET code left by audit_debian(): only an
# outdated database (3) is acted on, by installing and starting the updater.
# Globals: CLAMAVCONF_DIR, UPDATE_SERVER, FNRET (read)
apply_debian () {
  case "$FNRET" in
    0) ok "Clamav database file has a date less than seven days from the current date" ;;
    1) warn "Clamav $CLAMAVCONF_DIR is not exist, please check that is exist or check config" ;;
    2) warn "Clamav update dir is not exist, please check that is exist or check config" ;;
    3)
      warn "Clamav database file has a date older than seven days from the current date, start clamav-freshclam.service to update"
      apt-get install -y "$UPDATE_SERVER"
      systemctl start "$UPDATE_SERVER"
      ;;
    *) : ;;
  esac
}
# todo
# CentOS remediation is not implemented yet; does nothing and succeeds.
apply_centos () {
  return 0
}
# This function will be called if the script status is on enabled mode
# Dispatch the remediation to the distribution-specific routine (OS_RELEASE 2 = CentOS).
apply () {
  if (( OS_RELEASE == 2 )); then
    apply_centos
  else
    apply_debian
  fi
}
# This function will check config parameters required
# No configuration parameters are needed for this check; always succeeds.
check_config() {
  return 0
}
# Source Root Dir Parameter
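if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-}: this script runs under 'set -u', so a bare $CIS_ROOT_DIR
# would abort with "unbound variable" before the message below is printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi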
================================================
FILE: bin/hardening/6.19_configure_ntp.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 or CentOS Hardening
# todo base centos7 v2r3 of STIG
#
# 6.19 Configure Network Time Protocol (NTP) (Scored)
# Modify Author : Samson wen, Samson
#
set -eu # Stop at the first failing command and at any unset variable
HARDENING_LEVEL=3
HARDENING_EXCEPTION=ntp
# Any of these makes the ntp check moot
ANALOGOUS_PKG='chrony systemd-timesyncd'
PACKAGE='ntp'
# ERE for the default restrict line; contains spaces, so always pass it quoted
NTP_CONF_DEFAULT_PATTERN='^restrict -4 default (kod nomodify notrap nopeer noquery|ignore)'
NTP_CONF_FILE='/etc/ntp.conf'
NTP_INIT_PATTERN='RUNASUSER=ntp'
NTP_INIT_FILE='/etc/init.d/ntp'
# ERE for at least one time source; NTP_POOL_CFG is the line appended if none
NTP_POOL_CFG_PATTERN='^(server|pool)'
NTP_POOL_CFG='pool 2.debian.pool.ntp.org iburst'
# This function will be called if the script status is on enabled / audit mode
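# Audit ntp: skip (exit 0) when an analogous time daemon is installed;
# otherwise require the ntp package plus a time source, the default
# restrict line and RUNASUSER in the init script.
# Globals: ANALOGOUS_PKG, PACKAGE, NTP_* (read); FNRET (written by helpers)
# Note: NTP_CONF_DEFAULT_PATTERN contains spaces. The original passed it
#       unquoted, so the helper received only its first word ('^restrict')
#       and any restrict line satisfied the check.
audit () {
  local pkg
  for pkg in $ANALOGOUS_PKG; do   # unquoted on purpose: space-separated list
    is_pkg_installed "$pkg"
    if [[ "$FNRET" = 0 ]]; then
      ok "Analogous pagkage $pkg is installed. So pass check."
      exit   # another time source is in place; the whole check is skipped
    fi
  done
  is_pkg_installed "$PACKAGE"
  if [[ "$FNRET" != 0 ]]; then
    crit "$PACKAGE is not installed!"
    return 0
  fi
  ok "$PACKAGE is installed, checking configuration"
  does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_POOL_CFG_PATTERN"
  if [[ "$FNRET" != 0 ]]; then
    crit "$NTP_POOL_CFG_PATTERN not found in $NTP_CONF_FILE"
  else
    ok "$NTP_POOL_CFG_PATTERN found in $NTP_CONF_FILE"
  fi
  does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
  if [[ "$FNRET" != 0 ]]; then
    crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
  else
    ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
  fi
  does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
  if [[ "$FNRET" != 0 ]]; then
    crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE"
  else
    ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
  fi
}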
# This function will be called if the script status is on enabled mode
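# Remediate ntp: nothing to do when an analogous time daemon is installed;
# otherwise install ntp if missing and add the time source, the default
# restrict line and RUNASUSER where they are absent.
# Globals: ANALOGOUS_PKG, PACKAGE, NTP_* (read); FNRET (written by helpers)
# Notes: each analogous package is tested separately, as audit() does (the
#        original passed the whole list to is_pkg_installed in one call);
#        the multi-word pattern and config line are passed quoted so the
#        helpers receive them whole.
apply () {
  local pkg
  for pkg in $ANALOGOUS_PKG; do   # unquoted on purpose: space-separated list
    is_pkg_installed "$pkg"
    if [[ "$FNRET" = 0 ]]; then
      ok "Analogous pagkage $pkg is installed. So pass check. "
      return 0
    fi
  done
  is_pkg_installed "$PACKAGE"
  if [[ "$FNRET" = 0 ]]; then
    ok "$PACKAGE is installed"
  else
    crit "$PACKAGE is absent, installing it"
    apt_install "$PACKAGE"
    info "Checking $PACKAGE configuration"
  fi
  does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_POOL_CFG_PATTERN"
  if [[ "$FNRET" != 0 ]]; then
    warn "$NTP_POOL_CFG_PATTERN not found in $NTP_CONF_FILE, adding it"
    backup_file "$NTP_CONF_FILE"
    add_end_of_file "$NTP_CONF_FILE" "$NTP_POOL_CFG"
  else
    ok "$NTP_POOL_CFG_PATTERN found in $NTP_CONF_FILE"
  fi
  does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
  if [[ "$FNRET" != 0 ]]; then
    warn "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE, adding it"
    backup_file "$NTP_CONF_FILE"
    add_end_of_file "$NTP_CONF_FILE" "restrict -4 default kod notrap nomodify nopeer noquery"
  else
    ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
  fi
  does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
  if [[ "$FNRET" != 0 ]]; then
    warn "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE, adding it"
    backup_file "$NTP_INIT_FILE"
    add_line_file_before_pattern "$NTP_INIT_FILE" "$NTP_INIT_PATTERN" "^UGID"
  else
    ok "$NTP_IN IT_PATTERN found in $NTP_INIT_FILE"
  fi
}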
# This function will check config parameters required
# No configuration parameters are needed for this check; always succeeds.
check_config() {
  return 0
}
# Source Root Dir Parameter
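if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-}: this script runs under 'set -u', so a bare $CIS_ROOT_DIR
# would abort with "unbound variable" before the message below is printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi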
================================================
FILE: bin/hardening/6.1_disable_xwindow_system.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 6.1 Ensure the X Window system is not installed (Scored)
#
# todo test for centos
set -eu # Stop at the first failing command and at any unset variable
HARDENING_LEVEL=3
# Name of the exception switch that lets an X server stay installed
HARDENING_EXCEPTION=x11
# X server packages (based on aptitude search '~Pxserver')
PACKAGES='xserver-xorg-core xserver-xorg-core-dbg xserver-common xserver-xephyr xserver-xfbdev tightvncserver vnc4server fglrx-driver xvfb xserver-xorg-video-nvidia-legacy-173xx xserver-xorg-video-nvidia-legacy-96xx xnest'
# This function will be called if the script status is on enabled / audit mode
# Report every X server package that is installed; when the exception flag
# ISEXCEPTION is 1 an installed package is only a warning.
# Globals: PACKAGES, ISEXCEPTION (read); FNRET (written by is_pkg_installed)
audit () {
  local pkg
  for pkg in $PACKAGES; do   # unquoted on purpose: space-separated list
    is_pkg_installed "$pkg"
    if [[ "$FNRET" != 0 ]]; then
      ok "$pkg is absent"
    elif (( ISEXCEPTION == 1 )); then
      warn "$pkg is installed! But Exception is set to 1, so it's pass!"
    else
      crit "$pkg is installed!"
    fi
  done
}
# This function will be called if the script status is on enabled mode
# Purge every installed X server package unless the exception flag
# ISEXCEPTION is 1, in which case it is left alone with a warning.
# Globals: PACKAGES, ISEXCEPTION (read); FNRET (written by is_pkg_installed)
apply () {
  local pkg
  for pkg in $PACKAGES; do   # unquoted on purpose: space-separated list
    is_pkg_installed "$pkg"
    if [[ "$FNRET" != 0 ]]; then
      ok "$pkg is absent"
    elif (( ISEXCEPTION == 1 )); then
      warn "$pkg is installed! But Exception is set to 1, so it's pass!"
    else
      crit "$pkg is installed, purging it"
      uninstall_pkg "$pkg"
    fi
  done
}
# This function will create the config file for this check with default values
create_config() {
cat <
#
set -eu # Stop at the first failing command and at any unset variable
HARDENING_LEVEL=3
HARDENING_EXCEPTION=ntp
# Any of these makes the chrony check moot
ANALOGOUS_PKG='ntp systemd-timesyncd'
PACKAGE='chrony'
NTP_CONF_FILE='/etc/chrony/chrony.conf'
# ERE for at least one time source; NTP_POOL_CFG is the line appended if none
NTP_SERVER_PATTERN='^(server|pool)'
NTP_POOL_CFG='pool 2.debian.pool.ntp.org iburst'
# This function will be called if the script status is on enabled / audit mode
# Audit chrony (Debian only): skip (exit 0) when an analogous time daemon is
# installed; otherwise require the chrony package and a server/pool line.
# Globals: OS_RELEASE, ANALOGOUS_PKG, PACKAGE, NTP_CONF_FILE,
#          NTP_SERVER_PATTERN (read); FNRET (written by the helpers)
audit () {
  local pkg
  if (( OS_RELEASE == 2 )); then
    ok "Redhat or CentOS does not have this check, so PASS"
    return 0
  fi
  for pkg in $ANALOGOUS_PKG; do   # unquoted on purpose: space-separated list
    is_pkg_installed "$pkg"
    if [[ "$FNRET" = 0 ]]; then
      ok "Analogous pagkage $pkg is installed. So pass check."
      exit   # another time source is in place; the whole check is skipped
    fi
  done
  is_pkg_installed "$PACKAGE"
  if [[ "$FNRET" != 0 ]]; then
    crit "$PACKAGE is not installed!"
    return 0
  fi
  ok "$PACKAGE is installed, checking configuration"
  does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_SERVER_PATTERN"
  if [[ "$FNRET" != 0 ]]; then
    crit "$NTP_SERVER_PATTERN not found in $NTP_CONF_FILE"
  else
    ok "$NTP_SERVER_PATTERN found in $NTP_CONF_FILE"
  fi
}
# This function will be called if the script status is on enabled mode
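# Remediate chrony (Debian only): nothing to do when an analogous time daemon
# is installed; otherwise install chrony if missing and make sure its
# configuration has a server/pool line.
# Globals: OS_RELEASE, ANALOGOUS_PKG, PACKAGE, NTP_CONF_FILE,
#          NTP_SERVER_PATTERN, NTP_POOL_CFG (read); FNRET (written by helpers)
# Notes: each analogous package is tested separately, as audit() does; the
#        server/pool check now runs whether chrony was just installed or was
#        already present (the original only fixed a fresh install, so an
#        existing chrony without a time source was reported by audit() but
#        never remediated); the multi-word config line is passed quoted; the
#        'exit 1' after a successful install is dropped, matching the ntp
#        remediation which continues normally.
apply () {
  local pkg
  if (( OS_RELEASE == 2 )); then
    ok "Redhat or CentOS does not have this check, so PASS"
    return 0
  fi
  for pkg in $ANALOGOUS_PKG; do   # unquoted on purpose: space-separated list
    is_pkg_installed "$pkg"
    if [[ "$FNRET" = 0 ]]; then
      ok "Analogous pagkage $pkg is installed. So pass check."
      return 0
    fi
  done
  is_pkg_installed "$PACKAGE"
  if [[ "$FNRET" = 0 ]]; then
    ok "$PACKAGE is installed"
  else
    crit "$PACKAGE is absent, installing it"
    apt_install "$PACKAGE"
  fi
  info "Checking $PACKAGE configuration"
  does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_SERVER_PATTERN"
  if [[ "$FNRET" != 0 ]]; then
    warn "$NTP_SERVER_PATTERN not found in $NTP_CONF_FILE, adding it"
    backup_file "$NTP_CONF_FILE"
    add_end_of_file "$NTP_CONF_FILE" "$NTP_POOL_CFG"
  else
    ok "$NTP_SERVER_PATTERN found in $NTP_CONF_FILE"
  fi
}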
# This function will check config parameters required
# No configuration parameters are needed for this check; always succeeds.
check_config() {
  return 0
}
# Source Root Dir Parameter
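if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-}: this script runs under 'set -u', so a bare $CIS_ROOT_DIR
# would abort with "unbound variable" before the message below is printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi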
================================================
FILE: bin/hardening/6.2_disable_avahi_server.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
# 6.2 Ensure Avahi Server is not enabled (Scored)
#
set -eu # Stop at the first failing command and at any unset variable
HARDENING_LEVEL=3
# Name of the exception switch that lets Avahi stay installed
HARDENING_EXCEPTION=dns
# Debian packages; on CentOS PACKAGES becomes an rpm name pattern instead
PACKAGES='avahi-daemon libavahi-common-data libavahi-common3 libavahi-core7'
PKGS_PATTERN_CENTOS='avahi'
# This function will be called if the script status is on enabled / audit mode
# Report every Avahi package that is installed; when the exception flag
# ISEXCEPTION is 1 an installed package is only a warning.
# Globals: PACKAGES (rewritten to PKGS_PATTERN_CENTOS when OS_RELEASE is 2),
#          ISEXCEPTION (read); FNRET (written by is_pkg_installed)
audit () {
  local pkg
  if (( OS_RELEASE == 2 )); then
    PACKAGES=$PKGS_PATTERN_CENTOS
  fi
  for pkg in $PACKAGES; do   # unquoted on purpose: space-separated list
    is_pkg_installed "$pkg"
    if [[ "$FNRET" != 0 ]]; then
      ok "$pkg is absent"
    elif (( ISEXCEPTION == 1 )); then
      warn "$pkg is installed! But Exception is set to 1, so it's pass!"
    else
      crit "$pkg is installed!"
    fi
  done
}
# This function will be called if the script status is on enabled mode
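# Purge every installed Avahi package unless the exception flag ISEXCEPTION
# is 1. On CentOS every rpm whose name matches PACKAGES is removed with yum;
# on Debian the package is purged with apt-get and orphans are autoremoved.
# Globals: PACKAGES (rewritten to PKGS_PATTERN_CENTOS when OS_RELEASE is 2),
#          ISEXCEPTION, OS_RELEASE (read); FNRET (written by is_pkg_installed)
# Note: 'apt-get autoremove' needs -y: without it apt-get prompts, and with
#       no terminal the prompt reads EOF, answers "Abort." and exits
#       non-zero, which 'set -e' turns into a script abort.
apply () {
  local pkg name
  if (( OS_RELEASE == 2 )); then
    PACKAGES=$PKGS_PATTERN_CENTOS
  fi
  for pkg in $PACKAGES; do   # unquoted on purpose: space-separated list
    is_pkg_installed "$pkg"
    if [[ "$FNRET" != 0 ]]; then
      ok "$pkg is absent"
      continue
    fi
    if (( ISEXCEPTION == 1 )); then
      warn "$pkg is installed! But the exception is set to true, so don't need any operate."
      continue
    fi
    crit "$pkg is installed, purging it"
    if (( OS_RELEASE == 2 )); then
      for name in $(rpm -qa | grep -- "$PACKAGES"); do   # grep status is ignored here
        yum autoremove -y "$name"
      done
    else
      apt-get purge -y "$pkg"
      apt-get autoremove -y
    fi
  done
}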
# This function will create the config file for this check with default values
create_config() {
cat <
#
set -eu # Stop at the first failing command and at any unset variable
HARDENING_LEVEL=3
# Any one of these time daemons satisfies the check; the first is preferred
PACKAGES='ntp chrony systemd-timesyncd'
# This function will be called if the script status is on enabled / audit mode
audit () {
  # Pass as soon as one of the candidate packages is installed; the script
  # exits right there with FNRET (0), so later candidates are not examined.
  # Only when none is present does the final crit line run.
  # Globals: PACKAGES (read); FNRET (set by is_pkg_installed).
  for PACKAGE in $PACKAGES; do
    is_pkg_installed $PACKAGE
    if [ "$FNRET" = 0 ]; then
      ok "$PACKAGE is installed"
      exit $FNRET
    fi
    warn "$PACKAGE is absent"
  done
  crit "$PACKAGES is absent"
}
# This function will be called if the script status is on enabled mode
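apply () {
  # Ensure a time-synchronisation daemon is present: the first candidate of
  # PACKAGES decides — if it is installed the script exits 0, otherwise it is
  # installed and the script exits with its post-install status. Later
  # candidates are never examined (the exit happens on the first iteration).
  # Globals: PACKAGES, OS_RELEASE (read); FNRET (set by is_pkg_installed).
  for PACKAGE in $PACKAGES; do
    is_pkg_installed $PACKAGE
    if [ "$FNRET" != 0 ]; then
      warn "$PACKAGE is absent, install..."
      # Use the platform package manager, as the other checks do for
      # OS_RELEASE 2 (CentOS); apt-get is the Debian path.
      if [ "$OS_RELEASE" -eq 2 ]; then
        yum install -y $PACKAGE
      else
        apt-get install -y $PACKAGE
      fi
      # Re-query after installing: the original exited with the stale
      # pre-install status (non-zero) even when the installation succeeded.
      is_pkg_installed $PACKAGE
      exit $FNRET
    else
      ok "$PACKAGE is installed,"
      exit $FNRET
    fi
  done
}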
# This function will check config parameters required
check_config() {
  # This check needs no configuration parameters; the framework hook is kept
  # and always succeeds.
  return 0
}
# Source Root Dir Parameter
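# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps set -u from aborting with "unbound variable" when the
# defaults file is missing or does not define CIS_ROOT_DIR, so the explanatory
# message below is actually printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# The path is quoted so a root directory containing spaces is still found.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi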
================================================
FILE: bin/hardening/6.6_disable_ldap.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
# 6.6 Ensure LDAP is not enabled (Not Scored)
#
# Abort on the first failing command and on any reference to an unset variable.
set -eu
# Level of the hardening profile this check belongs to (presumably read by
# lib/main.sh, which the script sources at the bottom).
HARDENING_LEVEL=3
# Exception tag: when the operator has enabled it, an installed LDAP server is
# only warned about instead of being reported as critical.
HARDENING_EXCEPTION=ldap
# Debian package that must not be installed.
PACKAGES="slapd"
# CentOS equivalent, used when OS_RELEASE is 2.
PACKAGES_CENTOS="openldap-servers"
# This function will be called if the script status is on enabled / audit mode
audit () {
  # Report every LDAP server package that is installed.
  # Globals: OS_RELEASE, ISEXCEPTION (read); PACKAGES (rewritten on CentOS);
  #          FNRET (set by is_pkg_installed).
  # Outputs: one ok/warn/crit line per package through the framework helpers.
  if [ "$OS_RELEASE" -eq 2 ]; then
    PACKAGES=$PACKAGES_CENTOS
  fi
  for PACKAGE in $PACKAGES; do
    is_pkg_installed $PACKAGE
    if [ "$FNRET" != 0 ]; then
      ok "$PACKAGE is absent"
      continue
    fi
    # Installed: the exception flag downgrades the finding to a warning.
    if [ "$ISEXCEPTION" -eq 1 ]; then
      warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!"
    else
      crit "$PACKAGE is installed!"
    fi
  done
}
# This function will be called if the script status is on enabled mode
apply () {
  # Remove every LDAP server package that is installed, unless the exception
  # flag allows it to stay. Removal goes through the uninstall_pkg helper.
  # Globals: OS_RELEASE, ISEXCEPTION (read); PACKAGES (rewritten on CentOS);
  #          FNRET (set by is_pkg_installed).
  if [ "$OS_RELEASE" -eq 2 ]; then
    PACKAGES=$PACKAGES_CENTOS
  fi
  for PACKAGE in $PACKAGES; do
    is_pkg_installed $PACKAGE
    if [ "$FNRET" != 0 ]; then
      ok "$PACKAGE is absent"
    elif [ "$ISEXCEPTION" -eq 1 ]; then
      warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
    else
      crit "$PACKAGE is installed, purging it"
      uninstall_pkg $PACKAGE
    fi
  done
}
# This function will create the config file for this check with default values
create_config() {
cat < /dev/null
fi
elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
}
# This function will create the config file for this check with default values
create_config() {
cat < /dev/null
elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
done
}
# This function will check config parameters required
check_config() {
  # This check needs no configuration parameters; the framework hook is kept
  # and always succeeds.
  return 0
}
# Source Root Dir Parameter
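# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps set -u from aborting with "unbound variable" when the
# defaults file is missing or does not define CIS_ROOT_DIR, so the explanatory
# message below is actually printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# The path is quoted so a root directory containing spaces is still found.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi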
================================================
FILE: bin/hardening/7.1.3_disable_interface_promisc_mode.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 7.1.3 Disable promiscuous mode for network interface (Scored)
# Author : Samson wen, Samson
#
# Abort on the first failing command and on any reference to an unset variable.
set -eu
# Level of the hardening profile this check belongs to (presumably read by
# lib/main.sh, which the script sources at the bottom).
HARDENING_LEVEL=2
# Flag looked for (case-insensitively) in `ip link` output.
KEYWORD="promisc"
# This function will be called if the script status is on enabled / audit mode
audit () {
  # Count the `ip link` lines that carry the PROMISC flag and report.
  # Globals: KEYWORD (read); FNRET (written: 1 when any interface is
  #          promiscuous, 0 otherwise); COUNT (written).
  # grep's exit status is deliberately masked by the trailing wc, so a
  # "no match" does not trip set -e.
  COUNT=$(ip link | grep -i "${KEYWORD}" | wc -l)
  if (( COUNT > 0 )); then
    FNRET=1
    crit "The total number of network interfaces with ${KEYWORD} mode set is ${COUNT}"
  else
    FNRET=0
    ok "Not set ${KEYWORD} mode for network interface in the system."
  fi
}
# This function will be called if the script status is on enabled mode
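apply () {
  # Clear the PROMISC flag on every interface that carries it. Relies on
  # FNRET as left by audit(), which the framework presumably runs first.
  # Globals: FNRET, KEYWORD (read).
  if [ "$FNRET" != 0 ]; then
    warn "Disable promiscuous mode for network interface"
    for INTERFACE in $(ip link | grep -i promisc | awk -F: '{print $2}'); do
      # `ip link` names virtual interfaces as "veth0@if5"; only the part
      # before '@' is a device name `ip link set dev` accepts.
      INTERFACE=${INTERFACE%%@*}
      # Only the promiscuous flag is in scope: the audit tests nothing else,
      # and the multicast flag the original also cleared is needed for IPv6
      # neighbour discovery on the interface.
      ip link set dev "${INTERFACE}" promisc off
    done
  else
    ok "Not set ${KEYWORD} mode for network interface in the system."
  fi
}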
# This function will check config parameters required
check_config() {
  # This check needs no configuration parameters; the framework hook is kept
  # and always succeeds.
  return 0
}
# Source Root Dir Parameter
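# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps set -u from aborting with "unbound variable" when the
# defaults file is missing or does not define CIS_ROOT_DIR, so the explanatory
# message below is actually printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# The path is quoted so a root directory containing spaces is still found.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi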
================================================
FILE: bin/hardening/7.2.1_disable_source_routed_packets.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 7.2.1 Disable Source Routed Packet Acceptance (Scored)
#
# Abort on the first failing command and on any reference to an unset variable.
set -eu
# Level of the hardening profile this check belongs to (presumably read by
# lib/main.sh, which the script sources at the bottom).
HARDENING_LEVEL=2
# Kernel parameters enforced by this check, as space-separated NAME=VALUE words.
SYSCTL_PARAMS="net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0"
# This function will be called if the script status is on enabled / audit mode
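audit () {
  # Compare every NAME=VALUE word of SYSCTL_PARAMS against the running kernel
  # via has_sysctl_param_expected_result and report through crit/warn/ok.
  # Globals: SYSCTL_PARAMS (read); FNRET (set by the helper).
  local SYSCTL_VALUES SYSCTL_PARAM SYSCTL_EXP_RESULT
  for SYSCTL_VALUES in $SYSCTL_PARAMS; do
    SYSCTL_PARAM=${SYSCTL_VALUES%%=*}
    SYSCTL_EXP_RESULT=${SYSCTL_VALUES#*=}
    debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
    # The 255 "parameter does not exist" status must be tested before the
    # generic non-zero test; in the original order that branch was
    # unreachable and a missing parameter was reported as misconfigured.
    if [ "$FNRET" = 255 ]; then
      warn "$SYSCTL_PARAM does not exist -- Typo?"
    elif [ "$FNRET" != 0 ]; then
      crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
    else
      ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
    fi
  done
}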
# This function will be called if the script status is on enabled mode
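apply () {
  # Enforce every NAME=VALUE word of SYSCTL_PARAMS: a parameter that differs
  # from its expected value is set via set_sysctl_param and the IPv4 route
  # cache is flushed so the change takes effect immediately.
  # Globals: SYSCTL_PARAMS (read); FNRET (set by the helper).
  local SYSCTL_VALUES SYSCTL_PARAM SYSCTL_EXP_RESULT
  for SYSCTL_VALUES in $SYSCTL_PARAMS; do
    SYSCTL_PARAM=${SYSCTL_VALUES%%=*}
    SYSCTL_EXP_RESULT=${SYSCTL_VALUES#*=}
    debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
    # Test the 255 "does not exist" status first: in the original order that
    # branch was unreachable and an unknown parameter was passed on to
    # set_sysctl_param.
    if [ "$FNRET" = 255 ]; then
      warn "$SYSCTL_PARAM does not exist -- Typo?"
    elif [ "$FNRET" != 0 ]; then
      warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value -- Fixing"
      set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
      sysctl -w net.ipv4.route.flush=1 > /dev/null
    else
      ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
    fi
  done
}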
# This function will check config parameters required
check_config() {
  # This check needs no configuration parameters; the framework hook is kept
  # and always succeeds.
  return 0
}
# Source Root Dir Parameter
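# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps set -u from aborting with "unbound variable" when the
# defaults file is missing or does not define CIS_ROOT_DIR, so the explanatory
# message below is actually printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# The path is quoted so a root directory containing spaces is still found.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi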
================================================
FILE: bin/hardening/7.2.2_disable_icmp_redirect.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 7.2.2 Disable ICMP Redirect Acceptance (Scored)
#
# Abort on the first failing command and on any reference to an unset variable.
set -eu
# Level of the hardening profile this check belongs to (presumably read by
# lib/main.sh, which the script sources at the bottom).
HARDENING_LEVEL=2
# Kernel parameters enforced by this check, as space-separated NAME=VALUE words.
SYSCTL_PARAMS="net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0"
# This function will be called if the script status is on enabled / audit mode
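audit () {
  # Compare every NAME=VALUE word of SYSCTL_PARAMS against the running kernel
  # via has_sysctl_param_expected_result and report through crit/warn/ok.
  # Globals: SYSCTL_PARAMS (read); FNRET (set by the helper).
  local SYSCTL_VALUES SYSCTL_PARAM SYSCTL_EXP_RESULT
  for SYSCTL_VALUES in $SYSCTL_PARAMS; do
    SYSCTL_PARAM=${SYSCTL_VALUES%%=*}
    SYSCTL_EXP_RESULT=${SYSCTL_VALUES#*=}
    debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
    # The 255 "parameter does not exist" status must be tested before the
    # generic non-zero test; in the original order that branch was
    # unreachable and a missing parameter was reported as misconfigured.
    if [ "$FNRET" = 255 ]; then
      warn "$SYSCTL_PARAM does not exist -- Typo?"
    elif [ "$FNRET" != 0 ]; then
      crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
    else
      ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
    fi
  done
}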
# This function will be called if the script status is on enabled mode
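apply () {
  # Enforce every NAME=VALUE word of SYSCTL_PARAMS: a parameter that differs
  # from its expected value is set via set_sysctl_param and the IPv4 route
  # cache is flushed so the change takes effect immediately.
  # Globals: SYSCTL_PARAMS (read); FNRET (set by the helper).
  local SYSCTL_VALUES SYSCTL_PARAM SYSCTL_EXP_RESULT
  for SYSCTL_VALUES in $SYSCTL_PARAMS; do
    SYSCTL_PARAM=${SYSCTL_VALUES%%=*}
    SYSCTL_EXP_RESULT=${SYSCTL_VALUES#*=}
    debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
    # Test the 255 "does not exist" status first: in the original order that
    # branch was unreachable and an unknown parameter was passed on to
    # set_sysctl_param.
    if [ "$FNRET" = 255 ]; then
      warn "$SYSCTL_PARAM does not exist -- Typo?"
    elif [ "$FNRET" != 0 ]; then
      warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
      set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
      sysctl -w net.ipv4.route.flush=1 > /dev/null
    else
      ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
    fi
  done
}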
# This function will check config parameters required
check_config() {
  # This check needs no configuration parameters; the framework hook is kept
  # and always succeeds.
  return 0
}
# Source Root Dir Parameter
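# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps set -u from aborting with "unbound variable" when the
# defaults file is missing or does not define CIS_ROOT_DIR, so the explanatory
# message below is actually printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# The path is quoted so a root directory containing spaces is still found.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi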
================================================
FILE: bin/hardening/7.2.3_disable_secure_icmp_redirect.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 7.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
#
# Abort on the first failing command and on any reference to an unset variable.
set -eu
# Level of the hardening profile this check belongs to (presumably read by
# lib/main.sh, which the script sources at the bottom).
HARDENING_LEVEL=2
# Kernel parameters enforced by this check, as space-separated NAME=VALUE words.
SYSCTL_PARAMS="net.ipv4.conf.all.secure_redirects=1 net.ipv4.conf.default.secure_redirects=1"
# This function will be called if the script status is on enabled / audit mode
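audit () {
  # Compare every NAME=VALUE word of SYSCTL_PARAMS against the running kernel
  # via has_sysctl_param_expected_result and report through crit/warn/ok.
  # Globals: SYSCTL_PARAMS (read); FNRET (set by the helper).
  local SYSCTL_VALUES SYSCTL_PARAM SYSCTL_EXP_RESULT
  for SYSCTL_VALUES in $SYSCTL_PARAMS; do
    SYSCTL_PARAM=${SYSCTL_VALUES%%=*}
    SYSCTL_EXP_RESULT=${SYSCTL_VALUES#*=}
    debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
    # The 255 "parameter does not exist" status must be tested before the
    # generic non-zero test; in the original order that branch was
    # unreachable and a missing parameter was reported as misconfigured.
    if [ "$FNRET" = 255 ]; then
      warn "$SYSCTL_PARAM does not exist -- Typo?"
    elif [ "$FNRET" != 0 ]; then
      crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
    else
      ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
    fi
  done
}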
# This function will be called if the script status is on enabled mode
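apply () {
  # Enforce every NAME=VALUE word of SYSCTL_PARAMS: a parameter that differs
  # from its expected value is set via set_sysctl_param and the IPv4 route
  # cache is flushed so the change takes effect immediately.
  # Globals: SYSCTL_PARAMS (read); FNRET (set by the helper).
  local SYSCTL_VALUES SYSCTL_PARAM SYSCTL_EXP_RESULT
  for SYSCTL_VALUES in $SYSCTL_PARAMS; do
    SYSCTL_PARAM=${SYSCTL_VALUES%%=*}
    SYSCTL_EXP_RESULT=${SYSCTL_VALUES#*=}
    debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
    # Test the 255 "does not exist" status first: in the original order that
    # branch was unreachable and an unknown parameter was passed on to
    # set_sysctl_param.
    if [ "$FNRET" = 255 ]; then
      warn "$SYSCTL_PARAM does not exist -- Typo?"
    elif [ "$FNRET" != 0 ]; then
      warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
      set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
      sysctl -w net.ipv4.route.flush=1 > /dev/null
    else
      ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
    fi
  done
}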
# This function will check config parameters required
check_config() {
  # This check needs no configuration parameters; the framework hook is kept
  # and always succeeds.
  return 0
}
# Source Root Dir Parameter
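# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps set -u from aborting with "unbound variable" when the
# defaults file is missing or does not define CIS_ROOT_DIR, so the explanatory
# message below is actually printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# The path is quoted so a root directory containing spaces is still found.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi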
================================================
FILE: bin/hardening/7.2.4_log_martian_packets.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 7.2.4 Log Suspicious Packets (Scored)
#
# Abort on the first failing command and on any reference to an unset variable.
set -eu
# Level of the hardening profile this check belongs to (presumably read by
# lib/main.sh, which the script sources at the bottom).
HARDENING_LEVEL=2
# Kernel parameters enforced by this check, as space-separated NAME=VALUE words.
SYSCTL_PARAMS="net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martians=1"
# This function will be called if the script status is on enabled / audit mode
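audit () {
  # Compare every NAME=VALUE word of SYSCTL_PARAMS against the running kernel
  # via has_sysctl_param_expected_result and report through crit/warn/ok.
  # Globals: SYSCTL_PARAMS (read); FNRET (set by the helper).
  local SYSCTL_VALUES SYSCTL_PARAM SYSCTL_EXP_RESULT
  for SYSCTL_VALUES in $SYSCTL_PARAMS; do
    SYSCTL_PARAM=${SYSCTL_VALUES%%=*}
    SYSCTL_EXP_RESULT=${SYSCTL_VALUES#*=}
    debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
    # The 255 "parameter does not exist" status must be tested before the
    # generic non-zero test; in the original order that branch was
    # unreachable and a missing parameter was reported as misconfigured.
    if [ "$FNRET" = 255 ]; then
      warn "$SYSCTL_PARAM does not exist -- Typo?"
    elif [ "$FNRET" != 0 ]; then
      crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
    else
      ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
    fi
  done
}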
# This function will be called if the script status is on enabled mode
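apply () {
  # Enforce every NAME=VALUE word of SYSCTL_PARAMS: a parameter that differs
  # from its expected value is set via set_sysctl_param and the IPv4 route
  # cache is flushed so the change takes effect immediately.
  # Globals: SYSCTL_PARAMS (read); FNRET (set by the helper).
  local SYSCTL_VALUES SYSCTL_PARAM SYSCTL_EXP_RESULT
  for SYSCTL_VALUES in $SYSCTL_PARAMS; do
    SYSCTL_PARAM=${SYSCTL_VALUES%%=*}
    SYSCTL_EXP_RESULT=${SYSCTL_VALUES#*=}
    debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
    # Test the 255 "does not exist" status first: in the original order that
    # branch was unreachable and an unknown parameter was passed on to
    # set_sysctl_param.
    if [ "$FNRET" = 255 ]; then
      warn "$SYSCTL_PARAM does not exist -- Typo?"
    elif [ "$FNRET" != 0 ]; then
      warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
      set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
      sysctl -w net.ipv4.route.flush=1 > /dev/null
    else
      ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
    fi
  done
}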
# This function will check config parameters required
check_config() {
  # This check needs no configuration parameters; the framework hook is kept
  # and always succeeds.
  return 0
}
# Source Root Dir Parameter
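# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps set -u from aborting with "unbound variable" when the
# defaults file is missing or does not define CIS_ROOT_DIR, so the explanatory
# message below is actually printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# The path is quoted so a root directory containing spaces is still found.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi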
================================================
FILE: bin/hardening/7.2.5_ignore_broadcast_requests.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 7.2.5 Enable Ignore Broadcast Requests (Scored)
#
# Abort on the first failing command and on any reference to an unset variable.
set -eu
# Level of the hardening profile this check belongs to (presumably read by
# lib/main.sh, which the script sources at the bottom).
HARDENING_LEVEL=2
# Kernel parameter enforced by this check, as a NAME=VALUE word.
SYSCTL_PARAMS="net.ipv4.icmp_echo_ignore_broadcasts=1"
# This function will be called if the script status is on enabled / audit mode
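audit () {
  # Compare every NAME=VALUE word of SYSCTL_PARAMS against the running kernel
  # via has_sysctl_param_expected_result and report through crit/warn/ok.
  # Globals: SYSCTL_PARAMS (read); FNRET (set by the helper).
  local SYSCTL_VALUES SYSCTL_PARAM SYSCTL_EXP_RESULT
  for SYSCTL_VALUES in $SYSCTL_PARAMS; do
    SYSCTL_PARAM=${SYSCTL_VALUES%%=*}
    SYSCTL_EXP_RESULT=${SYSCTL_VALUES#*=}
    debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
    # The 255 "parameter does not exist" status must be tested before the
    # generic non-zero test; in the original order that branch was
    # unreachable and a missing parameter was reported as misconfigured.
    if [ "$FNRET" = 255 ]; then
      warn "$SYSCTL_PARAM does not exist --Typo?"
    elif [ "$FNRET" != 0 ]; then
      crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
    else
      ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
    fi
  done
}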
# This function will be called if the script status is on enabled mode
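apply () {
  # Enforce every NAME=VALUE word of SYSCTL_PARAMS: a parameter that differs
  # from its expected value is set via set_sysctl_param and the IPv4 route
  # cache is flushed so the change takes effect immediately.
  # Globals: SYSCTL_PARAMS (read); FNRET (set by the helper).
  local SYSCTL_VALUES SYSCTL_PARAM SYSCTL_EXP_RESULT
  for SYSCTL_VALUES in $SYSCTL_PARAMS; do
    SYSCTL_PARAM=${SYSCTL_VALUES%%=*}
    SYSCTL_EXP_RESULT=${SYSCTL_VALUES#*=}
    debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
    # Test the 255 "does not exist" status first: in the original order that
    # branch was unreachable and an unknown parameter was passed on to
    # set_sysctl_param.
    if [ "$FNRET" = 255 ]; then
      warn "$SYSCTL_PARAM does not exist -- Typo?"
    elif [ "$FNRET" != 0 ]; then
      warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
      set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
      sysctl -w net.ipv4.route.flush=1 > /dev/null
    else
      ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
    fi
  done
}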
# This function will check config parameters required
check_config() {
  # This check needs no configuration parameters; the framework hook is kept
  # and always succeeds.
  return 0
}
# Source Root Dir Parameter
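# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps set -u from aborting with "unbound variable" when the
# defaults file is missing or does not define CIS_ROOT_DIR, so the explanatory
# message below is actually printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# The path is quoted so a root directory containing spaces is still found.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi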
================================================
FILE: bin/hardening/7.2.6_enable_bad_error_message_protection.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 7.2.6 Enable Bad Error Message Protection (Scored)
#
# Abort on the first failing command and on any reference to an unset variable.
set -eu
# Level of the hardening profile this check belongs to (presumably read by
# lib/main.sh, which the script sources at the bottom).
HARDENING_LEVEL=2
# Kernel parameter enforced by this check, as a NAME=VALUE word.
SYSCTL_PARAMS="net.ipv4.icmp_ignore_bogus_error_responses=1"
# This function will be called if the script status is on enabled / audit mode
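audit () {
  # Compare every NAME=VALUE word of SYSCTL_PARAMS against the running kernel
  # via has_sysctl_param_expected_result and report through crit/warn/ok.
  # Globals: SYSCTL_PARAMS (read); FNRET (set by the helper).
  local SYSCTL_VALUES SYSCTL_PARAM SYSCTL_EXP_RESULT
  for SYSCTL_VALUES in $SYSCTL_PARAMS; do
    SYSCTL_PARAM=${SYSCTL_VALUES%%=*}
    SYSCTL_EXP_RESULT=${SYSCTL_VALUES#*=}
    debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
    # The 255 "parameter does not exist" status must be tested before the
    # generic non-zero test; in the original order that branch was
    # unreachable and a missing parameter was reported as misconfigured.
    if [ "$FNRET" = 255 ]; then
      warn "$SYSCTL_PARAM does not exist -- Typo?"
    elif [ "$FNRET" != 0 ]; then
      crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
    else
      ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
    fi
  done
}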
# This function will be called if the script status is on enabled mode
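apply () {
  # Enforce every NAME=VALUE word of SYSCTL_PARAMS: a parameter that differs
  # from its expected value is set via set_sysctl_param and the IPv4 route
  # cache is flushed so the change takes effect immediately.
  # Globals: SYSCTL_PARAMS (read); FNRET (set by the helper).
  local SYSCTL_VALUES SYSCTL_PARAM SYSCTL_EXP_RESULT
  for SYSCTL_VALUES in $SYSCTL_PARAMS; do
    SYSCTL_PARAM=${SYSCTL_VALUES%%=*}
    SYSCTL_EXP_RESULT=${SYSCTL_VALUES#*=}
    debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
    # Test the 255 "does not exist" status first: in the original order that
    # branch was unreachable and an unknown parameter was passed on to
    # set_sysctl_param.
    if [ "$FNRET" = 255 ]; then
      warn "$SYSCTL_PARAM does not exist -- Typo?"
    elif [ "$FNRET" != 0 ]; then
      warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
      set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
      sysctl -w net.ipv4.route.flush=1 > /dev/null
    else
      ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
    fi
  done
}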
# This function will check config parameters required
check_config() {
  # This check needs no configuration parameters; the framework hook is kept
  # and always succeeds.
  return 0
}
# Source Root Dir Parameter
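# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps set -u from aborting with "unbound variable" when the
# defaults file is missing or does not define CIS_ROOT_DIR, so the explanatory
# message below is actually printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# The path is quoted so a root directory containing spaces is still found.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi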
================================================
FILE: bin/hardening/7.2.7_enable_source_route_validation.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 7.2.7 Enable RFC-recommended Source Route Validation (Scored)
#
# Abort on the first failing command and on any reference to an unset variable.
set -eu
# Level of the hardening profile this check belongs to (presumably read by
# lib/main.sh, which the script sources at the bottom).
HARDENING_LEVEL=2
# Kernel parameters enforced by this check, as space-separated NAME=VALUE words.
SYSCTL_PARAMS="net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1"
# This function will be called if the script status is on enabled / audit mode
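audit () {
  # Compare every NAME=VALUE word of SYSCTL_PARAMS against the running kernel
  # via has_sysctl_param_expected_result and report through crit/warn/ok.
  # Globals: SYSCTL_PARAMS (read); FNRET (set by the helper).
  local SYSCTL_VALUES SYSCTL_PARAM SYSCTL_EXP_RESULT
  for SYSCTL_VALUES in $SYSCTL_PARAMS; do
    SYSCTL_PARAM=${SYSCTL_VALUES%%=*}
    SYSCTL_EXP_RESULT=${SYSCTL_VALUES#*=}
    debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
    # The 255 "parameter does not exist" status must be tested before the
    # generic non-zero test; in the original order that branch was
    # unreachable and a missing parameter was reported as misconfigured.
    if [ "$FNRET" = 255 ]; then
      warn "$SYSCTL_PARAM does not exist -- Typo?"
    elif [ "$FNRET" != 0 ]; then
      crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
    else
      ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
    fi
  done
}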
# This function will be called if the script status is on enabled mode
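apply () {
  # Enforce every NAME=VALUE word of SYSCTL_PARAMS: a parameter that differs
  # from its expected value is set via set_sysctl_param and the IPv4 route
  # cache is flushed so the change takes effect immediately.
  # Globals: SYSCTL_PARAMS (read); FNRET (set by the helper).
  local SYSCTL_VALUES SYSCTL_PARAM SYSCTL_EXP_RESULT
  for SYSCTL_VALUES in $SYSCTL_PARAMS; do
    SYSCTL_PARAM=${SYSCTL_VALUES%%=*}
    SYSCTL_EXP_RESULT=${SYSCTL_VALUES#*=}
    debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
    # Test the 255 "does not exist" status first: in the original order that
    # branch was unreachable and an unknown parameter was passed on to
    # set_sysctl_param.
    if [ "$FNRET" = 255 ]; then
      warn "$SYSCTL_PARAM does not exist -- Typo?"
    elif [ "$FNRET" != 0 ]; then
      warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
      set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
      sysctl -w net.ipv4.route.flush=1 > /dev/null
    else
      ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
    fi
  done
}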
# This function will check config parameters required
check_config() {
  # This check needs no configuration parameters; the framework hook is kept
  # and always succeeds.
  return 0
}
# Source Root Dir Parameter
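# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps set -u from aborting with "unbound variable" when the
# defaults file is missing or does not define CIS_ROOT_DIR, so the explanatory
# message below is actually printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# The path is quoted so a root directory containing spaces is still found.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi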
================================================
FILE: bin/hardening/7.2.8_enable_tcp_syn_cookies.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 7.2.8 Enable TCP SYN Cookies (Scored)
#
# Abort on the first failing command and on any reference to an unset variable.
set -eu
# Level of the hardening profile this check belongs to (presumably read by
# lib/main.sh, which the script sources at the bottom).
HARDENING_LEVEL=2
# Kernel parameter enforced by this check, as a NAME=VALUE word.
SYSCTL_PARAMS="net.ipv4.tcp_syncookies=1"
# This function will be called if the script status is on enabled / audit mode
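audit () {
  # Compare every NAME=VALUE word of SYSCTL_PARAMS against the running kernel
  # via has_sysctl_param_expected_result and report through crit/warn/ok.
  # Globals: SYSCTL_PARAMS (read); FNRET (set by the helper).
  local SYSCTL_VALUES SYSCTL_PARAM SYSCTL_EXP_RESULT
  for SYSCTL_VALUES in $SYSCTL_PARAMS; do
    SYSCTL_PARAM=${SYSCTL_VALUES%%=*}
    SYSCTL_EXP_RESULT=${SYSCTL_VALUES#*=}
    debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
    # The 255 "parameter does not exist" status must be tested before the
    # generic non-zero test; in the original order that branch was
    # unreachable and a missing parameter was reported as misconfigured.
    if [ "$FNRET" = 255 ]; then
      warn "$SYSCTL_PARAM does not exist -- Typo?"
    elif [ "$FNRET" != 0 ]; then
      crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
    else
      ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
    fi
  done
}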
# This function will be called if the script status is on enabled mode
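apply () {
  # Enforce every NAME=VALUE word of SYSCTL_PARAMS: a parameter that differs
  # from its expected value is set via set_sysctl_param and the IPv4 route
  # cache is flushed so the change takes effect immediately.
  # Globals: SYSCTL_PARAMS (read); FNRET (set by the helper).
  local SYSCTL_VALUES SYSCTL_PARAM SYSCTL_EXP_RESULT
  for SYSCTL_VALUES in $SYSCTL_PARAMS; do
    SYSCTL_PARAM=${SYSCTL_VALUES%%=*}
    SYSCTL_EXP_RESULT=${SYSCTL_VALUES#*=}
    debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
    # Test the 255 "does not exist" status first: in the original order that
    # branch was unreachable and an unknown parameter was passed on to
    # set_sysctl_param.
    if [ "$FNRET" = 255 ]; then
      warn "$SYSCTL_PARAM does not exist -- Typo?"
    elif [ "$FNRET" != 0 ]; then
      warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
      set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
      sysctl -w net.ipv4.route.flush=1 > /dev/null
    else
      ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
    fi
  done
}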
# This function will check config parameters required
check_config() {
  # This check needs no configuration parameters; the framework hook is kept
  # and always succeeds.
  return 0
}
# Source Root Dir Parameter
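# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps set -u from aborting with "unbound variable" when the
# defaults file is missing or does not define CIS_ROOT_DIR, so the explanatory
# message below is actually printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# The path is quoted so a root directory containing spaces is still found.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi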
================================================
FILE: bin/hardening/7.3.1_disable_ipv6_router_advertisement.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 7.3.1 Disable IPv6 Router Advertisements (Not Scored)
#
# Abort on the first failing command and on any reference to an unset variable.
set -eu
# Level of the hardening profile this check belongs to (presumably read by
# lib/main.sh, which the script sources at the bottom).
HARDENING_LEVEL=2
# IPv6 kernel parameters enforced by this check, as space-separated NAME=VALUE words.
SYSCTL_PARAMS="net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0"
# This function will be called if the script status is on enabled / audit mode
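audit () {
  # Compare every NAME=VALUE word of SYSCTL_PARAMS against the running kernel.
  # Skipped entirely (reported ok) when the net.ipv6 sysctl tree is absent,
  # i.e. IPv6 is disabled in the kernel.
  # Globals: SYSCTL_PARAMS (read); FNRET (set by the helpers).
  does_sysctl_param_exists "net.ipv6"
  if [ "$FNRET" != 0 ]; then
    ok "ipv6 is disabled"
    return
  fi
  local SYSCTL_VALUES SYSCTL_PARAM SYSCTL_EXP_RESULT
  for SYSCTL_VALUES in $SYSCTL_PARAMS; do
    SYSCTL_PARAM=${SYSCTL_VALUES%%=*}
    SYSCTL_EXP_RESULT=${SYSCTL_VALUES#*=}
    debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
    # The 255 "parameter does not exist" status must be tested before the
    # generic non-zero test; in the original order that branch was
    # unreachable and a missing parameter was reported as misconfigured.
    if [ "$FNRET" = 255 ]; then
      warn "$SYSCTL_PARAM does not exist -- Typo?"
    elif [ "$FNRET" != 0 ]; then
      crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
    else
      ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
    fi
  done
}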
# This function will be called if the script status is on enabled mode
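apply () {
  # Enforce every NAME=VALUE word of SYSCTL_PARAMS. Skipped entirely when
  # the net.ipv6 sysctl tree is absent (IPv6 disabled in the kernel).
  # Globals: SYSCTL_PARAMS (read); FNRET (set by the helpers).
  does_sysctl_param_exists "net.ipv6"
  if [ "$FNRET" != 0 ]; then
    ok "ipv6 is disabled"
    return
  fi
  local SYSCTL_VALUES SYSCTL_PARAM SYSCTL_EXP_RESULT
  for SYSCTL_VALUES in $SYSCTL_PARAMS; do
    SYSCTL_PARAM=${SYSCTL_VALUES%%=*}
    SYSCTL_EXP_RESULT=${SYSCTL_VALUES#*=}
    debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
    # Test the 255 "does not exist" status first: in the original order that
    # branch was unreachable and an unknown parameter was passed on to
    # set_sysctl_param.
    if [ "$FNRET" = 255 ]; then
      warn "$SYSCTL_PARAM does not exist -- Typo?"
    elif [ "$FNRET" != 0 ]; then
      warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT, fixing"
      set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
      # These are IPv6 parameters, so flush the IPv6 route cache; the
      # original flushed net.ipv4.route instead.
      sysctl -w net.ipv6.route.flush=1 > /dev/null
    else
      ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
    fi
  done
}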
# This function will check config parameters required
check_config() {
  # This check needs no configuration parameters; the framework hook is kept
  # and always succeeds.
  return 0
}
# Source Root Dir Parameter
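# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps set -u from aborting with "unbound variable" when the
# defaults file is missing or does not define CIS_ROOT_DIR, so the explanatory
# message below is actually printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# The path is quoted so a root directory containing spaces is still found.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi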
================================================
FILE: bin/hardening/7.3.2_disable_ipv6_redirect.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 7.3.2 Disable IPv6 Redirect Acceptance (Not Scored)
#
# Abort on the first failing command and on any reference to an unset variable.
set -eu
# Level of the hardening profile this check belongs to (presumably read by
# lib/main.sh, which the script sources at the bottom).
HARDENING_LEVEL=2
# IPv6 kernel parameters enforced by this check, as space-separated NAME=VALUE words.
SYSCTL_PARAMS="net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0"
# This function will be called if the script status is on enabled / audit mode
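audit () {
  # Compare every NAME=VALUE word of SYSCTL_PARAMS against the running kernel.
  # Skipped entirely (reported ok) when the net.ipv6 sysctl tree is absent,
  # i.e. IPv6 is disabled in the kernel.
  # Globals: SYSCTL_PARAMS (read); FNRET (set by the helpers).
  does_sysctl_param_exists "net.ipv6"
  if [ "$FNRET" != 0 ]; then
    ok "ipv6 is disabled"
    return
  fi
  local SYSCTL_VALUES SYSCTL_PARAM SYSCTL_EXP_RESULT
  for SYSCTL_VALUES in $SYSCTL_PARAMS; do
    SYSCTL_PARAM=${SYSCTL_VALUES%%=*}
    SYSCTL_EXP_RESULT=${SYSCTL_VALUES#*=}
    debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
    # The 255 "parameter does not exist" status must be tested before the
    # generic non-zero test; in the original order that branch was
    # unreachable and a missing parameter was reported as misconfigured.
    if [ "$FNRET" = 255 ]; then
      warn "$SYSCTL_PARAM does not exist -- Typo?"
    elif [ "$FNRET" != 0 ]; then
      crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
    else
      ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
    fi
  done
}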
# This function will be called if the script status is on enabled mode
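apply () {
  # Enforce every NAME=VALUE word of SYSCTL_PARAMS. Skipped entirely when
  # the net.ipv6 sysctl tree is absent (IPv6 disabled in the kernel).
  # Globals: SYSCTL_PARAMS (read); FNRET (set by the helpers).
  does_sysctl_param_exists "net.ipv6"
  if [ "$FNRET" != 0 ]; then
    ok "ipv6 is disabled"
    return
  fi
  local SYSCTL_VALUES SYSCTL_PARAM SYSCTL_EXP_RESULT
  for SYSCTL_VALUES in $SYSCTL_PARAMS; do
    SYSCTL_PARAM=${SYSCTL_VALUES%%=*}
    SYSCTL_EXP_RESULT=${SYSCTL_VALUES#*=}
    debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
    # Test the 255 "does not exist" status first: in the original order that
    # branch was unreachable and an unknown parameter was passed on to
    # set_sysctl_param.
    if [ "$FNRET" = 255 ]; then
      warn "$SYSCTL_PARAM does not exist -- typo?"
    elif [ "$FNRET" != 0 ]; then
      warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT, fixing"
      set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
      # These are IPv6 parameters, so flush the IPv6 route cache; the
      # original flushed net.ipv4.route instead.
      sysctl -w net.ipv6.route.flush=1 > /dev/null
    else
      ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
    fi
  done
}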
# This function will check config parameters required
check_config() {
  # This check needs no configuration parameters; the framework hook is kept
  # and always succeeds.
  return 0
}
# Source Root Dir Parameter
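# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps set -u from aborting with "unbound variable" when the
# defaults file is missing or does not define CIS_ROOT_DIR, so the explanatory
# message below is actually printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# The path is quoted so a root directory containing spaces is still found.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi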
================================================
FILE: bin/hardening/7.4.1_install_tcp_wrapper.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
# 7.4.1 Install TCP Wrappers (Scored)
#
# Abort on the first failing command and on any reference to an unset variable.
set -eu
# Level of the hardening profile this check belongs to (presumably read by
# lib/main.sh, which the script sources at the bottom).
HARDENING_LEVEL=3
# Debian package providing TCP wrappers.
PACKAGE="tcpd"
# CentOS equivalent, used when OS_RELEASE is 2.
PACKAGE_CENTOS="tcp_wrappers"
# This function will be called if the script status is on enabled / audit mode
audit () {
  # Check that the TCP wrappers package is installed. On CentOS 8 (is_centos_8
  # leaves FNRET at 0) only tcp_wrappers_warn is emitted and the check passes.
  # Globals: OS_RELEASE (read); PACKAGE (rewritten on CentOS);
  #          FNRET (set by the helpers).
  if [ "$OS_RELEASE" -eq 2 ]; then
    is_centos_8
    if [ "$FNRET" = 0 ]; then
      tcp_wrappers_warn
      ok "So PASS."
      return 0
    fi
    PACKAGE=$PACKAGE_CENTOS
  fi
  is_pkg_installed $PACKAGE
  if [ "$FNRET" = 0 ]; then
    ok "$PACKAGE is installed"
  else
    crit "$PACKAGE is not installed!"
  fi
}
# This function will be called if the script status is on enabled mode
apply () {
  # Install the TCP wrappers package when it is missing, using yum on CentOS
  # and the apt_install helper on Debian. On CentOS 8 (is_centos_8 leaves
  # FNRET at 0) only tcp_wrappers_warn is emitted and the check passes.
  # Globals: OS_RELEASE (read); PACKAGE (rewritten on CentOS);
  #          FNRET (set by the helpers).
  if [ "$OS_RELEASE" -eq 2 ]; then
    is_centos_8
    if [ "$FNRET" = 0 ]; then
      tcp_wrappers_warn
      ok "So PASS."
      return 0
    fi
    PACKAGE=$PACKAGE_CENTOS
  fi
  is_pkg_installed $PACKAGE
  if [ "$FNRET" != 0 ]; then
    crit "$PACKAGE is absent, installing it"
    if [ "$OS_RELEASE" -eq 2 ]; then
      yum install $PACKAGE -y
    else
      apt_install $PACKAGE
    fi
  else
    ok "$PACKAGE is installed"
  fi
}
# This function will check config parameters required
check_config() {
  # This check needs no configuration parameters; the framework hook is kept
  # and always succeeds.
  return 0
}
# Source Root Dir Parameter
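# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps set -u from aborting with "unbound variable" when the
# defaults file is missing or does not define CIS_ROOT_DIR, so the explanatory
# message below is actually printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# The path is quoted so a root directory containing spaces is still found.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi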
================================================
FILE: bin/hardening/7.4.2_hosts_allow.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 7.4.2 Create /etc/hosts.allow (Not Scored)
#
set -eu # abort on the first failing command (-e) or unset variable (-u)
HARDENING_LEVEL=3
# TCP Wrappers allow list whose presence this check enforces.
FILE='/etc/hosts.allow'
# This function will be called if the script status is on enabled / audit mode
# Audit mode: report whether FILE exists. On CentOS 8 the library's
# tcp_wrappers_warn is emitted and the check passes. FNRET is left as set
# by is_centos_8 / does_file_exist.
audit () {
    is_centos_8
    if [ "$FNRET" = 0 ]; then
        tcp_wrappers_warn
        ok "So PASS."
        return 0
    fi
    does_file_exist "$FILE"
    case "$FNRET" in
        0) ok "$FILE exist" ;;
        *) crit "$FILE does not exist" ;;
    esac
}
# This function will be called if the script status is on enabled mode
# Enabled mode: create FILE (empty) when it is missing; the administrator
# still has to populate it. CentOS 8 is skipped as in audit().
apply () {
    is_centos_8
    if [ "$FNRET" = 0 ]; then
        tcp_wrappers_warn
        ok "So PASS."
        return 0
    fi
    does_file_exist "$FILE"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE exist"
    else
        warn "$FILE does not exist, creating it"
        touch "$FILE"
        warn "You may want to fill it with allowed networks"
    fi
}
# This function will check config parameters required
# No configuration parameters are required for this check; always succeeds.
check_config() {
    return 0
}
# Source Root Dir Parameter
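# Source Root Dir Parameter: /etc/default/cis-hardening is expected to define CIS_ROOT_DIR.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps `set -u` from aborting with "unbound variable" when the
# config file is absent, so the explanatory message below is actually reached.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi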
================================================
FILE: bin/hardening/7.4.3_hosts_allow_permissions.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 7.4.3 Verify Permissions on /etc/hosts.allow (Scored)
#
set -eu # abort on the first failing command (-e) or unset variable (-u)
HARDENING_LEVEL=3
# File whose mode is enforced, and the octal mode (without leading 0) expected on it.
FILE='/etc/hosts.allow'
PERMISSIONS='644'
# This function will be called if the script status is on enabled / audit mode
# Audit mode: report whether FILE carries mode PERMISSIONS (checked through the
# library's has_file_correct_permissions). CentOS 8 passes with a warning.
audit () {
    is_centos_8
    if [ "$FNRET" = 0 ]; then
        tcp_wrappers_warn
        ok "So PASS."
        return 0
    fi
    has_file_correct_permissions "$FILE" "$PERMISSIONS"
    case "$FNRET" in
        0) ok "$FILE has correct permissions" ;;
        *) crit "$FILE permissions were not set to $PERMISSIONS" ;;
    esac
}
# This function will be called if the script status is on enabled mode
# Enabled mode: chmod FILE to PERMISSIONS when the audit helper reports a
# mismatch. CentOS 8 is skipped as in audit().
apply () {
    is_centos_8
    if [ "$FNRET" = 0 ]; then
        tcp_wrappers_warn
        ok "So PASS."
        return 0
    fi
    has_file_correct_permissions "$FILE" "$PERMISSIONS"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct permissions"
    else
        info "fixing $FILE permissions to $PERMISSIONS"
        chmod "0${PERMISSIONS}" "$FILE"
    fi
}
# This function will check config parameters required
# No configuration parameters are required for this check; always succeeds.
check_config() {
    return 0
}
# Source Root Dir Parameter
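# Source Root Dir Parameter: /etc/default/cis-hardening is expected to define CIS_ROOT_DIR.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps `set -u` from aborting with "unbound variable" when the
# config file is absent, so the explanatory message below is actually reached.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi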
================================================
FILE: bin/hardening/7.4.4_hosts_deny.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 7.4.4 Create /etc/hosts.deny (Scored)
#
set -eu # abort on the first failing command (-e) or unset variable (-u)
HARDENING_LEVEL=3
# TCP Wrappers deny list and the catch-all entry that must be present in it.
FILE='/etc/hosts.deny'
PATTERN='ALL: ALL'
# This function will be called if the script status is on enabled / audit mode
# Audit mode: FILE must exist and contain PATTERN (the deny-everything entry).
# CentOS 8 passes with a warning. Reports via ok/crit; FNRET is left as set
# by the last library helper called.
audit () {
    is_centos_8
    if [ "$FNRET" = 0 ]; then
        tcp_wrappers_warn
        ok "So PASS."
        return 0
    fi
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
        return
    fi
    ok "$FILE exists, checking configuration"
    does_pattern_exist_in_file "$FILE" "$PATTERN"
    if [ "$FNRET" = 0 ]; then
        ok "$PATTERN is present in $FILE"
    else
        crit "$PATTERN is not present in $FILE, we have to deny everything"
    fi
}
# This function will be called if the script status is on enabled mode
# Enabled mode: create FILE if missing and append PATTERN when absent.
# Appending "ALL: ALL" denies every wrapped service not listed in
# /etc/hosts.allow, hence the loud warning before the operator disconnects.
apply () {
    is_centos_8
    if [ "$FNRET" = 0 ]; then
        tcp_wrappers_warn
        ok "So PASS."
        return 0
    fi
    does_file_exist "$FILE"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE exists"
    else
        warn "$FILE does not exist, creating it"
        touch "$FILE"
    fi
    does_pattern_exist_in_file "$FILE" "$PATTERN"
    if [ "$FNRET" = 0 ]; then
        ok "$PATTERN is present in $FILE"
    else
        crit "$PATTERN is not present in $FILE, we have to deny everything"
        add_end_of_file "$FILE" "$PATTERN"
        warn "YOU MAY HAVE CUT YOUR ACCESS, CHECK BEFORE DISCONNECTING"
    fi
}
# This function will check config parameters required
# No configuration parameters are required for this check; always succeeds.
check_config() {
    return 0
}
# Source Root Dir Parameter
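# Source Root Dir Parameter: /etc/default/cis-hardening is expected to define CIS_ROOT_DIR.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps `set -u` from aborting with "unbound variable" when the
# config file is absent, so the explanatory message below is actually reached.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi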
================================================
FILE: bin/hardening/7.4.5_hosts_deny_permissions.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 7.4.5 Verify Permissions on /etc/hosts.deny (Scored)
#
set -eu # abort on the first failing command (-e) or unset variable (-u)
HARDENING_LEVEL=3
# File whose mode is enforced, and the octal mode (without leading 0) expected on it.
FILE='/etc/hosts.deny'
PERMISSIONS='644'
# This function will be called if the script status is on enabled / audit mode
# Audit mode: report whether FILE carries mode PERMISSIONS (checked through the
# library's has_file_correct_permissions). CentOS 8 passes with a warning.
audit () {
    is_centos_8
    if [ "$FNRET" = 0 ]; then
        tcp_wrappers_warn
        ok "So PASS."
        return 0
    fi
    has_file_correct_permissions "$FILE" "$PERMISSIONS"
    case "$FNRET" in
        0) ok "$FILE has correct permissions" ;;
        *) crit "$FILE permissions were not set to $PERMISSIONS" ;;
    esac
}
# This function will be called if the script status is on enabled mode
# Enabled mode: chmod FILE to PERMISSIONS when the audit helper reports a
# mismatch. CentOS 8 is skipped as in audit().
apply () {
    is_centos_8
    if [ "$FNRET" = 0 ]; then
        tcp_wrappers_warn
        ok "So PASS."
        return 0
    fi
    has_file_correct_permissions "$FILE" "$PERMISSIONS"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct permissions"
    else
        info "fixing $FILE permissions to $PERMISSIONS"
        chmod "0${PERMISSIONS}" "$FILE"
    fi
}
# This function will check config parameters required
# No configuration parameters are required for this check; always succeeds.
check_config() {
    return 0
}
# Source Root Dir Parameter
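# Source Root Dir Parameter: /etc/default/cis-hardening is expected to define CIS_ROOT_DIR.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps `set -u` from aborting with "unbound variable" when the
# config file is absent, so the explanatory message below is actually reached.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi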
================================================
FILE: bin/hardening/7.6_disable_wireless.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9/10/11/12/13 or CentOS Hardening
#
#
# 7.6 Ensure wireless interfaces are disabled (Not Scored)
# Author : Samson wen, Samson
#
set -eu # abort on the first failing command (-e) or unset variable (-u)
HARDENING_LEVEL=3
# This function will be called if the script status is on enabled / audit mode
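# Audit mode: report whether wireless interfaces are disabled.
# A host whose `lspci` output mentions no "wireless" device passes outright.
# Otherwise /proc/net/wireless is consulted: it starts with two header lines,
# so fewer than 3 lines means no wireless interface is registered.
# Sets FNRET=0 (disabled or not applicable) or FNRET=1 (interface present).
# WIRELESS_PROC may point the check at another file (used by tests); an
# unreadable or missing file counts as "no interface registered".
audit () {
    local proc_file=${WIRELESS_PROC:-/proc/net/wireless}
    local iface_lines=0
    if [ "$(lspci | grep -ic wireless)" -eq 0 ]; then
        ok "The OS is not wireless device! "
        FNRET=0
        return 0
    fi
    # `wc -l FILE` prints "N FILE", which made the numeric comparison below fail
    # with "too many arguments" and always report the crit branch; reading from
    # stdin yields the bare count.
    if [ -r "$proc_file" ]; then
        iface_lines=$(wc -l < "$proc_file")
    fi
    if [ "$iface_lines" -lt 3 ]; then
        ok "Wireless interfaces are disabled!"
        FNRET=0
    else
        crit "Wireless interfaces is not disabled!"
        FNRET=1
    fi
}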
# This function will be called if the script status is on enabled mode
# Enabled mode: if audit() left FNRET non-zero, switch the radio off with
# NetworkManager's nmcli (the only remediation path implemented here).
apply () {
    case "$FNRET" in
        0)
            ok "Wireless interfaces are disabled!"
            ;;
        *)
            warn "Wireless interfaces is not disabled! Disabled wireless."
            nmcli radio wifi off
            ;;
    esac
}
# This function will check config parameters required
# No configuration parameters are required for this check; always succeeds.
check_config() {
    return 0
}
# Source Root Dir Parameter
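# Source Root Dir Parameter: /etc/default/cis-hardening is expected to define CIS_ROOT_DIR.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps `set -u` from aborting with "unbound variable" when the
# config file is absent, so the explanatory message below is actually reached
# (this is what the previously commented-out variant of this block did).
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi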
================================================
FILE: bin/hardening/7.7.1_enable_firewall.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12/13 or CentOS Hardening
#
#
# 7.7.1 Ensure Firewall is active (Scored)
# Corresponds to the original 7.7
# Modify Author : Samson wen, Samson
#
set -eu # abort on the first failing command (-e) or unset variable (-u)
HARDENING_LEVEL=2
# Quick note here : CIS recommends your iptables rules to be persistent.
# Do as you want, but this script does not handle this
# Legacy iptables stack: packages and the unit that restores saved rules.
PACKAGES='iptables iptables-persistent'
PACKAGES_CENTOS='iptables iptables-services nftables firewalld'
SERVICENAME='netfilter-persistent'
SERVICENAME_CENTOS='iptables ip6tables'
# nftables stack, preferred on Debian when its package is present.
PACKAGE_NFT='nftables'
SERVICENAME_NFT='nftables.service'
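# Returns 0 when `systemctl status UNIT` reports exactly one "Active: active" line.
_is_unit_active () {
    [ "$(systemctl status "$1" | grep -c "Active:.active")" -eq 1 ]
}

# Audit mode, Debian: verify the firewall stack that is installed.
#   nftables absent  -> every package in PACKAGES must be installed (else FNRET=1)
#                       and the SERVICENAME unit must be active (else FNRET=2)
#   nftables present -> the SERVICENAME_NFT unit must be active (else FNRET=4)
# FNRET=0 on success; apply_debian() dispatches on these codes.
# The original second is_pkg_installed call in the nftables branch could not
# fail (the package was checked a moment earlier), so FNRET=3 is never produced.
audit_debian () {
    local pkg
    is_pkg_installed "$PACKAGE_NFT"
    if [ "$FNRET" != 0 ]; then
        for pkg in $PACKAGES; do
            is_pkg_installed "$pkg"
            if [ "$FNRET" != 0 ]; then
                crit "$pkg is not installed!"
                FNRET=1
                break
            fi
            ok "$pkg is installed"
            FNRET=0
        done
        if [ "$FNRET" = 0 ]; then
            if _is_unit_active "${SERVICENAME}"; then
                ok "${SERVICENAME} service is active"
                FNRET=0
            else
                crit "${SERVICENAME} service is not active"
                FNRET=2
            fi
        fi
    else
        # check nftables
        ok "$PACKAGE_NFT is installed"
        if _is_unit_active "${SERVICENAME_NFT}"; then
            ok "${SERVICENAME_NFT} service is active"
            FNRET=0
        else
            crit "${SERVICENAME_NFT} service is not active"
            FNRET=4
        fi
    fi
}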
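# Audit mode, CentOS: every package in PACKAGES_CENTOS must be installed
# (else FNRET=1) and every unit in SERVICENAME_CENTOS must be active
# (else FNRET=2). FNRET=0 on success.
# Fix: previously each unit overwrote FNRET, so an inactive iptables followed
# by an active ip6tables reported success; the failure code now sticks.
# Loop variables are local so the Debian SERVICENAME global is not clobbered.
audit_centos () {
    local pkg unit
    for pkg in $PACKAGES_CENTOS; do
        is_pkg_installed "$pkg"
        if [ "$FNRET" != 0 ]; then
            crit "$pkg is not installed!"
            FNRET=1
            break
        fi
        ok "$pkg is installed"
        FNRET=0
    done
    if [ "$FNRET" = 0 ]; then
        for unit in $SERVICENAME_CENTOS; do
            if [ "$(systemctl status "$unit" | grep -c "Active:.active")" -ne 1 ]; then
                crit "$unit service is not active"
                FNRET=2
            else
                ok "$unit service is active"
            fi
        done
    fi
}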
# This function will be called if the script status is on enabled / audit mode
# Audit mode: dispatch on OS_RELEASE (2 = CentOS, anything else = Debian).
audit () {
    if [ "$OS_RELEASE" -ne 2 ]; then
        audit_debian
    else
        audit_centos
    fi
}
# Enable (when is_service_enabled reports FNRET=1) and start the given unit.
_activate_unit () {
    warn "Enable $1 service to activate"
    is_service_enabled "$1"
    if [ "$FNRET" = 1 ]; then
        systemctl enable "$1"
        systemctl daemon-reload
    fi
    systemctl start "$1"
}

# Enabled mode, Debian: remediate according to the code audit_debian() left in FNRET.
#   0 -> nothing to do          1 -> install every package in PACKAGES
#   3 -> install PACKAGE_NFT    2 -> activate SERVICENAME
#   4 -> activate SERVICENAME_NFT   other -> no-op
apply_debian () {
    local pkg
    case "$FNRET" in
        0)
            ok "Firewall is enabled"
            ;;
        1)
            for pkg in $PACKAGES; do
                warn "$pkg is absent, installing it"
                apt_install "$pkg"
            done
            ;;
        3)
            warn "$PACKAGE_NFT is absent, installing it"
            apt_install "$PACKAGE_NFT"
            ;;
        2)
            _activate_unit "${SERVICENAME}"
            ;;
        4)
            _activate_unit "${SERVICENAME_NFT}"
            ;;
        *)
            :
            ;;
    esac
}
# Enabled mode, CentOS: remediate according to the code audit_centos() left in FNRET.
#   0 -> nothing to do   1 -> yum_install every package in PACKAGES_CENTOS
#   2 -> enable (if needed) and start every unit in SERVICENAME_CENTOS
# Loop variables are local so the Debian SERVICENAME global is not clobbered.
apply_centos () {
    local pkg unit
    if [ "$FNRET" = 0 ]; then
        ok "$PACKAGES_CENTOS is installed"
        return
    fi
    if [ "$FNRET" = 1 ]; then
        for pkg in $PACKAGES_CENTOS; do
            warn "$pkg is absent, installing it"
            yum_install "$pkg"
        done
        return
    fi
    if [ "$FNRET" = 2 ]; then
        warn "Enable ${SERVICENAME_CENTOS} service to activate"
        for unit in ${SERVICENAME_CENTOS}; do
            is_service_enabled "$unit"
            if [ "$FNRET" = 1 ]; then
                systemctl enable "$unit"
                systemctl daemon-reload
            fi
            systemctl start "$unit"
        done
    fi
}
# This function will be called if the script status is on enabled mode
# Enabled mode: dispatch on OS_RELEASE (2 = CentOS, anything else = Debian).
apply () {
    if [ "$OS_RELEASE" -ne 2 ]; then
        apply_debian
    else
        apply_centos
    fi
}
# This function will check config parameters required
# No configuration parameters are required for this check; always succeeds.
check_config() {
    return 0
}
# Source Root Dir Parameter
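# Source Root Dir Parameter: /etc/default/cis-hardening is expected to define CIS_ROOT_DIR.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps `set -u` from aborting with "unbound variable" when the
# config file is absent, so the explanatory message below is actually reached.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi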
================================================
FILE: bin/hardening/7.7.2_ensure_set_firewall_rules.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9/10/11/12/13 Hardening
#
#
# 7.7.2 Ensure the Firewall is set rules (Scored)
# Include ipv4 and ipv6
# Add this feature:Author : Samson wen, Samson
#
# errexit is left off in this file (commented out upstream); only unset
# variables abort the script.
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Paths of the iptables binaries; empty when the binary is not on PATH.
IPS4=$(command -v iptables)
IPS6=$(command -v ip6tables)
PACKAGE_NFT='nftables'
# Quick note here : CIS recommends your iptables rules to be persistent.
# Do as you want, but this script does not handle this
# This function will be called if the script status is on enabled / audit mode
# Audit mode: some firewall rules must be loaded.
#   iptables in use (nftables package absent): both `iptables -S` and
#     `ip6tables -S` must list at least one -A/-I rule  -> FNRET 0, else 1
#   nftables installed: `nft list ruleset` must contain at least one line
#     that is not a table/chain header, brace, policy line or blank
#                                                        -> FNRET 10, else 2
audit () {
    local v4_rules v6_rules nft_rules
    is_pkg_installed "$PACKAGE_NFT"
    if [ "$FNRET" != 0 ]; then
        v4_rules=$(${IPS4} -S | grep -Ec "^-A|^-I")
        v6_rules=$(${IPS6} -S | grep -Ec "^-A|^-I")
        if [ "$v4_rules" -eq 0 ] || [ "$v6_rules" -eq 0 ]; then
            crit "Iptables/Ip6tables is not set rule!"
            FNRET=1
        else
            ok "Iptables/Ip6tables rules are set!"
            FNRET=0
        fi
        return
    fi
    nft_rules=$(nft list ruleset 2>/dev/null | grep -v '^table' | grep -v 'chain.*{' | grep -v '}' | grep -v 'policy' | grep -v '^$' | wc -l)
    if [ "$nft_rules" -gt 0 ]; then
        ok "nftables rules are set!"
        FNRET=10
    else
        crit "Nftables is not set rule!"
        FNRET=2
    fi
}
# This function will be called if the script status is on enabled mode
# Enabled mode: nothing is applied automatically; report the code audit()
# left in FNRET (0/10 ok, 1/2 rules must be added by the administrator).
apply () {
    case "$FNRET" in
        0)  ok "Iptables/Ip6tables rules are set!" ;;
        10) ok "Nftables rules are set!" ;;
        1)  warn "Iptables/Ip6tables rules are not set, need the administrator to manually add it." ;;
        2)  warn "Nftables rules are not set, need the administrator to manually add it." ;;
    esac
}
# This function will check config parameters required
# No configuration parameters are required for this check; always succeeds.
check_config() {
    return 0
}
# Source Root Dir Parameter
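# Source Root Dir Parameter: /etc/default/cis-hardening is expected to define CIS_ROOT_DIR.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps `set -u` from aborting with "unbound variable" when the
# config file is absent, so the explanatory message below is actually reached.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi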
================================================
FILE: bin/hardening/7.7.3_ensure_firewall_set_protect_dos_attacks.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9/10/11/12/13 Hardening
#
#
# 7.7.3 Ensure the Firewall is set rules of protect DOS attacks (Scored)
# Include ipv4 and ipv6
# Add this feature:Author : Samson wen, Samson
#
# errexit is left off in this file (commented out upstream); only unset
# variables abort the script.
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Paths of the iptables binaries; empty when the binary is not on PATH.
IPS4=$(command -v iptables)
IPS6=$(command -v ip6tables)
PACKAGE_NFT='nftables'
# Per-family results filled in by audit(): 0 = rate-limit rule found, 1 = not.
IPV4_RET=1
IPV6_RET=1
# 0 once check_ipv6_is_enable reports the IPv6 stack as enabled.
IPV6_ISENABLE=1
# Quick note here : CIS recommends your iptables rules to be persistent.
# Do as you want, but this script does not handle this
# This function will be called if the script status is on enabled / audit mode
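# Print the number of rate-limiting rules ("-m limit ... --limit-burst") in
# the ruleset dumped by the given iptables/ip6tables binary ($1).
_count_limit_burst_rules () {
    "$1" -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst"
}

# Audit mode: a rate-limit ("limit-burst") rule must exist.
#   nftables installed: `nft list ruleset` must mention "limit ... burst"
#                                                   -> FNRET 10, else 11
#   iptables in use: IPv4 (and IPv6 when check_ipv6_is_enable reports it
#     enabled, FNRET 0) must each have such a rule -> FNRET 0, else 1
# Also sets IPV4_RET / IPV6_RET (0 found, 1 not) and IPV6_ISENABLE for apply().
# The two per-family probes share _count_limit_burst_rules instead of
# duplicating the grep pipeline, and the IPv6 branch is evaluated once.
audit () {
    is_pkg_installed "$PACKAGE_NFT"
    if [ "$FNRET" = 0 ]; then
        if [ "$(nft list ruleset 2>/dev/null | grep -v '^$' | grep -c 'limit.*burst')" -gt 0 ]; then
            FNRET=10
            ok "nftables has set rules for protect DOS attacks!"
        else
            FNRET=11
            crit "nftables is not set rules for protect DOS attacks!"
        fi
        return
    fi
    # ipv4
    if [ "$(_count_limit_burst_rules "${IPS4}")" -eq 0 ]; then
        info "Iptables is not set rules of protect DOS attacks!"
        IPV4_RET=1
    else
        info "Iptables has set rules for protect DOS attacks!"
        IPV4_RET=0
    fi
    # ipv6: only inspected when the stack is enabled
    check_ipv6_is_enable
    IPV6_ISENABLE=$FNRET
    if [ "$IPV6_ISENABLE" -eq 0 ]; then
        if [ "$(_count_limit_burst_rules "${IPS6}")" -eq 0 ]; then
            info "Ip6tables is not set rules of protect DOS attacks!"
            IPV6_RET=1
        else
            info "Ip6tables has set rules for protect DOS attacks!"
            IPV6_RET=0
        fi
        if [ "$IPV4_RET" -eq 1 ] || [ "$IPV6_RET" -eq 1 ]; then
            crit "Iptables/ip6tables is not set rules of protect DOS attacks!"
            FNRET=1
        else
            ok "Iptables/ip6tables has set rules for protect DOS attacks!"
            FNRET=0
        fi
    else
        if [ "$IPV4_RET" -eq 1 ]; then
            crit "Iptables is not set rules of protect DOS attacks!"
            FNRET=1
        else
            ok "Iptables has set rules for protect DOS attacks!"
            FNRET=0
        fi
    fi
}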
# This function will be called if the script status is on enabled mode
# Enabled mode: nothing is applied automatically; report the outcome that
# audit() left in FNRET / IPV6_ISENABLE. Rules have to be added by hand.
apply () {
    case "$FNRET" in
        10)
            ok "nftables has set rules for protect DOS attacks!"
            ;;
        11)
            crit "nftables is not set rules for protect DOS attacks!"
            ;;
        0)
            if [ "$IPV6_ISENABLE" -eq 0 ]; then
                ok "Iptables/Ip6tables has set rules for protect DOS attacks!"
            else
                ok "Iptables has set rules for protect DOS attacks!"
            fi
            ;;
        *)
            if [ "$IPV6_ISENABLE" -eq 0 ]; then
                warn "Iptables/Ip6tables is not set rules of protect DOS attacks! need the administrator to manually add it."
            else
                warn "Iptables is not set rules of protect DOS attacks! need the administrator to manually add it."
            fi
            ;;
    esac
}
# This function will check config parameters required
# No configuration parameters are required for this check; always succeeds.
check_config() {
    return 0
}
# Source Root Dir Parameter
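# Source Root Dir Parameter: /etc/default/cis-hardening is expected to define CIS_ROOT_DIR.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps `set -u` from aborting with "unbound variable" when the
# config file is absent, so the explanatory message below is actually reached.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi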
================================================
FILE: bin/hardening/7.7.4.1_ensure_default_deny_firewall_policy.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9/10/11/12/13 Hardening
#
#
# 7.7.4.1 Ensure default deny firewall policy (Scored)
# for ipv4
# Add this feature:Author : Samson wen, Samson
#
# errexit is left off in this file (commented out upstream); only unset
# variables abort the script.
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Path of the iptables binary; empty when it is not on PATH.
IPS4=$(command -v iptables)
PACKAGE_NFT='nftables'
# This function will be called if the script status is on enabled / audit mode
# Audit mode (IPv4 only): INPUT, OUTPUT and FORWARD must all default to DROP.
#   iptables in use: `iptables -S` must show "-P <chain> DROP" for each chain
#                                                        -> FNRET 0, else 1
#   nftables installed: each chain of table "ip filter" must list "policy drop"
#                                                        -> FNRET 10, else 11
audit () {
    local in_drop out_drop fwd_drop
    is_pkg_installed "$PACKAGE_NFT"
    if [ "$FNRET" != 0 ]; then
        in_drop=$(${IPS4} -S | grep -c "\-P INPUT DROP")
        out_drop=$(${IPS4} -S | grep -c "\-P OUTPUT DROP")
        fwd_drop=$(${IPS4} -S | grep -c "\-P FORWARD DROP")
        if [ "$in_drop" -eq 0 ] || [ "$out_drop" -eq 0 ] || [ "$fwd_drop" -eq 0 ]; then
            crit "Iptables: Firewall policy is not default deny!"
            FNRET=1
        else
            ok "Iptables has set default deny for firewall policy!"
            FNRET=0
        fi
        return
    fi
    in_drop=$(nft list chain ip filter INPUT 2>/dev/null | grep -c 'input.*policy drop')
    out_drop=$(nft list chain ip filter OUTPUT 2>/dev/null | grep -c 'output.*policy drop')
    fwd_drop=$(nft list chain ip filter FORWARD 2>/dev/null | grep -c 'forward.*policy drop')
    if [ "$in_drop" -eq 0 ] || [ "$out_drop" -eq 0 ] || [ "$fwd_drop" -eq 0 ]; then
        crit "nftables: Firewall policy is not default deny!"
        FNRET=11
    else
        ok "nftables has set default deny for firewall policy!"
        FNRET=10
    fi
}
# This function will be called if the script status is on enabled mode
# Enabled mode: nothing is applied automatically; report the code audit()
# left in FNRET (0/10 ok, 11 / anything else needs manual remediation).
apply () {
    case "$FNRET" in
        10) ok "nftables has set default deny for firewall policy!" ;;
        11) warn "nftables is not set default deny for firewall policy! need the administrator to manually add it." ;;
        0)  ok "Iptables has set default deny for firewall policy!" ;;
        *)  warn "Iptables is not set default deny for firewall policy! need the administrator to manually add it. Howto set: iptables -P INPUT DROP; iptables -P OUTPUT DROP; iptables -P FORWARD DROP." ;;
    esac
}
# This function will check config parameters required
# No configuration parameters are required for this check; always succeeds.
check_config() {
    return 0
}
# Source Root Dir Parameter
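# Source Root Dir Parameter: /etc/default/cis-hardening is expected to define CIS_ROOT_DIR.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps `set -u` from aborting with "unbound variable" when the
# config file is absent, so the explanatory message below is actually reached.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi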
================================================
FILE: bin/hardening/7.7.4.2_ensure_loopback_traffic_is_configured.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9/10/11/12/13 Hardening
#
#
# 7.7.4.2 Ensure loopback traffic is configured (Scored)
# Include ipv4 and ipv6
# Add this feature:Author : Samson wen, Samson
#
set -eu # abort on the first failing command (-e) or unset variable (-u)
HARDENING_LEVEL=2
# Per-rule results filled in by audit(): 0 = rule present, 1 = missing.
INPUT_ACCEPT=1
OUTPUT_ACCEPT=1
INPUT_DENY=1
# Selector handed to the library's ensure_lo_traffic_* helpers (IPv4 here).
IP4VERSION="IPS4"
PACKAGE_NFT='nftables'
# This function will be called if the script status is on enabled / audit mode
# Audit mode: loopback traffic must be accepted on lo (INPUT and OUTPUT) and
# traffic claiming a 127.0.0.0/8 source on other interfaces must be dropped.
#   iptables in use: the three library helpers decide each rule; the results
#     are stored in INPUT_ACCEPT / OUTPUT_ACCEPT / INPUT_DENY for apply()
#     (FNRET is left as set by the last helper)
#   nftables installed: chain ip filter INPUT/OUTPUT are grepped
#                                                  -> FNRET 10, else 11
# The grep counts stay inside the `if` conditions so a zero count (grep exit 1)
# does not trip `set -e`.
audit () {
    is_pkg_installed "$PACKAGE_NFT"
    if [ "$FNRET" = 0 ]; then
        if [ "$(nft list chain ip filter INPUT 2>/dev/null | grep -c 'lo.*accept')" -gt 0 ] \
            && [ "$(nft list chain ip filter OUTPUT 2>/dev/null | grep -c 'lo.*accept')" -gt 0 ] \
            && [ "$(nft list chain ip filter INPUT 2>/dev/null | grep -c 'saddr.*127.0.0.0/8.*drop')" -gt 0 ]; then
            ok "nftables loopback traffic INPUT/OUTPUT/deny-other-loopback-interfaces has configured!"
            FNRET=10
        else
            crit "nftables loopback traffic INPUT/OUTPUT/deny-other-loopback-interfaces is not configured!"
            FNRET=11
        fi
        return
    fi
    # Check the loopback interface to accept INPUT traffic.
    ensure_lo_traffic_input_is_accept "$IP4VERSION"
    case "$FNRET" in
        0) INPUT_ACCEPT=0; info "Iptables loopback traffic INPUT has configured!" ;;
        *) INPUT_ACCEPT=1; info "Iptables: loopback traffic INPUT is not configured!" ;;
    esac
    # Check the loopback interface to accept OUTPUT traffic.
    ensure_lo_traffic_output_is_accept "$IP4VERSION"
    case "$FNRET" in
        0) OUTPUT_ACCEPT=0; info "Iptables loopback traffic OUTPUT has configured!" ;;
        *) OUTPUT_ACCEPT=1; info "Iptables: loopback traffic OUTPUT is not configured!" ;;
    esac
    # all other interfaces to deny traffic to the loopback network.
    ensure_lo_traffic_other_if_input_is_deny "$IP4VERSION"
    case "$FNRET" in
        0) INPUT_DENY=0; info "Iptables loopback traffic INPUT deny from other interfaces has configured!" ;;
        *) INPUT_DENY=1; info "Iptables: loopback traffic INPUT deny from other interfaces is not configured!" ;;
    esac
    if [ "$INPUT_ACCEPT" -eq 0 ] && [ "$OUTPUT_ACCEPT" -eq 0 ] && [ "$INPUT_DENY" -eq 0 ]; then
        ok "Loopback traffic rules are configured!"
    else
        crit "Loopback traffic rules are not configured!"
    fi
}
# This function will be called if the script status is on enabled mode
# Enabled mode: nothing is applied automatically. For nftables the code in
# FNRET (10/11) is reported; for iptables each of the three flags set by
# audit() is reported separately, with the rule the administrator should add.
apply () {
    case "$FNRET" in
        10)
            ok "nftables loopback traffic INPUT/OUTPUT/deny-other-loopback-interfaces has configured!"
            ;;
        11)
            warn "nftables loopback traffic INPUT/OUTPUT/deny-other-loopback-interfaces is not configured! Need the administrator to manually add it. "
            ;;
        *)
            if [ "$INPUT_ACCEPT" = 0 ]; then
                ok "Iptables loopback traffic INPUT has configured!"
            else
                warn "Iptables loopback traffic INPUT is not configured! Need the administrator to manually add it. Howto set: iptables -A INPUT -i lo -j ACCEPT"
            fi
            if [ "$OUTPUT_ACCEPT" = 0 ]; then
                ok "Iptables loopback traffic OUTPUT has configured!"
            else
                warn "Iptables loopback traffic OUTPUT is not configured! Need the administrator to manually add it. Howto set: iptables -A OUTPUT -o lo -j ACCEPT"
            fi
            if [ "$INPUT_DENY" = 0 ]; then
                ok "Iptables loopback traffic INPUT deny from other interfaces has configured!"
            else
                warn "Iptables loopback traffic INPUT deny from 127.0.0.0/8 is not configured! Need the administrator to manually add it. Howto set: iptables -A INPUT -s 127.0.0.0/8 -j DROP"
            fi
            ;;
    esac
}
# This function will check config parameters required
# No configuration parameters are required for this check; always succeeds.
check_config() {
    return 0
}
# Source Root Dir Parameter
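# Source Root Dir Parameter: /etc/default/cis-hardening is expected to define CIS_ROOT_DIR.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps `set -u` from aborting with "unbound variable" when the
# config file is absent, so the explanatory message below is actually reached.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi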
================================================
FILE: bin/hardening/7.7.4.3_ensure_firewall_rules_exist_for_all_open_ports.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9/10/11/12/13 Hardening
#
#
# 7.7.4.3 Ensure firewall rules exist for all open ports (Scored)
# Add this feature:Author : Samson wen, Samson
#
# errexit is left off in this file (commented out upstream); only unset
# variables abort the script.
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Path of the iptables binary; empty when it is not on PATH.
IPS4=$(command -v iptables)
PACKAGE_NFT='nftables'
# Scratch files: the listening-socket dump and the "PROTO PORT" pairs that
# have no matching rule (audit() writes the latter, apply() consumes it).
NETLISTENLIST="/dev/shm/7.7.4.3"
PROTO_PORT="/dev/shm/proto_port_pair"
# This function will be called if the script status is on enabled / audit mode
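# Audit mode: every IPv4 tcp/udp listening socket must be covered by an
# INPUT accept rule.
#   iptables (ISNFTABLES=1): "-A INPUT -p PROTO ... --dport PORT -m state --state NEW -j ACCEPT"
#   nftables (ISNFTABLES=0): a "dport PORT ... new ... accept" line in chain ip filter INPUT
# Sets ISNFTABLES for apply(). Uncovered "PROTO PORT" pairs are appended to
# PROTO_PORT, which is re-pointed at a fresh mktemp file: the fixed,
# predictable path under world-writable /dev/shm could be pre-created (or
# symlinked) by another local user before this root-run script appended to it.
# The file is removed again when every listener is covered so apply()'s
# `-f` test keeps its meaning. The listening-socket dump is a private temp
# file as well. Requires netstat (net-tools); `ss` has a different column layout.
audit () {
    local listen_list proto_type local_addr listen_port
    is_pkg_installed "$PACKAGE_NFT"
    if [ "$FNRET" != 0 ]; then
        ISNFTABLES=1
    else
        ISNFTABLES=0
    fi
    # For ipv4: `-w` keeps "tcp"/"udp" and drops the "tcp6"/"udp6" lines.
    listen_list=$(mktemp) || return 1
    PROTO_PORT=$(mktemp) || { rm -f -- "$listen_list"; return 1; }
    netstat -ln | grep -Ew '^tcp|^udp' > "$listen_list"
    # Columns: proto recv-q send-q local-address ...; the port follows the last ':'.
    while read -r proto_type _ _ local_addr _; do
        listen_port=${local_addr##*:}
        if [ "$ISNFTABLES" = 1 ]; then
            if [ "$($IPS4 -S | grep "^\-A INPUT \-p $proto_type" | grep -c "\-\-dport $listen_port \-m state \-\-state NEW \-j ACCEPT")" -ge 1 ]; then
                info "Service: protocol $proto_type listening port $listen_port was set firewall rules."
            else
                echo "${proto_type} ${listen_port}" >> "$PROTO_PORT"
                info "Service: protocol $proto_type listening port $listen_port is not set firewall rules."
            fi
        else
            if [ "$(nft list chain ip filter INPUT 2>/dev/null | grep -c "dport.*$listen_port.*new.*accept")" -ge 1 ]; then
                info "Service: protocol $proto_type listening port $listen_port was set firewall(nft) rules."
            else
                echo "${proto_type} ${listen_port}" >> "$PROTO_PORT"
                info "Service: protocol $proto_type listening port $listen_port is not set firewall(nft) rules."
            fi
        fi
    done < "$listen_list"
    rm -f -- "$listen_list"
    # No uncovered listener recorded: drop the result file.
    if [ ! -s "$PROTO_PORT" ]; then
        rm -f -- "$PROTO_PORT"
    fi
    if [ "$ISNFTABLES" = 1 ]; then
        if [ -f "$PROTO_PORT" ]; then
            crit "Iptables is not set firewall rules exist for all open ports!"
        else
            ok "Iptables has set firewall rules exist for all open ports!"
        fi
    else
        if [ -f "$PROTO_PORT" ]; then
            crit "Nftables is not set firewall rules exist for all open ports!"
        else
            ok "Nftables has set firewall rules exist for all open ports!"
        fi
    fi
}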
# This function will be called if the script status is on enabled mode
# Enabled mode: nothing is applied automatically. If audit() left a PROTO_PORT
# file, warn once per uncovered "PROTO PORT" pair and delete the file;
# otherwise report success for the stack audit() detected (ISNFTABLES).
apply () {
    local proto_type listen_port
    if [ ! -f "$PROTO_PORT" ]; then
        if [ "$ISNFTABLES" = 1 ]; then
            ok "Iptables has set firewall rules exist for all open ports!"
        else
            ok "Nftables has set firewall rules exist for all open ports!"
        fi
        return
    fi
    while read -r proto_type listen_port _; do
        if [ "$ISNFTABLES" = 1 ]; then
            warn "Service: protocol $proto_type listening port $listen_port is not set firewall rules, need the administrator to manually add it. Howto set: iptables -A INPUT -p --dport -m state --state NEW -j ACCEPT"
        else
            warn "Service: protocol $proto_type listening port $listen_port is not set firewall rules, need the administrator to manually add it. "
        fi
    done < "$PROTO_PORT"
    rm -f -- "$PROTO_PORT"
}
# This function will check config parameters required
# No configuration parameters are required for this check; always succeeds.
check_config() {
    return 0
}
# Source Root Dir Parameter
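# Source Root Dir Parameter: /etc/default/cis-hardening is expected to define CIS_ROOT_DIR.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps `set -u` from aborting with "unbound variable" when the
# config file is absent, so the explanatory message below is actually reached.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi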
================================================
FILE: bin/hardening/7.7.4.4_ensure_outbound_and_established_connections_are_configured.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9/10/11/12/13 Hardening
#
#
# 7.7.4.4 Ensure outbound and established connections are configured (Not Scored)
# Add this feature:Author : Samson wen, Samson
#
#set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
RET_VALUE1=1                   # INPUT/ESTABLISHED check result; audit() sets 0 when the rule is found (iptables path)
RET_VALUE2=1                   # outbound check result; audit() sets 0 when the rule is found (iptables path)
PROTOCOL_LIST="tcp udp icmp"   # protocols audit() iterates over
IP4VERSION="IPS4"              # second argument to the check_* lib helpers (presumably selects the IPv4 tool)
PACKAGE_NFT='nftables'         # if installed, audit() takes the nft code path instead of iptables
# This function will be called if the script status is on enabled / audit mode
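audit () {
    # FNRET != 0 from is_pkg_installed means nftables is absent, so the
    # iptables helpers from the lib are used (IS_NFT=1 reads inverted).
    is_pkg_installed "$PACKAGE_NFT"
    if [ "$FNRET" != 0 ]; then
        IS_NFT=1
    else
        IS_NFT=0
    fi
    for protocol in $PROTOCOL_LIST
    do
        if [ "$IS_NFT" = 1 ]; then
            # Check INPUT with ESTABLISHED is config
            check_input_with_established_is_accept "${protocol}" "$IP4VERSION"
            if [ "$FNRET" = 0 ]; then
                RET_VALUE1=0
                info "Portocol $protocol INPUT is conf"
            else
                RET_VALUE1=1
                info "Portocol $protocol INPUT is not conf"
                break   # one missing protocol is enough to fail the check
            fi
            # Check outbound is config
            check_outbound_connect_is_accept "${protocol}" "$IP4VERSION"
            if [ "$FNRET" = 0 ]; then
                RET_VALUE2=0
                info "Portocol $protocol outbound is conf"
            else
                RET_VALUE2=1
                info "Portocol $protocol outbound is not conf"
                break
            fi
        else
            # NOTE(review): this branch returns after the first protocol in
            # PROTOCOL_LIST, so on nftables only "tcp" is ever inspected. The
            # grep is a heuristic as well: a protocol-agnostic
            # "ct state established accept" rule does not contain the protocol
            # name and is reported as missing.
            if [ "$(nft list chain ip filter INPUT 2>/dev/null | grep -c "${protocol}.*established.*accept")" -ge 1 ] \
               && [ "$(nft list chain ip filter OUTPUT 2>/dev/null | grep -c "${protocol}.*established.*accept")" -ge 1 ]; then
                ok "Portocol $protocol INPUT was conf(nft). Outbound and established connections are configured!"
                FNRET=10
            else
                crit "Portocol $protocol INPUT is not conf(nft). Outbound and established connections are not configured!"
                FNRET=11
            fi
            return
        fi
    done
    # Both rules must have been found for every protocol; FNRET 0/1 is what apply() reads.
    if [ "$RET_VALUE1" -eq 0 ] && [ "$RET_VALUE2" -eq 0 ]; then
        ok "Outbound and established connections are configured!"
        FNRET=0
    else
        crit "Outbound and established connections are not configured!"
        FNRET=1
    fi
}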
# This function will be called if the script status is on enabled mode
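apply () {
    # Reporting only. audit() encodes its verdict in FNRET: 0/1 for the
    # iptables path, 10/11 for the nft path; $protocol is audit()'s last loop value.
    case "$FNRET" in
        0)
            ok "Portocol $protocol INPUT was conf. Outbound and established connections are configured!" ;;
        1)
            # Was labelled "(nft)" although FNRET=1 comes from the iptables path.
            warn "Portocol $protocol INPUT is not conf. Outbound and established connections are not configured!" ;;
        10)
            ok "Portocol $protocol INPUT was conf(nft). Outbound and established connections are configured!" ;;
        11)
            warn "Portocol $protocol INPUT is not conf(nft). Outbound and established connections are not configured!" ;;
        *)
            : ;;
    esac
}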
# This function will check config parameters required
check_config() {
    # No tunable parameters for this check: nothing to validate.
    true
}
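# Source Root Dir Parameter
# NOTE: both files below are executed as shell code with this script's
# privileges; they must stay root-owned and not writable by other users.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# "${CIS_ROOT_DIR:-}": under 'set -u' a bare "$CIS_ROOT_DIR" aborts with bash's
# unbound-variable error before the message and 'exit 128' below can run.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi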
================================================
FILE: bin/hardening/7.7.5.1_ensure_default_deny_firewall_policy_for_v6.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9/10/11/12/13 Hardening
#
#
# 7.7.5.1 Ensure default deny firewall policy for v6 (Scored)
# for ipv6
# Add this feature:Author : Samson wen, Samson
#
#set -e # One error, it's over
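set -u # One variable unset, it's over
HARDENING_LEVEL=2
# 'command -v' is the POSIX builtin; 'which' is an external tool that Debian's
# debianutils marks deprecated. Empty when ip6tables is not on PATH.
IPS6=$(command -v ip6tables)
IPV6_ENABLE=1          # overwritten in audit() from check_ipv6_is_enable (0 = enabled)
PACKAGE_NFT='nftables' # if installed, audit() inspects nft instead of ip6tables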
# This function will be called if the script status is on enabled / audit mode
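audit () {
    check_ipv6_is_enable
    IPV6_ENABLE=$FNRET   # 0 = IPv6 enabled; apply() reads this too
    if [ "$IPV6_ENABLE" -eq 0 ]; then
        is_pkg_installed "$PACKAGE_NFT"
        if [ "$FNRET" != 0 ]; then
            # nftables absent: inspect ip6tables. Default deny means all three
            # built-in chains carry policy DROP.
            # NOTE(review): $IPS6 is empty when ip6tables is not on PATH; the
            # command then fails and the check reports "not default deny".
            if [ "$("$IPS6" -S | grep -c "\-P INPUT DROP")" -eq 0 ] \
               || [ "$("$IPS6" -S | grep -c "\-P OUTPUT DROP")" -eq 0 ] \
               || [ "$("$IPS6" -S | grep -c "\-P FORWARD DROP")" -eq 0 ]; then
                crit "Ip6tables: Firewall policy is not default deny!"
                FNRET=1
            else
                ok "Ip6tables has set default deny for firewall policy!"
                FNRET=0
            fi
        else
            # nft: the grep expects the chain's hook line ("... hook input ...; policy drop;").
            # NOTE(review): only table "ip6 filter" with chains INPUT/OUTPUT/FORWARD is
            # inspected (the iptables-nft layout); a native ruleset in "table inet filter"
            # or with lowercase chain names is invisible to this check.
            # FNRET 10/11 distinguish the nft verdict from the ip6tables one in apply().
            if [ "$(nft list chain ip6 filter INPUT 2>/dev/null | grep -c 'input.*policy.*drop')" -eq 0 ] \
               || [ "$(nft list chain ip6 filter OUTPUT 2>/dev/null | grep -c 'output.*policy.*drop')" -eq 0 ] \
               || [ "$(nft list chain ip6 filter FORWARD 2>/dev/null | grep -c 'forward.*policy.*drop')" -eq 0 ]; then
                crit "nftables's ipv6: Firewall policy is not default deny!"
                FNRET=11
            else
                ok "nftables's ipv6 has set default deny for firewall policy!"
                FNRET=10
            fi
        fi
    else
        ok "Ipv6 has set disabled, so pass."
        FNRET=0
    fi
}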
# This function will be called if the script status is on enabled mode
apply () {
    # Reporting only: FNRET 0/1 is the ip6tables verdict and 10/11 the nft
    # verdict left by audit(); the policy change itself is manual.
    if [ "$IPV6_ENABLE" -eq 0 ]; then
        case "$FNRET" in
            0)  ok "Ip6tables has set default deny for firewall policy!" ;;
            1)  warn "Ip6tables is not set default deny for firewall policy! need the administrator to manually add it. Howto set: ip6tables -P INPUT DROP; ip6tables -P OUTPUT DROP; ip6tables -P FORWARD DROP." ;;
            10) ok "nftables's ipv6 has set default deny for firewall policy!" ;;
            11) warn "nftables's ipv6: Firewall policy is not default deny!" ;;
        esac
    else
        ok "Ipv6 has set disabled, so pass."
    fi
}
# This function will check config parameters required
check_config() {
    # No tunable parameters for this check: nothing to validate.
    true
}
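# Source Root Dir Parameter
# NOTE: both files below are executed as shell code with this script's
# privileges; they must stay root-owned and not writable by other users.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# "${CIS_ROOT_DIR:-}": under 'set -u' a bare "$CIS_ROOT_DIR" aborts with bash's
# unbound-variable error before the message and 'exit 128' below can run.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi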
================================================
FILE: bin/hardening/7.7.5.2_ensure_loopback_traffic_is_configured_for_v6.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9/10/11/12/13 Hardening
#
#
# 7.7.5.2 Ensure loopback traffic is configured for v6 (Scored)
# For ipv6
# Add this feature:Author : Samson wen, Samson
#
#set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
INPUT_ACCEPT=1         # "lo accepts INPUT" rule; audit() sets 0 when found (ip6tables path)
OUTPUT_ACCEPT=1        # "lo accepts OUTPUT" rule; audit() sets 0 when found (ip6tables path)
INPUT_DENY=1           # "other interfaces may not reach the loopback net" rule; audit() sets 0 when found
IP6VERSION="IPS6"      # argument to the ensure_lo_traffic_* lib helpers (presumably selects ip6tables)
IPV6_ENABLE=1          # overwritten in audit() from check_ipv6_is_enable (0 = enabled)
PACKAGE_NFT='nftables' # if installed, audit() inspects nft instead of ip6tables
# This function will be called if the script status is on enabled / audit mode
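audit () {
    check_ipv6_is_enable
    IPV6_ENABLE=$FNRET   # 0 = IPv6 enabled; apply() reads this too
    if [ "$IPV6_ENABLE" -eq 0 ]; then
        is_pkg_installed "$PACKAGE_NFT"
        if [ "$FNRET" != 0 ]; then
            # nftables absent: use the ip6tables helpers from the lib.
            # Check the loopback interface to accept INPUT traffic.
            ensure_lo_traffic_input_is_accept "$IP6VERSION"
            if [ "$FNRET" = 0 ]; then
                INPUT_ACCEPT=0
                info "Ip6tables loopback traffic INPUT has configured!"
            else
                INPUT_ACCEPT=1
                info "Ip6tables: loopback traffic INPUT is not configured!"
            fi
            # Check the loopback interface to accept OUTPUT traffic.
            ensure_lo_traffic_output_is_accept "$IP6VERSION"
            if [ "$FNRET" = 0 ]; then
                OUTPUT_ACCEPT=0
                info "Ip6tables loopback traffic OUTPUT has configured!"
            else
                OUTPUT_ACCEPT=1
                info "Ip6tables: loopback traffic OUTPUT is not configured!"
            fi
            # all other interfaces to deny traffic to the loopback network.
            ensure_lo_traffic_other_if_input_is_deny "$IP6VERSION"
            if [ "$FNRET" = 0 ]; then
                INPUT_DENY=0
                info "Ip6tables loopback traffic INPUT deny from other interfaces has configured!"
            else
                INPUT_DENY=1
                info "Ip6tables: loopback traffic INPUT deny from other interfaces is not configured!"
            fi
            # All three rules are required. The previous test compared
            # OUTPUT_ACCEPT twice and never looked at INPUT_DENY, so a missing
            # "deny loopback-net from other interfaces" rule passed silently.
            # FNRET 0/1 is set for apply(), as the sibling checks do.
            if [ "$INPUT_ACCEPT" -eq 0 ] && [ "$OUTPUT_ACCEPT" -eq 0 ] && [ "$INPUT_DENY" -eq 0 ]; then
                ok "Loopback traffic rules were configured for v6!"
                FNRET=0
            else
                crit "Loopback traffic rules are not configured for v6!"
                FNRET=1
            fi
        else
            # nft path. NOTE(review): the third grep requires a drop of
            # "saddr fe80::/64" (link-local), whereas the ip6tables howto in
            # apply() drops source ::1; confirm which rule this check is meant
            # to require.
            if [ "$(nft list chain ip6 filter INPUT 2>/dev/null | grep -c 'lo.*accept')" -gt 0 ] \
               && [ "$(nft list chain ip6 filter OUTPUT 2>/dev/null | grep -c 'lo.*accept')" -gt 0 ] \
               && [ "$(nft list chain ip6 filter INPUT 2>/dev/null | grep -c 'saddr.*fe80::/64.*drop')" -gt 0 ]; then
                ok "nftables's ipv6 loopback traffic INPUT/OUTPUT/deny-other-loopback-interfaces has configured!"
                FNRET=10
            else
                crit "nftables's ipv6 loopback traffic INPUT/OUTPUT/deny-other-loopback-interfaces is not configured!"
                FNRET=11
            fi
        fi
    else
        ok "Ipv6 has set disabled, so pass."
    fi
}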
# This function will be called if the script status is on enabled mode
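apply () {
    # Reporting only. FNRET 10/11 is the nft verdict from audit(); any other
    # value means the ip6tables path ran and INPUT_ACCEPT/OUTPUT_ACCEPT/INPUT_DENY
    # carry the per-rule results (0 = rule present).
    if [ "$IPV6_ENABLE" -eq 0 ]; then
        case "$FNRET" in
            10) ok "nftables's ipv6 loopback traffic INPUT/OUTPUT/deny-other-loopback-interfaces has configured!" ;;
            11) warn "nftables's ipv6 loopback traffic INPUT/OUTPUT/deny-other-loopback-interfaces is not configured!" ;;
            *)
                if [ "$INPUT_ACCEPT" = 0 ]; then
                    ok "Ip6tables loopback traffic INPUT has configured!"
                else
                    warn "Ip6tables loopback traffic INPUT is not configured! need the administrator to manually add it. Howto set: ip6tables -A INPUT -i lo -j ACCEPT"
                fi
                if [ "$OUTPUT_ACCEPT" = 0 ]; then
                    ok "Ip6tables loopback traffic OUTPUT has configured!"
                else
                    warn "Ip6tables loopback traffic OUTPUT is not configured! need the administrator to manually add it. Howto set: ip6tables -A OUTPUT -o lo -j ACCEPT"
                fi
                if [ "$INPUT_DENY" = 0 ]; then
                    ok "Ip6tables loopback traffic INPUT deny from other interfaces has configured!"
                else
                    # The message named "127.0.0.0/8" (the IPv4 loopback net);
                    # this is the v6 check and the howto drops source ::1.
                    warn "Ip6tables loopback traffic INPUT deny from ::1 is not configured! need the administrator to manually add it. Howto set: ip6tables -A INPUT -s ::1 -j DROP"
                fi ;;
        esac
    else
        ok "Ipv6 has set disabled, so pass."
    fi
}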
# This function will check config parameters required
check_config() {
    # No tunable parameters for this check: nothing to validate.
    true
}
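# Source Root Dir Parameter
# NOTE: both files below are executed as shell code with this script's
# privileges; they must stay root-owned and not writable by other users.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# "${CIS_ROOT_DIR:-}": under 'set -u' a bare "$CIS_ROOT_DIR" aborts with bash's
# unbound-variable error before the message and 'exit 128' below can run.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi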
================================================
FILE: bin/hardening/7.7.5.3_ensure_firewall_rules_exist_for_all_open_ports_for_v6.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9/10/11/12/13 Hardening
#
#
# 7.7.5.3 Ensure firewall rules exist for all open ports for v6 (Scored)
# For ipv6
# Add this feature:Author : Samson wen, Samson
#
#set -e # One error, it's over
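set -u # One variable unset, it's over
HARDENING_LEVEL=2
# 'command -v' is the POSIX builtin; 'which' is an external tool that Debian's
# debianutils marks deprecated. Empty when ip6tables is not on PATH.
IPS6=$(command -v ip6tables)
IPV6_ENABLE=1          # overwritten in audit() from check_ipv6_is_enable (0 = enabled)
PACKAGE_NFT='nftables' # if installed, audit() inspects nft instead of ip6tables
# Scratch files shared between audit() (writer) and apply() (reader).
# NOTE(review): these are fixed, predictable names in the (normally
# world-writable) /dev/shm, used by a root-run script as 'rm -f' followed by
# '>>'. A local user can re-create them (e.g. as a symlink) between those two
# steps; a per-run mktemp path in a root-only directory would close that window.
NETLISTENLIST="/dev/shm/7.7.5.3"
PROTO_PORT="/dev/shm/proto_port_pair_v6"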
# This function will be called if the script status is on enabled / audit mode
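audit () {
    # FNRET != 0 from is_pkg_installed means nftables is NOT installed, so
    # ISNFTABLES=1 selects the ip6tables path (the name reads inverted).
    is_pkg_installed "$PACKAGE_NFT"
    if [ "$FNRET" != 0 ]; then
        ISNFTABLES=1
    else
        ISNFTABLES=0
    fi
    # Start from clean scratch files; apply() reads $PROTO_PORT afterwards.
    rm -f "$NETLISTENLIST"
    rm -f "$PROTO_PORT"
    check_ipv6_is_enable
    IPV6_ENABLE=$FNRET
    # For ipv6
    if [ "$IPV6_ENABLE" -eq 0 ]; then
        # Listening IPv6 sockets only (egrep is deprecated in favour of grep -E).
        netstat -ln | grep -Ew '^tcp6|^udp6' > "$NETLISTENLIST"
        # Redirect into the loop instead of 'cat |' so the body is not a subshell.
        while read -r LISTENING
        do
            [ -n "$LISTENING" ] || continue
            PROTO_TYPE=$(echo "${LISTENING}" | awk '{print $1}')
            # netstat reports tcp6/udp6; the firewall rules name tcp/udp.
            case "$PROTO_TYPE" in
                tcp6) PROTO_TYPE="tcp" ;;
                udp6) PROTO_TYPE="udp" ;;
            esac
            # Local address is column 4 (":::port" or "[addr]:port"); the port is the last ':' field.
            LISTEN_PORT=$(echo "${LISTENING}" | awk '{print $4}' | awk -F: '{print $NF}')
            if [ "$ISNFTABLES" = 1 ]; then
                # NOTE(review): only the exact CIS rule shape
                # "-A INPUT -p <proto> ... --dport <port> -m state --state NEW -j ACCEPT"
                # is recognised; rules using "-m conntrack --ctstate NEW" or
                # "--dports" are reported as missing.
                if [ "$("$IPS6" -S 2>/dev/null | grep "^\-A INPUT \-p $PROTO_TYPE" | grep -c "\-\-dport $LISTEN_PORT \-m state \-\-state NEW \-j ACCEPT")" -ge 1 ]; then
                    info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set ipv6 firewall rules."
                else
                    echo "${PROTO_TYPE} ${LISTEN_PORT}" >> "$PROTO_PORT"
                    info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set ipv6 firewall rules."
                fi
            else
                # NOTE(review): the nft grep pins neither the protocol nor the port
                # boundaries, so a rule for dport 2222 also satisfies port 22.
                if [ "$(nft list chain ip6 filter INPUT 2>/dev/null | grep -c "dport.*$LISTEN_PORT.*new.*accept")" -ge 1 ]; then
                    info "Service(nft): protocol $PROTO_TYPE listening port $LISTEN_PORT was set firewall(nft) rules."
                else
                    echo "${PROTO_TYPE} ${LISTEN_PORT}" >> "$PROTO_PORT"
                    info "Service(nft): protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall(nft) rules."
                fi
            fi
        done < "$NETLISTENLIST"
        rm -f "$NETLISTENLIST"
        # $PROTO_PORT exists only if at least one listening port had no rule.
        if [ "$ISNFTABLES" = 1 ]; then
            if [ -f "$PROTO_PORT" ]; then
                crit "Ip6tables is not set firewall rules exist for all open ports!"
            else
                ok "Ip6tables has set firewall rules exist for all open ports!"
            fi
        else
            if [ -f "$PROTO_PORT" ]; then
                crit "Nftables is not set firewall rules exist for all open ports!"
            else
                ok "Nftables has set firewall rules exist for all open ports!"
            fi
        fi
    else
        ok "Ipv6 has set disabled, so pass."
    fi
}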
# This function will be called if the script status is on enabled mode
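apply () {
    # Reporting only: audit() leaves one "<proto> <port>" line per listening
    # IPv6 socket that has no matching INPUT rule in $PROTO_PORT. Adding the
    # rules is left to the administrator.
    if [ "$IPV6_ENABLE" -eq 0 ]; then
        if [ -f "$PROTO_PORT" ]; then
            # Redirect into the loop (no 'cat |') so the body is not a subshell.
            while read -r PROTO_TYPE LISTEN_PORT _
            do
                [ -n "$PROTO_TYPE" ] || continue
                if [ "$ISNFTABLES" = 1 ]; then
                    # The howto now carries the real protocol/port; it used to
                    # print "-p --dport" with the values missing.
                    warn "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules, need the administrator to manually add it. Howto set: ip6tables -A INPUT -p $PROTO_TYPE --dport $LISTEN_PORT -m state --state NEW -j ACCEPT"
                else
                    warn "Nftables Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules, need the administrator to manually add it. "
                fi
            done < "$PROTO_PORT"
            rm -f "$PROTO_PORT"
        else
            # ISNFTABLES=1 means the nftables package is NOT installed (ip6tables path).
            if [ "$ISNFTABLES" = 1 ]; then
                ok "Ip6tables has set firewall rules exist for all open ports!"
            else
                ok "Nftables'ip6 has set firewall rules exist for all open ports!"
            fi
        fi
    else
        ok "Ipv6 has set disabled, so pass."
    fi
}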
# This function will check config parameters required
check_config() {
    # No tunable parameters for this check: nothing to validate.
    true
}
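# Source Root Dir Parameter
# NOTE: both files below are executed as shell code with this script's
# privileges; they must stay root-owned and not writable by other users.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# "${CIS_ROOT_DIR:-}": under 'set -u' a bare "$CIS_ROOT_DIR" aborts with bash's
# unbound-variable error before the message and 'exit 128' below can run.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi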
================================================
FILE: bin/hardening/7.7.5.4_ensure_outbound_and_established_connections_are_configured_for_v6.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9/10/11/12/13 Hardening
#
#
# 7.7.5.4 Ensure outbound and established connections are configured for v6 (Not Scored)
# For ipv6
# Add this feature:Author : Samson wen, Samson
#
#set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
PROTOCOL_LIST="tcp udp icmp"   # protocols audit() iterates over
IP6VERSION="IPS6"              # second argument to the check_* lib helpers (presumably selects ip6tables)
IPV6_ENABLE=1                  # overwritten in audit() from check_ipv6_is_enable (0 = enabled)
RET_VALUE1=1                   # INPUT/ESTABLISHED check result; audit() sets 0 when found (ip6tables path)
RET_VALUE2=1                   # outbound check result; audit() sets 0 when found (ip6tables path)
PACKAGE_NFT='nftables'         # if installed, audit() takes the nft code path instead of ip6tables
# This function will be called if the script status is on enabled / audit mode
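audit () {
    # FNRET != 0 from is_pkg_installed means nftables is absent, so the
    # ip6tables helpers from the lib are used (IS_NFT=1 reads inverted).
    is_pkg_installed "$PACKAGE_NFT"
    if [ "$FNRET" != 0 ]; then
        IS_NFT=1
    else
        IS_NFT=0
    fi
    check_ipv6_is_enable
    IPV6_ENABLE=$FNRET   # 0 = IPv6 enabled; apply() reads this too
    if [ "$IPV6_ENABLE" -eq 0 ]; then
        for protocol in $PROTOCOL_LIST
        do
            if [ "$IS_NFT" = 1 ]; then
                # Check INPUT with ESTABLISHED is config
                check_input_with_established_is_accept "${protocol}" "$IP6VERSION"
                if [ "$FNRET" = 0 ]; then
                    RET_VALUE1=0
                    info "Portocol $protocol INPUT is conf"
                else
                    RET_VALUE1=1
                    info "Portocol $protocol INPUT is not conf"
                    # Stop at the first missing protocol (as the IPv4 check
                    # 7.7.4.4 does). Without this break RET_VALUE1/2 reflected
                    # only the LAST protocol in PROTOCOL_LIST, so a missing tcp
                    # rule was masked by a present icmp rule.
                    break
                fi
                # Check outbound is config
                check_outbound_connect_is_accept "${protocol}" "$IP6VERSION"
                if [ "$FNRET" = 0 ]; then
                    RET_VALUE2=0
                    info "Portocol $protocol outbound is conf"
                else
                    RET_VALUE2=1
                    info "Portocol $protocol outbound is not conf"
                    break
                fi
            else
                # NOTE(review): returns after the first protocol, so on nftables
                # only "tcp" is ever inspected; a protocol-agnostic
                # "ct state established accept" rule does not match this grep.
                if [ "$(nft list chain ip6 filter INPUT 2>/dev/null | grep -c "${protocol}.*established.*accept")" -ge 1 ] \
                   && [ "$(nft list chain ip6 filter OUTPUT 2>/dev/null | grep -c "${protocol}.*established.*accept")" -ge 1 ]; then
                    ok "Nftables's ipv6 Portocol $protocol INPUT was conf(nft). Outbound and established connections are configured!"
                    FNRET=10
                else
                    crit "Nftables's ipv6 Portocol $protocol INPUT is not conf(nft). Outbound and established connections are not configured!"
                    FNRET=11
                fi
                return
            fi
        done
        # Both rules must have been found for every protocol; FNRET 0/1 is what apply() reads.
        if [ "$RET_VALUE1" -eq 0 ] && [ "$RET_VALUE2" -eq 0 ]; then
            ok "Outbound and established connections are configured for v6."
            FNRET=0
        else
            crit "Outbound and established connections are not configured for v6."
            FNRET=1
        fi
    else
        ok "Ipv6 has set disabled, so pass."
    fi
}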
# This function will be called if the script status is on enabled mode
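apply () {
    # Reporting only. FNRET from audit(): 0/1 = ip6tables verdict, 10/11 = nft
    # verdict; $protocol is audit()'s last loop value.
    if [ "$IPV6_ENABLE" -eq 0 ]; then
        case "$FNRET" in
            0)  ok "Portocol $protocol INPUT was conf. Outbound and established connections are configured!" ;;
            1)  # Was labelled "(nft)" although FNRET=1 comes from the ip6tables path.
                warn "Portocol $protocol INPUT is not conf. Outbound and established connections are not configured!" ;;
            10) ok "Portocol $protocol INPUT was conf(nft). Outbound and established connections are configured!" ;;
            11) warn "Nftables's ipv6 Portocol $protocol INPUT is not conf(nft). Outbound and established connections are not configured!" ;;
        esac
    else
        ok "Ipv6 has set disabled, so pass."
    fi
}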
# This function will check config parameters required
check_config() {
    # No tunable parameters for this check: nothing to validate.
    true
}
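# Source Root Dir Parameter
# NOTE: both files below are executed as shell code with this script's
# privileges; they must stay root-owned and not writable by other users.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# "${CIS_ROOT_DIR:-}": under 'set -u' a bare "$CIS_ROOT_DIR" aborts with bash's
# unbound-variable error before the message and 'exit 128' below can run.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi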
================================================
FILE: bin/hardening/8.0_enable_auditd_kernel.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 8.0 Ensure CONFIG_AUDIT is enabled in your running kernel
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=4
# Note : Not part of the CIS guide, but what's the point of configuring software not compatible with your kernel? :)
KERNEL_OPTION="CONFIG_AUDIT"   # kernel config symbol passed to is_kernel_option_enabled; auditd needs it
# This function will be called if the script status is on enabled / audit mode
audit () {
    # is_kernel_option_enabled reports through FNRET; 0 means the option is set.
    is_kernel_option_enabled "$KERNEL_OPTION"
    case "$FNRET" in
        0) ok "$KERNEL_OPTION is enabled" ;;
        *) crit "$KERNEL_OPTION is disabled, auditd will not work" ;;
    esac
}
# This function will be called if the script status is on enabled mode
apply () {
    # The kernel configuration cannot be changed from here: report, and when
    # the option is off tell the operator a kernel rebuild is required.
    is_kernel_option_enabled "$KERNEL_OPTION"
    case "$FNRET" in
        0) ok "$KERNEL_OPTION is enabled" ;;
        *) warn "I cannot fix $KERNEL_OPTION disabled, to make auditd work, recompile your kernel please" ;;
    esac
}
# This function will check config parameters required
check_config() {
    # No tunable parameters for this check: nothing to validate.
    true
}
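# Source Root Dir Parameter
# NOTE: both files below are executed as shell code with this script's
# privileges; they must stay root-owned and not writable by other users.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# "${CIS_ROOT_DIR:-}": under 'set -u' a bare "$CIS_ROOT_DIR" aborts with bash's
# unbound-variable error before the message and 'exit 128' below can run.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi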
================================================
FILE: bin/hardening/8.1.1.1_audit_log_storage.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 8.1.1.1 Configure Audit Log Storage Size (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=4
FILE='/etc/audit/auditd.conf'  # auditd main configuration; apply() creates it empty if missing
PATTERN='max_log_file'         # option whose presence is checked (the value itself is not validated)
VALUE=5                        # written by apply() as "max_log_file = 5" (unit per auditd.conf(5): megabytes)
# This function will be called if the script status is on enabled / audit mode
audit () {
    # Two-stage check: the file must exist, then contain an active
    # "max_log_file" line. Only presence is checked, not the value; the
    # trailing [[:space:]] keeps "max_log_file_action" from matching.
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
        return
    fi
    ok "$FILE exists, checking configuration"
    does_pattern_exist_in_file "$FILE" "^$PATTERN[[:space:]]"
    if [ "$FNRET" = 0 ]; then
        ok "$PATTERN is present in $FILE"
    else
        crit "$PATTERN is not present in $FILE"
    fi
}
# This function will be called if the script status is on enabled mode
apply () {
    # Ensure the file exists, then append "max_log_file = 5" when no active
    # max_log_file line is present. Creating an otherwise empty auditd.conf
    # is the existing behaviour; nothing else in the file is touched.
    does_file_exist "$FILE"
    case "$FNRET" in
        0) ok "$FILE exists" ;;
        *) warn "$FILE does not exist, creating it"
           touch "$FILE" ;;
    esac
    does_pattern_exist_in_file "$FILE" "^$PATTERN[[:space:]]"
    case "$FNRET" in
        0) ok "$PATTERN is present in $FILE" ;;
        *) warn "$PATTERN is not present in $FILE, adding it"
           add_end_of_file "$FILE" "$PATTERN = $VALUE" ;;
    esac
}
# This function will check config parameters required
check_config() {
    # No tunable parameters for this check: nothing to validate.
    true
}
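# Source Root Dir Parameter
# NOTE: both files below are executed as shell code with this script's
# privileges; they must stay root-owned and not writable by other users.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# "${CIS_ROOT_DIR:-}": under 'set -u' a bare "$CIS_ROOT_DIR" aborts with bash's
# unbound-variable error before the message and 'exit 128' below can run.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi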
================================================
FILE: bin/hardening/8.1.1.2_halt_when_audit_log_full.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 8.1.1.2 Disable System on Audit Log Full (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=4
FILE='/etc/audit/auditd.conf'
# "param=value" pairs enforced in $FILE. admin_space_left_action=halt is a
# deliberate availability trade-off: the host stops rather than keep running
# unaudited once the admin low-space threshold is reached (hence the title
# "Disable System on Audit Log Full"). space_left_action=email with
# action_mail_acct=root presumably needs working local mail delivery to root.
OPTIONS='space_left_action=email action_mail_acct=root admin_space_left_action=halt'
# This function will be called if the script status is on enabled / audit mode
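audit () {
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
    else
        ok "$FILE exists, checking configuration"
        # OPTIONS is a space-separated list of "param=value"; split each with
        # parameter expansion instead of two echo|cut pipelines per option.
        for AUDIT_OPTION in $OPTIONS; do
            AUDIT_PARAM=${AUDIT_OPTION%%=*}
            AUDIT_VALUE=${AUDIT_OPTION#*=}
            # Active line "param = value", tolerating whitespace around '='.
            PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
            debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
            does_pattern_exist_in_file "$FILE" "$PATTERN"
            if [ "$FNRET" != 0 ]; then
                crit "$PATTERN is not present in $FILE"
            else
                ok "$PATTERN is present in $FILE"
            fi
        done
    fi
}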
# This function will be called if the script status is on enabled mode
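apply () {
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        warn "$FILE does not exist, creating it"
        touch "$FILE"
    else
        ok "$FILE exists"
    fi
    # OPTIONS is a space-separated list of "param=value"; split each with
    # parameter expansion instead of two echo|cut pipelines per option.
    for AUDIT_OPTION in $OPTIONS; do
        AUDIT_PARAM=${AUDIT_OPTION%%=*}
        AUDIT_VALUE=${AUDIT_OPTION#*=}
        debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
        PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
        does_pattern_exist_in_file "$FILE" "$PATTERN"
        if [ "$FNRET" != 0 ]; then
            warn "$PATTERN is not present in $FILE, adding it"
            # Look for an existing assignment of this exact parameter. The '='
            # in the pattern keeps a prefix such as "^max_log_file" from matching
            # a "max_log_file_action" line: that made the code take the
            # replace branch, whose stricter regex then matched nothing, so the
            # setting was never written.
            does_pattern_exist_in_file "$FILE" "^$AUDIT_PARAM[[:space:]]*="
            if [ "$FNRET" != 0 ]; then
                info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end"
                add_end_of_file "$FILE" "$AUDIT_PARAM = $AUDIT_VALUE"
            else
                info "Parameter $AUDIT_PARAM is present but with the wrong value -- Fixing"
                replace_in_file "$FILE" "^$AUDIT_PARAM[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE"
            fi
        else
            ok "$PATTERN is present in $FILE"
        fi
    done
}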
# This function will check config parameters required
check_config() {
    # No tunable parameters for this check: nothing to validate.
    true
}
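# Source Root Dir Parameter
# NOTE: both files below are executed as shell code with this script's
# privileges; they must stay root-owned and not writable by other users.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# "${CIS_ROOT_DIR:-}": under 'set -u' a bare "$CIS_ROOT_DIR" aborts with bash's
# unbound-variable error before the message and 'exit 128' below can run.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi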
================================================
FILE: bin/hardening/8.1.1.3_keep_all_audit_logs.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 8.1.1.3 Keep All Auditing Information (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=4
FILE='/etc/audit/auditd.conf'
# keep_logs (auditd.conf(5)): rotate but never delete old audit logs, so the
# trail is preserved ("Keep All Auditing Information"). Disk usage then grows
# until something else archives the files; 8.1.1.2 decides what happens when
# space runs out.
OPTIONS='max_log_file_action=keep_logs'
# This function will be called if the script status is on enabled / audit mode
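audit () {
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
    else
        ok "$FILE exists, checking configuration"
        # OPTIONS is a space-separated list of "param=value"; split each with
        # parameter expansion instead of two echo|cut pipelines per option.
        for AUDIT_OPTION in $OPTIONS; do
            AUDIT_PARAM=${AUDIT_OPTION%%=*}
            AUDIT_VALUE=${AUDIT_OPTION#*=}
            # Active line "param = value", tolerating whitespace around '='.
            PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
            debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
            does_pattern_exist_in_file "$FILE" "$PATTERN"
            if [ "$FNRET" != 0 ]; then
                crit "$PATTERN is not present in $FILE"
            else
                ok "$PATTERN is present in $FILE"
            fi
        done
    fi
}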
# This function will be called if the script status is on enabled mode
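apply () {
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        warn "$FILE does not exist, creating it"
        touch "$FILE"
    else
        ok "$FILE exists"
    fi
    # OPTIONS is a space-separated list of "param=value"; split each with
    # parameter expansion instead of two echo|cut pipelines per option.
    for AUDIT_OPTION in $OPTIONS; do
        AUDIT_PARAM=${AUDIT_OPTION%%=*}
        AUDIT_VALUE=${AUDIT_OPTION#*=}
        debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
        PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
        does_pattern_exist_in_file "$FILE" "$PATTERN"
        if [ "$FNRET" != 0 ]; then
            warn "$PATTERN is not present in $FILE, adding it"
            # Look for an existing assignment of this exact parameter. The '='
            # in the pattern keeps a prefix such as "^max_log_file" from matching
            # a "max_log_file_action" line: that made the code take the
            # replace branch, whose stricter regex then matched nothing, so the
            # setting was never written.
            does_pattern_exist_in_file "$FILE" "^$AUDIT_PARAM[[:space:]]*="
            if [ "$FNRET" != 0 ]; then
                info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end"
                add_end_of_file "$FILE" "$AUDIT_PARAM = $AUDIT_VALUE"
            else
                info "Parameter $AUDIT_PARAM is present but with the wrong value -- Fixing"
                replace_in_file "$FILE" "^$AUDIT_PARAM[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE"
            fi
        else
            ok "$PATTERN is present in $FILE"
        fi
    done
}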
# This function will check config parameters required
check_config() {
    # No tunable parameters for this check: nothing to validate.
    true
}
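# Source Root Dir Parameter
# NOTE: both files below are executed as shell code with this script's
# privileges; they must stay root-owned and not writable by other users.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# "${CIS_ROOT_DIR:-}": under 'set -u' a bare "$CIS_ROOT_DIR" aborts with bash's
# unbound-variable error before the message and 'exit 128' below can run.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi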
================================================
FILE: bin/hardening/8.1.1.4_set_failure_mode.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9/10 or CentOS Hardening
#
#
# 8.1.1.4 Set failure mode of audit service (Scored)
# Author : Samson wen, Samson
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules'  # where apply() writes the "-f N" control line
PATTERN='failure'                      # field of "auditctl -s" output that audit() reads (running-kernel state, not the file)
SETVALUE=2                             # "-f 2": panic when the kernel cannot deliver audit events (auditctl(8)); a deliberate
                                       # "no audit, no system" stance. audit() also accepts 1 (printk); 0 (silent) is the finding.
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
crit "$FILE does not exist"
FNRET=1
else
ok "$FILE exists, checking configuration"
VALUE=$(auditctl -s | grep failure | awk '{print $2}')
if [ $VALUE -ge 1 -a $VALUE -le 2 ]; then
ok "$PATTERN value is ok in $FILE"
FNRET=0
else
crit "$PATTERN value is incorrect in $FILE"
FNRET=2
fi
fi
}
# This function will be called if the script status is on enabled mode
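apply () {
    # FNRET is audit()'s verdict: 0 ok, 1 file missing, 2 wrong failure mode.
    case "$FNRET" in
        0)
            ok "$PATTERN is present in $FILE" ;;
        1)
            warn "$FILE does not exist, creating it"
            touch "$FILE"
            # A freshly created file has no rule lines, so the original
            # "insert after the first non-comment line" sed had no line to
            # append to and the -f line was silently never written. Keep the
            # insertion point when one exists, otherwise append.
            LINENUM=$(grep -n '^[^#]' "$FILE" | awk -F: 'NR==1{print $1}')
            if [ -n "$LINENUM" ]; then
                sed -i "${LINENUM}a -f $SETVALUE" "$FILE"
            else
                add_end_of_file "$FILE" "-f $SETVALUE"
            fi ;;
        2)
            warn "$PATTERN value is incorrect in $FILE, reset it"
            # The wrong value was read from the running kernel; the file may
            # carry no -f line at all, in which case there is nothing to
            # replace and the line has to be added.
            does_pattern_exist_in_file "$FILE" "^-f"
            if [ "$FNRET" = 0 ]; then
                replace_in_file "$FILE" "^-f[[:space:]]*.*" "-f $SETVALUE"
            else
                add_end_of_file "$FILE" "-f $SETVALUE"
            fi ;;
    esac
}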
# This function will check config parameters required
check_config() {
    # No tunable parameters for this check: nothing to validate.
    true
}
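# Source Root Dir Parameter
# NOTE: both files below are executed as shell code with this script's
# privileges; they must stay root-owned and not writable by other users.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# "${CIS_ROOT_DIR:-}": under 'set -u' a bare "$CIS_ROOT_DIR" aborts with bash's
# unbound-variable error before the message and 'exit 128' below can run.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi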
================================================
FILE: bin/hardening/8.1.1.5_ensure_set_remote_server.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9/10 or CentOS Hardening
#
#
# 8.1.1.5 Ensure set remote_server for audit service (Scored)
# Author : Samson wen, Samson
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=4
PACKAGE='audispd-plugins'   # provides audisp-remote; installed by apply() when missing
PATTERN='remote_server'     # audisp-remote.conf key that must carry a value (the address itself is not auto-set)
# $FILE, the path of audisp-remote.conf, is assigned in check_config() below.
# This function will be called if the script status is on enabled / audit mode
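audit () {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" = 1 ]; then
        crit "$PACKAGE is not installed."
        FNRET=1
    else
        # $FILE is chosen in check_config() (the path differs per distribution).
        does_file_exist "$FILE"
        if [ "$FNRET" != 0 ]; then
            crit "$FILE does not exist"
            FNRET=2
        else
            ok "$FILE exists, checking configuration"
            # Count the words after '=' on active remote_server lines only.
            # Comment lines are excluded first: a commented example such as
            # "# remote_server = host" used to be counted as configured.
            VALUE=$(grep -v '^[[:space:]]*#' "$FILE" | grep "$PATTERN" | awk -F= '{print $2}' | wc -w)
            if [ "$VALUE" -gt 0 ]; then
                ok "$PATTERN value is set in $FILE"
                FNRET=0
            else
                crit "$PATTERN value not set in $FILE"
                FNRET=3
            fi
        fi
    fi
}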
# This function will be called if the script status is on enabled mode
apply () {
    # Only the missing-package case is remediated automatically; the remote
    # server address has to be chosen by the administrator. FNRET is audit()'s verdict.
    case "$FNRET" in
        0) ok "$PATTERN is present in $FILE" ;;
        1) warn "$PACKAGE is not installed, need install."
           install_package "$PACKAGE" ;;
        2) warn "$FILE is not exist, please manual check." ;;
        3) warn "$PATTERN value is incorrect in $FILE, please Manual configuration" ;;
    esac
}
# This function will check config parameters required
check_config() {
    # Pick the audisp-remote.conf location for this distribution; OS_RELEASE 3
    # stands for Ubuntu (the code is presumably assigned by the lib).
    # NOTE(review): audit 3.x also moved this file to /etc/audit/, which would
    # apply to newer Debian releases as well - confirm on Debian 11+.
    FILE='/etc/audisp/audisp-remote.conf'
    if [ "$OS_RELEASE" -eq 3 ]; then
        FILE='/etc/audit/audisp-remote.conf'
    fi
}
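# Source Root Dir Parameter
# NOTE: both files below are executed as shell code with this script's
# privileges; they must stay root-owned and not writable by other users.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# "${CIS_ROOT_DIR:-}": under 'set -u' a bare "$CIS_ROOT_DIR" aborts with bash's
# unbound-variable error before the message and 'exit 128' below can run.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi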
================================================
FILE: bin/hardening/8.1.1.6_ensure_set_encrypt_for_audit_remote.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9/10 or CentOS Hardening
#
#
# 8.1.1.6 Ensure enable_krb5 set to yes for remote audit service (Scored)
# Author : Samson wen, Samson
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=4
PACKAGE='audispd-plugins'   # provides audisp-remote; installed by apply() when missing
PATTERN='enable_krb5'       # audisp-remote.conf key read by audit()
SETVALUE='yes'              # require Kerberos for the remote audit transport (the script name ties this to
                            # encrypting it). apply() never sets it: the messages insist Kerberos be configured first.
# $FILE, the path of audisp-remote.conf, is assigned in check_config() below.
# This function will be called if the script status is on enabled / audit mode
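audit () {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" = 1 ]; then
        crit "$PACKAGE is not installed."
        FNRET=1
    else
        # $FILE is chosen in check_config() (the path differs per distribution).
        does_file_exist "$FILE"
        if [ "$FNRET" != 0 ]; then
            crit "$FILE does not exist"
            FNRET=2
        else
            ok "$FILE exists, checking configuration"
            # Active (non-comment) lines only, value stripped of whitespace so
            # "enable_krb5 = yes" compares equal to "yes" under a quoted test
            # (the old unquoted [ $VALUE == $SETVALUE ] only worked by word
            # splitting). If several lines match, VALUE spans lines and the
            # comparison fails, which is reported as an incorrect value.
            VALUE=$(grep "$PATTERN" "$FILE" | grep -v '^[[:space:]]*#' | awk -F= '{gsub(/[[:space:]]/, "", $2); print $2}')
            if [ -n "$VALUE" ]; then
                if [ "$VALUE" = "$SETVALUE" ]; then
                    ok "$PATTERN value is ok in $FILE"
                    FNRET=0
                else
                    crit "$PATTERN value is incorrect in $FILE"
                    FNRET=4
                fi
            else
                crit "$PATTERN is not exist on $FILE"
                FNRET=3
            fi
        fi
    fi
}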
# This function will be called if the script status is on enabled mode
apply () {
    # Only a missing package is remediated automatically. The value itself is
    # left to the administrator: the messages insist Kerberos be set up first.
    # FNRET is audit()'s verdict.
    case "$FNRET" in
        0) ok "$PATTERN is present in $FILE" ;;
        1) warn "$PACKAGE is not installed, need install."
           install_package "$PACKAGE" ;;
        2) warn "$FILE is not exist, please manual check." ;;
        3) warn "$PATTERN value not exist in $FILE, need manual operation set it and ensure Kerberos is correct set." ;;
        4) warn "$PATTERN value is incorrect in $FILE, need manual operation set it and ensure Kerberos is correct set." ;;
    esac
}
# This function will check config parameters required
check_config() {
    # Pick the audisp-remote.conf location for this distribution; OS_RELEASE 3
    # stands for Ubuntu (the code is presumably assigned by the lib).
    # NOTE(review): audit 3.x also moved this file to /etc/audit/, which would
    # apply to newer Debian releases as well - confirm on Debian 11+.
    FILE='/etc/audisp/audisp-remote.conf'
    if [ "$OS_RELEASE" -eq 3 ]; then
        FILE='/etc/audit/audisp-remote.conf'
    fi
}
# Source Root Dir Parameter
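if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} so that, when the defaults file is missing or does not set
# the variable, `set -u` cannot abort before the explanatory message below.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi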
================================================
FILE: bin/hardening/8.1.1.7_ensure_set_action_for_audit_storage_full.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9/10 or CentOS Hardening
#
#
# 8.1.1.7 Ensure an action is set for when the audit storage volume is full (Scored)
# Author : Samson wen, Samson
#
# Abort on the first failing command and on any reference to an unset variable.
set -eu
HARDENING_LEVEL=4
# Package whose presence is checked first, the config key looked up, and the
# value that key must carry for the check to pass.
PACKAGE='audispd-plugins'
PATTERN='disk_full_action'
SETVALUE='syslog'
# This function will be called if the script status is on enabled / audit mode
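audit () {
  # Sets FNRET: 0 value ok, 1 package missing, 2 file missing,
  # 3 key absent or empty, 4 key present with another value.
  is_pkg_installed "$PACKAGE"
  if [ "$FNRET" = 1 ]; then
    crit "$PACKAGE is not installed."
    FNRET=1
    return
  fi
  does_file_exist "$FILE"
  if [ "$FNRET" != 0 ]; then
    crit "$FILE does not exist"
    FNRET=2
    return
  fi
  ok "$FILE exists, checking configuration"
  # Effective value of PATTERN: drop comment lines (indented ones too), keep
  # only the key's own assignment, strip the whitespace around the value and
  # take the last assignment, so that exactly one word is compared below.
  # The earlier count used a case-insensitive grep while the value lookup was
  # case-sensitive; both steps now look at the same lines.
  VALUE=$(grep -v '^[[:space:]]*#' "$FILE" \
    | grep "^[[:space:]]*${PATTERN}[[:space:]]*=" \
    | awk -F= '{ v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v }' \
    | tail -n 1)
  if [ -z "$VALUE" ]; then
    crit "$PATTERN is not exist on $FILE"
    FNRET=3
  elif [ "$VALUE" = "$SETVALUE" ]; then
    ok "$PATTERN value is ok in $FILE"
    FNRET=0
  else
    crit "$PATTERN value is incorrect in $FILE"
    FNRET=4
  fi
}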
# This function will be called if the script status is on enabled mode
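apply () {
  # Dispatch on the FNRET code left by audit().
  case "$FNRET" in
    0)
      ok "$PATTERN is present in $FILE"
      ;;
    1)
      warn "$PACKAGE is not installed, need install."
      install_package "$PACKAGE"
      ;;
    2)
      warn "$FILE is not exist, please manual check."
      ;;
    3)
      warn "$PATTERN value not exist in $FILE, add it"
      add_end_of_file "$FILE" "${PATTERN} = $SETVALUE"
      ;;
    4)
      warn "$PATTERN value is incorrect in $FILE, reset it"
      # Match the key whether or not whitespace separates it from '='; the
      # previous pattern required a blank after the key, so a line such as
      # 'disk_full_action=ignore' was reported but never rewritten.
      replace_in_file "$FILE" "^[[:space:]]*${PATTERN}[[:space:]]*=.*" "${PATTERN} = $SETVALUE"
      ;;
  esac
}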
# This function will check config parameters required
check_config() {
  # OS_RELEASE 3 is Ubuntu, where the audisp-remote config lives under
  # /etc/audit; every other release keeps it under /etc/audisp.
  FILE='/etc/audisp/audisp-remote.conf'
  if [ "$OS_RELEASE" -eq 3 ]; then
    FILE='/etc/audit/audisp-remote.conf'
  fi
}
# Source Root Dir Parameter
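if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} so that, when the defaults file is missing or does not set
# the variable, `set -u` cannot abort before the explanatory message below.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi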
================================================
FILE: bin/hardening/8.1.1.8_ensure_set_action_for_net_fail.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9/10 or CentOS Hardening
#
#
# 8.1.1.8 Ensure set action for network failure on remote audit service (Scored)
# Author : Samson wen, Samson
#
# Abort on the first failing command and on any reference to an unset variable.
set -eu
HARDENING_LEVEL=4
# Package whose presence is checked first, the config key looked up, and the
# value that key must carry for the check to pass.
PACKAGE='audispd-plugins'
PATTERN='network_failure_action'
SETVALUE='syslog'
# This function will be called if the script status is on enabled / audit mode
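audit () {
  # Sets FNRET: 0 value ok, 1 package missing, 2 file missing,
  # 3 key absent or empty, 4 key present with another value.
  is_pkg_installed "$PACKAGE"
  if [ "$FNRET" = 1 ]; then
    crit "$PACKAGE is not installed."
    FNRET=1
    return
  fi
  does_file_exist "$FILE"
  if [ "$FNRET" != 0 ]; then
    crit "$FILE does not exist"
    FNRET=2
    return
  fi
  ok "$FILE exists, checking configuration"
  # Effective value of PATTERN: drop comment lines (indented ones too), keep
  # only the key's own assignment, strip the whitespace around the value and
  # take the last assignment, so that exactly one word is compared below.
  # The earlier count used a case-insensitive grep while the value lookup was
  # case-sensitive; both steps now look at the same lines.
  VALUE=$(grep -v '^[[:space:]]*#' "$FILE" \
    | grep "^[[:space:]]*${PATTERN}[[:space:]]*=" \
    | awk -F= '{ v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v }' \
    | tail -n 1)
  if [ -z "$VALUE" ]; then
    crit "$PATTERN is not exist on $FILE"
    FNRET=3
  elif [ "$VALUE" = "$SETVALUE" ]; then
    ok "$PATTERN value is ok in $FILE"
    FNRET=0
  else
    crit "$PATTERN value is incorrect in $FILE"
    FNRET=4
  fi
}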
# This function will be called if the script status is on enabled mode
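apply () {
  # Dispatch on the FNRET code left by audit().
  case "$FNRET" in
    0)
      ok "$PATTERN is present in $FILE"
      ;;
    1)
      warn "$PACKAGE is not installed, need install."
      install_package "$PACKAGE"
      ;;
    2)
      warn "$FILE is not exist, please manual check."
      ;;
    3)
      warn "$PATTERN value not exist in $FILE, add it"
      add_end_of_file "$FILE" "${PATTERN} = $SETVALUE"
      ;;
    4)
      warn "$PATTERN value is incorrect in $FILE, reset it"
      # Match the key whether or not whitespace separates it from '='; the
      # previous pattern required a blank after the key, so a line such as
      # 'network_failure_action=ignore' was reported but never rewritten.
      replace_in_file "$FILE" "^[[:space:]]*${PATTERN}[[:space:]]*=.*" "${PATTERN} = $SETVALUE"
      ;;
  esac
}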
# This function will check config parameters required
check_config() {
  # OS_RELEASE 3 is Ubuntu, where the audisp-remote config lives under
  # /etc/audit; every other release keeps it under /etc/audisp.
  FILE='/etc/audisp/audisp-remote.conf'
  if [ "$OS_RELEASE" -eq 3 ]; then
    FILE='/etc/audit/audisp-remote.conf'
  fi
}
# Source Root Dir Parameter
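if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} so that, when the defaults file is missing or does not set
# the variable, `set -u` cannot abort before the explanatory message below.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi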
================================================
FILE: bin/hardening/8.1.1.9_set_space_left_audit.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9/10 or CentOS Hardening
#
#
# 8.1.1.9 Set space left for auditd service (Scored)
# If the value of the "space_left" keyword is set to more than 25 percent of the total partition size, this is a finding.
# Author : Samson wen, Samson
#
# Abort on the first failing command and on any reference to an unset variable.
set -eu
HARDENING_LEVEL=4
# auditd config file, the key checked in it, and the directory whose
# filesystem size the key is compared against.
FILE='/etc/audit/auditd.conf'
PATTERN='space_left'
LOGFILESYSTEM='/var/log/audit/'
# This function will be called if the script status is on enabled / audit mode
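# Size in MiB of the filesystem holding LOGFILESYSTEM. `-P` forces the POSIX
# one-line-per-filesystem layout so a long device name cannot wrap the numbers
# onto a second line and break the field extraction; `print` is used instead
# of `printf` so the field is never interpreted as a format string.
_audit_fs_size_mb() {
  df -P -B 1m "$LOGFILESYSTEM" | awk 'NR == 2 { print $2 }'
}
# 25% of that size, truncated to a whole MiB. Integer division replaces the
# earlier `bc` call (same result for a non-negative integer) and drops the
# dependency on a tool a minimal install may not have.
_space_left_limit() {
  local size
  size=$(_audit_fs_size_mb)
  echo $(( size / 4 ))
}
# Value assigned to PATTERN in FILE (uncommented line, whitespace stripped,
# last assignment wins); empty when the key is absent.
_configured_space_left() {
  grep "^[[:space:]]*${PATTERN}[[:space:]]*=" "$FILE" \
    | awk -F= '{ gsub(/[[:space:]]/, "", $2); print $2 }' | tail -n 1
}
audit () {
  # Sets FNRET: 0 within limit, 1 config file missing, 2 log directory
  # missing, 3 key not configured, 4 value above 25% of the filesystem.
  does_file_exist "$FILE"
  if [ "$FNRET" != 0 ]; then
    crit "$FILE does not exist"
    FNRET=1
    return
  fi
  if [ ! -d "$LOGFILESYSTEM" ]; then
    crit "$LOGFILESYSTEM is not present"
    FNRET=2
    return
  fi
  ok "$FILE exists, checking configuration"
  LEFTSIZE=$(_space_left_limit)
  SETSIZE=$(_configured_space_left)
  if [ -z "$SETSIZE" ]; then
    crit "$PATTERN is not configure in the $FILE."
    FNRET=3
  # NOTE(review): a value that is not a plain integer (e.g. a percentage) makes
  # this comparison fail and falls through to the 'ok' branch, as before.
  elif [ "$SETSIZE" -gt "$LEFTSIZE" ]; then
    crit "Space left value: ${SETSIZE} is more than audit log filesystem 25%"
    FNRET=4
  else
    ok "Space left value: ${SETSIZE} is less than/equal to audit log filesystem 25%"
    FNRET=0
  fi
}
# This function will be called if the script status is on enabled mode
apply () {
  # The previous `LEFTSIZE=$(bc ...) | awk ...` ran the assignment in a
  # pipeline subshell, so LEFTSIZE was never set and `set -u` aborted the
  # script on the next line; the helper computes the value in this shell.
  case "$FNRET" in
    0)
      ok "$PATTERN is present in $FILE."
      ;;
    1|2)
      warn "$FILE is not exist, please manual check."
      ;;
    3)
      warn "$PATTERN value not exist in $FILE, add it"
      LEFTSIZE=$(_space_left_limit)
      add_end_of_file "$FILE" "${PATTERN} = $LEFTSIZE"
      ;;
    4)
      warn "$PATTERN value is incorrect in $FILE, reset it"
      LEFTSIZE=$(_space_left_limit)
      # Same key match as the audit, with or without blanks around '='.
      replace_in_file "$FILE" "^[[:space:]]*${PATTERN}[[:space:]]*=.*" "${PATTERN} = $LEFTSIZE"
      ;;
  esac
}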
# This function will check config parameters required
check_config() {
  # Nothing to derive at runtime: FILE, PATTERN and LOGFILESYSTEM are
  # constants set at the top of this script.
  return 0
}
# Source Root Dir Parameter
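if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} so that, when the defaults file is missing or does not set
# the variable, `set -u` cannot abort before the explanatory message below.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi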
================================================
FILE: bin/hardening/8.1.10_record_dac_edit.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 8.1.10 Collect Discretionary Access Control Permission Modification Events (Scored)
# Modify by: Samson-W (sccxboy@gmail.com)
#
# Abort on the first failing command and on any reference to an unset variable.
set -eu
HARDENING_LEVEL=4
# Rules file the audit rules are expected in / appended to.
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
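audit () {
  # define custom IFS and save default one
  d_IFS=$IFS
  IFS=$'\n'
  is_64bit_arch
  # Compare FNRET with blanks around '='. The earlier `[ $FNRET=0 ]` was a
  # single-word test, true for any non-empty word, so the 64-bit rule set
  # was selected even on a 32-bit host.
  if [ "$FNRET" = 0 ]; then
    AUDIT_PARAMS=$ARCH64_AUDIT_PARAMS
  else
    AUDIT_PARAMS=$ARCH32_AUDIT_PARAMS
  fi
  # One rule per line; with IFS set to newline each line is one loop item.
  for AUDIT_VALUE in $AUDIT_PARAMS; do
    debug "$AUDIT_VALUE should be in file $FILE"
    check_audit_path "$AUDIT_VALUE"
    if [ "$FNRET" -eq 1 ]; then
      warn "path does not exist! Please check that the file path exists!"
      continue
    fi
    does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
    if [ "$FNRET" != 0 ]; then
      crit "$AUDIT_VALUE is not in file $FILE"
    else
      ok "$AUDIT_VALUE is present in $FILE"
    fi
  done
  IFS=$d_IFS
}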
# This function will be called if the script status is on enabled mode
apply () {
  d_IFS=$IFS
  IFS=$'\n'
  # AUDIT_PARAMS was chosen by audit(); each line is one rule.
  for AUDIT_VALUE in $AUDIT_PARAMS; do
    debug "$AUDIT_VALUE should be in file $FILE"
    check_audit_path "$AUDIT_VALUE"
    # A rule whose watched path is missing is reported and left alone.
    if [ "$FNRET" -eq 1 ]; then
      warn "path does not exist! Please check that the file path exists!"
      continue
    fi
    does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
    if [ "$FNRET" != 0 ]; then
      warn "$AUDIT_VALUE is not in file $FILE, adding it"
      add_end_of_file "$FILE" "$AUDIT_VALUE"
      check_auditd_is_immutable_mode
    else
      ok "$AUDIT_VALUE is present in $FILE"
    fi
  done
  IFS=$d_IFS
}
# This function will check config parameters required
check_config() {
  # Per-user scoping appended to every syscall rule, unless the operator set
  # DONT_AUDITD_BY_UID=1.
  local uid_filter
  if [ "$DONT_AUDITD_BY_UID" -eq 1 ]; then
    uid_filter=''
  else
    uid_filter=' -F auid>=1000 -F auid!=4294967295'
  fi
  local rule_chmod="-S chmod -S fchmod -S fchmodat${uid_filter} -k perm_mod"
  local rule_chown="-S chown -S fchown -S fchownat -S lchown${uid_filter} -k perm_mod"
  local rule_xattr="-S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr${uid_filter} -k perm_mod"
  # 64-bit hosts need both ABIs; 32-bit hosts only b32.
  ARCH64_AUDIT_PARAMS="-a always,exit -F arch=b64 ${rule_chmod}
-a always,exit -F arch=b32 ${rule_chmod}
-a always,exit -F arch=b64 ${rule_chown}
-a always,exit -F arch=b32 ${rule_chown}
-a always,exit -F arch=b64 ${rule_xattr}
-a always,exit -F arch=b32 ${rule_xattr}"
  ARCH32_AUDIT_PARAMS="-a always,exit -F arch=b32 ${rule_chmod}
-a always,exit -F arch=b32 ${rule_chown}
-a always,exit -F arch=b32 ${rule_xattr}"
}
# Source Root Dir Parameter
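if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} so that, when the defaults file is missing or does not set
# the variable, `set -u` cannot abort before the explanatory message below.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi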
================================================
FILE: bin/hardening/8.1.11_record_failed_access_file.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 8.1.11 Collect Unsuccessful Unauthorized Access Attempts to Files (Scored)
# Modify by: Samson-W (sccxboy@gmail.com)
#
# Abort on the first failing command and on any reference to an unset variable.
set -eu
HARDENING_LEVEL=4
# Rules file the audit rules are expected in / appended to.
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
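audit () {
  # define custom IFS and save default one
  d_IFS=$IFS
  IFS=$'\n'
  is_64bit_arch
  # Compare FNRET with blanks around '='. The earlier `[ $FNRET=0 ]` was a
  # single-word test, true for any non-empty word, so the 64-bit rule set
  # was selected even on a 32-bit host.
  if [ "$FNRET" = 0 ]; then
    AUDIT_PARAMS=$ARCH64_AUDIT_PARAMS
  else
    AUDIT_PARAMS=$ARCH32_AUDIT_PARAMS
  fi
  # One rule per line; with IFS set to newline each line is one loop item.
  for AUDIT_VALUE in $AUDIT_PARAMS; do
    debug "$AUDIT_VALUE should be in file $FILE"
    does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
    if [ "$FNRET" != 0 ]; then
      crit "$AUDIT_VALUE is not in file $FILE"
    else
      ok "$AUDIT_VALUE is present in $FILE"
    fi
  done
  IFS=$d_IFS
}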
# This function will be called if the script status is on enabled mode
apply () {
  d_IFS=$IFS
  IFS=$'\n'
  # AUDIT_PARAMS was chosen by audit(); each line is one rule.
  for AUDIT_VALUE in $AUDIT_PARAMS; do
    debug "$AUDIT_VALUE should be in file $FILE"
    does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
    if [ "$FNRET" != 0 ]; then
      warn "$AUDIT_VALUE is not in file $FILE, adding it"
      add_end_of_file "$FILE" "$AUDIT_VALUE"
      check_auditd_is_immutable_mode
    else
      ok "$AUDIT_VALUE is present in $FILE"
    fi
  done
  IFS=$d_IFS
}
# This function will check config parameters required
check_config() {
  # Per-user scoping appended to every syscall rule, unless the operator set
  # DONT_AUDITD_BY_UID=1.
  local uid_filter
  if [ "$DONT_AUDITD_BY_UID" -eq 1 ]; then
    uid_filter=''
  else
    uid_filter=' -F auid>=1000 -F auid!=4294967295'
  fi
  local rule_pre='-S creat -S open -S openat -S truncate -S ftruncate -F exit='
  local rule_eacces="${rule_pre}-EACCES${uid_filter} -k access"
  local rule_eperm="${rule_pre}-EPERM${uid_filter} -k access"
  # 64-bit hosts need both ABIs; 32-bit hosts only b32.
  ARCH64_AUDIT_PARAMS="-a always,exit -F arch=b64 ${rule_eacces}
-a always,exit -F arch=b32 ${rule_eacces}
-a always,exit -F arch=b64 ${rule_eperm}
-a always,exit -F arch=b32 ${rule_eperm}"
  ARCH32_AUDIT_PARAMS="-a always,exit -F arch=b32 ${rule_eacces}
-a always,exit -F arch=b32 ${rule_eperm}"
}
# Source Root Dir Parameter
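if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} so that, when the defaults file is missing or does not set
# the variable, `set -u` cannot abort before the explanatory message below.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi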
================================================
FILE: bin/hardening/8.1.12_record_syscall_execve.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 8.1.12 Collect the execution of privileged functions Events (Scored)
# Author: Samson-W (sccxboy@gmail.com)
#
# Abort on the first failing command and on any reference to an unset variable.
set -eu
HARDENING_LEVEL=4
# Rules file the audit rules are expected in / appended to.
FILE='/etc/audit/rules.d/audit.rules'
# execve rules, one per line, for 64-bit (both ABIs) and 32-bit hosts; the
# uid/euid and gid/egid comparisons single out privilege-changing executions.
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv
-a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S execve -C uid!=euid -F key=execpriv
-a always,exit -F arch=b32 -S execve -C gid!=egid -F key=execpriv'
# This function will be called if the script status is on enabled / audit mode
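audit () {
  # define custom IFS and save default one
  d_IFS=$IFS
  IFS=$'\n'
  is_64bit_arch
  # Compare FNRET with blanks around '='. The earlier `[ $FNRET=0 ]` was a
  # single-word test, true for any non-empty word, so the 64-bit rule set
  # was selected even on a 32-bit host.
  if [ "$FNRET" = 0 ]; then
    AUDIT_PARAMS=$ARCH64_AUDIT_PARAMS
  else
    AUDIT_PARAMS=$ARCH32_AUDIT_PARAMS
  fi
  # One rule per line; with IFS set to newline each line is one loop item.
  for AUDIT_VALUE in $AUDIT_PARAMS; do
    debug "$AUDIT_VALUE should be in file $FILE"
    does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
    if [ "$FNRET" != 0 ]; then
      crit "$AUDIT_VALUE is not in file $FILE"
    else
      ok "$AUDIT_VALUE is present in $FILE"
    fi
  done
  IFS=$d_IFS
}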
# This function will be called if the script status is on enabled mode
apply () {
  d_IFS=$IFS
  IFS=$'\n'
  # AUDIT_PARAMS was chosen by audit(); each line is one rule.
  for AUDIT_VALUE in $AUDIT_PARAMS; do
    debug "$AUDIT_VALUE should be in file $FILE"
    does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
    if [ "$FNRET" != 0 ]; then
      warn "$AUDIT_VALUE is not in file $FILE, adding it"
      add_end_of_file "$FILE" "$AUDIT_VALUE"
      check_auditd_is_immutable_mode
    else
      ok "$AUDIT_VALUE is present in $FILE"
    fi
  done
  IFS=$d_IFS
}
# This function will check config parameters required
check_config() {
  # Nothing to derive at runtime: the rule sets and FILE are constants set at
  # the top of this script.
  return 0
}
# Source Root Dir Parameter
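if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} so that, when the defaults file is missing or does not set
# the variable, `set -u` cannot abort before the explanatory message below.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi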
================================================
FILE: bin/hardening/8.1.13_record_successful_mount.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 8.1.13 Collect Successful File System Mounts (Scored)
# Modify by: Samson-W (sccxboy@gmail.com)
#
# Abort on the first failing command and on any reference to an unset variable.
set -eu
HARDENING_LEVEL=4
# Rules file the audit rules are expected in / appended to.
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
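audit () {
  # define custom IFS and save default one
  d_IFS=$IFS
  IFS=$'\n'
  is_64bit_arch
  # Compare FNRET with blanks around '='. The earlier `[ $FNRET=0 ]` was a
  # single-word test, true for any non-empty word, so the 64-bit rule set
  # was selected even on a 32-bit host.
  if [ "$FNRET" = 0 ]; then
    AUDIT_PARAMS=$ARCH64_AUDIT_PARAMS
  else
    AUDIT_PARAMS=$ARCH32_AUDIT_PARAMS
  fi
  # One rule per line; with IFS set to newline each line is one loop item.
  for AUDIT_VALUE in $AUDIT_PARAMS; do
    debug "$AUDIT_VALUE should be in file $FILE"
    does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
    if [ "$FNRET" != 0 ]; then
      crit "$AUDIT_VALUE is not in file $FILE"
    else
      ok "$AUDIT_VALUE is present in $FILE"
    fi
  done
  IFS=$d_IFS
}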
# This function will be called if the script status is on enabled mode
apply () {
  d_IFS=$IFS
  IFS=$'\n'
  # AUDIT_PARAMS was chosen by audit(); each line is one rule.
  for AUDIT_VALUE in $AUDIT_PARAMS; do
    debug "$AUDIT_VALUE should be in file $FILE"
    does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
    if [ "$FNRET" != 0 ]; then
      warn "$AUDIT_VALUE is not in file $FILE, adding it"
      add_end_of_file "$FILE" "$AUDIT_VALUE"
      check_auditd_is_immutable_mode
    else
      ok "$AUDIT_VALUE is present in $FILE"
    fi
  done
  IFS=$d_IFS
}
# This function will check config parameters required
check_config() {
  # Per-user scoping appended to the mount rule, unless the operator set
  # DONT_AUDITD_BY_UID=1.
  local uid_filter
  if [ "$DONT_AUDITD_BY_UID" -eq 1 ]; then
    uid_filter=''
  else
    uid_filter=' -F auid>=1000 -F auid!=4294967295'
  fi
  local rule_mount="-S mount${uid_filter} -k mounts"
  # 64-bit hosts need both ABIs; 32-bit hosts only b32.
  ARCH64_AUDIT_PARAMS="-a always,exit -F arch=b64 ${rule_mount}
-a always,exit -F arch=b32 ${rule_mount}"
  ARCH32_AUDIT_PARAMS="-a always,exit -F arch=b32 ${rule_mount}"
}
# Source Root Dir Parameter
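if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} so that, when the defaults file is missing or does not set
# the variable, `set -u` cannot abort before the explanatory message below.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi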
================================================
FILE: bin/hardening/8.1.14_record_file_deletions.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 8.1.14 Collect File Deletion Events by User (Scored)
# Modify by: Samson-W (sccxboy@gmail.com)
#
# Abort on the first failing command and on any reference to an unset variable.
set -eu
HARDENING_LEVEL=4
# Rules file the audit rules are expected in / appended to.
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
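audit () {
  # define custom IFS and save default one
  d_IFS=$IFS
  IFS=$'\n'
  is_64bit_arch
  # Compare FNRET with blanks around '='. The earlier `[ $FNRET=0 ]` was a
  # single-word test, true for any non-empty word, so the 64-bit rule set
  # was selected even on a 32-bit host.
  if [ "$FNRET" = 0 ]; then
    AUDIT_PARAMS=$ARCH64_AUDIT_PARAMS
  else
    AUDIT_PARAMS=$ARCH32_AUDIT_PARAMS
  fi
  # One rule per line; with IFS set to newline each line is one loop item.
  for AUDIT_VALUE in $AUDIT_PARAMS; do
    debug "$AUDIT_VALUE should be in file $FILE"
    does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
    if [ "$FNRET" != 0 ]; then
      crit "$AUDIT_VALUE is not in file $FILE"
    else
      ok "$AUDIT_VALUE is present in $FILE"
    fi
  done
  IFS=$d_IFS
}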
# This function will be called if the script status is on enabled mode
apply () {
  d_IFS=$IFS
  IFS=$'\n'
  # AUDIT_PARAMS was chosen by audit(); each line is one rule.
  for AUDIT_VALUE in $AUDIT_PARAMS; do
    debug "$AUDIT_VALUE should be in file $FILE"
    does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
    if [ "$FNRET" != 0 ]; then
      warn "$AUDIT_VALUE is not in file $FILE, adding it"
      add_end_of_file "$FILE" "$AUDIT_VALUE"
      check_auditd_is_immutable_mode
    else
      ok "$AUDIT_VALUE is present in $FILE"
    fi
  done
  IFS=$d_IFS
}
# This function will check config parameters required
check_config() {
  # Per-user scoping appended to the deletion rule, unless the operator set
  # DONT_AUDITD_BY_UID=1.
  local uid_filter
  if [ "$DONT_AUDITD_BY_UID" -eq 1 ]; then
    uid_filter=''
  else
    uid_filter=' -F auid>=1000 -F auid!=4294967295'
  fi
  local rule_delete="-S unlink -S unlinkat -S rename -S renameat -S rmdir${uid_filter} -k delete"
  # 64-bit hosts need both ABIs; 32-bit hosts only b32.
  ARCH64_AUDIT_PARAMS="-a always,exit -F arch=b64 ${rule_delete}
-a always,exit -F arch=b32 ${rule_delete}"
  ARCH32_AUDIT_PARAMS="-a always,exit -F arch=b32 ${rule_delete}"
}
# Source Root Dir Parameter
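if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} so that, when the defaults file is missing or does not set
# the variable, `set -u` cannot abort before the explanatory message below.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi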
================================================
FILE: bin/hardening/8.1.15_record_sudoers_edit.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 8.1.15 Collect Changes to System Administration Scope (sudoers) (Scored)
#
# Abort on the first failing command and on any reference to an unset variable.
set -eu
HARDENING_LEVEL=4
# Rules file the audit rules are expected in / appended to.
FILE='/etc/audit/rules.d/audit.rules'
# Watch rules, one per line, for the sudoers file and drop-in directory.
AUDIT_PARAMS='-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers'
# This function will be called if the script status is on enabled / audit mode
audit () {
  # define custom IFS and save default one
  d_IFS=$IFS
  IFS=$'\n'
  # One rule per line; with IFS set to newline each line is one loop item.
  for AUDIT_VALUE in $AUDIT_PARAMS; do
    debug "$AUDIT_VALUE should be in file $FILE"
    check_audit_path "$AUDIT_VALUE"
    # A rule whose watched path is missing is reported and skipped.
    if [ "$FNRET" -eq 1 ]; then
      warn "path does not exist! Please check that the file path exists!"
      continue
    fi
    does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
    if [ "$FNRET" != 0 ]; then
      crit "$AUDIT_VALUE is not in file $FILE"
    else
      ok "$AUDIT_VALUE is present in $FILE"
    fi
  done
  IFS=$d_IFS
}
# This function will be called if the script status is on enabled mode
apply () {
  d_IFS=$IFS
  IFS=$'\n'
  # Each line of AUDIT_PARAMS is one rule.
  for AUDIT_VALUE in $AUDIT_PARAMS; do
    debug "$AUDIT_VALUE should be in file $FILE"
    check_audit_path "$AUDIT_VALUE"
    # A rule whose watched path is missing is reported and left alone.
    if [ "$FNRET" -eq 1 ]; then
      warn "path does not exist! Please check that the file path exists!"
      continue
    fi
    does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
    if [ "$FNRET" != 0 ]; then
      warn "$AUDIT_VALUE is not in file $FILE, adding it"
      add_end_of_file "$FILE" "$AUDIT_VALUE"
      check_auditd_is_immutable_mode
    else
      ok "$AUDIT_VALUE is present in $FILE"
    fi
  done
  IFS=$d_IFS
}
# This function will check config parameters required
check_config() {
  # Nothing to derive at runtime: AUDIT_PARAMS and FILE are constants set at
  # the top of this script.
  return 0
}
# Source Root Dir Parameter
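if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} so that, when the defaults file is missing or does not set
# the variable, `set -u` cannot abort before the explanatory message below.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi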
================================================
FILE: bin/hardening/8.1.16_record_sudo_usage.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 8.1.16 Collect System Administrator Actions (sudolog) (Scored)
# Modify by: Samson-W (sccxboy@gmail.com)
#
# Abort on the first failing command and on any reference to an unset variable.
set -eu
HARDENING_LEVEL=4
# Rules file the watch rule is expected in / appended to, and the single
# watch rule this check handles.
FILE='/etc/audit/rules.d/audit.rules'
AUDIT_VALUE='-w /var/log/sudo.log -p wa -k sudoaction'
# This function will be called if the script status is on enabled / audit mode
audit () {
  # define custom IFS and save default one
  d_IFS=$IFS
  IFS=$'\n'
  # Leaves FNRET at 1 when the watched path is missing, 2 when the rule is
  # absent from FILE, otherwise whatever does_pattern_exist_in_file set (0).
  check_audit_path "$AUDIT_VALUE"
  if [ "$FNRET" -eq 1 ]; then
    warn "path does not exist! Please check that the file path exists!"
  else
    does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
    if [ "$FNRET" != 0 ]; then
      crit "$AUDIT_VALUE is not in file $FILE"
      FNRET=2
    else
      ok "$AUDIT_VALUE is present in $FILE"
    fi
  fi
  IFS=$d_IFS
}
# This function will be called if the script status is on enabled mode
apply () {
  # define custom IFS and save default one
  d_IFS=$IFS
  IFS=$'\n'
  # Acts on the FNRET code left by audit(): 2 = rule missing, 1 = path missing.
  if [ "$FNRET" = 2 ]; then
    warn "$AUDIT_VALUE is not in file $FILE, adding it"
    add_end_of_file "$FILE" "$AUDIT_VALUE"
    check_auditd_is_immutable_mode
  elif [ "$FNRET" -eq 1 ]; then
    warn "path does not exist! Please check that the file path exists!"
  else
    ok "$AUDIT_VALUE is present in $FILE"
  fi
  IFS=$d_IFS
}
# This function will check config parameters required
check_config() {
  # Nothing to derive at runtime: AUDIT_VALUE and FILE are constants set at
  # the top of this script.
  return 0
}
# Source Root Dir Parameter
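if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} so that, when the defaults file is missing or does not set
# the variable, `set -u` cannot abort before the explanatory message below.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi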
================================================
FILE: bin/hardening/8.1.17_record_kernel_modules.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 8.1.17 Collect Kernel Module Loading and Unloading (Scored)
# Modify by: Samson-W (sccxboy@gmail.com)
#
# Abort on the first failing command and on any reference to an unset variable.
set -eu
HARDENING_LEVEL=4
# Rules file the audit rules are expected in / appended to.
FILE='/etc/audit/rules.d/audit.rules'
# Module-loading rules, one per line: execution watches on the module tools
# plus the module syscalls for both ABIs (64-bit) or b32 only (32-bit).
ARCH64_AUDIT_PARAMS='-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-w /bin/kmod -p x -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -S create_module -S finit_module -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -S create_module -S finit_module -k modules'
ARCH32_AUDIT_PARAMS='-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-w /bin/kmod -p x -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -S create_module -S finit_module -k modules'
# This function will be called if the script status is on enabled / audit mode
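audit () {
  # define custom IFS and save default one
  d_IFS=$IFS
  IFS=$'\n'
  is_64bit_arch
  # Compare FNRET with blanks around '='. The earlier `[ $FNRET=0 ]` was a
  # single-word test, true for any non-empty word, so the 64-bit rule set
  # was selected even on a 32-bit host.
  if [ "$FNRET" = 0 ]; then
    AUDIT_PARAMS=$ARCH64_AUDIT_PARAMS
  else
    AUDIT_PARAMS=$ARCH32_AUDIT_PARAMS
  fi
  # One rule per line; with IFS set to newline each line is one loop item.
  for AUDIT_VALUE in $AUDIT_PARAMS; do
    debug "$AUDIT_VALUE should be in file $FILE"
    check_audit_path "$AUDIT_VALUE"
    if [ "$FNRET" -eq 1 ]; then
      warn "path does not exist! Please check that the file path exists!"
      continue
    fi
    does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
    if [ "$FNRET" != 0 ]; then
      crit "$AUDIT_VALUE is not in file $FILE"
    else
      ok "$AUDIT_VALUE is present in $FILE"
    fi
  done
  IFS=$d_IFS
}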
# This function will be called if the script status is on enabled mode
apply () {
  d_IFS=$IFS
  IFS=$'\n'
  # AUDIT_PARAMS was chosen by audit(); each line is one rule.
  for AUDIT_VALUE in $AUDIT_PARAMS; do
    debug "$AUDIT_VALUE should be in file $FILE"
    check_audit_path "$AUDIT_VALUE"
    # A rule whose watched path is missing is reported and left alone.
    if [ "$FNRET" -eq 1 ]; then
      warn "path does not exist! Please check that the file path exists!"
      continue
    fi
    does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
    if [ "$FNRET" != 0 ]; then
      warn "$AUDIT_VALUE is not in file $FILE, adding it"
      add_end_of_file "$FILE" "$AUDIT_VALUE"
      check_auditd_is_immutable_mode
    else
      ok "$AUDIT_VALUE is present in $FILE"
    fi
  done
  IFS=$d_IFS
}
# This function will check config parameters required
check_config() {
  # Nothing to derive at runtime: the rule sets and FILE are constants set at
  # the top of this script.
  return 0
}
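# Source Root Dir Parameter
# Bootstrap: CIS_ROOT_DIR comes from /etc/default/cis-hardening when that
# file is readable (it is sourced as shell code, so keep it root-owned and
# not writable by others), otherwise from the caller's environment.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps this diagnostic reachable under 'set -u'; a bare
# $CIS_ROOT_DIR would abort with "unbound variable" before the message.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# The path is quoted so a root directory containing spaces or glob
# characters is handled correctly.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi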
================================================
FILE: bin/hardening/8.1.18_record_Events_netfilter.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 10/11/12/13 Hardening
#
#
# 8.1.18 Record netfilter related Events (Scored)
# Author: Samson-W (samson@hardenedlinux.org) author add this
# todo test for centos
# Abort on the first failing command and on any unset variable.
set -eu
# Level-4 check; rules are persisted in the auditd rules.d drop-in file.
HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules'
# The check is skipped entirely when this package is not installed.
PACKAGE_NFT='nftables'
# This function will be called if the script status is on enabled / audit mode
# Audit mode: when nftables is installed, report each rule in AUDIT_PARAMS
# that is absent from $FILE; otherwise pass. AUDIT_PARAMS is newline-
# separated, so IFS is set to '\n' for the loop and switched back to the
# saved default while the pattern helper runs.
audit () {
    local rule
    is_pkg_installed $PACKAGE_NFT
    if [ "$FNRET" != 0 ]; then
        ok "OS not support nft, so pass"
        return
    fi
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for rule in $AUDIT_PARAMS; do
        debug "$rule should be in file $FILE"
        IFS=$d_IFS
        does_pattern_exist_in_file $FILE "$rule"
        IFS=$c_IFS
        case "$FNRET" in
            0) ok "$rule is present in $FILE" ;;
            *) crit "$rule is not in file $FILE" ;;
        esac
    done
    IFS=$d_IFS
}
# This function will be called if the script status is on enabled mode
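# Enabled mode: when nftables is installed, append each missing rule to
# $FILE. IFS is switched to '\n' so multi-line AUDIT_PARAMS yields one rule
# per iteration, restored to the saved default around the helper calls
# (matching audit()), and restored again on exit so the caller's word
# splitting is not left altered -- the original never restored it.
apply () {
    is_pkg_installed $PACKAGE_NFT
    if [ "$FNRET" != 0 ]; then
        ok "OS not support nft, so pass"
        return 0
    fi
    d_IFS=$IFS
    IFS=$'\n'
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
        IFS=$d_IFS
        does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
        if [ "$FNRET" != 0 ]; then
            warn "$AUDIT_VALUE is not in file $FILE, adding it"
            # Quoted so the rule stays a single argument under default IFS.
            add_end_of_file $FILE "$AUDIT_VALUE"
            # NOTE(review): presumably warns when auditd runs immutable (-e 2)
            # and the new rule needs a reboot to load -- confirm against lib.
            check_auditd_is_immutable_mode
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
        IFS=$'\n'
    done
    IFS=$d_IFS
}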
# This function will check config parameters required
# Build the netfilter rule set. Unless DONT_AUDITD_BY_UID=1, the two
# execution watches are restricted to real logged-in users
# (auid >= 1000 and auid != unset/4294967295).
check_config() {
    local uid_filter=''
    if [ "$DONT_AUDITD_BY_UID" -ne 1 ]; then
        uid_filter=' -F auid>=1000 -F auid!=4294967295'
    fi
    # NOTE(review): the last two rules attach -F filters to a -w watch; the
    # sibling 8.1.x scripts express the same intent as
    # '-a always,exit -F path=... -F perm=x ...'. Confirm the -w form is
    # accepted by the auditctl shipped on the target hosts.
    AUDIT_PARAMS="-w /etc/nftables.conf -p wa -k nft_config_file_change
-w /usr/share/netfilter-persistent/plugins.d/ -p wa -k nft_config_file_change
-w /usr/sbin/netfilter-persistent -p x${uid_filter} -k nft_persistent_use
-w /usr/sbin/nft -p x${uid_filter} -k nft_cmd_use"
}
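# Source Root Dir Parameter
# Bootstrap: CIS_ROOT_DIR comes from /etc/default/cis-hardening when that
# file is readable (it is sourced as shell code, so keep it root-owned and
# not writable by others), otherwise from the caller's environment.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps this diagnostic reachable under 'set -u'; a bare
# $CIS_ROOT_DIR would abort with "unbound variable" before the message.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# The path is quoted so a root directory containing spaces or glob
# characters is handled correctly.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi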
================================================
FILE: bin/hardening/8.1.19_record_sshkeysign_usage.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12/13 or CentOS Hardening
#
#
# 8.1.19 Recorded ssh-keysign command usage (Scored)
# Author : Samson wen, Samson
#
# Abort on unset variables. Errexit (set -e) is not enabled in this
# script, unlike the sibling 8.1.x scripts.
set -u
HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules'
# Filled in by check_config() once OS_RELEASE / DONT_AUDITD_BY_UID are known.
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode
# Audit mode: for every rule in AUDIT_PARAMS whose target path exists on
# this host, report whether the rule is present in $FILE. AUDIT_PARAMS is
# newline-separated, so IFS is set to '\n' for the loop and switched back to
# the saved default while the pattern helper runs.
audit () {
    local rule
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for rule in $AUDIT_PARAMS; do
        check_audit_path $rule
        # FNRET=1: the watched path is missing here; skip rather than fail.
        if [ "$FNRET" -eq 1 ]; then
            warn "path does not exist! Please check that the file path exists!"
            continue
        fi
        debug "$rule should be in file $FILE"
        IFS=$d_IFS
        does_pattern_exist_in_file $FILE "$rule"
        IFS=$c_IFS
        case "$FNRET" in
            0) ok "$rule is present in $FILE" ;;
            *) crit "$rule is not in file $FILE" ;;
        esac
    done
    IFS=$d_IFS
}
# This function will be called if the script status is on enabled mode
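# Enabled mode: append each missing rule whose target path exists to $FILE.
# IFS is switched to '\n' so multi-line AUDIT_PARAMS yields one rule per
# iteration, restored to the saved default around the helper calls
# (matching audit()), and restored again on exit so the caller's word
# splitting is not left altered -- the original never restored it.
apply () {
    d_IFS=$IFS
    IFS=$'\n'
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        check_audit_path "$AUDIT_VALUE"
        if [ "$FNRET" -eq 1 ]; then
            warn "path does not exist! Please check that the file path exists!"
            continue
        fi
        debug "$AUDIT_VALUE should be in file $FILE"
        IFS=$d_IFS
        does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
        if [ "$FNRET" != 0 ]; then
            warn "$AUDIT_VALUE is not in file $FILE, adding it"
            # Quoted so the rule stays a single argument under default IFS.
            add_end_of_file $FILE "$AUDIT_VALUE"
            # NOTE(review): presumably warns when auditd runs immutable (-e 2)
            # and the new rule needs a reboot to load -- confirm against lib.
            check_auditd_is_immutable_mode
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
        IFS=$'\n'
    done
    IFS=$d_IFS
}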
# This function will check config parameters required
# Build the privileged-ssh rule set for the detected distribution.
# Unless DONT_AUDITD_BY_UID=1, rules are restricted to real logged-in users
# (auid >= 1000 and auid != unset/4294967295). Only the ssh-keysign install
# path differs between Debian and CentOS (OS_RELEASE=2).
check_config() {
    local uid_filter=''
    if [ "$DONT_AUDITD_BY_UID" -ne 1 ]; then
        uid_filter=' -F auid>=1000 -F auid!=4294967295'
    fi
    AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x${uid_filter} -k privileged-ssh
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x${uid_filter} -k privileged-ssh"
    AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x${uid_filter} -k privileged-ssh
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x${uid_filter} -k privileged-ssh"
    if [ "$OS_RELEASE" -eq 2 ]; then
        AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
    else
        AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
    fi
}
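# Source Root Dir Parameter
# Bootstrap: CIS_ROOT_DIR comes from /etc/default/cis-hardening when that
# file is readable (it is sourced as shell code, so keep it root-owned and
# not writable by others), otherwise from the caller's environment.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps this diagnostic reachable under 'set -u'; a bare
# $CIS_ROOT_DIR would abort with "unbound variable" before the message.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# The path is quoted so a root directory containing spaces or glob
# characters is handled correctly.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi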
================================================
FILE: bin/hardening/8.1.20_record_open_by_handle_at_syscall.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 8.1.20 Recorded open_by_handle_at syscall (Scored)
# Author : Samson wen, Samson
#
# Abort on the first failing command and on any unset variable.
set -eu
# Level-4 check; rules are persisted in the auditd rules.d drop-in file.
HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
# Audit mode: report each syscall rule in AUDIT_PARAMS that is absent from
# $FILE. AUDIT_PARAMS is newline-separated, so IFS is set to '\n' for the
# loop and switched back to the saved default while the pattern helper runs.
audit () {
    local rule
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for rule in $AUDIT_PARAMS; do
        debug "$rule should be in file $FILE"
        IFS=$d_IFS
        does_pattern_exist_in_file $FILE "$rule"
        IFS=$c_IFS
        case "$FNRET" in
            0) ok "$rule is present in $FILE" ;;
            *) crit "$rule is not in file $FILE" ;;
        esac
    done
    IFS=$d_IFS
}
# This function will be called if the script status is on enabled mode
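# Enabled mode: append each missing syscall rule to $FILE.
# IFS is switched to '\n' so multi-line AUDIT_PARAMS yields one rule per
# iteration, restored to the saved default around the helper calls
# (matching audit()), and restored again on exit so the caller's word
# splitting is not left altered -- the original never restored it.
apply () {
    d_IFS=$IFS
    IFS=$'\n'
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
        IFS=$d_IFS
        does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
        if [ "$FNRET" != 0 ]; then
            warn "$AUDIT_VALUE is not in file $FILE, adding it"
            # Quoted so the rule stays a single argument under default IFS.
            add_end_of_file $FILE "$AUDIT_VALUE"
            # NOTE(review): presumably warns when auditd runs immutable (-e 2)
            # and the new rule needs a reboot to load -- confirm against lib.
            check_auditd_is_immutable_mode
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
        IFS=$'\n'
    done
    IFS=$d_IFS
}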
# This function will check config parameters required
# Build the open_by_handle_at rule set: one rule per refused outcome
# (exit=-EPERM, exit=-EACCES), both keyed 'access'. Unless
# DONT_AUDITD_BY_UID=1 the rules are restricted to real logged-in users
# (auid >= 1000 and auid != unset/4294967295).
# NOTE(review): only arch=b64 is covered; the 32-bit syscall ABI on a
# 64-bit kernel is not audited by these rules.
check_config() {
    local uid_filter=''
    if [ "$DONT_AUDITD_BY_UID" -ne 1 ]; then
        uid_filter=' -F auid>=1000 -F auid!=4294967295'
    fi
    AUDIT_PARAMS="-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM${uid_filter} -k access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES${uid_filter} -k access"
}
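# Source Root Dir Parameter
# Bootstrap: CIS_ROOT_DIR comes from /etc/default/cis-hardening when that
# file is readable (it is sourced as shell code, so keep it root-owned and
# not writable by others), otherwise from the caller's environment.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps this diagnostic reachable under 'set -u'; a bare
# $CIS_ROOT_DIR would abort with "unbound variable" before the message.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# The path is quoted so a root directory containing spaces or glob
# characters is handled correctly.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi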
================================================
FILE: bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12/13 or CentOS Hardening
#
#
# 8.1.21 Recorded Events that privileged-passwd command usage (Scored)
# Author : Samson wen, Samson
#
# Abort on any unset variable and on the first failing command.
set -eu
# Level-4 check; rules are persisted in the auditd rules.d drop-in file.
HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules'
# Filled in by check_config() once OS_RELEASE / DONT_AUDITD_BY_UID are known.
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode
# Audit mode: for every rule in AUDIT_PARAMS whose target path exists on
# this host, report whether the rule is present in $FILE. AUDIT_PARAMS is
# newline-separated, so IFS is set to '\n' for the loop and switched back to
# the saved default while the pattern helper runs.
audit () {
    local rule
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for rule in $AUDIT_PARAMS; do
        check_audit_path $rule
        # FNRET=1: the watched path is missing here; skip rather than fail.
        if [ "$FNRET" -eq 1 ]; then
            warn "path does not exist! Please check that the file path exists!"
            continue
        fi
        debug "$rule should be in file $FILE"
        IFS=$d_IFS
        does_pattern_exist_in_file $FILE "$rule"
        IFS=$c_IFS
        case "$FNRET" in
            0) ok "$rule is present in $FILE" ;;
            *) crit "$rule is not in file $FILE" ;;
        esac
    done
    IFS=$d_IFS
}
# This function will be called if the script status is on enabled mode
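# Enabled mode: append each missing rule whose target path exists to $FILE.
# IFS is switched to '\n' so multi-line AUDIT_PARAMS yields one rule per
# iteration, restored to the saved default around the helper calls
# (matching audit()), and restored again on exit so the caller's word
# splitting is not left altered -- the original never restored it.
apply () {
    d_IFS=$IFS
    IFS=$'\n'
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        check_audit_path "$AUDIT_VALUE"
        if [ "$FNRET" -eq 1 ]; then
            warn "path does not exist! Please check that the file path exists!"
            continue
        fi
        debug "$AUDIT_VALUE should be in file $FILE"
        IFS=$d_IFS
        does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
        if [ "$FNRET" != 0 ]; then
            warn "$AUDIT_VALUE is not in file $FILE, adding it"
            # Quoted so the rule stays a single argument under default IFS.
            add_end_of_file $FILE "$AUDIT_VALUE"
            # NOTE(review): presumably warns when auditd runs immutable (-e 2)
            # and the new rule needs a reboot to load -- confirm against lib.
            check_auditd_is_immutable_mode
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
        IFS=$'\n'
    done
    IFS=$d_IFS
}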
# This function will check config parameters required
# Build the privileged-passwd rule set for the detected distribution.
# Unless DONT_AUDITD_BY_UID=1, rules are restricted to real logged-in users
# (auid >= 1000 and auid != unset/4294967295). The same four binaries are
# watched on both families; only the unix_chkpwd and chage paths differ
# between Debian and CentOS (OS_RELEASE=2).
check_config() {
    local uid_filter=''
    if [ "$DONT_AUDITD_BY_UID" -ne 1 ]; then
        uid_filter=' -F auid>=1000 -F auid!=4294967295'
    fi
    AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/bin/passwd -F perm=x${uid_filter} -k privileged-passwd
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x${uid_filter} -k privileged-passwd
-a always,exit -F path=/usr/bin/gpasswd -F perm=x${uid_filter} -k privileged-passwd
-a always,exit -F path=/usr/bin/chage -F perm=x${uid_filter} -k privileged-passwd"
    AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/bin/passwd -F perm=x${uid_filter} -k privileged-passwd
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x${uid_filter} -k privileged-passwd
-a always,exit -F path=/usr/bin/gpasswd -F perm=x${uid_filter} -k privileged-passwd
-a always,exit -F path=/bin/chage -F perm=x${uid_filter} -k privileged-passwd"
    if [ "$OS_RELEASE" -eq 2 ]; then
        AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
    else
        AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
    fi
}
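# Source Root Dir Parameter
# Bootstrap: CIS_ROOT_DIR comes from /etc/default/cis-hardening when that
# file is readable (it is sourced as shell code, so keep it root-owned and
# not writable by others), otherwise from the caller's environment.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps this diagnostic reachable under 'set -u'; a bare
# $CIS_ROOT_DIR would abort with "unbound variable" before the message.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# The path is quoted so a root directory containing spaces or glob
# characters is handled correctly.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi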
================================================
FILE: bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12/13 or CentOS Hardening
#
#
# 8.1.22 Recorded Events that privileged-priv-change command usage (Scored)
# Author : Samson wen, Samson
#
# Abort on any unset variable and on the first failing command.
set -eu
# Level-4 check; rules are persisted in the auditd rules.d drop-in file.
HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules'
# Filled in by check_config() once OS_RELEASE / DONT_AUDITD_BY_UID are known.
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode
# Audit mode: for every rule in AUDIT_PARAMS whose target path exists on
# this host, report whether the rule is present in $FILE. AUDIT_PARAMS is
# newline-separated, so IFS is set to '\n' for the loop and switched back to
# the saved default while the pattern helper runs.
audit () {
    local rule
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for rule in $AUDIT_PARAMS; do
        check_audit_path $rule
        # FNRET=1: the watched path is missing here; skip rather than fail.
        if [ "$FNRET" -eq 1 ]; then
            warn "path does not exist! Please check that the file path exists!"
            continue
        fi
        debug "$rule should be in file $FILE"
        IFS=$d_IFS
        does_pattern_exist_in_file $FILE "$rule"
        IFS=$c_IFS
        case "$FNRET" in
            0) ok "$rule is present in $FILE" ;;
            *) crit "$rule is not in file $FILE" ;;
        esac
    done
    IFS=$d_IFS
}
# This function will be called if the script status is on enabled mode
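# Enabled mode: append each missing rule whose target path exists to $FILE.
# IFS is switched to '\n' so multi-line AUDIT_PARAMS yields one rule per
# iteration, restored to the saved default around the helper calls
# (matching audit()), and restored again on exit so the caller's word
# splitting is not left altered -- the original never restored it.
apply () {
    d_IFS=$IFS
    IFS=$'\n'
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        check_audit_path "$AUDIT_VALUE"
        if [ "$FNRET" -eq 1 ]; then
            warn "path does not exist! Please check that the file path exists!"
            continue
        fi
        debug "$AUDIT_VALUE should be in file $FILE"
        IFS=$d_IFS
        does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
        if [ "$FNRET" != 0 ]; then
            warn "$AUDIT_VALUE is not in file $FILE, adding it"
            # Quoted so the rule stays a single argument under default IFS.
            add_end_of_file $FILE "$AUDIT_VALUE"
            # NOTE(review): presumably warns when auditd runs immutable (-e 2)
            # and the new rule needs a reboot to load -- confirm against lib.
            check_auditd_is_immutable_mode
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
        IFS=$'\n'
    done
    IFS=$d_IFS
}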
# This function will check config parameters required
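# Build the privileged-priv_change rule set for the detected distribution.
# Unless DONT_AUDITD_BY_UID=1, rules are restricted to real logged-in users
# (auid >= 1000 and auid != unset/4294967295). Binary paths differ between
# Debian and CentOS (OS_RELEASE=2).
#
# FIX: the chfn rule previously used 'auid>=500' while the other five rules
# in this set use 'auid>=1000'. One filter string is now applied to all six
# binaries, so audit and apply agree on a single rule text. Hosts that were
# hardened with the old text keep the 'auid>=500' chfn line alongside the
# new one until it is removed by hand.
check_config() {
    local uid_filter=''
    if [ "$DONT_AUDITD_BY_UID" -ne 1 ]; then
        uid_filter=' -F auid>=1000 -F auid!=4294967295'
    fi
    AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/bin/su -F perm=x${uid_filter} -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudo -F perm=x${uid_filter} -k privileged-priv_change
-a always,exit -F path=/usr/bin/newgrp -F perm=x${uid_filter} -k privileged-priv_change
-a always,exit -F path=/usr/bin/chsh -F perm=x${uid_filter} -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudoedit -F perm=x${uid_filter} -k privileged-priv_change
-a always,exit -F path=/usr/bin/chfn -F perm=x${uid_filter} -k privileged-priv_change"
    AUDIT_PARAMS_CENTOS="-a always,exit -F path=/bin/su -F perm=x${uid_filter} -k privileged-priv_change
-a always,exit -F path=/bin/sudo -F perm=x${uid_filter} -k privileged-priv_change
-a always,exit -F path=/bin/newgrp -F perm=x${uid_filter} -k privileged-priv_change
-a always,exit -F path=/bin/chsh -F perm=x${uid_filter} -k privileged-priv_change
-a always,exit -F path=/bin/sudoedit -F perm=x${uid_filter} -k privileged-priv_change
-a always,exit -F path=/bin/chfn -F perm=x${uid_filter} -k privileged-priv_change"
    if [ "$OS_RELEASE" -eq 2 ]; then
        AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
    else
        AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
    fi
}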
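# Source Root Dir Parameter
# Bootstrap: CIS_ROOT_DIR comes from /etc/default/cis-hardening when that
# file is readable (it is sourced as shell code, so keep it root-owned and
# not writable by others), otherwise from the caller's environment.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps this diagnostic reachable under 'set -u'; a bare
# $CIS_ROOT_DIR would abort with "unbound variable" before the message.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# The path is quoted so a root directory containing spaces or glob
# characters is handled correctly.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi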
================================================
FILE: bin/hardening/8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12/13 or CentOS Hardening
#
#
# 8.1.23 Recorded Events that privileged-postfix command usage (Scored)
# Author : Samson wen, Samson
#
# Abort on any unset variable and on the first failing command.
set -eu
# Level-4 check; rules are persisted in the auditd rules.d drop-in file.
HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules'
# Filled in by check_config() once OS_RELEASE / DONT_AUDITD_BY_UID are known.
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode
# Audit mode: for every rule in AUDIT_PARAMS whose target path exists on
# this host, report whether the rule is present in $FILE. AUDIT_PARAMS is
# newline-separated, so IFS is set to '\n' for the loop and switched back to
# the saved default while the pattern helper runs.
audit () {
    local rule
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for rule in $AUDIT_PARAMS; do
        check_audit_path $rule
        # FNRET=1: the watched path is missing here; skip rather than fail.
        if [ "$FNRET" -eq 1 ]; then
            warn "path does not exist! Please check that the file path exists!"
            continue
        fi
        debug "$rule should be in file $FILE"
        IFS=$d_IFS
        does_pattern_exist_in_file $FILE "$rule"
        IFS=$c_IFS
        case "$FNRET" in
            0) ok "$rule is present in $FILE" ;;
            *) crit "$rule is not in file $FILE" ;;
        esac
    done
    IFS=$d_IFS
}
# This function will be called if the script status is on enabled mode
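# Enabled mode: append each missing rule whose target path exists to $FILE.
# IFS is switched to '\n' so multi-line AUDIT_PARAMS yields one rule per
# iteration, restored to the saved default around the helper calls
# (matching audit()), and restored again on exit so the caller's word
# splitting is not left altered -- the original never restored it.
apply () {
    d_IFS=$IFS
    IFS=$'\n'
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        check_audit_path "$AUDIT_VALUE"
        if [ "$FNRET" -eq 1 ]; then
            warn "path does not exist! Please check that the file path exists!"
            continue
        fi
        debug "$AUDIT_VALUE should be in file $FILE"
        IFS=$d_IFS
        does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
        if [ "$FNRET" != 0 ]; then
            warn "$AUDIT_VALUE is not in file $FILE, adding it"
            # Quoted so the rule stays a single argument under default IFS.
            add_end_of_file $FILE "$AUDIT_VALUE"
            # NOTE(review): presumably warns when auditd runs immutable (-e 2)
            # and the new rule needs a reboot to load -- confirm against lib.
            check_auditd_is_immutable_mode
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
        IFS=$'\n'
    done
    IFS=$d_IFS
}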
# This function will check config parameters required
# Build the privileged-postfix rule set for the detected distribution.
# Unless DONT_AUDITD_BY_UID=1, rules are restricted to real logged-in users
# (auid >= 1000 and auid != unset/4294967295). postdrop/postqueue live in
# /usr/sbin on Debian and /sbin on CentOS (OS_RELEASE=2).
check_config() {
    local uid_filter=''
    if [ "$DONT_AUDITD_BY_UID" -ne 1 ]; then
        uid_filter=' -F auid>=1000 -F auid!=4294967295'
    fi
    AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/sbin/postdrop -F perm=x${uid_filter} -k privileged-postfix
-a always,exit -F path=/usr/sbin/postqueue -F perm=x${uid_filter} -k privileged-postfix"
    AUDIT_PARAMS_CENTOS="-a always,exit -F path=/sbin/postdrop -F perm=x${uid_filter} -k privileged-postfix
-a always,exit -F path=/sbin/postqueue -F perm=x${uid_filter} -k privileged-postfix"
    if [ "$OS_RELEASE" -eq 2 ]; then
        AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
    else
        AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
    fi
}
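# Source Root Dir Parameter
# Bootstrap: CIS_ROOT_DIR comes from /etc/default/cis-hardening when that
# file is readable (it is sourced as shell code, so keep it root-owned and
# not writable by others), otherwise from the caller's environment.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps this diagnostic reachable under 'set -u'; a bare
# $CIS_ROOT_DIR would abort with "unbound variable" before the message.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# The path is quoted so a root directory containing spaces or glob
# characters is handled correctly.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi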
================================================
FILE: bin/hardening/8.1.24_record_crontab_cmd_usage.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12/13 or CentOS Hardening
#
#
# 8.1.24 Recorded crontab command usage (Scored)
# Author : Samson wen, Samson
#
# Abort on any unset variable and on the first failing command.
set -eu
# Level-4 check; rules are persisted in the auditd rules.d drop-in file.
HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules'
# Filled in by check_config() once OS_RELEASE / DONT_AUDITD_BY_UID are known.
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode
# Audit mode: for every rule in AUDIT_PARAMS whose target path exists on
# this host, report whether the rule is present in $FILE. AUDIT_PARAMS is
# newline-separated, so IFS is set to '\n' for the loop and switched back to
# the saved default while the pattern helper runs.
audit () {
    local rule
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for rule in $AUDIT_PARAMS; do
        check_audit_path $rule
        # FNRET=1: the watched path is missing here; skip rather than fail.
        if [ "$FNRET" -eq 1 ]; then
            warn "path does not exist! Please check that the file path exists!"
            continue
        fi
        debug "$rule should be in file $FILE"
        IFS=$d_IFS
        does_pattern_exist_in_file $FILE "$rule"
        IFS=$c_IFS
        case "$FNRET" in
            0) ok "$rule is present in $FILE" ;;
            *) crit "$rule is not in file $FILE" ;;
        esac
    done
    IFS=$d_IFS
}
# This function will be called if the script status is on enabled mode
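# Enabled mode: append each missing rule whose target path exists to $FILE.
# IFS is switched to '\n' so multi-line AUDIT_PARAMS yields one rule per
# iteration, restored to the saved default around the helper calls
# (matching audit()), and restored again on exit so the caller's word
# splitting is not left altered -- the original never restored it.
apply () {
    d_IFS=$IFS
    IFS=$'\n'
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        check_audit_path "$AUDIT_VALUE"
        if [ "$FNRET" -eq 1 ]; then
            warn "path does not exist! Please check that the file path exists!"
            continue
        fi
        debug "$AUDIT_VALUE should be in file $FILE"
        IFS=$d_IFS
        does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
        if [ "$FNRET" != 0 ]; then
            warn "$AUDIT_VALUE is not in file $FILE, adding it"
            # Quoted so the rule stays a single argument under default IFS.
            add_end_of_file $FILE "$AUDIT_VALUE"
            # NOTE(review): presumably warns when auditd runs immutable (-e 2)
            # and the new rule needs a reboot to load -- confirm against lib.
            check_auditd_is_immutable_mode
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
        IFS=$'\n'
    done
    IFS=$d_IFS
}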
# This function will check config parameters required
# Build the privileged-cron rule for the detected distribution.
# Unless DONT_AUDITD_BY_UID=1 the rule is restricted to real logged-in
# users (auid >= 1000 and auid != unset/4294967295). crontab is in
# /usr/bin on Debian and /bin on CentOS (OS_RELEASE=2).
check_config() {
    local uid_filter=''
    if [ "$DONT_AUDITD_BY_UID" -ne 1 ]; then
        uid_filter=' -F auid>=1000 -F auid!=4294967295'
    fi
    AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/bin/crontab -F perm=x${uid_filter} -k privileged-cron"
    AUDIT_PARAMS_CENTOS="-a always,exit -F path=/bin/crontab -F perm=x${uid_filter} -k privileged-cron"
    if [ "$OS_RELEASE" -eq 2 ]; then
        AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
    else
        AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
    fi
}
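# Source Root Dir Parameter
# Bootstrap: CIS_ROOT_DIR comes from /etc/default/cis-hardening when that
# file is readable (it is sourced as shell code, so keep it root-owned and
# not writable by others), otherwise from the caller's environment.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps this diagnostic reachable under 'set -u'; a bare
# $CIS_ROOT_DIR would abort with "unbound variable" before the message.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# The path is quoted so a root directory containing spaces or glob
# characters is handled correctly.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi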
================================================
FILE: bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12/13 or CentOS Hardening
#
#
# 8.1.25 Recorded pam_timestamp_check command usage (Scored)
# Author : Samson wen, Samson
#
# Abort on any unset variable and on the first failing command.
set -eu
# Level-4 check; rules are persisted in the auditd rules.d drop-in file.
HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules'
# Filled in by check_config() once OS_RELEASE / DONT_AUDITD_BY_UID are known.
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode
# Audit mode: for every rule in AUDIT_PARAMS whose target path exists on
# this host, report whether the rule is present in $FILE. AUDIT_PARAMS is
# newline-separated, so IFS is set to '\n' for the loop and switched back to
# the saved default while the pattern helper runs.
audit () {
    local rule
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for rule in $AUDIT_PARAMS; do
        check_audit_path $rule
        # FNRET=1: the watched path is missing here; skip rather than fail.
        if [ "$FNRET" -eq 1 ]; then
            warn "path does not exist! Please check that the file path exists!"
            continue
        fi
        debug "$rule should be in file $FILE"
        IFS=$d_IFS
        does_pattern_exist_in_file $FILE "$rule"
        IFS=$c_IFS
        case "$FNRET" in
            0) ok "$rule is present in $FILE" ;;
            *) crit "$rule is not in file $FILE" ;;
        esac
    done
    IFS=$d_IFS
}
# This function will be called if the script status is on enabled mode
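# Enabled mode: append each missing rule whose target path exists to $FILE.
# IFS is switched to '\n' so multi-line AUDIT_PARAMS yields one rule per
# iteration, restored to the saved default around the helper calls
# (matching audit()), and restored again on exit so the caller's word
# splitting is not left altered -- the original never restored it.
apply () {
    d_IFS=$IFS
    IFS=$'\n'
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        check_audit_path "$AUDIT_VALUE"
        if [ "$FNRET" -eq 1 ]; then
            warn "path does not exist! Please check that the file path exists!"
            continue
        fi
        debug "$AUDIT_VALUE should be in file $FILE"
        IFS=$d_IFS
        does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
        if [ "$FNRET" != 0 ]; then
            warn "$AUDIT_VALUE is not in file $FILE, adding it"
            # Quoted so the rule stays a single argument under default IFS.
            add_end_of_file $FILE "$AUDIT_VALUE"
            # NOTE(review): presumably warns when auditd runs immutable (-e 2)
            # and the new rule needs a reboot to load -- confirm against lib.
            check_auditd_is_immutable_mode
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
        IFS=$'\n'
    done
    IFS=$d_IFS
}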
# This function will check config parameters required
# Build the privileged-pam rule for pam_timestamp_check on the detected
# distribution. Unless DONT_AUDITD_BY_UID=1 the rule is restricted to real
# logged-in users (auid >= 1000 and auid != unset/4294967295). The helper
# is in /usr/sbin on Debian and /sbin on CentOS (OS_RELEASE=2).
check_config() {
    local uid_filter=''
    if [ "$DONT_AUDITD_BY_UID" -ne 1 ]; then
        uid_filter=' -F auid>=1000 -F auid!=4294967295'
    fi
    AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x${uid_filter} -k privileged-pam"
    AUDIT_PARAMS_CENTOS="-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x${uid_filter} -k privileged-pam"
    if [ "$OS_RELEASE" -eq 2 ]; then
        AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
    else
        AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
    fi
}
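# Source Root Dir Parameter
# Bootstrap: CIS_ROOT_DIR comes from /etc/default/cis-hardening when that
# file is readable (it is sourced as shell code, so keep it root-owned and
# not writable by others), otherwise from the caller's environment.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps this diagnostic reachable under 'set -u'; a bare
# $CIS_ROOT_DIR would abort with "unbound variable" before the message.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# The path is quoted so a root directory containing spaces or glob
# characters is handled correctly.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi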
================================================
FILE: bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12/13 or CentOS Hardening
#
#
# 8.1.26 Recorded pam_tally/pam_tally2 command usage(Only for Debian) (Scored)
# Replaced pam_tally2 with faillock in debian 11
# Author : Samson wen, Samson Author add this
#
# Abort on any unset variable and on the first failing command.
set -eu
# Level-4 check; rules are persisted in the auditd rules.d drop-in file.
HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
# Audit mode (Debian/Ubuntu only; CentOS, OS_RELEASE=2, passes): for every
# rule in AUDIT_PARAMS whose target path exists on this host, report whether
# the rule is present in $FILE. AUDIT_PARAMS is newline-separated, so IFS is
# set to '\n' for the loop and switched back to the saved default while the
# pattern helper runs.
audit () {
    local rule
    if [ "$OS_RELEASE" -eq 2 ]; then
        ok "CentOS/Redhat is not support, so pass"
        return
    fi
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for rule in $AUDIT_PARAMS; do
        check_audit_path $rule
        # FNRET=1: the watched path is missing here; skip rather than fail.
        if [ "$FNRET" -eq 1 ]; then
            warn "path does not exist! Please check that the file path exists!"
            continue
        fi
        debug "$rule should be in file $FILE"
        IFS=$d_IFS
        does_pattern_exist_in_file $FILE "$rule"
        IFS=$c_IFS
        case "$FNRET" in
            0) ok "$rule is present in $FILE" ;;
            *) crit "$rule is not in file $FILE" ;;
        esac
    done
    IFS=$d_IFS
}
# This function will be called if the script status is on enabled mode
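# Enabled mode (Debian/Ubuntu only; CentOS, OS_RELEASE=2, passes): append
# each missing rule whose target path exists to $FILE.
# IFS is switched to '\n' so multi-line AUDIT_PARAMS yields one rule per
# iteration, restored to the saved default around the helper calls
# (matching audit()), and restored again on exit so the caller's word
# splitting is not left altered -- the original never restored it.
apply () {
    # This feature is only for debian
    if [ "$OS_RELEASE" -eq 2 ]; then
        ok "CentOS/Redhat is not support, so pass"
        return 0
    fi
    d_IFS=$IFS
    IFS=$'\n'
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        check_audit_path "$AUDIT_VALUE"
        if [ "$FNRET" -eq 1 ]; then
            warn "path does not exist! Please check that the file path exists!"
            continue
        fi
        debug "$AUDIT_VALUE should be in file $FILE"
        IFS=$d_IFS
        does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
        if [ "$FNRET" != 0 ]; then
            warn "$AUDIT_VALUE is not in file $FILE, adding it"
            # Quoted so the rule stays a single argument under default IFS.
            add_end_of_file $FILE "$AUDIT_VALUE"
            # NOTE(review): presumably warns when auditd runs immutable (-e 2)
            # and the new rule needs a reboot to load -- confirm against lib.
            check_auditd_is_immutable_mode
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
        IFS=$'\n'
    done
    IFS=$d_IFS
}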
# This function will check config parameters required
# Replaced pam_tally2 with faillock in debian 11
# Build the privileged-pam rule set for the lockout helper in use.
# OS_RELEASE is a distro id for Ubuntu (3) and CentOS (2) but a version
# number for Debian, so the Ubuntu case is tested before the '-lt 11'
# comparison: Ubuntu and Debian >= 11 ship faillock, older Debian releases
# still ship pam_tally/pam_tally2. Unless DONT_AUDITD_BY_UID=1 the rules
# are restricted to real logged-in users (auid >= 1000, auid != unset).
check_config() {
    local uid_filter=''
    if [ "$DONT_AUDITD_BY_UID" -ne 1 ]; then
        uid_filter=' -F auid>=1000 -F auid!=4294967295'
    fi
    if [ "$OS_RELEASE" -eq 3 ] || [ "$OS_RELEASE" -ge 11 ]; then
        AUDIT_PARAMS="-a always,exit -F path=/usr/sbin/faillock -F perm=wxa${uid_filter} -k privileged-pam"
    else
        AUDIT_PARAMS="-a always,exit -F path=/sbin/pam_tally -F perm=wxa${uid_filter} -k privileged-pam
-a always,exit -F path=/sbin/pam_tally2 -F perm=wxa${uid_filter} -k privileged-pam"
    fi
}
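# Source Root Dir Parameter
# Bootstrap: CIS_ROOT_DIR comes from /etc/default/cis-hardening when that
# file is readable (it is sourced as shell code, so keep it root-owned and
# not writable by others), otherwise from the caller's environment.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps this diagnostic reachable under 'set -u'; a bare
# $CIS_ROOT_DIR would abort with "unbound variable" before the message.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# The path is quoted so a root directory containing spaces or glob
# characters is handled correctly.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi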
================================================
FILE: bin/hardening/8.1.27_record_Events_that_modify_conf_files.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9/10 or CentOS Hardening
#
#
# 8.1.27 Record Events That Modify configuration files (Scored)
# Author: Samson-W (sccxboy@gmail.com) author add this
#
# Abort on any unset variable and on the first failing command.
set -eu
# Level-4 check; rules are persisted in the auditd rules.d drop-in file.
HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
# Audit mode: for every configuration-file rule in AUDIT_PARAMS whose
# target path exists on this host, report whether the rule is present in
# $FILE. AUDIT_PARAMS is newline-separated, so IFS is set to '\n' for the
# loop and switched back to the saved default while the pattern helper runs.
audit () {
    local rule
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for rule in $AUDIT_PARAMS; do
        check_audit_path $rule
        # FNRET=1: the watched path is missing here; skip rather than fail.
        if [ "$FNRET" -eq 1 ]; then
            warn "path does not exist! Please check that the file path exists! Rule: $rule"
            continue
        fi
        debug "$rule should be in file $FILE"
        IFS=$d_IFS
        does_pattern_exist_in_file $FILE "$rule"
        IFS=$c_IFS
        case "$FNRET" in
            0) ok "$rule is present in $FILE" ;;
            *) crit "$rule is not in file $FILE" ;;
        esac
    done
    IFS=$d_IFS
}
# This function will be called if the script status is on enabled mode
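# Apply mode: append every missing rule of AUDIT_PARAMS to $FILE.
# Fix: IFS is now saved and restored like audit() does; the original left the
# shell with IFS set to a newline for the rest of the run.
apply () {
    d_IFS=$IFS
    IFS=$'\n'
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        check_audit_path "$AUDIT_VALUE"
        if [ "$FNRET" -eq 1 ]; then
            warn "Path does not exist when applying a rule: $AUDIT_VALUE! Please check that the file path exists!"
            continue
        fi
        debug "$AUDIT_VALUE should be in file $FILE"
        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        if [ "$FNRET" != 0 ]; then
            warn "$AUDIT_VALUE is not in file $FILE, adding it"
            add_end_of_file "$FILE" "$AUDIT_VALUE"
            # A locked (-e 2) configuration only picks the new rule up after a reboot.
            check_auditd_is_immutable_mode
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
    done
    IFS=$d_IFS
}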
# This function will check config parameters required
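# Select the configuration-file watch rules for the running distro.
# `path=` watches one file, `dir=` a directory tree; all fire on write/attribute
# changes (perm=wa) under the config_file_change key.
# Fix: the unsupported-OS branch now sets AUDIT_PARAMS to an empty list. It used
# to leave the variable unset, and the audit/apply loops expand $AUDIT_PARAMS
# under `set -u`, which would abort the script instead of just warning.
check_config() {
    case "$OS_RELEASE" in
        2)
            # CentOS 8
            # NOTE(review): /etc/sysconfig/iptables* are named like files yet watched
            # with dir= here, unlike the path= used for files elsewhere in this list —
            # confirm auditctl accepts dir= on a regular file, or switch them to path=.
            AUDIT_PARAMS='-a always,exit -F path=/etc/audisp/audisp-remote.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/audit/auditd.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/default/grub -F perm=wa -k config_file_change
-a always,exit -F path=/etc/fstab -F perm=wa -k config_file_change
-a always,exit -F path=/etc/hosts.deny -F perm=wa -k config_file_change
-a always,exit -F path=/etc/login.defs -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/audit/rules.d/ -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/pam.d/ -F perm=wa -k config_file_change
-a always,exit -F path=/etc/profile -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/profile.d/ -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/security/ -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/sysconfig/iptables -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/sysconfig/ip6tables -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/sysconfig/ip6tables-config -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/sysconfig/iptables-config -F perm=wa -k config_file_change
-a always,exit -F path=/etc/sysctl.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/rsyslog.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/audisp/plugins.d/au-remote.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/logrotate.conf -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/logrotate.d/ -F perm=wa -k config_file_change'
            ;;
        3)
            # Ubuntu (audisp files live under /etc/audit/ here)
            AUDIT_PARAMS='-a always,exit -F path=/etc/audit/audisp-remote.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/audit/auditd.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/default/grub -F perm=wa -k config_file_change
-a always,exit -F path=/etc/fstab -F perm=wa -k config_file_change
-a always,exit -F path=/etc/hosts.deny -F perm=wa -k config_file_change
-a always,exit -F path=/etc/login.defs -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/audit/rules.d/ -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/pam.d/ -F perm=wa -k config_file_change
-a always,exit -F path=/etc/profile -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/profile.d/ -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/security/ -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/iptables/ -F perm=wa -k config_file_change
-a always,exit -F path=/etc/sysctl.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/rsyslog.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/audit/plugins.d/au-remote.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/logrotate.conf -F perm=wa -k config_file_change'
            ;;
        1|9|10|11|12|13)
            # Debian
            AUDIT_PARAMS='-a always,exit -F path=/etc/audisp/audisp-remote.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/audit/auditd.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/default/grub -F perm=wa -k config_file_change
-a always,exit -F path=/etc/fstab -F perm=wa -k config_file_change
-a always,exit -F path=/etc/hosts.deny -F perm=wa -k config_file_change
-a always,exit -F path=/etc/login.defs -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/audit/rules.d/ -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/pam.d/ -F perm=wa -k config_file_change
-a always,exit -F path=/etc/profile -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/profile.d/ -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/security/ -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/iptables/ -F perm=wa -k config_file_change
-a always,exit -F path=/etc/sysctl.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/rsyslog.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/audisp/plugins.d/au-remote.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/logrotate.conf -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/logrotate.d/ -F perm=wa -k config_file_change'
            ;;
        *)
            warn "No support!!!"
            # Empty list rather than an unset variable (see header comment).
            AUDIT_PARAMS=''
            ;;
    esac
}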
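# Source Root Dir Parameter
# /etc/default/cis-hardening is expected to export CIS_ROOT_DIR. The ":-"
# default keeps the emptiness test itself from tripping `set -u` (enabled at
# the top of this script) when the file is missing, so the explanatory message
# below is actually reached instead of an "unbound variable" abort.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a CIS_ROOT_DIR containing whitespace cannot split into several arguments.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi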
================================================
FILE: bin/hardening/8.1.28_record_acl_cmd_usage.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 8.1.28 Recorded Events that privileged-acl command usage (Scored)
# Author : Samson wen, Samson
#
# todo to ensure path in debian
# Stop on unset variables and on the first failing command.
set -u
set -e
# Rules drop-in under /etc/audit/rules.d that audit()/apply() read and append to.
FILE="/etc/audit/rules.d/audit.rules"
HARDENING_LEVEL=4
# This function will be called if the script status is on enabled / audit mode
# Audit mode: report every rule of AUDIT_PARAMS that is missing from $FILE.
# Textual check of the rules file only — the kernel's loaded rules are not consulted.
audit () {
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        check_audit_path "$AUDIT_VALUE"
        if [ "$FNRET" -eq 1 ]; then
            warn "path does not exist! Please check that the file path exists!"
            continue
        fi
        debug "$AUDIT_VALUE should be in file $FILE"
        # Lookup helper runs under the caller's IFS; newline splitting is put back after.
        IFS=$d_IFS
        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        IFS=$c_IFS
        if [ "$FNRET" = 0 ]; then
            ok "$AUDIT_VALUE is present in $FILE"
        else
            crit "$AUDIT_VALUE is not in file $FILE"
        fi
    done
    IFS=$d_IFS
}
# This function will be called if the script status is on enabled mode
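# Apply mode: append every missing rule of AUDIT_PARAMS to $FILE.
# Fix: IFS is saved and restored as audit() does; the original left IFS set to
# a newline for whatever main.sh runs next.
apply () {
    d_IFS=$IFS
    IFS=$'\n'
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        check_audit_path "$AUDIT_VALUE"
        if [ "$FNRET" -eq 1 ]; then
            warn "path does not exist! Please check that the file path exists!"
            continue
        fi
        debug "$AUDIT_VALUE should be in file $FILE"
        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        if [ "$FNRET" != 0 ]; then
            warn "$AUDIT_VALUE is not in file $FILE, adding it"
            add_end_of_file "$FILE" "$AUDIT_VALUE"
            # A locked (-e 2) configuration only picks the new rule up after a reboot.
            check_auditd_is_immutable_mode
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
    done
    IFS=$d_IFS
}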
# This function will check config parameters required
# Build the ACL-command execution rules (setfacl, chacl) under the perm_chng key.
# With DONT_AUDITD_BY_UID=1 every execution is recorded; otherwise only those of
# real login sessions (auid >= 1000 and a set loginuid, i.e. not 4294967295).
check_config() {
    local uid_filter=''
    if [ "$DONT_AUDITD_BY_UID" -ne 1 ]; then
        uid_filter=' -F auid>=1000 -F auid!=4294967295'
    fi
    local -a rules=()
    local tool
    for tool in setfacl chacl; do
        rules+=("-a always,exit -F path=/usr/bin/$tool -F perm=x${uid_filter} -k perm_chng")
    done
    # Join one rule per line, matching the newline-split loops in audit()/apply().
    local IFS=$'\n'
    AUDIT_PARAMS="${rules[*]}"
}
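# Source Root Dir Parameter
# /etc/default/cis-hardening is expected to export CIS_ROOT_DIR. The ":-"
# default keeps the emptiness test itself from tripping `set -u` (enabled at
# the top of this script) when the file is missing, so the explanatory message
# below is actually reached instead of an "unbound variable" abort.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a CIS_ROOT_DIR containing whitespace cannot split into several arguments.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi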
================================================
FILE: bin/hardening/8.1.29_record_usermod_cmd_usage.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12/13 or CentOS Hardening
#
#
# 8.1.29 Recorded Events that usermod command usage (Scored)
# Author : Samson wen, Samson
#
# Stop on unset variables and on the first failing command.
set -u
set -e
# Rules drop-in under /etc/audit/rules.d that audit()/apply() read and append to.
FILE="/etc/audit/rules.d/audit.rules"
HARDENING_LEVEL=4
# Filled in by check_config(); pre-declared so the loops never see it unset under -u.
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode
# Audit mode: report every rule of AUDIT_PARAMS that is missing from $FILE.
# Textual check of the rules file only — the kernel's loaded rules are not consulted.
audit () {
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        check_audit_path "$AUDIT_VALUE"
        if [ "$FNRET" -eq 1 ]; then
            warn "path does not exist! Please check that the file path exists!"
            continue
        fi
        debug "$AUDIT_VALUE should be in file $FILE"
        # Lookup helper runs under the caller's IFS; newline splitting is put back after.
        IFS=$d_IFS
        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        IFS=$c_IFS
        if [ "$FNRET" = 0 ]; then
            ok "$AUDIT_VALUE is present in $FILE"
        else
            crit "$AUDIT_VALUE is not in file $FILE"
        fi
    done
    IFS=$d_IFS
}
# This function will be called if the script status is on enabled mode
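# Apply mode: append every missing rule of AUDIT_PARAMS to $FILE.
# Fix: IFS is saved and restored as audit() does; the original left IFS set to
# a newline for whatever main.sh runs next.
apply () {
    d_IFS=$IFS
    IFS=$'\n'
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        check_audit_path "$AUDIT_VALUE"
        if [ "$FNRET" -eq 1 ]; then
            warn "path does not exist! Please check that the file path exists!"
            continue
        fi
        debug "$AUDIT_VALUE should be in file $FILE"
        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        if [ "$FNRET" != 0 ]; then
            warn "$AUDIT_VALUE is not in file $FILE, adding it"
            add_end_of_file "$FILE" "$AUDIT_VALUE"
            # A locked (-e 2) configuration only picks the new rule up after a reboot.
            check_auditd_is_immutable_mode
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
    done
    IFS=$d_IFS
}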
# This function will check config parameters required
# Build the usermod execution rule under the privileged-usermod key.
# usermod is /sbin/usermod on CentOS (OS_RELEASE 2) and /usr/sbin/usermod
# elsewhere. With DONT_AUDITD_BY_UID=1 every execution is recorded; otherwise
# only those of real login sessions (auid >= 1000 and a set loginuid).
# Both per-distro variants are left in globals, as before, for any caller that reads them.
check_config() {
    local uid_filter=''
    if [ "$DONT_AUDITD_BY_UID" -ne 1 ]; then
        uid_filter=' -F auid>=1000 -F auid!=4294967295'
    fi
    AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/sbin/usermod -F perm=x${uid_filter} -k privileged-usermod"
    AUDIT_PARAMS_CENTOS="-a always,exit -F path=/sbin/usermod -F perm=x${uid_filter} -k privileged-usermod"
    case "$OS_RELEASE" in
        2) AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS ;;
        *) AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN ;;
    esac
}
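# Source Root Dir Parameter
# /etc/default/cis-hardening is expected to export CIS_ROOT_DIR. The ":-"
# default keeps the emptiness test itself from tripping `set -u` (enabled at
# the top of this script) when the file is missing, so the explanatory message
# below is actually reached instead of an "unbound variable" abort.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a CIS_ROOT_DIR containing whitespace cannot split into several arguments.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi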
================================================
FILE: bin/hardening/8.1.2_enable_auditd.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 8.1.2 Install and Enable auditd Service (Scored)
# Modify by: Samson-W (sccxboy@gmail.com)
#
# Stop on the first failing command and on unset variables.
set -e
set -u
HARDENING_LEVEL=4
# Package name differs per distro family; the service name does not.
PACKAGE="auditd"
PACKAGE_CENTOS="audit"
SERVICE_NAME="auditd"
# This function will be called if the script status is on enabled / audit mode
# Audit mode: the audit package must be installed and the service enabled.
# Note this checks "enabled" (boot-time) only; whether auditd is running now is
# not verified here.
audit () {
    # CentOS ships the userspace as "audit"; everything else as "auditd".
    if [ "$OS_RELEASE" -eq 2 ]; then
        PACKAGE=$PACKAGE_CENTOS
    fi
    is_pkg_installed $PACKAGE
    if [ "$FNRET" != 0 ]; then
        crit "$PACKAGE is not installed!"
        return
    fi
    ok "$PACKAGE is installed"
    is_service_enabled $SERVICE_NAME
    if [ "$FNRET" != 0 ]; then
        crit "$SERVICE_NAME is not enabled"
    else
        ok "$SERVICE_NAME is enabled"
    fi
}
# This function will be called if the script status is on enabled mode
# Apply mode: install the audit package if absent and enable (and start) the service.
apply () {
    # CentOS ships the userspace as "audit"; everything else as "auditd".
    if [ "$OS_RELEASE" -eq 2 ]; then
        PACKAGE=$PACKAGE_CENTOS
    fi
    is_pkg_installed $PACKAGE
    if [ "$FNRET" != 0 ]; then
        warn "$PACKAGE is absent, installing it"
        case "$OS_RELEASE" in
            2) yum install -y $PACKAGE ;;
            *) apt_install $PACKAGE ;;
        esac
    else
        ok "$PACKAGE is installed"
    fi
    is_service_enabled $SERVICE_NAME
    if [ "$FNRET" = 0 ]; then
        ok "$SERVICE_NAME is enabled"
        return
    fi
    warn "$SERVICE_NAME is not enabled, enabling it"
    # systemd path for Debian 9 and CentOS, sysvinit update-rc.d otherwise.
    # NOTE(review): is_debian_9 reads as release-specific (8.1.3 uses a separate
    # is_debian_ge_10), so Debian >= 10 may take the update-rc.d branch, which
    # enables but never starts the service — confirm what the helper returns there.
    is_debian_9
    if [ "$FNRET" = 0 ] || [ "$OS_RELEASE" -eq 2 ]; then
        systemctl enable $SERVICE_NAME
        systemctl start $SERVICE_NAME
    else
        update-rc.d $SERVICE_NAME remove > /dev/null 2>&1
        update-rc.d $SERVICE_NAME defaults > /dev/null 2>&1
    fi
}
# This function will check config parameters required
# Nothing to derive: package and service names are fixed at the top of the script.
check_config() {
    true
}
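# Source Root Dir Parameter
# /etc/default/cis-hardening is expected to export CIS_ROOT_DIR. The ":-"
# default keeps the emptiness test itself from tripping `set -u` (enabled at
# the top of this script) when the file is missing, so the explanatory message
# below is actually reached instead of an "unbound variable" abort.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a CIS_ROOT_DIR containing whitespace cannot split into several arguments.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi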
================================================
FILE: bin/hardening/8.1.30_record_unix_update_cmd_usage.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 8.1.30 Recorded Events that unix_update command usage (Scored)
# Author : Samson wen, Samson
#
# Stop on unset variables and on the first failing command.
set -u
set -e
# Rules drop-in under /etc/audit/rules.d that audit()/apply() read and append to.
FILE="/etc/audit/rules.d/audit.rules"
HARDENING_LEVEL=4
# This function will be called if the script status is on enabled / audit mode
# Audit mode: report every rule of AUDIT_PARAMS that is missing from $FILE.
# Textual check of the rules file only — the kernel's loaded rules are not consulted.
audit () {
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        check_audit_path "$AUDIT_VALUE"
        if [ "$FNRET" -eq 1 ]; then
            warn "path does not exist! Please check that the file path exists!"
            continue
        fi
        debug "$AUDIT_VALUE should be in file $FILE"
        # Lookup helper runs under the caller's IFS; newline splitting is put back after.
        IFS=$d_IFS
        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        IFS=$c_IFS
        if [ "$FNRET" = 0 ]; then
            ok "$AUDIT_VALUE is present in $FILE"
        else
            crit "$AUDIT_VALUE is not in file $FILE"
        fi
    done
    IFS=$d_IFS
}
# This function will be called if the script status is on enabled mode
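# Apply mode: append every missing rule of AUDIT_PARAMS to $FILE.
# Fix: IFS is saved and restored as audit() does; the original left IFS set to
# a newline for whatever main.sh runs next.
apply () {
    d_IFS=$IFS
    IFS=$'\n'
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        check_audit_path "$AUDIT_VALUE"
        if [ "$FNRET" -eq 1 ]; then
            warn "path does not exist! Please check that the file path exists!"
            continue
        fi
        debug "$AUDIT_VALUE should be in file $FILE"
        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        if [ "$FNRET" != 0 ]; then
            warn "$AUDIT_VALUE is not in file $FILE, adding it"
            add_end_of_file "$FILE" "$AUDIT_VALUE"
            # A locked (-e 2) configuration only picks the new rule up after a reboot.
            check_auditd_is_immutable_mode
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
    done
    IFS=$d_IFS
}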
# This function will check config parameters required
# Build the unix_update execution rule under the privileged-unix-update key.
# With DONT_AUDITD_BY_UID=1 every execution is recorded; otherwise only those
# of real login sessions (auid >= 1000 and a set loginuid, i.e. not 4294967295).
# The path is /sbin/unix_update; check_audit_path in audit()/apply() skips the
# rule when it does not exist on this host.
check_config() {
    local uid_filter=''
    if [ "$DONT_AUDITD_BY_UID" -ne 1 ]; then
        uid_filter=' -F auid>=1000 -F auid!=4294967295'
    fi
    AUDIT_PARAMS="-a always,exit -F path=/sbin/unix_update -F perm=x${uid_filter} -k privileged-unix-update"
}
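# Source Root Dir Parameter
# /etc/default/cis-hardening is expected to export CIS_ROOT_DIR. The ":-"
# default keeps the emptiness test itself from tripping `set -u` (enabled at
# the top of this script) when the file is missing, so the explanatory message
# below is actually reached instead of an "unbound variable" abort.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a CIS_ROOT_DIR containing whitespace cannot split into several arguments.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi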
================================================
FILE: bin/hardening/8.1.31_record_file_transfer_related.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9/10 Hardening
#
#
# 8.1.31 Collect file transfer related items (Scored)
# Add by Author : Samson wen, Samson
#
# Stop on the first failing command and on unset variables.
set -e
set -u
HARDENING_LEVEL=4
# Rules drop-in under /etc/audit/rules.d that audit()/apply() read and append to.
FILE="/etc/audit/rules.d/audit.rules"
# This function will be called if the script status is on enabled / audit mode
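# Audit mode: report every file-transfer rule whose watched path is missing from $FILE.
# Fix: the leftover `echo "DONT_AUDITD_BY_UID ..."` that printed to stdout on every
# audit run is now routed through debug() like the rest of the diagnostics.
# Presence is judged by the watched path alone (the value after the first "-F ...="),
# so a rule for the same binary with a different perm/key/auid filter still counts
# as present. Textual check of the rules file only; the kernel is not consulted.
audit () {
    debug "DONT_AUDITD_BY_UID $DONT_AUDITD_BY_UID"
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
        check_audit_path "$AUDIT_VALUE"
        if [ "$FNRET" -eq 1 ]; then
            warn "path does not exist! Please check that the file path exists!"
            continue
        fi
        IFS=$d_IFS
        # Second "-F" field is " path=/x ", its "="-split second half is "/x " (trailing blank kept).
        RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
        does_valid_pattern_exist_in_file "$FILE" "$RESULT"
        IFS=$c_IFS
        if [ "$FNRET" != 0 ]; then
            crit "$RESULT is not in file $FILE"
        else
            ok "$RESULT is present in $FILE"
        fi
    done
    IFS=$d_IFS
}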
# This function will be called if the script status is on enabled mode
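# Apply mode: append every file-transfer rule whose watched path is not yet in $FILE.
# Presence is judged by the path alone (see audit()).
# Fix: IFS is saved and restored as audit() does; the original left IFS set to
# a newline for whatever main.sh runs next.
apply () {
    d_IFS=$IFS
    IFS=$'\n'
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
        check_audit_path "$AUDIT_VALUE"
        if [ "$FNRET" -eq 1 ]; then
            warn "path does not exist! Please check that the file path exists!"
            continue
        fi
        RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
        does_valid_pattern_exist_in_file "$FILE" "$RESULT"
        if [ "$FNRET" != 0 ]; then
            warn "$AUDIT_VALUE is not in file $FILE, adding it"
            add_end_of_file "$FILE" "$AUDIT_VALUE"
            # A locked (-e 2) configuration only picks the new rule up after a reboot.
            check_auditd_is_immutable_mode
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
    done
    IFS=$d_IFS
}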
# This function will check config parameters required
# Build execution rules for the usual file-transfer tools (scp, wget, sftp, curl)
# under the file_transfer_exec key. With DONT_AUDITD_BY_UID=1 every execution is
# recorded; otherwise only those of real login sessions (auid >= 1000 and a set
# loginuid, i.e. not 4294967295).
check_config() {
    local uid_filter=''
    if [ "$DONT_AUDITD_BY_UID" -ne 1 ]; then
        uid_filter=' -F auid>=1000 -F auid!=4294967295'
    fi
    local -a rules=()
    local tool
    for tool in scp wget sftp curl; do
        rules+=("-a always,exit -F path=/usr/bin/$tool -F perm=x${uid_filter} -k file_transfer_exec")
    done
    # Join one rule per line, matching the newline-split loops in audit()/apply().
    local IFS=$'\n'
    AUDIT_PARAMS="${rules[*]}"
}
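# Source Root Dir Parameter
# /etc/default/cis-hardening is expected to export CIS_ROOT_DIR. The ":-"
# default keeps the emptiness test itself from tripping `set -u` (enabled at
# the top of this script) when the file is missing, so the explanatory message
# below is actually reached instead of an "unbound variable" abort.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a CIS_ROOT_DIR containing whitespace cannot split into several arguments.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi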
================================================
FILE: bin/hardening/8.1.32_record_ufw_of_debian_like.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 Hardening
#
# This script only support Debian-like desktop, So set to x11 service list
# 8.1.32 Collect ufw related items (Scored)
# Add by Author : Samson wen, Samson
#
# Stop on the first failing command and on unset variables.
set -e
set -u
HARDENING_LEVEL=4
# Desktop-only check: hosts tagged with the x11 exception skip it (see ISEXCEPTION).
HARDENING_EXCEPTION=x11
# Watch the ufw configuration tree and defaults file for writes/attribute changes,
# and the ufw binary for writes, attribute changes and execution.
AUDIT_PARAMS='-a always,exit -F dir=/etc/ufw/ -F perm=wa -k ufw_config_file_chg
-a always,exit -F path=/etc/default/ufw -F perm=wa -k ufw_config_file_chg
-a always,exit -F path=/usr/sbin/ufw -F perm=wax -k ufw_command_wax
'
# Rules drop-in under /etc/audit/rules.d that audit()/apply() read and append to.
FILE="/etc/audit/rules.d/audit.rules"
# This function will be called if the script status is on enabled / audit mode
# Audit mode: report every ufw rule whose watched path is missing from $FILE.
# Skipped entirely when the x11 exception is set (ISEXCEPTION=1).
# Presence is judged by the watched path alone (value after the first "-F ...="),
# so a rule for the same path with a different perm/key still counts as present.
# Textual check of the rules file only; the kernel is not consulted.
audit () {
    if [ "$ISEXCEPTION" -eq 1 ]; then
        warn "Exception is set to 1, so it's pass!"
        return
    fi
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
        check_audit_path "$AUDIT_VALUE"
        if [ "$FNRET" -eq 1 ]; then
            warn "path does not exist! Please check that the file path exists!"
            continue
        fi
        IFS=$d_IFS
        RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{ split($2, kv, "="); print kv[2] }')
        does_valid_pattern_exist_in_file "$FILE" "$RESULT"
        IFS=$c_IFS
        if [ "$FNRET" = 0 ]; then
            ok "$RESULT is present in $FILE"
        else
            crit "$RESULT is not in file $FILE"
        fi
    done
    IFS=$d_IFS
}
# This function will be called if the script status is on enabled mode
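# Apply mode: append every ufw rule whose watched path is not yet in $FILE.
# Skipped entirely when the x11 exception is set (ISEXCEPTION=1).
# Fix: IFS is saved and restored as audit() does; the original left IFS set to
# a newline for whatever main.sh runs next.
apply () {
    if [ "$ISEXCEPTION" -eq 1 ]; then
        warn "Exception is set to 1, so it's pass!"
        return
    fi
    d_IFS=$IFS
    IFS=$'\n'
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
        check_audit_path "$AUDIT_VALUE"
        if [ "$FNRET" -eq 1 ]; then
            warn "path does not exist! Please check that the file path exists!"
            continue
        fi
        # Presence is judged by the watched path alone (see audit()).
        RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
        does_valid_pattern_exist_in_file "$FILE" "$RESULT"
        if [ "$FNRET" != 0 ]; then
            warn "$AUDIT_VALUE is not in file $FILE, adding it"
            add_end_of_file "$FILE" "$AUDIT_VALUE"
            # A locked (-e 2) configuration only picks the new rule up after a reboot.
            check_auditd_is_immutable_mode
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
    done
    IFS=$d_IFS
}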
# This function will create the config file for this check with default values
create_config() {
cat <
#
# Stop on the first failing command and on unset variables.
set -e
set -u
HARDENING_LEVEL=4
# Record executions of the iptables/ip6tables rule loaders.
AUDIT_PARAMS='-a always,exit -F path=/sbin/iptables-restore -F perm=x -k iptables_restore_exec
-a always,exit -F path=/sbin/ip6tables-restore -F perm=x -k iptables_restore_exec'
# Rules drop-in under /etc/audit/rules.d that audit()/apply() read and append to.
FILE="/etc/audit/rules.d/audit.rules"
# This function will be called if the script status is on enabled / audit mode
# Audit mode: report every rule whose watched path is missing from $FILE.
# Presence is judged by the watched path alone (value after the first "-F ...="),
# so a rule for the same binary with a different perm/key still counts as present.
# Textual check of the rules file only; the kernel is not consulted.
audit () {
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
        check_audit_path "$AUDIT_VALUE"
        if [ "$FNRET" -eq 1 ]; then
            warn "path does not exist! Please check that the file path exists!"
            continue
        fi
        IFS=$d_IFS
        RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{ split($2, kv, "="); print kv[2] }')
        does_valid_pattern_exist_in_file "$FILE" "$RESULT"
        IFS=$c_IFS
        if [ "$FNRET" = 0 ]; then
            ok "$RESULT is present in $FILE"
        else
            crit "$RESULT is not in file $FILE"
        fi
    done
    IFS=$d_IFS
}
# This function will be called if the script status is on enabled mode
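# Apply mode: append every rule whose watched path is not yet in $FILE.
# Presence is judged by the path alone (see audit()).
# Fix: IFS is saved and restored as audit() does; the original left IFS set to
# a newline for whatever main.sh runs next.
apply () {
    d_IFS=$IFS
    IFS=$'\n'
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
        check_audit_path "$AUDIT_VALUE"
        if [ "$FNRET" -eq 1 ]; then
            warn "path does not exist! Please check that the file path exists!"
            continue
        fi
        RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
        does_valid_pattern_exist_in_file "$FILE" "$RESULT"
        if [ "$FNRET" != 0 ]; then
            warn "$AUDIT_VALUE is not in file $FILE, adding it"
            add_end_of_file "$FILE" "$AUDIT_VALUE"
            # A locked (-e 2) configuration only picks the new rule up after a reboot.
            check_auditd_is_immutable_mode
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
    done
    IFS=$d_IFS
}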
# This function will check config parameters required
# Nothing to derive: AUDIT_PARAMS is fixed at the top of the script.
check_config() {
    true
}
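# Source Root Dir Parameter
# /etc/default/cis-hardening is expected to export CIS_ROOT_DIR. The ":-"
# default keeps the emptiness test itself from tripping `set -u` (enabled at
# the top of this script) when the file is missing, so the explanatory message
# below is actually reached instead of an "unbound variable" abort.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a CIS_ROOT_DIR containing whitespace cannot split into several arguments.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi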
================================================
FILE: bin/hardening/8.1.34_record_privileged_commands.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 8.1.34 Collect Use of Privileged Commands (Scored)
#
# Stop on the first failing command and on unset variables.
set -e
set -u
HARDENING_LEVEL=4
# Rules drop-in under /etc/audit/rules.d that audit()/apply() read and append to.
FILE="/etc/audit/rules.d/audit.rules"
# This function will be called if the script status is on enabled / audit mode
# Audit mode: report every setuid/setgid binary (rules built by check_config) that
# has no watch in $FILE. No existence check is needed: the rules come from find.
# Presence is judged by the watched path alone (value after the first "-F ...="),
# so a rule for the same binary with a different perm/key still counts as present.
# Textual check of the rules file only; the kernel is not consulted.
audit () {
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
        IFS=$d_IFS
        RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{ split($2, kv, "="); print kv[2] }')
        does_valid_pattern_exist_in_file "$FILE" "$RESULT"
        IFS=$c_IFS
        if [ "$FNRET" = 0 ]; then
            ok "$RESULT is present in $FILE"
        else
            crit "$RESULT is not in file $FILE"
        fi
    done
    IFS=$d_IFS
}
# This function will be called if the script status is on enabled mode
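# Apply mode: append a watch for every setuid/setgid binary not yet in $FILE.
# Presence is judged by the path alone (see audit()).
# Fix: IFS is saved and restored as audit() does; the original left IFS set to
# a newline for whatever main.sh runs next.
apply () {
    d_IFS=$IFS
    IFS=$'\n'
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
        RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
        does_valid_pattern_exist_in_file "$FILE" "$RESULT"
        if [ "$FNRET" != 0 ]; then
            warn "$AUDIT_VALUE is not in file $FILE, adding it"
            add_end_of_file "$FILE" "$AUDIT_VALUE"
            # A locked (-e 2) configuration only picks the new rule up after a reboot.
            check_auditd_is_immutable_mode
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
    done
    IFS=$d_IFS
}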
# This function will check config parameters required
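# Build one execution rule (key "privileged") per setuid/setgid file on the host.
# Fix: the scan now covers every locally mounted filesystem instead of only the
# one holding "/". `find / -xdev` never descends into a separately mounted /usr,
# /opt or /home, so privileged binaries there got no rule. Each root is still
# searched with -xdev so no mount is crossed or scanned twice.
# PRIVILEGED_CMD_SEARCH_ROOTS (optional, whitespace-separated directories)
# overrides the mount-point list, e.g. to scope or test the scan.
# With DONT_AUDITD_BY_UID=1 every execution is recorded; otherwise only those
# of real login sessions (auid >= 1000 and a set loginuid, i.e. not 4294967295).
check_config() {
    local roots uid_filter=''
    roots=${PRIVILEGED_CMD_SEARCH_ROOTS:-$(df --local -P | awk 'NR != 1 { print $6 }')}
    if [ "$DONT_AUDITD_BY_UID" -ne 1 ]; then
        uid_filter=' -F auid>=1000 -F auid!=4294967295'
    fi
    # Word-split the root list on whitespace regardless of the caller's IFS.
    local IFS=$' \t\n'
    local root
    AUDIT_PARAMS=$(
        for root in $roots; do
            # find exits non-zero on unreadable subtrees; do not let errexit cut the scan short.
            find "$root" -xdev \( -perm -4000 -o -perm -2000 \) -type f || true
        done | awk -v filter="$uid_filter" '{ print "-a always,exit -F path=" $1 " -F perm=x" filter " -k privileged" }'
    )
}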
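# Source Root Dir Parameter
# /etc/default/cis-hardening is expected to export CIS_ROOT_DIR. The ":-"
# default keeps the emptiness test itself from tripping `set -u` (enabled at
# the top of this script) when the file is missing, so the explanatory message
# below is actually reached instead of an "unbound variable" abort.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a CIS_ROOT_DIR containing whitespace cannot split into several arguments.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi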
================================================
FILE: bin/hardening/8.1.35_freeze_auditd_conf.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 or CentOS Hardening
#
#
# 8.1.35 Make the Audit Configuration Immutable (Scored)
# Modify by: Samson-W (sccxboy@gmail.com)
#
# Stop on the first failing command and on unset variables.
set -e
set -u
HARDENING_LEVEL=4
# "-e 2" locks the audit configuration once loaded (immutable mode).
AUDIT_PARAMS='-e 2'
# Rules drop-in under /etc/audit/rules.d that audit()/apply() read and append to.
FILE="/etc/audit/rules.d/audit.rules"
# This function will be called if the script status is on enabled / audit mode
# Audit mode: the "-e 2" (immutable) line must be present in $FILE.
# NOTE(review): this is a textual check of the rules file; whether the running
# kernel is actually locked is not consulted. The pattern starts with "-e", so
# confirm does_pattern_exist_in_file hands it to grep after "--" (otherwise grep
# would read it as its own -e option).
audit () {
    d_IFS=$IFS
    IFS=$'\n'
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        if [ "$FNRET" = 0 ]; then
            ok "$AUDIT_VALUE is present in $FILE"
        else
            crit "$AUDIT_VALUE is not in file $FILE"
        fi
    done
    IFS=$d_IFS
}
# This function will be called if the script status is on enabled mode
# Apply mode: append "-e 2" to $FILE if it is not there yet.
# NOTE(review): the line is appended to audit.rules in rules.d. If the rules are
# merged by augenrules the "-e" line is expected to end up last; if this file is
# ever loaded directly with auditctl -R, anything appended after it is ignored
# — confirm the loader in use.
apply () {
    d_IFS=$IFS
    IFS=$'\n'
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        if [ "$FNRET" = 0 ]; then
            ok "$AUDIT_VALUE is present in $FILE"
            continue
        fi
        warn "$AUDIT_VALUE is not in file $FILE, adding it"
        add_end_of_file "$FILE" "$AUDIT_VALUE"
        # Once the configuration is locked, further changes need a reboot; the
        # helper is presumably what reports that to the operator.
        check_auditd_is_immutable_mode
    done
    IFS=$d_IFS
}
# This function will check config parameters required
# Nothing to derive: AUDIT_PARAMS is fixed at the top of the script.
check_config() {
    true
}
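# Source Root Dir Parameter
# /etc/default/cis-hardening is expected to export CIS_ROOT_DIR. The ":-"
# default keeps the emptiness test itself from tripping `set -u` (enabled at
# the top of this script) when the file is missing, so the explanatory message
# below is actually reached instead of an "unbound variable" abort.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a CIS_ROOT_DIR containing whitespace cannot split into several arguments.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi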
================================================
FILE: bin/hardening/8.1.3_audit_bootloader.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS 8 Hardening
# Modify author:
# Samson-W (sccxboy@gmail.com)
#
#
# 8.1.3 Enable Auditing for Processes That Start Prior to auditd (Scored)
#
# todo test for centos
# Stop on the first failing command and on unset variables.
set -e
set -u
HARDENING_LEVEL=4
# GRUB defaults file and the variable whose quoted value receives "audit=1".
FILE="/etc/default/grub"
KEYWORD="GRUB_CMDLINE_LINUX"
OPTION="audit"
SETVAL=1
# On Debian >= 10 audit() judges compliance by this unit being active instead.
SERVICENAME="auditd.service"
# Booted kernel command line, where audit() looks for audit=1 on older releases.
PROCCMDLIN="/proc/cmdline"
# This function will be called if the script status is on enabled / audit mode
# Audit mode. Leaves FNRET=0 (compliant) or FNRET=1 (needs remediation) for apply().
# Debian >= 10: auditd.service must be active. Older releases: the booted kernel
# command line must carry audit=1.
# NOTE(review): the Debian >= 10 branch never looks at $PROCCMDLIN, so a missing
# audit=1 kernel parameter is not reported there; capturing events raised before
# auditd starts is the point of this control — consider checking both.
audit () {
    is_debian_ge_10
    if [ "$FNRET" = 0 ]; then
        is_service_active $SERVICENAME
        if [ "$FNRET" -eq 0 ]; then
            ok "$SERVICENAME is active!"
            FNRET=0
        else
            crit "$SERVICENAME is inactive!"
            FNRET=1
        fi
        return
    fi
    # grep -c stays inside the test so its exit status 1 (no match) is not fatal under set -e.
    if [ "$(grep -c "${OPTION}=${SETVAL}" "$PROCCMDLIN")" -eq 1 ]; then
        ok "There are ${OPTION}=${SETVAL} in $PROCCMDLIN"
        FNRET=0
    else
        crit "There aren't ${OPTION}=${SETVAL} in ${PROCCMDLIN}"
        FNRET=1
    fi
}
# This function will be called if the script status is on enabled mode
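# Apply mode, driven by FNRET from audit(): 0 = already compliant, 1 = remediate.
# Debian >= 10: start auditd.service. Older releases: add "audit=1" to
# GRUB_CMDLINE_LINUX in /etc/default/grub and regenerate the GRUB config.
# Fix: the CentOS branch invoked `grub2-mkconfig –o ...` with a Unicode en dash
# (U+2013) instead of "-o", which grub2-mkconfig does not parse as the output
# option, so grub.cfg was never regenerated there. Plain ASCII "-o" now.
apply () {
    if [ "$FNRET" = 0 ]; then
        ok "${OPTION}'s set is correctly."
    elif [ "$FNRET" = 1 ]; then
        is_debian_ge_10
        if [ "$FNRET" = 0 ]; then
            warn "Start $SERVICENAME"
            systemctl start $SERVICENAME
        else
            does_valid_pattern_exist_in_file $FILE "${OPTION}=${SETVAL}"
            if [ "$FNRET" = 0 ]; then
                warn "$OPTION was present in $FILE, just need to reboot the system after setting it"
            else
                warn "$OPTION is not present in $FILE, add it to $KEYWORD line, need to reboot the system after setting it"
                # Append " audit=1" inside the quotes of the GRUB_CMDLINE_LINUX="..." line.
                sed -i "s;\(${KEYWORD}=\)\(\".*\)\(\"\);\1\2 ${OPTION}=${SETVAL}\3;" $FILE
                # NOTE(review): only OS_RELEASE 1 and 2 regenerate GRUB here; other
                # releases get the edited defaults file but no rebuilt grub.cfg.
                if [ "$OS_RELEASE" -eq 1 ]; then
                    /usr/sbin/update-grub2
                elif [ "$OS_RELEASE" -eq 2 ]; then
                    # NOTE(review): UEFI installs keep grub.cfg under /boot/efi/EFI/<distro>/ — confirm for such hosts.
                    grub2-mkconfig -o /boot/grub2/grub.cfg
                fi
            fi
        fi
    fi
}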
# This function will check config parameters required
# Nothing to derive: file, keyword and option are fixed at the top of the script.
check_config() {
    true
}
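# Source Root Dir Parameter
# /etc/default/cis-hardening is expected to export CIS_ROOT_DIR. The ":-"
# default keeps the emptiness test itself from tripping `set -u` (enabled at
# the top of this script) when the file is missing, so the explanatory message
# below is actually reached instead of an "unbound variable" abort.
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a CIS_ROOT_DIR containing whitespace cannot split into several arguments.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi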
================================================
FILE: bin/hardening/8.1.4_record_date_time_edit.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 8.1.4 Record Events That Modify Date and Time Information (Scored)
# Modify by: Samson-W (sccxboy@gmail.com)
#
# Stop on the first failing command and on unset variables.
set -e
set -u
HARDENING_LEVEL=4
# 64-bit kernels need both the b64 and b32 syscall rules plus the /etc/localtime watch.
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change'
# Only for arch is 32 bit: a 32-bit kernel has no b64 ABI to filter on.
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change'
# Rules drop-in under /etc/audit/rules.d that audit()/apply() read and append to.
FILE="/etc/audit/rules.d/audit.rules"
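# This function will be called if the script status is on enabled / audit mode
# Audit mode: pick the rule set for the host architecture and report whether
# each time-change rule is present in $FILE.
# Reads:   ARCH64_AUDIT_PARAMS, ARCH32_AUDIT_PARAMS, FILE, FNRET (set by helpers)
# Writes:  AUDIT_PARAMS (the selected rule set, also consumed by apply), IFS
#          is temporarily changed and restored
# Outputs: debug/warn/crit/ok lines through the framework logging helpers
audit () {
  # Rules contain spaces, so iterate over lines only; restore IFS when done.
  d_IFS=$IFS
  IFS=$'\n'
  is_64bit_arch
  # The original `[ $FNRET=0 ]` was a one-word string test that is always
  # true, so the 64-bit rule set was selected even on 32-bit hosts.
  # is_64bit_arch is assumed to report 0 in FNRET on 64-bit (the author's
  # evident intent).
  if [ "$FNRET" -eq 0 ]; then
    AUDIT_PARAMS=$ARCH64_AUDIT_PARAMS
  else
    AUDIT_PARAMS=$ARCH32_AUDIT_PARAMS
  fi
  for AUDIT_VALUE in $AUDIT_PARAMS; do
    debug "$AUDIT_VALUE should be in file $FILE"
    # Quoted: the whole rule is one argument and no pathname expansion applies.
    check_audit_path "$AUDIT_VALUE"
    if [ "$FNRET" -eq 1 ]; then
      warn "path does not exist! Please check that the file path exists!"
      continue
    fi
    does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
    if [ "$FNRET" != 0 ]; then
      crit "$AUDIT_VALUE is not in file $FILE"
    else
      ok "$AUDIT_VALUE is present in $FILE"
    fi
  done
  IFS=$d_IFS
}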
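# This function will be called if the script status is on enabled mode
# Apply mode: append every missing time-change rule to $FILE.
# Reads:   ARCH64_AUDIT_PARAMS, ARCH32_AUDIT_PARAMS, FILE, FNRET (set by helpers)
# Writes:  AUDIT_PARAMS, IFS (temporarily changed and restored); appends to $FILE
# Outputs: debug/warn/ok lines through the framework logging helpers
apply () {
  d_IFS=$IFS
  IFS=$'\n'
  # Select the rule set here as well: the original relied on audit() having
  # run first, and under `set -u` an unset AUDIT_PARAMS aborts the script.
  is_64bit_arch
  if [ "$FNRET" -eq 0 ]; then
    AUDIT_PARAMS=$ARCH64_AUDIT_PARAMS
  else
    AUDIT_PARAMS=$ARCH32_AUDIT_PARAMS
  fi
  for AUDIT_VALUE in $AUDIT_PARAMS; do
    debug "$AUDIT_VALUE should be in file $FILE"
    check_audit_path "$AUDIT_VALUE"
    if [ "$FNRET" -eq 1 ]; then
      warn "path does not exist! Please check that the file path exists!"
      continue
    fi
    does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
    if [ "$FNRET" != 0 ]; then
      warn "$AUDIT_VALUE is not in file $FILE, adding it"
      add_end_of_file "$FILE" "$AUDIT_VALUE"
      # A rules file ending in `-e 2` cannot be reloaded without a reboot;
      # the helper reports that condition.
      check_auditd_is_immutable_mode
    else
      ok "$AUDIT_VALUE is present in $FILE"
    fi
  done
  IFS=$d_IFS
}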
# This function will check config parameters required
# No parameters are needed for this check; always succeeds.
check_config() {
  return 0
}
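# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps the intended diagnostic reachable under `set -u`;
# a bare "$CIS_ROOT_DIR" would abort as an unbound variable first.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted: CIS_ROOT_DIR is read from a config file and may contain spaces.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi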
================================================
FILE: bin/hardening/8.1.5_record_user_group_edit.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 8.1.5 Record Events That Modify User/Group Information (Scored)
#
set -o errexit  # abort on the first failing command
set -o nounset  # abort on any reference to an unset variable
HARDENING_LEVEL=4
# Watch rules (one per line) for the account databases; key: identity.
AUDIT_PARAMS='-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity'
# auditd rules file the rules are checked in / appended to
FILE='/etc/audit/rules.d/audit.rules'
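# This function will be called if the script status is on enabled / audit mode
# Audit mode: report whether each identity watch rule is present in $FILE.
# Reads:   AUDIT_PARAMS (one rule per line), FILE, FNRET (set by the helpers)
# Writes:  IFS (temporarily changed and restored)
# Outputs: debug/warn/crit/ok lines through the framework logging helpers
audit () {
  # Rules contain spaces, so iterate over lines only; restore IFS when done.
  d_IFS=$IFS
  IFS=$'\n'
  for AUDIT_VALUE in $AUDIT_PARAMS; do
    debug "$AUDIT_VALUE should be in file $FILE"
    # Quoted: the whole rule is one argument and no pathname expansion applies.
    check_audit_path "$AUDIT_VALUE"
    if [ "$FNRET" -eq 1 ]; then
      warn "path does not exist! Please check that the file path exists!"
      continue
    fi
    does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
    if [ "$FNRET" != 0 ]; then
      crit "$AUDIT_VALUE is not in file $FILE"
    else
      ok "$AUDIT_VALUE is present in $FILE"
    fi
  done
  IFS=$d_IFS
}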
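# This function will be called if the script status is on enabled mode
# Apply mode: append every missing identity watch rule to $FILE.
# Reads:   AUDIT_PARAMS, FILE, FNRET (set by the helpers)
# Writes:  IFS (temporarily changed and restored); appends to $FILE
# Outputs: debug/warn/ok lines through the framework logging helpers
apply () {
  d_IFS=$IFS
  IFS=$'\n'
  for AUDIT_VALUE in $AUDIT_PARAMS; do
    debug "$AUDIT_VALUE should be in file $FILE"
    # Quoted: the whole rule is one argument and no pathname expansion applies.
    check_audit_path "$AUDIT_VALUE"
    if [ "$FNRET" -eq 1 ]; then
      warn "path does not exist! Please check that the file path exists!"
      continue
    fi
    does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
    if [ "$FNRET" != 0 ]; then
      warn "$AUDIT_VALUE is not in file $FILE, adding it"
      add_end_of_file "$FILE" "$AUDIT_VALUE"
      # A rules file ending in `-e 2` cannot be reloaded without a reboot;
      # the helper reports that condition.
      check_auditd_is_immutable_mode
    else
      ok "$AUDIT_VALUE is present in $FILE"
    fi
  done
  IFS=$d_IFS
}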
# This function will check config parameters required
# Nothing is configurable for this check, so it always succeeds.
check_config() {
  return 0
}
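# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps the intended diagnostic reachable under `set -u`;
# a bare "$CIS_ROOT_DIR" would abort as an unbound variable first.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted: CIS_ROOT_DIR is read from a config file and may contain spaces.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi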
================================================
FILE: bin/hardening/8.1.6_record_network_edit.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 8.1.6 Record Events That Modify the System's Network Environment (Scored)
# Modify by: Samson-W (sccxboy@gmail.com)
#
set -o errexit  # abort on the first failing command
set -o nounset  # abort on any reference to an unset variable
HARDENING_LEVEL=4
# Rule set for 64-bit hosts: hostname/domainname syscalls on both ABIs plus
# watches on the network-identity files (audit key: system-locale).
ARCH64_AUDIT_PARAMS='-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale'
# Rule set for 32-bit hosts: only the b32 ABI exists there.
ARCH32_AUDIT_PARAMS='-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale'
# auditd rules file the rules are checked in / appended to
FILE='/etc/audit/rules.d/audit.rules'
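# This function will be called if the script status is on enabled / audit mode
# Audit mode: pick the rule set for the host architecture and report whether
# each system-locale rule is present in $FILE.
# Reads:   ARCH64_AUDIT_PARAMS, ARCH32_AUDIT_PARAMS, FILE, FNRET (set by helpers)
# Writes:  AUDIT_PARAMS (the selected rule set, also consumed by apply), IFS
#          is temporarily changed and restored
# Outputs: debug/warn/crit/ok lines through the framework logging helpers
audit () {
  # Rules contain spaces, so iterate over lines only; restore IFS when done.
  d_IFS=$IFS
  IFS=$'\n'
  is_64bit_arch
  # The original `[ $FNRET=0 ]` was a one-word string test that is always
  # true, so the 64-bit rule set was selected even on 32-bit hosts.
  # is_64bit_arch is assumed to report 0 in FNRET on 64-bit (the author's
  # evident intent).
  if [ "$FNRET" -eq 0 ]; then
    AUDIT_PARAMS=$ARCH64_AUDIT_PARAMS
  else
    AUDIT_PARAMS=$ARCH32_AUDIT_PARAMS
  fi
  for AUDIT_VALUE in $AUDIT_PARAMS; do
    debug "$AUDIT_VALUE should be in file $FILE"
    # Quoted: the whole rule is one argument and no pathname expansion applies.
    check_audit_path "$AUDIT_VALUE"
    if [ "$FNRET" -eq 1 ]; then
      warn "path does not exist! Please check that the file path exists!"
      continue
    fi
    does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
    if [ "$FNRET" != 0 ]; then
      crit "$AUDIT_VALUE is not in file $FILE"
    else
      ok "$AUDIT_VALUE is present in $FILE"
    fi
  done
  IFS=$d_IFS
}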
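# This function will be called if the script status is on enabled mode
# Apply mode: append every missing system-locale rule to $FILE.
# Reads:   ARCH64_AUDIT_PARAMS, ARCH32_AUDIT_PARAMS, FILE, FNRET (set by helpers)
# Writes:  AUDIT_PARAMS, IFS (temporarily changed and restored); appends to $FILE
# Outputs: debug/warn/ok lines through the framework logging helpers
apply () {
  d_IFS=$IFS
  IFS=$'\n'
  # Select the rule set here as well: the original relied on audit() having
  # run first, and under `set -u` an unset AUDIT_PARAMS aborts the script.
  is_64bit_arch
  if [ "$FNRET" -eq 0 ]; then
    AUDIT_PARAMS=$ARCH64_AUDIT_PARAMS
  else
    AUDIT_PARAMS=$ARCH32_AUDIT_PARAMS
  fi
  for AUDIT_VALUE in $AUDIT_PARAMS; do
    debug "$AUDIT_VALUE should be in file $FILE"
    check_audit_path "$AUDIT_VALUE"
    if [ "$FNRET" -eq 1 ]; then
      warn "path does not exist! Please check that the file path exists!"
      continue
    fi
    does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
    if [ "$FNRET" != 0 ]; then
      warn "$AUDIT_VALUE is not in file $FILE, adding it"
      add_end_of_file "$FILE" "$AUDIT_VALUE"
      # A rules file ending in `-e 2` cannot be reloaded without a reboot;
      # the helper reports that condition.
      check_auditd_is_immutable_mode
    else
      ok "$AUDIT_VALUE is present in $FILE"
    fi
  done
  IFS=$d_IFS
}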
# This function will check config parameters required
# No parameters are needed for this check; always succeeds.
check_config() {
  return 0
}
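# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps the intended diagnostic reachable under `set -u`;
# a bare "$CIS_ROOT_DIR" would abort as an unbound variable first.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted: CIS_ROOT_DIR is read from a config file and may contain spaces.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi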
================================================
FILE: bin/hardening/8.1.7_record_mac_edit.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 8.1.7 Record Events That Modify the System's Mandatory Access Controls (Scored)
# Modify by: Samson-W (sccxboy@gmail.com)
#
# todo test for centos
set -o nounset  # abort on any reference to an unset variable
set -o errexit  # abort on the first failing command
HARDENING_LEVEL=4
# Package names used to detect which MAC system is installed; the CentOS
# SELinux package name replaces SELINUX_PKG at run time when OS_RELEASE is 2.
SELINUX_PKG="selinux-basics"
SELINUX_PKG_CENTOS="selinux-policy"
APPARMOR_PKG="apparmor"
# auditd rules file the rules are checked in / appended to
FILE='/etc/audit/rules.d/audit.rules'
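# This function will be called if the script status is on enabled / audit mode
# Audit mode: choose the SELinux or AppArmor rule set depending on which MAC
# package is installed, then report whether each rule is present in $FILE.
# Reads:   AA_AUDIT_PARAMS, SE_AUDIT_PARAMS (both defined by check_config),
#          OS_RELEASE, SELINUX_PKG, SELINUX_PKG_CENTOS, APPARMOR_PKG, FILE,
#          FNRET (set by the helpers)
# Writes:  AUDIT_PARAMS (selected rule set, also consumed by apply), SELINUX_PKG
#          (replaced by the CentOS name when OS_RELEASE is 2), IFS (restored)
# Outputs: info/debug/warn/crit/ok lines through the framework logging helpers
audit () {
  # Set default to apparmor
  AUDIT_PARAMS=$AA_AUDIT_PARAMS
  # Rules contain spaces, so iterate over lines only; restore IFS when done.
  d_IFS=$IFS
  IFS=$'\n'
  if [ "$OS_RELEASE" -eq 2 ]; then
    SELINUX_PKG=$SELINUX_PKG_CENTOS
  fi
  is_pkg_installed "$SELINUX_PKG"
  if [ "$FNRET" = 0 ]; then
    AUDIT_PARAMS=$SE_AUDIT_PARAMS
    info "SELinux has installed!"
  else
    is_pkg_installed "$APPARMOR_PKG"
    if [ "$FNRET" = 0 ]; then
      AUDIT_PARAMS=$AA_AUDIT_PARAMS
      info "Apparmor has installed!"
    else
      # Neither MAC is present; the AppArmor rules are still checked so the
      # report shows what is expected once one is installed.
      crit "SELinux and Apparmor not install!"
    fi
  fi
  for AUDIT_VALUE in $AUDIT_PARAMS; do
    debug "$AUDIT_VALUE should be in file $FILE"
    # Quoted: the whole rule is one argument and no pathname expansion applies.
    check_audit_path "$AUDIT_VALUE"
    if [ "$FNRET" -eq 1 ]; then
      warn "path does not exist! Please check that the file path exists!"
      continue
    fi
    does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
    if [ "$FNRET" != 0 ]; then
      crit "$AUDIT_VALUE is not in file $FILE"
    else
      ok "$AUDIT_VALUE is present in $FILE"
    fi
  done
  IFS=$d_IFS
}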
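# This function will be called if the script status is on enabled mode
# Apply mode: choose the SELinux or AppArmor rule set and append every missing
# rule to $FILE.
# Reads:   AA_AUDIT_PARAMS, SE_AUDIT_PARAMS (defined by check_config),
#          OS_RELEASE, SELINUX_PKG, SELINUX_PKG_CENTOS, APPARMOR_PKG, FILE,
#          FNRET (set by the helpers)
# Writes:  AUDIT_PARAMS, SELINUX_PKG, IFS (restored); appends to $FILE
# Outputs: info/debug/warn/crit/ok lines through the framework logging helpers
apply () {
  # Default to the AppArmor rule set, as audit() does. Without this the
  # "neither installed" branch left AUDIT_PARAMS unassigned, and under
  # `set -u` the loop aborted unless audit() had already run.
  AUDIT_PARAMS=$AA_AUDIT_PARAMS
  d_IFS=$IFS
  IFS=$'\n'
  if [ "$OS_RELEASE" -eq 2 ]; then
    SELINUX_PKG=$SELINUX_PKG_CENTOS
  fi
  is_pkg_installed "$SELINUX_PKG"
  if [ "$FNRET" = 0 ]; then
    AUDIT_PARAMS=$SE_AUDIT_PARAMS
    info "SELinux has installed!"
  else
    is_pkg_installed "$APPARMOR_PKG"
    if [ "$FNRET" = 0 ]; then
      AUDIT_PARAMS=$AA_AUDIT_PARAMS
      info "Apparmor has installed!"
    else
      crit "SELinux and Apparmor not install!"
    fi
  fi
  for AUDIT_VALUE in $AUDIT_PARAMS; do
    debug "$AUDIT_VALUE should be in file $FILE"
    check_audit_path "$AUDIT_VALUE"
    if [ "$FNRET" -eq 1 ]; then
      warn "path does not exist! Please check that the file path exists!"
      continue
    fi
    does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
    if [ "$FNRET" != 0 ]; then
      warn "$AUDIT_VALUE is not in file $FILE, adding it"
      add_end_of_file "$FILE" "$AUDIT_VALUE"
      # A rules file ending in `-e 2` cannot be reloaded without a reboot;
      # the helper reports that condition.
      check_auditd_is_immutable_mode
    else
      ok "$AUDIT_VALUE is present in $FILE"
    fi
  done
  IFS=$d_IFS
}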
# This function will check config parameters required
# Builds the two candidate rule sets used by audit()/apply():
#   SE_AUDIT_PARAMS - SELinux policy directories and management tools
#   AA_AUDIT_PARAMS - AppArmor profile directories and apparmor_parser
# Reads:  DONT_AUDITD_BY_UID (1 = do not restrict the tool-execution rules
#         by login uid; any other value adds the auid filters)
# Writes: SE_AUDIT_PARAMS, AA_AUDIT_PARAMS
# The auid filters (auid>=1000, auid!=4294967295) confine the execution rules
# to interactive user sessions: 1000 is the first regular uid on these
# distributions and 4294967295 is the "unset" loginuid value (-1 as unsigned),
# which daemons and boot-time processes carry.
check_config() {
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
SE_AUDIT_PARAMS="-a always,exit -F dir=/etc/selinux/ -F perm=wa -k MAC-policy
-a always,exit -F dir=/usr/share/selinux/ -F perm=wa -k MAC-policy
-a always,exit -F path=/usr/bin/audit2allow -F perm=wax -k MAC_Event
-a always,exit -F path=/usr/bin/chcon -F perm=wax -k MAC_Event
-a always,exit -F path=/usr/bin/newrole -F perm=wax -k MAC_Event
-a always,exit -F path=/usr/sbin/semanage -F perm=wax -k MAC_Event
-a always,exit -F path=/usr/sbin/setsebool -F perm=wax -k MAC_Event
-a always,exit -F path=/usr/sbin/restorecon -F perm=wax -k MAC_Event
-a always,exit -F path=/usr/sbin/fixfiles -F perm=wax -k MAC_Event
-a always,exit -F path=/usr/sbin/setenforce -F perm=wax -k MAC_Event
-a always,exit -F path=/usr/sbin/setfiles -F perm=wax -k MAC_Event"
AA_AUDIT_PARAMS='-w /etc/apparmor/ -p wa -k MAC-policy
-w /etc/apparmor.d/ -p wa -k MAC-policy
-a always,exit -F path=/sbin/apparmor_parser -F perm=x -k MAC-policy'
else
# Same rule sets, with the tool-execution rules limited to real user sessions.
SE_AUDIT_PARAMS="-a always,exit -F dir=/etc/selinux/ -F perm=wa -k MAC-policy
-a always,exit -F dir=/usr/share/selinux/ -F perm=wa -k MAC-policy
-a always,exit -F path=/usr/bin/audit2allow -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/bin/chcon -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/bin/newrole -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/sbin/semanage -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/sbin/setsebool -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/sbin/restorecon -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/sbin/fixfiles -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/sbin/setenforce -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/sbin/setfiles -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event"
AA_AUDIT_PARAMS='-w /etc/apparmor/ -p wa -k MAC-policy
-w /etc/apparmor.d/ -p wa -k MAC-policy
-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k MAC-policy'
fi
}
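# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps the intended diagnostic reachable under `set -u`;
# a bare "$CIS_ROOT_DIR" would abort as an unbound variable first.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted: CIS_ROOT_DIR is read from a config file and may contain spaces.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi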
================================================
FILE: bin/hardening/8.1.8_record_login_logout.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
# 8.1.8 Collect Login and Logout Events (Scored)
#
set -o errexit  # abort on the first failing command
set -o nounset  # abort on any reference to an unset variable
HARDENING_LEVEL=4
# Watch rules for the login accounting files (audit key: logins).
AUDIT_PARAMS='-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins'
# CentOS variant: /var/log/faillog is not present there.
AUDIT_PARAMS_CENTOS='-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins'
# auditd rules file the rules are checked in / appended to
FILE='/etc/audit/rules.d/audit.rules'
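# This function will be called if the script status is on enabled / audit mode
# Audit mode: report whether each login-accounting watch rule is present in
# $FILE, using the CentOS rule list when OS_RELEASE is 2.
# Reads:   AUDIT_PARAMS, AUDIT_PARAMS_CENTOS, OS_RELEASE, FILE, FNRET (helpers)
# Writes:  AUDIT_PARAMS (replaced on CentOS), IFS (temporarily changed, restored)
# Outputs: debug/warn/crit/ok lines through the framework logging helpers
audit () {
  if [ "$OS_RELEASE" -eq 2 ]; then
    AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
  fi
  # Rules contain spaces, so iterate over lines only; restore IFS when done.
  d_IFS=$IFS
  IFS=$'\n'
  for AUDIT_VALUE in $AUDIT_PARAMS; do
    debug "$AUDIT_VALUE should be in file $FILE"
    # Quoted: the whole rule is one argument and no pathname expansion applies.
    check_audit_path "$AUDIT_VALUE"
    if [ "$FNRET" -eq 1 ]; then
      warn "path does not exist! Please check that the file path exists!"
      continue
    fi
    does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
    if [ "$FNRET" != 0 ]; then
      crit "$AUDIT_VALUE is not in file $FILE"
    else
      ok "$AUDIT_VALUE is present in $FILE"
    fi
  done
  IFS=$d_IFS
}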
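# This function will be called if the script status is on enabled mode
# Apply mode: append every missing login-accounting watch rule to $FILE, using
# the CentOS rule list when OS_RELEASE is 2.
# Reads:   AUDIT_PARAMS, AUDIT_PARAMS_CENTOS, OS_RELEASE, FILE, FNRET (helpers)
# Writes:  AUDIT_PARAMS (replaced on CentOS), IFS (restored); appends to $FILE
# Outputs: debug/warn/ok lines through the framework logging helpers
apply () {
  if [ "$OS_RELEASE" -eq 2 ]; then
    AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
  fi
  d_IFS=$IFS
  IFS=$'\n'
  for AUDIT_VALUE in $AUDIT_PARAMS; do
    debug "$AUDIT_VALUE should be in file $FILE"
    # Quoted: the whole rule is one argument and no pathname expansion applies.
    check_audit_path "$AUDIT_VALUE"
    if [ "$FNRET" -eq 1 ]; then
      warn "path does not exist! Please check that the file path exists!"
      continue
    fi
    does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
    if [ "$FNRET" != 0 ]; then
      warn "$AUDIT_VALUE is not in file $FILE, adding it"
      add_end_of_file "$FILE" "$AUDIT_VALUE"
      # A rules file ending in `-e 2` cannot be reloaded without a reboot;
      # the helper reports that condition.
      check_auditd_is_immutable_mode
    else
      ok "$AUDIT_VALUE is present in $FILE"
    fi
  done
  IFS=$d_IFS
}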
# This function will check config parameters required
# Nothing is configurable for this check, so it always succeeds.
check_config() {
  return 0
}
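# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps the intended diagnostic reachable under `set -u`;
# a bare "$CIS_ROOT_DIR" would abort as an unbound variable first.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted: CIS_ROOT_DIR is read from a config file and may contain spaces.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi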
================================================
FILE: bin/hardening/8.1.9_record_session_init.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
# 8.1.9 Collect Session Initiation Information (Scored)
#
set -o errexit  # abort on the first failing command
set -o nounset  # abort on any reference to an unset variable
HARDENING_LEVEL=4
# Watch rules for the session accounting files (audit key: session).
AUDIT_PARAMS='-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session'
# CentOS variant: /var/run/utmp is not watched there.
AUDIT_PARAMS_CENTOS='-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session'
# auditd rules file the rules are checked in / appended to
FILE='/etc/audit/rules.d/audit.rules'
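# This function will be called if the script status is on enabled / audit mode
# Audit mode: report whether each session watch rule is present in $FILE,
# using the CentOS rule list when OS_RELEASE is 2.
# Reads:   AUDIT_PARAMS, AUDIT_PARAMS_CENTOS, OS_RELEASE, FILE, FNRET (helpers)
# Writes:  AUDIT_PARAMS (replaced on CentOS), IFS (temporarily changed, restored)
# Outputs: debug/warn/crit/ok lines through the framework logging helpers
audit () {
  if [ "$OS_RELEASE" -eq 2 ]; then
    AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
  fi
  # Rules contain spaces, so iterate over lines only; restore IFS when done.
  d_IFS=$IFS
  IFS=$'\n'
  for AUDIT_VALUE in $AUDIT_PARAMS; do
    debug "$AUDIT_VALUE should be in file $FILE"
    # Quoted: the whole rule is one argument and no pathname expansion applies.
    check_audit_path "$AUDIT_VALUE"
    if [ "$FNRET" -eq 1 ]; then
      warn "path does not exist! Please check that the file path exists!"
      continue
    fi
    does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
    if [ "$FNRET" != 0 ]; then
      crit "$AUDIT_VALUE is not in file $FILE"
    else
      ok "$AUDIT_VALUE is present in $FILE"
    fi
  done
  IFS=$d_IFS
}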
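# This function will be called if the script status is on enabled mode
# Apply mode: append every missing session watch rule to $FILE, using the
# CentOS rule list when OS_RELEASE is 2.
# Reads:   AUDIT_PARAMS, AUDIT_PARAMS_CENTOS, OS_RELEASE, FILE, FNRET (helpers)
# Writes:  AUDIT_PARAMS (replaced on CentOS), IFS (restored); appends to $FILE
# Outputs: debug/warn/ok lines through the framework logging helpers
apply () {
  if [ "$OS_RELEASE" -eq 2 ]; then
    AUDIT_PARAMS=$AUDIT_PARAMS_CENTOS
  fi
  d_IFS=$IFS
  IFS=$'\n'
  for AUDIT_VALUE in $AUDIT_PARAMS; do
    debug "$AUDIT_VALUE should be in file $FILE"
    # Quoted: the whole rule is one argument and no pathname expansion applies.
    check_audit_path "$AUDIT_VALUE"
    if [ "$FNRET" -eq 1 ]; then
      warn "path does not exist! Please check that the file path exists!"
      continue
    fi
    does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
    if [ "$FNRET" != 0 ]; then
      warn "$AUDIT_VALUE is not in file $FILE, adding it"
      add_end_of_file "$FILE" "$AUDIT_VALUE"
      # A rules file ending in `-e 2` cannot be reloaded without a reboot;
      # the helper reports that condition.
      check_auditd_is_immutable_mode
    else
      ok "$AUDIT_VALUE is present in $FILE"
    fi
  done
  IFS=$d_IFS
}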
# This function will check config parameters required
# No parameters are needed for this check; always succeeds.
check_config() {
  return 0
}
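# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps the intended diagnostic reachable under `set -u`;
# a bare "$CIS_ROOT_DIR" would abort as an unbound variable first.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted: CIS_ROOT_DIR is read from a config file and may contain spaces.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi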
================================================
FILE: bin/hardening/8.2.1_install_rsyslog.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9 Hardening
#
#
# 8.2.1 Install the rsyslog package (Scored)
# Author : Samson wen, Samson
#
set -o errexit  # abort on the first failing command
set -o nounset  # abort on any reference to an unset variable
HARDENING_LEVEL=3
# In debian, rsyslog has been chosen; syslog-ng is accepted as an alternative.
PACKAGE='rsyslog'
PACKAGE_NG='syslog-ng'
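# This function will be called if the script status is on enabled / audit mode
# Audit mode: pass when either syslog-ng or rsyslog is installed.
# Reads:   PACKAGE, PACKAGE_NG, FNRET (set by is_pkg_installed)
# Writes:  FNRET - 0 when a syslog daemon package is present, 1 otherwise
#          (apply() decides on this value)
# Outputs: ok/crit lines through the framework logging helpers
audit () {
  is_pkg_installed "$PACKAGE_NG"
  if [ "$FNRET" = 0 ]; then
    ok "$PACKAGE_NG has installed, so pass."
    FNRET=0
    return 0
  fi
  is_pkg_installed "$PACKAGE"
  if [ "$FNRET" != 0 ]; then
    crit "$PACKAGE is not installed!"
    FNRET=1
  else
    ok "$PACKAGE is installed."
    FNRET=0
  fi
}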
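# This function will be called if the script status is on enabled mode
# Apply mode: install rsyslog when audit() found no syslog daemon package.
# Reads:   FNRET (as left by audit()), PACKAGE, PACKAGE_NG
# Outputs: ok/crit lines; apt_install runs the package installation
apply () {
  if [ "$FNRET" = 0 ]; then
    ok "$PACKAGE is installed or $PACKAGE_NG is installed."
  else
    crit "$PACKAGE is absent, installing it."
    apt_install "$PACKAGE"
  fi
}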
# This function will check config parameters required
# Nothing is configurable for this check, so it always succeeds.
check_config() {
  return 0
}
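# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps the intended diagnostic reachable under `set -u`;
# a bare "$CIS_ROOT_DIR" would abort as an unbound variable first.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted: CIS_ROOT_DIR is read from a config file and may contain spaces.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi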
================================================
FILE: bin/hardening/8.2.2_enable_rsyslog.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9 Hardening
#
#
# 8.2.2 Ensure the rsyslog Service is activated (Scored)
# Author : Samson wen, Samson
#
set -o errexit  # abort on the first failing command
set -o nounset  # abort on any reference to an unset variable
HARDENING_LEVEL=3
# systemd unit to enable; the check is skipped when syslog-ng is installed.
SERVICE_NAME="rsyslog"
PACKAGE_NG='syslog-ng'
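# This function will be called if the script status is on enabled / audit mode
# Audit mode: pass when syslog-ng is installed or the rsyslog unit is enabled.
# Reads:   SERVICE_NAME, PACKAGE_NG, FNRET (set by the helpers)
# Writes:  FNRET - 0 when the requirement is met, 1 when rsyslog is disabled
#          (apply() decides on this value)
# Outputs: ok/info/crit lines through the framework logging helpers
audit () {
  is_pkg_installed "$PACKAGE_NG"
  if [ "$FNRET" = 0 ]; then
    ok "$PACKAGE_NG has installed, so pass."
    FNRET=0
    return 0
  fi
  info "Checking if $SERVICE_NAME is enabled"
  is_service_enabled "$SERVICE_NAME"
  if [ "$FNRET" = 0 ]; then
    ok "$SERVICE_NAME is enabled"
    FNRET=0
  else
    crit "$SERVICE_NAME is disabled"
    FNRET=1
  fi
}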
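# This function will be called if the script status is on enabled mode
# Apply mode: enable and start the rsyslog unit when audit() reported it
# disabled.
# Reads:   FNRET (as left by audit()), SERVICE_NAME, PACKAGE_NG
# Outputs: info/ok lines; systemctl output is discarded
apply () {
  if [ "$FNRET" != 0 ]; then
    info "Enabling $SERVICE_NAME"
    systemctl enable "$SERVICE_NAME" > /dev/null 2>&1
    # daemon-reload takes no unit argument; given one it fails ("Too many
    # arguments"), and under `set -e` that aborted the script before `start`.
    systemctl daemon-reload > /dev/null 2>&1
    systemctl start "$SERVICE_NAME" > /dev/null 2>&1
  else
    ok "$SERVICE_NAME is enabled or $PACKAGE_NG is installed."
  fi
}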
# This function will check config parameters required
# No parameters are needed for this check; always succeeds.
check_config() {
  return 0
}
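# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps the intended diagnostic reachable under `set -u`;
# a bare "$CIS_ROOT_DIR" would abort as an unbound variable first.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted: CIS_ROOT_DIR is read from a config file and may contain spaces.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi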
================================================
FILE: bin/hardening/8.2.3_set_logfile_perm_cfg_rsyslog.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12/13 Hardening
#
#
# 8.2.3 Create and Set Permissions on rsyslog Log Files by conf file (Scored)
# Author : Samson wen, Samson
#
set -o errexit  # abort on the first failing command
set -o nounset  # abort on any reference to an unset variable
HARDENING_LEVEL=3
PACKAGE_NG='syslog-ng'
# Expected values for files rsyslog creates.
PERMISSIONS='0640'
USER='root'
GROUP='adm'
# rsyslog legacy directives (single quotes keep the leading '$' literal).
OWNER_USER_KEY='$FileOwner'
OWNER_GROUP_KEY='$FileGroup'
PERMIS_KEY='$FileCreateMode'
# Main config plus the drop-in glob; FILE_WIDE is expanded unquoted on purpose.
FILE='/etc/rsyslog.conf'
FILE_WIDE='/etc/rsyslog.d/*.conf'
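# This function will be called if the script status is on enabled / audit mode
# Audit mode: verify that rsyslog creates its log files as $USER:$GROUP with
# mode $PERMISSIONS by reading the $FileOwner / $FileGroup / $FileCreateMode
# directives from $FILE and (for the mode) the $FILE_WIDE drop-ins.
# Reads:   PACKAGE_NG, FILE, FILE_WIDE, USER, GROUP, PERMISSIONS,
#          OWNER_USER_KEY, OWNER_GROUP_KEY, PERMIS_KEY, FNRET (from helpers)
# Writes:  OWNER_USER_NAME, OWNER_GROUP_NAME, PERMIS_KEY_NAME, CONFIG_NAME
# Outputs: ok/crit/info lines; skipped entirely when syslog-ng is installed
audit () {
  is_pkg_installed "$PACKAGE_NG"
  if [ "$FNRET" = 0 ]; then
    ok "$PACKAGE_NG has installed, so pass."
    return 0
  fi
  does_file_exist "$FILE"
  if [ "$FNRET" != 0 ]; then
    crit "$FILE is not exist! "
    return 0
  fi
  # "^\\$KEY" becomes the regex ^\$FileOwner: a literal '$' at line start.
  does_pattern_exist_in_file "$FILE" "^\\$OWNER_USER_KEY"
  if [ "$FNRET" != 0 ]; then
    crit "$OWNER_USER_KEY is not exist in $FILE"
  else
    # $FILE_WIDE is a glob and must stay unquoted. grep is given several file
    # operands, so every hit is prefixed "file:", hence the -F: cut.
    # shellcheck disable=SC2086
    OWNER_USER_NAME=$(grep "^\\$OWNER_USER_KEY" "$FILE" $FILE_WIDE 2>/dev/null | awk -F: '{print $2}' | awk '{print $2}')
    if [ "$OWNER_USER_NAME" != "$USER" ]; then
      crit "File owner not set is root!"
    else
      ok "File owner set is root!"
    fi
  fi
  does_pattern_exist_in_file "$FILE" "^\\$OWNER_GROUP_KEY"
  if [ "$FNRET" != 0 ]; then
    crit "$OWNER_GROUP_KEY is not exist in $FILE"
  else
    # shellcheck disable=SC2086
    OWNER_GROUP_NAME=$(grep "^\\$OWNER_GROUP_KEY" "$FILE" $FILE_WIDE 2>/dev/null | awk -F: '{print $2}' | awk '{print $2}')
    if [ "$OWNER_GROUP_NAME" != "$GROUP" ]; then
      crit "File group not set is $GROUP!"
    else
      ok "File group set is $GROUP!"
    fi
  fi
  does_pattern_exist_in_file "$FILE" "^\\$PERMIS_KEY"
  if [ "$FNRET" != 0 ]; then
    info "$PERMIS_KEY is not exist in $FILE"
    # xargs -r: with no drop-in files, do not run grep at all (it would
    # otherwise read the script's stdin). grep -H: always prefix the file
    # name, so the -F: cut works even when exactly one drop-in matches
    # (the original produced an empty value in that case and reported the
    # mode as unset).
    PERMIS_KEY_NAME=$(find /etc/rsyslog.d/ -name "*.conf" -print0 | xargs -0 -r grep -H "^\\$PERMIS_KEY" 2>/dev/null | awk -F':' '{print $2}' | awk '{print $2}')
    if [ "X$PERMIS_KEY_NAME" = "X" ]; then
      crit "$PERMIS_KEY is not set in $FILE or $FILE_WIDE!"
    elif [ "$PERMIS_KEY_NAME" != "$PERMISSIONS" ] && [ "$PERMIS_KEY_NAME" != "0$PERMISSIONS" ]; then
      CONFIG_NAME=$(find /etc/rsyslog.d/ -name "*.conf" -print0 | xargs -0 -r grep -H "^\\$PERMIS_KEY" 2>/dev/null | awk -F':' '{print $1}')
      crit "File permissions not set is $PERMISSIONS in $CONFIG_NAME!"
    else
      CONFIG_NAME=$(find /etc/rsyslog.d/ -name "*.conf" -print0 | xargs -0 -r grep -H "^\\$PERMIS_KEY" 2>/dev/null | awk -F':' '{print $1}')
      ok "File permissions set is $PERMISSIONS in $CONFIG_NAME!"
    fi
  else
    info "$PERMIS_KEY was existed in $FILE"
    # Single file operand: no "file:" prefix, the mode is the second field.
    PERMIS_KEY_NAME=$(grep "^\\$PERMIS_KEY" "$FILE" 2>/dev/null | awk '{print $2}')
    if [ "$PERMIS_KEY_NAME" != "$PERMISSIONS" ] && [ "$PERMIS_KEY_NAME" != "0$PERMISSIONS" ]; then
      crit "File permissions not set is $PERMISSIONS!"
    else
      ok "File permissions set is $PERMISSIONS in $FILE!"
    fi
  fi
}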
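# This function will be called if the script status is on enabled mode
# Apply mode: add or correct the $FileOwner / $FileGroup / $FileCreateMode
# directives so rsyslog creates its log files as $USER:$GROUP with mode
# $PERMISSIONS.
# Reads:   PACKAGE_NG, FILE, FILE_WIDE, USER, GROUP, PERMISSIONS,
#          OWNER_USER_KEY, OWNER_GROUP_KEY, PERMIS_KEY, FNRET (from helpers)
# Writes:  OWNER_USER_NAME, OWNER_GROUP_NAME, PERMIS_KEY_NAME, CONFIG_NAME;
#          edits $FILE or the matching drop-in through the framework helpers
# Outputs: ok/warn/info/crit lines; skipped entirely when syslog-ng is installed
apply () {
  is_pkg_installed "$PACKAGE_NG"
  if [ "$FNRET" = 0 ]; then
    ok "$PACKAGE_NG has installed, so pass."
    return 0
  fi
  does_file_exist "$FILE"
  if [ "$FNRET" != 0 ]; then
    crit "$FILE is not exist! Please check."
    return 0
  fi
  # "^\\$KEY" becomes the regex ^\$FileOwner: a literal '$' at line start.
  does_pattern_exist_in_file "$FILE" "^\\$OWNER_USER_KEY"
  if [ "$FNRET" != 0 ]; then
    warn "$OWNER_USER_KEY is not exist in $FILE, add it"
    add_end_of_file "$FILE" "$OWNER_USER_KEY $USER"
  else
    # $FILE_WIDE is a glob and must stay unquoted. grep is given several file
    # operands, so every hit is prefixed "file:", hence the -F: cut.
    # shellcheck disable=SC2086
    OWNER_USER_NAME=$(grep "^\\$OWNER_USER_KEY" "$FILE" $FILE_WIDE 2>/dev/null | awk -F: '{print $2}' | awk '{print $2}')
    if [ "$OWNER_USER_NAME" != "$USER" ]; then
      warn "File owner not set is $USER! Reset it"
      replace_in_file "$FILE" "$OWNER_USER_KEY.*" "$OWNER_USER_KEY $USER"
    else
      ok "File owner set is $USER!"
    fi
  fi
  does_pattern_exist_in_file "$FILE" "^\\$OWNER_GROUP_KEY"
  if [ "$FNRET" != 0 ]; then
    warn "$OWNER_GROUP_KEY is not exist in $FILE, add it"
    add_end_of_file "$FILE" "$OWNER_GROUP_KEY $GROUP"
  else
    # shellcheck disable=SC2086
    OWNER_GROUP_NAME=$(grep "^\\$OWNER_GROUP_KEY" "$FILE" $FILE_WIDE 2>/dev/null | awk -F: '{print $2}' | awk '{print $2}')
    if [ "$OWNER_GROUP_NAME" != "$GROUP" ]; then
      warn "File group not set is $GROUP! Reset it"
      replace_in_file "$FILE" "$OWNER_GROUP_KEY.*" "$OWNER_GROUP_KEY $GROUP"
    else
      ok "File group set is $GROUP!"
    fi
  fi
  does_pattern_exist_in_file "$FILE" "^\\$PERMIS_KEY"
  if [ "$FNRET" != 0 ]; then
    info "$PERMIS_KEY is not exist in $FILE"
    # xargs -r: with no drop-in files, do not run grep at all (it would
    # otherwise read the script's stdin). grep -H: always prefix the file
    # name so the -F: cut works even when exactly one drop-in matches.
    PERMIS_KEY_NAME=$(find /etc/rsyslog.d/ -name "*.conf" -print0 | xargs -0 -r grep -H "^\\$PERMIS_KEY" 2>/dev/null | awk -F':' '{print $2}' | awk '{print $2}')
    if [ "X$PERMIS_KEY_NAME" = "X" ]; then
      warn "$PERMIS_KEY is not exist in $FILE or $FILE_WIDE, add it to $FILE"
      add_end_of_file "$FILE" "$PERMIS_KEY $PERMISSIONS"
    elif [ "$PERMIS_KEY_NAME" != "$PERMISSIONS" ] && [ "$PERMIS_KEY_NAME" != "0$PERMISSIONS" ]; then
      CONFIG_NAME=$(find /etc/rsyslog.d/ -name "*.conf" -print0 | xargs -0 -r grep -H "^\\$PERMIS_KEY" 2>/dev/null | awk -F':' '{print $1}')
      warn "File permissions not set is $PERMISSIONS in $CONFIG_NAME! Reset it"
      # CONFIG_NAME may hold several names (one per matching drop-in); it is
      # passed unquoted as in the original so each becomes its own argument.
      # shellcheck disable=SC2086
      replace_in_file $CONFIG_NAME "$PERMIS_KEY.*" "$PERMIS_KEY $PERMISSIONS"
    else
      CONFIG_NAME=$(find /etc/rsyslog.d/ -name "*.conf" -print0 | xargs -0 -r grep -H "^\\$PERMIS_KEY" 2>/dev/null | awk -F':' '{print $1}')
      ok "File permissions set is $PERMISSIONS in $CONFIG_NAME!"
    fi
  else
    info "$PERMIS_KEY is exist in $FILE"
    # Single file operand: grep prints no "file:" prefix, so the mode is the
    # second field directly. The original split on ':' first, which yielded
    # an empty value and rewrote the directive on every run.
    PERMIS_KEY_NAME=$(grep "^\\$PERMIS_KEY" "$FILE" 2>/dev/null | awk '{print $2}')
    if [ "$PERMIS_KEY_NAME" != "$PERMISSIONS" ] && [ "$PERMIS_KEY_NAME" != "0$PERMISSIONS" ]; then
      warn "File permissions not set is $PERMISSIONS in $FILE! Reset it"
      replace_in_file "$FILE" "$PERMIS_KEY.*" "$PERMIS_KEY $PERMISSIONS"
    else
      ok "File permissions set is $PERMISSIONS in $FILE!"
    fi
  fi
}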
# This function will create the config file for this check with default values
create_config() {
cat <
#
set -o errexit  # abort on the first failing command
set -o nounset  # abort on any reference to an unset variable
HARDENING_LEVEL=3
# Matches a rsyslog selector line that forwards to a remote host ("@host");
# the [^I] parts exclude the "!" negated-selector forms.
PATTERN='^*.*[^I][^I]*@'
# The check is skipped when syslog-ng is installed instead of rsyslog.
PACKAGE_NG='syslog-ng'
# This function will be called if the script status is on enabled / audit mode
# Audit mode: report whether a remote-forwarding selector (PATTERN) appears in
# the rsyslog main config or any drop-in. Skipped when syslog-ng is installed.
# Reads:   PACKAGE_NG, SYSLOG_BASEDIR, PATTERN, FNRET (set by the helpers)
# Writes:  FILES (the list handed to does_pattern_exist_in_file)
# Outputs: ok/crit lines through the framework logging helpers
audit () {
  is_pkg_installed "$PACKAGE_NG"
  if [ "$FNRET" = 0 ]; then
    ok "$PACKAGE_NG has installed, so pass."
    return 0
  fi
  FILES="$SYSLOG_BASEDIR/rsyslog.conf $SYSLOG_BASEDIR/rsyslog.d/*.conf"
  # The helper receives the whole list as one argument and expands it itself.
  does_pattern_exist_in_file "$FILES" "$PATTERN"
  if [ "$FNRET" != 0 ]; then
    crit "$PATTERN is not present in $FILES"
  else
    ok "$PATTERN is present in $FILES"
  fi
}
# This function will be called if the script status is on enabled mode
# Apply mode: there is no safe automatic remedy (the remote log host is site
# specific), so this only reports the finding. Skipped when syslog-ng is
# installed.
# Reads:   PACKAGE_NG, SYSLOG_BASEDIR, PATTERN, FNRET (set by the helpers)
# Writes:  FILES (the list handed to does_pattern_exist_in_file)
# Outputs: ok/crit lines through the framework logging helpers
apply () {
  is_pkg_installed "$PACKAGE_NG"
  if [ "$FNRET" = 0 ]; then
    ok "$PACKAGE_NG has installed, so pass."
    return 0
  fi
  FILES="$SYSLOG_BASEDIR/rsyslog.conf $SYSLOG_BASEDIR/rsyslog.d/*.conf"
  does_pattern_exist_in_file "$FILES" "$PATTERN"
  if [ "$FNRET" != 0 ]; then
    crit "$PATTERN is not present in $FILES, please manual operation set a remote host to send your logs"
  else
    ok "$PATTERN is present in $FILES"
  fi
}
# This function will create the config file for this check with default values
create_config() {
cat < /dev/null 2>&1
update-rc.d $SERVICE_NAME defaults > /dev/null 2>&1
else
systemctl enable $SERVICE_NAME
systemctl start $SERVICE_NAME
fi
else
ok "$SERVICE_NAME is enabled"
fi
fi
}
# This function will check config parameters required
# Nothing is configurable for this check, so it always succeeds.
check_config() {
  return 0
}
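# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps the intended diagnostic reachable under `set -u`;
# a bare "$CIS_ROOT_DIR" would abort as an unbound variable first.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted: CIS_ROOT_DIR is read from a config file and may contain spaces.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi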
================================================
FILE: bin/hardening/8.3.3_set_logfile_perm.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 8.3.3 Create and Set Permissions on syslog-ng Log Files (Scored)
#
set -o errexit  # abort on the first failing command
set -o nounset  # abort on any reference to an unset variable
HARDENING_LEVEL=3
# Expected ownership and mode of every file() destination in syslog-ng.conf.
PERMISSIONS='640'
USER='root'
GROUP='adm'
# The check is skipped when rsyslog is installed instead of syslog-ng.
SERVICE_NAME_R="rsyslog"
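# This function will be called if the script status is on enabled / audit mode
# Audit mode: for every file() destination named in syslog-ng.conf, check that
# the file exists with ownership $USER:$GROUP and mode $PERMISSIONS.
# Reads:   SERVICE_NAME_R, SYSLOG_BASEDIR, USER, GROUP, PERMISSIONS,
#          FNRET (set by the helpers)
# Writes:  FILES, FILE (loop variable), FNRET (0 when skipped, 1 when the
#          config is missing; otherwise whatever the last helper left)
# Outputs: ok/warn/crit lines through the framework logging helpers
audit () {
  is_pkg_installed "$SERVICE_NAME_R"
  if [ "$FNRET" = 0 ]; then
    ok "$SERVICE_NAME_R has installed, so pass."
    FNRET=0
    return 0
  fi
  does_file_exist "$SYSLOG_BASEDIR/syslog-ng.conf"
  if [ "$FNRET" != 0 ]; then
    warn "$SYSLOG_BASEDIR/syslog-ng.conf is not exist! "
    FNRET=1
    return 0
  fi
  # Paths are the first double-quoted token on each file( line; the list is
  # whitespace separated, so paths containing spaces are not supported.
  FILES=$(grep "file(" "$SYSLOG_BASEDIR/syslog-ng.conf" | grep '"' | cut -d'"' -f 2)
  for FILE in $FILES; do
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
      crit "$FILE does not exist"
      continue
    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
      ok "$FILE has correct ownership"
    else
      crit "$FILE ownership was not set to $USER:$GROUP"
    fi
    has_file_correct_permissions "$FILE" "$PERMISSIONS"
    if [ "$FNRET" = 0 ]; then
      ok "$FILE has correct permissions"
    else
      crit "$FILE permissions were not set to $PERMISSIONS"
    fi
  done
}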
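# This function will be called if the script status is on enabled mode
# Apply mode: create every missing file() destination from syslog-ng.conf and
# set its ownership to $USER:$GROUP and its mode to $PERMISSIONS.
# Reads:   SERVICE_NAME_R, SYSLOG_BASEDIR, USER, GROUP, PERMISSIONS,
#          FNRET (set by the helpers)
# Writes:  FILES, FILE (loop variable), FNRET (0 when skipped); creates files
#          and changes their owner/mode
# Outputs: ok/warn/info lines through the framework logging helpers
apply () {
  is_pkg_installed "$SERVICE_NAME_R"
  if [ "$FNRET" = 0 ]; then
    ok "$SERVICE_NAME_R has installed, so pass."
    FNRET=0
    return 0
  fi
  does_file_exist "$SYSLOG_BASEDIR/syslog-ng.conf"
  if [ "$FNRET" != 0 ]; then
    warn "$SYSLOG_BASEDIR/syslog-ng.conf is not exist! "
    return 0
  fi
  # Paths are the first double-quoted token on each file( line; the list is
  # whitespace separated, so paths containing spaces are not supported.
  FILES=$(grep "file(" "$SYSLOG_BASEDIR/syslog-ng.conf" | grep '"' | cut -d'"' -f 2)
  for FILE in $FILES; do
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
      info "$FILE does not exist, create $FILE"
      extend_touch_file "$FILE"
    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
      ok "$FILE has correct ownership"
    else
      warn "fixing $FILE ownership to $USER:$GROUP"
      chown "$USER:$GROUP" "$FILE"
    fi
    has_file_correct_permissions "$FILE" "$PERMISSIONS"
    if [ "$FNRET" = 0 ]; then
      ok "$FILE has correct permissions"
    else
      info "fixing $FILE permissions to $PERMISSIONS"
      # PERMISSIONS is '640'; the leading 0 makes it an explicit octal mode.
      chmod "0$PERMISSIONS" "$FILE"
    fi
  done
}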
# This function will create the config file for this check with default values
create_config() {
cat <
#
set -o errexit  # abort on the first failing command
set -o nounset  # abort on any reference to an unset variable
HARDENING_LEVEL=3
# Directory tree whose regular files are checked.
LOGDIR='/var/log'
# Listing of offending files, shared between audit() and apply().
# NOTE(review): a fixed name under /dev/shm (world-writable tmpfs) can be
# pre-created by any local user; a mktemp-generated path would be safer.
ERRPERFILELIST='/dev/shm/8.5-filelist'
# find -perm /MODE: match when ANY of these bits is set
# (setuid/setgid/sticky, group-write, other-rwx).
PERMISS_MODE='/7137'
# This function will be called if the script status is on enabled / audit mode
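# This function will be called if the script status is on enabled / audit mode
#
# Lists every regular file under $LOGDIR matching $PERMISS_MODE into
# $ERRPERFILELIST and reports the result.
# Globals written: FNRET (1 when offending files exist, 0 otherwise; in the
#                  latter case the list file is removed again), countnum
audit () {
  # $ERRPERFILELIST lives in a world-writable directory, so an entry with that
  # name may have been planted by another user. Unlink whatever is there (a
  # symlink is removed, not followed) and open the fresh list with noclobber
  # so the redirection fails instead of writing through a link that appears
  # in between; under 'set -e' that failure stops the script.
  rm -f -- "$ERRPERFILELIST"
  set -o noclobber
  find "$LOGDIR" -type f -perm "$PERMISS_MODE" -ls > "$ERRPERFILELIST"
  set +o noclobber
  countnum=$(wc -l < "$ERRPERFILELIST")
  if [ "$countnum" -gt 0 ]; then
    crit "Permissions of all log files are not correctly configured!"
    cat -- "$ERRPERFILELIST"
    FNRET=1
  else
    ok "Permissions of all log files have correctly configured!"
    rm -f -- "$ERRPERFILELIST"
    FNRET=0
  fi
}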
# This function will be called if the script status is on enabled mode
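# This function will be called if the script status is on enabled mode
#
# Globals read: FNRET (as left by audit), LOGDIR, PERMISS_MODE, ERRPERFILELIST
# Side effects: strips exec/group-write/other-read bits from matching files
#               and removes the list file written by audit().
apply () {
  if [ "$FNRET" = 0 ]; then
    ok "Permissions of all log files have correctly configured!"
    return
  fi
  warn "Permissions of all log files are not correctly configured! Set it"
  # NOTE(review): PERMISS_MODE also matches the setuid/setgid/sticky bits, which
  # this chmod does not clear, so such a file is reported again by the next
  # audit run.
  find "$LOGDIR" -type f -perm "$PERMISS_MODE" -exec chmod a-x,go-w,o-r {} +
  if [ -r "$ERRPERFILELIST" ]; then
    rm -f -- "$ERRPERFILELIST"
  fi
}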
# This function will check config parameters required
# This function will check config parameters required
# (nothing to validate for this item; always succeeds)
check_config() {
  return 0
}
# Source Root Dir Parameter
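# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# Under 'set -u' an unset CIS_ROOT_DIR would abort with "unbound variable"
# before the diagnostic below is printed, hence the ':-' default.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi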
================================================
FILE: bin/hardening/8.6_verify_integrity_packages.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 8.6 Verifies integrity all packages (Scored)
# Author : Samson wen, Samson
#
set -eu  # One error or one unset variable, it's over
# Hardening level this item belongs to.
HARDENING_LEVEL=5
# This function will be called if the script status is on enabled / audit mode
# This function will be called if the script status is on enabled / audit mode
# Globals written: FNRET (as set by verify_integrity_all_packages)
audit () {
  verify_integrity_all_packages
  case "$FNRET" in
    0) ok "Verify integrity all packages is ok." ;;
    *) crit "Verify integrity all packages is fail!" ;;
  esac
}
# This function will be called if the script status is on enabled mode
# This function will be called if the script status is on enabled mode
# No automatic remediation exists for this item; only a warning is emitted.
apply () {
  warn 'This check item need to confirm manually. No automatic fix is available.'
}
# This function will check config parameters required
# This function will check config parameters required
# (nothing to validate for this item; always succeeds)
check_config() {
  return 0
}
# Source Root Dir Parameter
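# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# Under 'set -u' an unset CIS_ROOT_DIR would abort with "unbound variable"
# before the diagnostic below is printed, hence the ':-' default.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi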
================================================
FILE: bin/hardening/8.7.1_journald_config_compress.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9/10/11/12/13
#
#
# 8.7.1 Ensure journald is configured to compress large log files (Scored)
# Author : Samson wen, Samson
#
set -eu  # One error or one unset variable, it's over
# Hardening level this item belongs to.
HARDENING_LEVEL=3
# journald option that must be set, and the value it must carry.
OPTION='Compress'
OPTION_VAL='yes'
CONFFILE='/etc/systemd/journald.conf'
# This function will be called if the script status is on enabled / audit mode
# This function will be called if the script status is on enabled / audit mode
# Globals written: FNRET (as set by check_param_pair_by_str: 0 ok, 1 file
#                  missing, 2 wrong value, 3 option absent)
audit () {
  check_param_pair_by_str $CONFFILE $OPTION $OPTION_VAL
  case "$FNRET" in
    0) ok "$OPTION set is $OPTION_VAL in $CONFFILE." ;;
    1) crit "$CONFFILE is not found!" ;;
    2) crit "$OPTION set is not $OPTION_VAL in $CONFFILE!" ;;
    3) crit "$OPTION is not present in $CONFFILE!" ;;
  esac
}
# This function will be called if the script status is on enabled mode
# Globals read: FNRET (as left by audit), CONFFILE, OPTION, OPTION_VAL
apply () {
  case "$FNRET" in
    0)
      ok "$OPTION set is $OPTION_VAL in $CONFFILE."
      ;;
    1)
      crit "$CONFFILE is not found, please check!"
      ;;
    2)
      warn "$OPTION set is not $OPTION_VAL in $CONFFILE, reset to $OPTION_VAL"
      reset_option_str_to_journald $CONFFILE $OPTION $OPTION_VAL
      ;;
    3)
      warn "$OPTION is not present in $CONFFILE, add to $CONFFILE"
      add_end_of_file $CONFFILE "${OPTION}=${OPTION_VAL}"
      ;;
  esac
}
# This function will check config parameters required
# This function will check config parameters required
# (nothing to validate for this item; always succeeds)
check_config() {
  return 0
}
# Source Root Dir Parameter
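# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# Under 'set -u' an unset CIS_ROOT_DIR would abort with "unbound variable"
# before the diagnostic below is printed, hence the ':-' default.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi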
================================================
FILE: bin/hardening/8.7.2_journald_config_storage.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9/10/11/12/13
#
#
# 8.7.2 Ensure journald is configured to write logfiles to persistent disk (Scored)
# Author : Samson wen, Samson
#
set -eu  # One error or one unset variable, it's over
# Hardening level this item belongs to.
HARDENING_LEVEL=3
# journald option that must be set, and the value it must carry.
OPTION='Storage'
OPTION_VAL='persistent'
CONFFILE='/etc/systemd/journald.conf'
# This function will be called if the script status is on enabled / audit mode
# This function will be called if the script status is on enabled / audit mode
# Globals written: FNRET (as set by check_param_pair_by_str: 0 ok, 1 file
#                  missing, 2 wrong value, 3 option absent)
audit () {
  check_param_pair_by_str $CONFFILE $OPTION $OPTION_VAL
  case "$FNRET" in
    0) ok "$OPTION set is $OPTION_VAL in $CONFFILE." ;;
    1) crit "$CONFFILE is not found!" ;;
    2) crit "$OPTION set is not $OPTION_VAL in $CONFFILE!" ;;
    3) crit "$OPTION is not present in $CONFFILE!" ;;
  esac
}
# This function will be called if the script status is on enabled mode
# Globals read: FNRET (as left by audit), CONFFILE, OPTION, OPTION_VAL
apply () {
  case "$FNRET" in
    0)
      ok "$OPTION set is $OPTION_VAL in $CONFFILE."
      ;;
    1)
      crit "$CONFFILE is not found, please check!"
      ;;
    2)
      warn "$OPTION set is not $OPTION_VAL in $CONFFILE, reset to $OPTION_VAL"
      reset_option_str_to_journald $CONFFILE $OPTION $OPTION_VAL
      ;;
    3)
      warn "$OPTION is not present in $CONFFILE, add to $CONFFILE"
      add_end_of_file $CONFFILE "${OPTION}=${OPTION_VAL}"
      ;;
  esac
}
# This function will check config parameters required
# This function will check config parameters required
# (nothing to validate for this item; always succeeds)
check_config() {
  return 0
}
# Source Root Dir Parameter
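# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# Under 'set -u' an unset CIS_ROOT_DIR would abort with "unbound variable"
# before the diagnostic below is printed, hence the ':-' default.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi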
================================================
FILE: bin/hardening/9.1.1_enable_cron.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 9.1.1 Enable cron Daemon (Scored)
# Modify by: Samson-W (sccxboy@gmail.com)
#
set -eu  # One error or one unset variable, it's over
# Hardening level this item belongs to.
HARDENING_LEVEL=3
# Debian package/service names; audit() and apply() switch to the CentOS
# names when OS_RELEASE is 2.
PACKAGE='cron'
SERVICE_NAME='cron'
PACKAGE_CENTOS='cronie'
SERVICE_NAME_CENTOS='crond'
# This function will be called if the script status is on enabled / audit mode
# This function will be called if the script status is on enabled / audit mode
# Globals read:    OS_RELEASE PACKAGE_CENTOS SERVICE_NAME_CENTOS
# Globals written: PACKAGE, SERVICE_NAME (switched to the CentOS names when
#                  OS_RELEASE is 2); FNRET as set by the last helper called
audit () {
  if [ $OS_RELEASE -eq 2 ]; then
    PACKAGE=$PACKAGE_CENTOS
    SERVICE_NAME=$SERVICE_NAME_CENTOS
  fi
  is_pkg_installed $PACKAGE
  if [ "$FNRET" != 0 ]; then
    crit "$PACKAGE is not installed!"
    return
  fi
  ok "$PACKAGE is installed"
  is_service_enabled $SERVICE_NAME
  case "$FNRET" in
    0) ok "$SERVICE_NAME is enabled" ;;
    *) crit "$SERVICE_NAME is disabled" ;;
  esac
}
# This function will be called if the script status is on enabled mode
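# This function will be called if the script status is on enabled mode
# Globals read:    OS_RELEASE PACKAGE_CENTOS SERVICE_NAME_CENTOS
# Globals written: PACKAGE, SERVICE_NAME (switched to the CentOS names when
#                  OS_RELEASE is 2); FNRET as set by the last helper called
# Side effects:    installs the package if absent and enables/starts the
#                  service if it is not enabled.
apply () {
  if [ "$OS_RELEASE" -eq 2 ]; then
    PACKAGE=$PACKAGE_CENTOS
    SERVICE_NAME=$SERVICE_NAME_CENTOS
  fi
  is_pkg_installed "$PACKAGE"
  if [ "$FNRET" = 0 ]; then
    ok "$PACKAGE is installed"
  else
    crit "$PACKAGE is absent, installing it"
    if [ "$OS_RELEASE" -eq 2 ]; then
      yum install -y "$PACKAGE"
    else
      apt_install "$PACKAGE"
    fi
  fi
  # Checked unconditionally: audit() flags a disabled service even when the
  # package is installed, so apply() must enable it in that case as well
  # rather than only right after installing the package.
  is_service_enabled "$SERVICE_NAME"
  if [ "$FNRET" != 0 ]; then
    info "Enabling $SERVICE_NAME"
    is_debian_9
    if [ "$FNRET" = 0 ] || [ "$OS_RELEASE" -eq 2 ]; then
      systemctl enable "$SERVICE_NAME" > /dev/null 2>&1
      systemctl start "$SERVICE_NAME" > /dev/null 2>&1
    else
      update-rc.d "$SERVICE_NAME" remove > /dev/null 2>&1
      update-rc.d "$SERVICE_NAME" defaults > /dev/null 2>&1
    fi
  else
    ok "$SERVICE_NAME is enabled"
  fi
}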
# This function will check config parameters required
# This function will check config parameters required
# (nothing to validate for this item; always succeeds)
check_config() {
  return 0
}
# Source Root Dir Parameter
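# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# Under 'set -u' an unset CIS_ROOT_DIR would abort with "unbound variable"
# before the diagnostic below is printed, hence the ':-' default.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi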
================================================
FILE: bin/hardening/9.1.2_crontab_perm_ownership.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 9.1.2 Set User/Group Owner and Permission on /etc/crontab (Scored)
#
set -eu  # One error or one unset variable, it's over
# Hardening level this item belongs to.
HARDENING_LEVEL=1
# Path checked by this item together with the owner, group and mode it must have.
FILE='/etc/crontab'
USER='root'
GROUP='root'
PERMISSIONS='600'
# This function will be called if the script status is on enabled / audit mode
# This function will be called if the script status is on enabled / audit mode
# Globals read:    FILE USER GROUP PERMISSIONS
# Globals written: FNRET (as set by has_file_correct_permissions, the last call)
audit () {
  has_file_correct_ownership $FILE $USER $GROUP
  case "$FNRET" in
    0) ok "$FILE has correct ownership" ;;
    *) crit "$FILE ownership was not set to $USER:$GROUP" ;;
  esac
  has_file_correct_permissions $FILE $PERMISSIONS
  case "$FNRET" in
    0) ok "$FILE has correct permissions" ;;
    *) crit "$FILE permissions were not set to $PERMISSIONS" ;;
  esac
}
# This function will be called if the script status is on enabled mode
# This function will be called if the script status is on enabled mode
# Globals read:    FILE USER GROUP PERMISSIONS
# Globals written: FNRET (as set by has_file_correct_permissions, the last call)
# Side effects:    creates $FILE if missing and fixes its owner:group and mode
apply () {
  does_file_exist $FILE
  if [ "$FNRET" != 0 ]; then
    info "$FILE does not exist"
    touch $FILE
  fi
  has_file_correct_ownership $FILE $USER $GROUP
  case "$FNRET" in
    0)
      ok "$FILE has correct ownership"
      ;;
    *)
      warn "fixing $FILE ownership to $USER:$GROUP"
      chown $USER:$GROUP $FILE
      ;;
  esac
  has_file_correct_permissions $FILE $PERMISSIONS
  case "$FNRET" in
    0)
      ok "$FILE has correct permissions"
      ;;
    *)
      info "fixing $FILE permissions to $PERMISSIONS"
      chmod 0$PERMISSIONS $FILE
      ;;
  esac
}
# This function will check config parameters required
# This function will check config parameters required
# Aborts the script (exit 128) when the configured user or group does not exist.
check_config() {
  does_user_exist $USER
  [ "$FNRET" = 0 ] || { crit "$USER does not exist"; exit 128; }
  does_group_exist $GROUP
  [ "$FNRET" = 0 ] || { crit "$GROUP does not exist"; exit 128; }
}
# Source Root Dir Parameter
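# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# Under 'set -u' an unset CIS_ROOT_DIR would abort with "unbound variable"
# before the diagnostic below is printed, hence the ':-' default.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi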
================================================
FILE: bin/hardening/9.1.3_cron_hourly_perm_ownership.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 9.1.3 Set User/Group Owner and Permission on /etc/cron.hourly (Scored)
#
set -eu  # One error or one unset variable, it's over
# Hardening level this item belongs to.
HARDENING_LEVEL=1
# Directory checked by this item together with the owner, group and mode it must have.
FILE='/etc/cron.hourly'
USER='root'
GROUP='root'
PERMISSIONS='700'
# This function will be called if the script status is on enabled / audit mode
# This function will be called if the script status is on enabled / audit mode
# Globals read:    FILE USER GROUP PERMISSIONS
# Globals written: FNRET (as set by has_file_correct_permissions, the last call)
audit () {
  has_file_correct_ownership $FILE $USER $GROUP
  case "$FNRET" in
    0) ok "$FILE has correct ownership" ;;
    *) crit "$FILE ownership was not set to $USER:$GROUP" ;;
  esac
  has_file_correct_permissions $FILE $PERMISSIONS
  case "$FNRET" in
    0) ok "$FILE has correct permissions" ;;
    *) crit "$FILE permissions were not set to $PERMISSIONS" ;;
  esac
}
# This function will be called if the script status is on enabled mode
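# This function will be called if the script status is on enabled mode
# Globals read:    FILE USER GROUP PERMISSIONS
# Globals written: FNRET (as set by has_file_correct_permissions, the last call)
# Side effects:    creates $FILE if missing and fixes its owner:group and mode
apply () {
  does_file_exist "$FILE"
  if [ "$FNRET" != 0 ]; then
    info "$FILE does not exist"
    # $FILE is the cron.hourly drop-in directory (mode 700, see PERMISSIONS):
    # a missing one must be created as a directory, not as an empty regular file.
    mkdir -p -- "$FILE"
  fi
  has_file_correct_ownership "$FILE" "$USER" "$GROUP"
  if [ "$FNRET" = 0 ]; then
    ok "$FILE has correct ownership"
  else
    warn "fixing $FILE ownership to $USER:$GROUP"
    chown -- "$USER:$GROUP" "$FILE"
  fi
  has_file_correct_permissions "$FILE" "$PERMISSIONS"
  if [ "$FNRET" = 0 ]; then
    ok "$FILE has correct permissions"
  else
    info "fixing $FILE permissions to $PERMISSIONS"
    chmod -- "0$PERMISSIONS" "$FILE"
  fi
}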
# This function will check config parameters required
# This function will check config parameters required
# Aborts the script (exit 128) when the configured user or group does not exist.
check_config() {
  does_user_exist $USER
  [ "$FNRET" = 0 ] || { crit "$USER does not exist"; exit 128; }
  does_group_exist $GROUP
  [ "$FNRET" = 0 ] || { crit "$GROUP does not exist"; exit 128; }
}
# Source Root Dir Parameter
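# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# Under 'set -u' an unset CIS_ROOT_DIR would abort with "unbound variable"
# before the diagnostic below is printed, hence the ':-' default.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi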
================================================
FILE: bin/hardening/9.1.4_cron_daily_perm_ownership.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 9.1.4 Set User/Group Owner and Permission on /etc/cron.daily (Scored)
#
set -eu  # One error or one unset variable, it's over
# Hardening level this item belongs to.
HARDENING_LEVEL=1
# Directory checked by this item together with the owner, group and mode it must have.
FILE='/etc/cron.daily'
USER='root'
GROUP='root'
PERMISSIONS='700'
# This function will be called if the script status is on enabled / audit mode
# This function will be called if the script status is on enabled / audit mode
# Globals read:    FILE USER GROUP PERMISSIONS
# Globals written: FNRET (as set by has_file_correct_permissions, the last call)
audit () {
  has_file_correct_ownership $FILE $USER $GROUP
  case "$FNRET" in
    0) ok "$FILE has correct ownership" ;;
    *) crit "$FILE ownership was not set to $USER:$GROUP" ;;
  esac
  has_file_correct_permissions $FILE $PERMISSIONS
  case "$FNRET" in
    0) ok "$FILE has correct permissions" ;;
    *) crit "$FILE permissions were not set to $PERMISSIONS" ;;
  esac
}
# This function will be called if the script status is on enabled mode
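# This function will be called if the script status is on enabled mode
# Globals read:    FILE USER GROUP PERMISSIONS
# Globals written: FNRET (as set by has_file_correct_permissions, the last call)
# Side effects:    creates $FILE if missing and fixes its owner:group and mode
apply () {
  does_file_exist "$FILE"
  if [ "$FNRET" != 0 ]; then
    info "$FILE does not exist"
    # $FILE is the cron.daily drop-in directory (mode 700, see PERMISSIONS):
    # a missing one must be created as a directory, not as an empty regular file.
    mkdir -p -- "$FILE"
  fi
  has_file_correct_ownership "$FILE" "$USER" "$GROUP"
  if [ "$FNRET" = 0 ]; then
    ok "$FILE has correct ownership"
  else
    warn "fixing $FILE ownership to $USER:$GROUP"
    chown -- "$USER:$GROUP" "$FILE"
  fi
  has_file_correct_permissions "$FILE" "$PERMISSIONS"
  if [ "$FNRET" = 0 ]; then
    ok "$FILE has correct permissions"
  else
    info "fixing $FILE permissions to $PERMISSIONS"
    chmod -- "0$PERMISSIONS" "$FILE"
  fi
}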
# This function will check config parameters required
# This function will check config parameters required
# Aborts the script (exit 128) when the configured user or group does not exist.
check_config() {
  does_user_exist $USER
  [ "$FNRET" = 0 ] || { crit "$USER does not exist"; exit 128; }
  does_group_exist $GROUP
  [ "$FNRET" = 0 ] || { crit "$GROUP does not exist"; exit 128; }
}
# Source Root Dir Parameter
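# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# Under 'set -u' an unset CIS_ROOT_DIR would abort with "unbound variable"
# before the diagnostic below is printed, hence the ':-' default.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi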
================================================
FILE: bin/hardening/9.1.5_cron_weekly_perm_ownership.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 9.1.5 Set User/Group Owner and Permission on /etc/cron.weekly (Scored)
#
set -eu  # One error or one unset variable, it's over
# Hardening level this item belongs to.
HARDENING_LEVEL=1
# Directory checked by this item together with the owner, group and mode it must have.
FILE='/etc/cron.weekly'
USER='root'
GROUP='root'
PERMISSIONS='700'
# This function will be called if the script status is on enabled / audit mode
# This function will be called if the script status is on enabled / audit mode
# Globals read:    FILE USER GROUP PERMISSIONS
# Globals written: FNRET (as set by has_file_correct_permissions, the last call)
audit () {
  has_file_correct_ownership $FILE $USER $GROUP
  case "$FNRET" in
    0) ok "$FILE has correct ownership" ;;
    *) crit "$FILE ownership was not set to $USER:$GROUP" ;;
  esac
  has_file_correct_permissions $FILE $PERMISSIONS
  case "$FNRET" in
    0) ok "$FILE has correct permissions" ;;
    *) crit "$FILE permissions were not set to $PERMISSIONS" ;;
  esac
}
# This function will be called if the script status is on enabled mode
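# This function will be called if the script status is on enabled mode
# Globals read:    FILE USER GROUP PERMISSIONS
# Globals written: FNRET (as set by has_file_correct_permissions, the last call)
# Side effects:    creates $FILE if missing and fixes its owner:group and mode
apply () {
  does_file_exist "$FILE"
  if [ "$FNRET" != 0 ]; then
    info "$FILE does not exist"
    # $FILE is the cron.weekly drop-in directory (mode 700, see PERMISSIONS):
    # a missing one must be created as a directory, not as an empty regular file.
    mkdir -p -- "$FILE"
  fi
  has_file_correct_ownership "$FILE" "$USER" "$GROUP"
  if [ "$FNRET" = 0 ]; then
    ok "$FILE has correct ownership"
  else
    warn "fixing $FILE ownership to $USER:$GROUP"
    chown -- "$USER:$GROUP" "$FILE"
  fi
  has_file_correct_permissions "$FILE" "$PERMISSIONS"
  if [ "$FNRET" = 0 ]; then
    ok "$FILE has correct permissions"
  else
    info "fixing $FILE permissions to $PERMISSIONS"
    chmod -- "0$PERMISSIONS" "$FILE"
  fi
}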
# This function will check config parameters required
# This function will check config parameters required
# Aborts the script (exit 128) when the configured user or group does not exist.
check_config() {
  does_user_exist $USER
  [ "$FNRET" = 0 ] || { crit "$USER does not exist"; exit 128; }
  does_group_exist $GROUP
  [ "$FNRET" = 0 ] || { crit "$GROUP does not exist"; exit 128; }
}
# Source Root Dir Parameter
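# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# Under 'set -u' an unset CIS_ROOT_DIR would abort with "unbound variable"
# before the diagnostic below is printed, hence the ':-' default.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi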
================================================
FILE: bin/hardening/9.1.6_cron_monthly_perm_ownership.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 9.1.6 Set User/Group Owner and Permission on /etc/cron.monthly (Scored)
#
set -eu  # One error or one unset variable, it's over
# Hardening level this item belongs to.
HARDENING_LEVEL=1
# Directory checked by this item together with the owner, group and mode it must have.
FILE='/etc/cron.monthly'
USER='root'
GROUP='root'
PERMISSIONS='700'
# This function will be called if the script status is on enabled / audit mode
# This function will be called if the script status is on enabled / audit mode
# Globals read:    FILE USER GROUP PERMISSIONS
# Globals written: FNRET (as set by has_file_correct_permissions, the last call)
audit () {
  has_file_correct_ownership $FILE $USER $GROUP
  case "$FNRET" in
    0) ok "$FILE has correct ownership" ;;
    *) crit "$FILE ownership was not set to $USER:$GROUP" ;;
  esac
  has_file_correct_permissions $FILE $PERMISSIONS
  case "$FNRET" in
    0) ok "$FILE has correct permissions" ;;
    *) crit "$FILE permissions were not set to $PERMISSIONS" ;;
  esac
}
# This function will be called if the script status is on enabled mode
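# This function will be called if the script status is on enabled mode
# Globals read:    FILE USER GROUP PERMISSIONS
# Globals written: FNRET (as set by has_file_correct_permissions, the last call)
# Side effects:    creates $FILE if missing and fixes its owner:group and mode
apply () {
  does_file_exist "$FILE"
  if [ "$FNRET" != 0 ]; then
    info "$FILE does not exist"
    # $FILE is the cron.monthly drop-in directory (mode 700, see PERMISSIONS):
    # a missing one must be created as a directory, not as an empty regular file.
    mkdir -p -- "$FILE"
  fi
  has_file_correct_ownership "$FILE" "$USER" "$GROUP"
  if [ "$FNRET" = 0 ]; then
    ok "$FILE has correct ownership"
  else
    warn "fixing $FILE ownership to $USER:$GROUP"
    chown -- "$USER:$GROUP" "$FILE"
  fi
  has_file_correct_permissions "$FILE" "$PERMISSIONS"
  if [ "$FNRET" = 0 ]; then
    ok "$FILE has correct permissions"
  else
    info "fixing $FILE permissions to $PERMISSIONS"
    chmod -- "0$PERMISSIONS" "$FILE"
  fi
}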
# This function will check config parameters required
# This function will check config parameters required
# Aborts the script (exit 128) when the configured user or group does not exist.
check_config() {
  does_user_exist $USER
  [ "$FNRET" = 0 ] || { crit "$USER does not exist"; exit 128; }
  does_group_exist $GROUP
  [ "$FNRET" = 0 ] || { crit "$GROUP does not exist"; exit 128; }
}
# Source Root Dir Parameter
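# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# Under 'set -u' an unset CIS_ROOT_DIR would abort with "unbound variable"
# before the diagnostic below is printed, hence the ':-' default.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi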
================================================
FILE: bin/hardening/9.1.7_cron_d_perm_ownership.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 9.1.7 Set User/Group Owner and Permission on /etc/cron.d (Scored)
#
set -eu  # One error or one unset variable, it's over
# Hardening level this item belongs to.
HARDENING_LEVEL=1
# Directory checked by this item together with the owner, group and mode it must have.
FILE='/etc/cron.d'
USER='root'
GROUP='root'
PERMISSIONS='700'
# This function will be called if the script status is on enabled / audit mode
# This function will be called if the script status is on enabled / audit mode
# Globals read:    FILE USER GROUP PERMISSIONS
# Globals written: FNRET (as set by has_file_correct_permissions, the last call)
audit () {
  has_file_correct_ownership $FILE $USER $GROUP
  case "$FNRET" in
    0) ok "$FILE has correct ownership" ;;
    *) crit "$FILE ownership was not set to $USER:$GROUP" ;;
  esac
  has_file_correct_permissions $FILE $PERMISSIONS
  case "$FNRET" in
    0) ok "$FILE has correct permissions" ;;
    *) crit "$FILE permissions were not set to $PERMISSIONS" ;;
  esac
}
# This function will be called if the script status is on enabled mode
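# This function will be called if the script status is on enabled mode
# Globals read:    FILE USER GROUP PERMISSIONS
# Globals written: FNRET (as set by has_file_correct_permissions, the last call)
# Side effects:    creates $FILE if missing and fixes its owner:group and mode
apply () {
  does_file_exist "$FILE"
  if [ "$FNRET" != 0 ]; then
    info "$FILE does not exist"
    # $FILE is the cron.d drop-in directory (mode 700, see PERMISSIONS):
    # a missing one must be created as a directory, not as an empty regular file.
    mkdir -p -- "$FILE"
  fi
  has_file_correct_ownership "$FILE" "$USER" "$GROUP"
  if [ "$FNRET" = 0 ]; then
    ok "$FILE has correct ownership"
  else
    warn "fixing $FILE ownership to $USER:$GROUP"
    chown -- "$USER:$GROUP" "$FILE"
  fi
  has_file_correct_permissions "$FILE" "$PERMISSIONS"
  if [ "$FNRET" = 0 ]; then
    ok "$FILE has correct permissions"
  else
    info "fixing $FILE permissions to $PERMISSIONS"
    chmod -- "0$PERMISSIONS" "$FILE"
  fi
}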
# This function will check config parameters required
# This function will check config parameters required
# Aborts the script (exit 128) when the configured user or group does not exist.
check_config() {
  does_user_exist $USER
  [ "$FNRET" = 0 ] || { crit "$USER does not exist"; exit 128; }
  does_group_exist $GROUP
  [ "$FNRET" = 0 ] || { crit "$GROUP does not exist"; exit 128; }
}
# Source Root Dir Parameter
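# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# Under 'set -u' an unset CIS_ROOT_DIR would abort with "unbound variable"
# before the diagnostic below is printed, hence the ':-' default.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi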
================================================
FILE: bin/hardening/9.1.8_cron_users.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
#
#
# 9.1.8 Restrict at/cron to Authorized Users (Scored)
#
set -eu  # One error or one unset variable, it's over
# Hardening level this item belongs to.
HARDENING_LEVEL=2
# Deny lists that must not exist, and allow lists that must exist with the
# owner, group and mode below. Both lists are whitespace-separated on purpose.
FILES_ABSENT='/etc/cron.deny /etc/at.deny'
FILES_PRESENT='/etc/cron.allow /etc/at.allow'
USER='root'
GROUP='root'
PERMISSIONS='644'
# This function will be called if the script status is on enabled / audit mode
# This function will be called if the script status is on enabled / audit mode
# Globals read:    FILES_ABSENT FILES_PRESENT USER GROUP PERMISSIONS
# Globals written: FILE (loop variable), FNRET as set by the last helper called
audit () {
  # Deny lists must be absent.
  for FILE in $FILES_ABSENT; do
    does_file_exist $FILE
    case "$FNRET" in
      0) crit "$FILE exists" ;;
      *) ok "$FILE is absent" ;;
    esac
  done
  # Allow lists must be present with the expected owner and mode.
  for FILE in $FILES_PRESENT; do
    does_file_exist $FILE
    if [ "$FNRET" != 0 ]; then
      crit "$FILE is absent"
      continue
    fi
    has_file_correct_ownership $FILE $USER $GROUP
    case "$FNRET" in
      0) ok "$FILE has correct ownership" ;;
      *) crit "$FILE ownership was not set to $USER:$GROUP" ;;
    esac
    has_file_correct_permissions $FILE $PERMISSIONS
    case "$FNRET" in
      0) ok "$FILE has correct permissions" ;;
      *) crit "$FILE permissions were not set to $PERMISSIONS" ;;
    esac
  done
}
# This function will be called if the script status is on enabled mode
# This function will be called if the script status is on enabled mode
# Globals read:    FILES_ABSENT FILES_PRESENT USER GROUP PERMISSIONS
# Globals written: FILE (loop variable), FNRET as set by the last helper called
# Side effects:    removes the deny lists, creates the allow lists when missing
#                  and fixes their owner:group and mode
apply () {
  for FILE in $FILES_ABSENT; do
    does_file_exist $FILE
    case "$FNRET" in
      0)
        warn "$FILE exists"
        rm $FILE
        ;;
      *)
        ok "$FILE is absent"
        ;;
    esac
  done
  for FILE in $FILES_PRESENT; do
    does_file_exist $FILE
    if [ "$FNRET" != 0 ]; then
      warn "$FILE is absent"
      touch $FILE
    fi
    has_file_correct_ownership $FILE $USER $GROUP
    case "$FNRET" in
      0)
        ok "$FILE has correct ownership"
        ;;
      *)
        warn "fixing $FILE ownership to $USER:$GROUP"
        chown $USER:$GROUP $FILE
        ;;
    esac
    has_file_correct_permissions $FILE $PERMISSIONS
    case "$FNRET" in
      0)
        ok "$FILE has correct permissions"
        ;;
      *)
        warn "$FILE permissions were not set to $PERMISSIONS"
        chmod 0$PERMISSIONS $FILE
        ;;
    esac
  done
}
# This function will check config parameters required
# This function will check config parameters required
# Aborts the script (exit 128) when the configured user or group does not exist.
check_config() {
  does_user_exist $USER
  [ "$FNRET" = 0 ] || { crit "$USER does not exist"; exit 128; }
  does_group_exist $GROUP
  [ "$FNRET" = 0 ] || { crit "$GROUP does not exist"; exit 128; }
}
# Source Root Dir Parameter
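# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# Under 'set -u' an unset CIS_ROOT_DIR would abort with "unbound variable"
# before the diagnostic below is printed, hence the ':-' default.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi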
================================================
FILE: bin/hardening/9.2.10_pam_maxclassrepeat_cracklib.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12/13 or CentOS Hardening
#
#
# 9.2.10 Set Password Creation Requirement Parameters Using pam_cracklib: audit maxclassrepeat option (Scored)
# Author : Samson wen, Samson
#
set -eu  # One error or one unset variable, it's over
# Hardening level this item belongs to.
HARDENING_LEVEL=2
# Debian: option is checked on the pam_cracklib line of common-password.
PACKAGE='libpam-cracklib'
PAMLIBNAME='pam_cracklib.so'
PATTERN='^password.*pam_cracklib.so'
FILE='/etc/pam.d/common-password'
# Redhat/CentOS default use pam_pwquality
FILE_CENTOS='/etc/security/pwquality.conf'
# Option name and the upper bound ("le") it is compared against.
OPTIONNAME='maxclassrepeat'
# condition
CONDT_VAL=4
# Debian audit path: package installed, cracklib line present, option within bound.
# Globals written: FNRET (1 package missing, 2 pattern missing, otherwise the
#                  value left by check_param_pair_by_pam)
audit_debian () {
  is_pkg_installed $PACKAGE
  if [ "$FNRET" != 0 ]; then
    crit "$PACKAGE is not installed!"
    FNRET=1
    return
  fi
  ok "$PACKAGE is installed"
  does_pattern_exist_in_file $FILE $PATTERN
  if [ "$FNRET" != 0 ]; then
    crit "$PATTERN is not present in $FILE"
    FNRET=2
    return
  fi
  ok "$PATTERN is present in $FILE"
  check_param_pair_by_pam $FILE $PAMLIBNAME $OPTIONNAME le $CONDT_VAL
  case "$FNRET" in
    0) ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL" ;;
    *) crit "$OPTIONNAME set condition is greater than $CONDT_VAL" ;;  #FNRET=3
  esac
}
# CentOS audit path: option checked in pwquality.conf.
# Globals written: FNRET (as set by check_param_pair_by_value: 0 ok, 1 too
#                  large, 2 not configured, 3 file missing)
audit_centos () {
  check_param_pair_by_value $FILE_CENTOS $OPTIONNAME le $CONDT_VAL
  case "$FNRET" in
    0) ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS" ;;
    1) crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_CENTOS" ;;
    2) crit "Option $OPTIONNAME is not conf in $FILE_CENTOS" ;;
    3) crit "Config file $FILE_CENTOS is not exist!" ;;
  esac
}
# This function will be called if the script status is on enabled / audit mode
# This function will be called if the script status is on enabled / audit mode
# Dispatches on OS_RELEASE; sets FNRET=44 for an unsupported release.
audit () {
  if [ $OS_RELEASE -eq 1 ]; then
    audit_debian
    return
  fi
  # debian11/debian12 default use pam_pwquality, same as centos
  if [ $OS_RELEASE -eq 2 ] || [ $OS_RELEASE -eq 11 ] || [ $OS_RELEASE -eq 12 ] || [ $OS_RELEASE -eq 13 ]; then
    audit_centos
    return
  fi
  crit "Current OS is not support!"
  FNRET=44
}
# Debian remediation, driven by the FNRET left by audit_debian:
# 1 install package, 2 add a default cracklib line, 3 file missing,
# 4 add the option, 5 reset the option value.
apply_debian () {
  case "$FNRET" in
    0)
      ok "$PACKAGE is installed"
      ;;
    1)
      warn "$PACKAGE is absent, installing it"
      apt_install $PACKAGE
      ;;
    2)
      warn "$PATTERN is not present in $FILE, add default config to $FILE"
      add_line_file_before_pattern $FILE "password requisite pam_cracklib.so retry=3 minlen=15 difok=3" "# pam-auth-update(8) for details."
      ;;
    3)
      crit "$FILE is not exist, please check"
      ;;
    4)
      warn "$OPTIONNAME is not conf"
      add_option_to_password_check $FILE $PAMLIBNAME "$OPTIONNAME=$CONDT_VAL"
      ;;
    5)
      warn "$OPTIONNAME set is not match legally, reset it to $CONDT_VAL"
      reset_option_to_password_check $FILE $PAMLIBNAME "$OPTIONNAME" "$CONDT_VAL"
      ;;
  esac
}
# CentOS remediation, driven by the FNRET left by audit_centos:
# 1 reset the option line, 2 append the option, 3 file missing.
apply_centos () {
  case "$FNRET" in
    0)
      ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS"
      ;;
    1)
      warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS"
      replace_in_file $FILE_CENTOS "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL"
      ;;
    2)
      warn "$OPTIONNAME is not conf, add to $FILE_CENTOS"
      add_end_of_file $FILE_CENTOS "$OPTIONNAME = $CONDT_VAL"
      ;;
    3)
      crit "Config file $FILE_CENTOS is not exist!"
      ;;
  esac
}
# This function will be called if the script status is on enabled mode
# This function will be called if the script status is on enabled mode
# Dispatches on OS_RELEASE, mirroring audit().
apply () {
  if [ $OS_RELEASE -eq 1 ]; then
    apply_debian
    return
  fi
  # debian11/debian12 default use pam_pwquality, same as centos
  if [ $OS_RELEASE -eq 2 ] || [ $OS_RELEASE -eq 11 ] || [ $OS_RELEASE -eq 12 ] || [ $OS_RELEASE -eq 13 ]; then
    apply_centos
    return
  fi
  crit "Current OS is not support!"
}
# This function will check config parameters required
# This function will check config parameters required
# (nothing to validate for this item; always succeeds)
check_config() {
  return 0
}
# Source Root Dir Parameter
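# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# Under 'set -u' an unset CIS_ROOT_DIR would abort with "unbound variable"
# before the diagnostic below is printed, hence the ':-' default.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi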
================================================
FILE: bin/hardening/9.2.11_pam_deny_times_tally2.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12/13 or CentOS 8 Hardening
#
#
# 9.2.11 Set deny times for Password Attempts (Scored)
# Replaced pam_tally2 with pam_faillock in debian 11
# The number in the original document is 9.2.2
# for login and ssh service
# Author : Samson wen, Samson
#
set -eu  # One error or one unset variable, it's over
# Hardening level this item belongs to.
HARDENING_LEVEL=3
PACKAGE='libpam-modules-bin'
# PAM auth stack that must carry the lockout rule, and the comment line after
# which a missing rule is inserted.
AUTHFILE='/etc/pam.d/common-auth'
ADDPATTERNLINE='# pam-auth-update(8) for details.'
# Lockout option and the upper bound ("le") it is compared against.
DENYOPTION='deny'
DENY_VAL=3
# This function will be called if the script status is on enabled / audit mode
# This function will be called if the script status is on enabled / audit mode
# Audit path for releases before Debian 11 (pam_tally2 style rule).
# Globals read:    PACKAGE AUTHFILE AUTHPATTERN PAMLIBNAME DENYOPTION DENY_VAL
#                  (AUTHPATTERN and PAMLIBNAME are not defined in this file)
# Globals written: FNRET (11 package missing, 2 rule missing, otherwise the
#                  value left by check_param_pair_by_pam)
audit_before11 () {
  is_pkg_installed $PACKAGE
  if [ "$FNRET" != 0 ]; then
    crit "$PACKAGE is not installed!"
    FNRET=11
    return
  fi
  ok "$PACKAGE is installed"
  does_pattern_exist_in_file $AUTHFILE $AUTHPATTERN
  if [ "$FNRET" != 0 ]; then
    crit "$AUTHPATTERN is not present in $AUTHFILE"
    FNRET=2
    return
  fi
  ok "$AUTHPATTERN is present in $AUTHFILE."
  check_param_pair_by_pam $AUTHFILE $PAMLIBNAME $DENYOPTION le $DENY_VAL
  case "$FNRET" in
    0) ok "$DENYOPTION set condition is less-than-or-equal-to $DENY_VAL" ;;
    *) crit "$DENYOPTION set condition is not $DENY_VAL" ;;
  esac
}
# Audit path for Debian 11 and later (pam_faillock; deny limit lives in
# $SECCONFFILE, which is not defined in this file).
# Globals written: FNRET (11 package missing, 12 rule missing, otherwise the
#                  value left by check_param_pair_by_value: 0 ok, 1 too large,
#                  2 not configured, 3 file missing)
audit_debian11 () {
  is_pkg_installed $PACKAGE
  if [ "$FNRET" != 0 ]; then
    crit "$PACKAGE is not installed!"
    FNRET=11
    return
  fi
  ok "$PACKAGE is installed"
  does_pattern_exist_in_file $AUTHFILE $AUTHPATTERN
  if [ "$FNRET" != 0 ]; then
    crit "$AUTHPATTERN is not present in $AUTHFILE"
    FNRET=12
    return
  fi
  ok "$AUTHPATTERN is present in $AUTHFILE."
  check_param_pair_by_value $SECCONFFILE $DENYOPTION le $DENY_VAL
  case "$FNRET" in
    0) ok "Option $DENYOPTION set condition is less than or equal to $DENY_VAL in $SECCONFFILE" ;;
    1) crit "Option $DENYOPTION set condition is greater than $DENY_VAL in $SECCONFFILE" ;;
    2) crit "Option $DENYOPTION is not conf in $SECCONFFILE" ;;
    3) crit "Config file $SECCONFFILE is not exist!" ;;
  esac
}
# Dispatch to the faillock.conf or PAM-line audit depending on check_config's ISDEBIAN11.
audit () {
    case $ISDEBIAN11 in
        1) audit_debian11 ;;
        *) audit_before11 ;;
    esac
}
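# Remediation for pam_tally2 / CentOS faillock, driven by the FNRET left by audit_before11.
# Fix: the deny= value is reset on the *auth* line (reset_option_to_auth_check, the helper
# the sibling unlock_time script uses on the same file); the previous call to
# reset_option_to_password_check targeted password lines, which do not exist in common-auth.
apply_before11 () {
    case $FNRET in
        0)
            ok "$DENYOPTION set condition is less-than-or-equal-to $DENY_VAL"
            ;;
        11)
            warn "Apply:$PACKAGE is absent, installing it"
            install_package $PACKAGE
            ;;
        2)
            warn "Apply:$AUTHPATTERN is not present in $AUTHFILE"
            # CentOS has no pam-auth-update anchor; append after the last matching auth line.
            # NOTE(review): on CentOS a single faillock line is only part of the stack
            # (preauth/authfail/account entries); verify the resulting file by hand.
            if [ $OS_RELEASE -eq 2 ]; then
                add_line_file_after_pattern_lastline "$AUTHFILE" "$AUTHRULE" "$ADDPATTERNLINE"
            else
                add_line_file_after_pattern "$AUTHFILE" "$AUTHRULE" "$ADDPATTERNLINE"
            fi
            ;;
        3)
            crit "$AUTHFILE is not exist, please check"
            ;;
        4)
            warn "Apply:$DENYOPTION is not conf"
            add_option_to_auth_check $AUTHFILE $PAMLIBNAME "$DENYOPTION=$DENY_VAL"
            ;;
        5)
            warn "Apply:$DENYOPTION set is not match legally, reset it to $DENY_VAL"
            reset_option_to_auth_check $AUTHFILE $PAMLIBNAME "$DENYOPTION" "$DENY_VAL"
            ;;
    esac
}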
# Input:
# Param1: return-value of call check_param_pair_by_value
# Function: Perform corresponding repair actions based on the return value of the error.
# Repair /etc/security/faillock.conf according to a check_param_pair_by_value result.
# Param1: that result (0 ok, 1 wrong value, 2 option absent, 3 file absent).
apply_secconffile() {
    FNRET=$1
    case $FNRET in
        0)
            ok "Option $DENYOPTION set condition is less than or equal to $DENY_VAL in $SECCONFFILE"
            ;;
        1)
            warn "Reset option $DENYOPTION to $DENY_VAL in $SECCONFFILE"
            replace_in_file $SECCONFFILE "^$DENYOPTION.*" "$DENYOPTION = $DENY_VAL"
            ;;
        2)
            warn "$DENYOPTION is not conf, add to $SECCONFFILE"
            add_end_of_file $SECCONFFILE "$DENYOPTION = $DENY_VAL"
            ;;
        3)
            warn "Config file $SECCONFFILE is not exist! Please check it by yourself"
            ;;
        *)
            warn "This param $FNRET was not defined!!!"
            ;;
    esac
}
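# Remediation for pam_faillock (Debian 11+/Ubuntu), driven by audit_debian11's FNRET.
# Fix: after installing the package, faillock.conf is always checked and repaired; the
# old code only did so when the PAM rule was also missing, leaving deny= unenforced.
apply_debian11 () {
    case $FNRET in
        0)
            ok "$DENYOPTION set condition is less than or equal to $DENY_VAL in $SECCONFFILE"
            ;;
        11)
            warn "Apply:$PACKAGE is absent, installing it"
            install_package $PACKAGE
            does_pattern_exist_in_file $AUTHFILE $AUTHPATTERN
            if [ $FNRET != 0 ]; then
                add_line_file_after_pattern "$AUTHFILE" "$AUTHRULE" "$ADDPATTERNLINE"
            fi
            check_param_pair_by_value $SECCONFFILE $DENYOPTION le $DENY_VAL
            apply_secconffile $FNRET
            ;;
        12)
            add_line_file_after_pattern "$AUTHFILE" "$AUTHRULE" "$ADDPATTERNLINE"
            check_param_pair_by_value $SECCONFFILE $DENYOPTION le $DENY_VAL
            apply_secconffile $FNRET
            ;;
        *)
            apply_secconffile $FNRET
            ;;
    esac
}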
# This function will be called if the script status is on enabled mode
# Dispatch remediation on the flavour detected by check_config.
apply () {
    case $ISDEBIAN11 in
        1) apply_debian11 ;;
        *) apply_before11 ;;
    esac
}
# This function will check config parameters required
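# Select package / PAM file / rule per OS_RELEASE (1: Debian <=10, 2: CentOS, 3: Ubuntu,
# 11/12/13: Debian 11+). Fix: ISDEBIAN11 is defaulted to 0 first -- under `set -u` the
# CentOS branch previously left it unset and audit()/apply() aborted on "unbound variable".
check_config() {
    ISDEBIAN11=0
    case $OS_RELEASE in
        2)
            PACKAGE='pam'
            PAMLIBNAME='pam_faillock.so'
            AUTHPATTERN='^auth[[:space:]]*required[[:space:]]*pam_faillock.so'
            AUTHFILE='/etc/pam.d/password-auth'
            AUTHRULE='auth required pam_faillock.so deny=3 even_deny_root unlock_time=900'
            ADDPATTERNLINE='auth[[:space:]]*required'
            ;;
        1)
            PAMLIBNAME='pam_tally2.so'
            AUTHPATTERN='^auth[[:space:]]*required[[:space:]]*pam_tally2.so'
            AUTHRULE='auth required pam_tally2.so deny=3 even_deny_root unlock_time=900'
            ;;
        # ubuntu / debian 11/12/13: pam_faillock, tunables in faillock.conf
        3|11|12|13)
            ISDEBIAN11=1
            SECCONFFILE='/etc/security/faillock.conf'
            AUTHPATTERN='^auth[[:space:]]*required[[:space:]]*pam_faillock.so'
            AUTHRULE='auth required pam_faillock.so'
            ;;
    esac
}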
# Source Root Dir Parameter
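if [ -r /etc/default/cis-hardening ]; then
    # NOTE(review): sourced as root; keep this file root-owned and not writable by others,
    # since it decides which lib/main.sh is executed below.
    . /etc/default/cis-hardening
fi
# Fix: `${CIS_ROOT_DIR:-}` -- under `set -u` an unset variable aborted here with a bash
# "unbound variable" error instead of the intended message and exit 128.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi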
================================================
FILE: bin/hardening/9.2.12_pam_lockout_failed_tally2.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12/13 or CentOS 8 Hardening
#
#
# 9.2.12 Set Lockout for Failed Password Attempts (Scored)
# Replaced pam_tally2 with pam_faillock in debian 11
# for login and ssh service
#
set -eu # One error or one unset variable, it's over
HARDENING_LEVEL=3
# Debian defaults; check_config overrides these per OS_RELEASE.
PACKAGE='libpam-modules-bin'
AUTHFILE='/etc/pam.d/common-auth'
ADDPATTERNLINE='# pam-auth-update(8) for details.'
# Seconds an account stays locked after too many failures.
UNLOCKOPTION='unlock_time'
UNLOCK_VAL=900
# This function will be called if the script status is on enabled / audit mode
# Audit for pam_tally2 / CentOS faillock: unlock_time= lives on the PAM line.
# Sets FNRET: 0 ok, 11 package missing, 2 rule missing, else the helper's code.
audit_before11 () {
    is_pkg_installed $PACKAGE
    if [ $FNRET != 0 ]; then
        crit "$PACKAGE is not installed!"
        FNRET=11
        return
    fi
    ok "$PACKAGE is installed"
    does_pattern_exist_in_file $AUTHFILE $AUTHPATTERN
    if [ $FNRET != 0 ]; then
        crit "$AUTHPATTERN is not present in $AUTHFILE"
        FNRET=2
        return
    fi
    ok "$AUTHPATTERN is present in $AUTHFILE."
    check_param_pair_by_pam $AUTHFILE $PAMLIBNAME $UNLOCKOPTION ge $UNLOCK_VAL
    if [ $FNRET = 0 ]; then
        ok "$UNLOCKOPTION set condition is greater-than-or-equal-to $UNLOCK_VAL"
    else
        crit "$UNLOCKOPTION set condition is not $UNLOCK_VAL"
    fi
}
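# Audit for pam_faillock (Debian 11+/Ubuntu): unlock_time is read from faillock.conf.
# Sets FNRET: 0 ok, 11 package missing, 12 rule missing, 1-3 from check_param_pair_by_value.
# Fix: the lockout must last at least UNLOCK_VAL seconds, so the comparison is "ge"
# (as audit_before11 does), not "le" -- "le" accepted unlock_time=10 as compliant.
# NOTE(review): unlock_time = 0 (never auto-unlock) is stricter still but fails this
# numeric check; treat it as a manual exception if that is your policy.
audit_debian11 () {
    is_pkg_installed $PACKAGE
    if [ $FNRET != 0 ]; then
        crit "$PACKAGE is not installed!"
        FNRET=11
        return
    fi
    ok "$PACKAGE is installed"
    does_pattern_exist_in_file $AUTHFILE $AUTHPATTERN
    if [ $FNRET != 0 ]; then
        crit "$AUTHPATTERN is not present in $AUTHFILE"
        FNRET=12
        return
    fi
    ok "$AUTHPATTERN is present in $AUTHFILE."
    check_param_pair_by_value $SECCONFFILE $UNLOCKOPTION ge $UNLOCK_VAL
    case $FNRET in
        0) ok "Option $UNLOCKOPTION set condition is greater than or equal to $UNLOCK_VAL in $SECCONFFILE" ;;
        1) crit "Option $UNLOCKOPTION set condition is less than $UNLOCK_VAL in $SECCONFFILE" ;;
        2) crit "Option $UNLOCKOPTION is not conf in $SECCONFFILE" ;;
        3) crit "Config file $SECCONFFILE is not exist!" ;;
    esac
}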
# Dispatch to the faillock.conf or PAM-line audit depending on check_config's ISDEBIAN11.
audit () {
    case $ISDEBIAN11 in
        1) audit_debian11 ;;
        *) audit_before11 ;;
    esac
}
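# Remediation for pam_tally2 / CentOS faillock, driven by audit_before11's FNRET.
# Fix: audit_before11 reports a missing package as FNRET=11, but this function only
# matched 1, so the package was never installed; both codes are now handled.
apply_before11 () {
    case $FNRET in
        0)
            ok "$UNLOCKOPTION set condition is greater-than-or-equal-to $UNLOCK_VAL"
            ;;
        1|11)
            warn "Apply:$PACKAGE is absent, installing it"
            install_package $PACKAGE
            ;;
        2)
            warn "Apply:$AUTHPATTERN is not present in $AUTHFILE"
            # CentOS has no pam-auth-update anchor; append after the last matching auth line.
            if [ $OS_RELEASE -eq 2 ]; then
                add_line_file_after_pattern_lastline "$AUTHFILE" "$AUTHRULE" "$ADDPATTERNLINE"
            else
                add_line_file_after_pattern "$AUTHFILE" "$AUTHRULE" "$ADDPATTERNLINE"
            fi
            ;;
        3)
            crit "$AUTHFILE is not exist, please check"
            ;;
        4)
            warn "Apply:$UNLOCKOPTION is not conf"
            add_option_to_auth_check $AUTHFILE $PAMLIBNAME "$UNLOCKOPTION=$UNLOCK_VAL"
            ;;
        5)
            warn "Apply:$UNLOCKOPTION set is not match legally, reset it to $UNLOCK_VAL"
            reset_option_to_auth_check $AUTHFILE $PAMLIBNAME "$UNLOCKOPTION" "$UNLOCK_VAL"
            ;;
    esac
}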
# Input:
# Param1: return-value of call check_param_pair_by_value
# Function: Perform corresponding repair actions based on the return value of the error.
# Repair unlock_time in /etc/security/faillock.conf according to a
# check_param_pair_by_value result. Param1: that result (0 ok, 1 wrong value,
# 2 option absent, 3 file absent). Any other code is reported and ignored.
apply_secconffile() {
    FNRET=$1
    case $FNRET in
        0)
            ok "Option $UNLOCKOPTION set condition is less than or equal to $UNLOCK_VAL in $SECCONFFILE"
            ;;
        1)
            warn "Reset option $UNLOCKOPTION to $UNLOCK_VAL in $SECCONFFILE"
            replace_in_file $SECCONFFILE "^$UNLOCKOPTION.*" "$UNLOCKOPTION = $UNLOCK_VAL"
            ;;
        2)
            warn "$UNLOCKOPTION is not conf, add to $SECCONFFILE"
            add_end_of_file $SECCONFFILE "$UNLOCKOPTION = $UNLOCK_VAL"
            ;;
        3)
            warn "Config file $SECCONFFILE is not exist! Please check it by yourself"
            ;;
        *)
            warn "This param $FNRET was not defined!!!"
            ;;
    esac
}
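# Remediation for pam_faillock (Debian 11+/Ubuntu), driven by audit_debian11's FNRET.
# Fixes: (1) faillock.conf is always checked after the package install, not only when the
# PAM rule was also missing; (2) the re-check uses "ge" -- the lockout must last at least
# UNLOCK_VAL seconds, "le" would have accepted a 10-second lockout.
apply_debian11 () {
    case $FNRET in
        0)
            ok "$UNLOCKOPTION set condition is less than or equal to $UNLOCK_VAL in $SECCONFFILE"
            ;;
        11)
            warn "Apply:$PACKAGE is absent, installing it"
            install_package $PACKAGE
            does_pattern_exist_in_file $AUTHFILE $AUTHPATTERN
            if [ $FNRET != 0 ]; then
                add_line_file_after_pattern "$AUTHFILE" "$AUTHRULE" "$ADDPATTERNLINE"
            fi
            check_param_pair_by_value $SECCONFFILE $UNLOCKOPTION ge $UNLOCK_VAL
            apply_secconffile $FNRET
            ;;
        12)
            add_line_file_after_pattern "$AUTHFILE" "$AUTHRULE" "$ADDPATTERNLINE"
            check_param_pair_by_value $SECCONFFILE $UNLOCKOPTION ge $UNLOCK_VAL
            apply_secconffile $FNRET
            ;;
        *)
            apply_secconffile $FNRET
            ;;
    esac
}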
# This function will be called if the script status is on enabled mode
# Dispatch remediation on the flavour detected by check_config.
apply () {
    case $ISDEBIAN11 in
        1) apply_debian11 ;;
        *) apply_before11 ;;
    esac
}
# This function will check config parameters required
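# Select package / PAM file / rule per OS_RELEASE (1: Debian <=10, 2: CentOS, 3: Ubuntu,
# 11/12/13: Debian 11+). Fix: ISDEBIAN11 defaults to 0 -- the CentOS branch left it
# unset and audit()/apply() died under `set -u`.
check_config() {
    ISDEBIAN11=0
    case $OS_RELEASE in
        2)
            PACKAGE='pam'
            PAMLIBNAME='pam_faillock.so'
            AUTHPATTERN='^auth[[:space:]]*required[[:space:]]*pam_faillock.so'
            AUTHFILE='/etc/pam.d/password-auth'
            AUTHRULE='auth required pam_faillock.so deny=3 even_deny_root unlock_time=900'
            ADDPATTERNLINE='auth[[:space:]]*required'
            ;;
        1)
            PAMLIBNAME='pam_tally2.so'
            AUTHPATTERN='^auth[[:space:]]*required[[:space:]]*pam_tally2.so'
            AUTHRULE='auth required pam_tally2.so deny=3 even_deny_root unlock_time=900'
            ;;
        # ubuntu / debian 11/12/13: pam_faillock, tunables in faillock.conf
        3|11|12|13)
            ISDEBIAN11=1
            SECCONFFILE='/etc/security/faillock.conf'
            AUTHPATTERN='^auth[[:space:]]*required[[:space:]]*pam_faillock.so'
            AUTHRULE='auth required pam_faillock.so'
            ;;
    esac
}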
# Source Root Dir Parameter
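if [ -r /etc/default/cis-hardening ]; then
    # NOTE(review): sourced as root; keep this file root-owned and not writable by others.
    . /etc/default/cis-hardening
fi
# Fix: `${CIS_ROOT_DIR:-}` -- under `set -u` an unset variable aborted with a bash
# "unbound variable" error instead of the intended message and exit 128.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi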
================================================
FILE: bin/hardening/9.2.13_pam_even_deny_root_tally2.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9/10/11/12/13 or CentOS 8 Hardening
#
#
# 9.2.13 Ensure unsuccessful root logon occur the associated account must be locked. (Scored)
# Replaced pam_tally2 with pam_faillock in debian 11
# Author : Samson wen, Samson
# for login and ssh service
#
set -eu # One error or one unset variable, it's over
HARDENING_LEVEL=3
# Debian defaults; check_config overrides these per OS_RELEASE.
PACKAGE='libpam-modules-bin'
AUTHFILE='/etc/pam.d/common-auth'
ADDPATTERNLINE='# pam-auth-update(8) for details.'
# Lock root too after repeated failures (otherwise root is exempt from the counter).
DENYROOT='even_deny_root'
# This function will be called if the script status is on enabled / audit mode
# Audit for pam_tally2 / CentOS faillock: even_deny_root must be on the PAM line.
# Sets FNRET: 0 ok, 1 package missing, 2 rule missing, else the helper's code.
audit_before11 () {
    is_pkg_installed $PACKAGE
    if [ $FNRET != 0 ]; then
        crit "$PACKAGE is not installed!"
        FNRET=1
        return
    fi
    ok "$PACKAGE is installed"
    does_pattern_exist_in_file $AUTHFILE $AUTHPATTERN
    if [ $FNRET != 0 ]; then
        crit "$AUTHPATTERN is not present in $AUTHFILE"
        FNRET=2
        return
    fi
    ok "$AUTHPATTERN is present in $AUTHFILE."
    check_no_param_option_by_pam $PAMLIBNAME $DENYROOT $AUTHFILE
    if [ $FNRET = 0 ]; then
        ok "$DENYROOT is already configured"
    else
        crit "$DENYROOT is not present in $AUTHFILE"
    fi
}
# Audit for pam_faillock (Debian 11+/Ubuntu): even_deny_root is read from faillock.conf.
# Sets FNRET: 0 ok, 11 package missing, 12 rule missing, 1/2 from check_no_param_option_by_value.
audit_debian11 () {
    is_pkg_installed $PACKAGE
    if [ $FNRET != 0 ]; then
        crit "$PACKAGE is not installed!"
        FNRET=11
        return
    fi
    ok "$PACKAGE is installed"
    does_pattern_exist_in_file $AUTHFILE $AUTHPATTERN
    if [ $FNRET != 0 ]; then
        crit "$AUTHPATTERN is not present in $AUTHFILE"
        FNRET=12
        return
    fi
    ok "$AUTHPATTERN is present in $AUTHFILE."
    check_no_param_option_by_value $SECCONFFILE $DENYROOT
    case $FNRET in
        0) ok "Option $DENYROOT is conf in $SECCONFFILE" ;;
        1) crit "Config file $SECCONFFILE is not exist!" ;;
        2) crit "Option $DENYROOT is not conf in $SECCONFFILE" ;;
    esac
}
# Dispatch to the faillock.conf or PAM-line audit depending on check_config's ISDEBIAN11.
audit () {
    case $ISDEBIAN11 in
        1) audit_debian11 ;;
        *) audit_before11 ;;
    esac
}
# Remediation for pam_tally2 / CentOS faillock, driven by audit_before11's FNRET.
apply_before11 () {
    case $FNRET in
        0)
            ok "$DENYROOT is already configured"
            ;;
        1)
            warn "Apply:$PACKAGE is absent, installing it"
            install_package $PACKAGE
            ;;
        2)
            warn "Apply:$AUTHPATTERN is not present in $AUTHFILE"
            # CentOS has no pam-auth-update anchor; append after the last matching auth line.
            # NOTE(review): the CentOS rule is only the preauth entry of a faillock stack;
            # verify authfail/account entries by hand after applying.
            if [ $OS_RELEASE -eq 2 ]; then
                add_line_file_after_pattern_lastline "$AUTHFILE" "$AUTHRULE" "$ADDPATTERNLINE"
            else
                add_line_file_after_pattern "$AUTHFILE" "$AUTHRULE" "$ADDPATTERNLINE"
            fi
            ;;
        3)
            crit "$AUTHFILE is not exist, please check"
            ;;
        4)
            warn "Apply:$DENYROOT is not conf"
            add_option_to_auth_check $AUTHFILE $PAMLIBNAME $DENYROOT
            ;;
    esac
}
# Input:
# Param1: return-value of call check_no_param_option_by_value
# Function: Perform corresponding repair actions based on the return value of the error.
# Repair even_deny_root in /etc/security/faillock.conf according to a
# check_no_param_option_by_value result. Param1: that result (0 present, 1 file absent,
# 2 option absent). Any other code is reported and ignored.
apply_secconffile() {
    FNRET=$1
    case $FNRET in
        0)
            ok "Option $DENYROOT is conf in $SECCONFFILE"
            ;;
        1)
            warn "Config file $SECCONFFILE is not exist! Please check it by yourself"
            ;;
        2)
            warn "Option $DENYROOT is not conf in $SECCONFFILE, add it "
            add_end_of_file $SECCONFFILE "$DENYROOT"
            ;;
        *)
            warn "This param $FNRET was not defined!!!"
            ;;
    esac
}
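# Remediation for pam_faillock (Debian 11+/Ubuntu), driven by audit_debian11's FNRET.
# Fix: faillock.conf is always checked and repaired after installing the package; the old
# code skipped it when the PAM rule was already present, leaving root exempt from lockout.
apply_debian11 () {
    case $FNRET in
        0)
            ok "Option $DENYROOT is conf in $SECCONFFILE"
            ;;
        11)
            warn "Apply:$PACKAGE is absent, installing it"
            install_package $PACKAGE
            does_pattern_exist_in_file $AUTHFILE $AUTHPATTERN
            if [ $FNRET != 0 ]; then
                add_line_file_after_pattern "$AUTHFILE" "$AUTHRULE" "$ADDPATTERNLINE"
            fi
            check_no_param_option_by_value $SECCONFFILE $DENYROOT
            apply_secconffile $FNRET
            ;;
        12)
            add_line_file_after_pattern "$AUTHFILE" "$AUTHRULE" "$ADDPATTERNLINE"
            check_no_param_option_by_value $SECCONFFILE $DENYROOT
            apply_secconffile $FNRET
            ;;
        *)
            apply_secconffile $FNRET
            ;;
    esac
}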
# This function will be called if the script status is on enabled mode
# Dispatch remediation on the flavour detected by check_config.
apply () {
    case $ISDEBIAN11 in
        1) apply_debian11 ;;
        *) apply_before11 ;;
    esac
}
# This function will check config parameters required
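# Select package / PAM file / rule per OS_RELEASE (1: Debian <=10, 2: CentOS, 3: Ubuntu,
# 11/12/13: Debian 11+). Fix: ISDEBIAN11 defaults to 0 -- the CentOS branch left it
# unset and audit()/apply() died under `set -u`.
check_config() {
    ISDEBIAN11=0
    case $OS_RELEASE in
        2)
            PACKAGE='pam'
            PAMLIBNAME='pam_faillock.so'
            AUTHPATTERN='^auth[[:space:]]*required[[:space:]]*pam_faillock.so'
            AUTHFILE='/etc/pam.d/password-auth'
            # NOTE(review): this is only the preauth half of a faillock stack.
            AUTHRULE='auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900'
            ADDPATTERNLINE='auth[[:space:]]*required'
            DENYROOT='even_deny_root'
            ;;
        1)
            PAMLIBNAME='pam_tally2.so'
            AUTHPATTERN='^auth[[:space:]]*required[[:space:]]*pam_tally2.so'
            AUTHRULE='auth required pam_tally2.so deny=3 even_deny_root unlock_time=900'
            ;;
        # ubuntu / debian 11/12/13: pam_faillock, tunables in faillock.conf
        3|11|12|13)
            ISDEBIAN11=1
            SECCONFFILE='/etc/security/faillock.conf'
            AUTHPATTERN='^auth[[:space:]]*required[[:space:]]*pam_faillock.so'
            AUTHRULE='auth required pam_faillock.so'
            ;;
    esac
}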
# Source Root Dir Parameter
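if [ -r /etc/default/cis-hardening ]; then
    # NOTE(review): sourced as root; keep this file root-owned and not writable by others.
    . /etc/default/cis-hardening
fi
# Fix: `${CIS_ROOT_DIR:-}` -- under `set -u` an unset variable aborted with a bash
# "unbound variable" error instead of the intended message and exit 128.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi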
================================================
FILE: bin/hardening/9.2.14_pam_dictcheck_pwquality.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 11/12/13/Ubuntu 16~22.4 and CentOS Hardening
#
#
# 9.2.14 Must prevent the use of dictionary words for passwords: audit dictcheck option (Scored)
# Author : Samson wen, Samson
#
set -eu # One error or one unset variable, it's over
HARDENING_LEVEL=2
PACKAGES='libpam-pwquality libpwquality1 libpwquality-common'
# Redhat/CentOS default use pam_pwquality; Debian 11+/Ubuntu use the same config file.
FILE_CENTOS='/etc/security/pwquality.conf'
# dictcheck >= 1 rejects passwords found in the cracklib dictionary.
OPTIONNAME='dictcheck'
# condition
CONDT_VAL=1
# Check dictcheck in pwquality.conf. An absent option passes because libpwquality
# enables dictcheck by default (as the message states); only an explicit 0 fails.
audit_centos () {
    check_param_pair_by_value $FILE_CENTOS $OPTIONNAME ge $CONDT_VAL
    case $FNRET in
        0) ok "Option $OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_CENTOS" ;;
        1) crit "Option $OPTIONNAME set condition is greater than or not equal $CONDT_VAL in $FILE_CENTOS" ;;
        2) ok "Option $OPTIONNAME is not conf in $FILE_CENTOS, but because it default is enable, so pass" ;;
        3) crit "Config file $FILE_CENTOS is not exist!" ;;
    esac
}
# This function will be called if the script status is on enabled / audit mode
# Dispatch by OS_RELEASE: Debian <=10 has no pwquality dictcheck (pass), pwquality
# platforms share audit_centos, anything else is unsupported (FNRET=44).
audit () {
    case $OS_RELEASE in
        1)
            FNRET=0
            ok "Option $OPTIONNAME is not support in Debian 7/8/9/10, so pass."
            ;;
        # debian11/debian12 ubuntu 16~ default use pam_pwquality, same as centos
        2|3|11|12|13)
            audit_centos
            ;;
        *)
            crit "Current OS is not support!"
            FNRET=44
            ;;
    esac
}
# Repair dictcheck in pwquality.conf according to the FNRET left by audit_centos.
apply_centos () {
    case $FNRET in
        0)
            ok "$OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_CENTOS"
            ;;
        1)
            warn "Set option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS"
            replace_in_file $FILE_CENTOS "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL"
            ;;
        2)
            ok "Option $OPTIONNAME is not conf in $FILE_CENTOS, but because default set enable, so pass"
            ;;
        3)
            warn "Config file $FILE_CENTOS is not exist! Install $PACKAGES"
            # Installing the packages ships a default pwquality.conf.
            case $OS_RELEASE in
                3|11|12|13) apt_install $PACKAGES ;;
                2) yum_install $PACKAGES ;;
            esac
            ;;
    esac
}
# This function will be called if the script status is on enabled mode
# Dispatch remediation by OS_RELEASE, mirroring audit().
apply () {
    case $OS_RELEASE in
        1)
            ok "Option $OPTIONNAME is not support in Debian 7/8/9/10, so pass."
            ;;
        # debian11/debian12 ubuntu 16~ default use pam_pwquality, same as centos
        2|3|11|12|13)
            apply_centos
            ;;
        *)
            crit "Current OS is not support!"
            ;;
    esac
}
# This function will check config parameters required
# Nothing to configure: every supported OS reads the same pwquality.conf path.
check_config() {
    return 0
}
# Source Root Dir Parameter
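if [ -r /etc/default/cis-hardening ]; then
    # NOTE(review): sourced as root; keep this file root-owned and not writable by others.
    . /etc/default/cis-hardening
fi
# Fix: `${CIS_ROOT_DIR:-}` -- under `set -u` an unset variable aborted with a bash
# "unbound variable" error instead of the intended message and exit 128.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi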
================================================
FILE: bin/hardening/9.2.15_pam_printlastlog_to_showfailed_lastlog.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 or CentOS 8 Hardening
#
#
# 9.2.15 Set login display the date and time of last fail logon (Scored)
# Author : Samson wen, Samson
#
set -eu # One error or one unset variable, it's over
HARDENING_LEVEL=3
# Debian defaults; check_config overrides these for CentOS and Debian 13.
PACKAGE='libpam-modules'
PATTERN='^session.*pam_lastlog.so'
FILE='/etc/pam.d/login'
KEYWORD='pam_lastlog.so'
# showfailed makes login print the last failed attempt so users can spot misuse.
OPTIONNAME='showfailed'
# This function will be called if the script status is on enabled / audit mode
# Check that the login PAM stack has a pam_lastlog session line carrying showfailed.
# Sets FNRET: 0 ok, 1 package missing, 2 line missing, else check_no_param_option_by_pam's code.
# NOTE(review): on Debian 13 check_config swaps the package for libpam-lastlog2 but keeps
# the pam_lastlog.so pattern/keyword -- confirm that is the intended module there.
audit () {
    is_pkg_installed $PACKAGE
    if [ $FNRET != 0 ]; then
        crit "$PACKAGE is not installed!"
        FNRET=1
        return
    fi
    ok "$PACKAGE is installed"
    does_pattern_exist_in_file $FILE $PATTERN
    if [ $FNRET != 0 ]; then
        crit "$PATTERN is not present in $FILE"
        FNRET=2
        return
    fi
    ok "$PATTERN is present in $FILE"
    check_no_param_option_by_pam $KEYWORD $OPTIONNAME $FILE
    if [ $FNRET = 0 ]; then
        ok "$OPTIONNAME is already configured"
    else
        crit "$OPTIONNAME is not configured $FNRET"
    fi
}
# This function will be called if the script status is on enabled mode
# Remediation driven by audit()'s FNRET: install the package, add the pam_lastlog
# session line (placement differs on Debian 13 per is_debian_13), or add showfailed.
apply () {
    case $FNRET in
        0)
            ok "$PACKAGE is installed"
            ;;
        1)
            warn "$PACKAGE is absent, installing it"
            install_package $PACKAGE
            ;;
        2)
            warn "$PATTERN is not present in $FILE"
            is_debian_13
            if [ $FNRET = 0 ]; then
                add_line_file_after_pattern $FILE "session optional pam_lastlog.so showfailed" "session optional pam_mail.so standard"
            else
                add_line_file_before_pattern $FILE "session optional pam_lastlog.so showfailed" "# pam-auth-update(8) for details."
            fi
            ;;
        3)
            crit "$FILE is not exist, please check"
            ;;
        4)
            warn "$OPTIONNAME is not conf in $FILE, add $OPTIONNAME "
            add_option_to_session_check $FILE $KEYWORD $OPTIONNAME
            ;;
    esac
}
# This function will check config parameters required
# Per-OS overrides: CentOS keeps lastlog in /etc/pam.d/postlogin; Debian 13 ships the
# module in libpam-lastlog2. Other releases keep the file-level defaults.
check_config() {
    case $OS_RELEASE in
        2)
            PACKAGE='pam'
            PATTERN='^session.*pam_lastlog.so'
            FILE='/etc/pam.d/postlogin'
            KEYWORD='pam_lastlog.so'
            OPTIONNAME='showfailed'
            ;;
        13)
            PACKAGE='libpam-lastlog2'
            ;;
    esac
}
# Source Root Dir Parameter
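if [ -r /etc/default/cis-hardening ]; then
    # NOTE(review): sourced as root; keep this file root-owned and not writable by others.
    . /etc/default/cis-hardening
fi
# Fix: `${CIS_ROOT_DIR:-}` -- under `set -u` an unset variable aborted with a bash
# "unbound variable" error instead of the intended message and exit 128.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi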
================================================
FILE: bin/hardening/9.2.16_pam_limit_password_reuse.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 or CentOS 8 Hardening
#
#
# 9.2.16 Limit Password Reuse (Scored)
# The number in the original document is 9.2.3
#
set -eu # One error or one unset variable, it's over
HARDENING_LEVEL=3
# Debian defaults; check_config overrides FILES/AUTHRULE/ADDPATTERNLINE for CentOS.
PACKAGE='libpam-modules'
PATTERN='^password.*pam_pwhistory.so'
FILES='/etc/pam.d/common-password'
KEYWORD='pam_pwhistory.so'
ADDPATTERNLINE='# pam-auth-update(8) for details.'
AUTHRULE='password required pam_pwhistory.so remember=5'
# Number of previous passwords a user may not reuse.
OPTIONNAME='remember'
CONDT_VAL=5
# This function will be called if the script status is on enabled / audit mode
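# Check that every file in FILES has a pam_pwhistory password line with remember >= CONDT_VAL.
# Sets FNRET: 0 all good, 1 package missing, else the code for the first failing file, and
# leaves FILE pointing at that file so apply() repairs it.
# Fix: the old loop returned on the first compliant file, so on CentOS (two files) a
# compliant system-auth hid a non-compliant password-auth; now every file is inspected.
audit () {
    is_pkg_installed $PACKAGE
    if [ $FNRET != 0 ]; then
        crit "$PACKAGE is not installed!"
        FNRET=1
        return
    fi
    ok "$PACKAGE is installed"
    local bad_file='' bad_ret=0
    for FILE in $FILES; do
        does_pattern_exist_in_file $FILE $PATTERN
        if [ $FNRET = 0 ]; then
            ok "$PATTERN is present in $FILE"
            check_param_pair_by_pam $FILE $KEYWORD $OPTIONNAME ge $CONDT_VAL
            if [ $FNRET = 0 ]; then
                ok "$OPTIONNAME set condition is greater-than-or-equal-to $CONDT_VAL"
            else
                crit "$OPTIONNAME set condition is not greater-than-or-equal-to $CONDT_VAL"
            fi
        else
            crit "$PATTERN is not present in $FILE"
            FNRET=2
        fi
        # Remember the first failure; apply() works on one FILE at a time.
        if [ $FNRET != 0 ] && [ -z "$bad_file" ]; then
            bad_file=$FILE
            bad_ret=$FNRET
        fi
    done
    if [ -n "$bad_file" ]; then
        FILE=$bad_file
        FNRET=$bad_ret
    else
        reset_ok
    fi
}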
# This function will be called if the script status is on enabled mode
# Remediation driven by audit()'s FNRET, acting on the FILE audit() left set.
apply () {
    case $FNRET in
        0)
            ok "$OPTIONNAME set condition is greater-than-or-equal-to $CONDT_VAL"
            ;;
        1)
            crit "$PACKAGE is absent, installing it"
            install_package $PACKAGE
            ;;
        2)
            # CentOS has no pam-auth-update anchor; append after the last matching line.
            if [ $OS_RELEASE -eq 2 ]; then
                add_line_file_after_pattern_lastline "$FILE" "$AUTHRULE" "$ADDPATTERNLINE"
            else
                add_line_file_before_pattern $FILE "$AUTHRULE" "$ADDPATTERNLINE"
            fi
            ;;
        3)
            crit "$FILE is not exist, please check"
            ;;
        4)
            crit "$OPTIONNAME is not conf in $FILE"
            add_option_to_password_check $FILE $KEYWORD "$OPTIONNAME=$CONDT_VAL"
            ;;
        5)
            reset_option_to_password_check $FILE $KEYWORD $OPTIONNAME $CONDT_VAL
            crit "$OPTIONNAME set is not greater-than-or-equal-to $CONDT_VAL, reset it to $CONDT_VAL"
            ;;
    esac
}
# This function will check config parameters required
# CentOS overrides: pwhistory must be present in both system-auth and password-auth,
# and the rule is inserted relative to the existing "password requisite" line.
check_config() {
    case $OS_RELEASE in
        2)
            PACKAGE='pam'
            FILES='/etc/pam.d/system-auth /etc/pam.d/password-auth'
            AUTHRULE='password requisite pam_pwhistory.so use_authtok remember=5 retry=3'
            ADDPATTERNLINE='password[[:space:]]*requisite'
            ;;
    esac
}
# Source Root Dir Parameter
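if [ -r /etc/default/cis-hardening ]; then
    # NOTE(review): sourced as root; keep this file root-owned and not writable by others.
    . /etc/default/cis-hardening
fi
# Fix: `${CIS_ROOT_DIR:-}` -- under `set -u` an unset variable aborted with a bash
# "unbound variable" error instead of the intended message and exit 128.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi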
================================================
FILE: bin/hardening/9.2.17_pam_password_sha512_unix.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12/13 or CentOS Hardening
#
#
# 9.2.17 Set password with the SHA512 algorithm (Scored)
# Author : Samson wen, Samson
#
set -eu # One error or one unset variable, it's over
HARDENING_LEVEL=3
PACKAGE='libpam-modules'
PATTERN='^password.*pam_unix.so'
FILE='/etc/pam.d/common-password'
KEYWORD='pam_unix.so'
# Hash algorithm and minimum sha512crypt round count required on the pam_unix password line.
# NOTE(review): 5000 is glibc's default for sha512crypt, so it only prevents a lower setting;
# Debian 11+ pam_unix defaults to yescrypt -- confirm sha512 is the intended floor there.
OPTIONNAME='sha512'
ROUNDS_KEY='rounds'
ROUNDS_V='5000'
# For CentOS
FILES='/etc/pam.d/system-auth /etc/pam.d/password-auth'
# Debian audit: the pam_unix password line must carry sha512 and rounds >= ROUNDS_V.
# Sets FNRET: 1 package missing, 2 line missing, otherwise the code of the last check
# (the rounds check, so a missing sha512 alone is reported but not encoded in FNRET).
audit_debian () {
    is_pkg_installed $PACKAGE
    if [ $FNRET != 0 ]; then
        crit "$PACKAGE is not installed!"
        FNRET=1
        return
    fi
    ok "$PACKAGE is installed"
    does_pattern_exist_in_file $FILE $PATTERN
    if [ $FNRET != 0 ]; then
        crit "$PATTERN is not present in $FILE"
        FNRET=2
        return
    fi
    ok "$PATTERN is present in $FILE"
    check_no_param_option_by_pam $KEYWORD $OPTIONNAME $FILE
    if [ $FNRET = 0 ]; then
        ok "$OPTIONNAME is already configured"
    else
        crit "$OPTIONNAME is not configured"
    fi
    check_param_pair_by_pam $FILE $KEYWORD $ROUNDS_KEY ge $ROUNDS_V
    if [ $FNRET = 0 ]; then
        ok "$ROUNDS_KEY set condition is $ROUNDS_V"
    else
        crit "$ROUNDS_KEY set is not match legally, $ROUNDS_KEY is set $ROUNDS_V"
    fi
}
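# CentOS audit: every file in FILES must have a pam_unix password line carrying sha512.
# Fix: FNRET used to be overwritten by each iteration, so a compliant password-auth
# masked a non-compliant system-auth; the result is now non-zero if any file fails.
audit_centos () {
    local failed=0
    for FILE in $FILES; do
        does_pattern_exist_in_file $FILE "$PATTERN.*$OPTIONNAME"
        if [ $FNRET -eq 0 ]; then
            ok "$OPTIONNAME is already configured in $FILE"
        else
            crit "$OPTIONNAME is not configured in $FILE"
            failed=1
        fi
    done
    FNRET=$failed
}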
# This function will be called if the script status is on enabled / audit mode
# CentOS (OS_RELEASE 2) uses the system-auth/password-auth pair; everything else is Debian-style.
audit () {
    case $OS_RELEASE in
        2) audit_centos ;;
        *) audit_debian ;;
    esac
}
# Debian remediation: install the package / add the pam_unix line if needed, then
# re-check and add sha512 and rounds=ROUNDS_V independently of audit_debian's FNRET.
apply_debian () {
    case $FNRET in
        0)
            ok "$PACKAGE is installed"
            ;;
        1)
            warn "$PACKAGE is absent, installing it"
            apt_install $PACKAGE
            ;;
        2)
            warn "$PATTERN is not present in $FILE"
            add_line_file_before_pattern $FILE "password [success=1 default=ignore] pam_unix.so obscure sha512 rounds=5000" "# pam-auth-update(8) for details."
            ;;
    esac
    # sha512 keyword
    check_no_param_option_by_pam $KEYWORD $OPTIONNAME $FILE
    case $FNRET in
        3)
            crit "$FILE is not exist, please check"
            ;;
        4)
            warn "$OPTIONNAME is not conf in $FILE"
            add_option_to_password_check $FILE $KEYWORD $OPTIONNAME
            ;;
    esac
    # rounds=N (only raised, never lowered, because the audit uses "ge")
    check_param_pair_by_pam $FILE $KEYWORD $ROUNDS_KEY ge $ROUNDS_V
    case $FNRET in
        3)
            crit "$FILE is not exist, please check"
            ;;
        4)
            warn "$ROUNDS_KEY is not conf"
            add_option_to_password_check $FILE $KEYWORD "$ROUNDS_KEY=$ROUNDS_V"
            ;;
        5)
            warn "$ROUNDS_KEY set is not match legally, reset it to $ROUNDS_V"
            reset_option_to_password_check $FILE $KEYWORD "$ROUNDS_KEY" "$ROUNDS_V"
            ;;
    esac
}
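# CentOS remediation: append "sha512" to every pam_unix password line lacking it.
# Fix: the PAM file is backed up before the in-place sed, as the sibling nullok script
# does -- a mangled system-auth locks everyone out, so keep a copy to restore from.
apply_centos () {
    for FILE in $FILES; do
        does_pattern_exist_in_file $FILE "$PATTERN.*$OPTIONNAME"
        if [ $FNRET -eq 0 ]; then
            ok "$OPTIONNAME is already configured in $FILE"
        else
            warn "$OPTIONNAME is not configured in $FILE, set it"
            backup_file $FILE
            sed -i "s;\($PATTERN.*\);\1 $OPTIONNAME;" $FILE
        fi
    done
}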
# This function will be called if the script status is on enabled mode
# Dispatch remediation: CentOS (OS_RELEASE 2) vs Debian-style PAM layout.
apply () {
    case $OS_RELEASE in
        2) apply_centos ;;
        *) apply_debian ;;
    esac
}
# This function will check config parameters required
# Nothing to configure: audit()/apply() branch on OS_RELEASE directly.
check_config() {
    return 0
}
# Source Root Dir Parameter
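if [ -r /etc/default/cis-hardening ]; then
    # NOTE(review): sourced as root; keep this file root-owned and not writable by others.
    . /etc/default/cis-hardening
fi
# Fix: `${CIS_ROOT_DIR:-}` -- under `set -u` an unset variable aborted with a bash
# "unbound variable" error instead of the intended message and exit 128.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi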
================================================
FILE: bin/hardening/9.2.18_pam_auth_without_nullpwd_unix.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12/13 or CentOS 8 Hardening
#
#
# 9.2.18 Configure password without blank or null passwords (Scored)
# Author : Samson wen, Samson
#
set -eu # One error or one unset variable, it's over
HARDENING_LEVEL=3
PACKAGE='libpam-modules'
PATTERN='^auth.*pam_unix.so'
FILE='/etc/pam.d/common-auth'
KEYWORD='pam_unix.so'
# Either option lets an account with an empty password field authenticate; both must go.
OPTIONNAME1='nullok'
OPTIONNAME2='nullok_secure'
# Debian audit: the pam_unix auth line must carry neither nullok nor nullok_secure.
# Sets FNRET: 0 clean, 1 package missing, 2 line missing, 4 nullok found, 5 nullok_secure found.
audit_debian () {
    is_pkg_installed $PACKAGE
    if [ $FNRET != 0 ]; then
        crit "$PACKAGE is not installed!"
        FNRET=1
        return
    fi
    ok "$PACKAGE is installed"
    does_pattern_exist_in_file $FILE $PATTERN
    if [ $FNRET != 0 ]; then
        crit "$PATTERN is not present in $FILE"
        FNRET=2
        return
    fi
    ok "$PATTERN is present in $FILE"
    check_auth_option_nullok_by_pam $KEYWORD $OPTIONNAME1 $OPTIONNAME2
    case $FNRET in
        0) ok "$OPTIONNAME1 is not configured" ;;
        4) crit "$OPTIONNAME1 is configured" ;;
        5) crit "$OPTIONNAME2 is configured" ;;
    esac
}
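# CentOS audit: no active pam_unix line in any of FILES may carry nullok.
# Fixes: (1) FNRET was overwritten per file, so a clean password-auth masked a nullok in
# system-auth -- the result is now 1 if any file has it; (2) the search is limited to
# non-comment pam_unix lines instead of matching the bare word anywhere in the file.
audit_centos () {
    local found=0
    for FILE in $FILES; do
        does_pattern_exist_in_file $FILE "^[^#]*pam_unix.so.*$OPTIONNAME"
        if [ $FNRET = 0 ]; then
            crit "$OPTIONNAME is configured in $FILE"
            found=1
        else
            ok "$OPTIONNAME is not configured in $FILE"
        fi
    done
    FNRET=$found
}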
# This function will be called if the script status is on enabled / audit mode
# CentOS (OS_RELEASE 2) scans the system-auth/password-auth pair; everything else is Debian-style.
audit () {
    case $OS_RELEASE in
        2) audit_centos ;;
        *) audit_debian ;;
    esac
}
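# Debian remediation driven by audit_debian's FNRET (4: strip nullok, 5: strip nullok_secure).
# Fixes: (1) `s/nullok//` also hit the prefix of `nullok_secure`, leaving a bogus `_secure`
# token that breaks the pam_unix line; the option is now removed as a whole word, together
# with its leading whitespace, and only on lines mentioning KEYWORD; (2) the file is backed
# up first, as apply_centos already does.
apply_debian () {
    case $FNRET in
        0)
            ok "$PACKAGE is installed"
            ;;
        1)
            crit "$PACKAGE is absent, installing it"
            install_package $PACKAGE
            ;;
        2)
            ok "$PATTERN is not present in $FILE, not need add"
            ;;
        3)
            crit "$FILE is not exist, please check"
            ;;
        4)
            info "Delete option $OPTIONNAME1 from $FILE"
            backup_file $FILE
            sed -i -E "/$KEYWORD/ s/[[:space:]]+\b$OPTIONNAME1\b//g" $FILE
            ;;
        5)
            info "Delete option $OPTIONNAME2 from $FILE"
            backup_file $FILE
            sed -i -E "/$KEYWORD/ s/[[:space:]]+\b$OPTIONNAME2\b//g" $FILE
            ;;
    esac
}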
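# CentOS remediation: strip nullok from every active pam_unix line in FILES.
# Fix: `s/nullok//` removed only the first occurrence per line and also the prefix of
# nullok_secure (leaving `_secure`); the option is now removed as a whole word, with its
# leading whitespace, on every non-comment pam_unix line.
apply_centos () {
    for FILE in $FILES; do
        does_pattern_exist_in_file $FILE "^[^#]*pam_unix.so.*$OPTIONNAME"
        if [ $FNRET = 0 ]; then
            crit "$OPTIONNAME is configured in $FILE"
            info "Delete option $OPTIONNAME from $FILE"
            backup_file $FILE
            sed -i -E "/^[^#]*pam_unix.so/ s/[[:space:]]+\b$OPTIONNAME\b//g" $FILE
        else
            ok "$OPTIONNAME is not configured in $FILE"
        fi
    done
}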
# This function will be called if the script status is on enabled mode
# Dispatch remediation: CentOS (OS_RELEASE 2) vs Debian-style PAM layout.
apply () {
    case $OS_RELEASE in
        2) apply_centos ;;
        *) apply_debian ;;
    esac
}
# This function will check config parameters required
# CentOS overrides: scan both system-auth and password-auth for the single option nullok.
check_config() {
    case $OS_RELEASE in
        2)
            PACKAGE='pam'
            FILES='/etc/pam.d/system-auth /etc/pam.d/password-auth'
            OPTIONNAME='nullok'
            ;;
    esac
}
# Source Root Dir Parameter
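if [ -r /etc/default/cis-hardening ]; then
    # NOTE(review): sourced as root; keep this file root-owned and not writable by others.
    . /etc/default/cis-hardening
fi
# Fix: `${CIS_ROOT_DIR:-}` -- under `set -u` an unset variable aborted with a bash
# "unbound variable" error instead of the intended message and exit 128.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi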
================================================
FILE: bin/hardening/9.2.1_pam_retry_cracklib.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12/13 or CentOS Hardening
#
#
# 9.2.1 Set Password Creation Requirement Parameters Using pam_cracklib: audit retry option (Scored)
# Author : Samson wen, Samson
#
set -eu # One error or one unset variable, it's over
HARDENING_LEVEL=2
# Debian <=10 defaults (pam_cracklib); check_config swaps in the pwquality set below.
PACKAGE='libpam-cracklib'
PAMLIBNAME='pam_cracklib.so'
PATTERN='^password.*pam_cracklib.so'
FILE='/etc/pam.d/common-password'
# Redhat/CentOS default use pam_pwquality
PACKAGE_CENTOS='libpwquality'
PAMLIBNAME_CENTOS='pam_pwquality.so'
PATTERN_CENTOS='^password.*pam_pwquality.so'
FILE_CENTOS='/etc/pam.d/system-auth'
# debian11/debian12 default use pam_pwquality
PACKAGE_DEBIAN11='libpam-pwquality'
PAMLIBNAME_DEBIAN11='pam_pwquality.so'
PATTERN_DEBIAN11='^password.*pam_pwquality.so'
# retry= caps how many times a user may be re-prompted for a new password.
OPTIONNAME='retry'
# condition
CONDT_VAL=3
# This function will be called if the script status is on enabled / audit mode
# Check that the password-quality module line (cracklib or pwquality, per check_config)
# exists in FILE and carries retry <= CONDT_VAL.
# Sets FNRET: 0 ok, 1 package missing, 2 line missing, else check_param_pair_by_pam's code.
audit () {
    is_pkg_installed $PACKAGE
    if [ $FNRET != 0 ]; then
        crit "$PACKAGE is not installed!"
        FNRET=1
        return
    fi
    ok "$PACKAGE is installed"
    does_pattern_exist_in_file $FILE $PATTERN
    if [ $FNRET != 0 ]; then
        crit "$PATTERN is not present in $FILE"
        FNRET=2
        return
    fi
    ok "$PATTERN is present in $FILE"
    check_param_pair_by_pam $FILE $PAMLIBNAME $OPTIONNAME le $CONDT_VAL
    if [ $FNRET = 0 ]; then
        ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL"
    else
        crit "$OPTIONNAME set condition is greater than $CONDT_VAL"
    fi
}
# This function will be called if the script status is on enabled mode
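#######################################
# Remediation, driven by the FNRET code that audit left behind.
# Globals:   FNRET, OS_RELEASE, PACKAGE, FILE, PATTERN, PAMLIBNAME,
#            OPTIONNAME, CONDT_VAL (read)
#######################################
apply () {
  case "$FNRET" in
    0) ok "$PACKAGE is installed" ;;
    1)
      crit "$PACKAGE is absent, installing it"
      if [ "$OS_RELEASE" -eq 2 ]; then
        yum install -y "$PACKAGE"
      else
        apt_install "$PACKAGE"
      fi
      ;;
    2)
      crit "$PATTERN is not present in $FILE, add default config to $FILE"
      # Insert the module check_config selected for this OS.  Hard-coding
      # pam_cracklib.so here would, on CentOS and Debian 11+, add a "requisite"
      # line for a module that is not installed, which can make password
      # changes fail.  The retry value is the audited threshold.
      # NOTE(review): the anchor comment is the one found in Debian's
      # common-password; whether it exists in the CentOS system-auth file is
      # not verified here.
      add_line_file_before_pattern "$FILE" "password requisite $PAMLIBNAME $OPTIONNAME=$CONDT_VAL minlen=15 difok=3" "# pam-auth-update(8) for details."
      ;;
    3) crit "$FILE is not exist, please check" ;;
    4)
      crit "$OPTIONNAME is not conf"
      add_option_to_password_check "$FILE" "$PAMLIBNAME" "$OPTIONNAME=$CONDT_VAL"
      ;;
    5)
      crit "$OPTIONNAME set is not match legally, reset it to $CONDT_VAL"
      reset_option_to_password_check "$FILE" "$PAMLIBNAME" "$OPTIONNAME" "$CONDT_VAL"
      ;;
  esac
}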
# This function will check config parameters required
#######################################
# Selects the package, module, pattern and PAM file for the running OS.
# Globals:   OS_RELEASE and the *_CENTOS / *_DEBIAN11 constants (read);
#            PACKAGE, PAMLIBNAME, PATTERN, FILE (written)
#######################################
check_config() {
  case "$OS_RELEASE" in
    2)
      PACKAGE=$PACKAGE_CENTOS
      PAMLIBNAME=$PAMLIBNAME_CENTOS
      PATTERN=$PATTERN_CENTOS
      FILE=$FILE_CENTOS
      ;;
    11|12|13)
      # Debian 11+ switches module but keeps common-password as the file.
      PACKAGE=$PACKAGE_DEBIAN11
      PAMLIBNAME=$PAMLIBNAME_DEBIAN11
      PATTERN=$PATTERN_DEBIAN11
      ;;
  esac
}
# Source Root Dir Parameter
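if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps `set -u` from aborting with "unbound variable"
# before the explanatory message below can be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi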
================================================
FILE: bin/hardening/9.2.2_pam_minlen_cracklib.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12/13 or CentOS Hardening
#
#
# 9.2.2 Set Password Creation Requirement Parameters Using pam_cracklib: audit minlen option (Scored)
# Author : Samson wen, Samson
#
# Abort on the first failing command and on any reference to an unset variable.
set -eu
HARDENING_LEVEL=2
# Debian (pam_cracklib) defaults, used by the audit_debian/apply_debian path.
PACKAGE="libpam-cracklib"
PAMLIBNAME="pam_cracklib.so"
PATTERN="^password.*pam_cracklib.so"
FILE="/etc/pam.d/common-password"
# Red Hat/CentOS and Debian 11+ configure pam_pwquality through this file.
FILE_CENTOS="/etc/security/pwquality.conf"
# Option under audit and the lower bound it must satisfy (minlen >= 15).
OPTIONNAME="minlen"
CONDT_VAL=15
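#######################################
# Debian (pam_cracklib) audit: the package must be installed, a "password"
# line for the module must exist in $FILE, and its minlen must be >= CONDT_VAL.
# Globals:   PACKAGE, FILE, PATTERN, PAMLIBNAME, OPTIONNAME, CONDT_VAL (read);
#            FNRET (written)
# Returns:   FNRET=1 package missing, FNRET=2 pattern missing, otherwise the
#            value left by check_param_pair_by_pam (0 = compliant; non-zero
#            codes are passed through unchanged for apply_debian to act on)
#######################################
audit_debian () {
  is_pkg_installed "$PACKAGE"
  if [ "$FNRET" != 0 ]; then
    crit "$PACKAGE is not installed!"
    FNRET=1
    return
  fi
  ok "$PACKAGE is installed"
  # $PATTERN contains '.*'; quoting stops the shell from glob-expanding it
  # against the current directory before the helper sees it.
  does_pattern_exist_in_file "$FILE" "$PATTERN"
  if [ "$FNRET" != 0 ]; then
    crit "$PATTERN is not present in $FILE"
    FNRET=2
    return
  fi
  ok "$PATTERN is present in $FILE"
  check_param_pair_by_pam "$FILE" "$PAMLIBNAME" "$OPTIONNAME" ge "$CONDT_VAL"
  if [ "$FNRET" = 0 ]; then
    ok "$OPTIONNAME set condition is greater than or equal to $CONDT_VAL"
  else
    crit "$OPTIONNAME set condition is less than $CONDT_VAL"
  fi
}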
#######################################
# CentOS / Debian 11+ (pam_pwquality) audit: reads OPTIONNAME from
# $FILE_CENTOS and reports whether it is >= CONDT_VAL.
# Globals:   FILE_CENTOS, OPTIONNAME, CONDT_VAL (read); FNRET (written by
#            check_param_pair_by_value and passed through to apply_centos)
#######################################
audit_centos () {
  check_param_pair_by_value "$FILE_CENTOS" "$OPTIONNAME" ge "$CONDT_VAL"
  case "$FNRET" in
    0) ok "Option $OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_CENTOS" ;;
    1) crit "Option $OPTIONNAME set condition is less than $CONDT_VAL in $FILE_CENTOS" ;;
    2) crit "Option $OPTIONNAME is not conf in $FILE_CENTOS" ;;
    3) crit "Config file $FILE_CENTOS is not exist!" ;;
  esac
}
# This function will be called if the script status is on enabled / audit mode
#######################################
# Dispatches to the per-distribution audit.  Debian 11+ ships pam_pwquality,
# so it takes the same path as CentOS.
# Globals:   OS_RELEASE (read); FNRET (written: 44 on an unsupported OS)
#######################################
audit () {
  case "$OS_RELEASE" in
    1) audit_debian ;;
    2|11|12|13) audit_centos ;;
    *)
      crit "Current OS is not support!"
      FNRET=44
      ;;
  esac
}
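#######################################
# Debian remediation, driven by the FNRET code audit_debian left behind.
# Globals:   FNRET, PACKAGE, FILE, PATTERN, PAMLIBNAME, OPTIONNAME, CONDT_VAL (read)
#######################################
apply_debian () {
  case "$FNRET" in
    0) ok "$PACKAGE is installed" ;;
    1)
      warn "$PACKAGE is absent, installing it"
      apt_install "$PACKAGE"
      ;;
    2)
      warn "$PATTERN is not present in $FILE, add default config to $FILE"
      # The seeded line must carry the audited threshold: the previous text
      # expanded to "minlen=minlen" (the option's name), which pam_cracklib
      # cannot parse and which the audit would immediately flag again.
      add_line_file_before_pattern "$FILE" "password requisite $PAMLIBNAME retry=3 minlen=$CONDT_VAL difok=3" "# pam-auth-update(8) for details."
      ;;
    3) crit "$FILE is not exist, please check" ;;
    4)
      warn "$OPTIONNAME is not conf, reset"
      add_option_to_password_check "$FILE" "$PAMLIBNAME" "$OPTIONNAME=$CONDT_VAL"
      ;;
    5)
      warn "$OPTIONNAME set is not match legally, reset it to $CONDT_VAL"
      reset_option_to_password_check "$FILE" "$PAMLIBNAME" "$OPTIONNAME" "$CONDT_VAL"
      ;;
  esac
}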
#######################################
# CentOS / Debian 11+ remediation in $FILE_CENTOS, driven by the FNRET code
# audit_centos left behind.
# Globals:   FNRET, FILE_CENTOS, OPTIONNAME, CONDT_VAL (read)
#######################################
apply_centos () {
  local setting="$OPTIONNAME = $CONDT_VAL"
  case "$FNRET" in
    0) ok "$OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_CENTOS" ;;
    1)
      warn "Set option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS"
      replace_in_file "$FILE_CENTOS" "^$OPTIONNAME.*" "$setting"
      ;;
    2)
      warn "$OPTIONNAME is not conf, add to $FILE_CENTOS"
      add_end_of_file "$FILE_CENTOS" "$setting"
      ;;
    3) crit "Config file $FILE_CENTOS is not exist!" ;;
  esac
}
# This function will be called if the script status is on enabled mode
#######################################
# Dispatches to the per-distribution remediation (same split as audit).
# Globals:   OS_RELEASE (read)
#######################################
apply () {
  case "$OS_RELEASE" in
    1) apply_debian ;;
    2|11|12|13) apply_centos ;;
    *) crit "Current OS is not support!" ;;
  esac
}
# This function will check config parameters required
# Nothing to adjust per OS here: audit/apply pick the pam_cracklib or
# pwquality.conf path themselves.
check_config() {
  return 0
}
# Source Root Dir Parameter
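if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps `set -u` from aborting with "unbound variable"
# before the explanatory message below can be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi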
================================================
FILE: bin/hardening/9.2.3_pam_dcredit_cracklib.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9/10/11/12/13 or CentOS Hardening
#
#
# 9.2.3 Set Password Creation Requirement Parameters Using pam_cracklib: audit dcredit option (Scored)
# Author : Samson wen, Samson
#
# Abort on the first failing command and on any reference to an unset variable.
set -eu
HARDENING_LEVEL=2
# Debian (pam_cracklib) defaults, used by the audit_debian/apply_debian path.
PACKAGE="libpam-cracklib"
PAMLIBNAME="pam_cracklib.so"
PATTERN="^password.*pam_cracklib.so"
FILE="/etc/pam.d/common-password"
# Red Hat/CentOS and Debian 11+ configure pam_pwquality through this file.
FILE_CENTOS="/etc/security/pwquality.conf"
# Option under audit and the upper bound it must satisfy (dcredit <= -1,
# i.e. at least one digit is required).
OPTIONNAME="dcredit"
CONDT_VAL=-1
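#######################################
# Debian (pam_cracklib) audit: the package must be installed, a "password"
# line for the module must exist in $FILE, and its dcredit must be <= CONDT_VAL.
# Globals:   PACKAGE, FILE, PATTERN, PAMLIBNAME, OPTIONNAME, CONDT_VAL (read);
#            FNRET (written)
# Returns:   FNRET=1 package missing, FNRET=2 pattern missing, otherwise the
#            value left by check_param_pair_by_pam (0 = compliant; non-zero
#            codes are passed through unchanged for apply_debian to act on)
#######################################
audit_debian () {
  is_pkg_installed "$PACKAGE"
  if [ "$FNRET" != 0 ]; then
    crit "$PACKAGE is not installed!"
    FNRET=1
    return
  fi
  ok "$PACKAGE is installed"
  # $PATTERN contains '.*'; quoting stops the shell from glob-expanding it
  # against the current directory before the helper sees it.
  does_pattern_exist_in_file "$FILE" "$PATTERN"
  if [ "$FNRET" != 0 ]; then
    crit "$PATTERN is not present in $FILE"
    FNRET=2
    return
  fi
  ok "$PATTERN is present in $FILE"
  check_param_pair_by_pam "$FILE" "$PAMLIBNAME" "$OPTIONNAME" le "$CONDT_VAL"
  if [ "$FNRET" = 0 ]; then
    ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL"
  else
    crit "$OPTIONNAME set condition is greater than $CONDT_VAL"
  fi
}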
#######################################
# CentOS / Debian 11+ (pam_pwquality) audit: reads OPTIONNAME from
# $FILE_CENTOS and reports whether it is <= CONDT_VAL.
# Globals:   FILE_CENTOS, OPTIONNAME, CONDT_VAL (read); FNRET (written by
#            check_param_pair_by_value and passed through to apply_centos)
#######################################
audit_centos () {
  check_param_pair_by_value "$FILE_CENTOS" "$OPTIONNAME" le "$CONDT_VAL"
  case "$FNRET" in
    0) ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS" ;;
    1) crit "Option $OPTIONNAME set condition is not set greater than $CONDT_VAL in $FILE_CENTOS" ;;
    2) crit "Option $OPTIONNAME is not conf in $FILE_CENTOS" ;;
    3) crit "Config file $FILE_CENTOS is not exist!" ;;
  esac
}
# This function will be called if the script status is on enabled / audit mode
#######################################
# Dispatches to the per-distribution audit.  Debian 11+ ships pam_pwquality,
# so it takes the same path as CentOS.
# Globals:   OS_RELEASE (read); FNRET (written: 44 on an unsupported OS)
#######################################
audit () {
  case "$OS_RELEASE" in
    1) audit_debian ;;
    2|11|12|13) audit_centos ;;
    *)
      crit "Current OS is not support!"
      FNRET=44
      ;;
  esac
}
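#######################################
# Debian remediation, driven by the FNRET code audit_debian left behind.
# Globals:   FNRET, PACKAGE, FILE, PATTERN, PAMLIBNAME, OPTIONNAME, CONDT_VAL (read)
#######################################
apply_debian () {
  case "$FNRET" in
    0) ok "$PACKAGE is installed" ;;
    1)
      crit "$PACKAGE is absent, installing it"
      apt_install "$PACKAGE"
      ;;
    2)
      crit "$PATTERN is not present in $FILE, add default config to $FILE"
      # Seed the line with the audited option as well; without it the inserted
      # line still fails this check and a second apply run was needed to add it.
      add_line_file_before_pattern "$FILE" "password requisite $PAMLIBNAME retry=3 minlen=15 difok=3 $OPTIONNAME=$CONDT_VAL" "# pam-auth-update(8) for details."
      ;;
    3) crit "$FILE is not exist, please check" ;;
    4)
      crit "$OPTIONNAME is not conf"
      add_option_to_password_check "$FILE" "$PAMLIBNAME" "$OPTIONNAME=$CONDT_VAL"
      ;;
    5)
      crit "$OPTIONNAME set is not match legally, reset it to $CONDT_VAL"
      reset_option_to_password_check "$FILE" "$PAMLIBNAME" "$OPTIONNAME" "$CONDT_VAL"
      ;;
  esac
}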
#######################################
# CentOS / Debian 11+ remediation in $FILE_CENTOS, driven by the FNRET code
# audit_centos left behind.
# Globals:   FNRET, FILE_CENTOS, OPTIONNAME, CONDT_VAL (read)
#######################################
apply_centos () {
  local setting="$OPTIONNAME = $CONDT_VAL"
  case "$FNRET" in
    0) ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS" ;;
    1)
      warn "Set option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS"
      replace_in_file "$FILE_CENTOS" "^$OPTIONNAME.*" "$setting"
      ;;
    2)
      warn "$OPTIONNAME is not conf, add to $FILE_CENTOS"
      add_end_of_file "$FILE_CENTOS" "$setting"
      ;;
    3) crit "Config file $FILE_CENTOS is not exist!" ;;
  esac
}
# This function will be called if the script status is on enabled mode
#######################################
# Dispatches to the per-distribution remediation (same split as audit).
# Globals:   OS_RELEASE (read)
#######################################
apply () {
  case "$OS_RELEASE" in
    1) apply_debian ;;
    2|11|12|13) apply_centos ;;
    *) crit "Current OS is not support!" ;;
  esac
}
# This function will check config parameters required
# Nothing to adjust per OS here: audit/apply pick the pam_cracklib or
# pwquality.conf path themselves.
check_config() {
  return 0
}
# Source Root Dir Parameter
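if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps `set -u` from aborting with "unbound variable"
# before the explanatory message below can be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi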
================================================
FILE: bin/hardening/9.2.4_pam_ucredit_cracklib.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9/10/11/12/13 or CentOS Hardening
#
#
# 9.2.4 Set Password Creation Requirement Parameters Using pam_cracklib: audit ucredit option (Scored)
# Author : Samson wen, Samson
#
# Abort on the first failing command and on any reference to an unset variable.
set -eu
HARDENING_LEVEL=2
# Debian (pam_cracklib) defaults, used by the audit_debian/apply_debian path.
PACKAGE="libpam-cracklib"
PAMLIBNAME="pam_cracklib.so"
PATTERN="^password.*pam_cracklib.so"
FILE="/etc/pam.d/common-password"
# Red Hat/CentOS and Debian 11+ configure pam_pwquality through this file.
FILE_CENTOS="/etc/security/pwquality.conf"
# Option under audit and the upper bound it must satisfy (ucredit <= -1,
# i.e. at least one upper-case character is required).
OPTIONNAME="ucredit"
CONDT_VAL=-1
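#######################################
# Debian (pam_cracklib) audit: the package must be installed, a "password"
# line for the module must exist in $FILE, and its ucredit must be <= CONDT_VAL.
# Globals:   PACKAGE, FILE, PATTERN, PAMLIBNAME, OPTIONNAME, CONDT_VAL (read);
#            FNRET (written)
# Returns:   FNRET=1 package missing, FNRET=2 pattern missing, otherwise the
#            value left by check_param_pair_by_pam (0 = compliant; non-zero
#            codes are passed through unchanged for apply_debian to act on)
#######################################
audit_debian () {
  is_pkg_installed "$PACKAGE"
  if [ "$FNRET" != 0 ]; then
    crit "$PACKAGE is not installed!"
    FNRET=1
    return
  fi
  ok "$PACKAGE is installed"
  # $PATTERN contains '.*'; quoting stops the shell from glob-expanding it
  # against the current directory before the helper sees it.
  does_pattern_exist_in_file "$FILE" "$PATTERN"
  if [ "$FNRET" != 0 ]; then
    crit "$PATTERN is not present in $FILE"
    FNRET=2
    return
  fi
  ok "$PATTERN is present in $FILE"
  check_param_pair_by_pam "$FILE" "$PAMLIBNAME" "$OPTIONNAME" le "$CONDT_VAL"
  if [ "$FNRET" = 0 ]; then
    ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL"
  else
    crit "$OPTIONNAME set condition is greater than $CONDT_VAL"
  fi
}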
#######################################
# CentOS / Debian 11+ (pam_pwquality) audit: reads OPTIONNAME from
# $FILE_CENTOS and reports whether it is <= CONDT_VAL.
# Globals:   FILE_CENTOS, OPTIONNAME, CONDT_VAL (read); FNRET (written by
#            check_param_pair_by_value and passed through to apply_centos)
#######################################
audit_centos () {
  check_param_pair_by_value "$FILE_CENTOS" "$OPTIONNAME" le "$CONDT_VAL"
  case "$FNRET" in
    0) ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS" ;;
    1) crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_CENTOS" ;;
    2) crit "Option $OPTIONNAME is not conf in $FILE_CENTOS" ;;
    3) crit "Config file $FILE_CENTOS is not exist!" ;;
  esac
}
# This function will be called if the script status is on enabled / audit mode
#######################################
# Dispatches to the per-distribution audit.  Debian 11+ ships pam_pwquality,
# so it takes the same path as CentOS.
# Globals:   OS_RELEASE (read); FNRET (written: 44 on an unsupported OS)
#######################################
audit () {
  case "$OS_RELEASE" in
    1) audit_debian ;;
    2|11|12|13) audit_centos ;;
    *)
      crit "Current OS is not support!"
      FNRET=44
      ;;
  esac
}
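#######################################
# Debian remediation, driven by the FNRET code audit_debian left behind.
# Globals:   FNRET, PACKAGE, FILE, PATTERN, PAMLIBNAME, OPTIONNAME, CONDT_VAL (read)
#######################################
apply_debian () {
  case "$FNRET" in
    0) ok "$PACKAGE is installed" ;;
    1)
      crit "$PACKAGE is absent, installing it"
      apt_install "$PACKAGE"
      ;;
    2)
      crit "$PATTERN is not present in $FILE, add default config to $FILE"
      # Seed the line with the audited option as well; without it the inserted
      # line still fails this check and a second apply run was needed to add it.
      add_line_file_before_pattern "$FILE" "password requisite $PAMLIBNAME retry=3 minlen=15 difok=3 $OPTIONNAME=$CONDT_VAL" "# pam-auth-update(8) for details."
      ;;
    3) crit "$FILE is not exist, please check" ;;
    4)
      crit "$OPTIONNAME is not conf"
      add_option_to_password_check "$FILE" "$PAMLIBNAME" "$OPTIONNAME=$CONDT_VAL"
      ;;
    5)
      crit "$OPTIONNAME set is not match legally, reset it to $CONDT_VAL"
      reset_option_to_password_check "$FILE" "$PAMLIBNAME" "$OPTIONNAME" "$CONDT_VAL"
      ;;
  esac
}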
#######################################
# CentOS / Debian 11+ remediation in $FILE_CENTOS, driven by the FNRET code
# audit_centos left behind.
# Globals:   FNRET, FILE_CENTOS, OPTIONNAME, CONDT_VAL (read)
#######################################
apply_centos () {
  local setting="$OPTIONNAME = $CONDT_VAL"
  case "$FNRET" in
    0) ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS" ;;
    1)
      warn "Set option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS"
      replace_in_file "$FILE_CENTOS" "^$OPTIONNAME.*" "$setting"
      ;;
    2)
      warn "$OPTIONNAME is not conf, add to $FILE_CENTOS"
      add_end_of_file "$FILE_CENTOS" "$setting"
      ;;
    3) crit "Config file $FILE_CENTOS is not exist!" ;;
  esac
}
# This function will be called if the script status is on enabled mode
#######################################
# Dispatches to the per-distribution remediation (same split as audit).
# Globals:   OS_RELEASE (read)
#######################################
apply () {
  case "$OS_RELEASE" in
    1) apply_debian ;;
    2|11|12|13) apply_centos ;;
    *) crit "Current OS is not support!" ;;
  esac
}
# This function will check config parameters required
# Nothing to adjust per OS here: audit/apply pick the pam_cracklib or
# pwquality.conf path themselves.
check_config() {
  return 0
}
# Source Root Dir Parameter
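if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps `set -u` from aborting with "unbound variable"
# before the explanatory message below can be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi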
================================================
FILE: bin/hardening/9.2.5_pam_ocredit_cracklib.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9/10/11/12/13 or CentOS Hardening
#
#
# 9.2.5 Set Password Creation Requirement Parameters Using pam_cracklib: audit ocredit option (Scored)
# Author : Samson wen, Samson
#
# Abort on the first failing command and on any reference to an unset variable.
set -eu
HARDENING_LEVEL=2
# Debian (pam_cracklib) defaults, used by the audit_debian/apply_debian path.
PACKAGE="libpam-cracklib"
PAMLIBNAME="pam_cracklib.so"
PATTERN="^password.*pam_cracklib.so"
FILE="/etc/pam.d/common-password"
# Red Hat/CentOS and Debian 11+ configure pam_pwquality through this file.
FILE_CENTOS="/etc/security/pwquality.conf"
# Option under audit and the upper bound it must satisfy (ocredit <= -1,
# i.e. at least one non-alphanumeric character is required).
OPTIONNAME="ocredit"
CONDT_VAL=-1
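#######################################
# Debian (pam_cracklib) audit: the package must be installed, a "password"
# line for the module must exist in $FILE, and its ocredit must be <= CONDT_VAL.
# Globals:   PACKAGE, FILE, PATTERN, PAMLIBNAME, OPTIONNAME, CONDT_VAL (read);
#            FNRET (written)
# Returns:   FNRET=1 package missing, FNRET=2 pattern missing, otherwise the
#            value left by check_param_pair_by_pam (0 = compliant; non-zero
#            codes are passed through unchanged for apply_debian to act on)
#######################################
audit_debian () {
  is_pkg_installed "$PACKAGE"
  if [ "$FNRET" != 0 ]; then
    crit "$PACKAGE is not installed!"
    FNRET=1
    return
  fi
  ok "$PACKAGE is installed"
  # $PATTERN contains '.*'; quoting stops the shell from glob-expanding it
  # against the current directory before the helper sees it.
  does_pattern_exist_in_file "$FILE" "$PATTERN"
  if [ "$FNRET" != 0 ]; then
    crit "$PATTERN is not present in $FILE"
    FNRET=2
    return
  fi
  ok "$PATTERN is present in $FILE"
  check_param_pair_by_pam "$FILE" "$PAMLIBNAME" "$OPTIONNAME" le "$CONDT_VAL"
  if [ "$FNRET" = 0 ]; then
    ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL"
  else
    crit "$OPTIONNAME set condition is greater than $CONDT_VAL"
  fi
}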
#######################################
# CentOS / Debian 11+ (pam_pwquality) audit: reads OPTIONNAME from
# $FILE_CENTOS and reports whether it is <= CONDT_VAL.
# Globals:   FILE_CENTOS, OPTIONNAME, CONDT_VAL (read); FNRET (written by
#            check_param_pair_by_value and passed through to apply_centos)
#######################################
audit_centos () {
  check_param_pair_by_value "$FILE_CENTOS" "$OPTIONNAME" le "$CONDT_VAL"
  case "$FNRET" in
    0) ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS" ;;
    1) crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_CENTOS" ;;
    2) crit "Option $OPTIONNAME is not conf in $FILE_CENTOS" ;;
    3) crit "Config file $FILE_CENTOS is not exist!" ;;
  esac
}
# This function will be called if the script status is on enabled / audit mode
#######################################
# Dispatches to the per-distribution audit.  Debian 11+ ships pam_pwquality,
# so it takes the same path as CentOS.
# Globals:   OS_RELEASE (read); FNRET (written: 44 on an unsupported OS)
#######################################
audit () {
  case "$OS_RELEASE" in
    1) audit_debian ;;
    2|11|12|13) audit_centos ;;
    *)
      crit "Current OS is not support!"
      FNRET=44
      ;;
  esac
}
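#######################################
# Debian remediation, driven by the FNRET code audit_debian left behind.
# Globals:   FNRET, PACKAGE, FILE, PATTERN, PAMLIBNAME, OPTIONNAME, CONDT_VAL (read)
#######################################
apply_debian () {
  case "$FNRET" in
    0) ok "$PACKAGE is installed" ;;
    1)
      crit "$PACKAGE is absent, installing it"
      apt_install "$PACKAGE"
      ;;
    2)
      crit "$PATTERN is not present in $FILE, add default config to $FILE"
      # Seed the line with the audited option as well; without it the inserted
      # line still fails this check and a second apply run was needed to add it.
      add_line_file_before_pattern "$FILE" "password requisite $PAMLIBNAME retry=3 minlen=15 difok=3 $OPTIONNAME=$CONDT_VAL" "# pam-auth-update(8) for details."
      ;;
    3) crit "$FILE is not exist, please check" ;;
    4)
      crit "$OPTIONNAME is not conf"
      add_option_to_password_check "$FILE" "$PAMLIBNAME" "$OPTIONNAME=$CONDT_VAL"
      ;;
    5)
      crit "$OPTIONNAME set is not match legally, reset it to $CONDT_VAL"
      reset_option_to_password_check "$FILE" "$PAMLIBNAME" "$OPTIONNAME" "$CONDT_VAL"
      ;;
  esac
}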
#######################################
# CentOS / Debian 11+ remediation in $FILE_CENTOS, driven by the FNRET code
# audit_centos left behind.
# Globals:   FNRET, FILE_CENTOS, OPTIONNAME, CONDT_VAL (read)
#######################################
apply_centos () {
  local setting="$OPTIONNAME = $CONDT_VAL"
  case "$FNRET" in
    0) ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS" ;;
    1)
      warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS"
      replace_in_file "$FILE_CENTOS" "^$OPTIONNAME.*" "$setting"
      ;;
    2)
      warn "$OPTIONNAME is not conf, add to $FILE_CENTOS"
      add_end_of_file "$FILE_CENTOS" "$setting"
      ;;
    3) crit "Config file $FILE_CENTOS is not exist!" ;;
  esac
}
# This function will be called if the script status is on enabled mode
#######################################
# Dispatches to the per-distribution remediation (same split as audit).
# Globals:   OS_RELEASE (read)
#######################################
apply () {
  case "$OS_RELEASE" in
    1) apply_debian ;;
    2|11|12|13) apply_centos ;;
    *) crit "Current OS is not support!" ;;
  esac
}
# This function will check config parameters required
# Nothing to adjust per OS here: audit/apply pick the pam_cracklib or
# pwquality.conf path themselves.
check_config() {
  return 0
}
# Source Root Dir Parameter
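if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps `set -u` from aborting with "unbound variable"
# before the explanatory message below can be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi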
================================================
FILE: bin/hardening/9.2.6_pam_lcredit_cracklib.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9/10/11/12/13 or CentOS Hardening
#
#
# 9.2.6 Set Password Creation Requirement Parameters Using pam_cracklib: audit lcredit option (Scored)
# Author : Samson wen, Samson
#
# Abort on the first failing command and on any reference to an unset variable.
set -eu
HARDENING_LEVEL=2
# Debian (pam_cracklib) defaults, used by the audit_debian/apply_debian path.
PACKAGE="libpam-cracklib"
PAMLIBNAME="pam_cracklib.so"
PATTERN="^password.*pam_cracklib.so"
FILE="/etc/pam.d/common-password"
# Red Hat/CentOS and Debian 11+ configure pam_pwquality through this file.
FILE_CENTOS="/etc/security/pwquality.conf"
# Option under audit and the upper bound it must satisfy (lcredit <= -1,
# i.e. at least one lower-case character is required).
OPTIONNAME="lcredit"
CONDT_VAL=-1
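#######################################
# Debian (pam_cracklib) audit: the package must be installed, a "password"
# line for the module must exist in $FILE, and its lcredit must be <= CONDT_VAL.
# Globals:   PACKAGE, FILE, PATTERN, PAMLIBNAME, OPTIONNAME, CONDT_VAL (read);
#            FNRET (written)
# Returns:   FNRET=1 package missing, FNRET=2 pattern missing, otherwise the
#            value left by check_param_pair_by_pam (0 = compliant; non-zero
#            codes are passed through unchanged for apply_debian to act on)
#######################################
audit_debian () {
  is_pkg_installed "$PACKAGE"
  if [ "$FNRET" != 0 ]; then
    crit "$PACKAGE is not installed!"
    FNRET=1
    return
  fi
  ok "$PACKAGE is installed"
  # $PATTERN contains '.*'; quoting stops the shell from glob-expanding it
  # against the current directory before the helper sees it.
  does_pattern_exist_in_file "$FILE" "$PATTERN"
  if [ "$FNRET" != 0 ]; then
    crit "$PATTERN is not present in $FILE"
    FNRET=2
    return
  fi
  ok "$PATTERN is present in $FILE"
  check_param_pair_by_pam "$FILE" "$PAMLIBNAME" "$OPTIONNAME" le "$CONDT_VAL"
  if [ "$FNRET" = 0 ]; then
    ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL"
  else
    crit "$OPTIONNAME set condition is greater than $CONDT_VAL"
  fi
}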
#######################################
# CentOS / Debian 11+ (pam_pwquality) audit: reads OPTIONNAME from
# $FILE_CENTOS and reports whether it is <= CONDT_VAL.
# Globals:   FILE_CENTOS, OPTIONNAME, CONDT_VAL (read); FNRET (written by
#            check_param_pair_by_value and passed through to apply_centos)
#######################################
audit_centos () {
  check_param_pair_by_value "$FILE_CENTOS" "$OPTIONNAME" le "$CONDT_VAL"
  case "$FNRET" in
    0) ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS" ;;
    1) crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_CENTOS" ;;
    2) crit "Option $OPTIONNAME is not conf in $FILE_CENTOS" ;;
    3) crit "Config file $FILE_CENTOS is not exist!" ;;
  esac
}
# This function will be called if the script status is on enabled / audit mode
#######################################
# Dispatches to the per-distribution audit.  Debian 11+ ships pam_pwquality,
# so it takes the same path as CentOS.
# Globals:   OS_RELEASE (read); FNRET (written: 44 on an unsupported OS)
#######################################
audit () {
  case "$OS_RELEASE" in
    1) audit_debian ;;
    2|11|12|13) audit_centos ;;
    *)
      crit "Current OS is not support!"
      FNRET=44
      ;;
  esac
}
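#######################################
# Debian remediation, driven by the FNRET code audit_debian left behind.
# Globals:   FNRET, PACKAGE, FILE, PATTERN, PAMLIBNAME, OPTIONNAME, CONDT_VAL (read)
#######################################
apply_debian () {
  case "$FNRET" in
    0) ok "$PACKAGE is installed" ;;
    1)
      warn "$PACKAGE is absent, installing it"
      apt_install "$PACKAGE"
      ;;
    2)
      warn "$PATTERN is not present in $FILE, add default config to $FILE"
      # Seed the line with the audited option as well; without it the inserted
      # line still fails this check and a second apply run was needed to add it.
      add_line_file_before_pattern "$FILE" "password requisite $PAMLIBNAME retry=3 minlen=15 difok=3 $OPTIONNAME=$CONDT_VAL" "# pam-auth-update(8) for details."
      ;;
    3) crit "$FILE is not exist, please check" ;;
    4)
      warn "$OPTIONNAME is not conf"
      add_option_to_password_check "$FILE" "$PAMLIBNAME" "$OPTIONNAME=$CONDT_VAL"
      ;;
    5)
      warn "$OPTIONNAME set is not match legally, reset it to $CONDT_VAL"
      reset_option_to_password_check "$FILE" "$PAMLIBNAME" "$OPTIONNAME" "$CONDT_VAL"
      ;;
  esac
}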
#######################################
# CentOS / Debian 11+ remediation in $FILE_CENTOS, driven by the FNRET code
# audit_centos left behind.
# Globals:   FNRET, FILE_CENTOS, OPTIONNAME, CONDT_VAL (read)
#######################################
apply_centos () {
  local setting="$OPTIONNAME = $CONDT_VAL"
  case "$FNRET" in
    0) ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS" ;;
    1)
      warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS"
      replace_in_file "$FILE_CENTOS" "^$OPTIONNAME.*" "$setting"
      ;;
    2)
      warn "$OPTIONNAME is not conf, add to $FILE_CENTOS"
      add_end_of_file "$FILE_CENTOS" "$setting"
      ;;
    3) crit "Config file $FILE_CENTOS is not exist!" ;;
  esac
}
# This function will be called if the script status is on enabled mode
#######################################
# Dispatches to the per-distribution remediation (same split as audit).
# Globals:   OS_RELEASE (read)
#######################################
apply () {
  case "$OS_RELEASE" in
    1) apply_debian ;;
    2|11|12|13) apply_centos ;;
    *) crit "Current OS is not support!" ;;
  esac
}
# This function will check config parameters required
# Nothing to adjust per OS here: audit/apply pick the pam_cracklib or
# pwquality.conf path themselves.
check_config() {
  return 0
}
# Source Root Dir Parameter
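if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps `set -u` from aborting with "unbound variable"
# before the explanatory message below can be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi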
================================================
FILE: bin/hardening/9.2.7_pam_difok_cracklib.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12/13 or CentOS Hardening
#
#
# 9.2.7 Set Password Creation Requirement Parameters Using pam_cracklib: audit difok option (Scored)
# Author : Samson wen, Samson
#
# Abort on the first failing command and on any reference to an unset variable.
set -eu
HARDENING_LEVEL=2
# Debian (pam_cracklib) defaults, used by the audit_debian/apply_debian path.
PACKAGE="libpam-cracklib"
PAMLIBNAME="pam_cracklib.so"
PATTERN="^password.*pam_cracklib.so"
FILE="/etc/pam.d/common-password"
# Red Hat/CentOS and Debian 11+ configure pam_pwquality through this file.
FILE_CENTOS="/etc/security/pwquality.conf"
# Option under audit and the lower bound it must satisfy (difok >= 8
# characters different from the previous password).
OPTIONNAME="difok"
CONDT_VAL=8
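#######################################
# Debian (pam_cracklib) audit: the package must be installed, a "password"
# line for the module must exist in $FILE, and its difok must be >= CONDT_VAL.
# Globals:   PACKAGE, FILE, PATTERN, PAMLIBNAME, OPTIONNAME, CONDT_VAL (read);
#            FNRET (written)
# Returns:   FNRET=1 package missing, FNRET=2 pattern missing, otherwise the
#            value left by check_param_pair_by_pam (0 = compliant; non-zero
#            codes are passed through unchanged for apply_debian to act on)
#######################################
audit_debian () {
  is_pkg_installed "$PACKAGE"
  if [ "$FNRET" != 0 ]; then
    crit "$PACKAGE is not installed!"
    FNRET=1
    return
  fi
  ok "$PACKAGE is installed"
  # $PATTERN contains '.*'; quoting stops the shell from glob-expanding it
  # against the current directory before the helper sees it.
  does_pattern_exist_in_file "$FILE" "$PATTERN"
  if [ "$FNRET" != 0 ]; then
    crit "$PATTERN is not present in $FILE"
    FNRET=2
    return
  fi
  ok "$PATTERN is present in $FILE"
  check_param_pair_by_pam "$FILE" "$PAMLIBNAME" "$OPTIONNAME" ge "$CONDT_VAL"
  if [ "$FNRET" = 0 ]; then
    ok "$OPTIONNAME set condition is greater than or equal to $CONDT_VAL"
  else
    crit "$OPTIONNAME set condition is less than $CONDT_VAL"
  fi
}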
#######################################
# CentOS / Debian 11+ (pam_pwquality) audit: reads OPTIONNAME from
# $FILE_CENTOS and reports whether it is >= CONDT_VAL.
# Globals:   FILE_CENTOS, OPTIONNAME, CONDT_VAL (read); FNRET (written by
#            check_param_pair_by_value and passed through to apply_centos)
#######################################
audit_centos () {
  check_param_pair_by_value "$FILE_CENTOS" "$OPTIONNAME" ge "$CONDT_VAL"
  case "$FNRET" in
    0) ok "Option $OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_CENTOS" ;;
    1) crit "Option $OPTIONNAME set condition is less than $CONDT_VAL in $FILE_CENTOS" ;;
    2) crit "Option $OPTIONNAME is not conf in $FILE_CENTOS" ;;
    3) crit "Config file $FILE_CENTOS is not exist!" ;;
  esac
}
# This function will be called if the script status is on enabled / audit mode
#######################################
# Dispatches to the per-distribution audit.  Debian 11+ ships pam_pwquality,
# so it takes the same path as CentOS.
# Globals:   OS_RELEASE (read); FNRET (written: 44 on an unsupported OS)
#######################################
audit () {
  case "$OS_RELEASE" in
    1) audit_debian ;;
    2|11|12|13) audit_centos ;;
    *)
      crit "Current OS is not support!"
      FNRET=44
      ;;
  esac
}
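#######################################
# Debian remediation, driven by the FNRET code audit_debian left behind.
# Globals:   FNRET, PACKAGE, FILE, PATTERN, PAMLIBNAME, OPTIONNAME, CONDT_VAL (read)
#######################################
apply_debian () {
  case "$FNRET" in
    0) ok "$PACKAGE is installed" ;;
    1)
      warn "$PACKAGE is absent, installing it"
      apt_install "$PACKAGE"
      ;;
    2)
      warn "$PATTERN is not present in $FILE, add default config to $FILE"
      # The seeded line must use the audited threshold: the previous text
      # wrote difok=3 while this check requires difok >= CONDT_VAL (8), so
      # the line it inserted was immediately non-compliant.
      add_line_file_before_pattern "$FILE" "password requisite $PAMLIBNAME retry=3 minlen=15 difok=$CONDT_VAL" "# pam-auth-update(8) for details."
      ;;
    3) crit "$FILE is not exist, please check" ;;
    4)
      warn "$OPTIONNAME is not conf"
      add_option_to_password_check "$FILE" "$PAMLIBNAME" "$OPTIONNAME=$CONDT_VAL"
      ;;
    5)
      warn "$OPTIONNAME set is not match legally, reset it to $CONDT_VAL"
      reset_option_to_password_check "$FILE" "$PAMLIBNAME" "$OPTIONNAME" "$CONDT_VAL"
      ;;
  esac
}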
#######################################
# CentOS / Debian 11+ remediation in $FILE_CENTOS, driven by the FNRET code
# audit_centos left behind.
# Globals:   FNRET, FILE_CENTOS, OPTIONNAME, CONDT_VAL (read)
#######################################
apply_centos () {
  local setting="$OPTIONNAME = $CONDT_VAL"
  case "$FNRET" in
    0) ok "$OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_CENTOS" ;;
    1)
      warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS"
      replace_in_file "$FILE_CENTOS" "^$OPTIONNAME.*" "$setting"
      ;;
    2)
      warn "$OPTIONNAME is not conf, add to $FILE_CENTOS"
      add_end_of_file "$FILE_CENTOS" "$setting"
      ;;
    3) crit "Config file $FILE_CENTOS is not exist!" ;;
  esac
}
# This function will be called if the script status is on enabled mode
#######################################
# Dispatches to the per-distribution remediation (same split as audit).
# Globals:   OS_RELEASE (read)
#######################################
apply () {
  case "$OS_RELEASE" in
    1) apply_debian ;;
    2|11|12|13) apply_centos ;;
    *) crit "Current OS is not support!" ;;
  esac
}
# This function will check config parameters required
# Nothing to adjust per OS here: audit/apply pick the pam_cracklib or
# pwquality.conf path themselves.
check_config() {
  return 0
}
# Source Root Dir Parameter
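if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps `set -u` from aborting with "unbound variable"
# before the explanatory message below can be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi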
================================================
FILE: bin/hardening/9.2.8_pam_minclass_cracklib.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12/13 or CentOS Hardening
#
#
# 9.2.8 Set Password Creation Requirement Parameters Using pam_cracklib: audit minclass option (Scored)
# Author : Samson wen, Samson
#
# Abort on the first failing command and on any reference to an unset variable.
set -eu
HARDENING_LEVEL=2
# Debian (pam_cracklib) defaults, used by the audit_debian/apply_debian path.
PACKAGE="libpam-cracklib"
PAMLIBNAME="pam_cracklib.so"
PATTERN="^password.*pam_cracklib.so"
FILE="/etc/pam.d/common-password"
# Red Hat/CentOS and Debian 11+ configure pam_pwquality through this file.
FILE_CENTOS="/etc/security/pwquality.conf"
# Option under audit and the lower bound it must satisfy (minclass >= 4
# character classes).
OPTIONNAME="minclass"
CONDT_VAL=4
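#######################################
# Debian (pam_cracklib) audit: the package must be installed, a "password"
# line for the module must exist in $FILE, and its minclass must be >= CONDT_VAL.
# Globals:   PACKAGE, FILE, PATTERN, PAMLIBNAME, OPTIONNAME, CONDT_VAL (read);
#            FNRET (written)
# Returns:   FNRET=1 package missing, FNRET=2 pattern missing, otherwise the
#            value left by check_param_pair_by_pam (0 = compliant; non-zero
#            codes are passed through unchanged for apply_debian to act on)
#######################################
audit_debian () {
  is_pkg_installed "$PACKAGE"
  if [ "$FNRET" != 0 ]; then
    crit "$PACKAGE is not installed!"
    FNRET=1
    return
  fi
  ok "$PACKAGE is installed"
  # $PATTERN contains '.*'; quoting stops the shell from glob-expanding it
  # against the current directory before the helper sees it.
  does_pattern_exist_in_file "$FILE" "$PATTERN"
  if [ "$FNRET" != 0 ]; then
    crit "$PATTERN is not present in $FILE"
    FNRET=2
    return
  fi
  ok "$PATTERN is present in $FILE"
  check_param_pair_by_pam "$FILE" "$PAMLIBNAME" "$OPTIONNAME" ge "$CONDT_VAL"
  if [ "$FNRET" = 0 ]; then
    ok "$OPTIONNAME set condition is greater than or equal to $CONDT_VAL"
  else
    crit "$OPTIONNAME set condition is less than $CONDT_VAL"
  fi
}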
#######################################
# CentOS / Debian 11+ (pam_pwquality) audit: reads OPTIONNAME from
# $FILE_CENTOS and reports whether it is >= CONDT_VAL.
# Globals:   FILE_CENTOS, OPTIONNAME, CONDT_VAL (read); FNRET (written by
#            check_param_pair_by_value and passed through to apply_centos)
#######################################
audit_centos () {
  check_param_pair_by_value "$FILE_CENTOS" "$OPTIONNAME" ge "$CONDT_VAL"
  case "$FNRET" in
    0) ok "Option $OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_CENTOS" ;;
    1) crit "Option $OPTIONNAME set condition is less than $CONDT_VAL in $FILE_CENTOS" ;;
    2) crit "Option $OPTIONNAME is not conf in $FILE_CENTOS" ;;
    3) crit "Config file $FILE_CENTOS is not exist!" ;;
  esac
}
# This function will be called if the script status is on enabled / audit mode
#######################################
# Dispatches to the per-distribution audit.  Debian 11+ ships pam_pwquality,
# so it takes the same path as CentOS.
# Globals:   OS_RELEASE (read); FNRET (written: 44 on an unsupported OS)
#######################################
audit () {
  case "$OS_RELEASE" in
    1) audit_debian ;;
    2|11|12|13) audit_centos ;;
    *)
      crit "Current OS is not support!"
      FNRET=44
      ;;
  esac
}
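#######################################
# Debian remediation, driven by the FNRET code audit_debian left behind.
# Globals:   FNRET, PACKAGE, FILE, PATTERN, PAMLIBNAME, OPTIONNAME, CONDT_VAL (read)
#######################################
apply_debian () {
  case "$FNRET" in
    0) ok "$PACKAGE is installed" ;;
    1)
      warn "$PACKAGE is absent, installing it"
      apt_install "$PACKAGE"
      ;;
    2)
      warn "$PATTERN is not present in $FILE, add default config to $FILE"
      # Seed the line with the audited option as well; without it the inserted
      # line still fails this check and a second apply run was needed to add it.
      add_line_file_before_pattern "$FILE" "password requisite $PAMLIBNAME retry=3 minlen=15 difok=3 $OPTIONNAME=$CONDT_VAL" "# pam-auth-update(8) for details."
      ;;
    3) crit "$FILE is not exist, please check" ;;
    4)
      warn "$OPTIONNAME is not conf"
      add_option_to_password_check "$FILE" "$PAMLIBNAME" "$OPTIONNAME=$CONDT_VAL"
      ;;
    5)
      warn "$OPTIONNAME set is not match legally, reset it to $CONDT_VAL"
      reset_option_to_password_check "$FILE" "$PAMLIBNAME" "$OPTIONNAME" "$CONDT_VAL"
      ;;
  esac
}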
#######################################
# CentOS / Debian 11+ remediation in $FILE_CENTOS, driven by the FNRET code
# audit_centos left behind.
# Globals:   FNRET, FILE_CENTOS, OPTIONNAME, CONDT_VAL (read)
#######################################
apply_centos () {
  local setting="$OPTIONNAME = $CONDT_VAL"
  case "$FNRET" in
    0) ok "$OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_CENTOS" ;;
    1)
      warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS"
      replace_in_file "$FILE_CENTOS" "^$OPTIONNAME.*" "$setting"
      ;;
    2)
      warn "$OPTIONNAME is not conf, add to $FILE_CENTOS"
      add_end_of_file "$FILE_CENTOS" "$setting"
      ;;
    3) crit "Config file $FILE_CENTOS is not exist!" ;;
  esac
}
# This function will be called if the script status is on enabled mode
#######################################
# Dispatches to the per-distribution remediation (same split as audit).
# Globals:   OS_RELEASE (read)
#######################################
apply () {
  case "$OS_RELEASE" in
    1) apply_debian ;;
    2|11|12|13) apply_centos ;;
    *) crit "Current OS is not support!" ;;
  esac
}
# This function will check config parameters required
# Nothing to adjust per OS here: audit/apply pick the pam_cracklib or
# pwquality.conf path themselves.
check_config() {
  return 0
}
# Source Root Dir Parameter
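if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps `set -u` from aborting with "unbound variable"
# before the explanatory message below can be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi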
================================================
FILE: bin/hardening/9.2.9_pam_maxrepeat_cracklib.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12/13 or CentOS Hardening
#
#
# 9.2.9 Set Password Creation Requirement Parameters Using pam_cracklib: audit maxrepeat option (Scored)
# Author : Samson wen, Samson
#
# Abort on the first failing command and on any reference to an unset variable.
set -eu
HARDENING_LEVEL=2
# Debian (pam_cracklib) defaults, used by the audit_debian/apply_debian path.
PACKAGE="libpam-cracklib"
PAMLIBNAME="pam_cracklib.so"
PATTERN="^password.*pam_cracklib.so"
FILE="/etc/pam.d/common-password"
# Red Hat/CentOS and Debian 11+ configure pam_pwquality through this file.
FILE_CENTOS="/etc/security/pwquality.conf"
# Option under audit and the upper bound it must satisfy (maxrepeat <= 3
# consecutive identical characters).
OPTIONNAME="maxrepeat"
CONDT_VAL=3
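#######################################
# Debian (pam_cracklib) audit: the package must be installed, a "password"
# line for the module must exist in $FILE, and its maxrepeat must be <= CONDT_VAL.
# Globals:   PACKAGE, FILE, PATTERN, PAMLIBNAME, OPTIONNAME, CONDT_VAL (read);
#            FNRET (written)
# Returns:   FNRET=1 package missing, FNRET=2 pattern missing, otherwise the
#            value left by check_param_pair_by_pam (0 = compliant; non-zero
#            codes are passed through unchanged for apply_debian to act on)
#######################################
audit_debian () {
  is_pkg_installed "$PACKAGE"
  if [ "$FNRET" != 0 ]; then
    crit "$PACKAGE is not installed!"
    FNRET=1
    return
  fi
  ok "$PACKAGE is installed"
  # $PATTERN contains '.*'; quoting stops the shell from glob-expanding it
  # against the current directory before the helper sees it.
  does_pattern_exist_in_file "$FILE" "$PATTERN"
  if [ "$FNRET" != 0 ]; then
    crit "$PATTERN is not present in $FILE"
    FNRET=2
    return
  fi
  ok "$PATTERN is present in $FILE"
  check_param_pair_by_pam "$FILE" "$PAMLIBNAME" "$OPTIONNAME" le "$CONDT_VAL"
  if [ "$FNRET" = 0 ]; then
    ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL"
  else
    crit "$OPTIONNAME set condition is greater than $CONDT_VAL"
  fi
}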
# CentOS / pwquality path: report the status code check_param_pair_by_value
# leaves in FNRET for "$OPTIONNAME <= $CONDT_VAL" in $FILE_CENTOS
# (0 ok, 1 too large, 2 not configured, 3 file missing); FNRET is passed through.
audit_centos () {
    check_param_pair_by_value $FILE_CENTOS $OPTIONNAME le $CONDT_VAL
    case $FNRET in
        0) ok "Option $OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS" ;;
        1) crit "Option $OPTIONNAME set condition is greater than $CONDT_VAL in $FILE_CENTOS" ;;
        2) crit "Option $OPTIONNAME is not conf in $FILE_CENTOS" ;;
        3) crit "Config file $FILE_CENTOS is not exist!" ;;
    esac
}
# This function will be called if the script status is on enabled / audit mode
# Dispatch the audit on OS_RELEASE: 1 -> Debian/cracklib, 2/11/12/13 -> the
# pwquality path shared with CentOS; anything else is reported with FNRET=44.
audit () {
    if [ $OS_RELEASE -eq 1 ]; then
        audit_debian
    elif [ $OS_RELEASE -eq 2 ] || [ $OS_RELEASE -eq 11 ] || [ $OS_RELEASE -eq 12 ] || [ $OS_RELEASE -eq 13 ]; then
        # Debian 11/12 default to pam_pwquality, same as CentOS
        audit_centos
    else
        crit "Current OS is not support!"
        FNRET=44
    fi
}
# Remediate on Debian according to the FNRET left by the audit:
#   1 install $PACKAGE, 2 add a default cracklib line, 3 report missing $FILE,
#   4 add "$OPTIONNAME=$CONDT_VAL" to the cracklib line, 5 reset it to $CONDT_VAL.
apply_debian () {
    case $FNRET in
        0) ok "$PACKAGE is installed" ;;
        1) warn "$PACKAGE is absent, installing it"
           apt_install $PACKAGE ;;
        2) warn "$PATTERN is not present in $FILE, add default config to $FILE"
           # NOTE(review): the inserted line carries no $OPTIONNAME, so a further
           # run (FNRET=4 path) is needed before the option is actually set.
           add_line_file_before_pattern $FILE "password requisite pam_cracklib.so retry=3 minlen=15 difok=3" "# pam-auth-update(8) for details." ;;
        3) crit "$FILE is not exist, please check" ;;
        4) warn "$OPTIONNAME is not conf"
           add_option_to_password_check $FILE $PAMLIBNAME "$OPTIONNAME=$CONDT_VAL" ;;
        5) warn "$OPTIONNAME set is not match legally, reset it to $CONDT_VAL"
           reset_option_to_password_check $FILE $PAMLIBNAME "$OPTIONNAME" "$CONDT_VAL" ;;
    esac
}
# Remediate $FILE_CENTOS according to the FNRET left by audit_centos:
#   1 rewrite the existing "$OPTIONNAME" line, 2 append it, 3 report missing file.
apply_centos () {
    case $FNRET in
        0) ok "$OPTIONNAME set condition is less than or equal to $CONDT_VAL in $FILE_CENTOS" ;;
        1) warn "Reset option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS"
           replace_in_file $FILE_CENTOS "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL" ;;
        2) warn "$OPTIONNAME is not conf, add to $FILE_CENTOS"
           add_end_of_file $FILE_CENTOS "$OPTIONNAME = $CONDT_VAL" ;;
        3) crit "Config file $FILE_CENTOS is not exist!" ;;
    esac
}
# This function will be called if the script status is on enabled mode
# Dispatch the remediation on OS_RELEASE, mirroring audit(): 1 -> Debian,
# 2/11/12/13 -> the pwquality path shared with CentOS; other values only log.
apply () {
    if [ $OS_RELEASE -eq 1 ]; then
        apply_debian
    elif [ $OS_RELEASE -eq 2 ] || [ $OS_RELEASE -eq 11 ] || [ $OS_RELEASE -eq 12 ] || [ $OS_RELEASE -eq 13 ]; then
        # Debian 11/12 default to pam_pwquality, same as CentOS
        apply_centos
    else
        crit "Current OS is not support!"
    fi
}
# This function will check config parameters required
# No extra configuration parameter is needed for this check; kept only to
# satisfy the common script interface (presumably invoked by lib/main.sh).
check_config() {
    true
}
# Source Root Dir Parameter
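# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${VAR:-} keeps this test reachable under `set -u`: with a bare $CIS_ROOT_DIR
# a missing defaults file aborted with "unbound variable" before the message.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a root directory containing blanks cannot split into several words.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi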
================================================
FILE: bin/hardening/9.3.10_disable_sshd_setenv.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 9.3.10 Do Not Allow Users to Set Environment Options (Scored)
#
set -eu # abort on the first failing command and on any unset variable
HARDENING_LEVEL=2
PACKAGE='openssh-server'            # package that ships sshd
OPTIONS='PermitUserEnvironment=no'  # Keyword=value pair enforced by this check
FILE='/etc/ssh/sshd_config'         # file rewritten by apply()
# This function will be called if the script status is on enabled / audit mode
# Audit the single "Keyword=value" pair in $OPTIONS against the running sshd
# configuration.  Leaves the result in FNRET:
#   0 value is effective at runtime
#   1 keyword present in $FILE but with another value
#   2 keyword absent from $FILE
#   5 $PACKAGE is not installed
# SSH_PARAM, SSH_VALUE, PATTERN and PATTERN_INFO are set as globals on the way.
audit () {
    is_pkg_installed $PACKAGE
    if [ $FNRET != 0 ]; then
        crit "$PACKAGE is not installed!"
        FNRET=5
        return
    fi
    ok "$PACKAGE is installed"
    SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
    SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
    check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE
    if [ $FNRET = 0 ]; then
        ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
        return
    fi
    crit "The keyword value pair \"$SSH_PARAM $SSH_VALUE\" does not exist in the sshd runtime configuration."
    PATTERN="^$SSH_PARAM[[:space:]]*"
    PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
    # Tell "set to a wrong value" apart from "not configured at all"
    does_pattern_exist_in_file $FILE "$PATTERN"
    if [ $FNRET = 0 ]; then
        crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
        FNRET=1
    else
        crit "$PATTERN_INFO is not present in $FILE"
        FNRET=2
    fi
}
# This function will be called if the script status is on enabled mode
# Remediate according to the FNRET left by audit():
#   1 rewrite the existing keyword line in $FILE and reload sshd
#   2 append the keyword to $FILE and reload sshd
#   5 install $PACKAGE
# 0 only reports success; any other value is left untouched.
apply () {
    SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
    SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
    PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
    if [ "$FNRET" = 0 ]; then
        ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
    elif [ "$FNRET" = 1 ]; then
        warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
        replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
        /etc/init.d/ssh reload > /dev/null 2>&1
    elif [ "$FNRET" = 2 ]; then
        warn "$PATTERN_INFO is not present in $FILE, need add to sshd_config and reload"
        add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
        /etc/init.d/ssh reload > /dev/null 2>&1
    elif [ "$FNRET" = 5 ]; then
        warn "$PACKAGE is absent, installing it"
        apt_install $PACKAGE
    fi
}
# This function will check config parameters required
# No extra configuration parameter is needed for this check; kept only to
# satisfy the common script interface (presumably invoked by lib/main.sh).
check_config() {
    true
}
# Source Root Dir Parameter
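# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${VAR:-} keeps this test reachable under `set -u`: with a bare $CIS_ROOT_DIR
# a missing defaults file aborted with "unbound variable" before the message.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a root directory containing blanks cannot split into several words.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi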
================================================
FILE: bin/hardening/9.3.11_sshd_ciphers.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 9.3.11 Use Only Approved Cipher in Counter Mode (Scored)
#
set -eu # abort on the first failing command and on any unset variable
HARDENING_LEVEL=2
PACKAGE='openssh-server'     # package that ships sshd
# Approved cipher list; audit() requires every entry to be active at runtime
OPTIONS='Ciphers=chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
FILE='/etc/ssh/sshd_config'  # file rewritten by apply()
# This function will be called if the script status is on enabled / audit mode
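# Audit: every cipher named in $OPTIONS must appear in the cipher list the
# running sshd reports (sshd -T).  FNRET: 0 all present, 1 some missing,
# 5 $PACKAGE absent.  SET_VALUES is left holding the comma-separated missing
# ciphers for the report (apply() recomputes its own copy).
audit () {
    is_pkg_installed $PACKAGE
    if [ $FNRET != 0 ]; then
        crit "$PACKAGE is not installed!"
        FNRET=5
        return
    fi
    SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
    SSH_VALUES=$(echo $OPTIONS | cut -d= -f 2)
    VALUES_CHECK=$(echo $SSH_VALUES | sed 's@,@ @g')
    # sshd -T prints the effective configuration, keywords in lower case
    VALUES_RUNTIME=$(sshd -T | grep -i $SSH_PARAM | awk '{print $2}')
    SET_VALUES_TMP=""
    for VALUE in $VALUES_CHECK; do
        if [ $(echo $VALUES_RUNTIME | grep -wc $VALUE) -eq 1 ]; then
            ok "$VALUE has set in the runtime configuration."
        else
            # Append with a separator, as apply() does; the old code appended the
            # bare value and then chopped the last character off the report.
            SET_VALUES_TMP+="$VALUE,"
            crit "$VALUE is not set in the runtime configuration."
        fi
    done
    SET_VALUES=${SET_VALUES_TMP%,}
    if [ -z "$SET_VALUES" ]; then
        FNRET=0
    else
        crit "Need to add set values ${SET_VALUES} to sshd_config."
        FNRET=1
    fi
}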
# This function will be called if the script status is on enabled mode
# Remediate using the FNRET left by audit(): 1 -> work out which approved
# ciphers are missing from the runtime set and write them to $FILE, then reload
# sshd; 5 -> install $PACKAGE; 0 only reports.
# NOTE(review): the line written is "<runtime ciphers>,<missing ciphers>" —
# whatever sshd currently negotiates is kept and the approved ones are appended,
# so ciphers outside $OPTIONS are not removed by this step.
apply () {
    SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
    SSH_VALUES=$(echo $OPTIONS | cut -d= -f 2)
    if [ "$FNRET" = 0 ]; then
        ok "The value of keyword $SSH_PARAM has set to $SSH_VALUES, it's correct."
    elif [ "$FNRET" = 5 ]; then
        warn "$PACKAGE is absent, installing it"
        install_package $PACKAGE
    elif [ "$FNRET" = 1 ]; then
        VALUES_CHECK=$(echo $SSH_VALUES | sed 's@,@ @g')
        VALUES_RUNTIME=$(sshd -T | grep -i $SSH_PARAM | awk '{print $2}')
        SET_VALUES_TMP=""
        for VALUE in $VALUES_CHECK; do
            if [ $(echo $VALUES_RUNTIME | grep -wc $VALUE) -eq 1 ]; then
                debug "$VALUE has set in the runtime configuration."
            else
                debug "$VALUE is not set in the runtime configuration."
                SET_VALUES_TMP+="$VALUE,"
            fi
        done
        # drop the trailing separator
        SET_VALUES=${SET_VALUES_TMP%,}
        if [ -n "$SET_VALUES" ]; then
            warn "Need to add set values ${SET_VALUES} to sshd_config."
            PATTERN="^$SSH_PARAM[[:space:]]*"
            does_pattern_exist_in_file $FILE "$PATTERN"
            SET_VALUES_NOW="${VALUES_RUNTIME},${SET_VALUES}"
            if [ $FNRET = 0 ]; then
                warn "$SSH_PARAM has exist $FILE, replace new values $SET_VALUES_NOW to $FILE, fixing and reload"
                replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SET_VALUES_NOW"
                /etc/init.d/ssh reload > /dev/null 2>&1
            else
                warn "$SSH_PARAM is not present in $FILE, need add to sshd_config and reload"
                add_end_of_file $FILE "$SSH_PARAM $SET_VALUES_NOW"
                /etc/init.d/ssh reload > /dev/null 2>&1
            fi
        fi
    fi
}
# This function will check config parameters required
# No extra configuration parameter is needed for this check; kept only to
# satisfy the common script interface (presumably invoked by lib/main.sh).
check_config() {
    true
}
# Source Root Dir Parameter
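# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${VAR:-} keeps this test reachable under `set -u`: with a bare $CIS_ROOT_DIR
# a missing defaults file aborted with "unbound variable" before the message.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a root directory containing blanks cannot split into several words.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi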
================================================
FILE: bin/hardening/9.3.12_sshd_idle_timeout.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 9.3.12 Set Idle Timeout Interval for User Login (Scored)
# Modified by: Samson-W (sccxboy@gmail.com)
#
set -eu # abort on the first failing command and on any unset variable
HARDENING_LEVEL=3
PACKAGE='openssh-server'     # package that ships sshd
FILE='/etc/ssh/sshd_config'  # file rewritten by apply()
# The timeout itself comes from $SSHD_TIMEOUT, read inside audit()/apply()
# This function will be called if the script status is on enabled / audit mode
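# Audit ClientAliveInterval=$SSHD_TIMEOUT and ClientAliveCountMax=0 against the
# running sshd configuration.  FNRET: 0 both effective, 1 a keyword is present
# in $FILE with another value, 2 a keyword is absent from $FILE, 5 $PACKAGE
# absent.  A failure on either option is retained: previously each iteration
# overwrote FNRET, so a failing first option was masked by a passing second one.
audit () {
    OPTIONS="ClientAliveInterval=$SSHD_TIMEOUT ClientAliveCountMax=0"
    is_pkg_installed $PACKAGE
    if [ $FNRET != 0 ]; then
        crit "$PACKAGE is not installed!"
        FNRET=5
        return
    fi
    ok "$PACKAGE is installed"
    local AUDIT_RET=0
    for SSH_OPTION in $OPTIONS; do
        SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
        SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
        check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE
        if [ $FNRET = 0 ]; then
            ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
            continue
        fi
        crit "The keyword value pair \"$SSH_PARAM $SSH_VALUE\" does not exist in the sshd runtime configuration."
        PATTERN="^$SSH_PARAM[[:space:]]*"
        PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
        # Tell "set to a wrong value" apart from "not configured at all"
        does_pattern_exist_in_file $FILE "$PATTERN"
        if [ $FNRET = 0 ]; then
            crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
            AUDIT_RET=1
        else
            crit "$PATTERN_INFO is not present in $FILE"
            AUDIT_RET=2
        fi
    done
    FNRET=$AUDIT_RET
}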
# This function will be called if the script status is on enabled mode
# Remediate ClientAliveInterval=$SSHD_TIMEOUT and ClientAliveCountMax=0.
# FNRET=5 (from audit()) triggers the package install first; each option is
# then re-checked at runtime and, when off, rewritten in or appended to $FILE,
# followed by an sshd reload.
apply () {
    OPTIONS="ClientAliveInterval=$SSHD_TIMEOUT ClientAliveCountMax=0"
    if [ $FNRET = 5 ]; then
        warn "$PACKAGE is absent, installing it"
        install_package $PACKAGE
    fi
    for SSH_OPTION in $OPTIONS; do
        SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
        SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
        check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE
        if [ $FNRET = 0 ]; then
            ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
            continue
        fi
        warn "The keyword value pair \"$SSH_PARAM $SSH_VALUE\" does not exist in the sshd runtime configuration."
        PATTERN="^$SSH_PARAM[[:space:]]*"
        PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
        does_pattern_exist_in_file $FILE "$PATTERN"
        if [ $FNRET = 0 ]; then
            warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
            replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
            /etc/init.d/ssh reload > /dev/null 2>&1
        else
            warn "$PATTERN_INFO is not present in $FILE, need add to sshd_config and reload"
            add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
            /etc/init.d/ssh reload > /dev/null 2>&1
        fi
    done
}
# This function will create the config file for this check with default values
create_config() {
cat < /dev/null 2>&1
;;
2) warn "$PATTERN_INFO is not present in $FILE, need add to sshd_config and reload"
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
/etc/init.d/ssh reload > /dev/null 2>&1
;;
5) warn "$PACKAGE is absent, installing it"
apt_install $PACKAGE
;;
*) ;;
esac
}
# This function will create the config file for this check with default values
create_config() {
cat <
#
set -eu # abort on the first failing command and on any unset variable
HARDENING_LEVEL=2
PACKAGE='openssh-server'     # package that ships sshd
OPTIONS='PrintLastLog=yes'   # Keyword=value pair enforced by this check
FILE='/etc/ssh/sshd_config'  # file rewritten by apply()
# This function will be called if the script status is on enabled / audit mode
# Audit the single "Keyword=value" pair in $OPTIONS against the running sshd
# configuration.  Leaves the result in FNRET:
#   0 value is effective at runtime
#   1 keyword present in $FILE but with another value
#   2 keyword absent from $FILE
#   5 $PACKAGE is not installed
# SSH_PARAM, SSH_VALUE, PATTERN and PATTERN_INFO are set as globals on the way.
audit () {
    is_pkg_installed $PACKAGE
    if [ $FNRET != 0 ]; then
        crit "$PACKAGE is not installed!"
        FNRET=5
        return
    fi
    ok "$PACKAGE is installed"
    SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
    SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
    check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE
    if [ $FNRET = 0 ]; then
        ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
        return
    fi
    crit "The keyword value pair \"$SSH_PARAM $SSH_VALUE\" does not exist in the sshd runtime configuration."
    PATTERN="^$SSH_PARAM[[:space:]]*"
    PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
    # Tell "set to a wrong value" apart from "not configured at all"
    does_pattern_exist_in_file $FILE "$PATTERN"
    if [ $FNRET = 0 ]; then
        crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
        FNRET=1
    else
        crit "$PATTERN_INFO is not present in $FILE"
        FNRET=2
    fi
}
# This function will be called if the script status is on enabled mode
# Remediate according to the FNRET left by audit():
#   1 rewrite the existing keyword line in $FILE and reload sshd
#   2 append the keyword to $FILE and reload sshd
#   5 install $PACKAGE
# 0 only reports success; any other value is left untouched.
apply () {
    SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
    SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
    PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
    if [ "$FNRET" = 0 ]; then
        ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
    elif [ "$FNRET" = 1 ]; then
        warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
        replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
        /etc/init.d/ssh reload > /dev/null 2>&1
    elif [ "$FNRET" = 2 ]; then
        warn "$PATTERN_INFO is not present in $FILE, need add to sshd_config and reload"
        add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
        /etc/init.d/ssh reload > /dev/null 2>&1
    elif [ "$FNRET" = 5 ]; then
        warn "$PACKAGE is absent, installing it"
        apt_install $PACKAGE
    fi
}
# This function will check config parameters required
# No extra configuration parameter is needed for this check; kept only to
# satisfy the common script interface (presumably invoked by lib/main.sh).
check_config() {
    true
}
# Source Root Dir Parameter
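# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${VAR:-} keeps this test reachable under `set -u`: with a bare $CIS_ROOT_DIR
# a missing defaults file aborted with "unbound variable" before the message.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a root directory containing blanks cannot split into several words.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi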
================================================
FILE: bin/hardening/9.3.16_sshd_IgnoreUserKnownHosts.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 9.3.16 Set SSHD ignoreuserknownhosts to yes (Scored)
# Author : Samson wen, Samson
#
set -eu # abort on the first failing command and on any unset variable
HARDENING_LEVEL=2
PACKAGE='openssh-server'           # package that ships sshd
OPTIONS='IgnoreUserKnownHosts=yes' # Keyword=value pair enforced by this check
FILE='/etc/ssh/sshd_config'        # file rewritten by apply()
# This function will be called if the script status is on enabled / audit mode
# Audit the single "Keyword=value" pair in $OPTIONS against the running sshd
# configuration.  Leaves the result in FNRET:
#   0 value is effective at runtime
#   1 keyword present in $FILE but with another value
#   2 keyword absent from $FILE
#   5 $PACKAGE is not installed
# SSH_PARAM, SSH_VALUE, PATTERN and PATTERN_INFO are set as globals on the way.
audit () {
    is_pkg_installed $PACKAGE
    if [ $FNRET != 0 ]; then
        crit "$PACKAGE is not installed!"
        FNRET=5
        return
    fi
    ok "$PACKAGE is installed"
    SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
    SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
    check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE
    if [ $FNRET = 0 ]; then
        ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
        return
    fi
    crit "The keyword value pair \"$SSH_PARAM $SSH_VALUE\" does not exist in the sshd runtime configuration."
    PATTERN="^$SSH_PARAM[[:space:]]*"
    PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
    # Tell "set to a wrong value" apart from "not configured at all"
    does_pattern_exist_in_file $FILE "$PATTERN"
    if [ $FNRET = 0 ]; then
        crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
        FNRET=1
    else
        crit "$PATTERN_INFO is not present in $FILE"
        FNRET=2
    fi
}
# This function will be called if the script status is on enabled mode
# Remediate according to the FNRET left by audit():
#   1 rewrite the existing keyword line in $FILE and reload sshd
#   2 append the keyword to $FILE and reload sshd
#   5 install $PACKAGE
# 0 only reports success; any other value is left untouched.
apply () {
    SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
    SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
    PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
    if [ "$FNRET" = 0 ]; then
        ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
    elif [ "$FNRET" = 1 ]; then
        warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
        replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
        /etc/init.d/ssh reload > /dev/null 2>&1
    elif [ "$FNRET" = 2 ]; then
        warn "$PATTERN_INFO is not present in $FILE, need add to sshd_config and reload"
        add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
        /etc/init.d/ssh reload > /dev/null 2>&1
    elif [ "$FNRET" = 5 ]; then
        warn "$PACKAGE is absent, installing it"
        apt_install $PACKAGE
    fi
}
# This function will check config parameters required
# No extra configuration parameter is needed for this check; kept only to
# satisfy the common script interface (presumably invoked by lib/main.sh).
check_config() {
    true
}
# Source Root Dir Parameter
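# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${VAR:-} keeps this test reachable under `set -u`: with a bare $CIS_ROOT_DIR
# a missing defaults file aborted with "unbound variable" before the message.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a root directory containing blanks cannot split into several words.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi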
================================================
FILE: bin/hardening/9.3.17_sshd_GSSAPIAuthentication.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 9.3.17 Set SSHD GSSAPIAuthentication to no (Scored)
# Author : Samson wen, Samson
#
set -eu # abort on the first failing command and on any unset variable
HARDENING_LEVEL=2
PACKAGE='openssh-server'          # package that ships sshd
OPTIONS='GSSAPIAuthentication=no' # Keyword=value pair enforced by this check
FILE='/etc/ssh/sshd_config'       # file rewritten by apply()
# This function will be called if the script status is on enabled / audit mode
# Audit the single "Keyword=value" pair in $OPTIONS against the running sshd
# configuration.  Leaves the result in FNRET:
#   0 value is effective at runtime
#   1 keyword present in $FILE but with another value
#   2 keyword absent from $FILE
#   5 $PACKAGE is not installed
# SSH_PARAM, SSH_VALUE, PATTERN and PATTERN_INFO are set as globals on the way.
audit () {
    is_pkg_installed $PACKAGE
    if [ $FNRET != 0 ]; then
        crit "$PACKAGE is not installed!"
        FNRET=5
        return
    fi
    ok "$PACKAGE is installed"
    SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
    SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
    check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE
    if [ $FNRET = 0 ]; then
        ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
        return
    fi
    crit "The keyword value pair \"$SSH_PARAM $SSH_VALUE\" does not exist in the sshd runtime configuration."
    PATTERN="^$SSH_PARAM[[:space:]]*"
    PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
    # Tell "set to a wrong value" apart from "not configured at all"
    does_pattern_exist_in_file $FILE "$PATTERN"
    if [ $FNRET = 0 ]; then
        crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
        FNRET=1
    else
        crit "$PATTERN_INFO is not present in $FILE"
        FNRET=2
    fi
}
# This function will be called if the script status is on enabled mode
# Remediate according to the FNRET left by audit():
#   1 rewrite the existing keyword line in $FILE and reload sshd
#   2 append the keyword to $FILE and reload sshd
#   5 install $PACKAGE
# 0 only reports success; any other value is left untouched.
apply () {
    SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
    SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
    PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
    if [ "$FNRET" = 0 ]; then
        ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
    elif [ "$FNRET" = 1 ]; then
        warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
        replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
        /etc/init.d/ssh reload > /dev/null 2>&1
    elif [ "$FNRET" = 2 ]; then
        warn "$PATTERN_INFO is not present in $FILE, need add to sshd_config and reload"
        add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
        /etc/init.d/ssh reload > /dev/null 2>&1
    elif [ "$FNRET" = 5 ]; then
        warn "$PACKAGE is absent, installing it"
        apt_install $PACKAGE
    fi
}
# This function will check config parameters required
# No extra configuration parameter is needed for this check; kept only to
# satisfy the common script interface (presumably invoked by lib/main.sh).
check_config() {
    true
}
# Source Root Dir Parameter
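# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${VAR:-} keeps this test reachable under `set -u`: with a bare $CIS_ROOT_DIR
# a missing defaults file aborted with "unbound variable" before the message.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a root directory containing blanks cannot split into several words.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi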
================================================
FILE: bin/hardening/9.3.18_sshd_KerberosAuthentication.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 9.3.18 Set SSHD KerberosAuthentication to no (Scored)
# Author : Samson wen, Samson
#
set -eu # abort on the first failing command and on any unset variable
HARDENING_LEVEL=2
PACKAGE='openssh-server'             # package that ships sshd
OPTIONS='KerberosAuthentication=no'  # Keyword=value pair enforced by this check
FILE='/etc/ssh/sshd_config'          # file rewritten by apply()
# This function will be called if the script status is on enabled / audit mode
# Audit the single "Keyword=value" pair in $OPTIONS against the running sshd
# configuration.  Leaves the result in FNRET:
#   0 value is effective at runtime
#   1 keyword present in $FILE but with another value
#   2 keyword absent from $FILE
#   5 $PACKAGE is not installed
# SSH_PARAM, SSH_VALUE, PATTERN and PATTERN_INFO are set as globals on the way.
audit () {
    is_pkg_installed $PACKAGE
    if [ $FNRET != 0 ]; then
        crit "$PACKAGE is not installed!"
        FNRET=5
        return
    fi
    ok "$PACKAGE is installed"
    SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
    SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
    check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE
    if [ $FNRET = 0 ]; then
        ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
        return
    fi
    crit "The keyword value pair \"$SSH_PARAM $SSH_VALUE\" does not exist in the sshd runtime configuration."
    PATTERN="^$SSH_PARAM[[:space:]]*"
    PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
    # Tell "set to a wrong value" apart from "not configured at all"
    does_pattern_exist_in_file $FILE "$PATTERN"
    if [ $FNRET = 0 ]; then
        crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
        FNRET=1
    else
        crit "$PATTERN_INFO is not present in $FILE"
        FNRET=2
    fi
}
# This function will be called if the script status is on enabled mode
# Remediate according to the FNRET left by audit():
#   1 rewrite the existing keyword line in $FILE and reload sshd
#   2 append the keyword to $FILE and reload sshd
#   5 install $PACKAGE
# 0 only reports success; any other value is left untouched.
apply () {
    SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
    SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
    PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
    if [ "$FNRET" = 0 ]; then
        ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
    elif [ "$FNRET" = 1 ]; then
        warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
        replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
        /etc/init.d/ssh reload > /dev/null 2>&1
    elif [ "$FNRET" = 2 ]; then
        warn "$PATTERN_INFO is not present in $FILE, need add to sshd_config and reload"
        add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
        /etc/init.d/ssh reload > /dev/null 2>&1
    elif [ "$FNRET" = 5 ]; then
        warn "$PACKAGE is absent, installing it"
        apt_install $PACKAGE
    fi
}
# This function will check config parameters required
# No extra configuration parameter is needed for this check; kept only to
# satisfy the common script interface (presumably invoked by lib/main.sh).
check_config() {
    true
}
# Source Root Dir Parameter
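# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${VAR:-} keeps this test reachable under `set -u`: with a bare $CIS_ROOT_DIR
# a missing defaults file aborted with "unbound variable" before the message.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a root directory containing blanks cannot split into several words.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi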
================================================
FILE: bin/hardening/9.3.19_sshd_StrictModes.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 9.3.19 Set SSHD StrictModes to yes (Scored)
# Author : Samson wen, Samson
#
set -eu # abort on the first failing command and on any unset variable
HARDENING_LEVEL=2
PACKAGE='openssh-server'     # package that ships sshd
OPTIONS='StrictModes=yes'    # Keyword=value pair enforced by this check
FILE='/etc/ssh/sshd_config'  # file rewritten by apply()
# This function will be called if the script status is on enabled / audit mode
# Audit the single "Keyword=value" pair in $OPTIONS against the running sshd
# configuration.  Leaves the result in FNRET:
#   0 value is effective at runtime
#   1 keyword present in $FILE but with another value
#   2 keyword absent from $FILE
#   5 $PACKAGE is not installed
# SSH_PARAM, SSH_VALUE, PATTERN and PATTERN_INFO are set as globals on the way.
audit () {
    is_pkg_installed $PACKAGE
    if [ $FNRET != 0 ]; then
        crit "$PACKAGE is not installed!"
        FNRET=5
        return
    fi
    ok "$PACKAGE is installed"
    SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
    SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
    check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE
    if [ $FNRET = 0 ]; then
        ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
        return
    fi
    crit "The keyword value pair \"$SSH_PARAM $SSH_VALUE\" does not exist in the sshd runtime configuration."
    PATTERN="^$SSH_PARAM[[:space:]]*"
    PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
    # Tell "set to a wrong value" apart from "not configured at all"
    does_pattern_exist_in_file $FILE "$PATTERN"
    if [ $FNRET = 0 ]; then
        crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
        FNRET=1
    else
        crit "$PATTERN_INFO is not present in $FILE"
        FNRET=2
    fi
}
# This function will be called if the script status is on enabled mode
# Remediate according to the FNRET left by audit():
#   1 rewrite the existing keyword line in $FILE and reload sshd
#   2 append the keyword to $FILE and reload sshd
#   5 install $PACKAGE
# 0 only reports success; any other value is left untouched.
apply () {
    SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
    SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
    PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
    if [ "$FNRET" = 0 ]; then
        ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
    elif [ "$FNRET" = 1 ]; then
        warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
        replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
        /etc/init.d/ssh reload > /dev/null 2>&1
    elif [ "$FNRET" = 2 ]; then
        warn "$PATTERN_INFO is not present in $FILE, need add to sshd_config and reload"
        add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
        /etc/init.d/ssh reload > /dev/null 2>&1
    elif [ "$FNRET" = 5 ]; then
        warn "$PACKAGE is absent, installing it"
        apt_install $PACKAGE
    fi
}
# This function will check config parameters required
# No extra configuration parameter is needed for this check; kept only to
# satisfy the common script interface (presumably invoked by lib/main.sh).
check_config() {
    true
}
# Source Root Dir Parameter
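# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${VAR:-} keeps this test reachable under `set -u`: with a bare $CIS_ROOT_DIR
# a missing defaults file aborted with "unbound variable" before the message.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a root directory containing blanks cannot split into several words.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi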
================================================
FILE: bin/hardening/9.3.1_sshd_protocol.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 9.3.1 Set SSH Protocol to 2 (Scored)
#
set -eu # abort on the first failing command and on any unset variable
HARDENING_LEVEL=2
PACKAGE='openssh-server'     # package that ships sshd
OPTIONS='Protocol=2'         # Keyword=value pair(s) enforced by this check
FILE='/etc/ssh/sshd_config'  # file rewritten by apply()
# This function will be called if the script status is on enabled / audit mode
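# Audit: for each "Keyword=value" in $OPTIONS, $FILE must contain a line whose
# whole value is that value.  The pattern is anchored at end of line so that
# "Protocol 2,1" (SSH-1 still enabled) no longer passes as "Protocol 2".
# FNRET is left as set by the last helper call; no explicit code is assigned here.
audit () {
    is_pkg_installed $PACKAGE
    if [ $FNRET != 0 ]; then
        crit "$PACKAGE is not installed!"
        return
    fi
    ok "$PACKAGE is installed"
    for SSH_OPTION in $OPTIONS; do
        SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
        SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
        # trailing blanks are tolerated; anything else after the value is a mismatch
        PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE[[:space:]]*\$"
        does_pattern_exist_in_file $FILE "$PATTERN"
        if [ $FNRET = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
            crit "$PATTERN is not present in $FILE"
        fi
    done
}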
# This function will be called if the script status is on enabled mode
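# Remediate: install $PACKAGE if missing, then for each "Keyword=value" in
# $OPTIONS make sure $FILE carries exactly that value — a line with extra
# content after the value (e.g. "Protocol 2,1") is treated as wrong and
# rewritten, matching the end-anchored check in audit().  sshd is reloaded
# after every change.
apply () {
    is_pkg_installed $PACKAGE
    if [ $FNRET = 0 ]; then
        ok "$PACKAGE is installed"
    else
        crit "$PACKAGE is absent, installing it"
        apt_install $PACKAGE
    fi
    for SSH_OPTION in $OPTIONS; do
        SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
        SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
        # trailing blanks are tolerated; anything else after the value is a mismatch
        PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE[[:space:]]*\$"
        does_pattern_exist_in_file $FILE "$PATTERN"
        if [ $FNRET = 0 ]; then
            ok "$PATTERN is present in $FILE"
            continue
        fi
        warn "$PATTERN is not present in $FILE, adding it"
        # keyword absent -> append; keyword present with another value -> rewrite
        does_pattern_exist_in_file $FILE "^$SSH_PARAM"
        if [ $FNRET != 0 ]; then
            add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
        else
            info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
            replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
        fi
        /etc/init.d/ssh reload > /dev/null 2>&1
    done
}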
# This function will check config parameters required
# No extra configuration parameter is needed for this check; kept only to
# satisfy the common script interface (presumably invoked by lib/main.sh).
check_config() {
    true
}
# Source Root Dir Parameter
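# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${VAR:-} keeps this test reachable under `set -u`: with a bare $CIS_ROOT_DIR
# a missing defaults file aborted with "unbound variable" before the message.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a root directory containing blanks cannot split into several words.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi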
================================================
FILE: bin/hardening/9.3.20_sshd_compression.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 9.3.20 Set SSHD Compression to no (Scored)
# Author : Samson wen, Samson
#
set -eu # abort on the first failing command and on any unset variable
HARDENING_LEVEL=2
PACKAGE='openssh-server'     # package that ships sshd
OPTIONS='Compression=no'     # Keyword=value pair enforced by this check
FILE='/etc/ssh/sshd_config'  # file rewritten by apply()
# This function will be called if the script status is on enabled / audit mode
# Audit the single "Keyword=value" pair in $OPTIONS against the running sshd
# configuration.  Leaves the result in FNRET:
#   0 value is effective at runtime
#   1 keyword present in $FILE but with another value
#   2 keyword absent from $FILE
#   5 $PACKAGE is not installed
# SSH_PARAM, SSH_VALUE, PATTERN and PATTERN_INFO are set as globals on the way.
audit () {
    is_pkg_installed $PACKAGE
    if [ $FNRET != 0 ]; then
        crit "$PACKAGE is not installed!"
        FNRET=5
        return
    fi
    ok "$PACKAGE is installed"
    SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
    SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
    check_sshd_conf_for_one_value_runtime $SSH_PARAM $SSH_VALUE
    if [ $FNRET = 0 ]; then
        ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
        return
    fi
    crit "The keyword value pair \"$SSH_PARAM $SSH_VALUE\" does not exist in the sshd runtime configuration."
    PATTERN="^$SSH_PARAM[[:space:]]*"
    PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
    # Tell "set to a wrong value" apart from "not configured at all"
    does_pattern_exist_in_file $FILE "$PATTERN"
    if [ $FNRET = 0 ]; then
        crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
        FNRET=1
    else
        crit "$PATTERN_INFO is not present in $FILE"
        FNRET=2
    fi
}
# This function will be called if the script status is on enabled mode
# Remediate according to the FNRET left by audit():
#   1 rewrite the existing keyword line in $FILE and reload sshd
#   2 append the keyword to $FILE and reload sshd
#   5 install $PACKAGE
# 0 only reports success; any other value is left untouched.
apply () {
    SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
    SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
    PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
    if [ "$FNRET" = 0 ]; then
        ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
    elif [ "$FNRET" = 1 ]; then
        warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
        replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
        /etc/init.d/ssh reload > /dev/null 2>&1
    elif [ "$FNRET" = 2 ]; then
        warn "$PATTERN_INFO is not present in $FILE, need add to sshd_config and reload"
        add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
        /etc/init.d/ssh reload > /dev/null 2>&1
    elif [ "$FNRET" = 5 ]; then
        warn "$PACKAGE is absent, installing it"
        apt_install $PACKAGE
    fi
}
# This function will check config parameters required
# No extra configuration parameter is needed for this check; kept only to
# satisfy the common script interface (presumably invoked by lib/main.sh).
check_config() {
    true
}
# Source Root Dir Parameter
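# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${VAR:-} keeps this test reachable under `set -u`: with a bare $CIS_ROOT_DIR
# a missing defaults file aborted with "unbound variable" before the message.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a root directory containing blanks cannot split into several words.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi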
================================================
FILE: bin/hardening/9.3.21_sshd_MACs.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 9.3.21 Set SSHD MACs to hmac-sha2-256,hmac-sha2-512 (Scored)
# Author : Samson wen, Samson
#
# Abort on the first failing command and on any reference to an unset variable.
set -o errexit
set -o nounset
# Hardening level this check belongs to (presumably consumed by the sourced framework).
HARDENING_LEVEL=2
# Package providing the daemon under audit.
PACKAGE="openssh-server"
# "Keyword=value" pair expected in the sshd runtime configuration.
OPTIONS="MACs=hmac-sha2-256,hmac-sha2-512"
# Configuration file the apply step edits.
FILE="/etc/ssh/sshd_config"
# This function will be called if the script status is on enabled / audit mode
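# Audit mode entry point: verify every MAC listed in OPTIONS is present in the
# sshd runtime configuration ('sshd -T').
# Globals: PACKAGE, OPTIONS (read); FNRET (written).
# Outputs: ok/crit lines via the framework logging helpers.
# Sets FNRET: 0 = all values present, 1 = at least one value missing,
#             5 = PACKAGE not installed.
audit () {
  is_pkg_installed "$PACKAGE"
  if [ "$FNRET" != 0 ]; then
    crit "$PACKAGE is not installed!"
    FNRET=5
    return
  fi
  SSH_PARAM=${OPTIONS%%=*}
  SSH_VALUES=${OPTIONS#*=}
  # Required algorithms, one per word.
  VALUES_CHECK=${SSH_VALUES//,/ }
  # Effective list as sshd reports it; anchored so another keyword that merely
  # contains the same substring cannot match.
  VALUES_RUNTIME=$(sshd -T | grep -iw "^${SSH_PARAM}" | awk '{print $2}')
  SET_VALUES_TMP=""
  for VALUE in $VALUES_CHECK; do
    # Exact comma-delimited token match. 'grep -w' treats '-' as a word
    # boundary, so "hmac-sha2-256" was accepted when only
    # "hmac-sha2-256-etm@openssh.com" was configured.
    case ",${VALUES_RUNTIME}," in
      *",${VALUE},"*)
        ok "$VALUE has set in the runtime configuration."
        ;;
      *)
        # Comma-separated so the list reported below reads correctly; the
        # original appended bare values and then chopped the last character.
        SET_VALUES_TMP+="$VALUE,"
        crit "$VALUE is not set in the runtime configuration."
        ;;
    esac
  done
  # Drop the trailing comma.
  SET_VALUES=${SET_VALUES_TMP%,}
  if [ -z "$SET_VALUES" ]; then
    FNRET=0
  else
    crit "Need to add set values ${SET_VALUES} to sshd_config."
    FNRET=1
  fi
}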
# This function will be called if the script status is on enabled mode
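# Apply mode entry point: add the MACs from OPTIONS that are missing from the
# sshd runtime configuration, then reload sshd.
# Globals: OPTIONS, FILE, PACKAGE, FNRET (read; FNRET also rewritten by
#          does_pattern_exist_in_file).
# FNRET from audit(): 0 = nothing to do, 1 = values missing, 5 = install PACKAGE.
apply () {
  SSH_PARAM=${OPTIONS%%=*}
  SSH_VALUES=${OPTIONS#*=}
  case $FNRET in
    0)
      ok "The value of keyword $SSH_PARAM has set to $SSH_VALUES, it's correct."
      ;;
    1)
      VALUES_CHECK=${SSH_VALUES//,/ }
      # Anchored on the keyword, consistent with the audit.
      VALUES_RUNTIME=$(sshd -T | grep -iw "^${SSH_PARAM}" | awk '{print $2}')
      SET_VALUES_TMP=""
      for VALUE in $VALUES_CHECK; do
        # Exact token match; 'grep -w' accepted "hmac-sha2-256" when only the
        # "-etm@openssh.com" variant was configured.
        case ",${VALUES_RUNTIME}," in
          *",${VALUE},"*)
            debug "$VALUE has set in the runtime configuration."
            ;;
          *)
            debug "$VALUE is not set in the runtime configuration."
            SET_VALUES_TMP+="$VALUE,"
            ;;
        esac
      done
      SET_VALUES=${SET_VALUES_TMP%,}
      if [ -n "$SET_VALUES" ]; then
        warn "Need to add set values ${SET_VALUES} to sshd_config."
        PATTERN="^$SSH_PARAM[[:space:]]*"
        does_pattern_exist_in_file "$FILE" "$PATTERN"
        # NOTE(review): the written list keeps every MAC sshd already negotiates
        # and only appends the missing ones; if the intent is to allow *only*
        # the OPTIONS algorithms, SSH_VALUES should be written instead -- confirm.
        SET_VALUES_NOW="${VALUES_RUNTIME},${SET_VALUES}"
        if [ "$FNRET" = 0 ]; then
          warn "$SSH_PARAM has exist $FILE, replace new values $SET_VALUES_NOW to $FILE, fixing and reload"
          replace_in_file "$FILE" "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SET_VALUES_NOW"
          /etc/init.d/ssh reload > /dev/null 2>&1
        else
          warn "$SSH_PARAM is not present in $FILE, need add to sshd_config and reload"
          add_end_of_file "$FILE" "$SSH_PARAM $SET_VALUES_NOW"
          /etc/init.d/ssh reload > /dev/null 2>&1
        fi
      fi
      ;;
    5)
      warn "$PACKAGE is absent, installing it"
      install_package "$PACKAGE"
      ;;
    *) ;;
  esac
}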
# This function will check config parameters required
# Config sanity hook required by the framework; this check needs no extra
# parameters, so it is a no-op that returns success.
check_config() {
  return 0
}
# Source Root Dir Parameter
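if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# The script runs under 'set -u': without the ':-' default an unset CIS_ROOT_DIR
# aborts with "unbound variable" before the diagnostic below can be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a root directory containing whitespace is not word-split.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi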
================================================
FILE: bin/hardening/9.3.22_ssh_check_pub_hostkey_permission.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 9.3.22 Check SSH public host key permission (Scored)
# Author : Samson wen, Samson
#
# Abort on the first failing command and on any reference to an unset variable.
set -o errexit
set -o nounset
# Hardening level this check belongs to (presumably consumed by the sourced framework).
HARDENING_LEVEL=2
# Expected owner, group and mode of the SSH public host key files.
USER="root"
GROUP="root"
PERMISSIONS="0644"
# This function will be called if the script status is on enabled / audit mode
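# Audit mode entry point: report host key files under /etc/ssh not owned by
# USER:GROUP, and *.pub files whose mode is more permissive than PERMISSIONS.
# Globals: USER, GROUP, PERMISSIONS (read).
# Outputs: ok/crit lines via the framework logging helpers.
audit () {
  # The ownership tests are grouped: without the parentheses find parses
  # '-name X ! -uid 0 -o ! -gid 0' as '(-name X -a ! -uid 0) -o (! -gid 0)',
  # so any file under /etc/ssh with a non-root group was reported.
  # NOTE(review): this name filter matches the private key files, not the
  # *.pub files this check is named for -- confirm the intended file set.
  if [ "$(find /etc/ssh/ -name "*ssh_host*key" \( ! -uid 0 -o ! -gid 0 \) | wc -l)" -gt 0 ]; then
    crit "There are file ownership was not set to $USER:$GROUP"
  else
    ok "There are file has correct ownership"
  fi
  # -perm /133: any of owner-execute, group-write/execute or other-write/execute
  # set, i.e. looser than 0644.
  if [ "$(find /etc/ssh/ -name "*.pub" -perm /133 | wc -l)" -gt 0 ]; then
    crit "There are file file has a mode more permissive than $PERMISSIONS"
  else
    ok "Not any file has a mode more permissive than $PERMISSIONS"
  fi
}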
# This function will be called if the script status is on enabled mode
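# Apply mode entry point: chown host key files under /etc/ssh to USER:GROUP
# and tighten *.pub files to PERMISSIONS.
# Globals: USER, GROUP, PERMISSIONS (read).
# Outputs: ok/warn lines via the framework logging helpers.
apply () {
  # Parentheses are required: un-grouped, find parsed the expression as
  # '(-name X -a ! -uid 0) -o (! -gid 0 -a -exec ...)', so a file with a wrong
  # uid but root gid was only printed, never chowned.
  if [ "$(find /etc/ssh/ -name "*ssh_host*key" \( ! -uid 0 -o ! -gid 0 \) | wc -l)" -gt 0 ]; then
    warn "There are file ownership was not set to $USER:$GROUP"
    find /etc/ssh/ -name "*ssh_host*key" \( ! -uid 0 -o ! -gid 0 \) -exec chown "$USER:$GROUP" {} \;
  else
    ok "There are file has correct ownership"
  fi
  # -perm /133: any permission bit beyond 0644 is set.
  if [ "$(find /etc/ssh/ -name "*.pub" -perm /133 | wc -l)" -gt 0 ]; then
    warn "Set ssh public host key permission to $PERMISSIONS"
    find /etc/ssh/ -name "*.pub" -perm /133 -exec chmod "$PERMISSIONS" {} \;
  else
    # Message corrected: this branch means no file is too permissive.
    ok "Not any file has a mode more permissive than $PERMISSIONS"
  fi
}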
# This function will check config parameters required
# Config sanity hook required by the framework; this check needs no extra
# parameters, so it is a no-op that returns success.
check_config() {
  return 0
}
# Source Root Dir Parameter
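if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# The script runs under 'set -u': without the ':-' default an unset CIS_ROOT_DIR
# aborts with "unbound variable" before the diagnostic below can be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a root directory containing whitespace is not word-split.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi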
================================================
FILE: bin/hardening/9.3.23_ssh_check_priv_hostkey_permission.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 9.3.23 Check SSH private host key permission (Scored)
# Author : Samson wen, Samson
#
# Abort on the first failing command and on any reference to an unset variable.
set -o errexit
set -o nounset
# Hardening level this check belongs to (presumably consumed by the sourced framework).
HARDENING_LEVEL=2
# Expected owner, group and mode of the SSH private host key files.
USER="root"
GROUP="root"
PERMISSIONS="0600"
# This function will be called if the script status is on enabled / audit mode
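# Audit mode entry point: report private host key files under /etc/ssh not
# owned by USER:GROUP, or whose mode is more permissive than PERMISSIONS.
# Globals: USER, GROUP, PERMISSIONS (read).
# Outputs: ok/crit lines via the framework logging helpers.
audit () {
  # The ownership tests are grouped: without the parentheses find parses
  # '-name X ! -uid 0 -o ! -gid 0' as '(-name X -a ! -uid 0) -o (! -gid 0)',
  # so any file under /etc/ssh with a non-root group was reported.
  if [ "$(find /etc/ssh/ -name "*ssh_host*key" \( ! -uid 0 -o ! -gid 0 \) | wc -l)" -gt 0 ]; then
    crit "There are file ownership was not set to $USER:$GROUP"
  else
    ok "There are file has correct ownership"
  fi
  # -perm /177: any bit beyond owner read/write is set, i.e. looser than 0600.
  if [ "$(find /etc/ssh/ -name "*ssh_host*key" -perm /177 | wc -l)" -gt 0 ]; then
    crit "There are file file has a mode more permissive than $PERMISSIONS"
  else
    ok "Not any file has a mode more permissive than $PERMISSIONS"
  fi
}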
# This function will be called if the script status is on enabled mode
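# Apply mode entry point: chown private host key files under /etc/ssh to
# USER:GROUP and tighten their mode to PERMISSIONS.
# Globals: USER, GROUP, PERMISSIONS (read).
# Outputs: ok/warn lines via the framework logging helpers.
apply () {
  # Parentheses are required: un-grouped, find parsed the expression as
  # '(-name X -a ! -uid 0) -o (! -gid 0 -a -exec ...)', so a file with a wrong
  # uid but root gid was only printed, never chowned.
  if [ "$(find /etc/ssh/ -name "*ssh_host*key" \( ! -uid 0 -o ! -gid 0 \) | wc -l)" -gt 0 ]; then
    warn "There are file ownership was not set to $USER:$GROUP"
    find /etc/ssh/ -name "*ssh_host*key" \( ! -uid 0 -o ! -gid 0 \) -exec chown "$USER:$GROUP" {} \;
  else
    ok "There are file has correct ownership"
  fi
  # -perm /177: any permission bit beyond 0600 is set.
  if [ "$(find /etc/ssh/ -name "*ssh_host*key" -perm /177 | wc -l)" -gt 0 ]; then
    warn "Set ssh private host key permission to 0600"
    find /etc/ssh/ -name "*ssh_host*key" -perm /177 -exec chmod "$PERMISSIONS" {} \;
  else
    # Message corrected: this branch means no file is too permissive.
    ok "Not any file has a mode more permissive than $PERMISSIONS"
  fi
}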
# This function will check config parameters required
# Config sanity hook required by the framework; this check needs no extra
# parameters, so it is a no-op that returns success.
check_config() {
  return 0
}
# Source Root Dir Parameter
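if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# The script runs under 'set -u': without the ':-' default an unset CIS_ROOT_DIR
# aborts with "unbound variable" before the diagnostic below can be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a root directory containing whitespace is not word-split.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi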
================================================
FILE: bin/hardening/9.3.24_sshd_kexalgorithms.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9 Hardening
#
#
# 9.3.25 Ensure only strong Key Exchange algorithms are used (Scored)
# Author : Samson wen, Samson
#
# Abort on the first failing command and on any reference to an unset variable.
set -o errexit
set -o nounset
# Hardening level this check belongs to (presumably consumed by the sourced framework).
HARDENING_LEVEL=2
# Package providing the daemon under audit.
PACKAGE="openssh-server"
# The only Key Exchange Algorithms currently FIPS 140-2 approved are:
# ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,
# diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
# "Keyword=value" pair expected in the sshd runtime configuration.
OPTIONS="KexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256"
# Configuration file the apply step edits.
FILE="/etc/ssh/sshd_config"
# This function will be called if the script status is on enabled / audit mode
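# Audit mode entry point: verify every key exchange algorithm listed in
# OPTIONS is present in the sshd runtime configuration ('sshd -T').
# Globals: PACKAGE, OPTIONS (read); FNRET (written).
# Outputs: ok/crit lines via the framework logging helpers.
# Sets FNRET: 0 = all values present, 1 = at least one value missing,
#             5 = PACKAGE not installed.
audit () {
  is_pkg_installed "$PACKAGE"
  if [ "$FNRET" != 0 ]; then
    crit "$PACKAGE is not installed!"
    FNRET=5
    return
  fi
  SSH_PARAM=${OPTIONS%%=*}
  SSH_VALUES=${OPTIONS#*=}
  # Required algorithms, one per word.
  VALUES_CHECK=${SSH_VALUES//,/ }
  # Effective list as sshd reports it, anchored on the keyword.
  VALUES_RUNTIME=$(sshd -T | grep -iw "^${SSH_PARAM}" | awk '{print $2}')
  SET_VALUES_TMP=""
  for VALUE in $VALUES_CHECK; do
    # Exact comma-delimited token match instead of 'grep -w', which treats '-'
    # as a word boundary and so also matches a longer algorithm name that
    # merely starts with VALUE.
    case ",${VALUES_RUNTIME}," in
      *",${VALUE},"*)
        ok "$VALUE has set in the runtime configuration."
        ;;
      *)
        # Comma-separated so the list reported below reads correctly; the
        # original appended bare values and then chopped the last character.
        SET_VALUES_TMP+="$VALUE,"
        crit "$VALUE is not set in the runtime configuration."
        ;;
    esac
  done
  # Drop the trailing comma.
  SET_VALUES=${SET_VALUES_TMP%,}
  if [ -z "$SET_VALUES" ]; then
    FNRET=0
  else
    crit "Need to add set values ${SET_VALUES} to sshd_config."
    FNRET=1
  fi
}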
# This function will be called if the script status is on enabled mode
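# Apply mode entry point: add the key exchange algorithms from OPTIONS that are
# missing from the sshd runtime configuration, then reload sshd.
# Globals: OPTIONS, FILE, PACKAGE, FNRET (read; FNRET also rewritten by
#          does_pattern_exist_in_file).
# FNRET from audit(): 0 = nothing to do, 1 = values missing, 5 = install PACKAGE.
apply () {
  SSH_PARAM=${OPTIONS%%=*}
  SSH_VALUES=${OPTIONS#*=}
  case $FNRET in
    0)
      ok "The value of keyword $SSH_PARAM has set to $SSH_VALUES, it's correct."
      ;;
    1)
      VALUES_CHECK=${SSH_VALUES//,/ }
      VALUES_RUNTIME=$(sshd -T | grep -iw "^${SSH_PARAM}" | awk '{print $2}')
      SET_VALUES_TMP=""
      for VALUE in $VALUES_CHECK; do
        # Exact token match; 'grep -w' also matched a longer algorithm name
        # that merely starts with VALUE.
        case ",${VALUES_RUNTIME}," in
          *",${VALUE},"*)
            debug "$VALUE has set in the runtime configuration."
            ;;
          *)
            debug "$VALUE is not set in the runtime configuration."
            SET_VALUES_TMP+="$VALUE,"
            ;;
        esac
      done
      SET_VALUES=${SET_VALUES_TMP%,}
      if [ -n "$SET_VALUES" ]; then
        warn "Need to add set values ${SET_VALUES} to sshd_config."
        PATTERN="^$SSH_PARAM[[:space:]]*"
        does_pattern_exist_in_file "$FILE" "$PATTERN"
        # NOTE(review): the written list keeps every algorithm sshd already
        # negotiates and only appends the missing ones; if the intent is to
        # allow *only* the OPTIONS algorithms, write SSH_VALUES instead -- confirm.
        SET_VALUES_NOW="${VALUES_RUNTIME},${SET_VALUES}"
        if [ "$FNRET" = 0 ]; then
          warn "$SSH_PARAM has exist $FILE, replace new values $SET_VALUES_NOW to $FILE, fixing and reload"
          replace_in_file "$FILE" "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SET_VALUES_NOW"
          /etc/init.d/ssh reload > /dev/null 2>&1
        else
          warn "$SSH_PARAM is not present in $FILE, need add to sshd_config and reload"
          add_end_of_file "$FILE" "$SSH_PARAM $SET_VALUES_NOW"
          /etc/init.d/ssh reload > /dev/null 2>&1
        fi
      fi
      ;;
    5)
      warn "$PACKAGE is absent, installing it"
      install_package "$PACKAGE"
      ;;
    *) ;;
  esac
}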
# This function will check config parameters required
# Config sanity hook required by the framework; this check needs no extra
# parameters, so it is a no-op that returns success.
check_config() {
  return 0
}
# Source Root Dir Parameter
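if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# The script runs under 'set -u': without the ':-' default an unset CIS_ROOT_DIR
# aborts with "unbound variable" before the diagnostic below can be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a root directory containing whitespace is not word-split.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi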
================================================
FILE: bin/hardening/9.3.25_sshd_logingracetime.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9 Hardening
#
#
# 9.3.25 Ensure SSH LoginGraceTime is set to one minute or less (Scored)
# Author: Samson-W (sccxboy@gmail.com)
#
# Abort on the first failing command and on any reference to an unset variable.
set -o errexit
set -o nounset
# Hardening level this check belongs to (presumably consumed by the sourced framework).
HARDENING_LEVEL=3
# Package providing the daemon under audit.
PACKAGE="openssh-server"
# Configuration file the apply step edits.
FILE="/etc/ssh/sshd_config"
# "Keyword=value" pair expected in the sshd runtime configuration.
OPTIONS="LoginGraceTime=60"
# This function will be called if the script status is on enabled / audit mode
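# Audit mode entry point: verify the sshd runtime configuration carries the
# keyword/value pair in OPTIONS.
# Globals: PACKAGE, OPTIONS, FILE (read); FNRET (written).
# Outputs: ok/crit lines via the framework logging helpers.
# Sets FNRET: 0 = value correct, 1 = keyword present in FILE with wrong value,
#             2 = keyword absent from FILE, 5 = PACKAGE not installed.
audit () {
  is_pkg_installed "$PACKAGE"
  if [ "$FNRET" != 0 ]; then
    crit "$PACKAGE is not installed!"
    FNRET=5
    return
  fi
  ok "$PACKAGE is installed"
  # Split "Keyword=value" with parameter expansion; no subshell and no
  # truncation should a value itself contain '='.
  SSH_PARAM=${OPTIONS%%=*}
  SSH_VALUE=${OPTIONS#*=}
  check_sshd_conf_for_one_value_runtime "$SSH_PARAM" "$SSH_VALUE"
  if [ "$FNRET" = 0 ]; then
    ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
    FNRET=0
    return
  fi
  # One quoted argument: the original left the inner \"...\" span unquoted,
  # so the space inside it word-split the message.
  crit "The keyword value pair \"$SSH_PARAM $SSH_VALUE\" does not exist in the sshd runtime configuration."
  PATTERN="^$SSH_PARAM[[:space:]]*"
  PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
  does_pattern_exist_in_file "$FILE" "$PATTERN"
  if [ "$FNRET" = 0 ]; then
    crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
    FNRET=1
  else
    crit "$PATTERN_INFO is not present in $FILE"
    FNRET=2
  fi
}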
# This function will be called if the script status is on enabled mode
# Apply mode entry point: remediate according to the FNRET code left by audit().
#   0 -> nothing to do; 1 -> keyword present in FILE with a wrong value, rewrite
#   the line; 2 -> keyword absent from FILE, append it; 5 -> install PACKAGE.
# Globals: OPTIONS, FILE, PACKAGE, FNRET (read). Reloads sshd after editing FILE.
apply () {
  SSH_PARAM=${OPTIONS%%=*}
  SSH_VALUE=${OPTIONS#*=}
  PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
  if [ "$FNRET" = 0 ]; then
    ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
  elif [ "$FNRET" = 1 ]; then
    warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
    replace_in_file "$FILE" "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
    # Reload output is discarded; status is reported through warn/ok only.
    /etc/init.d/ssh reload > /dev/null 2>&1
  elif [ "$FNRET" = 2 ]; then
    warn "$PATTERN_INFO is not present in $FILE, need add to sshd_config and reload"
    add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
    /etc/init.d/ssh reload > /dev/null 2>&1
  elif [ "$FNRET" = 5 ]; then
    warn "$PACKAGE is absent, installing it"
    apt_install "$PACKAGE"
  fi
}
# This function will check config parameters required
# Config sanity hook required by the framework; this check needs no extra
# parameters, so it is a no-op that returns success.
check_config() {
  return 0
}
# Source Root Dir Parameter
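if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# The script runs under 'set -u': without the ':-' default an unset CIS_ROOT_DIR
# aborts with "unbound variable" before the diagnostic below can be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a root directory containing whitespace is not word-split.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi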
================================================
FILE: bin/hardening/9.3.2_sshd_loglevel.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 9.3.2 Set LogLevel to INFO (Scored)
#
# Abort on the first failing command and on any reference to an unset variable.
set -o errexit
set -o nounset
# Hardening level this check belongs to (presumably consumed by the sourced framework).
HARDENING_LEVEL=2
# Package providing the daemon under audit.
PACKAGE="openssh-server"
# "Keyword=value" pair expected in the sshd runtime configuration.
OPTIONS="LogLevel=INFO"
# Configuration file the apply step edits.
FILE="/etc/ssh/sshd_config"
# This function will be called if the script status is on enabled / audit mode
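# Audit mode entry point: verify the sshd runtime configuration carries the
# keyword/value pair in OPTIONS.
# Globals: PACKAGE, OPTIONS, FILE (read); FNRET (written).
# Outputs: ok/crit lines via the framework logging helpers.
# Sets FNRET: 0 = value correct, 1 = keyword present in FILE with wrong value,
#             2 = keyword absent from FILE, 5 = PACKAGE not installed.
audit () {
  is_pkg_installed "$PACKAGE"
  if [ "$FNRET" != 0 ]; then
    crit "$PACKAGE is not installed!"
    FNRET=5
    return
  fi
  ok "$PACKAGE is installed"
  # Split "Keyword=value" with parameter expansion; no subshell and no
  # truncation should a value itself contain '='.
  SSH_PARAM=${OPTIONS%%=*}
  SSH_VALUE=${OPTIONS#*=}
  check_sshd_conf_for_one_value_runtime "$SSH_PARAM" "$SSH_VALUE"
  if [ "$FNRET" = 0 ]; then
    ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
    FNRET=0
    return
  fi
  # One quoted argument: the original left the inner \"...\" span unquoted,
  # so the space inside it word-split the message.
  crit "The keyword value pair \"$SSH_PARAM $SSH_VALUE\" does not exist in the sshd runtime configuration."
  PATTERN="^$SSH_PARAM[[:space:]]*"
  PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
  does_pattern_exist_in_file "$FILE" "$PATTERN"
  if [ "$FNRET" = 0 ]; then
    crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
    FNRET=1
  else
    crit "$PATTERN_INFO is not present in $FILE"
    FNRET=2
  fi
}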
# This function will be called if the script status is on enabled mode
# Apply mode entry point: remediate according to the FNRET code left by audit().
#   0 -> nothing to do; 1 -> keyword present in FILE with a wrong value, rewrite
#   the line; 2 -> keyword absent from FILE, append it; 5 -> install PACKAGE.
# Globals: OPTIONS, FILE, PACKAGE, FNRET (read). Reloads sshd after editing FILE.
apply () {
  SSH_PARAM=${OPTIONS%%=*}
  SSH_VALUE=${OPTIONS#*=}
  PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
  if [ "$FNRET" = 0 ]; then
    ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
  elif [ "$FNRET" = 1 ]; then
    warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
    replace_in_file "$FILE" "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
    # Reload output is discarded; status is reported through warn/ok only.
    /etc/init.d/ssh reload > /dev/null 2>&1
  elif [ "$FNRET" = 2 ]; then
    warn "$PATTERN_INFO is not present in $FILE, need add to sshd_config and reload"
    add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
    /etc/init.d/ssh reload > /dev/null 2>&1
  elif [ "$FNRET" = 5 ]; then
    warn "$PACKAGE is absent, installing it"
    apt_install "$PACKAGE"
  fi
}
# This function will check config parameters required
# Config sanity hook required by the framework; this check needs no extra
# parameters, so it is a no-op that returns success.
check_config() {
  return 0
}
# Source Root Dir Parameter
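if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# The script runs under 'set -u': without the ':-' default an unset CIS_ROOT_DIR
# aborts with "unbound variable" before the diagnostic below can be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a root directory containing whitespace is not word-split.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi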
================================================
FILE: bin/hardening/9.3.3_sshd_conf_perm_ownership.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 9.3.3 Set Permissions on /etc/ssh/sshd_config (Scored)
#
# Abort on the first failing command and on any reference to an unset variable.
set -o errexit
set -o nounset
# Hardening level this check belongs to (presumably consumed by the sourced framework).
HARDENING_LEVEL=1
# File under audit and the ownership/mode it must have. PERMISSIONS carries no
# leading octal zero; apply() prefixes one when calling chmod.
FILE="/etc/ssh/sshd_config"
PERMISSIONS="600"
USER="root"
GROUP="root"
# This function will be called if the script status is on enabled / audit mode
# Audit mode entry point: report whether FILE is owned by USER:GROUP and has
# mode PERMISSIONS.
# Globals: FILE, USER, GROUP, PERMISSIONS (read); FNRET (written by helpers).
# Outputs: ok/crit lines via the framework logging helpers.
audit () {
  has_file_correct_ownership "$FILE" "$USER" "$GROUP"
  if [ "$FNRET" != 0 ]; then
    crit "$FILE ownership was not set to $USER:$GROUP"
  else
    ok "$FILE has correct ownership"
  fi
  has_file_correct_permissions "$FILE" "$PERMISSIONS"
  if [ "$FNRET" != 0 ]; then
    crit "$FILE permissions were not set to $PERMISSIONS"
  else
    ok "$FILE has correct permissions"
  fi
}
# This function will be called if the script status is on enabled mode
# Apply mode entry point: create FILE if missing, then force USER:GROUP
# ownership and PERMISSIONS on it.
# Globals: FILE, USER, GROUP, PERMISSIONS (read); FNRET (written by helpers).
# Outputs: info/warn/ok lines via the framework logging helpers.
apply () {
  does_file_exist "$FILE"
  if [ "$FNRET" != 0 ]; then
    info "$FILE does not exist"
    touch "$FILE"
  fi
  has_file_correct_ownership "$FILE" "$USER" "$GROUP"
  if [ "$FNRET" != 0 ]; then
    warn "fixing $FILE ownership to $USER:$GROUP"
    chown "$USER:$GROUP" "$FILE"
  else
    ok "$FILE has correct ownership"
  fi
  has_file_correct_permissions "$FILE" "$PERMISSIONS"
  if [ "$FNRET" != 0 ]; then
    info "fixing $FILE permissions to $PERMISSIONS"
    # PERMISSIONS is stored without the leading octal zero.
    chmod "0$PERMISSIONS" "$FILE"
  else
    ok "$FILE has correct permissions"
  fi
}
# This function will check config parameters required
# Config sanity hook: abort the script (exit 128) unless both USER and GROUP
# exist on this system.
# Globals: USER, GROUP (read); FNRET (written by helpers).
check_config() {
  does_user_exist "$USER"
  [ "$FNRET" = 0 ] || { crit "$USER does not exist"; exit 128; }
  does_group_exist "$GROUP"
  [ "$FNRET" = 0 ] || { crit "$GROUP does not exist"; exit 128; }
}
# Source Root Dir Parameter
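if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# The script runs under 'set -u': without the ':-' default an unset CIS_ROOT_DIR
# aborts with "unbound variable" before the diagnostic below can be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a root directory containing whitespace is not word-split.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi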
================================================
FILE: bin/hardening/9.3.4_disable_x11_forwarding.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 9.3.4 Disable SSH X11 Forwarding (Scored)
#
# Abort on the first failing command and on any reference to an unset variable.
set -o errexit
set -o nounset
# Hardening level this check belongs to (presumably consumed by the sourced framework).
HARDENING_LEVEL=2
# Package providing the daemon under audit.
PACKAGE="openssh-server"
# "Keyword=value" pair expected in the sshd runtime configuration.
OPTIONS="X11Forwarding=no"
# Configuration file the apply step edits.
FILE="/etc/ssh/sshd_config"
# This function will be called if the script status is on enabled / audit mode
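# Audit mode entry point: verify the sshd runtime configuration carries the
# keyword/value pair in OPTIONS.
# Globals: PACKAGE, OPTIONS, FILE (read); FNRET (written).
# Outputs: ok/crit lines via the framework logging helpers.
# Sets FNRET: 0 = value correct, 1 = keyword present in FILE with wrong value,
#             2 = keyword absent from FILE, 5 = PACKAGE not installed.
audit () {
  is_pkg_installed "$PACKAGE"
  if [ "$FNRET" != 0 ]; then
    crit "$PACKAGE is not installed!"
    FNRET=5
    return
  fi
  ok "$PACKAGE is installed"
  # Split "Keyword=value" with parameter expansion; no subshell and no
  # truncation should a value itself contain '='.
  SSH_PARAM=${OPTIONS%%=*}
  SSH_VALUE=${OPTIONS#*=}
  check_sshd_conf_for_one_value_runtime "$SSH_PARAM" "$SSH_VALUE"
  if [ "$FNRET" = 0 ]; then
    ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
    FNRET=0
    return
  fi
  # One quoted argument: the original left the inner \"...\" span unquoted,
  # so the space inside it word-split the message.
  crit "The keyword value pair \"$SSH_PARAM $SSH_VALUE\" does not exist in the sshd runtime configuration."
  PATTERN="^$SSH_PARAM[[:space:]]*"
  PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
  does_pattern_exist_in_file "$FILE" "$PATTERN"
  if [ "$FNRET" = 0 ]; then
    crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
    FNRET=1
  else
    crit "$PATTERN_INFO is not present in $FILE"
    FNRET=2
  fi
}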
# This function will be called if the script status is on enabled mode
# Apply mode entry point: remediate according to the FNRET code left by audit().
#   0 -> nothing to do; 1 -> keyword present in FILE with a wrong value, rewrite
#   the line; 2 -> keyword absent from FILE, append it; 5 -> install PACKAGE.
# Globals: OPTIONS, FILE, PACKAGE, FNRET (read). Reloads sshd after editing FILE.
apply () {
  SSH_PARAM=${OPTIONS%%=*}
  SSH_VALUE=${OPTIONS#*=}
  PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
  if [ "$FNRET" = 0 ]; then
    ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
  elif [ "$FNRET" = 1 ]; then
    warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
    replace_in_file "$FILE" "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
    # Reload output is discarded; status is reported through warn/ok only.
    /etc/init.d/ssh reload > /dev/null 2>&1
  elif [ "$FNRET" = 2 ]; then
    warn "$PATTERN_INFO is not present in $FILE, need add to sshd_config and reload"
    add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
    /etc/init.d/ssh reload > /dev/null 2>&1
  elif [ "$FNRET" = 5 ]; then
    warn "$PACKAGE is absent, installing it"
    apt_install "$PACKAGE"
  fi
}
# This function will check config parameters required
# Config sanity hook required by the framework; this check needs no extra
# parameters, so it is a no-op that returns success.
check_config() {
  return 0
}
# Source Root Dir Parameter
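if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# The script runs under 'set -u': without the ':-' default an unset CIS_ROOT_DIR
# aborts with "unbound variable" before the diagnostic below can be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a root directory containing whitespace is not word-split.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi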
================================================
FILE: bin/hardening/9.3.5_sshd_maxauthtries.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 9.3.5 Set SSH MaxAuthTries to 4 or Less (Scored)
#
# Abort on the first failing command and on any reference to an unset variable.
set -o errexit
set -o nounset
# Hardening level this check belongs to (presumably consumed by the sourced framework).
HARDENING_LEVEL=2
# Package providing the daemon under audit.
PACKAGE="openssh-server"
# "Keyword=value" pair expected in the sshd runtime configuration.
OPTIONS="MaxAuthTries=4"
# Configuration file the apply step edits.
FILE="/etc/ssh/sshd_config"
# This function will be called if the script status is on enabled / audit mode
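# Audit mode entry point: verify the sshd runtime configuration carries the
# keyword/value pair in OPTIONS.
# Globals: PACKAGE, OPTIONS, FILE (read); FNRET (written).
# Outputs: ok/crit lines via the framework logging helpers.
# Sets FNRET: 0 = value correct, 1 = keyword present in FILE with wrong value,
#             2 = keyword absent from FILE, 5 = PACKAGE not installed.
audit () {
  is_pkg_installed "$PACKAGE"
  if [ "$FNRET" != 0 ]; then
    crit "$PACKAGE is not installed!"
    FNRET=5
    return
  fi
  ok "$PACKAGE is installed"
  # Split "Keyword=value" with parameter expansion; no subshell and no
  # truncation should a value itself contain '='.
  SSH_PARAM=${OPTIONS%%=*}
  SSH_VALUE=${OPTIONS#*=}
  check_sshd_conf_for_one_value_runtime "$SSH_PARAM" "$SSH_VALUE"
  if [ "$FNRET" = 0 ]; then
    ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
    FNRET=0
    return
  fi
  # One quoted argument: the original left the inner \"...\" span unquoted,
  # so the space inside it word-split the message.
  crit "The keyword value pair \"$SSH_PARAM $SSH_VALUE\" does not exist in the sshd runtime configuration."
  PATTERN="^$SSH_PARAM[[:space:]]*"
  PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
  does_pattern_exist_in_file "$FILE" "$PATTERN"
  if [ "$FNRET" = 0 ]; then
    crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
    FNRET=1
  else
    crit "$PATTERN_INFO is not present in $FILE"
    FNRET=2
  fi
}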
# This function will be called if the script status is on enabled mode
# Apply mode entry point: remediate according to the FNRET code left by audit().
#   0 -> nothing to do; 1 -> keyword present in FILE with a wrong value, rewrite
#   the line; 2 -> keyword absent from FILE, append it; 5 -> install PACKAGE.
# Globals: OPTIONS, FILE, PACKAGE, FNRET (read). Reloads sshd after editing FILE.
apply () {
  SSH_PARAM=${OPTIONS%%=*}
  SSH_VALUE=${OPTIONS#*=}
  PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
  if [ "$FNRET" = 0 ]; then
    ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
  elif [ "$FNRET" = 1 ]; then
    warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
    replace_in_file "$FILE" "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
    # Reload output is discarded; status is reported through warn/ok only.
    /etc/init.d/ssh reload > /dev/null 2>&1
  elif [ "$FNRET" = 2 ]; then
    warn "$PATTERN_INFO is not present in $FILE, need add to sshd_config and reload"
    add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
    /etc/init.d/ssh reload > /dev/null 2>&1
  elif [ "$FNRET" = 5 ]; then
    warn "$PACKAGE is absent, installing it"
    apt_install "$PACKAGE"
  fi
}
# This function will check config parameters required
# Config sanity hook required by the framework; this check needs no extra
# parameters, so it is a no-op that returns success.
check_config() {
  return 0
}
# Source Root Dir Parameter
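if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# The script runs under 'set -u': without the ':-' default an unset CIS_ROOT_DIR
# aborts with "unbound variable" before the diagnostic below can be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a root directory containing whitespace is not word-split.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi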
================================================
FILE: bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 9.3.6 Set SSH IgnoreRhosts to Yes (Scored)
#
# Abort on the first failing command and on any reference to an unset variable.
set -o errexit
set -o nounset
# Hardening level this check belongs to (presumably consumed by the sourced framework).
HARDENING_LEVEL=2
# Package providing the daemon under audit.
PACKAGE="openssh-server"
# "Keyword=value" pair expected in the sshd runtime configuration.
OPTIONS="IgnoreRhosts=yes"
# Configuration file the apply step edits.
FILE="/etc/ssh/sshd_config"
# This function will be called if the script status is on enabled / audit mode
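# Audit mode entry point: verify the sshd runtime configuration carries the
# keyword/value pair in OPTIONS.
# Globals: PACKAGE, OPTIONS, FILE (read); FNRET (written).
# Outputs: ok/crit lines via the framework logging helpers.
# Sets FNRET: 0 = value correct, 1 = keyword present in FILE with wrong value,
#             2 = keyword absent from FILE, 5 = PACKAGE not installed.
audit () {
  is_pkg_installed "$PACKAGE"
  if [ "$FNRET" != 0 ]; then
    crit "$PACKAGE is not installed!"
    FNRET=5
    return
  fi
  ok "$PACKAGE is installed"
  # Split "Keyword=value" with parameter expansion; no subshell and no
  # truncation should a value itself contain '='.
  SSH_PARAM=${OPTIONS%%=*}
  SSH_VALUE=${OPTIONS#*=}
  check_sshd_conf_for_one_value_runtime "$SSH_PARAM" "$SSH_VALUE"
  if [ "$FNRET" = 0 ]; then
    ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
    FNRET=0
    return
  fi
  # One quoted argument: the original left the inner \"...\" span unquoted,
  # so the space inside it word-split the message.
  crit "The keyword value pair \"$SSH_PARAM $SSH_VALUE\" does not exist in the sshd runtime configuration."
  PATTERN="^$SSH_PARAM[[:space:]]*"
  PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
  does_pattern_exist_in_file "$FILE" "$PATTERN"
  if [ "$FNRET" = 0 ]; then
    crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
    FNRET=1
  else
    crit "$PATTERN_INFO is not present in $FILE"
    FNRET=2
  fi
}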
# This function will be called if the script status is on enabled mode
# Apply mode entry point: remediate according to the FNRET code left by audit().
#   0 -> nothing to do; 1 -> keyword present in FILE with a wrong value, rewrite
#   the line; 2 -> keyword absent from FILE, append it; 5 -> install PACKAGE.
# Globals: OPTIONS, FILE, PACKAGE, FNRET (read). Reloads sshd after editing FILE.
apply () {
  SSH_PARAM=${OPTIONS%%=*}
  SSH_VALUE=${OPTIONS#*=}
  PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
  if [ "$FNRET" = 0 ]; then
    ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
  elif [ "$FNRET" = 1 ]; then
    warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
    replace_in_file "$FILE" "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
    # Reload output is discarded; status is reported through warn/ok only.
    /etc/init.d/ssh reload > /dev/null 2>&1
  elif [ "$FNRET" = 2 ]; then
    warn "$PATTERN_INFO is not present in $FILE, need add to sshd_config and reload"
    add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
    /etc/init.d/ssh reload > /dev/null 2>&1
  elif [ "$FNRET" = 5 ]; then
    warn "$PACKAGE is absent, installing it"
    apt_install "$PACKAGE"
  fi
}
# This function will check config parameters required
# Config sanity hook required by the framework; this check needs no extra
# parameters, so it is a no-op that returns success.
check_config() {
  return 0
}
# Source Root Dir Parameter
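if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# The script runs under 'set -u': without the ':-' default an unset CIS_ROOT_DIR
# aborts with "unbound variable" before the diagnostic below can be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a root directory containing whitespace is not word-split.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi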
================================================
FILE: bin/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 9.3.7 Set SSH HostbasedAuthentication to No (Scored)
#
# Abort on the first failing command and on any reference to an unset variable.
set -o errexit
set -o nounset
# Hardening level this check belongs to (presumably consumed by the sourced framework).
HARDENING_LEVEL=2
# Package providing the daemon under audit.
PACKAGE="openssh-server"
# "Keyword=value" pair expected in the sshd runtime configuration.
OPTIONS="HostbasedAuthentication=no"
# Configuration file the apply step edits.
FILE="/etc/ssh/sshd_config"
# This function will be called if the script status is on enabled / audit mode
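# Audit mode entry point: verify the sshd runtime configuration carries the
# keyword/value pair in OPTIONS.
# Globals: PACKAGE, OPTIONS, FILE (read); FNRET (written).
# Outputs: ok/crit lines via the framework logging helpers.
# Sets FNRET: 0 = value correct, 1 = keyword present in FILE with wrong value,
#             2 = keyword absent from FILE, 5 = PACKAGE not installed.
audit () {
  is_pkg_installed "$PACKAGE"
  if [ "$FNRET" != 0 ]; then
    crit "$PACKAGE is not installed!"
    FNRET=5
    return
  fi
  ok "$PACKAGE is installed"
  # Split "Keyword=value" with parameter expansion; no subshell and no
  # truncation should a value itself contain '='.
  SSH_PARAM=${OPTIONS%%=*}
  SSH_VALUE=${OPTIONS#*=}
  check_sshd_conf_for_one_value_runtime "$SSH_PARAM" "$SSH_VALUE"
  if [ "$FNRET" = 0 ]; then
    ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
    FNRET=0
    return
  fi
  # One quoted argument: the original left the inner \"...\" span unquoted,
  # so the space inside it word-split the message.
  crit "The keyword value pair \"$SSH_PARAM $SSH_VALUE\" does not exist in the sshd runtime configuration."
  PATTERN="^$SSH_PARAM[[:space:]]*"
  PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
  does_pattern_exist_in_file "$FILE" "$PATTERN"
  if [ "$FNRET" = 0 ]; then
    crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
    FNRET=1
  else
    crit "$PATTERN_INFO is not present in $FILE"
    FNRET=2
  fi
}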
# This function will be called if the script status is on enabled mode
# Apply mode entry point: remediate according to the FNRET code left by audit().
#   0 -> nothing to do; 1 -> keyword present in FILE with a wrong value, rewrite
#   the line; 2 -> keyword absent from FILE, append it; 5 -> install PACKAGE.
# Globals: OPTIONS, FILE, PACKAGE, FNRET (read). Reloads sshd after editing FILE.
apply () {
  SSH_PARAM=${OPTIONS%%=*}
  SSH_VALUE=${OPTIONS#*=}
  PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
  if [ "$FNRET" = 0 ]; then
    ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
  elif [ "$FNRET" = 1 ]; then
    warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
    replace_in_file "$FILE" "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
    # Reload output is discarded; status is reported through warn/ok only.
    /etc/init.d/ssh reload > /dev/null 2>&1
  elif [ "$FNRET" = 2 ]; then
    warn "$PATTERN_INFO is not present in $FILE, need add to sshd_config and reload"
    add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
    /etc/init.d/ssh reload > /dev/null 2>&1
  elif [ "$FNRET" = 5 ]; then
    warn "$PACKAGE is absent, installing it"
    apt_install "$PACKAGE"
  fi
}
# This function will check config parameters required
# Config sanity hook required by the framework; this check needs no extra
# parameters, so it is a no-op that returns success.
check_config() {
  return 0
}
# Source Root Dir Parameter
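if [ -r /etc/default/cis-hardening ]; then
  . /etc/default/cis-hardening
fi
# The script runs under 'set -u': without the ':-' default an unset CIS_ROOT_DIR
# aborts with "unbound variable" before the diagnostic below can be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Quoted so a root directory containing whitespace is not word-split.
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
  . "$CIS_ROOT_DIR/lib/main.sh"
else
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi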
================================================
FILE: bin/hardening/9.3.8_disable_root_login.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 9.3.8 Disable SSH Root Login (Scored)
#
# Abort on the first failing command and on any reference to an unset variable.
set -o errexit
set -o nounset
# Hardening level this check belongs to (presumably consumed by the sourced framework).
HARDENING_LEVEL=3
# Package providing the daemon under audit.
PACKAGE="openssh-server"
# "Keyword=value" pair expected in the sshd runtime configuration.
OPTIONS="PermitRootLogin=no"
# Configuration file the apply step edits.
FILE="/etc/ssh/sshd_config"
# This function will be called if the script status is on enabled / audit mode
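# Audit mode entry point: verify the sshd runtime configuration carries the
# keyword/value pair in OPTIONS.
# Globals: PACKAGE, OPTIONS, FILE (read); FNRET (written).
# Outputs: ok/crit lines via the framework logging helpers.
# Sets FNRET: 0 = value correct, 1 = keyword present in FILE with wrong value,
#             2 = keyword absent from FILE, 5 = PACKAGE not installed.
audit () {
  is_pkg_installed "$PACKAGE"
  if [ "$FNRET" != 0 ]; then
    crit "$PACKAGE is not installed!"
    FNRET=5
    return
  fi
  ok "$PACKAGE is installed"
  # Split "Keyword=value" with parameter expansion; no subshell and no
  # truncation should a value itself contain '='.
  SSH_PARAM=${OPTIONS%%=*}
  SSH_VALUE=${OPTIONS#*=}
  check_sshd_conf_for_one_value_runtime "$SSH_PARAM" "$SSH_VALUE"
  if [ "$FNRET" = 0 ]; then
    ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
    FNRET=0
    return
  fi
  # One quoted argument: the original left the inner \"...\" span unquoted,
  # so the space inside it word-split the message.
  crit "The keyword value pair \"$SSH_PARAM $SSH_VALUE\" does not exist in the sshd runtime configuration."
  PATTERN="^$SSH_PARAM[[:space:]]*"
  PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
  does_pattern_exist_in_file "$FILE" "$PATTERN"
  if [ "$FNRET" = 0 ]; then
    crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
    FNRET=1
  else
    crit "$PATTERN_INFO is not present in $FILE"
    FNRET=2
  fi
}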
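# Reload sshd only if the edited configuration still parses, then confirm the
# wanted value is really visible at runtime. A line written to $FILE can be
# shadowed by a file pulled in through an Include directive, so the on-disk
# edit alone is not proof that the setting took effect.
# Globals: FILE, SSH_PARAM, SSH_VALUE (read), FNRET (written by the re-check)
_reload_sshd_and_verify() {
    local sshd_bin
    sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_bin" ] && ! "$sshd_bin" -t > /dev/null 2>&1; then
        crit "$FILE does not pass 'sshd -t' after editing, not reloading sshd"
        return 0
    fi
    /etc/init.d/ssh reload > /dev/null 2>&1
    check_sshd_conf_for_one_value_runtime "$SSH_PARAM" "$SSH_VALUE"
    if [ "$FNRET" != 0 ]; then
        crit "$SSH_PARAM is still not $SSH_VALUE in the sshd runtime configuration after reload; another configuration file may override $FILE"
    fi
}
# This function will be called if the script status is on enabled mode
#
# Consumes FNRET as set by audit() (0 correct, 1 wrong value, 2 missing, 5 no package).
apply () {
    SSH_PARAM=${OPTIONS%%=*}
    SSH_VALUE=${OPTIONS#*=}
    PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
    case $FNRET in
        0) ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
            ;;
        1) warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
            replace_in_file "$FILE" "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
            _reload_sshd_and_verify
            ;;
        2) warn "$PATTERN_INFO is not present in $FILE, need add to sshd_config and reload"
            add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
            _reload_sshd_and_verify
            ;;
        5) warn "$PACKAGE is absent, installing it"
            apt_install "$PACKAGE"
            ;;
        *) ;;
    esac
}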
# This function will check config parameters required
check_config() {
    # Nothing to validate for this check; always succeed.
    return 0
}
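# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps 'set -u' from aborting with "unbound variable"
# before the explanatory message below can be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi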
================================================
FILE: bin/hardening/9.3.9_disable_sshd_permitemptypasswords.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 9.3.9 Set SSH PermitEmptyPasswords to No (Scored)
#
set -eu # One error or one unset variable, it's over
HARDENING_LEVEL=2                     # --set-hardening-level N enables this script when N >= 2
PACKAGE="openssh-server"              # package whose presence audit() checks first
OPTIONS="PermitEmptyPasswords=no"     # Keyword=value pair enforced in sshd's configuration
FILE="/etc/ssh/sshd_config"           # file edited by apply()
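# This function will be called if the script status is on enabled / audit mode
#
# Leaves the result in FNRET for apply():
#   0 - the sshd runtime configuration already has "$SSH_PARAM $SSH_VALUE"
#   1 - $FILE has a line for the keyword but the runtime value is different
#   2 - the keyword is not present in $FILE at all
#   5 - $PACKAGE is not installed
audit () {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
        crit "$PACKAGE is not installed!"
        FNRET=5
        return 0
    fi
    ok "$PACKAGE is installed"
    # Split 'Keyword=value' with parameter expansion instead of forking echo|cut
    SSH_PARAM=${OPTIONS%%=*}
    SSH_VALUE=${OPTIONS#*=}
    # The runtime check is treated as authoritative; the grep on $FILE below
    # only decides how apply() should repair the file.
    check_sshd_conf_for_one_value_runtime "$SSH_PARAM" "$SSH_VALUE"
    if [ "$FNRET" = 0 ]; then
        ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
        FNRET=0
        return 0
    fi
    # Single argument: the previous quoting split this message into two words
    crit "The keyword value pair \"$SSH_PARAM $SSH_VALUE\" does not exist in the sshd runtime configuration."
    # NOTE(review): '[[:space:]]*' allows zero spaces, so a keyword that merely
    # starts with $SSH_PARAM also matches — tighten if the grep flavour used by
    # does_pattern_exist_in_file supports '+'.
    PATTERN="^$SSH_PARAM[[:space:]]*"
    PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
    does_pattern_exist_in_file "$FILE" "$PATTERN"
    if [ "$FNRET" = 0 ]; then
        crit "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect."
        FNRET=1
    else
        crit "$PATTERN_INFO is not present in $FILE"
        FNRET=2
    fi
}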
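# Reload sshd only if the edited configuration still parses, then confirm the
# wanted value is really visible at runtime. A line written to $FILE can be
# shadowed by a file pulled in through an Include directive, so the on-disk
# edit alone is not proof that the setting took effect.
# Globals: FILE, SSH_PARAM, SSH_VALUE (read), FNRET (written by the re-check)
_reload_sshd_and_verify() {
    local sshd_bin
    sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_bin" ] && ! "$sshd_bin" -t > /dev/null 2>&1; then
        crit "$FILE does not pass 'sshd -t' after editing, not reloading sshd"
        return 0
    fi
    /etc/init.d/ssh reload > /dev/null 2>&1
    check_sshd_conf_for_one_value_runtime "$SSH_PARAM" "$SSH_VALUE"
    if [ "$FNRET" != 0 ]; then
        crit "$SSH_PARAM is still not $SSH_VALUE in the sshd runtime configuration after reload; another configuration file may override $FILE"
    fi
}
# This function will be called if the script status is on enabled mode
#
# Consumes FNRET as set by audit() (0 correct, 1 wrong value, 2 missing, 5 no package).
apply () {
    SSH_PARAM=${OPTIONS%%=*}
    SSH_VALUE=${OPTIONS#*=}
    PATTERN_INFO="$SSH_PARAM $SSH_VALUE"
    case $FNRET in
        0) ok "The value of keyword $SSH_PARAM has set to $SSH_VALUE, it's correct."
            ;;
        1) warn "The value of keyword $SSH_PARAM is not set to $SSH_VALUE, it's incorrect. Fixing and reload config"
            replace_in_file "$FILE" "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
            _reload_sshd_and_verify
            ;;
        2) warn "$PATTERN_INFO is not present in $FILE, need add to sshd_config and reload"
            add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
            _reload_sshd_and_verify
            ;;
        5) warn "$PACKAGE is absent, installing it"
            apt_install "$PACKAGE"
            ;;
        *) ;;
    esac
}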
# This function will check config parameters required
check_config() {
    # Nothing to validate for this check; always succeed.
    return 0
}
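# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps 'set -u' from aborting with "unbound variable"
# before the explanatory message below can be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi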
================================================
FILE: bin/hardening/9.4_pam_restrict_su.sh
================================================
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
# 9.4 Restrict Access to the su Command (Scored)
#
set -eu # One error or one unset variable, it's over
HARDENING_LEVEL=3                 # --set-hardening-level N enables this script when N >= 3
PACKAGE="login"                   # Debian/Ubuntu package checked by audit()
PACKAGE_CENTOS="util-linux"       # substituted for PACKAGE when OS_RELEASE is 2
# Regex looked up in FILE: the pam_wheel line that restricts su
PATTERN="^auth[[:space:]]*required[[:space:]]*pam_wheel.so"
FILE="/etc/pam.d/su"              # PAM stack edited by apply()
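# This function will be called if the script status is on enabled / audit mode
#
# Reports through ok/crit only; FNRET is left as set by the last helper call.
audit () {
    # RedHat/CentOS (OS_RELEASE=2) ships the su PAM stack in a different package
    if [ "$OS_RELEASE" -eq 2 ]; then
        PACKAGE=$PACKAGE_CENTOS
    fi
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
        crit "$PACKAGE is not installed!"
        return 0
    fi
    ok "$PACKAGE is installed"
    # Quoted: $PATTERN contains '*' and bracket expressions that an unquoted
    # expansion would hand to the shell's glob matching first.
    does_pattern_exist_in_file "$FILE" "$PATTERN"
    if [ "$FNRET" = 0 ]; then
        ok "$PATTERN is present in $FILE"
    else
        crit "$PATTERN is not present in $FILE"
    fi
}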
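# This function will be called if the script status is on enabled mode
#
# NOTE(review): apply() does not repeat the OS_RELEASE=2 package switch done in
# audit(), so it presumably relies on audit() having run first — confirm in lib/main.sh.
apply () {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" = 0 ]; then
        ok "$PACKAGE is installed"
    else
        crit "$PACKAGE is absent, installing it"
        install_package "$PACKAGE"
    fi
    # Quoted: $PATTERN contains '*' and bracket expressions that an unquoted
    # expansion would hand to the shell's glob matching first.
    does_pattern_exist_in_file "$FILE" "$PATTERN"
    if [ "$FNRET" = 0 ]; then
        ok "$PATTERN is present in $FILE"
    else
        crit "$PATTERN is not present in $FILE"
        # NOTE(review): once this line is active, su is limited to members of the
        # wheel group; make sure an administrative account is in that group before
        # applying, or su becomes unusable — confirm against the deployment's groups.
        add_line_file_before_pattern "$FILE" "auth required pam_wheel.so use_uid" "# Uncomment this if you want wheel members to be able to"
    fi
}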
# This function will check config parameters required
check_config() {
    # Nothing to validate for this check; always succeed.
    return 0
}
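# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} keeps 'set -u' from aborting with "unbound variable"
# before the explanatory message below can be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
    . "$CIS_ROOT_DIR/lib/main.sh"
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi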
================================================
FILE: bin/hardening.sh
================================================
#!/bin/bash
#
# harbian audit Debian 9 / CentOS Hardening
# Authors : Thibault Dewailly, OVH
# Authors : Samson wen, Samson
#
# Main script : Execute hardening considering configuration
#
# Script identity (basename of $0, with and without the .sh suffix)
LONG_SCRIPT_NAME=${0##*/}
SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
# Counters accumulated while the hardening scripts run
DISABLED_CHECKS=0 PASSED_CHECKS=0 FAILED_CHECKS=0
TOTAL_CHECKS=0 TOTAL_TREATED_CHECKS=0
# Run-mode flags, all off until the argument parser sets them
AUDIT=0 APPLY=0 AUDIT_ALL=0 AUDIT_ALL_ENABLE_PASSED=0
ALLOW_SERVICE_LIST=0 SET_HARDENING_LEVEL=0
INIT_G_CONFIG=0 FINAL_G_CONFIG=0
# Extra flag handed to every script in audit modes ('--sudo' when requested)
SUDO_MODE=""
# 127 marks "--dont-auditd-by-uid not given"; the option itself only takes 1 or 0
DONT_BY_UID_G_CONFIG=127
# Print the help text to stdout and exit 0.
# Also reached from the argument parser on an unknown option, so a bad
# option exits successfully rather than with an error status.
usage() {
# Unquoted delimiter: $LONG_SCRIPT_NAME is expanded inside the text.
cat << EOF
$LONG_SCRIPT_NAME [OPTIONS], where RUN_MODE is one of:
--help -h
Show this help
--init
Initialize the global configuration file(/etc/default/cis-hardening) based
on the release version number.
--apply
Apply hardening for enabled scripts.
Beware that NO confirmation is asked whatsoever, which is why you're warmly
advised to use --audit before, which can be regarded as a dry-run mode.
--audit
Audit configuration for enabled scripts.
No modification will be made on the system, we'll only report on your system
compliance for each script.
--audit-all
Same as --audit, but for *all* scripts, even disabled ones.
This is a good way to peek at your compliance level if all scripts were enabled,
and might be a good starting point.
--audit-all-enable-passed
Same as --audit-all, but in addition, will *modify* the individual scripts
configurations to enable those which passed for your system.
This is an easy way to enable scripts for which you're already compliant.
However, please always review each activated script afterwards, this option
should only be regarded as a way to kickstart a configuration from scratch.
Don't run this if you have already customized the scripts enable/disable
configurations, obviously.
--set-hardening-level
Modifies the configuration to enable/disable tests given an hardening level,
between 1 to 5. Don't run this if you have already customized the scripts
enable/disable configurations.
1: very basic policy, failure to pass tests at this level indicates severe
misconfiguration of the machine that can have a huge security impact
2: basic policy, some good practice rules that, once applied, shouldn't
break anything on most systems
3: best practices policy, passing all tests might need some configuration
modifications (such as specific partitioning, etc.)
4: high security policy, passing all tests might be time-consuming and
require high adaptation of your workflow
5: placebo, policy rules that might be very difficult to apply and maintain,
with questionable security benefits, need to confirm manually
--allow-service
Use with --set-hardening-level.
Modifies the policy to allow a certain kind of services on the machine, such
as http, mail, etc. Can be specified multiple times to allow multiple services.
Use --allow-service-list to get a list of supported services.
Example:
bin/hardening.sh --set-hardening-level 5 --allow-service dns,http
--final
The final action that needs to be done when all repairs are completed. The action items are:
1. Use passwd to change the password of the regular and root user to update the user
password strength and robustness;
2. Aide reinitializes.
--dont-auditd-by-uid <1/0>
Auditd rules do not use uid parameter, for all user to auditd. If set 1 will not use uid, else if
set 0 will use uid. Default is 0.
OPTIONS:
--only
Modifies the RUN_MODE to only work on the test_number script.
Can be specified multiple times to work only on several scripts.
The test number is the numbered prefix of the script,
i.e. the test number of 1.2_script_name.sh is 1.2.
--sudo
This option lets you audit your system as a normal user, but allows sudo
escalation to gain read-only access to root files. Note that you need to
provide a sudoers file with NOPASSWD option in /etc/sudoers.d/ because
the '-n' option instructs sudo not to prompt for a password.
Finally note that '--sudo' mode only works for audit mode.
EOF
exit 0
}
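if [ $# = 0 ]; then
    usage
fi
declare -a TEST_LIST ALLOWED_SERVICES_LIST
# Arguments parsing
# (( $# > 0 )) is an integer test; the former [[ $# > 0 ]] compared strings.
# Options that take a value (--allow-service, --set-hardening-level, --only,
# --dont-auditd-by-uid) consume "$2" and shift once more; a missing value now
# goes to usage instead of silently storing an empty string.
while (( $# > 0 )); do
    ARG="$1"
    case $ARG in
        --audit)
            AUDIT=1
            ;;
        --audit-all)
            AUDIT_ALL=1
            ;;
        --audit-all-enable-passed)
            AUDIT_ALL_ENABLE_PASSED=1
            ;;
        --apply)
            APPLY=1
            ;;
        --allow-service-list)
            ALLOW_SERVICE_LIST=1
            ;;
        --allow-service)
            [ $# -ge 2 ] || usage
            ALLOWED_SERVICES_LIST+=("$2")
            shift
            ;;
        --set-hardening-level)
            [ $# -ge 2 ] || usage
            SET_HARDENING_LEVEL="$2"
            shift
            ;;
        --only)
            [ $# -ge 2 ] || usage
            TEST_LIST+=("$2")
            shift
            ;;
        --sudo)
            SUDO_MODE='--sudo'
            ;;
        -h|--help)
            usage
            ;;
        --init)
            INIT_G_CONFIG=1
            ;;
        --final)
            FINAL_G_CONFIG=1
            ;;
        --dont-auditd-by-uid)
            [ $# -ge 2 ] || usage
            DONT_BY_UID_G_CONFIG="$2"
            shift
            ;;
        *)
            # Unknown option: usage prints the help and exits 0
            usage
            ;;
    esac
    shift
done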
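# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# ${CIS_ROOT_DIR:-} matches the individual hardening scripts, which run with
# 'set -u' and would otherwise abort before printing the message.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi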
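# For --dont-auditd-by-uid
# 127 is the sentinel meaning "option not given"; the option itself accepts
# only 1 (do not use uid in auditd rules) or 0 (use uid). Anything else is
# rejected instead of being silently treated as 0, and a non-numeric value
# no longer trips the integer comparison.
if [ -z "$DONT_BY_UID_G_CONFIG" ]; then
    usage
fi
if [ "$DONT_BY_UID_G_CONFIG" != 127 ]; then
    case "$DONT_BY_UID_G_CONFIG" in
        1)
            echo "Set dont use uid for auditd rules"
            sed -i 's/^DONT_AUDITD_BY_UID=.*/DONT_AUDITD_BY_UID=1/g' "$CIS_ROOT_DIR/etc/hardening.cfg"
            ;;
        0)
            echo "Set use uid for auditd rules"
            sed -i 's/^DONT_AUDITD_BY_UID=.*/DONT_AUDITD_BY_UID=0/g' "$CIS_ROOT_DIR/etc/hardening.cfg"
            ;;
        *)
            echo "Bad --dont-auditd-by-uid specified ('$DONT_BY_UID_G_CONFIG'), expected 1 or 0"
            exit 1
            ;;
    esac
    exit 0
fi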
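# Shared libraries and the global configuration; each is optional and
# skipped silently when not readable. Quoted so a CIS_ROOT_DIR containing
# spaces or glob characters is still sourced correctly.
[ -r "$CIS_ROOT_DIR/lib/constants.sh" ] && . "$CIS_ROOT_DIR/lib/constants.sh"
[ -r "$CIS_ROOT_DIR/etc/hardening.cfg" ] && . "$CIS_ROOT_DIR/etc/hardening.cfg"
[ -r "$CIS_ROOT_DIR/lib/common.sh" ] && . "$CIS_ROOT_DIR/lib/common.sh"
[ -r "$CIS_ROOT_DIR/lib/utils.sh" ] && . "$CIS_ROOT_DIR/lib/utils.sh"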
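### Debian: OS_RELEASE=1 Redhat/centos: OS_RELEASE=2 Ubuntu: OS_RELEASE=3 Debian9~12: OS_RELEASE=9~12
# For --init
# Detects the distribution and rewrites OS_RELEASE in /etc/default/cis-hardening.
# Ubuntu is tested before the Debian branch because it also ships
# /etc/debian_version; a non-Ubuntu /etc/lsb-release no longer short-circuits
# detection (previously it exited 0 without writing anything).
if [ "$INIT_G_CONFIG" -eq 1 ]; then
    if [ -r /etc/redhat-release ]; then
        info "This OS is redhat/CentOS."
        sed -i 's/^OS_RELEASE=.*/OS_RELEASE=2/g' /etc/default/cis-hardening
    elif [ -r /etc/lsb-release ] && grep -qi Ubuntu /etc/lsb-release; then
        info "This OS is Ubuntu."
        sed -i 's/^OS_RELEASE=.*/OS_RELEASE=3/g' /etc/default/cis-hardening
    elif [ -r /etc/debian_version ]; then
        get_debian_ver
        sed -i "s/^OS_RELEASE=.*/OS_RELEASE=${FNRET}/g" /etc/default/cis-hardening
        info "This OS is Debian $FNRET."
    else
        crit "This OS not support!"
        exit 128
    fi
    # NOTE(review): sed only rewrites an existing OS_RELEASE= line; if the
    # template lacks one nothing is written — confirm the shipped
    # /etc/default/cis-hardening always carries it.
    . /etc/default/cis-hardening
    exit 0
fi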
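# Announce the detected distribution; any OS_RELEASE value not listed here
# (including unset or non-numeric) is unsupported and stops the run.
case "$OS_RELEASE" in
    1)  info "Start auditing for Debian." ;;
    9)  info "Start auditing for Debian9." ;;
    10) info "Start auditing for Debian10." ;;
    11) info "Start auditing for Debian11." ;;
    12) info "Start auditing for Debian12." ;;
    13) info "Start auditing for Debian13." ;;
    2)  info "Start auditing for redhat/CentOS." ;;
    3)  info "Start auditing for Ubuntu." ;;
    *)
        crit "This OS not support!"
        exit 128
        ;;
esac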
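# For --final
if [ "$FINAL_G_CONFIG" -eq 1 ]; then
    # Reset passwd for regular and root user.
    # Regular accounts are taken as UID 1000..65533; read into an array so the
    # interactive 'read' prompts below still see the terminal on stdin.
    mapfile -t ACCOUNTS < <(awk -F':' '{if($3>=1000 && $3<65534) {print $1}}' /etc/passwd)
    # Loop variable deliberately not named USER: that would overwrite the
    # exported login name seen by the child processes.
    for ACCOUNT in "${ACCOUNTS[@]}"; do
        RESETCONTIN="n"
        read -r -p "Will password of $ACCOUNT be reset, are you sure to continue?(y/N)" RESETCONTIN
        if [ "$RESETCONTIN" == "y" ]; then
            passwd "$ACCOUNT"
        fi
    done
    RESETCONTIN="n"
    read -r -p "Will password of root be reset, are you sure to continue?(y/N)" RESETCONTIN
    if [ "$RESETCONTIN" == "y" ]; then
        passwd
    fi
    # Reinit aide database
    info "Will reinitialize the AIDE database"
    if [ "$OS_RELEASE" -eq 1 ] || [ "$OS_RELEASE" -eq 3 ]; then
        aideinit
    elif [ "$OS_RELEASE" -eq 2 ]; then
        aide --init
    else
        aide --config /etc/aide/aide.conf --init
        is_debian_13
        # On releases other than Debian 13 the freshly built database still has
        # to be moved into place by hand (presumably Debian 13's aide does this
        # itself — confirm against is_debian_13's contract).
        if [ "$FNRET" -ne 0 ]; then
            mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
        fi
    fi
    exit 0
fi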
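# If --allow-service-list is specified, don't run anything, just list the supported services
if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then
    declare -a HARDENING_EXCEPTIONS_LIST=()
    # Glob instead of parsing ls; ordering is irrelevant because the list is sorted below
    for SCRIPT in "$CIS_ROOT_DIR"/bin/hardening/*.sh; do
        [ -e "$SCRIPT" ] || continue
        template=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2)
        [ -n "$template" ] && HARDENING_EXCEPTIONS_LIST+=("$template")
    done
    SUPPORTED=""
    if [ "${#HARDENING_EXCEPTIONS_LIST[@]}" -gt 0 ]; then
        # Deduplicated, space-separated; the trailing space from tr is stripped below
        SUPPORTED=$(printf '%s\n' "${HARDENING_EXCEPTIONS_LIST[@]}" | tr " " "\n" | sort -u | tr "\n" " ")
    fi
    echo "Supported services are: ${SUPPORTED% }"
    exit 0
fi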
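# If --set-hardening-level is specified, don't run anything, just apply config for each script
if [ -n "$SET_HARDENING_LEVEL" ] && [ "$SET_HARDENING_LEVEL" != 0 ] ; then
    if ! grep -q "^[12345]$" <<< "$SET_HARDENING_LEVEL" ; then
        echo "Bad --set-hardening-level specified ('$SET_HARDENING_LEVEL'), expected 1 to 5"
        exit 1
    fi
    # Glob instead of parsing ls; every script's HARDENING_LEVEL decides its status
    for SCRIPT in "$CIS_ROOT_DIR"/bin/hardening/*.sh; do
        [ -e "$SCRIPT" ] || continue
        SCRIPT_BASENAME=$(basename "$SCRIPT" .sh)
        SCRIPT_CFG="$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
        script_level=$(grep "^HARDENING_LEVEL=" "$SCRIPT" | cut -d= -f2)
        if [ -z "$script_level" ] ; then
            echo "The script $SCRIPT_BASENAME doesn't have a hardening level, configuration untouched for it"
            continue
        fi
        # sed -i cannot create the per-script config; say so instead of letting sed fail
        if [ ! -f "$SCRIPT_CFG" ] ; then
            echo "The script $SCRIPT_BASENAME has no configuration file $SCRIPT_CFG, configuration untouched for it"
            continue
        fi
        wantedstatus=disabled
        [ "$script_level" -le "$SET_HARDENING_LEVEL" ] && wantedstatus=enabled
        sed -i -re "s/^status=.+/status=$wantedstatus/" "$SCRIPT_CFG"
        # If use --allow-service to set, add ISEXCEPTION=1 to SCRTPT_BASENAME.cfg
        template=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2)
        if [ -n "$template" ] && [ "$(echo "${ALLOWED_SERVICES_LIST[@]}" | grep -wc "$template")" -eq 1 ]; then
            sed -i "s/^ISEXCEPTION=./ISEXCEPTION=1/" "$SCRIPT_CFG"
        fi
    done
    echo "Configuration modified to enable scripts for hardening level at or below $SET_HARDENING_LEVEL"
    exit 0
fi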
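# Parse every script and execute it in the required mode (--audit, --audit-all,
# --audit-all-enable-passed or apply), tallying results into PASSED_CHECKS,
# FAILED_CHECKS, DISABLED_CHECKS and TOTAL_CHECKS for the summary below.
# Scripts run in natural (version) order, as `ls -v` gave, so 1.x precedes 10.x; the
# quoted glob + sort -V avoids parsing ls and survives whitespace in CIS_ROOT_DIR.
mapfile -t HARDENING_SCRIPTS < <(printf '%s\n' "$CIS_ROOT_DIR"/bin/hardening/*.sh | sort -V)
for SCRIPT in "${HARDENING_SCRIPTS[@]}"; do
    [ -e "$SCRIPT" ] || continue   # unmatched glob: no hardening scripts installed
    if [ ${#TEST_LIST[@]} -gt 0 ] ; then
        # --only X has been specified at least once: run this script only if its numeric
        # prefix (e.g. "1.5.11") matches one of the requested values. Each --only value is
        # tested on its own: matching against the whole list joined into one here-string
        # let the "^" anchor match only the first --only value, silently dropping the rest.
        SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<< "$(basename "$SCRIPT")")
        SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<< "$SCRIPT_PREFIX")
        SCRIPT_WANTED=0
        for ONLY_ITEM in "${TEST_LIST[@]}"; do
            if grep -qEw "^$SCRIPT_PREFIX_RE" <<< "$ONLY_ITEM"; then
                SCRIPT_WANTED=1
                break
            fi
        done
        # not in the list
        [ "$SCRIPT_WANTED" = 1 ] || continue
    fi
    info "Treating $SCRIPT"
    # $SCRIPT is already the absolute path, so it is logged as-is (the previous debug
    # messages prefixed it with $CIS_ROOT_DIR/bin/hardening/ a second time).
    # SUDO_MODE is intentionally unquoted: when empty it must vanish, not become "".
    if [ "$AUDIT" = 1 ]; then
        debug "$SCRIPT --audit $SUDO_MODE"
        "$SCRIPT" --audit $SUDO_MODE
    elif [ "$AUDIT_ALL" = 1 ]; then
        debug "$SCRIPT --audit-all $SUDO_MODE"
        "$SCRIPT" --audit-all $SUDO_MODE
    elif [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
        debug "$SCRIPT --audit-all $SUDO_MODE"
        "$SCRIPT" --audit-all $SUDO_MODE
    elif [ "$APPLY" = 1 ]; then
        debug "$SCRIPT"
        "$SCRIPT"
    fi
    # NOTE(review): if none of the four modes is set, $? is the status of the last
    # test (1) and the script is counted as failed; the option parser (outside this
    # section) is assumed to always select one mode.
    SCRIPT_EXITCODE=$?
    debug "Script $SCRIPT finished with exit code $SCRIPT_EXITCODE"
    case $SCRIPT_EXITCODE in
        0)
            debug "$SCRIPT passed"
            PASSED_CHECKS=$((PASSED_CHECKS+1))
            if [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ] ; then
                # A passing check is switched on in its own config so `apply` keeps it.
                SCRIPT_BASENAME=$(basename "$SCRIPT" .sh)
                sed -i -re 's/^status=.+/status=enabled/' "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
                info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
            fi
            ;;
        1)
            debug "$SCRIPT failed"
            FAILED_CHECKS=$((FAILED_CHECKS+1))
            ;;
        2)
            debug "$SCRIPT is disabled"
            DISABLED_CHECKS=$((DISABLED_CHECKS+1))
            ;;
        3)
            # Exit code 3 = the service/file the check targets is absent. It is neither
            # passed, failed nor disabled, but still counted in TOTAL_CHECKS below, so it
            # lowers the conformity percentage without appearing as a failure.
            warn "$SCRIPT maybe is nonexist service or nonexist file in this system"
            ;;
    esac
    # Every treated script counts, whatever its exit code.
    TOTAL_CHECKS=$((TOTAL_CHECKS+1))
done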
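TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS-DISABLED_CHECKS))
# Build the summary in a variable instead of a fixed file. The old
# /dev/shm/harbian-audit.summary was a predictable name in a world-writable
# directory: any local user could pre-create a symlink there and the root-owned
# ">" would truncate/overwrite whatever it pointed to. No temp file, no race.
# Percentages go through bc to keep two decimals; a zero denominator (no scripts
# installed, or none enabled) prints N.A instead of a bc divide-by-zero error.
HARSUMMARY_TEXT=$(
    printf "%40s\n" "################### SUMMARY ###################"
    printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
    printf "%30s %s\n" "Total Checks Run :" "$TOTAL_TREATED_CHECKS"
    printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
    printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
    if [ "$TOTAL_CHECKS" -ne 0 ]; then
        printf "%30s %.2f %%\n" "Enabled Checks Percentage :" "$( echo "($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100" | bc -l)"
    else
        printf "%30s %s %%\n" "Enabled Checks Percentage :" "N.A" # No scripts at all, avoid division by 0
    fi
    if [ "$TOTAL_TREATED_CHECKS" -ne 0 ]; then
        printf "%30s %.2f %%\n" "Conformity Percentage :" "$( echo "($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100" | bc -l)"
    else
        printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No checks were run, avoid division by 0
    fi
)
# Print to the console and, line by line (as `cat file | logger` did), to syslog.
printf '%s\n' "$HARSUMMARY_TEXT"
printf '%s\n' "$HARSUMMARY_TEXT" | /usr/bin/logger -t "[CIS_Hardening] $SCRIPT_NAME" -p "user.info"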
================================================
FILE: docs/STIG-Benchmark/stig-Ubuntu_16-04_LTS.txt
================================================
Rule ID: SV-90069r1_rule
Severity: high
Rule Title: The Ubuntu operating system must be a vendor supported release.
Description: An Ubuntu operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.
Check_content: Verify the version of the Ubuntu operating system is vendor supported.\n\nCheck the version of the Ubuntu operating system with the following command:\n\n# cat /etc/lsb-release\n\nDISTRIB_RELEASE=16.04\nDISTRIB_CODENAME=xenial\nDISTRIB_DESCRIPTION="Ubuntu 16.04.1 LTS"\n\nCurrent End of Life for Ubuntu 16.04 LTS is April 2021.\n\nIf the release is not supported by the vendor, this is a finding.
Fixtext: Upgrade to a supported version of the Ubuntu operating system.
Rule ID: SV-90071r5_rule
Severity: medium
Rule Title: Ubuntu vendor packaged system security patches and updates must be installed and up to date.
Description: Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep Ubuntu operating system and application software patched is a common mistake made by IT professionals. New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an Ubuntu operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.
Check_content: Verify the Ubuntu operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO). \n\nObtain the list of available package security updates from Ubuntu. The URL for updates is https://www.Ubuntu.com/usn/. It is important to note that updates provided by Ubuntu may not be present on the system if the underlying packages are not installed.\n\nCheck that the available package security updates have been installed on the system with the following command:\n\n# /usr/lib/update-notifier/apt-check --human-readable\n\n246 packages can be updated.\n0 updates are security updates.\n\nIf security package updates have not been performed on the system within the timeframe that the site/program documentation requires, this is a finding. \n\nTypical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from JFHQ-DoDIN.\n\nIf the Ubuntu operating system is in non-compliance with the Information Assurance Vulnerability Management (IAVM) process, this is a finding.
Fixtext: Install the Ubuntu operating system patches or updated packages available from Canonical within 30 days or sooner as local policy dictates.
Rule ID: SV-90073r3_rule
Severity: medium
Rule Title: The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
Description: Display of a standardized and approved use notification before granting access to the Ubuntu operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for Ubuntu operating systems that can accommodate banners of 1300 characters:\n\n"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details."\n\nUse the following verbiage for Ubuntu operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n"I've read & consent to terms in IS user agreem't."\n\n
Check_content: Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the Ubuntu operating system via a Gnome graphical user logon. \n\nNote: If the system does not have a graphical user logon this item is Not Applicable. \n\nNote: If the system is using lightdm, this is a finding. There is no greater configuration that can be applied to meet the requirement. \n\nCheck that the Ubuntu operating system displays a banner at the logon screen with the following command:\n\n# grep banner-message-enable /etc/dconf/db/local.d/*\nbanner-message-enable=true\n\nIf "banner-message-enable" is not set to "true", is missing, set to "false", or is commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.\n\nCreate a database that will contain the system wide graphical user logon settings (if it does not already exist) with the following command:\n\n# sudo touch /etc/dconf/db/local.d/01-banner-message\n\nAdd the following line to the "[org/gnome/login-screen]" section of the "/etc/dconf/db/local.d/01-banner-message" file:\n\n[org/gnome/login-screen]\nbanner-message-enable=true
Rule ID: SV-90115r3_rule
Severity: medium
Rule Title: The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.
Description: Display of a standardized and approved use notification before granting access to the Ubuntu operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for Ubuntu operating systems:\n\n"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
Check_content: Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the Ubuntu operating system via a command line user logon.\n\nCheck that the Ubuntu operating system displays a banner at the command line login screen with the following command:\n\n# cat /etc/issue\n\nIf the banner is set correctly it will return the following text:\n\n"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."\n\nIf the banner text does not match the Standard Mandatory DoD Notice and Consent Banner exactly, this is a finding.
Fixtext: Configure the Ubuntu operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via command line logon.\n\nEdit the "/etc/issue" file to replace the default text with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\n"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
Rule ID: SV-90117r3_rule
Severity: medium
Rule Title: The Ubuntu operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures.
Description: A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined.\n\nRegardless of where the session lock is determined and implemented, once invoked, the session lock shall remain in place until the user re-authenticates. No other activity aside from re-authentication shall unlock the system.
Check_content: Verify the operating system allows a user to lock the current graphical user interface (GUI) session. \n\nNote: If the Ubuntu operating system does not have GNOME installed, this requirement is Not Applicable.\n\nCheck to see if the Ubuntu operating system allows the user to lock the current GUI session with the following command (gsettings takes the schema and the key as two separate arguments; "lock-enabled" lives in the "org.gnome.desktop.screensaver" schema):\n\n# gsettings get org.gnome.desktop.screensaver lock-enabled\n\ntrue\n\nIf "lock-enabled" is not set to "true", this is a finding.
Fixtext: Configure the Ubuntu operating system so that it allows a user to lock the current GUI session.\n\nNote: If the Ubuntu operating system does not have GNOME installed, this requirement is Not Applicable.\n\nSet the "lock-enabled" key of the "org.gnome.desktop.screensaver" schema in GNOME to allow GUI session locks with the following command: \n\nNote: The command must be performed from a terminal window inside the graphical user interface (GUI).\n\n# sudo gsettings set org.gnome.desktop.screensaver lock-enabled true
Rule ID: SV-90119r2_rule
Severity: medium
Rule Title: All users must be able to directly initiate a session lock for all connection types.
Description: A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, Ubuntu operating systems need to provide users with the ability to manually invoke a session lock so users may secure their session should the need arise for them to temporarily vacate the immediate physical vicinity.\n\n
Check_content: Verify the Ubuntu operating system has the 'vlock' package installed, by running the following command:\n\n# dpkg -l | grep vlock\n\nvlock_2.2.2-7\n\nIf "vlock" is not installed, this is a finding.
Fixtext: Install the "vlock" (if it is not already installed) package by running the following command:\n\n# sudo apt-get install vlock
Rule ID: SV-90121r2_rule
Severity: medium
Rule Title: Ubuntu operating system sessions must be automatically logged out after 15 minutes of inactivity.
Description: An Ubuntu operating system needs to be able to identify when a user's sessions has idled for longer than 15 minutes. The Ubuntu operating system must logout a users' session after 15 minutes to prevent anyone from gaining access to the machine while the user is away.
Check_content: Verify the Ubuntu operating system initiates a session logout after "15" minutes of inactivity. \n\nCheck that the proper auto logout script exists with the following command:\n\n# cat /etc/profile.d/autologout.sh\nTMOUT=900\nreadonly TMOUT\nexport TMOUT\n\nIf the file "/etc/profile.d/autologout.sh" does not exist, the timeout values are commented out, or the output does not match the three lines above, this is a finding.
Fixtext: Configure the Ubuntu operating system to initiate a session logout after a "15" minutes of inactivity. \n\nCreate a file to contain the system-wide session auto logout script (if it does not already exist) with the following command:\n\n# sudo touch /etc/profile.d/autologout.sh\n\nAdd the following lines to the "/etc/profile.d/autologout.sh" script:\n\nTMOUT=900\nreadonly TMOUT\nexport TMOUT
Rule ID: SV-90123r2_rule
Severity: low
Rule Title: The Ubuntu operating system must limit the number of concurrent sessions to ten for all accounts and/or account types.
Description: Ubuntu operating system management includes the ability to control the number of users and user sessions that utilize an Ubuntu operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.
Check_content: Verify that the Ubuntu operating system limits the number of concurrent sessions to "10" for all accounts and/or account types by running the following command:\n\n# grep maxlogins /etc/security/limits.conf\n\nThe result must contain the following line:\n\n* hard maxlogins 10\n\nIf the "maxlogins" item is missing or the value is not set to "10" or less, or is commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to limit the number of concurrent sessions to ten for all accounts and/or account types.\n\nAdd the following line to the top of the /etc/security/limits.conf:\n\n* hard maxlogins 10
Rule ID: SV-90125r3_rule
Severity: medium
Rule Title: The Ubuntu operating system must prevent direct login into the root account.
Description: To assure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated.\n\nA group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users. Examples of group authenticators are the UNIX OS "root" user account, the Windows "Administrator" account, the "sa" account, or a "helpdesk" account.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user' capability allowing users to authenticate with their individual credentials and, when needed, 'switch' to the administrator role. This method provides for unique individual authentication prior to using a group authenticator.\n\nUsers (and any processes acting on behalf of users) need to be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the Ubuntu operating system without identification or authentication.\n\nRequiring individuals to be authenticated with an individual authenticator prior to using a group authenticator allows for traceability of actions, as well as adding an additional level of protection of the actions that can be taken with group account knowledge.
Check_content: Verify the Ubuntu operating system prevents direct logins to the root account.\n\nCheck that the Ubuntu operating system prevents direct logins to the root account with the following command:\n\n# passwd -S root\n\nroot L 11/11/2017 0 99999 7 -1\n\nThe second field is the account status reported by "passwd -S" ("L" = locked, "NP" = no password, "P" = usable password); it is not a field of /etc/shadow, so "grep root /etc/shadow" will not show it.\n\nIf the second field is not an "L", this is a finding.
Fixtext: Configure the Ubuntu operating system to prevent direct logins to the root account.\n\nRun the following command to lock the root account:\n\n# passwd -l root
Rule ID: SV-90129r3_rule
Severity: medium
Rule Title: The Ubuntu operating system must enforce password complexity by requiring that at least one upper-case character be used.
Description: Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Check_content: Verify the Ubuntu operating system enforces password complexity by requiring that at least one upper-case character be used.\n\nDetermine if the field "ucredit" is set in the "/etc/security/pwquality.conf" or "/etc/pwquality.conf.d/*.conf" files with the following command:\n\n# grep -i "ucredit" /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf\nucredit=-1\n\nIf the "ucredit" parameter is not equal to "-1", or is commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to enforce password complexity by requiring that at least one upper-case character be used.\n\nAdd or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the /etc/pwquality.conf.d/ directory to contain the "ucredit" parameter:\n\nucredit=-1
Rule ID: SV-90131r3_rule
Severity: medium
Rule Title: The Ubuntu operating system must enforce password complexity by requiring that at least one lower-case character be used.
Description: Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Check_content: Verify the Ubuntu operating system enforces password complexity by requiring that at least one lower-case character be used.\n\nDetermine if the field "lcredit" is set in the "/etc/security/pwquality.conf" or "/etc/pwquality.conf.d/*.conf" files with the following command:\n\n# grep -i "lcredit" /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf\nlcredit=-1\n\nIf the "lcredit" parameter is not equal to "-1", or is commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to enforce password complexity by requiring that at least one lower-case character be used.\n\nAdd or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the /etc/pwquality.conf.d/ directory to contain the "lcredit" parameter:\n\nlcredit=-1
Rule ID: SV-90133r3_rule
Severity: medium
Rule Title: The Ubuntu operating system must enforce password complexity by requiring that at least one numeric character be used.
Description: Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Check_content: Verify the Ubuntu operating system enforces password complexity by requiring that at least one numeric character be used.\n\nDetermine if the field "dcredit" is set in the "/etc/security/pwquality.conf" or "/etc/pwquality.conf.d/*.conf" files with the following command:\n\n# grep -i "dcredit" /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf\ndcredit=-1\n\nIf the "dcredit" parameter is not equal to "-1", or is commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to enforce password complexity by requiring that at least one numeric character be used.\n\nAdd or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the /etc/pwquality.conf.d/ directory to contain the "dcredit" parameter:\n\ndcredit=-1
Rule ID: SV-90135r3_rule
Severity: medium
Rule Title: All passwords must contain at least one special character.
Description: Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nSpecial characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.
Check_content: Verify the Ubuntu operating system enforces password complexity by requiring that at least one special character be used.\n\nDetermine if the field "ocredit" is set in the "/etc/security/pwquality.conf" file or "/etc/pwquality.conf.d/*.conf" files with the following command:\n\n# grep -i "ocredit" /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf\nocredit=-1\n\nIf the "ocredit" parameter is not equal to "-1", or is commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to enforce password complexity by requiring that at least one special character be used. \n\nAdd or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the /etc/pwquality.conf.d/ directory to contain the "ocredit" parameter:\n\nocredit=-1
Rule ID: SV-90137r3_rule
Severity: medium
Rule Title: The Ubuntu operating system must require the change of at least 8 characters when passwords are changed.
Description: If the Ubuntu operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.\n\nIf the password length is an odd number then number of changed characters must be rounded up. For example, a password length of 15 characters must require the change of at least 8 characters.
Check_content: Verify the Ubuntu operating system requires the change of at least "8" characters when passwords are changed.\n\nDetermine if the field "difok" is set in the "/etc/security/pwquality.conf" or "/etc/pwquality.conf.d/*.conf" files with the following command:\n\n# grep -i "difok" /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf\ndifok=8\n\nIf the "difok" parameter is less than "8", or is commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to require the change of at least "8" characters when passwords are changed.\n\nAdd or update the following line in the "/etc/security/pwquality.conf" or "/etc/pwquality.conf.d/*.conf" files to include the "difok=8" parameter:\n\ndifok=8
Rule ID: SV-90139r1_rule
Severity: medium
Rule Title: The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.
Description: Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.\n\nUnapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.\n\nFIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements.\n\n
Check_content: Verify that the shadow password suite configuration is set to encrypt password with a FIPS 140-2 approved cryptographic hashing algorithm.\n\nCheck the hashing algorithm that is being used to hash passwords with the following command:\n\n# cat /etc/login.defs | grep -i crypt\n\nENCRYPT_METHOD SHA512\n\nIf "ENCRYPT_METHOD" does not equal SHA512 or greater, this is a finding.
Fixtext: Configure the Ubuntu operating system to encrypt all stored passwords. \n\nEdit/Modify the following line in the "/etc/login.defs" file and set "[ENCRYPT_METHOD]" to SHA512.\n\nENCRYPT_METHOD SHA512
Rule ID: SV-90141r1_rule
Severity: medium
Rule Title: The Ubuntu operating system must employ a FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.
Description: The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy.\n\nPasswords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.\n\n
Check_content: Verify the shadow password suite configuration is set to encrypt interactive user passwords using a strong cryptographic hash with the following command:\n\nConfirm that the interactive user account passwords are using a strong password hash with the following command:\n\n# sudo cut -d: -f2 /etc/shadow\n\n$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/\n\nPassword hashes "!" or "*" indicate inactive accounts not available for logon and are not evaluated. If any interactive user password hash does not begin with "$6", this is a finding.
Fixtext: Configure the Ubuntu operating system to encrypt all stored passwords with a strong cryptographic hash.\n\nLock all interactive user accounts not using SHA-512 hashing until the passwords can be regenerated.
Rule ID: SV-90143r2_rule
Severity: medium
Rule Title: The Ubuntu operating system must employ FIPS 140-2 approved cryptographic hashing algorithms for all created passwords.
Description: The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy.\n\nPasswords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.\n\n
Check_content: Verify the shadow password suite configuration is set to create passwords using a strong cryptographic hash with the following command:\n\nCheck that a minimum number of hash rounds is configured by running the following command:\n\n# grep rounds /etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure sha512 rounds=5000\n\nIf "rounds" has a value below "5000", or is commented out, this is a finding.\n
Fixtext: Configure the Ubuntu operating system to encrypt all stored passwords with a strong cryptographic hash.\n\nEdit/modify the following line in the "/etc/pam.d/common-password" file and set "rounds" to a value no lower than "5000":\n\npassword [success=1 default=ignore] pam_unix.so obscure sha512 rounds=5000\n\nNote: 5000 is the default round count pam_unix already uses for sha512, so this value only makes the floor explicit; choose a higher value to actually raise the hashing work factor. The setting applies when a password is changed, so existing hashes are not re-computed until each user next changes their password.
Rule ID: SV-90145r2_rule
Severity: medium
Rule Title: The pam_unix.so module must use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
Description: Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.\n\nUbuntu operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. \n\nFIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system.
Check_content: Verify that pam_unix.so auth is configured to use sha512.\n\nCheck that pam_unix.so auth is configured to use sha512 with the following command:\n\n# grep password /etc/pam.d/common-password | grep pam_unix\n\npassword [success=1 default=ignore] pam_unix.so obscure sha512\n\nIf "sha512" is not an option of the output, or is commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.\n\nEdit/modify the following line in the file "/etc/pam.d/common-password" file to include the sha512 option for pam_unix.so:\n\npassword [success=1 default=ignore] pam_unix.so obscure sha512 shadow remember=5
Rule ID: SV-90149r1_rule
Severity: medium
Rule Title: Emergency administrator accounts must never be automatically removed or disabled.
Description: Emergency accounts are privileged accounts that are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. \n\nEmergency accounts are different from infrequently used accounts (i.e., local logon accounts used by the organization's system administrators when network or normal logon/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. A permanent account should be established for privileged users who need long-term maintenance accounts.\n\nTo address access requirements, many Ubuntu operating systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.
Check_content: Verify the Ubuntu operating system is configured such that the emergency administrator account is never automatically removed or disabled. \n\nCheck to see if the root account password or account expires with the following command:\n\n# sudo chage -l root\n\nPassword expires :never\n\nIf "Password expires" or "Account expires" is set to anything other than "never", this is a finding.
Fixtext: Replace "[Emergency_Administrator]" in the following command with the correct emergency administrator account. Run the following command as an administrator:\n\n# sudo chage -I -1 -M 99999 [Emergency_Administrator]
Rule ID: SV-90151r2_rule
Severity: medium
Rule Title: Passwords for new users must have a 24 hours/1 day minimum password lifetime restriction.
Description: Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.
Check_content: Verify that the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for new user accounts by running the following command:\n\n# grep -i pass_min_days /etc/login.defs\n\nPASS_MIN_DAYS 1\n\nIf the "PASS_MIN_DAYS" parameter value is less than "1", or commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime.\n\nAdd, or modify the following line in the "/etc/login.defs" file:\n\nPASS_MIN_DAYS 1
Rule ID: SV-90153r2_rule
Severity: medium
Rule Title: Passwords for new users must have a 60-day maximum password lifetime restriction.
Description: Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the Ubuntu operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the Ubuntu operating system passwords could be compromised.
Check_content: Verify that the Ubuntu operating system enforces a 60-day maximum password lifetime for new user accounts by running the following command:\n\n# grep -i pass_max_days /etc/login.defs\nPASS_MAX_DAYS 60\n\nIf the "PASS_MAX_DAYS" parameter value is greater than "60", or commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to enforce a 60-day maximum password lifetime.\n\nAdd, or modify the following line in the "/etc/login.defs" file:\n\nPASS_MAX_DAYS 60
Rule ID: SV-90155r2_rule
Severity: medium
Rule Title: Passwords must be prohibited from reuse for a minimum of five generations.
Description: Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.
Check_content: Verify that the Ubuntu operating system prevents passwords from being reused for a minimum of five generations by running the following command:\n\n# grep -i remember /etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure sha512 remember=5 rounds=5000\n\nIf the "remember" parameter value is not greater than or equal to "5", is commented out, or is not set at all this is a finding.
Fixtext: Configure the Ubuntu operating system to prevent passwords from being reused for a minimum of five generations.\n\nAdd or modify the "remember" parameter value on the following line in the "/etc/pam.d/common-password" file:\n\npassword [success=1 default=ignore] pam_unix.so obscure sha512 remember=5 rounds=5000
Rule ID: SV-90157r3_rule
Severity: medium
Rule Title: Passwords must have a minimum of 15-characters.
Description: The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\n\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
Check_content: Verify that the Ubuntu operating system enforces a minimum "15" character password length.\n\nDetermine if the field "minlen" is set in the "/etc/security/pwquality.conf" or "/etc/pwquality.conf.d/*.conf" files with the following command:\n\n# grep -i minlen /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf\nminlen=15\n\nIf "minlen" parameter value is not "15" or higher, or is commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to enforce a minimum 15-character password length.\n\nAdd or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the /etc/pwquality.conf.d/ directory to contain the "minlen" parameter:\n\nminlen=15
Rule ID: SV-90159r1_rule
Severity: high
Rule Title: The Ubuntu operating system must not have accounts configured with blank or null passwords.
Description: If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
Check_content: To verify that null passwords cannot be used, run the following command: \n\n# grep pam_unix.so /etc/pam.d/* | grep nullok\nIf this produces any output, it may be possible to log on with accounts with empty passwords.\n\nIf null passwords can be used, this is a finding.
Fixtext: If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating.\n\nRemove any instances of the "nullok" option in files under "/etc/pam.d/" to prevent logons with empty passwords.
Rule ID: SV-90161r4_rule
Severity: medium
Rule Title: The Ubuntu operating system must prevent the use of dictionary words for passwords.
Description: If the Ubuntu operating system allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.
Check_content: Verify the Ubuntu operating system prevents the use of dictionary words for passwords.\n\nDetermine if the field "dictcheck" is set in the "/etc/security/pwquality.conf" or "/etc/pwquality.conf.d/*.conf" files with the following command:\n\n# grep dictcheck /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf\n\ndictcheck=1\n\nIf the "dictcheck" parameter is not set to "1", or is commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to prevent the use of dictionary words for passwords.\n\nAdd or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the /etc/pwquality.conf.d/ directory to contain the "dictcheck" parameter:\n\ndictcheck=1
Rule ID: SV-90163r1_rule
Severity: medium
Rule Title: The passwd command must be configured to prevent the use of dictionary words as passwords.
Description: If the Ubuntu operating system allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.
Check_content: Verify the "passwd" command uses the common-password settings.\n\nCheck that the "passwd" command includes the common-password stack with the following command:\n\n# grep common-password /etc/pam.d/passwd\n\n@include common-password\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to prevent the use of dictionary words for passwords. \n\nEdit the file "/etc/pam.d/passwd" and add the following line (written exactly as shown, with no space between "@" and "include", or PAM will not recognize it as an include directive): \n\n@include common-password
Rule ID: SV-90165r3_rule
Severity: medium
Rule Title: Account identifiers (individuals, groups, roles, and devices) must be disabled after 35 days of inactivity.
Description: Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.\n\nUbuntu operating systems need to track periods of inactivity and disable application identifiers after 35 days of inactivity.
Check_content: Verify the account identifiers (individuals, groups, roles, and devices) are disabled after "35" days of inactivity with the following command:\n\nCheck the account inactivity value by performing the following command:\n\n# sudo grep -i inactive /etc/default/useradd\n\nINACTIVE=35\n\nIf "INACTIVE" is not set to a value "0<[VALUE]<=35", or is commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to disable account identifiers after 35 days of inactivity after the password expiration. \n\nRun the following command to change the configuration for useradd:\n\n# sudo useradd -D -f 35\n\nDoD recommendation is 35 days, but a lower value is acceptable. The value "-1" will disable this feature, and "0" will disable the account immediately after the password expires.
Rule ID: SV-90167r3_rule
Severity: medium
Rule Title: The Ubuntu operating system must automatically lock an account until the locked account is released by an administrator after three unsuccessful logon attempts.
Description: By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.\n\n
Check_content: Verify the Ubuntu operating system automatically locks an account until the account lock is released by an administrator when three unsuccessful logon attempts are made.\n\nCheck that the Ubuntu operating system automatically locks an account after three unsuccessful attempts with the following command:\n\n# grep pam_tally /etc/pam.d/common-auth\n\nauth required pam_tally2.so onerr=fail deny=3\n\nIf "onerr=fail deny=3" is not used in "/etc/pam.d/common-auth" or is called with "unlock_time", this is a finding.
Fixtext: Configure the Ubuntu operating system to automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts are made by adding the following line to the "/etc/pam.d/common-auth" file, placed ahead of the "pam_unix.so" line so that each failed attempt is counted before the auth stack can short-circuit on the failure:\n\nauth required pam_tally2.so onerr=fail deny=3
Rule ID: SV-90169r2_rule
Severity: medium
Rule Title: The Ubuntu operating system must require users to re-authenticate for privilege escalation and changing roles.
Description: Without re-authentication, users may access resources or perform tasks for which they do not have authorization. \n\nWhen Ubuntu operating systems provide the capability to escalate a functional capability or change security roles, it is critical the user re-authenticate.\n\n
Check_content: Verify that "/etc/sudoers" has no occurrences of "NOPASSWD" or "!authenticate".\n\nCheck that the "/etc/sudoers" file and the files in the "/etc/sudoers.d" directory have no occurrences of "NOPASSWD" or "!authenticate" by running the following command:\n\n# sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers /etc/sudoers.d/*\n\n%wheel ALL=(ALL) NOPASSWD: ALL   (example of a non-compliant entry)\n\nIf any occurrences of "NOPASSWD" or "!authenticate" return from the command, this is a finding.
Fixtext: Remove any occurrence of "NOPASSWD" or "!authenticate" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory.
Rule ID: SV-90171r1_rule
Severity: medium
Rule Title: Temporary user accounts must be provisioned with an expiration time of 72 hours or less.
Description: If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.\n\nTemporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation.\n\nIf temporary accounts are used, the Ubuntu operating system must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address access requirements, many Ubuntu operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.
Check_content: Verify that temporary accounts have been provisioned with an expiration date within 72 hours.\n\nFor every existing temporary account, run the following command to obtain its account expiration information.\n\n# sudo chage -l system_account_name\n\nVerify each of these accounts has an expiration date set within 72 hours.\nIf any temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.
Fixtext: If a temporary account must be created, configure the system to terminate the account after a 72-hour time period with the following command to set an expiration date on it. Substitute "system_account_name" with the account to be created.\n\n# sudo chage -E $(date -d "+3 days" +%Y-%m-%d) system_account_name
Rule ID: SV-90173r1_rule
Severity: medium
Rule Title: The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.
Description: Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.
Check_content: Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon prompts following a failed logon attempt.\n\nCheck that the Ubuntu operating system enforces a delay of at least 4 seconds between logon prompts with the following command:\n\n# grep pam_faildelay /etc/pam.d/common-auth*\n\nauth required pam_faildelay.so delay=4000000\n\nIf the line is not present, or is commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.\n\nEdit the file "/etc/pam.d/common-auth" and set the parameter "pam_faildelay" to a value of 4000000 or greater:\n\nauth required pam_faildelay.so delay=4000000
Rule ID: SV-90175r3_rule
Severity: high
Rule Title: Unattended or automatic login via the GUI must not be allowed.
Description: Failure to restrict system access to authenticated users negatively impacts Ubuntu operating system security.
Check_content: Verify that unattended or automatic login via the GUI is disabled.\n\nCheck that unattended or automatic login is disabled with the following command:\n\n# sudo grep -i autologin-user /etc/lightdm/lightdm.conf\n\nautologin-user=\nautologin-user-timeout=0\n\nIf the "autologin-user" parameter is set to a user name (i.e., it is present, uncommented, and not blank), this is a finding.\nIf the "autologin-user-timeout" parameter is present, uncommented, and set to a value other than 0, this is a finding.\nA blank or commented-out "autologin-user" leaves automatic login disabled and is compliant, which is what the Fixtext produces.\n
Fixtext: Configure the GUI to not allow unattended or automatic login to the system.\n\nComment the following lines in "/etc/lightdm/lightdm.conf" file:\n\n#autologin-user=\n#autologin-user-timeout=0
Rule ID: SV-90177r1_rule
Severity: low
Rule Title: The Ubuntu operating system must display the date and time of the last successful account logon upon logon.
Description: Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.
Check_content: Verify users are provided with feedback on when account accesses last occurred.\n\nCheck that "pam_lastlog" is used and not silent with the following command:\n\n# grep pam_lastlog /etc/pam.d/login\n\nsession required pam_lastlog.so showfailed\n\nIf "pam_lastlog" is missing from "/etc/pam.d/login" file, or the "silent" option is present, this is a finding.
Fixtext: Configure the Ubuntu operating system to provide users with feedback on when account accesses last occurred by setting the required configuration option in "/etc/pam.d/login". \n\nAdd the following line to the top of "/etc/pam.d/login":\n\nsession required pam_lastlog.so showfailed
Rule ID: SV-90179r1_rule
Severity: high
Rule Title: There must be no .shosts files on the Ubuntu operating system.
Description: The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.
Check_content: Verify there are no ".shosts" files on the Ubuntu operating system.\n\nCheck the system for the existence of these files with the following command:\n\n# sudo find / -name '*.shosts'\n\nIf any ".shosts" files are found, this is a finding.
Fixtext: Remove any found ".shosts" files from the Ubuntu operating system.\n\n# rm /[path]/[to]/[file]/.shosts
Rule ID: SV-90181r2_rule
Severity: high
Rule Title: There must be no shosts.equiv files on the Ubuntu operating system.
Description: The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.
Check_content: Verify there are no "shosts.equiv" files on the Ubuntu operating system.\n\nCheck for the existence of these files with the following command:\n\n# find / -name shosts.equiv\n\nIf a "shosts.equiv" file is found, this is a finding.
Fixtext: Remove any found "shosts.equiv" files from the Ubuntu operating system.\n\n# rm /etc/ssh/shosts.equiv
Rule ID: SV-90183r2_rule
Severity: high
Rule Title: The Ubuntu operating system must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
Description: Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The Ubuntu operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\n
Check_content: Verify the system is configured to run in FIPS mode.\n\nCheck that the system is configured to run in FIPS mode with the following command:\n\n# grep -i 1 /proc/sys/crypto/fips_enabled\n1\n\nIf a value of "1" is not returned, this is a finding.
Fixtext: Configure the system to run in FIPS mode. Add "fips=1" to the kernel parameter during the Ubuntu operating systems install.\n\nNote: Enabling a FIPS mode on a pre-existing system involves a number of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 16.04 FIPS 140-2 security policy document for instructions. A subscription to the "Ubuntu Advantage" plan is required in order to obtain the FIPS Kernel cryptographic modules and enable FIPS.
Rule ID: SV-90185r3_rule
Severity: high
Rule Title: Ubuntu operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.
Description: To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.\n\nAccess control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system.
Check_content: Verify that an encrypted root password is set. This is only applicable on systems that use a Basic Input/Output System (BIOS).\n\nRun the following command to verify the encrypted password is set:\n\n# grep -i password /boot/grub/grub.cfg\n\npassword_pbkdf2 root grub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG\n\nIf the root password entry does not begin with "password_pbkdf2", this is a finding.
Fixtext: Configure the system to require a password for authentication upon booting into single-user and maintenance modes.\n\nGenerate an encrypted (grub) password for root with the following command:\n\n# grub-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of your password is\ngrub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\n\nThe output is a single long hash string of the form:\ngrub.pbkdf2.sha512.10000.FC58373BCA15A797C418C1EA7FFB007BF5A5 \n\nCopy the complete generated hash.\nEdit the file /etc/grub.d/40_custom (or a custom configuration file in the /etc/grub.d/ directory):\n\nAt the end of the file add the following commands (note the space in "set superusers"):\n\nset superusers="root"\npassword_pbkdf2 root grub.pbkdf2.sha512.10000.LONGSTRING\n\nSave the file and exit\nRun: sudo update-grub\nReboot
Rule ID: SV-90187r2_rule
Severity: high
Rule Title: Ubuntu operating systems booted with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user and maintenance modes.
Description: To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.\n\nAccess control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system.
Check_content: Verify that an encrypted root password is set. This is only applicable on Ubuntu operating systems that use UEFI.\n\nRun the following command to verify the encrypted password is set:\n\n# grep -i password /boot/efi/EFI/grub.cfg\npassword_pbkdf2 root grub.pbkdf2.sha512.10000.VeryLongString\n\nIf the root password entry does not begin with "password_pbkdf2", this is a finding.
Fixtext: Configure the system to require a password for authentication upon booting into single-user and maintenance modes.\n\nGenerate an encrypted (grub) password for root with the following command:\n\n# grub-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of your password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\nUsing the hash from the output, add the following two lines to the end of "/etc/grub.d/40_custom" (or a custom configuration file in the /etc/grub.d/ directory). Do not redirect them over "/etc/grub.d/10_linux", which is a generator script that grub-mkconfig needs intact:\n\nset superusers="root"\npassword_pbkdf2 root grub.pbkdf2.sha512.10000.VeryLongString\n\nGenerate an updated "grub.cfg" file with the new password using the following commands:\n\n# grub-mkconfig --output=/tmp/grub2.cfg\n# mv /tmp/grub2.cfg /boot/efi/EFI/grub.cfg
Rule ID: SV-90189r1_rule
Severity: high
Rule Title: All persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
Description: Ubuntu operating systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).\n\n
Check_content: Verify the Ubuntu operating system prevents unauthorized disclosure or modification of all information requiring at rest protection by using disk encryption. \n\nIf there is a documented and approved reason for not having data-at-rest encryption, this requirement is Not Applicable.\n\nDetermine the partition layout for the system with the following command:\n\n# fdisk -l\n\nVerify that the system partitions are all encrypted with the following command:\n\n# more /etc/crypttab\n\nEvery persistent disk partition present must have an entry in the file. If any partitions other than pseudo file systems (such as /proc or /sys) are not listed, this is a finding.
Fixtext: Configure the Ubuntu operating system to prevent unauthorized modification of all information at rest by using disk encryption. \n\nEncrypting a partition in an already-installed system is more difficult, because you need to resize and change existing partitions. To encrypt an entire partition, dedicate a partition for encryption in the partition layout.
Rule ID: SV-90191r1_rule
Severity: medium
Rule Title: All public directories must be owned by root to prevent unauthorized and unintended information transferred via shared system resources.
Description: Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.\n\nThis requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies.\n\nThere may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components.
Check_content: Verify that all public directories are owned by root to prevent unauthorized and unintended information transferred via shared system resources.\n\nCheck to see that all public directories have the public sticky bit set by running the following command:\n\n# sudo find / -type d -perm -0002 -exec ls -lLd {} \\;\n\ndrwxrwxrwxt 7 root root 4096 Jul 26 11:19 /tmp\n\nIf any of the returned directories are not owned by root, this is a finding.
Fixtext: Configure all public directories to be owned by root to prevent unauthorized and unintended information transferred via shared system resources.\n\nSet the owner of all public directories as root using the command, replace "[Public Directory]" with any directory path not owned by root:\n\n# sudo chown root [Public Directory]
Rule ID: SV-90193r3_rule
Severity: medium
Rule Title: All world-writable directories must be group-owned by root, sys, bin, or an application group.
Description: If a world-writable directory has the sticky bit set and is not group-owned by a privileged Group Identifier (GID), unauthorized users may be able to modify files created by others.\n\nThe only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.\n
Check_content: Verify that all world-writable directories are group-owned by root to prevent unauthorized and unintended information transferred via shared system resources.\n\nCheck the system for world-writable directories with the following command:\n\n# sudo find / -type d -perm -0002 -exec ls -lLd {} \\;\n\ndrwxrwxrwxt 7 root root 4096 Jul 26 11:19 /tmp\n\nIf any world-writable directories are not owned by root, sys, bin, or an application group associated with the directory, this is a finding.
Fixtext: Change the group of the world-writable directories to root, sys, bin, or an application group with the following command, replacing "[world-writable Directory]":\n\n# sudo chgrp root [world-writable Directory]
Rule ID: SV-90195r3_rule
Severity: medium
Rule Title: A file integrity tool must be installed to verify correct operation of all security functions in the Ubuntu operating system.
Description: Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.\n\nThis requirement applies to Ubuntu operating systems performing security function verification/testing and/or systems and environments that require this functionality.
Check_content: Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the correct operation of all security functions.\n\nCheck that the AIDE package is installed with the following command:\n\n# sudo apt list aide\n\naide/xenial,now 0.16~a2.git20130520-3 amd64 [installed]\n\nIf AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. \n\nIf there is no application installed to perform integrity checks, this is a finding.
Fixtext: Install the AIDE package by running the following command:\n\n# sudo apt-get install aide
Rule ID: SV-90197r2_rule
Severity: medium
Rule Title: The file integrity tool must perform verification of the correct operation of security functions: upon system start-up and/or restart; upon command by a user with privileged access; and/or every 30 days.
Description: Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.\n\nNotifications provided by information systems include, for example, electronic alerts to system administrators, messages to local computer consoles, and/or hardware indications, such as lights.\n\nThis requirement applies to Ubuntu operating systems performing security function verification/testing and/or systems and environments that require this functionality.
Check_content: Verify that Advanced Intrusion Detection Environment (AIDE) performs a verification of the operation of security functions every 30 days.\n\nNote: A file integrity tool other than AIDE may be used, but the tool must be executed at least once per week.\n\nCheck that AIDE is being executed every 30 days or less with the following command:\n\n# ls -al /etc/cron.daily/aide\n\n-rwxr-xr-x 1 root root 26049 Oct 24 2014 /etc/cron.daily/aide\n\nIf the "/etc/cron.daily/aide" file does not exist or the cron job is not configured to run at least every 30 days, this is a finding.
Fixtext: The cron file for AIDE is fairly complex as it creates the report. The easiest way to create the file is to update the AIDE package with the following command:\n\n# sudo apt-get install aide
Rule ID: SV-90199r3_rule
Severity: low
Rule Title: The file integrity tool must be configured to verify Access Control Lists (ACLs).
Description: ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools.
Check_content: Verify the file integrity tool is configured to verify Access Control Lists (ACLs).\n\nUse the following command to determine if the file is in a location other than "/etc/aide/aide.conf":\n\n# find / -name aide.conf\n\nCheck the "aide.conf" file to determine if the "acl" rule has been added to the rule list being applied to the files and directories selection lists with the following command:\n\n# egrep "[+]?acl" /etc/aide/aide.conf\n\nVarFile = OwnerMode+n+l+X+acl\n\nIf the "acl" rule is not being used on all selection lines in the "/etc/aide.conf" file, is commented out, or ACLs are not being checked by another file integrity tool, this is a finding.
Fixtext: Configure the file integrity tool to check file and directory ACLs. \n\nIf AIDE is installed, ensure the "acl" rule is present on all file and directory selection lists.
Rule ID: SV-90201r1_rule
Severity: low
Rule Title: The file integrity tool must be configured to verify extended attributes.
Description: Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.
Check_content: Verify the file integrity tool is configured to verify extended attributes.\n\nCheck to see if Advanced Intrusion Detection Environment (AIDE) is installed with the following command:\n\n# dpkg -l |grep aide\n\nii aide 0.16~a2.git20130520-3\nii aide-common 0.16~a2.git20130520-3\n\nIf AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.\n\nIf there is no application installed to perform integrity checks, this is a finding.\n\nNote: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory. \n\nUse the following command to determine if the file is in another location:\n\n# find / -name aide.conf\n\nCheck the "aide.conf" file to determine if the "xattrs" rule has been added to the rule list being applied to the files and directories selection lists with the following command:\n\n# egrep "[+]?xattrs" /etc/aide/aide.conf\n\nVarFile = OwnerMode+n+l+X+xattrs\n\nIf the "xattrs" rule is not being used on all selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.
Fixtext: Configure the file integrity tool to check file and directory extended attributes. \n\nIf AIDE is installed, ensure the "xattrs" rule is present on all file and directory selection lists.
Rule ID: SV-90203r3_rule
Severity: medium
Rule Title: The file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered.
Description: Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the Ubuntu operating system. Changes to Ubuntu operating system configurations can have unintended side effects, some of which may be relevant to security.\n\nSecurity function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.\n\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.\n\nNotifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights.\n\nThis capability must take into account operational requirements for availability for selecting an appropriate response. The organization may choose to shut down or restart the information system upon security function anomaly detection.\n\n
Check_content: Verify that Advanced Intrusion Detection Environment (AIDE) notifies the system administrator when anomalies in the operation of any security functions are discovered.\n\nCheck that AIDE notifies the system administrator when anomalies in the operation of any security functions are discovered with the following command:\n\n# sudo grep SILENTREPORTS /etc/default/aide\n\nSILENTREPORTS=no\n\nIf the "/etc/cron.daily/aide" file does not exist, the cron job is configured with the "SILENTREPORTS=yes" option, or the line is commented out, this is a finding.
Fixtext: Modify the "SILENTREPORTS" parameter in the "/etc/default/aide" file to have the value "no", adding the line if it does not already exist:\n\nSILENTREPORTS=no\n
Rule ID: SV-90205r2_rule
Severity: medium
Rule Title: The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of audit tools.
Description: Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject code into the existing tools with the purpose of providing the capability to hide or erase system activity from the audit logs.\n\nTo address this risk, audit tools must be cryptographically signed in order to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files.
Check_content: Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use cryptographic mechanisms to protect the integrity of audit tools.\n\nCheck the selection lines that aide is configured to add/check with the following command:\n\n# egrep '(\\/usr\\/sbin\\/(audit|au))' /etc/aide/aide.conf\n\n/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/audispd p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattr+sha512\n\nIf any of the seven audit tools does not have an appropriate selection line, this is a finding.
Fixtext: Add or update the following selection lines to "/etc/aide/aide.conf", in order to protect the integrity of the audit tools.\n\n# Audit Tools\n/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/audispd p+i+n+u+g+s+b+acl+xattr+sha512\n/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattr+sha512
Rule ID: SV-90207r2_rule
Severity: medium
Rule Title: Advance package Tool (APT) must be configured to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.
Description: Changes to any software components can have significant effects on the overall security of the Ubuntu operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device drivers, or Ubuntu operating system components must be signed with a certificate recognized and approved by the organization.\n\nVerifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. Setting the "Verify-Peer" Boolean will determine whether or not the server's host certificate should be verified against trusted certificates. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The Ubuntu operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA.
Check_content: Verify that Advance package Tool (APT) is configured to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.\n\nCheck that the "AllowUnauthenticated" variable is not set at all or is set to "false" with the following command:\n\n# grep -i allowunauth /etc/apt/apt.conf.d/*\n/etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated "false";\n\nIf any of the files returned by the command have "AllowUnauthenticated" set to "true", this is a finding.
Fixtext: Configure Advance package Tool (APT) to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.\n\nUpdate any APT configuration file that contains the variable "AllowUnauthenticated" so that it is set to "false", or remove "AllowUnauthenticated" entirely from each file. Below is an example of setting the "AllowUnauthenticated" variable to "false":\n\nAPT::Get::AllowUnauthenticated "false";
Rule ID: SV-90209r1_rule
Severity: medium
Rule Title: Advance package Tool (APT) must remove all software components after updated versions have been installed.
Description: Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.
Check_content: Verify Advance package Tool (APT) is configured to remove all software components after updated versions have been installed.\n\nCheck that APT is configured to remove all software components after updating with the following command:\n\n# grep -i remove-unused /etc/apt/apt.conf.d/50unattended-upgrades\nUnattended-Upgrade::Remove-Unused-Dependencies "true";\n\nIf the "Remove-Unused-Dependencies" parameter is not set to "true", or is missing, this is a finding.
Fixtext: Configure APT to remove all software components after updated versions have been installed.\n\nAdd or update the following option in the "/etc/apt/apt.conf.d/50unattended-upgrades" file:\n\nUnattended-Upgrade::Remove-Unused-Dependencies "true";
Rule ID: SV-90211r2_rule
Severity: medium
Rule Title: Automatic mounting of Universal Serial Bus (USB) mass storage driver must be disabled.
Description: Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.\n\nPeripherals include, but are not limited to, such devices as flash drives, external storage, and printers.
Check_content: Verify that automatic mounting of the Universal Serial Bus (USB) mass storage driver has been disabled.\n\nCheck that the USB mass storage driver has not been loaded with the following command:\n\n#lsmod | grep usb-storage\n\nIf a "usb-storage" line is returned, this is a finding.\n\nCheck that automatic mounting of the USB mass storage driver has been disabled with the following command:\n\n#sudo modprobe -vn usb-storage\n\ninstall /bin/true\n\nIf "install /bin/true" is not returned, this is a finding.
Fixtext: Disable the mounting of the Universal Serial Bus (USB) mass storage driver by running the following command: \n\n# sudo echo "install usb-storage /bin/true" >> /etc/modprobe.d/DISASTIG.conf\n\nNote: the ">>" redirection is performed by the invoking user's shell, not by sudo, so this command must be run from a root shell for the write to succeed.
Rule ID: SV-90213r2_rule
Severity: medium
Rule Title: File system automounter must be disabled unless required.
Description: Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.\n\n
Check_content: Verify the Ubuntu operating system disables the ability to automount devices.\n\nCheck to see if the automounter service is active with the following command:\n\n# systemctl status autofs\n autofs.service - LSB: Automounts filesystems on demand\n Loaded: loaded (/etc/init.d/autofs; bad; vendor preset: enabled)\n Active: active (running) since Thu 2017-05-04 07:53:51 EDT; 6 days ago\n Docs: man:systemd-sysv-generator(8)\n CGroup: /system.slice/autofs.service\n +-24206 /usr/sbin/automount --pid-file /var/run/autofs.pid\n\nIf the "autofs" status is set to "active" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
Fixtext: Configure the Ubuntu operating system to disable the ability to automount devices.\n\nTurn off the automount service with the following command:\n\n# sudo systemctl stop autofs\n\nIf "autofs" is required for Network File System (NFS), it must be documented with the Information System Security Officer (ISSO).
Rule ID: SV-90215r2_rule
Severity: medium
Rule Title: Pam_Apparmor must be configured to allow system administrators to pass information to any other Ubuntu operating system administrator or user, change security attributes, and to confine all non-privileged users from executing functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
Description: Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.\n\nWhen discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.\n\n
Check_content: Verify the Ubuntu operating system is configured to allow system administrators to pass information to any other Ubuntu operating system administrator or user.\n\nCheck that "Pam_Apparmor" is installed on the system with the following command:\n\n# sudo apt list libpam-apparmor\n\nlibpam-apparmor/xenial-updates,now 2.10.95-0ubuntu2.7 amd64 [installed]\n\nIf the "Pam_Apparmor" package is not installed, this is a finding.\n\nCheck that Pam_Apparmor has properly configured profiles\n\n# sudo apparmor_status\n\napparmor module is loaded.\n13 profiles are loaded.\n13 profiles are in enforce mode.\n /sbin/dhclient\n ...\n lxc-container-default-with-nesting\n0 profiles are in complain mode.\n\nIf all loaded profiles are not in "enforce" mode, or there are any profiles in "complain" mode, this is a finding.
Fixtext: Configure the Ubuntu operating system to allow system administrators to pass information to any other Ubuntu operating system administrator or user.\n\nInstall "Pam_Apparmor" (if it is not installed) with the following command:\n\n# sudo apt-get install libpam-apparmor\n\nEnable/Activate "Apparmor" (if it is not already active) with the following command:\n\n# sudo systemctl enable apparmor.service\n\nStart "Apparmor" with the following command:\n\n# sudo systemctl start apparmor.service\n\nNote: Pam_Apparmor must have properly configured profiles. All configurations will be based on the actual system setup and organization. See the "Pam_Apparmor" documentation for more information on configuring profiles.
Rule ID: SV-90217r2_rule
Severity: medium
Rule Title: The Apparmor module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs and limit the ability of non-privileged users to grant other users direct access to the contents of their home directories/folders.
Description: The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.\n\nUtilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of white-listed software occurs prior to execution or at system startup.\n\nUsers' home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources.\n\n
Check_content: Verify the Ubuntu operating system is configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs and access to user home directories.\n\nCheck that "Apparmor" is configured to employ application whitelisting and home directory access control with the following command:\n\n# sudo apparmor_status\n\napparmor module is loaded.\n13 profiles are loaded.\n13 profiles are in enforce mode.\n /sbin/dhclient\n ...\n lxc-container-default-with-nesting\n0 profiles are in complain mode.\n\nIf the defined profiles do not match the organization's list of authorized software, this is a finding.
Fixtext: Configure the Ubuntu operating system to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.\n\nInstall "Apparmor" (if it is not installed) with the following command:\n\n# sudo apt-get install libpam-apparmor\n\nEnable/Activate "Apparmor" (if it is not already active) with the following command:\n\n# sudo systemctl enable apparmor.service\n\nStart "Apparmor" with the following command:\n\n# sudo systemctl start apparmor.service\n\nNote: Apparmor must have properly configured profiles for applications and home directories. All configurations will be based on the actual system setup and organization and normally are on a per role basis. See the "Apparmor" documentation for more information on configuring profiles.
Rule ID: SV-90221r2_rule
Severity: high
Rule Title: The x86 Ctrl-Alt-Delete key sequence must be disabled.
Description: A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.
Check_content: Verify the Ubuntu operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed.\n\nCheck that the "ctrl-alt-del.target" (otherwise also known as reboot.target) is not active with the following command:\n\n# systemctl status ctrl-alt-del.target\nreboot.target - Reboot\n Loaded: loaded (/usr/lib/systemd/system/reboot.target; disabled)\n Active: inactive (dead)\n Docs: man:systemd.special(7)\n\nIf the "ctrl-alt-del.target" is active, this is a finding.
Fixtext: Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following command:\n\n# sudo systemctl mask ctrl-alt-del.target\n\nThen reload the daemon for the change to take effect:\n\n# sudo systemctl daemon-reload\n\nIf GNOME is active on the system, create a database to contain the system-wide setting (if it does not already exist) with the following command: \n\n# cat /etc/dconf/db/local.d/00-disable-CAD \n\nAdd the setting to disable the Ctrl-Alt-Delete sequence for GNOME:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=''
Rule ID: SV-90223r2_rule
Severity: medium
Rule Title: Default permissions must be defined in such a way that all authenticated users can only read and modify their own files.
Description: Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access.
Check_content: Verify the Ubuntu operating system defines default permissions for all authenticated users in such a way that the user can only read and modify their own files.\n\nCheck that the Ubuntu operating system defines default permissions for all authenticated users with the following command: \n\n# grep -i "umask" /etc/login.defs\n\nUMASK 077\n\nIf the "UMASK" variable is set to "000", this is a finding with the severity raised to a CAT I.\n\nIf the value of "UMASK" is not set to "077", "UMASK" is commented out, or "UMASK" is missing completely, this is a finding.
Fixtext: Configure the system to define the default permissions for all authenticated users in such a way that the user can only read and modify their own files.\n\nEdit the "UMASK" parameter in the "/etc/login.defs" file to match the example below:\n\nUMASK 077
Rule ID: SV-90225r2_rule
Severity: medium
Rule Title: The Ubuntu operating system must not have unnecessary accounts.
Description: Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.
Check_content: Verify all accounts on the system are assigned to an active system, application, or user account.\n\nObtain the list of authorized system accounts from the Information System Security Officer (ISSO).\n\nCheck the system accounts on the system with the following command:\n\n# more /etc/passwd\nroot:x:0:0:root:/root:/bin/bash\n...\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\n\nAccounts such as "games" and "gopher" are not authorized accounts as they do not support authorized system functions. \n\nIf the accounts on the system do not match the provided documentation, or accounts that do not support an authorized system function are present, this is a finding.
Fixtext: Configure the system so all accounts on the system are assigned to an active system, application, or user account. \n\nRemove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions. \n\nDocument all authorized accounts on the system.
Rule ID: SV-90227r2_rule
Severity: medium
Rule Title: Duplicate User IDs (UIDs) must not exist for interactive users.
Description: To assure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system.\n\nInteractive users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Interactive users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: \n\n1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and\n\n2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.\n\n
Check_content: Verify that the Ubuntu operating system contains no duplicate User IDs (UIDs) for interactive users.\n\nCheck that the Ubuntu operating system contains no duplicate UIDs for interactive users with the following command:\n\n# awk -F ":" \'list[$3]++{print $1, $3}\' /etc/passwd\n\nIf output is produced, and the accounts listed are interactive user accounts, this is a finding.
Fixtext: Edit the file "/etc/passwd" and provide each interactive user account that has a duplicate User ID (UID) with a unique UID.
Rule ID: SV-90229r1_rule
Severity: high
Rule Title: The root account must be the only account having unrestricted access to the system.
Description: If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire Ubuntu operating system. Multiple accounts with a UID of "0" afford an opportunity for potential intruders to guess a password for a privileged account.
Check_content: Check the Ubuntu operating system for duplicate User ID (UID) "0" assignments with the following command:\n\n# awk -F: \'$3 == 0 {print $1}\' /etc/passwd\n\nroot\n\nIf any accounts other than root have a UID of "0", this is a finding.
Fixtext: Change the User ID (UID) of any account on the system, other than root, that has a UID of "0". \n\nIf the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned.
Rule ID: SV-90231r1_rule todo?
Severity: medium
Rule Title: User accounts with temporary passwords, must require an immediate change to a permanent password after login.
Description: Without providing this capability, an account may be created without a password. Non-repudiation cannot be guaranteed once an account is created if a user is not forced to change the temporary password upon initial logon.\n\nTemporary passwords are typically used to allow access when new accounts are created or passwords are changed. It is common practice for administrators to create temporary passwords for user accounts which allow the users to log on, yet force them to change the password once they have successfully authenticated.
Check_content: Verify a policy exists that ensures when a user account is created, it is created using a method that forces a user to change their password upon their next login.\n\nIf a policy does not exist, this is a finding.
Fixtext: Create a policy that ensures when a user is created, it is created using a method that forces a user to change their password upon their next login.\n\nBelow are two examples of how to create a user account that requires the user to change their password upon their next login.\n\n# chage -d 0 [UserName]\n\nor \n\n# passwd -e [UserName]
Rule ID: SV-90233r2_rule
Severity: medium
Rule Title: Pluggable Authentication Module (PAM) must prohibit the use of cached authentications after one day.
Description: If cached authentication information is out-of-date, the validity of the authentication information may be questionable.
Check_content: Verify that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day.\n\nNote: If smart card authentication is not being used on the system this item is Not Applicable.\n\nCheck that PAM prohibits the use of cached authentications after one day with the following command:\n\n# sudo grep -i "timestamp_timeout" /etc/pam.d/*\n\ntimestamp_timeout=86400\n\nIf "timestamp_timeout" is not set to a value of "86400" or less, or is commented out, this is a finding.
Fixtext: Configure Pluggable Authentication Module (PAM) to prohibit the use of cached authentications after one day. \n\nAdd or change the following line in "/etc/pam.d/common-auth" or "/etc/pam.d/common-session" just below the line "[pam]".\n\ntimestamp_timeout = 86400\n\nNote: "[pam]" is a section header of the sssd.conf format, not a construct of the pam.d files; confirm which module actually consumes "timestamp_timeout" on the system before editing. Do not confuse this with the sudoers option of the same name, whose value is expressed in minutes rather than seconds.
Rule ID: SV-90235r1_rule
Severity: medium
Rule Title: All files and directories must have a valid owner.
Description: Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier "UID" as the UID of the un-owned files.
Check_content: Verify all files and directories on the Ubuntu operating system have a valid owner.\n\nCheck the owner of all files and directories with the following command:\n\n# sudo find / -nouser\n\nIf any files on the system do not have an assigned owner, this is a finding.
Fixtext: Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories on the Ubuntu operating system with the "chown" command:\n\n# sudo chown <user> <file>
Rule ID: SV-90237r1_rule
Severity: medium
Rule Title: All files and directories must have a valid group owner.
Description: Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files without a valid group owner.
Check_content: Verify all files and directories on the Ubuntu operating system have a valid group.\n\nCheck the owner of all files and directories with the following command:\n\n# sudo find / -nogroup\n\nIf any files on the system do not have an assigned group, this is a finding.
Fixtext: Either remove all files and directories from the Ubuntu operating system that do not have a valid group, or assign a valid group to all files and directories on the system with the "chgrp" command:\n\n# sudo chgrp <group> <file>
Rule ID: SV-90239r1_rule
Severity: medium
Rule Title: All local interactive users must have a home directory assigned in the /etc/passwd file.
Description: If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
Check_content: Verify local interactive users on the Ubuntu operating system have a home directory assigned.\n\nCheck for missing local interactive user home directories with the following command:\n\n# sudo pwck -r\nuser \'lp\': directory \'/var/spool/lpd\' does not exist\nuser \'news\': directory \'/var/spool/news\' does not exist\nuser \'uucp\': directory \'/var/spool/uucp\' does not exist\nuser \'www-data\': directory \'/var/www\' does not exist\n\nAsk the System Administrator (SA) if any users found without home directories are local interactive users. If the SA is unable to provide a response, check for users with a User Identifier (UID) of 1000 or greater with the following command:\n\n# sudo awk -F: \'($3>=1000)&&($1!="nobody"){print $1,$3,$6}\' /etc/passwd\n\nNote: The command originally given for this step, "cut -d: -f 1,3 /etc/passwd | egrep ":[1-4][0-9]{2}$|:[0-9]{1,2}$"", matches UIDs below 500 and would miss every UID of 1000 or greater.\n\nIf any interactive users do not have a home directory assigned, this is a finding.
Fixtext: Assign home directories to all local interactive users on the Ubuntu operating system that currently do not have a home directory assigned.
Rule ID: SV-90241r1_rule
Severity: medium
Rule Title: All local interactive user accounts, upon creation, must be assigned a home directory.
Description: If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
Check_content: Verify all local interactive users on the Ubuntu operating system are assigned a home directory upon creation.\n\nCheck to see if the system is configured to create home directories for local interactive users with the following command:\n\n# grep -i create_home /etc/login.defs\nCREATE_HOME yes\n\nIf the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to assign home directories to all new local interactive users by setting the "CREATE_HOME" parameter in "/etc/login.defs" to "yes" as follows.\n\nCREATE_HOME yes
Rule ID: SV-90243r1_rule
Severity: medium
Rule Title: All local interactive user home directories defined in the /etc/passwd file must exist.
Description: If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.
Check_content: Verify the assigned home directory of all local interactive users on the Ubuntu operating system exists.\n\nCheck the home directory assignment for all local interactive non-privileged users with the following command:\n\n# ls -ld $(awk -F: \'($3>=1000)&&($1!="nobody"){print $6}\' /etc/passwd)\n\ndrwxr-xr-x 2 smithj admin 4096 Jun 5 12:41 smithj\n\nNote: This may miss interactive users that have been assigned a privileged User ID (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information.\n\nCheck that all referenced home directories exist with the following command:\n\n# pwck -r\n\nuser \'smithj\': directory \'/home/smithj\' does not exist\n\nIf any home directories referenced in "/etc/passwd" are returned as not defined, this is a finding.
Fixtext: Create home directories for all local interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in "/etc/passwd":\n\nNote: The example will be for the user smithj, who has a home directory of "/home/smithj", a user name of "smithj", and a primary group of "users" in "/etc/passwd".\n\n# mkdir /home/smithj \n# chown smithj /home/smithj\n# chgrp users /home/smithj\n# chmod 0750 /home/smithj
Rule ID: SV-90245r1_rule
Severity: medium
Rule Title: All local interactive user home directories must have mode 0750 or less permissive.
Description: Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.
Check_content: Verify the assigned home directory of all local interactive users has a mode of "0750" or less permissive.\n\nCheck the home directory assignment for all non-privileged users with the following command:\n\nNote: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information.\n\n# ls -ld $(awk -F: \'($3>=1000)&&($1!="nobody"){print $6}\' /etc/passwd)\n\ndrwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj\n\nIf home directories referenced in "/etc/passwd" do not have a mode of "0750" or less permissive, this is a finding.
Fixtext: Change the mode of interactive user's home directories to "0750". To change the mode of a local interactive user's home directory, use the following command:\n\nNote: The example will be for the user "smithj".\n\n# chmod 0750 /home/smithj
Rule ID: SV-90247r1_rule
Severity: medium
Rule Title: All local interactive user home directories must be group-owned by the home directory owners primary group.
Description: If the Group Identifier (GID) of a local interactive user's home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user's files, and users that share the same group may not be able to access files that they legitimately should.
Check_content: Verify the assigned home directory of all local interactive users is group-owned by that user's primary Group Identifier (GID).\n\nCheck the home directory assignment for all non-privileged users on the system with the following command:\n\nNote: This may miss local interactive users that have been assigned a privileged UID. Evidence of interactive use may be obtained from a number of log files containing system logon information. The returned directory "/home/smithj" is used as an example.\n\n# ls -ld $(awk -F: \'($3>=1000)&&($1!="nobody"){print $6}\' /etc/passwd)\n\ndrwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj\n\nCheck the user\'s primary group (the GID in field 4 of "/etc/passwd", not the supplementary membership list in "/etc/group") with the following command:\n\n# id -gn smithj\nadmin\n\nIf the user home directory referenced in "/etc/passwd" is not group-owned by that user\'s primary GID, this is a finding.
Fixtext: Change the group owner of a local interactive user's home directory to the group found in "/etc/passwd". To change the group owner of a local interactive user's home directory, use the following command:\n\nNote: The example will be for the user "smithj", who has a home directory of "/home/smithj", and has a primary group of users.\n\n# chgrp users /home/smithj
Rule ID: SV-90249r1_rule
Severity: medium
Rule Title: All local initialization files must have mode 0740 or less permissive.
Description: Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.
Check_content: Verify that all local initialization files have a mode of "0740" or less permissive.\n\nCheck the mode on all local initialization files with the following command:\n\nNote: The example will be for the smithj user, who has a home directory of "/home/smithj". The pattern ".[!.]*" is used instead of ".*" so that "." and ".." are not matched; with ".*" the command would list the contents of the home directory and of "/home" rather than the dot files themselves.\n\n# ls -ld /home/smithj/.[!.]* | more\n-rwxr-xr-x 1 smithj users 896 Mar 10 2011 /home/smithj/.profile\n-rwxr-xr-x 1 smithj users 497 Jan 6 2007 /home/smithj/.login\n-rwxr-xr-x 1 smithj users 886 Jan 6 2007 /home/smithj/.something\n\nIf any local initialization files have a mode more permissive than "0740", this is a finding.
Fixtext: Set the mode of the local initialization files to "0740" with the following command:\n\nNote: The example will be for the smithj user, who has a home directory of "/home/smithj"; repeat the command for each initialization file identified in the check.\n\n# chmod 0740 /home/smithj/.profile
Rule ID: SV-90251r1_rule
Severity: medium
Rule Title: All local interactive user initialization files executable search paths must contain only paths that resolve to the system default or the users home directory.
Description: The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO).
Check_content: Verify that all local interactive user initialization files\' executable search path statements do not contain statements that will reference a working directory other than the users\' home directory or the system default.\n\nCheck the executable search path statement for all local interactive user initialization files in the users\' home directory with the following commands:\n\nNote: The example will be for the smithj user, which has a home directory of "/home/smithj". Also treat an empty PATH element (a leading or trailing colon, or two consecutive colons) as a reference to the current working directory.\n\n# grep -i path /home/smithj/.*\n/home/smithj/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin\n/home/smithj/.bash_profile:export PATH\n\nIf any local interactive user initialization files have executable search path statements that include directories outside of their home directory, and the additional path statements are not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
Fixtext: Edit the local interactive user initialization files to change any PATH variable statements for executables that reference directories other than their home directory or the system default. If a local interactive user requires path variables to reference a directory owned by the application, it must be documented with the Information System Security Officer (ISSO).
Rule ID: SV-90253r1_rule
Severity: medium
Rule Title: Local initialization files must not execute world-writable programs.
Description: If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.
Check_content: Verify that local initialization files do not execute world-writable programs.\n\nCheck the system for world-writable files with the following command:\n\n# sudo find / -perm -002 -type f -exec ls -ld {} \\; | more\n\nFor all files listed, check for their presence in the local initialization files with the following command, substituting each world-writable path for "<file>" (as originally written, without a pattern argument, grep would treat the first dot file as the pattern):\n\nNote: The example will be for a system that is configured to create users\' home directories in the "/home" directory.\n\n# grep <file> /home/*/.*\n\nIf any local initialization files are found to reference world-writable files, this is a finding.
Fixtext: Set the mode on files being executed by the local initialization files with the following command:\n\n# chmod 0755 <file>
Rule ID: SV-90255r2_rule
Severity: medium
Rule Title: File systems that contain user home directories must be mounted to prevent files with the setuid and setguid bit set from being executed.
Description: The "nosuid" mount option causes the system to not execute setuid and setgid files with owner privileges. This option must be used for mounting any file system not containing approved setuid and setguid files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
Check_content: Verify file systems that contain user home directories are mounted with the "nosuid" option.\n\nNote: If a separate file system has not been created for the user home directories (user home directories are mounted under "/"), this is not a finding as the "nosuid" option cannot be used on the "/" system.\n\nFind the file system(s) that contain the user home directories with the following command:\n\n# awk -F: \'($3>=1000)&&($1!="nobody"){print $1,$3,$6}\' /etc/passwd\n\nsmithj:1001: /home/smithj\nrobinst:1002: /home/robinst\n\nCheck the file systems that are mounted at boot time with the following command:\n\n# more /etc/fstab\n\nUUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home ext4 rw,relatime,discard,data=ordered,nosuid 0 2\n\nIf a file system found in "/etc/fstab" refers to the user home directory file system and it does not have the "nosuid" option set, this is a finding.
Fixtext: Configure the "/etc/fstab" to use the "nosuid" option on file systems that contain user home directories for interactive users.
Rule ID: SV-90257r3_rule
Severity: medium
Rule Title: File systems that are used with removable media must be mounted to prevent files with the setuid and setguid bit set from being executed.
Description: The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
Check_content: Verify file systems that are used for removable media are mounted with the "nosuid" option.\n\nCheck the file systems that are mounted at boot time with the following command:\n\n# more /etc/fstab\n\nUUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid 0 0\n\nIf a file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set, this is a finding.
Fixtext: Configure the "/etc/fstab" to use the "nosuid" option on file systems that are associated with removable media.
Rule ID: SV-90259r3_rule
Severity: medium
Rule Title: File systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setguid bit set from being executed.
Description: The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
Check_content: Verify file systems that are being Network File System (NFS) imported are mounted with the "nosuid" option.\n\nList the NFS file systems that are imported from "/etc/fstab" with the following command:\n\n# grep nfs /etc/fstab\n\n<server>:/export /store nfs rw,nosuid 0 0\n\nNote: Piping this output through "grep nosuid" (as originally written) shows only the compliant entries and can never reveal a non-compliant mount; to list entries missing the option use "grep nfs /etc/fstab | grep -v nosuid".\n\nIf a file system found in "/etc/fstab" refers to NFS and it does not have the "nosuid" option set, this is a finding.
Fixtext: Configure the "/etc/fstab" to use the "nosuid" option on file systems that are being imported via Network File System (NFS).
Rule ID: SV-90261r2_rule
Severity: medium
Rule Title: File systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed.
Description: The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
Check_content: Verify file systems that are being Network File System (NFS) imported are mounted with the "noexec" option.\n\nList the NFS file systems that are imported from "/etc/fstab" with the following command:\n\n# grep nfs /etc/fstab\n\n<server>:/export /store nfs rw,noexec 0 0\n\nNote: Piping this output through "grep noexec" (as originally written) shows only the compliant entries and can never reveal a non-compliant mount; to list entries missing the option use "grep nfs /etc/fstab | grep -v noexec".\n\nIf a file system found in "/etc/fstab" refers to NFS and it does not have the "noexec" option set, and use of NFS exported binaries is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
Fixtext: Configure the "/etc/fstab" to use the "noexec" option on file systems that are being imported via Network File System (NFS).
Rule ID: SV-90263r2_rule
Severity: medium
Rule Title: All world-writable directories must be group-owned by root, sys, bin, or an application group.
Description: If a world-writable directory has the sticky bit set and is not group-owned by a privileged Group Identifier (GID), unauthorized users may be able to modify files created by others.\n\nThe only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.
Check_content: Verify all world-writable directories are group-owned by root, sys, bin, or an application group.\n\nCheck the system for world-writable directories with the following command:\n\n# sudo find / -perm -2 -type d ! -group sys ! -group root ! -group bin -exec ls -lLd {} \\;\ndrwxrwsrwt 2 root whoops 4096 Jun 6 07:44 /var/crash\ndrwxrwsrwt 2 root whoops 4096 Jul 19 2016 /var/metrics\n\nIf any world-writable directories are not group-owned by root, sys, bin, or an application group associated with the directory, this is a finding.
Fixtext: Change the group of the world-writable directories to root with the following command:\n\n# chgrp root <directory>
Rule ID: SV-90265r1_rule
Severity: medium
Rule Title: Kernel core dumps must be disabled unless needed.
Description: Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition.
Check_content: Verify that kernel core dumps are disabled unless needed.\n\nCheck the status of the "kdump" service with the following command:\n\n# systemctl status kdump.service\nLoaded: not-found (Reason: No such file or directory)\nActive: inactive (dead)\n\nNote: On Ubuntu the kernel crash dump facility is packaged as "kdump-tools"; if "kdump.service" is reported as not-found, also check "kdump-tools.service" before concluding that no crash dump service is present.\n\nIf the "kdump" service is active, ask the System Administrator if the use of the service is required and documented with the Information System Security Officer (ISSO).\n\nIf the service is active and is not documented, this is a finding.
Fixtext: If kernel core dumps are not required, stop and disable the "kdump" service with the following commands (use the "kdump-tools.service" unit name where that is the unit installed on the system):\n\n# systemctl stop kdump.service\n# systemctl disable kdump.service\n\nIf kernel core dumps are required, document the need with the Information System Security Officer (ISSO).
Rule ID: SV-90267r2_rule
Severity: medium
Rule Title: A separate file system must be used for user home directories (such as /home or an equivalent).
Description: The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.
Check_content: Verify that a separate file system/partition has been created for non-privileged local interactive user home directories.\n\nCheck the home directory assignment for all non-privileged users, users with a User Identifier (UID) of 1000 or greater, on the system with the following command:\n\n# awk -F: \'($3>=1000)&&($1!="nobody"){print $1,$3,$6,$7}\' /etc/passwd\n\nadamsj 1001 /home/adamsj /bin/bash\njacksonm 1002 /home/jacksonm /bin/bash\nsmithj 1003 /home/smithj /bin/bash\n\nThe output of the command will give the directory/partition that contains the home directories for the non-privileged users on the system (in this example, "/home") and the users\' shell (field 7 of "/etc/passwd"). All accounts with a valid shell (such as /bin/bash) are considered interactive users.\n\nCheck that a file system/partition has been created for the non-privileged interactive users with the following command:\n\nNote: The partition of "/home" is used in the example.\n\n# grep /home /etc/fstab\nUUID=333ada18 /home ext4 noatime,nobarrier,nodev 1 2\n\nIf a separate entry for the file system/partition that contains the non-privileged interactive users\' home directories does not exist, this is a finding.
Fixtext: Migrate the "/home" directory onto a separate file system/partition.
Rule ID: SV-90269r1_rule
Severity: low
Rule Title: The Ubuntu operating system must use a separate file system for /var.
Description: The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.
Check_content: Verify that a separate file system/partition has been created for "/var".\n\nCheck that a file system/partition has been created for "/var" with the following command:\n\n# grep /var /etc/fstab\nUUID=c274f65f /var ext4 noatime,nobarrier 1 2\n\nIf a separate entry for "/var" is not in use, this is a finding.
Fixtext: Migrate the "/var" path onto a separate file system.
Rule ID: SV-90271r1_rule
Severity: low
Rule Title: The Ubuntu operating system must use a separate file system for the system audit data path.
Description: The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.
Check_content: Verify that a separate file system/partition has been created for the system audit data path.\n\nCheck that a file system/partition has been created for the system audit data path with the following command:\n\nNote: /var/log/audit is used as the example as it is a common location.\n\n# grep /var/log/audit /etc/fstab\nUUID=3645951a /var/log/audit ext4 defaults 1 2\n\nIf a separate entry for "/var/log/audit" does not exist, ask the System Administrator if the system audit logs are being written to a different file system/partition on the system, then grep for that file system/partition. \n\nIf a separate file system/partition does not exist for the system audit data path, this is a finding.
Fixtext: Migrate the system audit data path onto a separate file system.
Rule ID: SV-90273r2_rule
Severity: medium
Rule Title: The /var/log directory must be group-owned by syslog.
Description: Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the Ubuntu operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Check_content: Verify the "/var/log" directory is group-owned by syslog.\n\nCheck that the "/var/log" directory is group owned by syslog with the following command (stat is used rather than cutting columns out of "ls -l" output, which is fragile when field widths vary):\n\n# stat -c "%G" /var/log\n\nsyslog\n\nIf "syslog" is not returned as a result, this is a finding.
Fixtext: Change the group of the directory "/var/log" to "syslog" by running the following command:\n\n# sudo chgrp syslog /var/log
Rule ID: SV-90275r2_rule
Severity: medium
Rule Title: The /var/log directory must be owned by root.
Description: Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the Ubuntu operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Check_content: Verify the /var/log directory is owned by root.\n\nCheck that the /var/log directory is owned by root with the following command (stat is used rather than cutting columns out of "ls -l" output, which is fragile when field widths vary):\n\n# stat -c "%U" /var/log\n\nroot\n\nIf "root" is not returned as a result, this is a finding.
Fixtext: Change the owner of the directory /var/log to root by running the following command:\n\n# sudo chown root /var/log
Rule ID: SV-90277r3_rule
Severity: medium
Rule Title: The /var/log directory must have mode 0770 or less permissive.
Description: Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the Ubuntu operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Check_content: Verify that the "/var/log" directory has a mode of "0770" or less permissive.\n\nCheck the mode of the "/var/log" directory with the following command:\n\n# stat -c "%a %n" /var/log\n\n770 /var/log\n\nIf a value of "0770" or less permissive is not returned, this is a finding.
Fixtext: Change the permissions of the directory "/var/log" to "0770" by running the following command:\n\n# sudo chmod 0770 /var/log
Rule ID: SV-90279r2_rule
Severity: medium
Rule Title: The /var/log/syslog file must be group-owned by adm.
Description: Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the Ubuntu operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Check_content: Verify the "/var/log/syslog" file is group-owned by "adm".\n\nCheck that "/var/log/syslog" is group-owned by "adm" with the following command:\n\n# ls -la /var/log/syslog | cut -d' ' -f4\n\nadm\n\nIf "adm" is not returned as a result, this is a finding.
Fixtext: Change the group of the file "/var/log/syslog" to "adm" by running the following command:\n\n# sudo chgrp adm /var/log/syslog
Rule ID: SV-90281r2_rule
Severity: medium
Rule Title: The /var/log/syslog file must be owned by syslog.
Description: Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the Ubuntu operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Check_content: Verify that the /var/log/syslog file is owned by syslog.\n\nCheck that the /var/log/syslog file is owned by syslog with the following command:\n\n# ls -la /var/log/syslog | cut -d' ' -f3\n\nsyslog\n\nIf "syslog" is not returned as a result, this is a finding.
Fixtext: Change the owner of the file /var/log/syslog to syslog by running the following command:\n\n# sudo chown syslog /var/log/syslog
Rule ID: SV-90283r3_rule
Severity: medium
Rule Title: The /var/log/syslog file must have mode 0640 or less permissive.
Description: Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the Ubuntu operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Check_content: Verify that the "/var/log/syslog" file has mode "0640" or less permissive.\n\nCheck that "/var/log/syslog" has mode "0640" or less permissive with the following command:\n\n# stat -c "%a %n" /var/log/syslog\n\n640 /var/log/syslog\n\nIf a value of "640" or less permissive is not returned, this is a finding.
Fixtext: Change the permissions of the file "/var/log/syslog" to "0640" by running the following command:\n\n# sudo chmod 0640 /var/log/syslog
Rule ID: SV-90285r2_rule
Severity: medium
Rule Title: Library files must have mode 0755 or less permissive.
Description: If the Ubuntu operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nThis requirement applies to Ubuntu operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Check_content: Verify the system-wide shared library files contained in the following directories have mode "0755" or less permissive.\n\nCheck that the system-wide shared library files contained in the following directories have mode "0755" or less permissive with the following command:\n\nNote: Replace "[directory]" with one of the following paths:\n/lib\n/lib64\n/usr/lib\n\n# find /lib /lib64 /usr/lib -perm /022 -type f | xargs ls -la\n/usr/lib64/pkcs11-spy.so\n\nIf any system-wide shared library file is found to be group-writable or world-writable, this is a finding.
Fixtext: Configure the library files to be protected from unauthorized access. Run the following command, replacing "[file]" with any library file with a mode more permissive than 0755.\n\n# sudo chmod 0755 [file]
Rule ID: SV-90287r2_rule
Severity: medium
Rule Title: Library files must be owned by root.
Description: If the Ubuntu operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nThis requirement applies to Ubuntu operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Check_content: Verify the system-wide shared library files are owned by "root".\n\nCheck that the system-wide shared library files are owned by "root" with the following command:\n\n# sudo find /lib /usr/lib /lib64 ! -user root | xargs ls -la\n\nIf any system-wide shared library file is returned, this is a finding.
Fixtext: Configure the system-wide shared library files (/lib, /usr/lib, /lib64) to be protected from unauthorized access. \n\nRun the following command, replacing "[FILE]" with any library file not owned by "root".\n\n# sudo chown root [FILE]
Rule ID: SV-90289r2_rule
Severity: medium
Rule Title: Library files must be group-owned by root.
Description: If the Ubuntu operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nThis requirement applies to Ubuntu operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Check_content: Verify the system-wide shared library files contained in the following directories are group-owned by "root".\n\nCheck that the system-wide shared library files are group-owned by "root" with the following command:\n\n# sudo find /lib /usr/lib /lib64 ! -group root | xargs ls -la\n\nIf any system-wide shared library file is returned, this is a finding.
Fixtext: Configure the library files to be protected from unauthorized access. \n\nRun the following command, replacing "[FILE]" with any library file not group-owned by root.\n\n# sudo chgrp root [FILE]
Rule ID: SV-90291r2_rule
Severity: medium
Rule Title: System commands must have mode 0755 or less permissive.
Description: If the Ubuntu operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nThis requirement applies to Ubuntu operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Check_content: Verify the system commands contained in the following directories have mode "0755" or less permissive.\n\nCheck that the system command files contained in the following directories have mode "0755" or less permissive with the following command:\n\n# find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 | xargs ls -la\n\nIf any system commands are found to be group-writable or world-writable, this is a finding.
Fixtext: Configure the system commands to be protected from unauthorized access. \n\nRun the following command, replacing "[FILE]" with any system command with a mode more permissive than "0755".\n\n# sudo chmod 0755 [FILE]
Rule ID: SV-90293r2_rule
Severity: medium
Rule Title: System commands must be owned by root.
Description: If the Ubuntu operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nThis requirement applies to Ubuntu operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Check_content: Verify the system commands contained in the following directories are owned by "root".\n\nCheck that the system command files contained in the following directories are owned by "root" with the following command:\n\n# sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root | xargs ls -la\n\nIf any system commands are returned, this is a finding.
Fixtext: Configure the system commands to be protected from unauthorized access. \n\nRun the following command, replacing "[FILE]" with any system command file not owned by "root".\n\n# sudo chown root [FILE]
Rule ID: SV-90295r2_rule
Severity: medium
Rule Title: System commands must be group-owned by root.
Description: If the Ubuntu operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nThis requirement applies to Ubuntu operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Check_content: Verify the system commands contained in the following directories are group-owned by "root".\n\nCheck that the system command files contained in the following directories are group-owned by "root" with the following command:\n\n# sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root | xargs ls -la\n\nIf the command returns any files that are not group-owned by "root", and if they are not SGID and owned by a privileged group, this is a finding.
Fixtext: Configure the system commands to be protected from unauthorized access. \n\nRun the following command, replacing "[FILE]" with any system command file not group-owned by "root".\n\n# sudo chgrp root [FILE]
Rule ID: SV-90297r1_rule
Severity: medium
Rule Title: Audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
Description: Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.\n\nAudit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\n\nAssociating event types with detected events in the Ubuntu operating system audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured Ubuntu operating system.\n\n
Check_content: Verify the audit service is configured to produce audit records. \n\nCheck that the audit service is installed properly with the following command:\n\n# dpkg -l | grep auditd\n\nIf the "auditd" package is not installed, this is a finding.\n\nCheck that the audit service is properly running and active on the system with the following command:\n\n# systemctl is-active auditd.service\nactive\n\nIf the command above returns "inactive", this is a finding.
Fixtext: Configure the audit service to produce audit records containing the information needed to establish when (date and time) an event occurred.\n\nInstall the audit service (if the audit service is not already installed) with the following command:\n\n# sudo apt-get install auditd\n\nEnable the audit service with the following command:\n\n# sudo systemctl enable auditd.service\n\nRestart the audit service with the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90301r2_rule
Severity: medium
Rule Title: The Ubuntu operating system must allocate audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility.
Description: In order to ensure Ubuntu operating systems have a sufficient storage capacity in which to write the audit logs, Ubuntu operating systems need to be able to allocate audit record storage capacity.\n\nThe task of allocating audit record storage capacity is usually performed during initial installation of the Ubuntu operating system.
Check_content: Verify the Ubuntu operating system allocates audit record storage capacity to store at least one week's worth of audit records when audit records are not immediately sent to a central audit record storage facility.\n\nDetermine which partition the audit records are being written to with the following command:\n\n# sudo grep log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records are written to (with the example being /var/log/audit/) with the following command:\n\n# df -h /var/log/audit/\n/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit\n\nIf the audit records are not written to a partition made specifically for audit records (/var/log/audit is a separate partition), determine the amount of space being used by other files in the partition with the following command:\n\n# du -sh [audit_partition]\n1.8G /var/log/audit\n\nNote: The partition size needed to capture a week's worth of audit records is based on the activity level of the system and the total storage capacity available. In normal circumstances, 10.0 GB of storage space for audit records will be sufficient.\n\nIf the audit record partition is not allocated for sufficient storage capacity, this is a finding.
Fixtext: Allocate enough storage capacity for at least one week's worth of audit records when audit records are not immediately sent to a central audit record storage facility.\n\nIf audit records are stored on a partition made specifically for audit records, use the "X" program to resize the partition with sufficient space to contain one week's worth of audit records.\n\nIf audit records are not stored on a partition made specifically for audit records, a new partition with a sufficient amount of space will need to be created.
Rule ID: SV-90303r2_rule
Severity: medium
Rule Title: The Ubuntu operating system must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.
Description: If security personnel are not notified immediately when storage volume reaches 75% utilization, they are unable to plan for audit record storage capacity expansion.
Check_content: Verify the Ubuntu operating system notifies the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.\n\nCheck that the Ubuntu operating system notifies the SA and ISSO (at a minimum) via email when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity with the following commands:\n\n#sudo grep space_left_action /etc/audit/auditd.conf\n\nspace_left_action email\n\nIf the space_left_action is set to "email" check the value of the "action_mail_acct" parameter with the following command:\n\n#sudo grep action_mail_acct parameter /etc/audit/auditd.conf\n\naction_mail_acct parameter root@localhost\n\nIf the space_left_action or the action_mail_acct parameters are set to blanks, this is a finding.\n\nIf the space_left_action is set to "syslog", the system logs the event, this is not a finding.\n\nIf the space_left_action is set to "exec", the system executes a designated script. If this script informs the SA of the event, this is not a finding.\n\nThe action_mail_acct parameter, if missing, defaults to "root". If the "action_mail_acct parameter" is not set to the e-mail address of the system administrator(s) and/or ISSO, this is a finding. \n\nNote: If the email address of the system administrator is on a remote system a mail package must be available.
Fixtext: Configure the operating system to immediately notify the SA and ISSO (at a minimum) via email when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.\n\nEdit "/etc/audit/auditd.conf" and set the "space_left_action" parameter to "exec", "email", or "syslog". If the "space_left_action" parameter is set to "email" set the "action_mail_acct" parameter to an e-mail address for the System Administrator (SA) and Information System Security Officer (ISSO).
Rule ID: SV-90305r2_rule
Severity: medium
Rule Title: The System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event.
Description: It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.\n\nAudit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.
Check_content: Verify that the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) are notified in the event of an audit processing failure.\n\nCheck that the Ubuntu operating system notifies the SA and ISSO (at a minimum) in the event of an audit processing failure with the following command:\n\n#sudo grep action_mail_acct /etc/audit/auditd.conf\n\naction_mail_acct = root\n\nIf the value of the "action_mail_acct" keyword is not set to "root" and/or other accounts for security personnel, the "action_mail_acct" keyword is missing, or the returned line is commented out, this is a finding.
Fixtext: Configure "auditd" service to notify the System Administrator (SA) and Information System Security Officer (ISSO) in the event of an audit processing failure. \n\nEdit the following line in "/etc/audit/auditd.conf" to ensure that administrators are notified via email for those situations:\n\naction_mail_acct = root
Rule ID: SV-90307r1_rule
Severity: medium
Rule Title: The System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted when the audit storage volume is full.
Description: It is critical that when the Ubuntu operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include: software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode.\n\nWhen availability is an overriding concern, other approved actions in response to an audit failure are as follows: \n\n1) If the failure was caused by the lack of audit record storage capacity, the Ubuntu operating system must continue generating audit records if possible (automatically restarting the audit service if necessary), overwriting the oldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, the Ubuntu operating system must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.
Check_content: Verify that the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) are notified when the audit storage volume is full.\n\nCheck which action the Ubuntu operating system takes when the audit storage volume is full with the following command:\n\n# sudo grep max_log_file_action /etc/audit/auditd.conf\n\nmax_log_file_action=syslog\n\nIf the value of the "max_log_file_action" option is set to "ignore", "rotate", or "suspend", or the line is commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to notify the System Administrator (SA) and Information System Security Officer (ISSO) when the audit storage volume is full by configuring the "max_log_file_action" parameter in the "/etc/audit/auditd.conf" file with a value of "syslog" or "keep_logs":\n\nmax_log_file_action=syslog
Rule ID: SV-90309r2_rule
Severity: medium
Rule Title: The audit system must take appropriate action when the audit storage volume is full.
Description: It is critical that when the Ubuntu operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include: software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode.\n\nWhen availability is an overriding concern, other approved actions in response to an audit failure are as follows: \n\n1) If the failure was caused by the lack of audit record storage capacity, the Ubuntu operating system must continue generating audit records if possible (automatically restarting the audit service if necessary), overwriting the oldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, the Ubuntu operating system must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.
Check_content: Verify the Ubuntu operating system takes the appropriate action when the audit storage volume is full. \n\nCheck that the Ubuntu operating system takes the appropriate action when the audit storage volume is full with the following command:\n\n# sudo grep disk_full_action /etc/audit/auditd.conf\n\ndisk_full_action = HALT\n\nIf the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to shut down by default upon audit failure (unless availability is an overriding concern).\n\nAdd or update the following line in the "/etc/audit/auditd.conf" file (depending on configuration, "disk_full_action" can instead be set to "SYSLOG" or "SINGLE"):\n\ndisk_full_action = HALT
Rule ID: SV-90311r2_rule
Severity: medium
Rule Title: The remote audit system must take appropriate action when audit storage is full.
Description: Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.
Check_content: Verify the action that the remote audit system takes when the storage volume becomes full.\n\nCheck the action that the remote audit system takes when the storage volume becomes full with the following command:\n\n# sudo grep disk_full /etc/audisp/audisp-remote.conf\n\ndisk_full_action = single\n\nIf the value of the "disk_full_action" option is not "syslog", "single", or "halt", or the line is commented out, this is a finding.
Fixtext: Configure the remote audit system to take an appropriate action when the audit storage is full.\n\nAdd, edit or uncomment the "disk_full_action" option in "/etc/audisp/audisp-remote.conf". Set it to "syslog", "single" or "halt" like the below example:\n\ndisk_full_action = single
Rule ID: SV-90313r1_rule
Severity: medium
Rule Title: Off-loading audit records to another system must be authenticated.
Description: Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.
Check_content: Verify the audit system authenticates off-loading audit records to a different system.\n\nCheck that the off-loading of audit records to a different system is authenticated with the following command:\n\n# sudo grep enable /etc/audisp/audisp-remote.conf\n\nenable_krb5 = yes\n\nIf the "enable_krb5" option is not set to "yes" or the line is commented out, this is a finding.
Fixtext: Configure the audit system to authenticate off-loading audit records to a different system.\n\nUncomment the "enable_krb5" option in "/etc/audisp/audisp-remote.conf" and set it to "yes". See the example below.\n\nenable_krb5 = yes
Rule ID: SV-90315r2_rule
Severity: medium
Rule Title: Audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access.
Description: Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit Ubuntu operating system activity.\n\n
Check_content: Verify the audit logs have a mode of "0600" or less permissive.\n\nFirst determine where the audit logs are stored with the following command:\n\n# sudo grep -iw log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nUsing the location of the audit log file, check if the audit log has a mode of "0600" or less permissive with the following command:\n\n# sudo stat -c "%a %n" /var/log/audit/audit.log\n\n600 /var/log/audit/audit.log\n\nIf the audit log has a mode more permissive than "0600", this is a finding.
Fixtext: Configure the audit log to be protected from unauthorized read access by setting the correct permissive mode with the following command:\n\n# sudo chmod 0600 [audit_log_file]\n\nReplace "[audit_log_file]" with the correct audit log path; by default this location is "/var/log/audit/audit.log".
Rule ID: SV-90317r2_rule
Severity: medium
Rule Title: Audit log directories must have a mode of 0750 or less permissive to prevent unauthorized read access.
Description: Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit Ubuntu operating system activity.\n\n
Check_content: Verify the audit log directories have a mode of "0750" or less permissive by first determining where the audit logs are stored with the following command:\n\n# sudo grep -iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the location of the audit log, determine the directory where the audit logs are stored (ex: "/var/log/audit"). Run the following command to determine the permissions for the audit log folder:\n\n# sudo stat -c "%a %n" /var/log/audit\n750 /var/log/audit\n\nIf the audit log directory has a mode more permissive than "0750", this is a finding.
Fixtext: Configure the audit log directory to be protected from unauthorized read access by setting the correct permissive mode with the following command:\n\n# sudo chmod 0750 [audit_log_directory]\n\nReplace "[audit_log_directory]" with the correct audit log directory path; by default this location is "/var/log/audit".
Rule ID: SV-90319r2_rule
Severity: medium
Rule Title: Audit logs must be owned by root to prevent unauthorized read access.
Description: Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit Ubuntu operating system activity.\n\n
Check_content: Verify the audit logs are owned by "root". First determine where the audit logs are stored with the following command:\n\n# sudo grep -iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the location of the audit log file, determine if the audit log is owned by "root" using the following command:\n\n# sudo ls -la /var/log/audit/audit.log\n-rw------- 2 root root 8096 Jun 26 11:56 /var/log/audit/audit.log\n\nIf the audit log is not owned by "root", this is a finding.
Fixtext: Configure the audit log to be protected from unauthorized read access by setting the correct owner as "root" with the following command:\n\n# sudo chown root [audit_log_file]\n\nReplace "[audit_log_file]" with the correct audit log path; by default this location is "/var/log/audit/audit.log".
Rule ID: SV-90321r2_rule
Severity: medium
Rule Title: Audit logs must be group-owned by root to prevent unauthorized read access.
Description: Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit Ubuntu operating system activity.\n\n
Check_content: Verify the audit logs are group-owned by "root". First determine where the audit logs are stored with the following command:\n\n# sudo grep -iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the location of the audit log file, determine if the audit log is group-owned by "root" using the following command:\n\n# sudo ls -la /var/log/audit/audit.log\n-rw------- 2 root root 8096 Jun 26 11:56 /var/log/audit/audit.log\n\nIf the audit log is not group-owned by "root", this is a finding.
Fixtext: Configure the audit log to be protected from unauthorized read access by setting the correct group-owner as "root" with the following command:\n\n# sudo chgrp root [audit_log_file]\n\nReplace "[audit_log_file]" with the correct audit log path; by default this location is "/var/log/audit/audit.log".
Rule ID: SV-90323r2_rule
Severity: medium
Rule Title: Audit log directory must be owned by root to prevent unauthorized read access.
Description: Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit Ubuntu operating system activity.\n\n
Check_content: Verify the audit log directory is owned by "root" to prevent unauthorized read access.\n\nDetermine where the audit logs are stored with the following command:\n\n# sudo grep -iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nDetermine the audit log directory by using the output of the above command (ex: "/var/log/audit/"). Run the following command with the correct audit log directory path:\n\n# sudo ls -ld /var/log/audit\ndrwxr-x--- 2 root root 8096 Jun 26 11:56 /var/log/audit\n\nIf the audit log directory is not owned by "root", this is a finding.
Fixtext: Configure the audit log to be protected from unauthorized read access, by setting the correct owner as "root" with the following command:\n\n# sudo chown root [audit_log_directory]\n\nReplace "[audit_log_directory]" with the correct audit log directory path, by default this location is usually "/var/log/audit".
Rule ID: SV-90325r2_rule
Severity: medium
Rule Title: Audit log directory must be group-owned by root to prevent unauthorized read access.
Description: Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit Ubuntu operating system activity.\n\n
Check_content: Verify the audit log directory is group-owned by "root" to prevent unauthorized read access.\n\nDetermine where the audit logs are stored with the following command:\n\n# sudo grep -iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nDetermine the audit log directory by using the output of the above command (ex: "/var/log/audit/"). Run the following command with the correct audit log directory path:\n\n# sudo ls -ld /var/log/audit\ndrwxr-x--- 2 root root 8096 Jun 26 11:56 /var/log/audit\n\nIf the audit log directory is not group-owned by "root", this is a finding.
Fixtext: Configure the audit log to be protected from unauthorized read access, by setting the correct group-owner as "root" with the following command:\n\n# sudo chgrp root [audit_log_directory]\n\nReplace "[audit_log_directory]" with the correct audit log directory path, by default this location is usually "/var/log/audit".
Rule ID: SV-90327r1_rule
Severity: medium
Rule Title: The Ubuntu operating system must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
Description: Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Check_content: Verify that the /etc/audit/audit.rules and /etc/audit/auditd.conf files have a mode of 0640 or less permissive by using the following command:\n\n# sudo ls -la /etc/audit/audit.rules /etc/audit/auditd.conf\n\n-rw-r----- 1 root root 1280 Feb 16 17:09 /etc/audit/audit.rules\n-rw-r----- 1 root root 621 Sep 22 2014 /etc/audit/auditd.conf\n\nIf the "/etc/audit/audit.rules" or "/etc/audit/auditd.conf" file has a mode more permissive than "0640", this is a finding.
Fixtext: Configure the /etc/audit/audit.rules and /etc/audit/auditd.conf files to have a mode of 0640 with the following commands:\n\n# sudo chmod 0640 /etc/audit/audit.rules\n# sudo chmod 0640 /etc/audit/auditd.conf
Rule ID: SV-90329r2_rule
Severity: medium
Rule Title: The audit log files must be owned by root.
Description: Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the Ubuntu operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Check_content: Verify the audit log files are owned by "root". \n\nCheck where the audit logs are stored on the system using the following command:\n\n# sudo grep log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the audit log path from the command above, replace "[log_path]" in the following command:\n\n# sudo stat -c "%U" [log_path]\nroot\n\nIf the audit logs are not owned by "root", this is a finding.
Fixtext: Change the owner of the audit log file by running the following command:\n\nUse the following command to get the audit log path:\n\n# sudo grep log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the audit log path from the command above, replace "[log_path]" in the following command:\n\n# sudo chown root [log_path]
Rule ID: SV-90333r2_rule
Severity: medium
Rule Title: Audit tools must have a mode of 0755 or less permissive.
Description: Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.\n\nUbuntu operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.\n\n
Check_content: Verify the audit tools are protected from unauthorized access, deletion, or modification by checking the permissive mode.\n\nCheck the octal permission of each audit tool by running the following command:\n\n#stat -c "%a %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules\n\n755 /sbin/augenrules\n\nIf any of the audit tools has a mode more permissive than "0755", this is a finding.
Fixtext: Configure the audit tools to be protected from unauthorized access by setting the correct permissive mode using the following command:\n\n# sudo chmod 0755 [audit_tool]\n\nReplace "[audit_tool]" with the audit tool that does not have the correct permissive mode.
Rule ID: SV-90335r2_rule
Severity: medium
Rule Title: Audit tools must be owned by root.
Description: Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.\n\nUbuntu operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.\n\n
Check_content: Verify the audit tools are owned by "root" to prevent any unauthorized access, deletion, or modification.\n\nCheck the owner of each audit tool by running the following command:\n\n# ls -la /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules\n-rwxr-xr-x 1 root root 97128 Jan 18 2016 /sbin/augenrules\n\nIf any of the audit tools are not owned by "root", this is a finding.
Fixtext: Configure the audit tools to be owned by "root", by running the following command:\n\n# sudo chown root [audit_tool]\n\nReplace "[audit_tool]" with each audit tool not owned by "root".
Rule ID: SV-90337r2_rule
Severity: medium
Rule Title: Audit tools must be group-owned by root.
Description: Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.\n\nUbuntu operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.\n\n
Check_content: Verify the audit tools are group-owned by "root" to prevent any unauthorized access, deletion, or modification.\n\nCheck the owner of each audit tool by running the following commands:\n\n# ls -la /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules\n-rwxr-xr-x 1 root root 97128 Jan 18 2016 /sbin/augenrules\n\nIf any of the audit tools are not group-owned by "root", this is a finding.
Fixtext: Configure the audit tools to be group-owned by "root", by running the following command:\n\n# sudo chgrp root [audit_tool]\n\nReplace "[audit_tool]" with each audit tool not group-owned by "root".
Rule ID: SV-90339r2_rule
Severity: medium
Rule Title: The audit event multiplexor must be configured to off-load audit logs onto a different system or storage media from the system being audited.
Description: Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.
Check_content: Verify the audit event multiplexor is configured to off-load audit records to a different system or storage media from the system being audited.\n\nCheck that the records are being off-loaded to a remote server with the following command:\n\n# sudo grep -i active /etc/audisp/plugins.d/au-remote.conf\n\nactive = yes\n\nIf "active" is not set to "yes", or the line is commented out, this is a finding.
Fixtext: Configure the audit event multiplexor to off-load audit records to a different system or storage media from the system being audited.\n\nSet the "active" option in "/etc/audisp/plugins.d/au-remote.conf" to "yes":\n\nactive = yes\n\nIn order for the changes to take effect, the audit daemon must be restarted. The audit daemon can be restarted with the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90341r4_rule
Severity: medium
Rule Title: The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the Ubuntu operating system generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd".\n\nCheck the auditing rules in "/etc/audit/audit.rules" with the following command:\n\n# sudo grep /etc/passwd /etc/audit/audit.rules\n\n-w /etc/passwd -p wa -k audit_rules_usergroup_modification\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd".\n\nAdd or update the following file system rule to "/etc/audit/audit.rules":\n\n-w /etc/passwd -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90343r4_rule
Severity: medium
Rule Title: The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the Ubuntu operating system generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group".\n\nCheck the auditing rules in "/etc/audit/audit.rules" with the following command:\n\n# sudo grep /etc/group /etc/audit/audit.rules\n\n-w /etc/group -p wa -k audit_rules_usergroup_modification\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group".\n\nAdd or update the following file system rule to "/etc/audit/audit.rules":\n\n-w /etc/group -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90345r4_rule
Severity: medium
Rule Title: The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the Ubuntu operating system generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow".\n\nCheck the auditing rules in "/etc/audit/audit.rules" with the following command:\n\n# sudo grep /etc/gshadow /etc/audit/audit.rules\n\n-w /etc/gshadow -p wa -k audit_rules_usergroup_modification\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow".\n\nAdd or update the following file system rule to "/etc/audit/audit.rules":\n\n-w /etc/gshadow -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90347r4_rule
Severity: medium
Rule Title: The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the Ubuntu operating system generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow".\n\nCheck the auditing rules in "/etc/audit/audit.rules" with the following command:\n\n# sudo grep /etc/shadow /etc/audit/audit.rules\n\n-w /etc/shadow -p wa -k audit_rules_usergroup_modification\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow".\n\nAdd or update the following file system rule to "/etc/audit/audit.rules":\n\n-w /etc/shadow -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90367r4_rule
Severity: medium
Rule Title: The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the Ubuntu operating system generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd".\n\nCheck the auditing rules in "/etc/audit/audit.rules" with the following command:\n\n# sudo grep /etc/security/opasswd /etc/audit/audit.rules\n\n-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd".\n\nAdd or update the following file system rule to "/etc/audit/audit.rules":\n\n-w /etc/security/opasswd -p wa -k identity\n \nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90371r4_rule
Severity: medium
Rule Title: Successful/unsuccessful uses of the su command must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the Ubuntu operating system generates audit records when successful/unsuccessful attempts to use the "su" command occur.\n\nCheck for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": \n\n# sudo grep -iw /bin/su /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n-a always,exit -F arch=b64 -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to generate audit records when successful/unsuccessful attempts to use the "su" command occur.\n\nAdd or update the following rule in "/etc/audit/audit.rules": \n\n-a always,exit -F arch=b32 -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n-a always,exit -F arch=b64 -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90373r4_rule
Severity: medium
Rule Title: Successful/unsuccessful uses of the chfn command must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify that an audit event is generated for any successful/unsuccessful use of the "chfn" command. \n\nCheck for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":\n\n# sudo grep chfn /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-chfn\n-a always,exit -F arch=b64 -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-chfn\n\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "chfn" command. Add or update the following rule in the "/etc/audit/audit.rules" file:\n\n-a always,exit -F arch=b32 -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-chfn\n-a always,exit -F arch=b64 -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-chfn\n\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90375r4_rule
Severity: low
Rule Title: Successful/unsuccessful uses of the mount command must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify that an audit event is generated for any successful/unsuccessful use of the "mount" command.\n\nCheck for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules" (match on the syscall field rather than a bare "mount", since the "umount" rules also carry the "privileged-mount" key):\n\n# sudo grep -- "-S mount" /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful use of the "mount" command. \n\nAdd or update the following rules in the "/etc/audit/audit.rules" file (the architecture must be given as "b32"/"b64"; a bare "arch=32"/"arch=64" is not accepted by auditctl):\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90377r4_rule
Severity: medium
Rule Title: Successful/unsuccessful uses of the umount command must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify that an audit event is generated for any successful/unsuccessful use of the "umount" command.\n\nCheck for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":\n\n# sudo grep umount /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n-a always,exit -F arch=b64 -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful use of the "umount" command. \n\nAdd or update the following rules in the "/etc/audit/audit.rules" file:\n\n-a always,exit -F arch=b32 -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n-a always,exit -F arch=b64 -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90379r4_rule
Severity: medium
Rule Title: Successful/unsuccessful uses of the ssh-agent command must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "ssh-agent" command occur.\n\nCheck that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":\n\n# sudo grep ssh-agent /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n-a always,exit -F arch=b64 -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful use of the "ssh-agent" command. \n\nAdd or update the following rules in the "/etc/audit/audit.rules" file:\n\n-a always,exit -F arch=b32 -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n-a always,exit -F arch=b64 -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90387r4_rule
Severity: medium
Rule Title: Successful/unsuccessful uses of the ssh-keysign command must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "ssh-keysign" command occur.\n\nCheck that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":\n\n# sudo grep ssh-keysign /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n-a always,exit -F arch=b64 -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful use of the "ssh-keysign" command. \n\nAdd or update the following rules in the "/etc/audit/audit.rules" file:\n\n-a always,exit -F arch=b32 -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n-a always,exit -F arch=b64 -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90389r2_rule
Severity: medium
Rule Title: The audit system must be configured to audit any usage of the insmod command.
Description: Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nThe list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.\n\nDoD has defined the list of events for which the Ubuntu operating system will provide an audit record generation capability as the following: \n\n1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);\n\n2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;\n\n3) All account creations, modifications, disabling, and terminations; and \n\n4) All kernel module load, unload, and restart actions.\n\n
Check_content: Verify if the Ubuntu operating system is configured to audit the execution of the module management program "insmod", by running the following command:\n\n# sudo grep "/sbin/insmod" /etc/audit/audit.rules\n\n-w /sbin/insmod -p x -k modules\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to audit the execution of the module management program "insmod", by adding the following line to "/etc/audit/audit.rules":\n\n-w /sbin/insmod -p x -k modules\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90391r2_rule
Severity: medium
Rule Title: The audit system must be configured to audit any usage of the rmmod command.
Description: Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nThe list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.\n\nDoD has defined the list of events for which the Ubuntu operating system will provide an audit record generation capability as the following: \n\n1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);\n\n2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;\n\n3) All account creations, modifications, disabling, and terminations; and \n\n4) All kernel module load, unload, and restart actions.\n\n
Check_content: Verify if the Ubuntu operating system is configured to audit the execution of the module management program "rmmod", by running the following command:\n\n# sudo grep "/sbin/rmmod" /etc/audit/audit.rules\n\n-w /sbin/rmmod -p x -k modules\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to audit the execution of the module management program "rmmod", by adding the following line to "/etc/audit/audit.rules":\n\n-w /sbin/rmmod -p x -k modules\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90393r2_rule
Severity: medium
Rule Title: The audit system must be configured to audit any usage of the modprobe command.
Description: Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nThe list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.\n\nDoD has defined the list of events for which the Ubuntu operating system will provide an audit record generation capability as the following: \n\n1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);\n\n2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;\n\n3) All account creations, modifications, disabling, and terminations; and \n\n4) All kernel module load, unload, and restart actions.\n\n
Check_content: Verify if the Ubuntu operating system is configured to audit the execution of the module management program "modprobe", by running the following command:\n\n# sudo grep "/sbin/modprobe" /etc/audit/audit.rules\n\n-w /sbin/modprobe -p x -k modules\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to audit the execution of the module management program "modprobe", by adding the following line to "/etc/audit/audit.rules":\n\n-w /sbin/modprobe -p x -k modules\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90395r2_rule
Severity: medium
Rule Title: The audit system must be configured to audit any usage of the kmod command.
Description: Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nThe list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.\n\nDoD has defined the list of events for which the Ubuntu operating system will provide an audit record generation capability as the following: \n\n1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);\n\n2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;\n\n3) All account creations, modifications, disabling, and terminations; and \n\n4) All kernel module load, unload, and restart actions.\n\n
Check_content: Verify if the Ubuntu operating system is configured to audit the execution of the module management program "kmod", by running the following command:\n\n# sudo grep "/bin/kmod" /etc/audit/audit.rules\n\n-w /bin/kmod -p x -k modules\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to audit the execution of the module management program "kmod" by adding the following line to "/etc/audit/audit.rules":\n\n-w /bin/kmod -p x -k modules\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90397r3_rule
Severity: medium
Rule Title: The audit system must be configured to audit any usage of the setxattr system call.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify if the Ubuntu operating system is configured to audit the execution of the "setxattr" system call, by running the following command:\n\n# sudo grep -w setxattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod \n-a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod \n\nIf the command does not return all lines, or the lines are commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to audit the execution of the "setxattr" system call, by adding the following lines to "/etc/audit/audit.rules":\n\n-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90399r3_rule
Severity: medium
Rule Title: The audit system must be configured to audit any usage of the lsetxattr system call.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify if the Ubuntu operating system is configured to audit the execution of the "lsetxattr" system call, by running the following command:\n\n# sudo grep -w lsetxattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod \n-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod\n\nIf the command does not return all lines, or the lines are commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to audit the execution of the "lsetxattr" system call, by adding the following lines to "/etc/audit/audit.rules":\n\n-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod \n-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90401r3_rule
Severity: medium
Rule Title: The audit system must be configured to audit any usage of the fsetxattr system call.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify if the Ubuntu operating system is configured to audit the execution of the "fsetxattr" system call, by running the following command:\n\n# sudo grep -w fsetxattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod\n-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod\n\nIf the command does not return all lines, or the lines are commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to audit the execution of the "fsetxattr" system call, by adding the following lines to "/etc/audit/audit.rules":\n\n-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod\n-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90403r3_rule
Severity: medium
Rule Title: The audit system must be configured to audit any usage of the removexattr system call.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify if the Ubuntu operating system is configured to audit the execution of the "removexattr" system call, by running the following command:\n\n# sudo grep -w removexattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod\n-a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod \n\nIf the command does not return all lines, or the lines are commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to audit the execution of the "removexattr" system call, by adding the following lines to "/etc/audit/audit.rules":\n\n-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod\n-a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod \n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90405r3_rule
Severity: medium
Rule Title: The audit system must be configured to audit any usage of the lremovexattr system call.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify if the Ubuntu operating system is configured to audit the execution of the "lremovexattr" system call, by running the following command:\n\n# sudo grep -w lremovexattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod\n-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod\n\nIf the command does not return all lines, or the lines are commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to audit the execution of the "lremovexattr" system call, by adding the following lines to "/etc/audit/audit.rules":\n\n-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod\n-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90407r4_rule
Severity: medium
Rule Title: The audit system must be configured to audit any usage of the fremovexattr system call.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify if the Ubuntu operating system is configured to audit the execution of the "fremovexattr" system call, by running the following command:\n\n# sudo grep -w fremovexattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod\n-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod \n\nIf the command does not return all lines, or the lines are commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to audit the execution of the "fremovexattr" system call by adding the following lines to "/etc/audit/audit.rules":\n\n-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod\n-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod \n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90409r4_rule
Severity: medium
Rule Title: Successful/unsuccessful uses of the chown command must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "chown" command occur.\n\nCheck that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":\n\n# sudo grep -w chown /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chown" command by adding the following lines to "/etc/audit/audit.rules":\n\n-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90411r4_rule
Severity: medium
Rule Title: Successful/unsuccessful uses of the fchown command must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "fchown" command occur.\n\nCheck that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":\n\n# sudo grep -w fchown /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful use of the "fchown" command by adding the following lines to "/etc/audit/audit.rules": \n\n-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90413r4_rule
Severity: medium
Rule Title: Successful/unsuccessful uses of the fchownat command must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "fchownat" command occur.\n\nCheck that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":\n\n# sudo grep -w fchownat /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful use of the "fchownat" command by adding the following lines to "/etc/audit/audit.rules": \n\n-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90415r4_rule
Severity: medium
Rule Title: Successful/unsuccessful uses of the lchown command must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n
Check_content: Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "lchown" command occur.\n\nCheck that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":\n\n# sudo grep -w lchown /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful use of the "lchown" command by adding the following lines to "/etc/audit/audit.rules": \n\n-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90417r3_rule
Severity: medium
Rule Title: Successful/unsuccessful uses of the chmod command must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "chmod" command occur.\n\nCheck that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":\n\n# sudo grep -w chmod /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chmod" command by adding the following line to "/etc/audit/audit.rules": \n\n-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90419r3_rule
Severity: medium
Rule Title: Successful/unsuccessful uses of the fchmod command must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "fchmod" command occur.\n\nCheck that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":\n\n# sudo grep -w fchmod /etc/audit/audit.rules\n\n-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful use of the "fchmod" command by adding the following line to "/etc/audit/audit.rules": \n\n-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90421r4_rule
Severity: medium
Rule Title: Successful/unsuccessful uses of the fchmodat command must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "fchmodat" command occur.\n\nCheck that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":\n\n# sudo grep -w fchmodat /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful use of the "fchmodat" command by adding the following lines to "/etc/audit/audit.rules": \n\n-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90423r4_rule
Severity: medium
Rule Title: Successful/unsuccessful uses of the open command must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "open" command occur.\n\nCheck that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":\n\n# sudo grep -iw open /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access\n\nIf the command does not return all lines, or the lines are commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful use of the "open" command. \n\nAdd or update the following rules in the "/etc/audit/audit.rules" file:\n\n-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90425r4_rule
Severity: medium
Rule Title: Successful/unsuccessful uses of the truncate command must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "truncate" command occur.\n\nCheck that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":\n\n# sudo grep -iw truncate /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access\n\nIf the command does not return all lines, or the lines are commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful use of the "truncate" command. \n\nAdd or update the following rules in the "/etc/audit/audit.rules" file:\n\n-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90427r4_rule
Severity: medium
Rule Title: Successful/unsuccessful uses of the ftruncate command must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "ftruncate" command occur.\n\nCheck that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":\n\n# sudo grep -iw ftruncate /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access\n\nIf the command does not return all lines, or the lines are commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful use of the "ftruncate" command. \n\nAdd or update the following rules in the "/etc/audit/audit.rules" file:\n\n-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90429r4_rule
Severity: medium
Rule Title: Successful/unsuccessful uses of the creat command must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "creat" command occur.\n\nCheck that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":\n\n# sudo grep -iw creat /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access\n\nIf the command does not return all lines, or the lines are commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful use of the "creat" command. \n\nAdd or update the following rules in the "/etc/audit/audit.rules" file:\n\n-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90431r4_rule
Severity: medium
Rule Title: Successful/unsuccessful uses of the openat command must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "openat" command occur.\n\nCheck that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":\n\n# sudo grep -iw openat /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access\n\nIf the command does not return all lines, or the lines are commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful use of the "openat" command. \n\nAdd or update the following rules in the "/etc/audit/audit.rules" file:\n\n-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90433r4_rule
Severity: medium
Rule Title: Successful/unsuccessful uses of the open_by_handle_at command must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "open_by_handle_at" command occur.\n\nCheck that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":\n\n# sudo grep -iw open_by_handle_at /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access\n\nIf the command does not return all lines, or the lines are commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful use of the "open_by_handle_at" command. \n\nAdd or update the following rules in the "/etc/audit/audit.rules" file:\n\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90435r4_rule
Severity: medium
Rule Title: Successful/unsuccessful uses of the sudo command must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify that an audit event is generated for any successful/unsuccessful use of the "sudo" command. \n\nCheck that the following rules are present by performing the following command to check the file system rules in "/etc/audit/audit.rules":\n\n# sudo grep -w sudo /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n-a always,exit -F arch=b64 -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nIf the command does not return both lines, or the lines are commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful use of the "sudo" command. \n\nAdd or update the following rules in the "/etc/audit/audit.rules" file (every field, including the path, must be introduced with "-F", otherwise auditctl rejects the rule):\n\n-a always,exit -F arch=b32 -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n-a always,exit -F arch=b64 -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90437r4_rule
Severity: medium
Rule Title: Successful/unsuccessful uses of the sudoedit command must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "sudoedit" command occur.\n\nCheck that the following rules are present by performing the following command to check the file system rules in "/etc/audit/audit.rules":\n\n# sudo grep -w sudoedit /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n-a always,exit -F arch=b64 -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nIf the command does not return both lines, or the lines are commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful use of the "sudoedit" command. \n\nAdd or update the following rules in the "/etc/audit/audit.rules" file (note the field is "-F arch=...", not "-F -arch=..."; a stray dash makes auditctl reject the rule and the check above would then fail):\n\n-a always,exit -F arch=b32 -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n-a always,exit -F arch=b64 -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90439r4_rule
Severity: medium
Rule Title: Successful/unsuccessful uses of the chsh command must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "chsh" command occur.\n\nCheck that the following rules are present by performing the following command to check the file system rules in "/etc/audit/audit.rules":\n\n# sudo grep -w chsh /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n-a always,exit -F arch=b64 -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nIf the command does not return both lines, or the lines are commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chsh" command. \n\nAdd or update the following rules in the "/etc/audit/audit.rules" file:\n\n-a always,exit -F arch=b32 -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n-a always,exit -F arch=b64 -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90441r5_rule
Severity: medium
Rule Title: Successful/unsuccessful uses of the newgrp command must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "newgrp" command occur.\n\nCheck that the following rules are present by performing the following command to check the file system rules in "/etc/audit/audit.rules":\n\n# sudo grep -w newgrp /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n-a always,exit -F arch=b64 -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nIf the command does not return both lines, or the lines are commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful use of the "newgrp" command. \n\nAdd or update the following rules in the "/etc/audit/audit.rules" file:\n\n-a always,exit -F arch=b32 -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n-a always,exit -F arch=b64 -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90445r4_rule
Severity: medium
Rule Title: Successful/unsuccessful uses of the apparmor_parser command must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "apparmor_parser" command occur.\n\nCheck that the following rules are present by performing the following command to check the file system rules in "/etc/audit/audit.rules":\n\n# sudo grep -w apparmor_parser /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit -F arch=b64 -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nIf the command does not return both lines, or the lines are commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful use of the "apparmor_parser" command. \n\nAdd or update the following rules in the "/etc/audit/audit.rules" file:\n\n-a always,exit -F arch=b32 -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit -F arch=b64 -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90447r4_rule
Severity: medium
Rule Title: Successful/unsuccessful uses of the setfacl command must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "setfacl" command occur.\n\nCheck that the following rules are present by performing the following command to check the file system rules in "/etc/audit/audit.rules":\n\n# sudo grep -w setfacl /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit -F arch=b64 -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nIf the command does not return both lines, or the lines are commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful use of the "setfacl" command. \n\nAdd or update the following rules in the "/etc/audit/audit.rules" file:\n\n-a always,exit -F arch=b32 -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit -F arch=b64 -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90449r4_rule
Severity: medium
Rule Title: Successful/unsuccessful uses of the chacl command must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "chacl" command occur.\n\nCheck that the following rules are present by performing the following command to check the file system rules in "/etc/audit/audit.rules":\n\n# sudo grep -w chacl /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit -F arch=b64 -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nIf the command does not return both lines, or the lines are commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chacl" command. \n\nAdd or update the following rules in the "/etc/audit/audit.rules" file:\n\n-a always,exit -F arch=b32 -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit -F arch=b64 -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90451r3_rule
Severity: medium
Rule Title: Successful/unsuccessful modifications to the tallylog file must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the Ubuntu operating system generates an audit record when successful/unsuccessful modifications to the "tallylog" file occur.\n\nCheck that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":\n\n# sudo grep -w tallylog /etc/audit/audit.rules\n\n-w /var/log/tallylog -p wa -k logins\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful modification of the "tallylog" file. \n\nAdd or update the following rule in the "/etc/audit/audit.rules" file:\n\n-w /var/log/tallylog -p wa -k logins\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90453r3_rule
Severity: medium
Rule Title: Successful/unsuccessful modifications to the faillog file must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the Ubuntu operating system generates an audit record when successful/unsuccessful modifications to the "faillog" file occur.\n\nCheck that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":\n\n# sudo grep -w faillog /etc/audit/audit.rules\n\n-w /var/log/faillog -p wa -k logins\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful modification of the "faillog" file. \n\nAdd or update the following rule in the "/etc/audit/audit.rules" file:\n\n-w /var/log/faillog -p wa -k logins\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90455r3_rule
Severity: medium
Rule Title: Successful/unsuccessful modifications to the lastlog file must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the Ubuntu operating system generates an audit record when successful/unsuccessful modifications to the "lastlog" file occur.\n\nCheck that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":\n\n# sudo grep -w lastlog /etc/audit/audit.rules\n\n-w /var/log/lastlog -p wa -k logins\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful modification of the "lastlog" file. \n\nAdd or update the following rule in the "/etc/audit/audit.rules" file:\n\n-w /var/log/lastlog -p wa -k logins\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90457r4_rule
Severity: medium
Rule Title: Successful/unsuccessful uses of the passwd command must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify that an audit event is generated for any successful/unsuccessful use of the "passwd" command. \n\nCheck that the following rules are present by performing the following command to check the file system rules in "/etc/audit/audit.rules":\n\n# sudo grep -w passwd /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n-a always,exit -F arch=b64 -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nIf the command does not return both lines, or the lines are commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "passwd" command. Add or update the following rules in the "/etc/audit/audit.rules" file:\n\n-a always,exit -F arch=b32 -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n-a always,exit -F arch=b64 -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90459r3_rule
Severity: medium
Rule Title: Successful/unsuccessful uses of the unix_update command must generate an audit record.
Description: Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\n
Check_content: Verify that an audit event is generated for any successful/unsuccessful use of the "unix_update" command.\n\nCheck that the following rule is present by performing the following command to check the file system rules in "/etc/audit/audit.rules":\n\n# sudo grep -w "unix_update" /etc/audit/audit.rules\n\n-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "unix_update" command. Add or update the following rules in the "/etc/audit/audit.rules" file:\n\n-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90461r4_rule
Severity: medium
Rule Title: Successful/unsuccessful uses of the gpasswd command must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify that an audit event is generated for any successful/unsuccessful use of the "gpasswd" command. \n\nCheck that the following rules are present by performing the following command to check the file system rules in "/etc/audit/audit.rules":\n\n# sudo grep -w gpasswd /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd\n-a always,exit -F arch=b64 -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd\n\nIf the command does not return both lines, or the lines are commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "gpasswd" command. Add or update the following rules in the "/etc/audit/audit.rules" file:\n\n-a always,exit -F arch=b32 -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd\n-a always,exit -F arch=b64 -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90463r4_rule
Severity: medium
Rule Title: Successful/unsuccessful uses of the chage command must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify that an audit event is generated for any successful/unsuccessful use of the "chage" command.\n\nCheck that the following rules are present by performing the following command to check the file system rules in "/etc/audit/audit.rules":\n\n# sudo grep -w chage /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage\n-a always,exit -F arch=b64 -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage\n\nIf the command does not return both lines, or the lines are commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "chage" command. Add or update the following rules in the "/etc/audit/audit.rules" file:\n\n-a always,exit -F arch=b32 -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage\n-a always,exit -F arch=b64 -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90465r4_rule
Severity: medium
Rule Title: Successful/unsuccessful uses of the usermod command must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify that an audit event is generated for any successful/unsuccessful use of the "usermod" command.\n\nCheck that the following rules are present by performing the following command to check the file system rules in "/etc/audit/audit.rules":\n\n# sudo grep -w usermod /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod\n-a always,exit -F arch=b64 -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod\n\nIf the command does not return both lines, or the lines are commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "usermod" command. Add or update the following rules in the "/etc/audit/audit.rules" file:\n\n-a always,exit -F arch=b32 -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod\n-a always,exit -F arch=b64 -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90467r4_rule
Severity: medium
Rule Title: Successful/unsuccessful uses of the crontab command must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify that an audit event is generated for any successful/unsuccessful use of the "crontab" command.\n\nCheck for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":\n\n# sudo grep -w crontab /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab\n-a always,exit -F arch=b64 path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "crontab" command. Add or update the following rules in the "/etc/audit/audit.rules" file:\n\n-a always,exit -F arch=b32 path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab\n-a always,exit -F arch=b64 path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90469r4_rule
Severity: medium
Rule Title: Successful/unsuccessful uses of the pam_timestamp_check command must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify that an audit event is generated for any successful/unsuccessful use of the "pam_timestamp_check" command.\n\nCheck for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":\n\n# sudo grep -w pam_timestamp_check /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam_timestamp_check\n-a always,exit -F arch=b64 path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam_timestamp_check\n\nIf the above command does not return the exact same output displayed in the example, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "pam_timestamp_check" command. Add or update the following rules in the "/etc/audit/audit.rules" file:\n\n-a always,exit -F arch=b32 path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam_timestamp_check\n-a always,exit -F arch=b64 path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam_timestamp_check\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90471r4_rule
Severity: medium
Rule Title: Successful/unsuccessful uses of the init_module command must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "init_module" system call occur. ("init_module" is a kernel system call, not an executable, so it is audited with a "-S" syscall rule rather than a path rule.)\n\nCheck that the following calls are being audited by performing the following command to check the rules in "/etc/audit/audit.rules":\n\n# sudo grep -w "init_module" /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S init_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n-a always,exit -F arch=b64 -S init_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful use of the "init_module" system call. \n\nAdd or update the following rules in the "/etc/audit/audit.rules" file:\n\n-a always,exit -F arch=b32 -S init_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n-a always,exit -F arch=b64 -S init_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n\nNote: if the audit service loads its rules through augenrules, "/etc/audit/audit.rules" is regenerated from "/etc/audit/rules.d/*.rules" on every start and direct edits are lost; on such systems add the rules to a file under "/etc/audit/rules.d/" instead.\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90473r4_rule
Severity: medium
Rule Title: Successful/unsuccessful uses of the finit_module command must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "finit_module" system call occur. ("finit_module" is a kernel system call, not an executable, so it is audited with a "-S" syscall rule rather than a path rule.)\n\nCheck that the following calls are being audited by performing the following command to check the rules in "/etc/audit/audit.rules":\n\n# sudo grep -w "finit_module" /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n-a always,exit -F arch=b64 -S finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful use of the "finit_module" command. \n\nAdd or update the following rules in the "/etc/audit/audit.rules" file:\n\n-a always,exit -F arch=b32 -S finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n-a always,exit -F arch=b64 -S finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90475r4_rule
Severity: medium
Rule Title: Successful/unsuccessful uses of the delete_module command must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "delete_module" system call occur. ("delete_module" is a kernel system call, not an executable, so it is audited with a "-S" syscall rule rather than a path rule.)\n\nCheck that the following calls are being audited by performing the following command to check the rules in "/etc/audit/audit.rules":\n\n# sudo grep -w "delete_module" /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful use of the "delete_module" command. \n\nAdd or update the following rules in the "/etc/audit/audit.rules" file:\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-90477r2_rule
Severity: high
Rule Title: The telnet package must not be installed.
Description: It is detrimental for Ubuntu operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nUbuntu operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.\n\n
Check_content: Verify that the telnet server package is not installed on the Ubuntu operating system.\n\nCheck that the telnet daemon package is not installed by running the following command:\n\n# sudo apt list telnetd\n\nNote: "apt list" prints the package name even when it is not installed; only a line ending in "[installed]" indicates an installed package. The telnet client is a separate package ("telnet") and is not covered by this check.\n\nIf the "telnetd" package is shown as installed, this is a finding.
Fixtext: Remove the telnet package from the Ubuntu operating system by running the following command:\n\n# sudo apt-get remove telnetd
Rule ID: SV-90479r2_rule
Severity: high
Rule Title: The Network Information Service (NIS) package must not be installed.
Description: Removing the Network Information Service (NIS) package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.
Check_content: Verify that the Network Information Service (NIS) package is not installed on the Ubuntu operating system.\n\nCheck to see if the NIS package is installed with the following command:\n\n# sudo apt list nis\n\nNote: "apt list" prints the package name even when it is not installed; only a line ending in "[installed]" indicates an installed package.\n\nIf the NIS package is shown as installed, this is a finding.
Fixtext: Configure the Ubuntu operating system to disable non-essential capabilities by removing the Network Information Service (NIS) package from the system with the following command:\n\n# sudo apt-get remove nis
Rule ID: SV-90481r2_rule
Severity: high
Rule Title: The rsh-server package must not be installed.
Description: It is detrimental for Ubuntu operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nUbuntu operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nThe rsh-server service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication.\n\nIf a privileged user were to log on using this service, the privileged user password could be compromised.
Check_content: Verify that the rsh-server package is not installed on the Ubuntu operating system.\n\nCheck to see if the rsh-server package is installed with the following command:\n\n# sudo apt list rsh-server\n\nNote: "apt list" prints the package name even when it is not installed; only a line ending in "[installed]" indicates an installed package.\n\nIf the rsh-server package is shown as installed, this is a finding.
Fixtext: Configure the Ubuntu operating system to disable non-essential capabilities by removing the rsh-server package from the system with the following command:\n\n# sudo apt-get remove rsh-server
Rule ID: SV-90483r2_rule
Severity: medium
Rule Title: An application firewall must be installed.
Description: Uncomplicated Firewall provides an easy and effective way to block/limit remote access to the system, via ports, services and protocols.\n\nRemote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best.\n\nRemote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).
Check_content: Verify that the Uncomplicated Firewall is installed.\n\nCheck that the Uncomplicated Firewall is installed with the following command:\n\n# sudo apt list ufw\n\nufw ... 0.35-0ubuntu2 ... [installed]\n\nThe exact line varies by release; what matters is the trailing "[installed]", since "apt list" also prints packages that are merely available.\n\nIf the "ufw" package is not installed, ask the System Administrator if another application firewall is installed. If no application firewall is installed this is a finding.
Fixtext: Install Uncomplicated Firewall with the following command:\n\n# sudo apt-get install ufw
Rule ID: SV-90485r2_rule
Severity: medium
Rule Title: An application firewall must be enabled on the system.
Description: Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications are allowed to communicate over the network.
Check_content: Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n# sudo systemctl is-enabled ufw\n\nenabled\n\nIf the above command returns anything other than "enabled" (for example "disabled" or "masked"), this is a finding.\n\nNote: "is-enabled" only reports whether the ufw unit starts at boot. The firewall itself is active only after "sudo ufw enable" has set ENABLED=yes in "/etc/ufw/ufw.conf"; also confirm with "sudo ufw status", which must report "Status: active".\n\nIf the Uncomplicated Firewall is not installed, ask the System Administrator if another application firewall is installed. If no application firewall is installed this is a finding.
Fixtext: Enable the Uncomplicated Firewall by using the following commands:\n\n# sudo ufw enable\n\n# sudo systemctl start ufw\n\n# sudo systemctl enable ufw\n\nNote: "ufw enable" is what activates the rule set and marks the firewall to start at boot (ENABLED=yes in "/etc/ufw/ufw.conf"); starting the systemd unit alone does not load rules while ENABLED=no. On a remotely administered host, add an allow or limit rule for the administrative access path (e.g. "sudo ufw limit ssh") before enabling, or the current session may be cut off.\n
Rule ID: SV-90487r2_rule
Severity: medium
Rule Title: An application firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.
Description: Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data.\n\n
Check_content: Verify the Uncomplicated Firewall is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems.\n\nCheck the Uncomplicated Firewall configuration with the following command (the "numbered" form shows the rule numbers needed by "ufw delete"):\n# sudo ufw status numbered\nStatus: active\n\n To Action From\n -- ------ ----\n[ 1] 22 LIMIT IN Anywhere\n\nIf any services, ports, or applications are "allowed" and are not documented by the organization, this is a finding.
Fixtext: Configure the Uncomplicated Firewall to employ a deny-all, allow-by-exception policy for allowing connections to other systems.\n\nRemove any service that is not needed or documented by the organization with the following command (replace [NUMBER] with the rule number shown by "sudo ufw status numbered"):\n\n# sudo ufw delete [NUMBER]\n\nAnother option would be to set the Uncomplicated Firewall back to default with the following commands:\n\n# sudo ufw default deny incoming\n# sudo ufw default allow outgoing\n\nNote: UFW’s defaults are to deny all incoming connections and allow all outgoing connections. "default allow outgoing" therefore leaves outbound connections unrestricted; if outbound filtering is required (see the exfiltration concern in the Description), use "sudo ufw default deny outgoing" and add explicit allow rules for the required destinations.
Rule ID: SV-90489r2_rule
Severity: medium
Rule Title: The Ubuntu operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.
Description: In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.\n\nUbuntu operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component.\n\nTo support the requirements and principles of least functionality, the Ubuntu operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.
Check_content: Verify the Uncomplicated Firewall is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems.\n\nCheck the Uncomplicated Firewall configuration with the following command (the "numbered" form shows the rule numbers needed by "ufw delete"):\n# sudo ufw status numbered\nStatus: active\n\n To Action From\n -- ------ ----\n[ 1] 22 LIMIT IN Anywhere\n\nIf any services, ports, or applications are "allowed" and are not documented by the organization, this is a finding.
Fixtext: Add/Modify the Ubuntu operating system's firewall settings and/or running services to comply with the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL).
Rule ID: SV-90491r4_rule
Severity: medium
Rule Title: A sticky bit must be set on all public directories to prevent unauthorized and unintended information transferred via shared system resources.
Description: Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.\n\nThis requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies.\n\nThere may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components.
Check_content: Verify that all world writable directories have the sticky bit set.\n\nList world writable directories that lack the sticky bit by running the following command:\n\n# sudo find / -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null\n\nThe command prints one path per line and returns only directories that are world writable without the sticky bit, so any output at all is a finding. A correctly configured directory such as "/tmp" (mode drwxrwxrwt) is not printed.\n\nIf any directories are returned, this is a finding.
Fixtext: Configure all world writable directories to have the sticky bit set to prevent unauthorized and unintended information transferred via shared system resources.\n\nAdd the sticky bit to each directory reported by the check, replacing "[World-Writable Directory]" with its path:\n\n# sudo chmod +t [World-Writable Directory]\n\nNote: "sudo chmod 1777 [World-Writable Directory]" also works but resets the directory to mode 1777 regardless of its current permissions; "chmod +t" adds only the sticky bit and preserves the existing mode.
Rule ID: SV-90493r2_rule
Severity: medium
Rule Title: The Ubuntu operating system must compare internal information system clocks at least every 24 hours with a server which is synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
Description: Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.\n\nOrganizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).
Check_content: The system clock must be configured to compare the system clock at least every 24 hours to the authoritative time source.\n\nNote: If the system is not networked this item is Not Applicable.\n\nCheck the value of "maxpoll" in the "/etc/ntp.conf" file with the following command:\n\n# sudo grep -i maxpoll /etc/ntp.conf\nmaxpoll = 17\n\nIf "maxpoll" is not set to "17" or does not exist, this is a finding.\n\nNote: ntpd poll intervals are 2^n seconds, so "maxpoll 17" permits up to about 36 hours between polls and does not by itself guarantee a comparison every 24 hours; a value of 16 (about 18 hours) or lower does. In "ntp.conf" the keyword is normally given as an option on the server line (e.g. "server [source] iburst maxpoll 16") rather than as a standalone "maxpoll = 17" entry; the grep above matches either form.\n\nVerify that the "ntp.conf" file is configured to an authoritative DoD time source by running the following command:\n\n# grep -i server /etc/ntp.conf\nserver 0.us.pool.ntp.org iburst\n\nNote: the example output shows a public pool server; on a DoD system that would itself be a finding, as the "server" line must name an authoritative DoD time source. Lines beginning with "#" are comments and do not count.\n\nIf the parameter "server" is not set, is not set to an authoritative DoD time source, or is commented out, this is a finding.
Fixtext: Note: If the system is not networked this item is Not Applicable.\n\nTo configure the system clock to compare the system clock at least every 24 hours to the authoritative time source, edit the "/etc/ntp.conf" file. Add or correct the following lines, by replacing "[source]" in the following line with an authoritative DoD time source.\n\nmaxpoll = 17\nserver [source] iburst\n\nNote: "maxpoll" is normally written as an option on the server line ("server [source] iburst maxpoll 17"), and because poll intervals are 2^n seconds a value of 16 or lower is required to guarantee a poll within every 24 hours; 17 allows roughly 36 hours.\n\nIf the "NTP" service was running and the value of "maxpoll" or "server" was updated then the service must be restarted using the following command:\n\n# sudo systemctl restart ntp.service\n\nIf the "NTP" service was not running then it must be started and enabled at boot:\n\n# sudo systemctl enable ntp.service\n# sudo systemctl start ntp.service
Rule ID: SV-90495r2_rule
Severity: medium
Rule Title: The Ubuntu operating system must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.
Description: Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events.\n\nSynchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider setting time periods for different types of systems (e.g., financial, legal, or mission-critical systems).\n\nOrganizations should also consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). This requirement is related to the comparison done every 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the time difference.
Check_content: Verify that Network Time Protocol (NTP) is running in continuous mode.\n\nCheck that NTP is running in continuous mode with the following command:\n\n# grep ntpdate /etc/init.d/ntpd\n\n if ntpdate -u -s -b -p 4 -t 5 $NTPSERVER ; then\n\nIf the option "-q" is present, this is a finding.\n\nNote: on Ubuntu the "ntp" package installs "/etc/init.d/ntp" (and the "ntp.service" unit), not "/etc/init.d/ntpd", so the path above may not exist. In that case apply the same check to "/etc/init.d/ntp" and any other script that invokes ntpdate, and confirm that ntpd is running continuously as a daemon (e.g. "systemctl status ntp.service") rather than being invoked only for one-off queries.
Fixtext: The Network Time Protocol (NTP) will run in continuous mode by default. If the query only option (-q) has been added to the ntpdate command in /etc/init.d/ntpd it must be removed.
Rule ID: SV-90497r2_rule todo?
Severity: medium
Rule Title: The Ubuntu operating system must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
Description: If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.\n\nTime stamps generated by the Ubuntu operating system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.
Check_content: The time zone must be configured to use Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). To verify run the following command. \n\n# sudo timedatectl status | grep -i "time zone"\nTime zone: UTC (UTC, +0000)\n\nIf "Time zone" is not set to UTC or GMT, this is a finding.
Fixtext: To configure the system time zone to use Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT), run the following command replacing [ZONE] with UTC or GMT.\n\n# sudo timedatectl set-timezone [ZONE]
Rule ID: SV-90499r2_rule
Severity: medium
Rule Title: The Ubuntu operating system must implement non-executable data to protect its memory from unauthorized code execution.
Description: Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.\n\nExamples of attacks are buffer overflow attacks.
Check_content: Verify the NX (no-execution) bit flag is set on the system.\n\nCheck that the no-execution bit flag is set with the following commands:\n\n# sudo dmesg | grep NX\n\n[ 0.000000] NX (Execute Disable) protection: active\n\nNote: "sudo" is needed because reading the kernel ring buffer is restricted to root when kernel.dmesg_restrict is set; the ring buffer may also have wrapped on a long-running system, in which case the boot message is no longer available.\n\nIf "dmesg" does not show "NX (Execute Disable) protection" active, check the cpuinfo settings with the following command: \n\n# grep -i flags /proc/cpuinfo\nflags : fpu vme de pse tsc msr nx rdtscp lm constant_tsc\n\nThe "nx" flag only shows that the processor supports NX; the dmesg line is the confirmation that the kernel has actually enabled it.\n\nIf "flags" does not contain the "nx" flag, this is a finding.
Fixtext: The NX bit execute protection must be enabled in the system BIOS.
Rule ID: SV-90501r2_rule
Severity: medium
Rule Title: The Ubuntu operating system must implement address space layout randomization to protect its memory from unauthorized code execution.
Description: Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.\n\nExamples of attacks are buffer overflow attacks.
Check_content: Verify the Ubuntu operating system implements address space layout randomization (ASLR).\n\nCheck that ASLR is configured on the system with the following command:\n\n# sudo sysctl kernel.randomize_va_space\n\nkernel.randomize_va_space = 2\n\nThe "sysctl" command reports only the running value. Also verify that the setting is persisted so it survives a reboot, with the following command:\n\n# grep -r "kernel.randomize_va_space" /etc/sysctl.conf /etc/sysctl.d/*\n\nkernel.randomize_va_space = 2\n\nIf "kernel.randomize_va_space" is not set to "2" in the running kernel or in the persistent configuration, or the persistent line is commented out, this is a finding.
Fixtext: Configure the operating system to implement virtual address space randomization.\n\nSet the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value):\n\nkernel.randomize_va_space=2\n\nApply the setting to the running kernel without a reboot with the following command:\n\n# sudo sysctl -w kernel.randomize_va_space=2\n\nNote: a later file in "/etc/sysctl.d/" that sets the same parameter will override "/etc/sysctl.conf" at boot; check for conflicting entries there.
Rule ID: SV-90503r1_rule
Severity: high
Rule Title: The Ubuntu operating system must enforce SSHv2 for network access to all accounts.
Description: A replay attack may enable an unauthorized user to gain access to the Ubuntu operating system. Authentication sessions between the authenticator and the Ubuntu operating system validating the user credentials must not be vulnerable to a replay attack.\n\nAn authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message.\n\nA privileged account is any information system account with authorizations of a privileged user.\n\nTechniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.\n\n
Check_content: Verify that the Ubuntu operating system enforces SSH protocol 2 for network access.\n\nCheck the protocol versions that SSH allows with the following command:\n\n# grep -i protocol /etc/ssh/sshd_config\n\nProtocol 2\n\nIf the returned line allows for use of protocol "1", is commented out, or the line is missing, this is a finding.\n\nNote: OpenSSH 7.4 and later removed server-side SSHv1 support entirely and ignore the "Protocol" directive; on such versions a missing line does not enable SSHv1, but adding "Protocol 2" is harmless and satisfies the check.
Fixtext: Configure the Ubuntu operating system to enforce SSHv2 for network access to all accounts.\n\nAdd or update the following line in the "/etc/ssh/sshd_config" file:\n\nProtocol 2\n\nValidate the configuration before restarting, so a syntax error cannot leave the server without a working sshd:\n\n# sudo sshd -t\n\nRestart the ssh service.\n\n# sudo systemctl restart sshd.service
Rule ID: SV-90505r4_rule
Severity: medium
Rule Title: The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon and the user must acknowledge the usage conditions and take explicit actions to log on for further access.
Description: Display of a standardized and approved use notification before granting access to the Ubuntu operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for Ubuntu operating systems:\n\n"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
Check_content: Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the Ubuntu operating system via a ssh logon.\n\nCheck that the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the Ubuntu operating system via a ssh logon with the following command:\n\n# grep -i banner /etc/ssh/sshd_config\n\nBanner=/etc/issue.net\n\nThe command will return the banner option along with the name of the file that contains the ssh banner. If the line is commented out this is a finding.\n\nCheck the specified banner file to verify that it matches the Standard Mandatory DoD Notice and Consent Banner exactly:\n\n"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. 
Such communications and work product are private and confidential. See User Agreement for details."\n\nIf the banner text does not match the Standard Mandatory DoD Notice and Consent Banner exactly, this is a finding.
Fixtext: Configure the Ubuntu operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via SSH logon.\n\nEdit the SSH daemon configuration "/etc/ssh/sshd_config" file. Uncomment the banner keyword and configure it to point to the file that contains the correct banner. An example of this configure is below:\n\nBanner=/etc/issue.net\n\nEither create the file containing the banner, or replace the text in the file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\n"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."\n\nThe SSH daemon must be restarted for the changes to take effect. 
To restart the SSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service
Rule ID: SV-90507r2_rule
Severity: medium
Rule Title: The Ubuntu operating system must not permit direct logons to the root account using remote access via SSH.
Description: Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly as root. In addition, logging on with a user-specific account provides individual accountability of actions performed on the system.
Check_content: Verify remote access using SSH prevents users from logging on directly as "root".\n\nCheck that SSH prevents users from logging on directly as "root" with the following command:\n\n# grep PermitRootLogin /etc/ssh/sshd_config\nPermitRootLogin no\n\nIf the "PermitRootLogin" keyword is set to "yes", is missing, or is commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to stop users from logging on remotely as the "root" user via SSH.\n\nEdit the appropriate "/etc/ssh/sshd_config" file to uncomment or add the line for the "PermitRootLogin" keyword and set its value to "no":\n\nPermitRootLogin no\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service
Rule ID: SV-90509r3_rule
Severity: medium
Rule Title: The Ubuntu operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.
Description: Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.\n\nRemote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nEncryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information.
Check_content: Verify the SSH daemon is configured to only implement DoD-approved encryption.\n\nCheck the SSH daemon's current configured ciphers by running the following command:\n\n# sudo grep -i ciphers /etc/ssh/sshd_config | grep -v '^#'\n\nCiphers aes128-ctr,aes192-ctr,aes256-ctr\n\nIf any ciphers other than "aes128-ctr", "aes192-ctr", or "aes256-ctr" are listed, the "Ciphers" keyword is missing, or the returned line is commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to allow the SSH daemon to only implement DoD-approved encryption.\n\nEdit the SSH daemon configuration "/etc/ssh/sshd_config" and remove any ciphers not starting with "aes" and remove any ciphers ending with "cbc". If necessary, append the "Ciphers" line to the "/etc/ssh/sshd_config" document.\n\nCiphers aes128-ctr,aes192-ctr,aes256-ctr\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service
Rule ID: SV-90511r2_rule
Severity: medium
Rule Title: The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
Description: Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.\n\n
Check_content: Verify the SSH daemon is configured to only use Message Authentication Codes (MACs) that employ FIPS 140-2 approved ciphers.\n\nCheck that the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers with the following command:\n\n# sudo grep -i macs /etc/ssh/sshd_config\nMACs hmac-sha2-256,hmac-sha2-512\n\nIf any ciphers other than "hmac-sha2-256" or "hmac-sha2-512" are listed, or the returned line is commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to allow the SSH daemon to only use Message Authentication Codes (MACs) that employ FIPS 140-2 approved ciphers.\n\nEdit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "MACs" keyword and set its value to "hmac-sha2-256" and/or "hmac-sha2-512":\n\nMACs hmac-sha2-256,hmac-sha2-512\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service
Rule ID: SV-90513r2_rule
Severity: high
Rule Title: Unattended or automatic login via ssh must not be allowed.
Description: Failure to restrict system access to authenticated users negatively impacts Ubuntu operating system security.
Check_content: Verify that unattended or automatic login via ssh is disabled.\n\nCheck that unattended or automatic login via ssh is disabled with the following command:\n\n# egrep '(Permit(.*?)(Passwords|Environment))' /etc/ssh/sshd_config\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\nIf the "PermitEmptyPasswords" or "PermitUserEnvironment" keywords are not set to "no", are missing completely, or are commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system so that the SSH daemon does not allow unattended or automatic login to the system.\n\nAdd or edit the following lines in the "/etc/ssh/sshd_config" file:\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service
Rule ID: SV-90515r2_rule
Severity: medium
Rule Title: The system must display the date and time of the last successful account logon upon an SSH logon.
Description: Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.
Check_content: Verify SSH provides users with feedback on when account accesses last occurred.\n\nCheck that "PrintLastLog" keyword in the sshd daemon configuration file is used and set to "yes" with the following command:\n\n# grep PrintLastLog /etc/ssh/sshd_config\nPrintLastLog yes\n\nIf the "PrintLastLog" keyword is set to "no", is missing, or is commented out, this is a finding.
Fixtext: Add or edit the following lines in the "/etc/ssh/sshd_config" file:\n\nPrintLastLog yes\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service
Rule ID: SV-90517r3_rule
Severity: medium
Rule Title: The Ubuntu operating system must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.
Description: Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions.\n\nSession termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated.\n\nConditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use.\n\nThis capability is typically reserved for specific Ubuntu operating system functionality where the system owner, data owner, or organization requires additional assurance.
Check_content: Verify that all network connections associated with SSH traffic are automatically terminated at the end of the session or after "10" minutes of inactivity.\n\nCheck that the "ClientAliveInterval" variable is set to a value of "600" or less by performing the following command:\n\n# sudo grep -i clientalive /etc/ssh/sshd_config\n\nClientAliveInterval 600\n\nIf "ClientAliveInterval" has a value that is greater than "600" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, or is commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to automatically terminate all network connections associated with SSH traffic at the end of a session or after a "10" minute period of inactivity.\n\nModify or append the following lines in the "/etc/ssh/sshd_config" file replacing "[Interval]" with a value of "600" or less:\n\nClientAliveInterval 600\n\nIn order for the changes to take effect, the SSH daemon must be restarted.\n\n# sudo systemctl restart sshd.service
Rule ID: SV-90521r2_rule
Severity: medium
Rule Title: The SSH daemon must not allow authentication using known hosts authentication.
Description: Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.
Check_content: Verify the SSH daemon does not allow authentication using known hosts authentication.\n\nTo determine how the SSH daemon's "IgnoreUserKnownHosts" option is set, run the following command:\n\n# grep IgnoreUserKnownHosts /etc/ssh/sshd_config\n\nIgnoreUserKnownHosts yes\n\nIf the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.
Fixtext: Configure the SSH daemon to not allow authentication using known hosts authentication.\n\nAdd the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes":\n\nIgnoreUserKnownHosts yes\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service\n
Rule ID: SV-90523r2_rule
Severity: medium
Rule Title: The SSH public host key files must have mode 0644 or less permissive.
Description: If a public host key file is modified by an unauthorized user, the SSH service may be compromised.
Check_content: Verify the SSH public host key files have mode "0644" or less permissive.\n\nNote: SSH public key files may be found in other directories on the system depending on the installation.\n\nThe following command will find all SSH public key files on the system:\n\n# ls -l /etc/ssh/*.pub\n\n-rw-r--r-- 1 root wheel 618 Nov 28 06:43 ssh_host_dsa_key.pub\n-rw-r--r-- 1 root wheel 347 Nov 28 06:43 ssh_host_key.pub\n-rw-r--r-- 1 root wheel 238 Nov 28 06:43 ssh_host_rsa_key.pub\n\nIf any key.pub file has a mode more permissive than "0644", this is a finding.
Fixtext: Note: SSH public key files may be found in other directories on the system depending on the installation. \n\nChange the mode of public host key files under "/etc/ssh" to "0644" with the following command:\n\n# sudo chmod 0644 /etc/ssh/*key.pub\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service
Rule ID: SV-90525r2_rule
Severity: medium
Rule Title: The SSH private host key files must have mode 0600 or less permissive.
Description: If an unauthorized user obtains the private SSH host key file, the host could be impersonated.
Check_content: Verify the SSH private host key files have mode "0600" or less permissive.\n\nCheck the mode of the private host key files under "/etc/ssh" file with the following command:\n\n# ls -alL /etc/ssh/ssh_host*key\n\n-rw------- 1 root wheel 668 Nov 28 06:43 ssh_host_dsa_key\n-rw------- 1 root wheel 582 Nov 28 06:43 ssh_host_key\n-rw------- 1 root wheel 887 Nov 28 06:43 ssh_host_rsa_key\n\nIf any private host key file has a mode more permissive than "0600", this is a finding.
Fixtext: Configure the mode of SSH private host key files under "/etc/ssh" to "0600" with the following command:\n\n# sudo chmod 0600 /etc/ssh/ssh_host*key\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service
Rule ID: SV-90527r2_rule
Severity: medium
Rule Title: The SSH daemon must perform strict mode checking of home directory configuration files.
Description: If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.
Check_content: Verify the SSH daemon performs strict mode checking of home directory configuration files.\n\nCheck that the SSH daemon performs strict mode checking of home directory configuration files with the following command:\n\n# grep StrictModes /etc/ssh/sshd_config\n\nStrictModes yes\n\nIf "StrictModes" is set to "no", is missing, or the returned line is commented out, this is a finding.
Fixtext: Configure SSH to perform strict mode checking of home directory configuration files. Uncomment the "StrictModes" keyword in "/etc/ssh/sshd_config" and set the value to "yes":\n\nStrictModes yes\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service
Rule ID: SV-90529r2_rule
Severity: medium
Rule Title: The SSH daemon must use privilege separation.
Description: SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section.
Check_content: Check that the SSH daemon performs privilege separation with the following command:\n\n# grep UsePrivilegeSeparation /etc/ssh/sshd_config \n\nUsePrivilegeSeparation yes\n\nIf the "UsePrivilegeSeparation" keyword is set to "no", is missing, or the returned line is commented out, this is a finding.
Fixtext: Configure SSH to use privilege separation. Uncomment the "UsePrivilegeSeparation" keyword in "/etc/ssh/sshd_config" and set the value to "yes":\n\nUsePrivilegeSeparation yes\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service
Rule ID: SV-90531r2_rule
Severity: medium
Rule Title: The SSH daemon must not allow compression or must only allow compression after successful authentication.
Description: If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.
Check_content: Verify the SSH daemon performs compression after a user successfully authenticates.\n\nCheck that the SSH daemon performs compression after a user successfully authenticates with the following command:\n\n# grep Compression /etc/ssh/sshd_config\nCompression delayed\n\nIf the "Compression" keyword is set to "yes", is missing, or the returned line is commented out, this is a finding.
Fixtext: Configure SSH to use compression. Uncomment the "Compression" keyword in "/etc/ssh/sshd_config" on the system and set the value to "delayed" or "no":\n\nCompression no\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service
Rule ID: SV-90533r2_rule
Severity: high
Rule Title: Remote X connections for interactive users must be encrypted.
Description: Open X displays allow an attacker to capture keystrokes and execute commands remotely.
Check_content: Verify remote X connections for interactive users are encrypted.\n\nCheck that remote X connections are encrypted with the following command:\n\n# grep -i x11forwarding /etc/ssh/sshd_config\nX11Forwarding yes\n\nIf the "X11Forwarding" keyword is set to "no", is missing, or is commented out, this is a finding.
Fixtext: Configure SSH to encrypt connections for interactive users.\n\nEdit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11Forwarding" keyword and set its value to "yes":\n\nX11Forwarding yes\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command:\n\n# sudo systemctl restart sshd.service
Rule ID: SV-90535r1_rule
Severity: medium
Rule Title: An application firewall must protect against or limit the effects of Denial of Service (DoS) attacks by ensuring the Ubuntu operating system is implementing rate-limiting measures on impacted network interfaces.
Description: DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.\n\nThis requirement addresses the configuration of the Ubuntu operating system to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.
Check_content: Verify an application firewall is configured to rate limit any connection to the system.\n\nCheck that the Uncomplicated Firewall is configured to rate limit any connection to the system with the following command:\n\n# sudo ufw show raw\n\nChain ufw-user-input (1 references)\npkts bytes target prot opt in out source destination\n0 0 ufw-user-limit all -- eth0 * 0.0.0.0/0 0.0.0.0/0\nctstate NEW recent: UPDATE seconds: 30 hit_count: 6 name: DEFAULT side:\nsource mask: 255.255.255.255\n\n0 0 ufw-user-limit-accept all -- eth0 * 0.0.0.0/0 0.0.0.0/0\n\n\nIf any service is not rate limited by the Uncomplicated Firewall, this is a finding.
Fixtext: Configure the application firewall to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring the Ubuntu operating system is implementing rate-limiting measures on impacted network interfaces.\n\nRun the following command replacing "[service]" with the service that needs to be rate limited.\n\n# sudo ufw limit [service]\n\nOr rate-limiting can be done on an interface. An example of adding a rate-limit on the eth0 interface:\n\n# sudo ufw limit in on eth0
Rule ID: SV-90537r1_rule
Severity: high
Rule Title: All networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
Description: Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. \n\nThis requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. \n\nProtecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa.\n\n
Check_content: Verify the "ssh" meta-package is installed.\n\nCheck that the ssh package is installed with the following command:\n\n$ dpkg -l | grep openssh\n\nii openssh-client 1:7.2p2-4Ubuntu2.1\namd64 secure shell (SSH) client, for secure access to\nremote machines\nii openssh-server 1:7.2p2-4Ubuntu2.1\namd64 secure shell (SSH) server, for secure access\nfrom remote machines\nii openssh-sftp-server 1:7.2p2-4Ubuntu2.1\namd64 secure shell (SSH) sftp server module, for SFTP\naccess from remote machines\n\nIf the "openssh" server package is not installed, this is a finding.\n\nCheck that the "sshd.service" is loaded and active with the following command:\n\n# systemctl status sshd.service | egrep -i "(active|loaded)"\n\nLoaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)\nActive: active (running) since Sun 2016-06-05 23:46:29 CDT; 1h 4min ago\n\nIf "sshd.service" is not active or loaded, this is a finding.
Fixtext: Install the "ssh" meta-package on the system with the following command:\n\n# sudo apt install ssh\n\nEnable the "ssh" service to start automatically on reboot with the following command:\n\n# sudo systemctl enable sshd.service
Rule ID: SV-90539r2_rule
Severity: medium
Rule Title: The audit system must take appropriate action when the network cannot be used to off-load audit records.
Description: Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.
Check_content: Verify that the audit system takes appropriate action if the network cannot be used to off-load audit records.\n\nCheck what action will take place if the network connection fails with the following command:\n\n# sudo grep -iw "network_failure" /etc/audisp/audisp-remote.conf\n\nnetwork_failure_action = stop\n\nIf the value of the "network_failure_action" option is not "syslog", "single", or "halt", or the line is commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to take appropriate action when the network cannot be used to off-load audit records.\n\nAdd, edit or uncomment the "network_failure_action" option in "/etc/audisp/audisp-remote.conf". Set it to "syslog", "single" or "halt" like the below example:\n\nnetwork_failure_action = single
Rule ID: SV-90543r2_rule
Severity: medium
Rule Title: All remote access methods must be monitored.
Description: Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best.\n\nRemote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).
Check_content: Verify that the Ubuntu operating system monitors all remote access methods.\n\nCheck that remote access methods are being logged by running the following command:\n\n# grep -E '(auth.*|authpriv.*|daemon.*)' /etc/rsyslog.d/50-default.conf\n\nauth,authpriv.* /var/log/auth.log\ndaemon.notice /var/log/messages\n\nIf "auth.*", "authpriv.*" or "daemon.*" are not configured to be logged, this is a finding.
Fixtext: Configure the Ubuntu operating system to monitor all remote access methods by adding the following lines to the "/etc/rsyslog.d/50-default.conf" file:\n\nauth.*,authpriv.* /var/log/secure\ndaemon.notice /var/log/messages\n\nThe "rsyslog" service must be restarted for the changes to take effect. To restart the "rsyslog" service, run the following command:\n\n# sudo systemctl restart rsyslog.service
Rule ID: SV-90545r2_rule
Severity: medium
Rule Title: Cron logging must be implemented.
Description: Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.
Check_content: Verify that "rsyslog" is configured to log cron events.\n\nCheck the configuration of "/etc/rsyslog.d/50-default.conf" for the cron facility with the following commands:\n\nNote: If another logging package is used, substitute the utility configuration file for "/etc/rsyslog.d/50-default.conf". \n\n# grep cron /etc/rsyslog.d/50-default.conf\n\ncron.* /var/log/cron.log\n\nIf the commands do not return a response, check for cron logging of all facilities by inspecting the "/etc/rsyslog.d/50-default.conf" file:\n\n# more /etc/rsyslog.conf\n\nLook for the following entry:\n\n*.* /var/log/messages\n\nIf "rsyslog" is not logging messages for the cron facility or all facilities, this is a finding.
Fixtext: Configure "rsyslog" to log all cron messages by adding or updating the following line to "/etc/rsyslog.d/50-default.conf":\n\ncron.* /var/log/cron.log\n\nNote: The line must be added before the following entry if it exists in "/etc/rsyslog.d/50-default.conf":\n\n*.* ~ # discards everything
Rule ID: SV-90547r1_rule
Severity: medium
Rule Title: Wireless network adapters must be disabled.
Description: Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the Ubuntu operating system.\n\nThis requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with an Ubuntu operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DoD requirements for wireless data transmission and be approved for use by the AO. Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the Ubuntu operating system. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.\n\nProtecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required.\n\n
Check_content: Verify that there are no wireless interfaces configured on the system.\n\nCheck that the system does not have active wireless interfaces with the following command:\n\nNote: This requirement is Not Applicable for systems that do not have physical wireless network radios.\n\n# ifconfig -a | more\n\neth0 Link encap:Ethernet HWaddr ff:ff:ff:ff:ff:ff \ninet addr:192.168.2.100 Bcast:192.168.2.255 Mask:255.255.255.0\n...\n\neth1 IEEE 802.11b ESSID:"tacnet"\nMode:Managed Frequency:2.412 GHz Access Point: 00:40:E7:22:45:CD\n...\n\nlo Link encap:Local Loopback \ninet addr:127.0.0.1 Mask:255.0.0.0\ninet6 addr: ::1/128 Scope:Host\n...\n\nIf a wireless interface is configured and has not been documented and approved by the Information System Security Officer (ISSO), this is a finding.
Fixtext: Configure the system to disable all wireless network interfaces with the following command:\n\n# sudo ifdown [ADAPTER_NAME]
Rule ID: SV-90549r2_rule
Severity: medium
Rule Title: The Ubuntu operating system must be configured to use TCP syncookies.
Description: DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. \n\nManaging excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.
Check_content: Verify the Ubuntu operating system is configured to use TCP syncookies.\n\nCheck the value of TCP syncookies with the following command:\n\n# sysctl net.ipv4.tcp_syncookies\nnet.ipv4.tcp_syncookies = 1\n\nIf the value is not "1", this is a finding.
Fixtext: Configure the Ubuntu operating system to use TCP syncookies, by running the following command:\n\n# sudo sysctl -w net.ipv4.tcp_syncookies=1\n\nIf "1" is not the system\'s default value then add or update the following line in "/etc/sysctl.conf" or in the appropriate file under "/etc/sysctl.d":\n\nnet.ipv4.tcp_syncookies = 1
Rule ID: SV-90551r2_rule
Severity: low
Rule Title: For Ubuntu operating systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.
Description: To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.
Check_content: Determine whether the Ubuntu operating system is using local or Domain Name Server (DNS) name resolution with the following command:\n\n# grep hosts /etc/nsswitch.conf\nhosts: files dns\n\nIf the DNS entry is missing from the host\'s line in the "/etc/nsswitch.conf" file, the "/etc/resolv.conf" file must be empty.\n\nIf the "/etc/resolv.conf" file is not empty, this is a finding.\n\nIf the DNS entry is found on the host\'s line of the "/etc/nsswitch.conf" file, verify the Ubuntu operating system is configured to use two or more name servers for DNS resolution.\n\nDetermine the name servers used by the system with the following command:\n\n# sudo grep nameserver /etc/resolv.conf\n\nnameserver 192.168.1.2\n\nnameserver 192.168.1.3\n\nIf fewer than two lines are returned that are not commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to use two or more name servers for Domain Name Server (DNS) resolution.\n\nEdit the "/etc/resolv.conf" file to uncomment or add the two or more "nameserver" option lines with the IP address of local authoritative name servers. If local host resolution is being performed, the "/etc/resolv.conf" file must be empty. An empty "/etc/resolv.conf" file can be created as follows:\n\n# echo -n > /etc/resolv.conf
Rule ID: SV-90553r3_rule
Severity: medium
Rule Title: The Ubuntu operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.
Description: Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.
Check_content: Verify the Ubuntu operating system does not accept IPv4 source-routed packets.\n\nCheck the value of the accept source route variable with the following command:\n\n# sudo sysctl net.ipv4.conf.all.accept_source_route\n\nnet.ipv4.conf.all.accept_source_route=0\n\nIf the returned line does not have a value of "0", a line is not returned, or the returned line is commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to not forward Internet Protocol version 4 (IPv4) source-routed packets with the following command:\n\n# sudo sysctl -w net.ipv4.conf.all.accept_source_route=0\n\nIf "0" is not the system\'s default value then add or update the following line in "/etc/sysctl.conf" or in the appropriate file under "/etc/sysctl.d":\n\nnet.ipv4.conf.all.accept_source_route=0
Rule ID: SV-90555r3_rule
Severity: medium
Rule Title: The Ubuntu operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
Description: Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.
Check_content: Verify the Ubuntu operating system does not accept Internet Protocol version 4 (IPv4) source-routed packets by default.\n\nCheck the value of the accept source route variable with the following command:\n\n# sudo sysctl net.ipv4.conf.default.accept_source_route\nnet.ipv4.conf.default.accept_source_route=0\n\nIf the returned line does not have a value of "0", a line is not returned, or the returned line is commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to not forward Internet Protocol version 4 (IPv4) source-routed packets by default with the following command:\n\n# sudo sysctl -w net.ipv4.conf.default.accept_source_route=0\n\nIf "0" is not the system\'s default value then add or update the following line in "/etc/sysctl.conf" or in the appropriate file under "/etc/sysctl.d":\n\nnet.ipv4.conf.default.accept_source_route=0
Rule ID: SV-90557r2_rule
Severity: medium
Rule Title: The Ubuntu operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
Description: Responding to broadcast Internet Control Message Protocol (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.
Check_content: Verify the Ubuntu operating system does not respond to IPv4 Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.\n\nCheck the value of the "icmp_echo_ignore_broadcasts" variable with the following command:\n\n# sudo sysctl net.ipv4.icmp_echo_ignore_broadcasts\nnet.ipv4.icmp_echo_ignore_broadcasts=1\n\nIf the returned line does not have a value of "1", a line is not returned, or the returned line is commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address with the following command:\n\n# sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1\n\nIf "1" is not the system\'s default value then add or update the following line in "/etc/sysctl.conf" or in the appropriate file under "/etc/sysctl.d":\n\nnet.ipv4.icmp_echo_ignore_broadcasts=1
Rule ID: SV-90559r3_rule
Severity: medium
Rule Title: The Ubuntu operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
Description: Internet Control Message Protocol (ICMP) redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
Check_content: Verify the Ubuntu operating system will not accept IPv4 Internet Control Message Protocol (ICMP) redirect messages.\n\nCheck the value of the default "accept_redirects" variables with the following command:\n\n# sudo sysctl net.ipv4.conf.default.accept_redirects\n\nnet.ipv4.conf.default.accept_redirects=0\n\nIf the returned line does not have a value of "0", or a line is not returned, this is a finding.
Fixtext: Configure the Ubuntu operating system to prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted with the following command:\n\n# sudo sysctl -w net.ipv4.conf.default.accept_redirects=0\n\nIf "0" is not the system\'s default value then add or update the following line in "/etc/sysctl.conf" or in the appropriate file under "/etc/sysctl.d":\n\nnet.ipv4.conf.default.accept_redirects=0
Rule ID: SV-90561r2_rule
Severity: medium
Rule Title: The Ubuntu operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.
Description: Internet Control Message Protocol (ICMP) redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
Check_content: Verify the Ubuntu operating system ignores Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.\n\nCheck the value of the "accept_redirects" variables with the following command:\n\n# sudo sysctl net.ipv4.conf.all.accept_redirects\n\nnet.ipv4.conf.all.accept_redirects=0\n\nIf both of the returned lines do not have a value of "0", or a line is not returned, this is a finding.
Fixtext: Configure the Ubuntu operating system to ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages with the following command:\n\n# sudo sysctl -w net.ipv4.conf.all.accept_redirects=0\n\nIf "0" is not the system\'s default value then add or update the following line in "/etc/sysctl.conf" or in the appropriate file under "/etc/sysctl.d":\n\nnet.ipv4.conf.all.accept_redirects=0
Rule ID: SV-90563r2_rule
Severity: medium
Rule Title: The Ubuntu operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.
Description: Internet Control Message Protocol (ICMP) redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.
Check_content: Verify the Ubuntu operating system does not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.\n\nCheck the value of the "default send_redirects" variables with the following command:\n\n# sudo sysctl net.ipv4.conf.default.send_redirects\n\nnet.ipv4.conf.default.send_redirects=0\n\nIf the returned line does not have a value of "0", or a line is not returned, this is a finding.
Fixtext: Configure the Ubuntu operating system to not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default with the following command:\n\n# sudo sysctl -w net.ipv4.conf.default.send_redirects=0\n\nIf "0" is not the system\'s default value then add or update the following line in "/etc/sysctl.conf" or in the appropriate file under "/etc/sysctl.d":\n\nnet.ipv4.conf.default.send_redirects=0
Rule ID: SV-90565r2_rule
Severity: medium
Rule Title: The Ubuntu operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
Description: Internet Control Message Protocol (ICMP) redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.
Check_content: Verify the Ubuntu operating system does not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.\n\nCheck the value of the "all send_redirects" variables with the following command:\n\n# sudo sysctl net.ipv4.conf.all.send_redirects\n\nnet.ipv4.conf.all.send_redirects=0\n\nIf the returned line does not have a value of "0", or a line is not returned, this is a finding.
Fixtext: Configure the Ubuntu operating system to not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects with the following command:\n\n# sudo sysctl -w net.ipv4.conf.all.send_redirects=0\n\nIf "0" is not the system\'s default value then add or update the following line in "/etc/sysctl.conf" or in the appropriate file under "/etc/sysctl.d":\n\nnet.ipv4.conf.all.send_redirects=0
Rule ID: SV-90567r2_rule
Severity: medium
Rule Title: The Ubuntu operating system must not be performing packet forwarding unless the system is a router.
Description: Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
Check_content: Verify the Ubuntu operating system is not performing packet forwarding, unless the system is a router.\n\nCheck to see if IP forwarding is enabled using the following command:\n\n# /sbin/sysctl -a | grep net.ipv4.ip_forward\nnet.ipv4.ip_forward=0\n\nIf the IP forwarding value is "1" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
Fixtext: Configure the Ubuntu operating system to not allow packet forwarding, unless the system is a router with the following command:\n\n# sudo sysctl -w net.ipv4.ip_forward=0\n\nIf "0" is not the system\'s default value then add or update the following line in "/etc/sysctl.conf" or in the appropriate file under "/etc/sysctl.d":\n\nnet.ipv4.ip_forward=0
Rule ID: SV-90569r2_rule
Severity: medium
Rule Title: Network interfaces must not be in promiscuous mode.
Description: Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems.\n\nIf the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information System Security Officer (ISSO) and restricted to only authorized personnel.
Check_content: Verify network interfaces are not in promiscuous mode unless approved by the Information System Security Officer (ISSO) and documented.\n\nCheck for the status with the following command:\n\n# ip link | grep -i promisc\n\nIf network interfaces are found on the system in promiscuous mode and their use has not been approved by the ISSO and documented, this is a finding.
Fixtext: Configure network interfaces to turn off promiscuous mode unless approved by the Information System Security Officer (ISSO) and documented.\n\nSet the promiscuous mode of an interface to "off" with the following command:\n\n# sudo ip link set dev promisc off
Rule ID: SV-90571r2_rule todo
Severity: medium
Rule Title: The Ubuntu operating system must be configured to prevent unrestricted mail relaying.
Description: If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.
Check_content: Determine if "postfix" is installed with the following commands:\n\nNote: If postfix is not installed, this is Not Applicable.\n\n# dpkg -l | grep postfix\nii postfix 3.1.0-3 \n\nVerify the Ubuntu operating system is configured to prevent unrestricted mail relaying.\n\nIf postfix is installed, determine if it is configured to reject connections from unknown or untrusted networks with the following command:\n\n# postconf -n smtpd_client_restrictions\n\nsmtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject\n\nIf the "smtpd_relay_restrictions" parameter contains any entries other than "permit_mynetworks", "permit_sasl_authenticated" and "reject", is missing, or is commented out, this is a finding.
Fixtext: If "postfix" is installed, modify the "/etc/postfix/main.cf" file to restrict client connections to the local network with the following command:\n\n# sudo postconf -e \'smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject\'
Rule ID: SV-90573r2_rule todo
Severity: medium
Rule Title: The Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure.
Description: It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.\n\nAudit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.
Check_content: Verify that the administrators are notified in the event of an audit processing failure. \n\nNote: If postfix is not installed, this is Not Applicable.\n\nCheck that the "/etc/aliases" file has a defined value for "root".\n\n# sudo grep "postmaster: *root$" /etc/aliases\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to notify administrators in the event of an audit processing failure. \n\nAdd/update the following line in "/etc/aliases":\n\npostmaster: root
Rule ID: SV-90575r1_rule
Severity: high
Rule Title: A File Transfer Protocol (FTP) server package must not be installed unless needed.
Description: The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service.
Check_content: Verify a File Transfer Protocol (FTP) server has not been installed on the system.\n\nCheck to see if an FTP server has been installed with the following commands:\n\n# dpkg -l | grep vsftpd\nii vsftpd 3.0.3-3Ubuntu2 \n\nIf "vsftpd" is installed and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
Fixtext: Document the "vsftpd" package with the Information System Security Officer (ISSO) as an operational requirement or remove it from the system with the following command:\n\n# sudo apt-get remove vsftpd
Rule ID: SV-90577r2_rule
Severity: high
Rule Title: The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for operational support.
Description: If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have access control rules established.
Check_content: Verify a Trivial File Transfer Protocol (TFTP) server has not been installed.\n\nCheck to see if a TFTP server has been installed with the following command:\n\n# dpkg -l | grep tftpd-hpa\nii tftpd-hpa 5.2+20150808-1Ubuntu1.16.04.1 \n\nIf TFTP is installed and the requirement for TFTP is not documented with the Information System Security Officer (ISSO), this is a finding.
Fixtext: Remove the Trivial File Transfer Protocol (TFTP) package from the system with the following command:\n\n# sudo apt-get remove tftpd-hpa
Rule ID: SV-90579r1_rule todo?
Severity: medium
Rule Title: If the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon must be configured to operate in secure mode.
Description: Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files.
Check_content: Verify the Trivial File Transfer Protocol (TFTP) daemon is configured to operate in secure mode.\n\nCheck to see if a TFTP server has been installed with the following commands:\n\n# dpkg -l | grep tftpd-hpa\nii tftpd-hpa 5.2+20150808-1Ubuntu1.16.04.1 \nIf a TFTP server is not installed, this is Not Applicable.\n\nIf a TFTP server is installed, check for the server arguments with the following command: \n\n# grep TFTP_OPTIONS /etc/default/tftpd-hpa\nTFTP_OPTIONS="--secure"\n\nIf "--secure" is not listed in the TFTP_OPTIONS, this is a finding.
Fixtext: Configure the Trivial File Transfer Protocol (TFTP) daemon to operate in the secure mode by adding the "--secure" option to TFTP_OPTIONS in /etc/default/tftpd-hpa and restart the tftpd daemon.
Rule ID: SV-90581r1_rule
Severity: medium
Rule Title: An X Windows display manager must not be installed unless approved.
Description: Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. X Windows has a long history of security vulnerabilities and will not be used unless approved and documented.
Check_content: Verify that if X Windows is installed it is authorized.\n\nCheck for the X11 package with the following command:\n\n# dpkg -l | grep lightdm\n\nAsk the System Administrator if use of the X Windows system is an operational requirement.\n\nIf the use of X Windows on the system is not documented with the Information System Security Officer (ISSO), this is a finding.
Fixtext: Document the requirement for an X Windows server with the Information System Security Officer (ISSO) or remove the related packages with the following commands:\n\n# sudo apt-get purge lightdm
Rule ID: SV-90583r1_rule todo?
Severity: medium
Rule Title: The Ubuntu operating system must have the packages required for multifactor authentication to be installed.
Description: Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.\n\nMultifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.\n\nA privileged account is defined as an information system account with authorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nThis requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).\n\nRequires further clarification from NIST.\n\n
Check_content: Verify the Ubuntu operating system has the packages required for multifactor authentication installed.\n\nCheck for the presence of the packages required to support multifactor authentication with the following commands:\n\n# dpkg -l | grep libpam-pkcs11\n\nii libpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the "libpam-pkcs11" package is not installed, this is a finding.
Fixtext: Configure the Ubuntu operating system to implement multifactor authentication by installing the required packages.\nInstall the "libpam-pkcs11" package on the system with the following command:\n\n# sudo apt install libpam-pkcs11
Rule ID: SV-90585r1_rule
Severity: medium
Rule Title: The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials.
Description: The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access.\n\nDoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a primary component of layered protection for national security systems.
Check_content: Verify the Ubuntu operating system accepts Personal Identity Verification (PIV) credentials.\n\nCheck that the "opensc-pkcs11" package is installed on the system with the following command:\n\n# dpkg -l | grep opensc-pkcs11\n\nii opensc-pkcs11:amd64 0.15.0-1Ubuntu1 amd64 Smart card utilities with support for PKCS#15 compatible cards\n\nIf the "opensc-pkcs11" package is not installed, this is a finding.
Fixtext: Configure the Ubuntu operating system to accept Personal Identity Verification (PIV) credentials.\n\nInstall the "opensc-pkcs11" package using the following command:\n\n# sudo apt-get install opensc-pkcs11
Rule ID: SV-90587r2_rule todo?
Severity: medium
Rule Title: The Ubuntu operating system must implement certificate status checking for multifactor authentication.
Description: Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.\n\nMultifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.\n\nA privileged account is defined as an information system account with authorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nThis requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).\n\nRequires further clarification from NIST.\n\n
Check_content: Verify the Ubuntu operating system implements certificate status checking for multifactor authentication.\n\nCheck that certificate status checking for multifactor authentication is implemented with the following command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep ocsp_on \n\ncert_policy = ca,signature,ocsp_on;\n\nIf "cert_policy" is not set to "ocsp_on", has a value of "none", or the line is commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to implement certificate status checking for multifactor authentication.\n\nModify all of the cert_policy lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ocsp_on".
Rule ID: SV-90589r2_rule todo?
Severity: medium
Rule Title: The Ubuntu operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
Description: Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted.\n\nA trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement.\n\n
Check_content: Verify the Ubuntu operating system, for PKI-based authentication, validates certificates by constructing a certification path (which includes status information) to an accepted trust anchor.\n\nCheck which pkcs11 module is being used via the "use_pkcs11_module" in "/etc/pam_pkcs11/pam_pkcs11.conf" and then ensure "ca" is enabled in "cert_policy" with the following command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf\n\ncert_policy = ca,signature,ocsp_on;\n\nIf "cert_policy" is not set to "ca", has a value of "none", or the line is commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system, for PKI-based authentication, to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.\n\nDetermine which pkcs11 module is being used via the "use_pkcs11_module" in "/etc/pam_pkcs11/pam_pkcs11.conf" and ensure "ca" is enabled in "cert_policy".\n\nAdd or update the "cert_policy" to ensure "ca" is enabled:\n\ncert_policy = ca,signature,ocsp_on;
Rule ID: SV-90591r1_rule todo?
Severity: medium
Rule Title: The Ubuntu operating system must implement smart card logins for multifactor authentication for access to accounts.
Description: Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.\n\nMultifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.\n\nRemote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nThis requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).\n\nRequires further clarification from NIST.\n\n
Check_content: Verify the Ubuntu operating system uses multifactor authentication for local access to accounts.\n\nCheck that the "pam_pkcs11.so" option is configured in the "/etc/pam.d/common-auth" file with the following command:\n\n# grep pam_pkcs11.so /etc/pam.d/common-auth\nauth [success=2 default=ignore] pam_pkcs11.so\n\nIf "pam_pkcs11.so" is not set in "/etc/pam.d/common-auth", this is a finding.
Fixtext: Configure the Ubuntu operating system to use multifactor authentication for local access to accounts.\n\nAdd or update "pam_pkcs11.so" in "/etc/pam.d/common-auth" to match the following line:\n\nauth [success=2 default=ignore] pam_pkcs11.so
Rule ID: SV-92701r1_rule
Severity: high
Rule Title: The system must use a DoD-approved virus scan program.
Description: Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems. \n\nThe virus scanning software should be configured to perform scans dynamically on accessed files. If this capability is not available, the system must be configured to scan, at a minimum, all altered files on the system on a daily basis.\n\nIf the system processes inbound SMTP mail, the virus scanner must be configured to scan all received mail.
Check_content: Verify the system is using a DoD-approved virus scan program.\n\n\nCheck for the presence of "McAfee VirusScan Enterprise for Linux" with the following command:\n\n\n# systemctl status nails\n\nnails - service for McAfee VirusScan Enterprise for Linux \n\n> Loaded: loaded /opt/NAI/package/McAfeeVSEForLinux/McAfeeVSEForLinux-2.0.2.; enabled)\n\n> Active: active (running) since Mon 2015-09-27 04:11:22 UTC;21 min ago\n\n\nIf the "nails" service is not active, check for the presence of "clamav" on the system with the following command:\n\n\n# systemctl status clamav-daemon.socket\n\nsystemctl status clamav-daemon.socket\n\nclamav-daemon.socket - Socket for Clam AntiVirus userspace daemon\n\nLoaded: loaded (/lib/systemd/system/clamav-daemon.socket; enabled)\n\nActive: active (running) since Mon 2015-01-12 09:32:59 UTC; 7min ago\n\n\nIf neither of these applications are loaded and active, ask the System Administrator if there is an antivirus package installed and active on the system.\n\n\nIf no antivirus scan program is active on the system, this is a finding.
Fixtext: Install an approved DoD antivirus solution on the system.
Rule ID: SV-92703r1_rule
Severity: medium
Rule Title: The system must update the DoD-approved virus scan program every seven days or more frequently.
Description: Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems. \n\nThe virus scanning software should be configured to check for software and virus definition updates with a frequency no longer than seven days. If a manual process is required to update the virus scan software or definitions, it must be documented with the Information System Security Officer (ISSO).
Check_content: Verify the system is using a DoD-approved virus scan program and the virus definition file is less than seven days old.\n\nCheck for the presence of "McAfee VirusScan Enterprise for Linux" with the following command:\n\n# systemctl status nails\n\nnails - service for McAfee VirusScan Enterprise for Linux \n\n> Loaded: loaded /opt/NAI/package/McAfeeVSEForLinux/McAfeeVSEForLinux-2.0.2.; enabled)\n\n> Active: active (running) since Mon 2015-09-27 04:11:22 UTC;21 min ago\n\nIf the "nails" service is not active, check for the presence of "clamav" on the system with the following command:\n\n# systemctl status clamav-daemon.socket\n\nsystemctl status clamav-daemon.socket\n\nclamav-daemon.socket - Socket for Clam AntiVirus userspace daemon\n\nLoaded: loaded (/lib/systemd/system/clamav-daemon.socket; enabled)\n\nActive: active (running) since Mon 2015-01-12 09:32:59 UTC; 7min ago\n\nIf "McAfee VirusScan Enterprise for Linux" is active on the system, check the dates of the virus definition files with the following command:\n\n# ls -al /opt/NAI/LinuxShield/engine/dat/*.dat\n\n-rwxr-xr-x 1 root root 243217 Mar 5 2017 avvclean.dat\n-rwxr-xr-x 1 root root 16995 Mar 5 2017 avvnames.dat\n-rwxr-xr-x 1 root root 4713245 Mar 5 2017 avvscan.dat\n\nIf the virus definition files have dates older than seven days from the current date, this is a finding.\n\nIf "clamav" is active on the system, check the dates of the virus database with the following commands:\n\n# grep -I databasedirectory /etc/clamav.conf\n\nDatabaseDirectory /var/lib/clamav\n\n# ls -al /var/lib/clamav/*.cvd\n\n-rwxr-xr-x 1 root root 149156 Mar 5 2011 daily.cvd\n\nIf the database file has a date older than seven days from the current date, this is a finding.\n
Fixtext: Update the approved DoD virus scan software and virus definition files.
Rule ID: SV-95669r1_rule
Severity: high
Rule Title: The x86 Ctrl-Alt-Delete key sequence in the Ubuntu operating system must be disabled if GNOME is installed.
Description: A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.
Check_content: Verify the Ubuntu operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed when using GNOME.\n\nCheck that the "logout" target is not bound to an action with the following command:\n\n# grep logout /etc/dconf/db/local.d/*\n\nlogout=\'\'\n\nIf the "logout" key is bound to an action, is commented out, or is missing, this is a finding.
Fixtext: Configure the system to disable the Ctrl-Alt-Delete sequence when using GNOME by creating or editing the /etc/dconf/db/local.d/00-disable-CAD file.\n\nAdd the setting to disable the Ctrl-Alt-Delete sequence for GNOME:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=\'\'\n\nThen update the dconf settings:\n\n# dconf update
Rule ID: SV-95671r1_rule
Severity: medium
Rule Title: The auditd service must be running in the Ubuntu operating system.
Description: Configuring the Ubuntu operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.
Check_content: Verify the audit service is active.\n\nCheck that the audit service is active with the following command:\n\n# service auditd status\nActive: active (running)\n\nIf the service is not active, this is a finding.
Fixtext: Start the auditd service, and enable the auditd service with the following commands:\n\nStart the audit service.\n# systemctl start auditd.service\n\nEnable auditd in the targets of the system.\n# systemctl enable auditd.service
Rule ID: SV-95673r1_rule
Severity: medium
Rule Title: The Ubuntu operating system must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.
Description: If security personnel are not notified immediately when storage volume reaches 75% utilization, they are unable to plan for audit record storage capacity expansion.
Check_content: Verify the Ubuntu operating system notifies the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.\n\nCheck the system configuration to determine the partition the audit records are being written to with the following command:\n\n# sudo grep log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records are written to (with the example being "/var/log/audit/"):\n\n# df -h /var/log/audit/\n1.0G /var/log/audit\n\nIf the audit records are not being written to a partition specifically created for audit records (in this example "/var/log/audit" is a separate partition), determine the amount of space other files in the partition are currently occupying with the following command:\n\n# du -sh \n1.0G /var\n\nDetermine what the threshold is for the system to take action when 75% of the repository maximum audit record storage capacity is reached:\n\n# grep -i space_left /etc/audit/auditd.conf\nspace_left = 250\n\nIf the value of the "space_left" keyword is not set to 25% of the total partition size, this is a finding.
Fixtext: Configure the operating system to immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.\n\nCheck the system configuration to determine the partition the audit records are being written to: \n\n# grep log_file /etc/audit/auditd.conf\n\nDetermine the size of the partition that audit records are written to (with the example being "/var/log/audit/"):\n\n# df -h /var/log/audit/\n\nSet the value of the "space_left" keyword in "/etc/audit/auditd.conf" to 25% of the partition size.
Rule ID: SV-95675r1_rule
Severity: medium
Rule Title: The audit log files in the Ubuntu operating system must have mode 0640 or less permissive.
Description: Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the Ubuntu operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Check_content: Verify that the audit log files have a mode of "0640" or less permissive.\n\nCheck where the audit logs are stored on the system using the following command:\n\n# sudo grep log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the audit log path from the command above, replace "[log_path]" in the following command:\n\n# sudo ls -lad [log_path] | cut -d\' \' -f1\nls -lad /var/log/audit/audit.log | cut -d\' \' -f1\n-rw-r-----\n\nIf the audit log file does not have a mode of "0640" or less permissive, this is a finding.
Fixtext: Configure the octal permission value of the audit log to "0640" or less permissive. \n\nUse the following command to find where the audit log files are stored on the system:\n\n# sudo grep log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the audit log path from the command above, replace "[log_path]" in the following command:\n\n# sudo chmod 0640 [log_path]
Rule ID: SV-95677r1_rule
Severity: medium
Rule Title: The audit records must be off-loaded onto a different system or storage media from the system being audited.
Description: Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.
Check_content: Verify the audit system off-loads audit records to a different system or storage media from the system being audited.\n\nCheck that the records are being off-loaded to a remote server with the following command:\n\n# sudo grep -i remote_server /etc/audisp/audisp-remote.conf\n\nremote_server = 10.0.1.2\n\nIf "remote_server" is not configured, or the line is commented out, this is a finding.
Fixtext: Configure the audit system to off-load audit records to a different system or storage media from the system being audited.\n\nSet the "remote_server" option in "/etc/audisp/audisp-remote.conf" with the IP address of the log server. See the example below.\n\nremote_server = 10.0.1.2\n\nIn order for the changes to take effect, the audit daemon must be restarted. The audit daemon can be restarted with the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-95681r2_rule
Severity: medium
Rule Title: Successful/unsuccessful uses of the chcon command must generate an audit record.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "chcon" command occur.\n\nCheck that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":\n\n# sudo grep -w chcon /etc/audit/audit.rules\n\n:\n-a always,exit -F arch=b64 path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chcon" command. \n\nAdd or update the following rules in the "/etc/audit/audit.rules" file:\n\n-a always,exit -F arch=b32 path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit -F arch=b64 path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
Rule ID: SV-101015r1_rule
Severity: medium
Rule Title: The audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software.
Description: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.\n\n
Check_content: Verify the Ubuntu operating system audits the execution of privilege functions.\n\nCheck if the Ubuntu operating system is configured to audit the execution of the "execve" system call, by running the following command:\n\n# sudo grep execve /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F key=execpriv \n-a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv\n \n-a always,exit -F arch=b32 -S execve -C gid!=egid -F key=execpriv \n-a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv\n\nIf the command does not return all lines, or the lines are commented out, this is a finding.
Fixtext: Configure the Ubuntu operating system to audit the execution of the "execve" system call.\n\nAdd or update the following file system rules to "/etc/audit/audit.rules":\n\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F key=execpriv \n-a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv\n \n-a always,exit -F arch=b32 -S execve -C gid!=egid -F key=execpriv \n-a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv \n\nThe audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:\n\n# sudo systemctl restart auditd.service
================================================
FILE: docs/STIG-Benchmark/stig-rhel-7-v1r4.txt
================================================
Rule ID: SV-86473r2_rule
Severity: high
Rule Title: The file permissions, ownership, and group membership of system files and commands must match the vendor values.
Description: Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default.\n\n
Check_content: Verify the file permissions, ownership, and group membership of system files and commands match the vendor values.\n\nCheck the file permissions, ownership, and group membership of system files and commands with the following command:\n\n# rpm -Va | grep '^.M'\n\nIf there is any output from the command indicating that the ownership or group of a system file or command, or a system file, has permissions less restrictive than the default, this is a finding.
Fixtext: Run the following command to determine which package owns the file:\n\n# rpm -qf [file]\n\nReset the permissions of files within a package with the following command:\n\n# rpm --setperms [package]\n\nReset the user and group ownership of files within a package with the following command:\n\n# rpm --setugids [package]
Rule ID: SV-86479r2_rule
Severity: high
Rule Title: The cryptographic hash of system files and commands must match vendor values.
Description: Without cryptographic integrity protections, system command and files can be altered by unauthorized users without detection.\n\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.
Check_content: Verify the cryptographic hash of system files and commands match the vendor values.\n\nCheck the cryptographic hash of system files and commands with the following command:\n\nNote: System configuration files (indicated by a "c" in the second column) are expected to change over time. Unusual modifications should be investigated through the system audit log.\n\n# rpm -Va | grep \'^..5\'\n\nIf there is any output from the command for system binaries, this is a finding.
Fixtext: Run the following command to determine which package owns the file:\n\n# rpm -qf [file]\n\nThe package can be reinstalled from a yum repository using the command:\n\n# sudo yum reinstall [package]\n\nAlternatively, the package can be reinstalled from trusted media using the command:\n\n# sudo rpm -Uvh [package_file]
Rule ID: SV-86483r3_rule
Severity: medium
Rule Title: The operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
Description: Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\n\n"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."\n\n\n
Check_content: Verify the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable. \n\nCheck to see if the operating system displays a banner at the logon screen with the following command:\n\n# grep banner-message-enable /etc/dconf/db/local.d/*\nbanner-message-enable=true\n\nIf "banner-message-enable" is set to "false" or is missing, this is a finding.
Fixtext: Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nCreate a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command:\n\n# touch /etc/dconf/db/local.d/01-banner-message\n\nAdd the following line to the [org/gnome/login-screen] section of the "/etc/dconf/db/local.d/01-banner-message":\n\n[org/gnome/login-screen]\nbanner-message-enable=true\n\nUpdate the system databases:\n\n# dconf update\n\nUsers must log out and back in again before the system-wide settings take effect.
Rule ID: SV-86485r3_rule
Severity: medium
Rule Title: The operating system must display the approved Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
Description: Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\n\n"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."\n\n
Check_content: Verify the operating system displays the approved Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable. \n\nCheck that the operating system displays the exact approved Standard Mandatory DoD Notice and Consent Banner text with the command:\n\n# grep banner-message-text /etc/dconf/db/local.d/*\nbanner-message-text=\n\'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n-At any time, the USG may inspect and seize data stored on this IS.\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. \'\n\nNote: The "\\n " characters are for formatting only. 
They will not be displayed on the GUI.\n\nIf the banner does not match the approved Standard Mandatory DoD Notice and Consent Banner, this is a finding.
Fixtext: Configure the operating system to display the approved Standard Mandatory DoD Notice and Consent Banner before granting access to the system.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nCreate a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command:\n\n# touch /etc/dconf/db/local.d/01-banner-message\n\nAdd the following line to the [org/gnome/login-screen] section of the "/etc/dconf/db/local.d/01-banner-message":\n\n[org/gnome/login-screen]\n\nbanner-message-enable=true\n\nbanner-message-text=\'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n-At any time, the USG may inspect and seize data stored on this IS.\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. \'\n\nNote: The "\\n " characters are for formatting only. 
They will not be displayed on the GUI.\n\nRun the following command to update the database:\n# dconf update
Rule ID: SV-86487r2_rule
Severity: medium
Rule Title: The operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.
Description: Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\n\n"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."\n\n
Check_content: Verify the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a command line user logon.\n\nCheck to see if the operating system displays a banner at the command line logon screen with the following command:\n\n# more /etc/issue\n\nThe command should return the following text:\n"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."\n\nIf the operating system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.\n\nIf the text in the "/etc/issue" file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.
Fixtext: Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the command line by editing the "/etc/issue" file.\n\nReplace the default text with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\n"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
Rule ID: SV-86515r4_rule
Severity: medium
Rule Title: The operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures.
Description: A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined.\n\nRegardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system.\n\n
Check_content: Verify the operating system enables a user's session lock until that user re-establishes access using established identification and authentication procedures. The screen program must be installed to lock sessions on the console.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nCheck to see if the screen lock is enabled with the following command:\n\n# grep -i lock-enabled /etc/dconf/db/local.d/00-screensaver\nlock-enabled=true\n\nIf the "lock-enabled" setting is missing or is not set to "true", this is a finding.
Fixtext: Configure the operating system to enable a user's session lock until that user re-establishes access using established identification and authentication procedures.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command:\n\n# touch /etc/dconf/db/local.d/00-screensaver\n\nEdit "org/gnome/desktop/screensaver" and add or update the following lines:\n\n# Set this to true to lock the screen when the screensaver activates\nlock-enabled=true\n\nUpdate the system databases:\n\n# dconf update\n\nUsers must log out and back in again before the system-wide settings take effect.
Rule ID: SV-86517r4_rule
Severity: medium
Rule Title: The operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.
Description: A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled.
Check_content: Verify the operating system initiates a screensaver after a 15-minute period of inactivity for graphical user interfaces. The screen program must be installed to lock sessions on the console.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nCheck to see if GNOME is configured to display a screensaver after a 15 minute delay with the following command:\n\n# grep -i idle-delay /etc/dconf/db/local.d/*\nidle-delay=uint32 900\n\nIf the "idle-delay" setting is missing or is not set to "900" or less, this is a finding.
Fixtext: Configure the operating system to initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command:\n\n# touch /etc/dconf/db/local.d/00-screensaver\n\nEdit /etc/dconf/db/local.d/00-screensaver and add or update the following lines:\n\n[org/gnome/desktop/session]\n# Set the lock time out to 900 seconds before the session is considered idle\nidle-delay=uint32 900\n\nYou must include the "uint32" along with the integer key values as shown.\n\nUpdate the system databases:\n\n# dconf update\n\nUsers must log out and back in again before the system-wide settings take effect.
Rule ID: SV-86521r1_rule
Severity: medium
Rule Title: The operating system must have the screen package installed.
Description: A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe screen package allows for a session lock to be implemented and configured.
Check_content: Verify the operating system has the screen package installed.\n\nCheck to see if the screen package is installed with the following command:\n\n# yum list installed | grep screen\nscreen-4.3.1-3-x86_64.rpm\n\nIf it is not installed, this is a finding.
Fixtext: Install the screen package to allow the initiation of a session lock after a 15-minute period of inactivity for graphical user interfaces.\n\nInstall the screen program (if it is not on the system) with the following command:\n\n# yum install screen\n\nThe console can now be locked with the following key combination: \n\nctrl+A x
Rule ID: SV-86523r3_rule
Severity: medium
Rule Title: The operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces.
Description: A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled.
Check_content: Verify the operating system initiates a session lock after a 15-minute period of inactivity for graphical user interfaces. The screen program must be installed to lock sessions on the console.\n\nIf it is installed, GNOME must be configured to enforce a session lock after a 15-minute delay. Check for the session lock settings with the following commands:\n\n# grep -i idle-activation-enabled /etc/dconf/db/local.d/*\n\nidle-activation-enabled=true\n\nIf "idle-activation-enabled" is not set to "true", this is a finding.
Fixtext: Configure the operating system to initiate a session lock after a 15-minute period of inactivity for graphical user interfaces.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \n\n# touch /etc/dconf/db/local.d/00-screensaver\n\nAdd the setting to enable screensaver locking after 15 minutes of inactivity:\n\n[org/gnome/desktop/screensaver]\n\nidle-activation-enabled=true\n\nUpdate the system databases:\n\n# dconf update\n\nUsers must log out and back in again before the system-wide settings take effect.
Rule ID: SV-86525r2_rule
Severity: medium
Rule Title: The operating system must initiate a session lock for graphical user interfaces when the screensaver is activated.
Description: A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled.
Check_content: Verify the operating system initiates a session lock for graphical user interfaces when the screensaver is activated. \n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console.\n\nIf GNOME is installed, check to see a session lock occurs when the screensaver is activated with the following command:\n\n# grep -i lock-delay /etc/dconf/db/local.d/*\nlock-delay=uint32 5\n\nIf the "lock-delay" setting is missing, or is not set to "5" or less, this is a finding.
Fixtext: Configure the operating system to initiate a session lock for graphical user interfaces when a screensaver is activated.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \n\n# touch /etc/dconf/db/local.d/00-screensaver\n\nAdd the setting to enable session locking when a screensaver is activated:\n\n[org/gnome/desktop/screensaver]\nlock-delay=uint32 5\n\nThe "uint32" must be included along with the integer key values as shown.\n\nUpdate the system databases:\n\n# dconf update\n\nUsers must log out and back in again before the system-wide settings take effect.
Rule ID: SV-86527r2_rule
Severity: medium
Rule Title: When passwords are changed or new passwords are established, the new password must contain at least one upper-case character.
Description: Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Check_content: Note: The value to require a number of upper-case characters to be set is expressed as a negative number in "/etc/security/pwquality.conf".\n\nCheck the value for "ucredit" in "/etc/security/pwquality.conf" with the following command:\n\n# grep ucredit /etc/security/pwquality.conf \nucredit = -1\n\nIf the value of "ucredit" is not set to a negative value, this is a finding.
Fixtext: Configure the operating system to enforce password complexity by requiring that at least one upper-case character be used by setting the "ucredit" option.\n\nAdd the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value):\n\nucredit = -1
Rule ID: SV-86529r4_rule
Severity: medium
Rule Title: When passwords are changed or new passwords are established, the new password must contain at least one lower-case character.
Description: Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Check_content: Note: The value to require a number of lower-case characters to be set is expressed as a negative number in "/etc/security/pwquality.conf".\n\nCheck the value for "lcredit" in "/etc/security/pwquality.conf" with the following command:\n\n# grep lcredit /etc/security/pwquality.conf \nlcredit = -1 \n\nIf the value of "lcredit" is not set to a negative value, this is a finding.
Fixtext: Configure the system to require at least one lower-case character when creating or changing a password.\n\nAdd or modify the following line \nin "/etc/security/pwquality.conf":\n\nlcredit = -1
Rule ID: SV-86531r2_rule
Severity: medium
Rule Title: When passwords are changed or new passwords are assigned, the new password must contain at least one numeric character.
Description: Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Check_content: Note: The value to require a number of numeric characters to be set is expressed as a negative number in "/etc/security/pwquality.conf".\n\nCheck the value for "dcredit" in "/etc/security/pwquality.conf" with the following command:\n\n# grep dcredit /etc/security/pwquality.conf \ndcredit = -1 \n\nIf the value of "dcredit" is not set to a negative value, this is a finding.
Fixtext: Configure the operating system to enforce password complexity by requiring that at least one numeric character be used by setting the "dcredit" option.\n\nAdd the following line to /etc/security/pwquality.conf (or modify the line to have the required value):\n\ndcredit = -1
Rule ID: SV-86533r1_rule
Severity: medium
Rule Title: When passwords are changed or new passwords are assigned, the new password must contain at least one special character.
Description: Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Check_content: Verify the operating system enforces password complexity by requiring that at least one special character be used.\n\nNote: The value to require a number of special characters to be set is expressed as a negative number in "/etc/security/pwquality.conf".\n\nCheck the value for "ocredit" in "/etc/security/pwquality.conf" with the following command:\n\n# grep ocredit /etc/security/pwquality.conf \nocredit=-1\n\nIf the value of "ocredit" is not set to a negative value, this is a finding.
Fixtext: Configure the operating system to enforce password complexity by requiring that at least one special character be used by setting the "ocredit" option.\n\nAdd the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value):\n\nocredit = -1
Rule ID: SV-86535r1_rule
Severity: medium
Rule Title: When passwords are changed a minimum of eight of the total number of characters must be changed.
Description: Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Check_content: The "difok" option sets the number of characters in a password that must not be present in the old password.\n\nCheck for the value of the "difok" option in "/etc/security/pwquality.conf" with the following command:\n\n# grep difok /etc/security/pwquality.conf \ndifok = 8\n\nIf the value of "difok" is set to less than "8", this is a finding.
Fixtext: Configure the operating system to require the change of at least eight of the total number of characters when passwords are changed by setting the "difok" option.\n\nAdd the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value):\n\ndifok = 8
Rule ID: SV-86537r1_rule
Severity: medium
Rule Title: When passwords are changed a minimum of four character classes must be changed.
Description: Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Check_content: The "minclass" option sets the minimum number of required classes of characters for the new password (digits, upper-case, lower-case, others).\n\nCheck for the value of the "minclass" option in "/etc/security/pwquality.conf" with the following command:\n\n# grep minclass /etc/security/pwquality.conf \nminclass = 4\n\nIf the value of "minclass" is set to less than "4", this is a finding.
Fixtext: Configure the operating system to require the change of at least four character classes when passwords are changed by setting the "minclass" option.\n\nAdd the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value):\n\nminclass = 4
Rule ID: SV-86539r2_rule
Severity: medium
Rule Title: When passwords are changed the number of repeating consecutive characters must not be more than three characters.
Description: Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Check_content: The "maxrepeat" option sets the maximum number of allowed same consecutive characters in a new password.\n\nCheck for the value of the "maxrepeat" option in "/etc/security/pwquality.conf" with the following command:\n\n# grep maxrepeat /etc/security/pwquality.conf \nmaxrepeat = 3\n\nIf the value of "maxrepeat" is set to more than "3", this is a finding.
Fixtext: Configure the operating system to require the change of the number of repeating consecutive characters when passwords are changed by setting the "maxrepeat" option.\n\nAdd the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value):\n\nmaxrepeat = 3
Rule ID: SV-86541r1_rule
Severity: medium
Rule Title: When passwords are changed the number of repeating characters of the same character class must not be more than four characters.
Description: Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Check_content: The "maxclassrepeat" option sets the maximum number of allowed same consecutive characters in the same class in the new password.\n\nCheck for the value of the "maxclassrepeat" option in "/etc/security/pwquality.conf" with the following command:\n\n# grep maxclassrepeat /etc/security/pwquality.conf \nmaxclassrepeat = 4\n\nIf the value of "maxclassrepeat" is set to more than "4", this is a finding.
Fixtext: Configure the operating system to require the change of the number of repeating characters of the same character class when passwords are changed by setting the "maxclassrepeat" option.\n\nAdd the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value):\n\nmaxclassrepeat = 4
Rule ID: SV-86543r2_rule
Severity: medium
Rule Title: The PAM system service must be configured to store only encrypted representations of passwords.
Description: Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.
Check_content: Verify the PAM system service is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512.\n\nCheck that the system is configured to create SHA512 hashed passwords with the following command:\n\n# grep password /etc/pam.d/system-auth-ac\npassword sufficient pam_unix.so sha512\n\nIf the "/etc/pam.d/system-auth-ac" configuration files allow for password hashes other than SHA512 to be used, this is a finding.
Fixtext: Configure the operating system to store only SHA512 encrypted representations of passwords.\n\nAdd the following line in "/etc/pam.d/system-auth-ac":\n\npassword sufficient pam_unix.so sha512
Rule ID: SV-86545r1_rule
Severity: medium
Rule Title: The shadow file must be configured to store only encrypted representations of passwords.
Description: Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.
Check_content: Verify the system's shadow file is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512.\n\nCheck that the system is configured to create SHA512 hashed passwords with the following command:\n\n# grep -i encrypt /etc/login.defs\nENCRYPT_METHOD SHA512\n\nIf the "/etc/login.defs" configuration file does not exist or allows for password hashes other than SHA512 to be used, this is a finding.
Fixtext: Configure the operating system to store only SHA512 encrypted representations of passwords.\n\nAdd or update the following line in "/etc/login.defs":\n\nENCRYPT_METHOD SHA512
Rule ID: SV-86547r2_rule
Severity: medium
Rule Title: User and group account administration utilities must be configured to store only encrypted representations of passwords.
Description: Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.
Check_content: Verify the user and group account administration utilities are configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is "SHA512".\n\nCheck that the system is configured to create "SHA512" hashed passwords with the following command:\n\n# cat /etc/libuser.conf | grep -i sha512\n\ncrypt_style = sha512\n\nIf the "crypt_style" variable is not set to "sha512", is not in the defaults section, or does not exist, this is a finding.
Fixtext: Configure the operating system to store only SHA512 encrypted representations of passwords.\n\nAdd or update the following line in "/etc/libuser.conf" in the [defaults] section: \n\ncrypt_style = sha512
Rule ID: SV-86549r1_rule
Severity: medium
Rule Title: Passwords for new users must be restricted to a 24 hours/1 day minimum lifetime.
Description: Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.
Check_content: Verify the operating system enforces 24 hours/1 day as the minimum password lifetime for new user accounts.\n\nCheck for the value of "PASS_MIN_DAYS" in "/etc/login.defs" with the following command: \n\n# grep -i pass_min_days /etc/login.defs\nPASS_MIN_DAYS 1\n\nIf the "PASS_MIN_DAYS" parameter value is not "1" or greater, or is commented out, this is a finding.
Fixtext: Configure the operating system to enforce 24 hours/1 day as the minimum password lifetime.\n\nAdd the following line in "/etc/login.defs" (or modify the line to have the required value):\n\nPASS_MIN_DAYS 1
Rule ID: SV-86551r1_rule
Severity: medium
Rule Title: Passwords must be restricted to a 24 hours/1 day minimum lifetime.
Description: Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.
Check_content: Check whether the minimum time period between password changes for each user account is one day or greater.\n\n# awk -F: '$4 < 1 {print $1}' /etc/shadow\n\nIf any results are returned that are not associated with a system account, this is a finding.
Fixtext: Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime:\n\n# chage -m 1 [user]
Rule ID: SV-86553r1_rule
Severity: medium
Rule Title: Passwords for new users must be restricted to a 60-day maximum lifetime.
Description: Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.
Check_content: Verify the operating system enforces a 60-day maximum password lifetime restriction for new user accounts.\n\nCheck for the value of "PASS_MAX_DAYS" in "/etc/login.defs" with the following command:\n\n# grep -i pass_max_days /etc/login.defs\nPASS_MAX_DAYS 60\n\nIf the "PASS_MAX_DAYS" parameter value is not 60 or less, or is commented out, this is a finding.
Fixtext: Configure the operating system to enforce a 60-day maximum password lifetime restriction.\n\nAdd the following line in "/etc/login.defs" (or modify the line to have the required value):\n\nPASS_MAX_DAYS 60
Rule ID: SV-86555r1_rule
Severity: medium
Rule Title: Existing passwords must be restricted to a 60-day maximum lifetime.
Description: Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.
Check_content: Check whether the maximum time period for existing passwords is restricted to 60 days.\n\n# awk -F: '$5 > 60 {print $1}' /etc/shadow\n\nIf any results are returned that are not associated with a system account, this is a finding.
Fixtext: Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction.\n\n# chage -M 60 [user]
Rule ID: SV-86557r2_rule
Severity: medium
Rule Title: Passwords must be prohibited from reuse for a minimum of five generations.
Description: Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.
Check_content: Verify the operating system prohibits password reuse for a minimum of five generations.\n\nCheck for the value of the "remember" argument in "/etc/pam.d/system-auth-ac" with the following command:\n\n# grep -i remember /etc/pam.d/system-auth-ac\npassword sufficient pam_unix.so use_authtok sha512 shadow remember=5\n\nIf the line containing the "pam_unix.so" line does not have the "remember" module argument set, or the value of the "remember" module argument is set to less than "5", this is a finding.
Fixtext: Configure the operating system to prohibit password reuse for a minimum of five generations.\n\nAdd the following line in "/etc/pam.d/system-auth-ac" (or modify the line to have the required value):\n\npassword sufficient pam_unix.so use_authtok sha512 shadow remember=5
Rule ID: SV-86559r1_rule
Severity: medium
Rule Title: Passwords must be a minimum of 15 characters in length.
Description: The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\n\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
Check_content: Verify the operating system enforces a minimum 15-character password length. The "minlen" option sets the minimum number of characters in a new password.\n\nCheck for the value of the "minlen" option in "/etc/security/pwquality.conf" with the following command:\n\n# grep minlen /etc/security/pwquality.conf\nminlen = 15\n\nIf the command does not return a "minlen" value of 15 or greater, this is a finding.
Fixtext: Configure operating system to enforce a minimum 15-character password length.\n\nAdd the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value):\n\nminlen = 15
Rule ID: SV-86561r2_rule
Severity: high
Rule Title: The system must not have accounts configured with blank or null passwords.
Description: If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
Check_content: To verify that null passwords cannot be used, run the following command: \n\n# grep nullok /etc/pam.d/system-auth-ac\n\nIf this produces any output, it may be possible to log on with accounts with empty passwords.\n\nIf null passwords can be used, this is a finding.
Fixtext: If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating.\n\nRemove any instances of the "nullok" option in "/etc/pam.d/system-auth-ac" to prevent logons with empty passwords.\n\nNote: Any updates made to "/etc/pam.d/system-auth-ac" may be overwritten by the "authconfig" program. The "authconfig" program should not be used.
Rule ID: SV-86563r2_rule
Severity: high
Rule Title: The SSH daemon must not allow authentication using an empty password.
Description: Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.
Check_content: To determine how the SSH daemon's "PermitEmptyPasswords" option is set, run the following command:\n\n# grep -i PermitEmptyPasswords /etc/ssh/sshd_config\nPermitEmptyPasswords no\n\nIf no line, a commented line, or a line indicating the value "no" is returned, the required value is set.\n\nIf the required value is not set, this is a finding.
Fixtext: To explicitly disallow remote logon from accounts with empty passwords, add or correct the following line in "/etc/ssh/sshd_config":\n\nPermitEmptyPasswords no\n\nThe SSH service must be restarted for changes to take effect. Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.
Rule ID: SV-86565r1_rule
Severity: medium
Rule Title: The operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires.
Description: Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.\n\nOperating systems need to track periods of inactivity and disable application identifiers after zero days of inactivity.
Check_content: Verify the operating system disables account identifiers (individuals, groups, roles, and devices) after the password expires with the following command:\n\n# grep -i inactive /etc/default/useradd\nINACTIVE=0\n\nIf the value is not set to "0", is commented out, or is not defined, this is a finding.
Fixtext: Configure the operating system to disable account identifiers (individuals, groups, roles, and devices) after the password expires.\n\nAdd the following line to "/etc/default/useradd" (or modify the line to have the required value):\n\nINACTIVE=0
Rule ID: SV-86567r3_rule
Severity: medium
Rule Title: Accounts subject to three unsuccessful logon attempts within 15 minutes must be locked for the maximum configurable period.
Description: By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.\n\n
Check_content: Verify the operating system automatically locks an account for the maximum period for which the system can be configured.\n\nCheck that the system locks an account for the maximum period after three unsuccessful logon attempts within a period of 15 minutes with the following command:\n\n# grep pam_faillock.so /etc/pam.d/password-auth-ac\nauth required pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=604800\nauth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=604800\naccount required pam_faillock.so \n\nIf the "unlock_time" setting is greater than "604800" on both lines with the "pam_faillock.so" module name or is missing from a line, this is a finding.\n\n# grep pam_faillock.so /etc/pam.d/system-auth-ac\nauth required pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=604800\nauth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=604800\naccount required pam_faillock.so \n\nIf the "unlock_time" setting is greater than "604800" on both lines with the "pam_faillock.so" module name or is missing from a line, this is a finding.
Fixtext: Configure the operating system to lock an account for the maximum period when three unsuccessful logon attempts in 15 minutes are made.\n\nModify the first three lines of the auth section of the "/etc/pam.d/system-auth-ac" and "/etc/pam.d/password-auth-ac" files to match the following lines:\n\nauth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=604800\nauth sufficient pam_unix.so try_first_pass\nauth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=604800\naccount required pam_faillock.so
Rule ID: SV-86569r2_rule
Severity: medium
Rule Title: If three unsuccessful root logon attempts within 15 minutes occur the associated account must be locked.
Description: By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.\n\n
Check_content: Verify the operating system automatically locks the root account until it is released by an administrator when three unsuccessful logon attempts in 15 minutes are made.\n\n# grep pam_faillock.so /etc/pam.d/password-auth-ac\nauth required pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=604800 fail_interval=900 \nauth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=604800 fail_interval=900\naccount required pam_faillock.so\n\nIf the "even_deny_root" setting is not defined on both lines with the "pam_faillock.so" module name, this is a finding.\n\n# grep pam_faillock.so /etc/pam.d/system-auth-ac\nauth required pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=604800 fail_interval=900 \nauth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=604800 fail_interval=900\naccount required pam_faillock.so\n\nIf the "even_deny_root" setting is not defined on both lines with the "pam_faillock.so" module name, this is a finding.
Fixtext: Configure the operating system to automatically lock the root account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are made.\n\nModify the first three lines of the auth section of the "/etc/pam.d/system-auth-ac" and "/etc/pam.d/password-auth-ac" files to match the following lines:\n\nauth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=604800\nauth sufficient pam_unix.so try_first_pass\nauth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=604800\naccount required pam_faillock.so\n\nNote: Any updates made to "/etc/pam.d/system-auth-ac" and "/etc/pam.d/password-auth-ac" may be overwritten by the "authconfig" program. The "authconfig" program should not be used.
Rule ID: SV-86571r2_rule
Severity: medium
Rule Title: Users must provide a password for privilege escalation.
Description: Without re-authentication, users may access resources or perform tasks for which they do not have authorization. \n\nWhen operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.\n\n
Check_content: If passwords are not being used for authentication, this is Not Applicable.\n\nVerify the operating system requires users to supply a password for privilege escalation.\n\nCheck the configuration of the "/etc/sudoers" and "/etc/sudoers.d/*" files with the following command:\n\n# grep -i nopasswd /etc/sudoers /etc/sudoers.d/*\n\nIf any uncommented line is found with a "NOPASSWD" tag, this is a finding.
Fixtext: Configure the operating system to require users to supply a password for privilege escalation.\n\nCheck the configuration of the "/etc/sudoers" and "/etc/sudoers.d/*" files with the following command:\n\n# grep -i nopasswd /etc/sudoers /etc/sudoers.d/*\n\nRemove any occurrences of "NOPASSWD" tags in the file.
Rule ID: SV-86573r2_rule
Severity: medium
Rule Title: Users must re-authenticate for privilege escalation.
Description: Without re-authentication, users may access resources or perform tasks for which they do not have authorization. \n\nWhen operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate.\n\n
Check_content: Verify the operating system requires users to reauthenticate for privilege escalation.\n\nCheck the configuration of the "/etc/sudoers" and "/etc/sudoers.d/*" files with the following command:\n\n# grep -i authenticate /etc/sudoers /etc/sudoers.d/*\n\nIf any line is found with a "!authenticate" tag, this is a finding.
Fixtext: Configure the operating system to require users to reauthenticate for privilege escalation.\n\nCheck the configuration of the "/etc/sudoers" and "/etc/sudoers.d/*" files with the following command:\n\nRemove any occurrences of "!authenticate" tags in the file.
Rule ID: SV-86575r1_rule
Severity: medium
Rule Title: The delay between logon prompts following a failed console logon attempt must be at least four seconds.
Description: Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.
Check_content: Verify the operating system enforces a delay of at least four seconds between console logon prompts following a failed logon attempt.\n\nCheck the value of the "fail_delay" parameter in the "/etc/login.defs" file with the following command:\n\n# grep -i fail_delay /etc/login.defs\nFAIL_DELAY 4\n\nIf the value of "FAIL_DELAY" is not set to "4" or greater, this is a finding.
Fixtext: Configure the operating system to enforce a delay of at least four seconds between logon prompts following a failed console logon attempt.\n\nModify the "/etc/login.defs" file to set the "FAIL_DELAY" parameter to "4" or greater:\n\nFAIL_DELAY 4
Rule ID: SV-86577r1_rule
Severity: high
Rule Title: The operating system must not allow an unattended or automatic logon to the system via a graphical user interface.
Description: Failure to restrict system access to authenticated users negatively impacts operating system security.
Check_content: Verify the operating system does not allow an unattended or automatic logon to the system via a graphical user interface.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable. \n\nCheck for the value of the "AutomaticLoginEnable" in the "/etc/gdm/custom.conf" file with the following command:\n\n# grep -i automaticloginenable /etc/gdm/custom.conf\nAutomaticLoginEnable=false\n\nIf the value of "AutomaticLoginEnable" is not set to "false", this is a finding.
Fixtext: Configure the operating system to not allow an unattended or automatic logon to the system via a graphical user interface.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nAdd or edit the line for the "AutomaticLoginEnable" parameter in the [daemon] section of the "/etc/gdm/custom.conf" file to "false":\n\n[daemon]\nAutomaticLoginEnable=false
Rule ID: SV-86579r2_rule
Severity: high
Rule Title: The operating system must not allow an unrestricted logon to the system.
Description: Failure to restrict system access to authenticated users negatively impacts operating system security.
Check_content: Verify the operating system does not allow an unrestricted logon to the system via a graphical user interface.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable. \n\nCheck for the value of the "TimedLoginEnable" parameter in "/etc/gdm/custom.conf" file with the following command:\n\n# grep -i timedloginenable /etc/gdm/custom.conf\nTimedLoginEnable=false\n\nIf the value of "TimedLoginEnable" is not set to "false", this is a finding.
Fixtext: Configure the operating system to not allow an unrestricted account to log on to the system via a graphical user interface.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nAdd or edit the line for the "TimedLoginEnable" parameter in the [daemon] section of the "/etc/gdm/custom.conf" file to "false":\n\n[daemon]\nTimedLoginEnable=false
Rule ID: SV-86581r2_rule
Severity: medium
Rule Title: The operating system must not allow users to override SSH environment variables.
Description: Failure to restrict system access to authenticated users negatively impacts operating system security.
Check_content: Verify the operating system does not allow users to override environment variables to the SSH daemon.\n\nCheck for the value of the "PermitUserEnvironment" keyword with the following command:\n\n# grep -i permituserenvironment /etc/ssh/sshd_config\nPermitUserEnvironment no\n\nIf the "PermitUserEnvironment" keyword is not set to "no", is missing, or is commented out, this is a finding.
Fixtext: Configure the operating system to not allow users to override environment variables to the SSH daemon.\n\nEdit the "/etc/ssh/sshd_config" file to uncomment or add the line for "PermitUserEnvironment" keyword and set the value to "no":\n\nPermitUserEnvironment no\n\nThe SSH service must be restarted for changes to take effect.
Rule ID: SV-86583r2_rule
Severity: medium
Rule Title: The operating system must not allow a non-certificate trusted host SSH logon to the system.
Description: Failure to restrict system access to authenticated users negatively impacts operating system security.
Check_content: Verify the operating system does not allow a non-certificate trusted host SSH logon to the system.\n\nCheck for the value of the "HostbasedAuthentication" keyword with the following command:\n\n# grep -i hostbasedauthentication /etc/ssh/sshd_config\nHostbasedAuthentication no\n\nIf the "HostbasedAuthentication" keyword is not set to "no", is missing, or is commented out, this is a finding.
Fixtext: Configure the operating system to not allow a non-certificate trusted host SSH logon to the system.\n\nEdit the "/etc/ssh/sshd_config" file to uncomment or add the line for "HostbasedAuthentication" keyword and set the value to "no":\n\nHostbasedAuthentication no\n\nThe SSH service must be restarted for changes to take effect.
Rule ID: SV-86585r4_rule
Severity: high
Rule Title: Systems with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.
Description: If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.
Check_content: For systems that use UEFI, this is Not Applicable.\n\nCheck to see if an encrypted root password is set. On systems that use a BIOS, use the following command:\n\n# grep -i ^password_pbkdf2 /boot/grub2/grub.cfg\n\npassword_pbkdf2 [superusers-account] [password-hash]\n\nIf the root password entry does not begin with "password_pbkdf2", this is a finding.\n\nIf the "superusers-account" is not set to "root", this is a finding.
Fixtext: Configure the system to encrypt the boot password for root.\n\nGenerate an encrypted grub2 password for root with the following command:\n\nNote: The hash generated is an example.\n\n# grub2-mkpasswd-pbkdf2\n\nEnter Password:\nReenter Password:\nPBKDF2 hash of your password is grub.pbkdf2.sha512.10000.F3A7CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45\n\nEdit "/etc/grub.d/40_custom" and add the following lines below the comments:\n\n# vi /etc/grub.d/40_custom\n\nset superusers="root"\n\npassword_pbkdf2 root {hash from grub2-mkpasswd-pbkdf2 command}\n\nGenerate a new "grub.conf" file with the new password with the following commands:\n\n# grub2-mkconfig --output=/tmp/grub2.cfg\n# mv /tmp/grub2.cfg /boot/grub2/grub.cfg\n
Rule ID: SV-86587r3_rule
Severity: high
Rule Title: Systems using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.
Description: If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.
Check_content: For systems that use BIOS, this is Not Applicable.\n\nCheck to see if an encrypted root password is set. On systems that use UEFI, use the following command:\n\n# grep -i password /boot/efi/EFI/redhat/grub.cfg\n\npassword_pbkdf2 [superusers-account] [password-hash]\n\nIf the root password entry does not begin with "password_pbkdf2", this is a finding.\n\nIf the "superusers-account" is not set to "root", this is a finding.
Fixtext: Configure the system to encrypt the boot password for root.\n\nGenerate an encrypted grub2 password for root with the following command:\n\nNote: The hash generated is an example.\n\n# grub2-mkpasswd-pbkdf2\n\nEnter Password:\nReenter Password:\nPBKDF2 hash of your password is grub.pbkdf2.sha512.10000.F3A7CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45\n\nEdit "/etc/grub.d/40_custom" and add the following lines below the comments:\n\n# vi /etc/grub.d/40_custom\n\nset superusers="root"\n\npassword_pbkdf2 root {hash from grub2-mkpasswd-pbkdf2 command}\n\nGenerate a new "grub.conf" file with the new password with the following commands:\n\n# grub2-mkconfig --output=/tmp/grub2.cfg\n# mv /tmp/grub2.cfg /boot/efi/EFI/redhat/grub.cfg\n
Rule ID: SV-86589r1_rule
Severity: medium
Rule Title: The operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.
Description: To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.\n\nOrganizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following:\n\n1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; \n\nand\n\n2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.\n\n
Check_content: Verify the operating system uses multifactor authentication to uniquely identify and authenticate organizational users.\n\nCheck to see if smartcard authentication is enforced on the system:\n\n# authconfig --test | grep -i smartcard\n\nThe entry for use only smartcard for logon may be enabled, and the smartcard module and smartcard removal actions must not be blank.\n\nIf smartcard authentication is disabled or the smartcard and smartcard removal actions are blank, this is a finding.
Fixtext: Configure the operating system to require individuals to be authenticated with a multifactor authenticator.\n\nEnable smartcard logons with the following commands:\n\n# authconfig --enablesmartcard --smartcardaction=1 --update\n# authconfig --enablerequiresmartcard --update\n\nModify the "/etc/pam_pkcs11/pkcs11_eventmgr.conf" file to uncomment the following line:\n\n#/usr/X11R6/bin/xscreensaver-command -lock\n\nModify the "/etc/pam_pkcs11/pam_pkcs11.conf" file to use the cackey module if required.
Rule ID: SV-86591r1_rule
Severity: high
Rule Title: The rsh-server package must not be installed.
Description: It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nThe rsh-server service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication.\n\nIf a privileged user were to log on using this service, the privileged user password could be compromised.
Check_content: Check to see if the rsh-server package is installed with the following command:\n\n# yum list installed rsh-server\n\nIf the rsh-server package is installed, this is a finding.
Fixtext: Configure the operating system to disable non-essential capabilities by removing the rsh-server package from the system with the following command:\n\n# yum remove rsh-server
Rule ID: SV-86593r1_rule
Severity: high
Rule Title: The ypserv package must not be installed.
Description: Removing the "ypserv" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.
Check_content: The NIS service provides an unencrypted authentication service that does not provide for the confidentiality and integrity of user passwords or the remote session.\n\nCheck to see if the "ypserv" package is installed with the following command:\n\n# yum list installed ypserv\n\nIf the "ypserv" package is installed, this is a finding.
Fixtext: Configure the operating system to disable non-essential capabilities by removing the "ypserv" package from the system with the following command:\n\n# yum remove ypserv
Rule ID: SV-86595r1_rule
Severity: medium
Rule Title: The operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
Description: Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.\n\nPrivileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.
Check_content: Verify the operating system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.\n\nGet a list of authorized users (other than System Administrator and guest accounts) for the system.\n\nCheck the list against the system by using the following command:\n\n# semanage login -l | more\nLogin Name SELinux User MLS/MCS Range Service\n__default__ user_u s0-s0:c0.c1023 *\nroot unconfined_u s0-s0:c0.c1023 *\nsystem_u system_u s0-s0:c0.c1023 *\njoe staff_u s0-s0:c0.c1023 *\n\nAll administrators must be mapped to the "sysadm_u" or "staff_u" users with the appropriate domains (sysadm_t and staff_t).\n\nAll authorized non-administrative users must be mapped to the "user_u" role or the appropriate domain (user_t).\n\nIf they are not mapped in this way, this is a finding.
Fixtext: Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.\n\nUse the following command to map a new user to the "sysadm_u" role: \n\n#semanage login -a -s sysadm_u \n\nUse the following command to map an existing user to the "sysadm_u" role:\n\n#semanage login -m -s sysadm_u \n\nUse the following command to map a new user to the "staff_u" role:\n\n#semanage login -a -s staff_u \n\nUse the following command to map an existing user to the "staff_u" role:\n\n#semanage login -m -s staff_u \n\nUse the following command to map a new user to the "user_u" role:\n\n# semanage login -a -s user_u \n\nUse the following command to map an existing user to the "user_u" role:\n\n# semanage login -m -s user_u
Rule ID: SV-86597r1_rule
Severity: medium
Rule Title: A file integrity tool must verify the baseline operating system configuration at least weekly.
Description: Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.\n\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
Check_content: Verify the operating system routinely checks the baseline configuration for unauthorized changes.\n\nNote: A file integrity tool other than Advanced Intrusion Detection Environment (AIDE) may be used, but the tool must be executed at least once per week.\n\nCheck to see if AIDE is installed on the system with the following command:\n\n# yum list installed aide\n\nIf AIDE is not installed, ask the SA how file integrity checks are performed on the system.\n\nCheck for the presence of a cron job, running daily or weekly on the system, that executes AIDE to scan for changes to the system baseline. The command used in the example will use a daily occurrence.\n\nCheck the "/etc/cron.daily" subdirectory for a "crontab" file controlling the execution of the file integrity application. For example, if AIDE is installed on the system, use the following command:\n\n# ls -al /etc/cron.* | grep aide\n-rwxr-xr-x 1 root root 29 Nov 22 2015 aide\n\nIf the file integrity application does not exist, or a "crontab" file does not exist in the "/etc/cron.daily" or "/etc/cron.weekly" subdirectories, this is a finding.
Fixtext: Configure the file integrity tool to automatically run on the system at least weekly. The following example output is generic. It will set cron to run AIDE daily, but other file integrity tools may be used:\n\n# cat /etc/cron.daily/aide \n0 0 * * * /usr/sbin/aide --check | /bin/mail -s "aide integrity check run for " root@sysname.mil
Rule ID: SV-86599r1_rule
Severity: medium
Rule Title: Designated personnel must be notified if baseline configurations are changed in an unauthorized manner.
Description: Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.\n\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
Check_content: Verify the operating system notifies designated personnel if baseline configurations are changed in an unauthorized manner.\n\nNote: A file integrity tool other than Advanced Intrusion Detection Environment (AIDE) may be used, but the tool must be executed and notify specified individuals via email or an alert.\n\nCheck to see if AIDE is installed on the system with the following command:\n\n# yum list installed aide\n\nIf AIDE is not installed, ask the SA how file integrity checks are performed on the system. \n\nCheck for the presence of a cron job running routinely on the system that executes AIDE to scan for changes to the system baseline. The commands used in the example will use a daily occurrence.\n\nCheck the "/etc/cron.daily" subdirectory for a "crontab" file controlling the execution of the file integrity application. For example, if AIDE is installed on the system, use the following commands:\n\n# ls -al /etc/cron.daily | grep aide\n-rwxr-xr-x 1 root root 32 Jul 1 2011 aide\n\nAIDE does not have a configuration that will send a notification, so the cron job uses the mail application on the system to email the results of the file integrity run as in the following example:\n\n# more /etc/cron.daily/aide\n0 0 * * * /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil\n\nIf the file integrity application does not notify designated personnel of changes, this is a finding.
Fixtext: Configure the operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner. The AIDE tool can be configured to email designated personnel through the use of the cron system. \n\nThe following example output is generic. It will set cron to run AIDE daily and to send email at the completion of the analysis. \n\n# more /etc/cron.daily/aide\n0 0 * * * /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil
Rule ID: SV-86601r1_rule
Severity: high
Rule Title: The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
Description: Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.\n\nVerifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA.
Check_content: Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components from a repository without verification that they have been digitally signed using a certificate that is recognized and approved by the organization.\n\nCheck that yum verifies the signature of packages from a repository prior to install with the following command:\n\n# grep gpgcheck /etc/yum.conf\ngpgcheck=1\n\nIf "gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified. \n\nIf there is no process to validate certificates that is approved by the organization, this is a finding.
Fixtext: Configure the operating system to verify the signature of packages from a repository prior to install by setting the following option in the "/etc/yum.conf" file:\n\ngpgcheck=1
Rule ID: SV-86603r1_rule
Severity: high
Rule Title: The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
Description: Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.\n\nVerifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA.
Check_content: Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components of local packages without verification that they have been digitally signed using a certificate that is recognized and approved by the organization.\n\nCheck that yum verifies the signature of local packages prior to install with the following command:\n\n# grep localpkg_gpgcheck /etc/yum.conf\nlocalpkg_gpgcheck=1\n\nIf "localpkg_gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the signatures of local packages and other operating system components are verified. \n\nIf there is no process to validate the signatures of local packages that is approved by the organization, this is a finding.
Fixtext: Configure the operating system to verify the signature of local packages prior to install by setting the following option in the "/etc/yum.conf" file:\n\nlocalpkg_gpgcheck=1
Rule ID: SV-86605r1_rule
Severity: high
Rule Title: The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of packages without verification of the repository metadata.
Description: Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.\n\nVerifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved Certificate Authority.
Check_content: Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components of local packages without verification of the repository metadata.\n\nCheck that yum verifies the package metadata prior to install with the following command:\n\n# grep repo_gpgcheck /etc/yum.conf\nrepo_gpgcheck=1\n\nIf "repo_gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the metadata of local packages and other operating system components are verified. \n\nIf there is no process to validate the metadata of packages that is approved by the organization, this is a finding.
Fixtext: Configure the operating system to verify the repository metadata by setting the following options in the "/etc/yum.conf" file:\n\nrepo_gpgcheck=1
Rule ID: SV-86607r2_rule
Severity: medium
Rule Title: USB mass storage must be disabled.
Description: USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity.\n\n
Check_content: If there is an HBSS with a Device Control Module and a Data Loss Prevention mechanism, this requirement is not applicable.\n\nVerify the operating system disables the ability to use USB mass storage devices.\n\nCheck to see if USB mass storage is disabled with the following command:\n\n# grep usb-storage /etc/modprobe.d/blacklist.conf\nblacklist usb-storage\n\nIf the command does not return any output or the output is not "blacklist usb-storage", and use of USB storage devices is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
Fixtext: Configure the operating system to disable the ability to use USB mass storage devices.\n\n# vi /etc/modprobe.d/blacklist.conf\n\nAdd or update the line:\n\nblacklist usb-storage
Rule ID: SV-86609r1_rule
Severity: medium
Rule Title: File system automounter must be disabled unless required.
Description: Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.\n\n
Check_content: Verify the operating system disables the ability to automount devices.\n\nCheck to see if automounter service is active with the following command:\n\n# systemctl status autofs\nautofs.service - Automounts filesystems on demand\n Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled)\n Active: inactive (dead)\n\nIf the "autofs" status is set to "active" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
Fixtext: Configure the operating system to disable the ability to automount devices.\n\nTurn off the automount service with the following command:\n\n# systemctl disable autofs\n\nIf "autofs" is required for Network File System (NFS), it must be documented with the ISSO.
Rule ID: SV-86611r1_rule
Severity: low
Rule Title: The operating system must remove all software components after updated versions have been installed.
Description: Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.
Check_content: Verify the operating system removes all software components after updated versions have been installed.\n\nCheck if yum is configured to remove unneeded packages with the following command:\n\n# grep -i clean_requirements_on_remove /etc/yum.conf\nclean_requirements_on_remove=1\n\nIf "clean_requirements_on_remove" is not set to "1", "True", or "yes", or is not set in "/etc/yum.conf", this is a finding.
Fixtext: Configure the operating system to remove all software components after updated versions have been installed.\n\nSet the "clean_requirements_on_remove" option to "1" in the "/etc/yum.conf" file:\n\nclean_requirements_on_remove=1
Rule ID: SV-86613r2_rule
Severity: high
Rule Title: The operating system must enable SELinux.
Description: Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.\n\nThis requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.
Check_content: Verify the operating system verifies correct operation of all security functions.\n\nCheck if "SELinux" is active and in "Enforcing" mode with the following command:\n\n# getenforce\nEnforcing\n\nIf "SELinux" is not active and not in "Enforcing" mode, this is a finding.
Fixtext: Configure the operating system to verify correct operation of all security functions.\n\nSet the "SELinux" status and the "Enforcing" mode by modifying the "/etc/selinux/config" file to have the following line:\n\nSELINUX=enforcing\n\nA reboot is required for the changes to take effect.
Rule ID: SV-86615r3_rule
Severity: high
Rule Title: The operating system must enable the SELinux targeted policy.
Description: Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.\n\nThis requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.
Check_content: Verify the operating system verifies correct operation of all security functions.\n\nCheck if "SELinux" is active and is enforcing the targeted policy with the following command:\n\n# sestatus\n\nSELinux status: enabled\n\nSELinuxfs mount: /selinux\n\nSELinux root directory: /etc/selinux\n\nLoaded policy name: targeted\n\nCurrent mode: enforcing\n\nMode from config file: enforcing\n\nPolicy MLS status: enabled\n\nPolicy deny_unknown status: allowed\n\nMax kernel policy version: 28\n\n\nIf the "Policy from config file" is not set to "targeted", or the "Loaded policy name" is not set to "targeted", this is a finding.\n
Fixtext: Configure the operating system to verify correct operation of all security functions.\n\nSet the "SELinuxtype" to the "targeted" policy by modifying the "/etc/selinux/config" file to have the following line:\n\nSELINUXTYPE=targeted\n\nA reboot is required for the changes to take effect.
Rule ID: SV-86617r1_rule
Severity: high
Rule Title: The x86 Ctrl-Alt-Delete key sequence must be disabled.
Description: A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.
Check_content: Verify the operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed.\n\nCheck that the ctrl-alt-del.service is not active with the following command:\n\n# systemctl status ctrl-alt-del.service\nreboot.target - Reboot\n Loaded: loaded (/usr/lib/systemd/system/reboot.target; disabled)\n Active: inactive (dead)\n Docs: man:systemd.special(7)\n\nIf the ctrl-alt-del.service is active, this is a finding.
Fixtext: Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following command:\n\n# systemctl mask ctrl-alt-del.target\n\nIf GNOME is active on the system, create a database to contain the system-wide setting (if it does not already exist) with the following command: \n\n# cat /etc/dconf/db/local.d/00-disable-CAD \n\nAdd the setting to disable the Ctrl-Alt-Delete sequence for GNOME:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=''
Rule ID: SV-86619r1_rule
Severity: medium
Rule Title: The operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
Description: Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.
Check_content: Verify the operating system defines default permissions for all authenticated users in such a way that the user can only read and modify their own files.\n\nCheck for the value of the "UMASK" parameter in "/etc/login.defs" file with the following command:\n\nNote: If the value of the "UMASK" parameter is set to "000" in "/etc/login.defs" file, the Severity is raised to a CAT I.\n\n# grep -i umask /etc/login.defs\nUMASK 077\n\nIf the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out, this is a finding.
Fixtext: Configure the operating system to define default permissions for all authenticated users in such a way that the user can only read and modify their own files.\n\nAdd or edit the line for the "UMASK" parameter in "/etc/login.defs" file to "077":\n\nUMASK 077
Rule ID: SV-86621r2_rule
Severity: high
Rule Title: The operating system must be a vendor supported release.
Description: An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.
Check_content: Verify the version of the operating system is vendor supported.\n\nCheck the version of the operating system with the following command:\n\n# cat /etc/redhat-release\n\nRed Hat Enterprise Linux Server release 7.2 (Maipo)\n\nCurrent End of Life for RHEL 7.2 is Q4 2020.\n\nCurrent End of Life for RHEL 7.3 is 30 June 2024.\n\nIf the release is not supported by the vendor, this is a finding.
Fixtext: Upgrade to a supported version of the operating system.
Rule ID: SV-86623r3_rule
Severity: medium
Rule Title: Vendor packaged system security patches and updates must be installed and up to date.
Description: Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software patched is a common mistake made by IT professionals. New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.
Check_content: Verify the operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO). \n\nObtain the list of available package security updates from Red Hat. The URL for updates is https://rhn.redhat.com/errata/. It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed.\n\nCheck that the available package security updates have been installed on the system with the following command:\n\n# yum history list | more\nLoaded plugins: langpacks, product-id, subscription-manager\nID | Command line | Date and time | Action(s) | Altered\n-------------------------------------------------------------------------------\n 70 | install aide | 2016-05-05 10:58 | Install | 1 \n 69 | update -y | 2016-05-04 14:34 | Update | 18 EE\n 68 | install vlc | 2016-04-21 17:12 | Install | 21 \n 67 | update -y | 2016-04-21 17:04 | Update | 7 EE\n 66 | update -y | 2016-04-15 16:47 | E, I, U | 84 EE\n\nIf package updates have not been performed on the system within the timeframe that the site/program documentation requires, this is a finding. \n\nTypical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM.\n\nIf the operating system is in non-compliance with the Information Assurance Vulnerability Management (IAVM) process, this is a finding.
Fixtext: Install the operating system patches or updated packages available from Red Hat within 30 days or sooner as local policy dictates.
Rule ID: SV-86625r1_rule
Severity: medium
Rule Title: The system must not have unnecessary accounts.
Description: Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.
Check_content: Verify all accounts on the system are assigned to an active system, application, or user account.\n\nObtain the list of authorized system accounts from the Information System Security Officer (ISSO).\n\nCheck the system accounts on the system with the following command:\n\n# more /etc/passwd\nroot:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\ndaemon:x:2:2:daemon:/sbin:/sbin/nologin\nsync:x:5:0:sync:/sbin:/bin/sync\nshutdown:x:6:0:shutdown:/sbin:/sbin/shutdown\nhalt:x:7:0:halt:/sbin:/sbin/halt\ngames:x:12:100:games:/usr/games:/sbin/nologin\ngopher:x:13:30:gopher:/var/gopher:/sbin/nologin\n\nAccounts such as "games" and "gopher" are not authorized accounts as they do not support authorized system functions. \n\nIf the accounts on the system do not match the provided documentation, or accounts that do not support an authorized system function are present, this is a finding.
Fixtext: Configure the system so all accounts on the system are assigned to an active system, application, or user account. \n\nRemove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions. \n\nDocument all authorized accounts on the system.
Rule ID: SV-86627r1_rule
Severity: low
Rule Title: All Group Identifiers (GIDs) referenced in the /etc/passwd file must be defined in the /etc/group file.
Description: If a user is assigned the GID of a group not existing on the system, and a group with the GID is subsequently created, the user may have unintended rights to any files associated with the group.
Check_content: Verify all GIDs referenced in the "/etc/passwd" file are defined in the "/etc/group" file.\n\nCheck that all referenced GIDs exist with the following command:\n\n# pwck -r\n\nIf GIDs referenced in "/etc/passwd" file are returned as not defined in "/etc/group" file, this is a finding.
Fixtext: Configure the system to define all GIDs found in the "/etc/passwd" file by modifying the "/etc/group" file to add any non-existent group referenced in the "/etc/passwd" file, or change the GIDs referenced in the "/etc/passwd" file to a group that exists in "/etc/group".
Rule ID: SV-86629r1_rule
Severity: high
Rule Title: The root account must be the only account having unrestricted access to the system.
Description: If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of "0" afford an opportunity for potential intruders to guess a password for a privileged account.
Check_content: Check the system for duplicate UID "0" assignments with the following command:\n\n# awk -F: \'$3 == 0 {print $1}\' /etc/passwd\n\nIf any accounts other than root have a UID of "0", this is a finding.
Fixtext: Change the UID of any account on the system, other than root, that has a UID of "0". \n\nIf the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned.
Rule ID: SV-86631r2_rule
Severity: medium
Rule Title: All files and directories must have a valid owner.
Description: Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier "UID" as the UID of the un-owned files.
Check_content: Verify all files and directories on the system have a valid owner.\n\nCheck the owner of all files and directories with the following command:\n\nNote: The value after -fstype must be replaced with the filesystem type. XFS is used as an example.\n\n# find / -fstype xfs -nouser\n\nIf any files on the system do not have an assigned owner, this is a finding.
Fixtext: Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories on the system with the "chown" command:\n\n# chown
Rule ID: SV-86633r2_rule
Severity: medium
Rule Title: All files and directories must have a valid group owner.
Description: Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files without a valid group owner.
Check_content: Verify all files and directories on the system have a valid group.\n\nCheck the group owner of all files and directories with the following command:\n\nNote: The value after -fstype must be replaced with the filesystem type. XFS is used as an example.\n\n# find / -fstype xfs -nogroup\n\nIf any files on the system do not have an assigned group, this is a finding.
Fixtext: Either remove all files and directories from the system that do not have a valid group, or assign a valid group to all files and directories on the system with the "chgrp" command:\n\n# chgrp
Rule ID: SV-86635r1_rule
Severity: medium
Rule Title: All local interactive users must have a home directory assigned in the /etc/passwd file.
Description: If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
Check_content: Verify local interactive users on the system have a home directory assigned.\n\nCheck for missing local interactive user home directories with the following command:\n\n# pwck -r\nuser \'lp\': directory \'/var/spool/lpd\' does not exist\nuser \'news\': directory \'/var/spool/news\' does not exist\nuser \'uucp\': directory \'/var/spool/uucp\' does not exist\nuser \'smithj\': directory \'/home/smithj\' does not exist\n\nAsk the System Administrator (SA) if any users found without home directories are local interactive users. If the SA is unable to provide a response, check for users with a User Identifier (UID) of 1000 or greater with the following command:\n\n# cut -d: -f 1,3 /etc/passwd | egrep ":[1-4][0-9]{2}$|:[0-9]{1,2}$"\n\nIf any interactive users do not have a home directory assigned, this is a finding.
Fixtext: Assign home directories to all local interactive users that currently do not have a home directory assigned.
Rule ID: SV-86637r1_rule
Severity: medium
Rule Title: All local interactive user accounts, upon creation, must be assigned a home directory.
Description: If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
Check_content: Verify all local interactive users on the system are assigned a home directory upon creation.\n\nCheck to see if the system is configured to create home directories for local interactive users with the following command:\n\n# grep -i create_home /etc/login.defs\nCREATE_HOME yes\n\nIf the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out, this is a finding.
Fixtext: Configure the operating system to assign home directories to all new local interactive users by setting the "CREATE_HOME" parameter in "/etc/login.defs" to "yes" as follows.\n\nCREATE_HOME yes
Rule ID: SV-86639r1_rule
Severity: medium
Rule Title: All local interactive user home directories defined in the /etc/passwd file must exist.
Description: If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.
Check_content: Verify the assigned home directory of all local interactive users on the system exists.\n\nCheck the home directory assignment for all local interactive non-privileged users on the system with the following command:\n\n# cut -d: -f 1,3 /etc/passwd | egrep ":[1-9][0-9]{2}$|:[0-9]{1,2}$"\nsmithj /home/smithj\n\nNote: This may miss interactive users that have been assigned a privileged UID. Evidence of interactive use may be obtained from a number of log files containing system logon information.\n\nCheck that all referenced home directories exist with the following command:\n\n# pwck -r\nuser \'smithj\': directory \'/home/smithj\' does not exist\n\nIf any home directories referenced in "/etc/passwd" are returned as not defined, this is a finding.
Fixtext: Create home directories for all local interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in "/etc/passwd":\n\nNote: The example will be for the user smithj, who has a home directory of "/home/smithj", a UID of "smithj", and a Group Identifier (GID) of "users" assigned in "/etc/passwd".\n\n# mkdir /home/smithj \n# chown smithj /home/smithj\n# chgrp users /home/smithj\n# chmod 0750 /home/smithj
Rule ID: SV-86641r2_rule
Severity: medium
Rule Title: All local interactive user home directories must have mode 0750 or less permissive.
Description: Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.
Check_content: Verify the assigned home directory of all local interactive users has a mode of "0750" or less permissive.\n\nCheck the home directory assignment for all non-privileged users on the system with the following command:\n\nNote: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information.\n\n# ls -ld $(egrep \':[0-9]{4}\' /etc/passwd | cut -d: -f6)\n-rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj\n\nIf home directories referenced in "/etc/passwd" do not have a mode of "0750" or less permissive, this is a finding.
Fixtext: Change the mode of interactive user’s home directories to "0750". To change the mode of a local interactive user’s home directory, use the following command:\n\nNote: The example will be for the user "smithj".\n\n# chmod 0750 /home/smithj
Rule ID: SV-86643r4_rule
Severity: medium
Rule Title: All local interactive user home directories must be owned by their respective users.
Description: If a local interactive user does not own their home directory, unauthorized users could access or modify the user's files, and the users may not be able to access their own files.
Check_content: Verify the assigned home directory of all local interactive users on the system exists.\n\nCheck the home directory assignment for all local interactive users on the system with the following command:\n\n# ls -ld $(egrep \':[0-9]{4}\' /etc/passwd | cut -d: -f6)\n\n-rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj\n\nIf any home directories referenced in "/etc/passwd" are not owned by the interactive user, this is a finding.
Fixtext: Change the owner of a local interactive user’s home directories to that owner. To change the owner of a local interactive user’s home directory, use the following command:\n\nNote: The example will be for the user smithj, who has a home directory of "/home/smithj".\n\n# chown smithj /home/smithj
Rule ID: SV-86645r4_rule
Severity: medium
Rule Title: All local interactive user home directories must be group-owned by the home directory owners primary group.
Description: If the Group Identifier (GID) of a local interactive user’s home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user’s files, and users that share the same group may not be able to access files that they legitimately should.
Check_content: Verify the assigned home directory of all local interactive users is group-owned by that user’s primary GID.\n\nCheck the home directory assignment for all local interactive users on the system with the following command:\n\n# ls -ld $(egrep \':[0-9]{4}\' /etc/passwd | cut -d: -f6)\n\n-rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj\n\nCheck the user\'s primary group with the following command:\n\n# grep users /etc/group\n\nusers:x:250:smithj,jonesj,jacksons\n\nIf the user home directory referenced in "/etc/passwd" is not group-owned by that user’s primary GID, this is a finding.\n
Fixtext: Change the group owner of a local interactive user’s home directory to the group found in "/etc/passwd". To change the group owner of a local interactive user’s home directory, use the following command:\n\nNote: The example will be for the user "smithj", who has a home directory of "/home/smithj", and has a primary group of users.\n\n# chgrp users /home/smithj
Rule ID: SV-86647r1_rule
Severity: medium
Rule Title: All files and directories contained in local interactive user home directories must be owned by the owner of the home directory.
Description: If local interactive users do not own the files in their directories, unauthorized users may be able to access them. Additionally, if files are not owned by the user, this could be an indication of system compromise.
Check_content: Verify all files and directories in a local interactive user’s home directory are owned by the user.\n\nCheck the owner of all files and directories in a local interactive user’s home directory with the following command:\n\nNote: The example will be for the user "smithj", who has a home directory of "/home/smithj".\n\n# ls -lLR /home/smithj\n-rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1\n-rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2\n-rw-r--r-- 1 smithj smithj 231 Mar 5 17:06 file3\n\nIf any files are found with an owner different than the home directory user, this is a finding.
Fixtext: Change the owner of a local interactive user’s files and directories to that owner. To change the owner of a local interactive user’s files and directories, use the following command:\n\nNote: The example will be for the user smithj, who has a home directory of "/home/smithj".\n\n# chown smithj /home/smithj/
Rule ID: SV-86649r1_rule
Severity: medium
Rule Title: All files and directories contained in local interactive user home directories must be group-owned by a group of which the home directory owner is a member.
Description: If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them.
Check_content: Verify all files and directories in a local interactive user home directory are group-owned by a group the user is a member of.\n\nCheck the group owner of all files and directories in a local interactive user's home directory with the following command:\n\nNote: The example will be for the user "smithj", who has a home directory of "/home/smithj".\n\n# ls -lLR /home/smithj\n-rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1\n-rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2\n-rw-r--r-- 1 smithj sa 231 Mar 5 17:06 file3\n\nIf any files are found with a group owner different from the home directory user, check to see if the user is a member of that group with the following command:\n\n# grep smithj /etc/group\nsa:x:100:juan,shelley,bob,smithj \nsmithj:x:521:smithj\n\nIf the user is not a member of a group that owns file(s) in a local interactive user's home directory, this is a finding.
Fixtext: Change the group of a local interactive user's files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive user's files and directories, use the following command:\n\nNote: The example will be for the user smithj, who has a home directory of "/home/smithj" and is a member of the users group.\n\n# chgrp users /home/smithj/
Rule ID: SV-86651r1_rule
Severity: medium
Rule Title: All files and directories contained in local interactive user home directories must have mode 0750 or less permissive.
Description: If a local interactive user files have excessive permissions, unintended users may be able to access or modify them.
Check_content: Verify all files and directories contained in a local interactive user home directory, excluding local initialization files, have a mode of "0750".\n\nCheck the mode of all non-initialization files in a local interactive user home directory with the following command:\n\nFiles that begin with a "." are excluded from this requirement.\n\nNote: The example will be for the user "smithj", who has a home directory of "/home/smithj".\n\n# ls -lLR /home/smithj\n-rwxr-x--- 1 smithj smithj 18 Mar 5 17:06 file1\n-rwxr----- 1 smithj smithj 193 Mar 5 17:06 file2\n-rw-r-x--- 1 smithj smithj 231 Mar 5 17:06 file3\n\nIf any files are found with a mode more permissive than "0750", this is a finding.
Fixtext: Set the mode on files and directories in the local interactive user home directory with the following command:\n\nNote: The example will be for the user smithj, who has a home directory of "/home/smithj" and is a member of the users group.\n\n# chmod 0750 /home/smithj/
Rule ID: SV-86653r1_rule
Severity: medium
Rule Title: All local initialization files for interactive users must be owned by the home directory user or root.
Description: Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.
Check_content: Verify all local initialization files for interactive users are owned by the home directory user or root.\n\nCheck the owner on all local initialization files with the following command:\n\nNote: The example will be for the "smithj" user, who has a home directory of "/home/smithj".\n\n# ls -al /home/smithj/.* | more\n-rwxr-xr-x 1 smithj users 896 Mar 10 2011 .bash_profile\n-rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login\n-rwxr-xr-x 1 smithj users 886 Jan 6 2007 .profile\n\nIf any file that sets a local interactive user's environment variables to override the system is not owned by the home directory owner or root, this is a finding.
Fixtext: Set the owner of the local initialization files for interactive users to either the directory owner or root with the following command:\n\nNote: The example will be for the smithj user, who has a home directory of "/home/smithj".\n\n# chown smithj /home/smithj/.*
Rule ID: SV-86655r2_rule
Severity: medium
Rule Title: Local initialization files for local interactive users must be group-owned by the users primary group or root.
Description: Local initialization files for interactive users are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.
Check_content: Verify the local initialization files of all local interactive users are group-owned by that user's primary Group Identifier (GID).\n\nCheck the home directory assignment for all non-privileged users on the system with the following command:\n\nNote: The example will be for the smithj user, who has a home directory of "/home/smithj" and a primary group of "users".\n\n# cut -d: -f 1,4,6 /etc/passwd | egrep ":[1-4][0-9]{3}"\nsmithj:1000:/home/smithj\n\n# grep 1000 /etc/group\nusers:x:1000:smithj,jonesj,jacksons \n\nNote: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information.\n\nCheck the group owner of all local interactive users' initialization files with the following command:\n\n# ls -al /home/smithj/.*\n-rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile\n-rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login\n-rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something\n\nIf all local interactive users' initialization files are not group-owned by that user's primary GID, this is a finding.
Fixtext: Change the group owner of a local interactive user's files to the group found in "/etc/passwd" for the user. To change the group owner of a local interactive user home directory, use the following command:\n\nNote: The example will be for the user smithj, who has a home directory of "/home/smithj", and has a primary group of users.\n\n# chgrp users /home/smithj/
Rule ID: SV-86657r1_rule
Severity: medium
Rule Title: All local initialization files must have mode 0740 or less permissive.
Description: Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.
Check_content: Verify that all local initialization files have a mode of "0740" or less permissive.\n\nCheck the mode on all local initialization files with the following command:\n\nNote: The example will be for the smithj user, who has a home directory of "/home/smithj".\n\n# ls -al /home/smithj/.* | more\n-rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile\n-rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login\n-rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something\n\nIf any local initialization files have a mode more permissive than "0740", this is a finding.
Fixtext: Set the mode of the local initialization files to "0740" with the following command:\n\nNote: The example will be for the smithj user, who has a home directory of "/home/smithj".\n\n# chmod 0740 /home/smithj/.<init file>
Rule ID: SV-86659r3_rule
Severity: medium
Rule Title: All local interactive user initialization files executable search paths must contain only paths that resolve to the users home directory.
Description: The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the user's home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO).
Check_content: Verify that all local interactive user initialization files' executable search path statements do not contain statements that will reference a working directory other than the users' home directory.\n\nCheck the executable search path statement for all local interactive user initialization files in the users' home directory with the following commands:\n\nNote: The example will be for the smithj user, who has a home directory of "/home/smithj".\n\n# grep -i path /home/smithj/.*\n/home/smithj/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin\n/home/smithj/.bash_profile:export PATH\n\nIf any local interactive user initialization files have executable search path statements that include directories outside of their home directory, this is a finding.
Fixtext: Edit the local interactive user initialization files to change any PATH variable statements that reference directories other than their home directory. \n\nIf a local interactive user requires path variables to reference a directory owned by the application, it must be documented with the ISSO.
Rule ID: SV-86661r1_rule
Severity: medium
Rule Title: Local initialization files must not execute world-writable programs.
Description: If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.
Check_content: Verify that local initialization files do not execute world-writable programs.\n\nCheck the system for world-writable files with the following command:\n\n# find / -perm -002 -type f -exec ls -ld {} \\; | more\n\nFor all files listed, check for their presence in the local initialization files with the following commands:\n\nNote: The example will be for a system that is configured to create users' home directories in the "/home" directory.\n\n# grep <file> /home/*/.*\n\nIf any local initialization files are found to reference world-writable files, this is a finding.
Fixtext: Set the mode on files being executed by the local initialization files with the following command:\n\n# chmod 0755 <file>
Rule ID: SV-86663r1_rule
Severity: medium
Rule Title: All system device files must be correctly labeled to prevent unauthorized modification.
Description: If an unauthorized or modified device is allowed to exist on the system, there is the possibility the system may perform unintended or unauthorized operations.
Check_content: Verify that all system device files are correctly labeled to prevent unauthorized modification.\n\nList all device files on the system that are incorrectly labeled with the following commands:\n\nNote: Device files are normally found under "/dev", but applications may place device files in other directories and may necessitate a search of the entire system.\n\n#find /dev -context *:device_t:* \\( -type c -o -type b \\) -printf "%p %Z\\n"\n\n#find /dev -context *:unlabeled_t:* \\( -type c -o -type b \\) -printf "%p %Z\\n"\n\nNote: There are device files, such as "/dev/vmci", that are used when the operating system is a host virtual machine. They will not be owned by a user on the system and require the "device_t" label to operate. These device files are not a finding.\n\nIf there is output from either of these commands, other than already noted, this is a finding.
Fixtext: Run the following command to determine which package owns the device file:\n\n# rpm -qf <filename>\n\nThe package can be reinstalled from a yum repository using the command:\n\n# sudo yum reinstall <packagename>\n\nAlternatively, the package can be reinstalled from trusted media using the command:\n\n# sudo rpm -Uvh <packagename>
Rule ID: SV-86665r3_rule
Severity: medium
Rule Title: File systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed.
Description: The "nosuid" mount option causes the system to not execute setuid and setgid files with owner privileges. This option must be used for mounting any file system not containing approved setuid and setgid files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
Check_content: Verify file systems that contain user home directories are mounted with the "nosuid" option.\n\nFind the file system(s) that contain the user home directories with the following command:\n\nNote: If a separate file system has not been created for the user home directories (user home directories are mounted under "/"), this is not a finding as the "nosuid" option cannot be used on the "/" system.\n\n# cut -d: -f 1,3,6 /etc/passwd | egrep ":[1-4][0-9]{3}"\nsmithj:1001:/home/smithj\nthomasr:1002:/home/thomasr\n\nCheck the file systems that are mounted at boot time with the following command:\n\n# more /etc/fstab\n\nUUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home ext4 rw,relatime,discard,data=ordered,nosuid 0 2\n \nIf a file system found in "/etc/fstab" refers to the user home directory file system and it does not have the "nosuid" option set, this is a finding.
Fixtext: Configure the "/etc/fstab" to use the "nosuid" option on file systems that contain user home directories.
Rule ID: SV-86667r1_rule
Severity: medium
Rule Title: File systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed.
Description: The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setgid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
Check_content: Verify file systems that are used for removable media are mounted with the "nosuid" option.\n\nCheck the file systems that are mounted at boot time with the following command:\n\n# more /etc/fstab\n\nUUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid 0 0\n\nIf a file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set, this is a finding.
Fixtext: Configure the "/etc/fstab" to use the "nosuid" option on file systems that are associated with removable media.
Rule ID: SV-86669r1_rule
Severity: medium
Rule Title: File systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed.
Description: The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setgid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
Check_content: Verify file systems that are being NFS exported are mounted with the "nosuid" option.\n\nFind the file system(s) that contain the directories being exported with the following command:\n\n# more /etc/fstab | grep nfs\n\nUUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid 0 0\n\nIf a file system found in "/etc/fstab" refers to NFS and it does not have the "nosuid" option set, this is a finding.
Fixtext: Configure the "/etc/fstab" to use the "nosuid" option on file systems that are being exported via NFS.
Rule ID: SV-86671r3_rule
Severity: medium
Rule Title: All world-writable directories must be group-owned by root, sys, bin, or an application group.
Description: If a world-writable directory has the sticky bit set and is not group-owned by a privileged Group Identifier (GID), unauthorized users may be able to modify files created by others.\n\nThe only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.
Check_content: Verify all world-writable directories are group-owned by root, sys, bin, or an application group.\n\nCheck the system for world-writable directories with the following command:\n\nNote: The value after -fstype must be replaced with the filesystem type. XFS is used as an example.\n\n# find / -xdev -perm -002 -type d -fstype xfs -exec ls -lLd {} \\;\ndrwxrwxrwt 2 root root 40 Aug 26 13:07 /dev/mqueue\ndrwxrwxrwt 2 root root 220 Aug 26 13:23 /dev/shm\ndrwxrwxrwt 14 root root 4096 Aug 26 13:29 /tmp\n\nIf any world-writable directories are not owned by root, sys, bin, or an application group associated with the directory, this is a finding.
Fixtext: Change the group of the world-writable directories to root with the following command:\n\n# chgrp root <directory>
Rule ID: SV-86673r1_rule
Severity: medium
Rule Title: The umask must be set to 077 for all local interactive user accounts.
Description: The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.
Check_content: Verify that the default umask for all local interactive users is "077".\n\nIdentify the locations of all local interactive user home directories by looking at the "/etc/passwd" file.\n\nCheck all local interactive user initialization files for interactive users with the following command:\n\nNote: The example is for a system that is configured to create users home directories in the "/home" directory.\n\n# grep -i umask /home/*/.*\n\nIf any local interactive user initialization files are found to have a umask statement that has a value less restrictive than "077", this is a finding.
Fixtext: Remove the umask statement from all local interactive users' initialization files. \n\nIf the account is for an application, the requirement for a umask less restrictive than "077" can be documented with the Information System Security Officer, but the user agreement for access to the account must specify that the local interactive user must log on to their account first and then switch the user to the application account with the correct option to gain the account's environment variables.
Rule ID: SV-86675r1_rule
Severity: medium
Rule Title: Cron logging must be implemented.
Description: Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.
Check_content: Verify that "rsyslog" is configured to log cron events.\n\nCheck the configuration of "/etc/rsyslog.conf" for the cron facility with the following command:\n\nNote: If another logging package is used, substitute the utility configuration file for "/etc/rsyslog.conf". \n\n# grep cron /etc/rsyslog.conf\ncron.* /var/log/cron.log\n\nIf the command does not return a response, check for cron logging all facilities by inspecting the "/etc/rsyslog.conf" file:\n\n# more /etc/rsyslog.conf\n\nLook for the following entry:\n\n*.* /var/log/messages\n\nIf "rsyslog" is not logging messages for the cron facility or all facilities, this is a finding. \n\nIf the entry is in the "/etc/rsyslog.conf" file but is after the entry "*.*", this is a finding.
Fixtext: Configure "rsyslog" to log all cron messages by adding or updating the following line to "/etc/rsyslog.conf":\n\ncron.* /var/log/cron.log\n\nNote: The line must be added before the following entry if it exists in "/etc/rsyslog.conf":\n\n*.* ~ # discards everything
Rule ID: SV-86677r2_rule
Severity: medium
Rule Title: If the cron.allow file exists it must be owned by root.
Description: If the owner of the "cron.allow" file is not set to root, the possibility exists for an unauthorized user to view or to edit sensitive information.
Check_content: Verify that the "cron.allow" file is owned by root.\n\nCheck the owner of the "cron.allow" file with the following command:\n\n# ls -al /etc/cron.allow\n-rw------- 1 root root 6 Mar 5 2011 /etc/cron.allow\n\nIf the "cron.allow" file exists and has an owner other than root, this is a finding.
Fixtext: Set the owner on the "/etc/cron.allow" file to root with the following command:\n\n# chown root /etc/cron.allow
Rule ID: SV-86679r1_rule
Severity: medium
Rule Title: If the cron.allow file exists it must be group-owned by root.
Description: If the group owner of the "cron.allow" file is not set to root, sensitive information could be viewed or edited by unauthorized users.
Check_content: Verify that the "cron.allow" file is group-owned by root.\n\nCheck the group owner of the "cron.allow" file with the following command:\n\n# ls -al /etc/cron.allow\n-rw------- 1 root root 6 Mar 5 2011 /etc/cron.allow\n\nIf the "cron.allow" file exists and has a group owner other than root, this is a finding.
Fixtext: Set the group owner on the "/etc/cron.allow" file to root with the following command:\n\n# chgrp root /etc/cron.allow
Rule ID: SV-86681r1_rule
Severity: medium
Rule Title: Kernel core dumps must be disabled unless needed.
Description: Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition.
Check_content: Verify that kernel core dumps are disabled unless needed.\n\nCheck the status of the "kdump" service with the following command:\n\n# systemctl status kdump.service\nkdump.service - Crash recovery kernel arming\n Loaded: loaded (/usr/lib/systemd/system/kdump.service; enabled)\n Active: active (exited) since Wed 2015-08-26 13:08:09 EDT; 43min ago\n Main PID: 1130 (code=exited, status=0/SUCCESS)\nkernel arming.\n\nIf the "kdump" service is active, ask the System Administrator if the use of the service is required and documented with the Information System Security Officer (ISSO).\n\nIf the service is active and is not documented, this is a finding.
Fixtext: If kernel core dumps are not required, disable the "kdump" service with the following command:\n\n# systemctl disable kdump.service\n\nIf kernel core dumps are required, document the need with the ISSO.
Rule ID: SV-86683r1_rule
Severity: low
Rule Title: A separate file system must be used for user home directories (such as /home or an equivalent).
Description: The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.
Check_content: Verify that a separate file system/partition has been created for non-privileged local interactive user home directories.\n\nCheck the home directory assignment for all non-privileged users (those with a UID greater than 1000) on the system with the following command:\n\n#cut -d: -f 1,3,6,7 /etc/passwd | egrep ":[1-4][0-9]{3}" | tr ":" "\\t"\n\nadamsj /home/adamsj /bin/bash\njacksonm /home/jacksonm /bin/bash\nsmithj /home/smithj /bin/bash\n\nThe output of the command will give the directory/partition that contains the home directories for the non-privileged users on the system (in this example, /home) and the users' shell. All accounts with a valid shell (such as /bin/bash) are considered interactive users.\n\nCheck that a file system/partition has been created for the non-privileged interactive users with the following command:\n\nNote: The partition of /home is used in the example.\n\n# grep /home /etc/fstab\nUUID=333ada18 /home ext4 noatime,nobarrier,nodev 1 2\n\nIf a separate entry for the file system/partition that contains the non-privileged interactive users' home directories does not exist, this is a finding.
Fixtext: Migrate the "/home" directory onto a separate file system/partition.
Rule ID: SV-86685r1_rule
Severity: low
Rule Title: The system must use a separate file system for /var.
Description: The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.
Check_content: Verify that a separate file system/partition has been created for "/var".\n\nCheck that a file system/partition has been created for "/var" with the following command:\n\n# grep /var /etc/fstab\nUUID=c274f65f /var ext4 noatime,nobarrier 1 2\n\nIf a separate entry for "/var" is not in use, this is a finding.
Fixtext: Migrate the "/var" path onto a separate file system.
Rule ID: SV-86687r5_rule
Severity: low
Rule Title: The system must use a separate file system for the system audit data path.
Description: The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.
Check_content: Determine if the "/var/log/audit" path is a separate file system.\n\n# grep /var/log/audit /etc/fstab\n\nIf no result is returned, "/var/log/audit" is not on a separate file system, and this is a finding.
Fixtext: Migrate the system audit data path onto a separate file system.
Rule ID: SV-86689r1_rule
Severity: low
Rule Title: The system must use a separate file system for /tmp (or equivalent).
Description: The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.
Check_content: Verify that a separate file system/partition has been created for "/tmp".\n\nCheck that a file system/partition has been created for "/tmp" with the following command:\n\n# systemctl is-enabled tmp.mount\nenabled\n\nIf the "tmp.mount" service is not enabled, this is a finding.
Fixtext: Start the "tmp.mount" service with the following command:\n\n# systemctl enable tmp.mount
Rule ID: SV-86691r3_rule
Severity: high
Rule Title: The operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
Description: Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\n
Check_content: Verify the operating system implements DoD-approved encryption to protect the confidentiality of remote access sessions.\n\nCheck to see if the "dracut-fips" package is installed with the following command:\n\n# yum list installed | grep dracut-fips\n\ndracut-fips-033-360.el7_2.x86_64.rpm\n\nIf a "dracut-fips" package is installed, check to see if the kernel command line is configured to use FIPS mode with the following command:\n\nNote: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/redhat/grub.cfg" file on UEFI machines.\n\n# grep fips /boot/grub2/grub.cfg\n/vmlinuz-3.8.0-0.40.el7.x86_64 root=/dev/mapper/rhel-root ro rd.md=0 rd.dm=0 rd.lvm.lv=rhel/swap crashkernel=auto rd.luks=0 vconsole.keymap=us rd.lvm.lv=rhel/root rhgb fips=1 quiet\n\nIf the kernel command line is configured to use FIPS mode, check to see if the system is in FIPS mode with the following command:\n\n# cat /proc/sys/crypto/fips_enabled \n1\n\nIf a "dracut-fips" package is not installed, the kernel command line does not have a fips entry, or the system has a value of "0" for "fips_enabled" in "/proc/sys/crypto", this is a finding.
Fixtext: Configure the operating system to implement DoD-approved encryption by installing the dracut-fips package.\n\nTo enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel command line during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place.\n\nConfigure the operating system to implement DoD-approved encryption by following the steps below: \n\nThe fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users should also ensure that the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a non-unique key.\n\nInstall the dracut-fips package with the following command:\n\n# yum install dracut-fips\n\nRecreate the "initramfs" file with the following command:\n\nNote: This command will overwrite the existing "initramfs" file.\n\n# dracut -f\n\nModify the kernel command line of the current kernel in the "grub.cfg" file by adding the following option to the GRUB_CMDLINE_LINUX key in the "/etc/default/grub" file and then rebuild the "grub.cfg" file:\n\nfips=1\n\nChanges to "/etc/default/grub" require rebuilding the "grub.cfg" file as follows:\n\nOn BIOS-based machines, use the following command:\n\n# grub2-mkconfig -o /boot/grub2/grub.cfg\n\nOn UEFI-based machines, use the following command:\n\n# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg\n\nIf /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line. 
You can identify a partition by running the df /boot or df /boot/efi command:\n\n# df /boot\nFilesystem 1K-blocks Used Available Use% Mounted on\n/dev/sda1 495844 53780 416464 12% /boot\n\nTo ensure the boot= configuration option will work even if device naming changes between boots, identify the universally unique identifier (UUID) of the partition with the following command:\n\n# blkid /dev/sda1\n/dev/sda1: UUID="05c000f1-a213-759e-c7a2-f11b7424c797" TYPE="ext4"\n\nFor the example above, append the following string to the kernel command line:\n\nboot=UUID=05c000f1-a213-759e-c7a2-f11b7424c797\n\nReboot the system for the changes to take effect.\n
Rule ID: SV-86693r2_rule
Severity: low
Rule Title: The file integrity tool must be configured to verify Access Control Lists (ACLs).
Description: ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools.
Check_content: Verify the file integrity tool is configured to verify ACLs.\n\nCheck to see if Advanced Intrusion Detection Environment (AIDE) is installed on the system with the following command:\n\n# yum list installed aide\n\nIf AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. \n\nIf there is no application installed to perform file integrity checks, this is a finding.\n\nNote: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory. \n\nUse the following command to determine if the file is in another location:\n\n# find / -name aide.conf\n\nCheck the "aide.conf" file to determine if the "acl" rule has been added to the rule list being applied to the files and directories selection lists.\n\nAn example rule that includes the "acl" rule is below:\n\nAll= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux\n/bin All # apply the custom rule to the files in bin \n/sbin All # apply the same custom rule to the files in sbin \n\nIf the "acl" rule is not being used on all selection lines in the "/etc/aide.conf" file, or ACLs are not being checked by another file integrity tool, this is a finding.
Fixtext: Configure the file integrity tool to check file and directory ACLs. \n\nIf AIDE is installed, ensure the "acl" rule is present on all file and directory selection lists.
Rule ID: SV-86695r2_rule
Severity: low
Rule Title: The file integrity tool must be configured to verify extended attributes.
Description: Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.
Check_content: Verify the file integrity tool is configured to verify extended attributes.\n\nCheck to see if Advanced Intrusion Detection Environment (AIDE) is installed on the system with the following command:\n\n# yum list installed aide\n\nIf AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.\n\nIf there is no application installed to perform file integrity checks, this is a finding.\n\nNote: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory. \n\nUse the following command to determine if the file is in another location:\n\n# find / -name aide.conf\n\nCheck the "aide.conf" file to determine if the "xattrs" rule has been added to the rule list being applied to the files and directories selection lists.\n\nAn example rule that includes the "xattrs" rule follows:\n\nAll= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux\n/bin All # apply the custom rule to the files in bin \n/sbin All # apply the same custom rule to the files in sbin \n\nIf the "xattrs" rule is not being used on all selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.
Fixtext: Configure the file integrity tool to check file and directory extended attributes. \n\nIf AIDE is installed, ensure the "xattrs" rule is present on all file and directory selection lists.
Rule ID: SV-86697r2_rule
Severity: medium
Rule Title: The file integrity tool must use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.
Description: File integrity tools use cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes.
Check_content: Verify the file integrity tool is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.\n\nNote: If RHEL-07-021350 is a finding, this is automatically a finding as the system cannot implement FIPS 140-2 approved cryptographic algorithms and hashes.\n\nCheck to see if Advanced Intrusion Detection Environment (AIDE) is installed on the system with the following command:\n\n# yum list installed aide\n\nIf AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. \n\nIf there is no application installed to perform file integrity checks, this is a finding.\n\nNote: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory. \n\nUse the following command to determine if the file is in another location:\n\n# find / -name aide.conf\n\nCheck the "aide.conf" file to determine if the "sha512" rule has been added to the rule list being applied to the files and directories selection lists.\n\nAn example rule that includes the "sha512" rule follows:\n\nAll=p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux\n/bin All # apply the custom rule to the files in bin \n/sbin All # apply the same custom rule to the files in sbin \n\nIf the "sha512" rule is not being used on all selection lines in the "/etc/aide.conf" file, or another file integrity tool is not using FIPS 140-2 approved cryptographic hashes for validating file contents and directories, this is a finding.
Fixtext: Configure the file integrity tool to use FIPS 140-2 cryptographic hashes for validating file and directory contents. \n\nIf AIDE is installed, ensure the "sha512" rule is present on all file and directory selection lists.
Rule ID: SV-86699r1_rule
Severity: medium
Rule Title: The system must not allow removable media to be used as the boot loader unless approved.
Description: Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. If removable media is designed to be used as the boot loader, the requirement must be documented with the Information System Security Officer (ISSO).
Check_content: Verify the system is not configured to use a boot loader on removable media.\n\nNote: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/redhat/grub.cfg" file on UEFI machines.\n\nCheck for the existence of alternate boot loader configuration files with the following command:\n\n# find / -name grub.cfg\n/boot/grub2/grub.cfg\n\nIf a "grub.cfg" is found in any subdirectories other than "/boot/grub2" and "/boot/efi/EFI/redhat", ask the System Administrator if there is documentation signed by the ISSO to approve the use of removable media as a boot loader. \n\nCheck that the grub configuration file has the set root command in each menu entry with the following commands:\n\n# grep -c menuentry /boot/grub2/grub.cfg\n1\n# grep 'set root' /boot/grub2/grub.cfg\nset root=(hd0,1)\n\nIf the system is using an alternate boot loader on removable media, and documentation does not exist approving the alternate configuration, this is a finding.
Fixtext: Remove alternate methods of booting the system from removable media or document the configuration to boot from removable media with the ISSO.
Rule ID: SV-86701r1_rule
Severity: high
Rule Title: The telnet-server package must not be installed.
Description: It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
Check_content: Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed.\n\nThe telnet service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session.\n\nIf a privileged user were to log on using this service, the privileged user password could be compromised. \n\nCheck to see if the telnet-server package is installed with the following command:\n\n# yum list installed | grep telnet-server\n\nIf the telnet-server package is installed, this is a finding.
Fixtext: Configure the operating system to disable non-essential capabilities by removing the telnet-server package from the system with the following command:\n\n# yum remove telnet-server
Rule ID: SV-86703r2_rule
Severity: high
Rule Title: Auditing must be configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users.
Description: Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.\n\nAudit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\n\nAssociating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system.\n\n
Check_content: Verify the operating system produces audit records containing information to establish when (date and time) the events occurred.\n\nCheck to see if auditing is active by issuing the following command:\n\n# systemctl is-active auditd.service\nActive: active (running) since Tue 2015-01-27 19:41:23 EST; 22h ago\n\nIf the "auditd" status is not active, this is a finding.
Fixtext: Configure the operating system to produce audit records containing information to establish when (date and time) the events occurred.\n\nEnable the auditd service with the following command:\n\n# systemctl start auditd.service
Rule ID: SV-86705r3_rule
Severity: medium
Rule Title: The operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure.
Description: It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.\n\nAudit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.\n\n
Check_content: Confirm the audit configuration regarding how audit processing failures are handled.\n\nCheck to see what level "auditctl" is set to with the following command: \n\n# auditctl -s | grep -i "fail"\n\nfailure 2\n\nIf the value of "failure" is set to "2", the system is configured to panic (shut down) in the event of an auditing failure.\n\nIf the value of "failure" is set to "1", the system is configured to only send information to the kernel log regarding the failure.\n\nIf the "failure" setting is not set, this is a CAT I finding.\n\nIf the "failure" setting is set to any value other than "1" or "2", this is a CAT II finding.\n\nIf the "failure" setting is set to "1" but the availability concern is not documented or there is no monitoring of the kernel log, this is a CAT III finding.\n
Fixtext: Configure the operating system to shut down in the event of an audit processing failure.\n\nAdd or correct the option to shut down the operating system with the following command:\n\n# auditctl -f 2\n\nEdit the "/etc/audit/rules.d/audit.rules" file and add the following line:\n\n-f 2\n\nIf availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure with the following command:\n\n# auditctl -f 1\n\nEdit the "/etc/audit/rules.d/audit.rules" file and add the following line:\n\n-f 1\n\nKernel log monitoring must also be configured to properly alert designated staff.\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86707r1_rule
Severity: medium
Rule Title: The operating system must off-load audit records onto a different system or media from the system being audited.
Description: Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.\n\n
Check_content: Verify the operating system off-loads audit records onto a different system or media from the system being audited.\n\nTo determine the remote server that the records are being sent to, use the following command:\n\n# grep -i remote_server /etc/audisp/audisp-remote.conf\nremote_server = 10.0.21.1\n\nIf a remote server is not configured, or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. \n\nIf there is no evidence that the audit logs are being off-loaded to another system or media, this is a finding.
Fixtext: Configure the operating system to off-load audit records onto a different system or media from the system being audited.\n\nSet the remote server option in "/etc/audisp/audisp-remote.conf" with the IP address of the log aggregation server.
Rule ID: SV-86709r1_rule
Severity: medium
Rule Title: The operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.
Description: Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.\n\n
Check_content: Verify the operating system encrypts audit records off-loaded onto a different system or media from the system being audited.\n\nTo determine if the transfer is encrypted, use the following command:\n\n# grep -i enable_krb5 /etc/audisp/audisp-remote.conf\nenable_krb5 = yes\n\nIf the value of the "enable_krb5" option is not set to "yes" or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. \n\nIf there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding.
Fixtext: Configure the operating system to encrypt the transfer of off-loaded audit records onto a different system or media from the system being audited.\n\nUncomment the "enable_krb5" option in "/etc/audisp/audisp-remote.conf" and set it with the following line:\n\nenable_krb5 = yes
Rule ID: SV-86711r2_rule
Severity: medium
Rule Title: The audit system must take appropriate action when the audit storage volume is full.
Description: Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.
Check_content: Verify the action the operating system takes if the disk the audit records are written to becomes full.\n\nTo determine the action that takes place if the disk is full on the remote server, use the following command:\n\n# grep -i disk_full_action /etc/audisp/audisp-remote.conf\ndisk_full_action = single\n\nTo determine the action that takes place if the network connection fails, use the following command:\n\n# grep -i network_failure_action /etc/audisp/audisp-remote.conf\nnetwork_failure_action = stop\n\nIf the value of the "network_failure_action" option is not "syslog", "single", or "halt", or the line is commented out, this is a finding.\n\nIf the value of the "disk_full_action" option is not "syslog", "single", or "halt", or the line is commented out, this is a finding.
Fixtext: Configure the action the operating system takes if the disk the audit records are written to becomes full.\n\nUncomment or edit the "disk_full_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt", such as the following line:\n\ndisk_full_action = single\n\nUncomment the "network_failure_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt".
Rule ID: SV-86713r1_rule
Severity: medium
Rule Title: The operating system must immediately notify the System Administrator (SA) and Information System Security Officer ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.
Description: If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.
Check_content: Verify the operating system immediately notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.\n\nCheck the system configuration to determine the partition the audit records are being written to with the following command:\n\n# grep log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records are written to (with the example being "/var/log/audit/"):\n\n# df -h /var/log/audit/\n0.9G /var/log/audit\n\nIf the audit records are not being written to a partition specifically created for audit records (in this example "/var/log/audit" is a separate partition), determine the amount of space other files in the partition are currently occupying with the following command (replace [PARTITION] with the mount point of the partition holding the audit log):\n\n# du -sh [PARTITION]\n1.8G /var\n\nDetermine what the threshold is for the system to take action when 75 percent of the repository maximum audit record storage capacity is reached:\n\n# grep -i space_left /etc/audit/auditd.conf\nspace_left = 225 \n\nIf the value of the "space_left" keyword is not set to 25 percent of the total partition size, this is a finding.
Fixtext: Configure the operating system to immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.\n\nCheck the system configuration to determine the partition the audit records are being written to: \n\n# grep log_file /etc/audit/auditd.conf\n\nDetermine the size of the partition that audit records are written to (with the example being "/var/log/audit/"):\n\n# df -h /var/log/audit/\n\nSet the value of the "space_left" keyword in "/etc/audit/auditd.conf" to 75 percent of the partition size.
Rule ID: SV-86715r1_rule
Severity: medium
Rule Title: The operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached.
Description: If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.
Check_content: Verify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.\n\nCheck what action the operating system takes when the threshold for the repository maximum audit record storage capacity is reached with the following command:\n\n# grep -i space_left_action /etc/audit/auditd.conf\nspace_left_action = email\n\nIf the value of the "space_left_action" keyword is not set to "email", this is a finding.
Fixtext: Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.\n\nUncomment or edit the "space_left_action" keyword in "/etc/audit/auditd.conf" and set it to "email". \n \nspace_left_action = email
Rule ID: SV-86717r2_rule
Severity: medium
Rule Title: The operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.
Description: If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.
Check_content: Verify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached.\n\nCheck what account the operating system emails when the threshold for the repository maximum audit record storage capacity is reached with the following command:\n\n# grep -i action_mail_acct /etc/audit/auditd.conf\naction_mail_acct = root\n\nIf the value of the "action_mail_acct" keyword is not set to "root" and other accounts for security personnel, this is a finding.
Fixtext: Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.\n\nUncomment or edit the "action_mail_acct" keyword in "/etc/audit/auditd.conf" and set it to root and any other accounts associated with security personnel. \n \naction_mail_acct = root
Rule ID: SV-86719r5_rule
Severity: medium
Rule Title: All privileged function executions must be audited.
Description: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.
Check_content: Verify the operating system audits the execution of privileged functions.\n\nTo find relevant setuid and setgid programs, use the following command once for each local partition [PART]:\n\n# find [PART] -xdev -type f \\( -perm -4000 -o -perm -2000 \\) 2>/dev/null\n\nRun the following command to verify entries in the audit rules for all programs found with the previous command, where [SETUID_PROGRAM] is the full path of each program:\n\n# grep -i "[SETUID_PROGRAM]" /etc/audit/audit.rules\n-a always,exit -F path="[SETUID_PROGRAM]" -F perm=x -F auid>=1000 -F auid!=4294967295 -k setuid/setgid\n\nAll "setuid" and "setgid" files on the system must have a corresponding audit rule, or must have an audit rule for the (sub) directory that contains the "setuid"/"setgid" file.\n\nIf all "setuid"/"setgid" files on the system do not have audit rule coverage, this is a finding.
Fixtext: Configure the operating system to audit the execution of privileged functions.\n\nTo find the relevant "setuid"/"setgid" programs, run the following command for each local partition [PART]:\n\n# find [PART] -xdev -type f \\( -perm -4000 -o -perm -2000 \\) 2>/dev/null\n\nFor each "setuid"/"setgid" program on the system, which is not covered by an audit rule for a (sub) directory (such as "/usr/sbin"), add a line of the following form to "/etc/audit/rules.d/audit.rules", where [SETUID_PROGRAM] is the full path to each "setuid"/"setgid" program in the list:\n\n-a always,exit -F path=[SETUID_PROGRAM] -F perm=x -F auid>=1000 -F auid!=4294967295 -k setuid/setgid
Rule ID: SV-86721r3_rule
Severity: medium
Rule Title: All uses of the chown command must be audited.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chown" command occur.\n\nCheck the file system rules in "/etc/audit/audit.rules" with the following commands:\n\nNote: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present.\n\n# grep -iw chown /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf there are no audit rules defined for the "chown" command, this is a finding.\n
Fixtext: Add or update the following rule in "/etc/audit/rules.d/audit.rules":\n\nNote: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured.\n\n-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect.\n
Rule ID: SV-86723r3_rule
Severity: medium
Rule Title: All uses of the fchown command must be audited.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fchown" command occur.\n\nCheck the file system rules in "/etc/audit/audit.rules" with the following commands:\n\nNote: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present.\n\n# grep -iw fchown /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf there are no audit rules defined for the "fchown" command, this is a finding.\n
Fixtext: Add or update the following rule in "/etc/audit/rules.d/audit.rules":\n\nNote: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured.\n\n-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect.\n
Rule ID: SV-86725r3_rule
Severity: medium
Rule Title: All uses of the lchown command must be audited.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "lchown" command occur.\n\nCheck the file system rules in "/etc/audit/audit.rules" with the following commands:\n\nNote: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present.\n\n# grep -iw lchown /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf there are no audit rules defined for the "lchown" command, this is a finding.
Fixtext: Add or update the following rule in "/etc/audit/rules.d/audit.rules":\n\nNote: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured.\n\n-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86727r3_rule
Severity: medium
Rule Title: All uses of the fchownat command must be audited.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fchownat" command occur.\n\nCheck the file system rules in "/etc/audit/audit.rules" with the following commands:\n\nNote: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present.\n\n# grep -iw fchownat /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf there are no audit rules defined for the "fchownat" command, this is a finding.\n
Fixtext: Add or update the following rule in "/etc/audit/rules.d/audit.rules":\n\nNote: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured.\n\n-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect.\n
Rule ID: SV-86729r3_rule
Severity: medium
Rule Title: All uses of the chmod command must be audited.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chmod" command occur.\n\nCheck the file system rules in "/etc/audit/audit.rules" with the following command:\n\nNote: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present.\n\n# grep -iw chmod /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf there are no audit rules defined for the "chmod" command, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chmod" command occur.\n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules":\n\nNote: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured.\n\n-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86731r3_rule
Severity: medium
Rule Title: All uses of the fchmod command must be audited.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fchmod" command occur.\n\nCheck the file system rules in "/etc/audit/audit.rules" with the following command:\n\nNote: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present.\n\n# grep -iw fchmod /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf there are no audit rules defined for the "fchmod" command, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "fchmod" command occur.\n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules":\n\nNote: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured.\n\n-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86733r3_rule
Severity: medium
Rule Title: All uses of the fchmodat command must be audited.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fchmodat" command occur.\n\nCheck the file system rules in "/etc/audit/audit.rules" with the following command:\n\nNote: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present.\n\n# grep -iw fchmodat /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf there are no audit rules defined for the "fchmodat" command, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "fchmodat" command occur.\n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules":\n\nNote: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured.\n\n-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86735r3_rule
Severity: medium
Rule Title: All uses of the setxattr command must be audited.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "setxattr" command occur.\n\nCheck the file system rules in "/etc/audit/audit.rules" with the following commands:\n\nNote: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present.\n\n# grep -iw setxattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf there are no audit rules defined for the "setxattr" command, this is a finding.\n
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setxattr" command occur.\n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules":\n\nNote: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured.\n\n-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86737r3_rule
Severity: medium
Rule Title: All uses of the fsetxattr command must be audited.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fsetxattr" command occur.\n\nCheck the file system rules in "/etc/audit/audit.rules" with the following commands:\n\nNote: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present.\n\n# grep -iw fsetxattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf there are no audit rules defined for the "fsetxattr" command, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "fsetxattr" command occur.\n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules":\n\nNote: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured.\n\n-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86739r3_rule
Severity: medium
Rule Title: All uses of the lsetxattr command must be audited.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "lsetxattr" command occur.\n\nCheck the file system rules in "/etc/audit/audit.rules" with the following commands:\n\nNote: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present.\n\n# grep -iw lsetxattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf there are no audit rules defined for the "lsetxattr" command, this is a finding.\n
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "lsetxattr" command occur.\n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules":\n\nNote: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured.\n\n-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86741r3_rule
Severity: medium
Rule Title: All uses of the removexattr command must be audited.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "removexattr" command occur.\n\nCheck the file system rules in "/etc/audit/audit.rules" with the following commands:\n\nNote: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present.\n\n# grep -iw removexattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf there are no audit rules defined for the "removexattr" command, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "removexattr" command occur.\n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules":\n\nNote: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured.\n\n-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86743r3_rule
Severity: medium
Rule Title: All uses of the fremovexattr command must be audited.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fremovexattr" command occur.\n\nCheck the file system rules in "/etc/audit/audit.rules" with the following commands:\n\nNote: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present.\n\n# grep -iw fremovexattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf there are no audit rules defined for the "fremovexattr" command, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "fremovexattr" command occur.\n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules":\n\nNote: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured.\n\n-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect. \n
Rule ID: SV-86745r3_rule
Severity: medium
Rule Title: All uses of the lremovexattr command must be audited.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "lremovexattr" command occur.\n\nCheck the file system rules in "/etc/audit/audit.rules" with the following commands:\n\nNote: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present.\n\n# grep -iw lremovexattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf there are no audit rules defined for the "lremovexattr" command, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "lremovexattr" command occur.\n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules":\n\nNote: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured.\n\n-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86747r3_rule
Severity: medium
Rule Title: All uses of the creat command must be audited.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "creat" command occur.\n\nCheck the file system rules in "/etc/audit/audit.rules" with the following commands:\n\nNote: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present.\n\n# grep -iw creat /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nIf there are no audit rules defined for the \u201ccreat\u201d command, this is a finding.\n\nIf the output does not produce a rule containing \u201c-F exit=-EPERM\u201d, this is a finding.\n\nIf the output does not produce a rule containing \u201c-F exit=-EACCES\u201d, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "creat" command occur.\n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules":\n\nNote: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured.\n\n-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nThe audit daemon must be restarted for the changes to take effect.\n
Rule ID: SV-86749r3_rule
Severity: medium
Rule Title: All uses of the open command must be audited.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "open" command occur.\n\nCheck the file system rules in "/etc/audit/audit.rules" with the following commands:\n\nNote: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present.\n\n# grep -iw open /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nIf there are no audit rules defined for the \u201copen\u201d command, this is a finding.\n\nIf the output does not produce a rule containing \u201c-F exit=-EPERM\u201d, this is a finding.\n\nIf the output does not produce a rule containing \u201c-F exit=-EACCES\u201d, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "open" command occur.\n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules":\n\nNote: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured.\n\n-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nThe audit daemon must be restarted for the changes to take effect.\n
Rule ID: SV-86751r3_rule
Severity: medium
Rule Title: All uses of the openat command must be audited.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "openat" command occur.\n\nCheck the file system rules in "/etc/audit/audit.rules" with the following commands:\n\nNote: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present.\n\n# grep -iw openat /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nIf there are no audit rules defined for the \u201copenat\u201d command, this is a finding.\n\nIf the output does not produce a rule containing \u201c-F exit=-EPERM\u201d, this is a finding.\n\nIf the output does not produce a rule containing \u201c-F exit=-EACCES\u201d, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "openat" command occur.\n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules":\n\nNote: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured.\n\n-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86753r3_rule
Severity: medium
Rule Title: All uses of the open_by_handle_at command must be audited.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "open_by_handle_at" command occur.\n\nCheck the file system rules in "/etc/audit/audit.rules" with the following commands:\n\nNote: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present.\n\n# grep -iw open_by_handle_at /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nIf there are no audit rules defined for the \u201copen_by_handle_at\u201d command, this is a finding.\n\nIf the output does not produce a rule containing \u201c-F exit=-EPERM\u201d, this is a finding.\n\nIf the output does not produce a rule containing \u201c-F exit=-EACCES\u201d, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "open_by_handle_at" command occur.\n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules":\n\nNote: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured.\n\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nThe audit daemon must be restarted for the changes to take effect.\n
Rule ID: SV-86755r3_rule
Severity: medium
Rule Title: All uses of the truncate command must be audited.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "truncate" command occur.\n\nCheck the file system rules in "/etc/audit/audit.rules" with the following commands:\n\nNote: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present.\n\n# grep -iw truncate /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nIf there are no audit rules defined for the \u201ctruncate\u201d command, this is a finding.\n\nIf the output does not produce a rule containing \u201c-F exit=-EPERM\u201d, this is a finding.\n\nIf the output does not produce a rule containing \u201c-F exit=-EACCES\u201d, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "truncate" command occur.\n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules":\n\nNote: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured.\n\n-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86757r3_rule
Severity: medium
Rule Title: All uses of the ftruncate command must be audited.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "ftruncate" command occur.\n\nCheck the file system rules in "/etc/audit/audit.rules" with the following commands:\n\nNote: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present.\n\n# grep -iw ftruncate /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nIf there are no audit rules defined for the \u201cftruncate\u201d command, this is a finding.\n\nIf the output does not produce a rule containing \u201c-F exit=-EPERM\u201d, this is a finding.\n\nIf the output does not produce a rule containing \u201c-F exit=-EACCES\u201d, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "ftruncate" command occur.\n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules":\n\nNote: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured.\n\n-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86759r3_rule
Severity: medium
Rule Title: All uses of the semanage command must be audited.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "semanage" command occur.\n\nCheck the file system rule in "/etc/audit/audit.rules" with the following command:\n\n# grep -i /usr/sbin/semanage /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "semanage" command occur.\n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules":\n\n-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86761r3_rule
Severity: medium
Rule Title: All uses of the setsebool command must be audited.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "setsebool" command occur.\n\nCheck the file system rule in "/etc/audit/audit.rules" with the following command:\n\n# grep -i /usr/sbin/setsebool /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setsebool" command occur.\n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules":\n\n-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86763r3_rule
Severity: medium
Rule Title: All uses of the chcon command must be audited.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chcon" command occur.\n\nCheck the file system rule in "/etc/audit/audit.rules" with the following command:\n\n# grep -i /usr/bin/chcon /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chcon" command occur.\n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules":\n\n-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86765r4_rule
Severity: medium
Rule Title: All uses of the setfiles command must be audited.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "setfiles" command occur.\n\nCheck the file system rule in "/etc/audit/audit.rules" with the following command:\n\n# grep -i /usr/sbin/setfiles /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setfiles" command occur.\n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules":\n\n-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86767r2_rule
Severity: medium
Rule Title: The operating system must generate audit records for all successful/unsuccessful account access count events.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful account access count events occur. \n\nCheck the file system rule in "/etc/audit/audit.rules" with the following command: \n\n# grep -i /var/log/tallylog /etc/audit/audit.rules\n\n-w /var/log/tallylog -p wa -k logins\n\nIf the command does not return any output, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful account access count events occur.\n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules": \n\n-w /var/log/tallylog -p wa -k logins\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86769r3_rule
Severity: medium
Rule Title: The operating system must generate audit records for all unsuccessful account access events.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the operating system generates audit records when unsuccessful account access events occur. \n\nCheck the file system rule in "/etc/audit/audit.rules" with the following commands: \n\n# grep -i /var/run/faillock /etc/audit/audit.rules\n\n-w /var/run/faillock -p wa -k logins\n\nIf the command does not return any output, this is a finding.
Fixtext: Configure the operating system to generate audit records when unsuccessful account access events occur. \n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules": \n\n-w /var/run/faillock -p wa -k logins\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86771r2_rule
Severity: medium
Rule Title: The operating system must generate audit records for all successful account access events.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the operating system generates audit records when successful account access events occur. \n\nCheck the file system rules in "/etc/audit/audit.rules" with the following commands: \n\n# grep -i /var/log/lastlog /etc/audit/audit.rules\n\n-w /var/log/lastlog -p wa -k logins \n\nIf the command does not return any output, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful account access events occur. \n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules": \n\n-w /var/log/lastlog -p wa -k logins\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86773r3_rule
Severity: medium
Rule Title: All uses of the passwd command must be audited.
Description: Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "passwd" command occur.\n\nCheck the file system rule in "/etc/audit/audit.rules" with the following command:\n\n# grep -i /usr/bin/passwd /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nIf the command does not return any output, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "passwd" command occur.\n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules":\n\n-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86775r4_rule
Severity: medium
Rule Title: All uses of the unix_chkpwd command must be audited.
Description: Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "unix_chkpwd" command occur.\n\nCheck the file system rule in "/etc/audit/audit.rules" with the following command:\n\n# grep -i /sbin/unix_chkpwd /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nIf the command does not return any output, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unix_chkpwd" command occur.\n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules":\n\n-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86777r3_rule
Severity: medium
Rule Title: All uses of the gpasswd command must be audited.
Description: Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "gpasswd" command occur.\n\nCheck the file system rule in "/etc/audit/audit.rules" with the following command:\n\n# grep -i /usr/bin/gpasswd /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nIf the command does not return any output, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "gpasswd" command occur.\n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules":\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86779r3_rule
Severity: medium
Rule Title: All uses of the chage command must be audited.
Description: Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chage" command occur.\n\nCheck the file system rule in "/etc/audit/audit.rules" with the following command:\n\n# grep -i /usr/bin/chage /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nIf the command does not return any output, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chage" command occur.\n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules":\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86781r3_rule
Severity: medium
Rule Title: All uses of the userhelper command must be audited.
Description: Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "userhelper" command occur.\n\nCheck the file system rule in "/etc/audit/audit.rules" with the following command:\n\n# grep -i /usr/sbin/userhelper /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nIf the command does not return any output, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "userhelper" command occur.\n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules":\n\n-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86783r4_rule
Severity: medium
Rule Title: All uses of the su command must be audited.
Description: Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "su" command occur.\n\nCheck for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": \n\n# grep -i /bin/su /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "su" command occur.\n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules": \n\n-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change \n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86785r3_rule
Severity: medium
Rule Title: All uses of the sudo command must be audited.
Description: Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "sudo" command occur.\n\nCheck for the following system calls being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": \n\n# grep -i /usr/bin/sudo /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "sudo" command occur.\n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules": \n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change \n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86787r4_rule
Severity: medium
Rule Title: All uses of the sudoers command must be audited.
Description: Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "sudoers" command occur.\n\nCheck for modification of the following files being audited by performing the following commands to check the file system rules in "/etc/audit/audit.rules": \n\n# grep -i "/etc/sudoers" /etc/audit/audit.rules\n\n-w /etc/sudoers -p wa -k privileged-actions\n\n# grep -i "/etc/sudoers.d/" /etc/audit/audit.rules\n\n-w /etc/sudoers.d/ -p wa -k privileged-actions\n\nIf the commands do not return output matching the examples, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "sudoers" command occur.\n\nAdd or update the following rules in "/etc/audit/rules.d/audit.rules":\n\n-w /etc/sudoers -p wa -k privileged-actions\n\n-w /etc/sudoers.d/ -p wa -k privileged-actions\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86789r3_rule
Severity: medium
Rule Title: All uses of the newgrp command must be audited.
Description: Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "newgrp" command occur.\n\nCheck for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": \n\n# grep -i /usr/bin/newgrp /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "newgrp" command occur.\n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules": \n\n-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86791r3_rule
Severity: medium
Rule Title: All uses of the chsh command must be audited.
Description: Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chsh" command occur.\n\nCheck for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": \n\n# grep -i /usr/bin/chsh /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chsh" command occur.\n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules": \n\n-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86793r4_rule
Severity: medium
Rule Title: All uses of the sudoedit command must be audited.
Description: Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "sudoedit" command occur.\n\nCheck for the following system calls being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": \n\n# grep -i "/usr/bin/sudoedit" /etc/audit/audit.rules\n\n-a always,exit -F path=/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "sudoedit" command occur.\n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules": \n\n-a always,exit -F path=/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86795r5_rule
Severity: medium
Rule Title: All uses of the mount command must be audited.
Description: Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged mount commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "mount" command occur.\n\nCheck for the following system calls being audited by performing the following series of commands to check the file system rules in "/etc/audit/audit.rules": \n\n# grep -iw "mount" /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\n-a always,exit -F arch=b32 -F path=/bin/mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\n-a always,exit -F arch=b32 -F path=/usr/bin/mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\n-a always,exit -F arch=b64 -F path=/bin/mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\n-a always,exit -F arch=b64 -F path=/usr/bin/mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nIf all uses of the mount command are not being audited, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "mount" command occur.\n\nAdd or update the following rules in "/etc/audit/rules.d/audit.rules":\n\nNote: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured.\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\n-a always,exit -F arch=b32 -F path=/bin/mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\n-a always,exit -F arch=b32 -F path=/usr/bin/mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\n-a always,exit -F arch=b64 -F path=/bin/mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\n-a always,exit -F arch=b64 -F path=/usr/bin/mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86797r4_rule
Severity: medium
Rule Title: All uses of the umount command must be audited.
Description: Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged mount commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "umount" command occur.\n\nCheck for the following system calls being audited by performing the following series of commands to check the file system rules in "/etc/audit/audit.rules": \n\n# grep -i "/bin/umount" /etc/audit/audit.rules\n\n-a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount \n\nIf the command does not return any output, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "umount" command occur.\n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules": \n\n-a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86799r3_rule
Severity: medium
Rule Title: All uses of the postdrop command must be audited.
Description: Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "postdrop" command occur.\n\nCheck for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": \n\n# grep -i /usr/sbin/postdrop /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix\n\nIf the command does not return any output, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postdrop" command occur.\n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules": \n\n-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86801r2_rule
Severity: medium
Rule Title: All uses of the postqueue command must be audited.
Description: Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "postqueue" command occur. \n\nCheck for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": \n\n# grep -i /usr/sbin/postqueue /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix\n\nIf the command does not return any output, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postqueue" command occur. \n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules": \n\n-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86803r2_rule
Severity: medium
Rule Title: All uses of the ssh-keysign command must be audited.
Description: Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged ssh commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. \n\nCheck for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": \n\n# grep -i /usr/libexec/openssh/ssh-keysign /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nIf the command does not return any output, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. \n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules": \n\n-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86807r2_rule
Severity: medium
Rule Title: All uses of the crontab command must be audited.
Description: Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "crontab" command occur. \n\nCheck for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": \n\n# grep -i /usr/bin/crontab /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron\n\nIf the command does not return any output, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "crontab" command occur. \n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules": \n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86809r3_rule
Severity: medium
Rule Title: All uses of the pam_timestamp_check command must be audited.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. \n\nCheck the auditing rules in "/etc/audit/audit.rules" with the following command:\n\n# grep -i "/sbin/pam_timestamp_check" /etc/audit/audit.rules\n\n-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam \n\nIf the command does not return any output, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. \n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules": \n\n-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86811r3_rule
Severity: medium
Rule Title: All uses of the init_module command must be audited.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "init_module" command occur. \n\nCheck the auditing rules in "/etc/audit/audit.rules" with the following command:\n\nNote: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the line appropriate for the system architecture must be present.\n\n# grep -iw init_module /etc/audit/audit.rules\n\nIf the command does not return the following output (appropriate to the architecture), this is a finding. \n\n-a always,exit -F arch=b32 -S init_module -k module-change\n\n-a always,exit -F arch=b64 -S init_module -k module-change\n\nIf there are no audit rules defined for "init_module", this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "init_module" command occur. \n\nAdd or update the following rules in "/etc/audit/rules.d/audit.rules":\n\nNote: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured. \n\n-a always,exit -F arch=b32 -S init_module -k module-change\n\n-a always,exit -F arch=b64 -S init_module -k module-change\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86813r3_rule
Severity: medium
Rule Title: All uses of the delete_module command must be audited.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "delete_module" command occur. \n\nCheck the auditing rules in "/etc/audit/audit.rules" with the following command:\n\nNote: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the line appropriate for the system architecture must be present.\n\n# grep -iw delete_module /etc/audit/audit.rules\n\nIf the command does not return the following output (appropriate to the architecture), this is a finding. \n\n-a always,exit -F arch=b32 -S delete_module -k module-change\n\n-a always,exit -F arch=b64 -S delete_module -k module-change\n\nIf there are no audit rules defined for "delete_module", this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "delete_module" command occur. \n\nAdd or update the following rules in "/etc/audit/rules.d/audit.rules": \n\nNote: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured.\n\n-a always,exit -F arch=b32 -S delete_module -k module-change\n\n-a always,exit -F arch=b64 -S delete_module -k module-change\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86815r3_rule
Severity: medium
Rule Title: All uses of the insmod command must be audited.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "insmod" command occur. \n\nCheck the auditing rules in "/etc/audit/audit.rules" with the following command:\n\n# grep -i insmod /etc/audit/audit.rules\n\nIf the command does not return the following output, this is a finding. \n\n-w /sbin/insmod -p x -F auid!=4294967295 -k module-change\n\nIf the command does not return any output, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "insmod" command occur. \n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules":\n\n-w /sbin/insmod -p x -F auid!=4294967295 -k module-change\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86817r3_rule
Severity: medium
Rule Title: All uses of the rmmod command must be audited.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "rmmod" command occur. \n\nCheck the auditing rules in "/etc/audit/audit.rules" with the following command:\n\n# grep -i rmmod /etc/audit/audit.rules\n\nIf the command does not return the following output, this is a finding. \n\n-w /sbin/rmmod -p x -F auid!=4294967295 -k module-change\n\nIf the command does not return any output, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "rmmod" command occur. \n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules": \n\n-w /sbin/rmmod -p x -F auid!=4294967295 -k module-change\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86819r3_rule
Severity: medium
Rule Title: All uses of the modprobe command must be audited.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "modprobe" command occur. \n\nCheck the auditing rules in "/etc/audit/audit.rules" with the following command:\n\nNote: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the line appropriate for the system architecture must be present.\n\n# grep -i modprobe /etc/audit/audit.rules\n\nIf the command does not return the following output, this is a finding. \n\n-w /sbin/modprobe -p x -F auid!=4294967295 -k module-change\n\nIf the command does not return any output, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "modprobe" command occur. \n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules":\n\n-w /sbin/modprobe -p x -F auid!=4294967295 -k module-change\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86821r4_rule
Severity: medium
Rule Title: The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the operating system generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd".\n\nCheck the auditing rules in "/etc/audit/audit.rules" with the following command:\n\n# grep /etc/passwd /etc/audit/audit.rules\n\n-w /etc/passwd -p wa -k identity\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd".\n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules":\n\n-w /etc/passwd -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86823r3_rule
Severity: medium
Rule Title: All uses of the rename command must be audited.
Description: If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "rename" command occur.\n\nCheck the file system rules in "/etc/audit/audit.rules" with the following commands:\n\nNote: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present.\n\n# grep -iw rename /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S rename -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S rename -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete\n\nIf there are no audit rules defined for the "rename" command, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "rename" command occur.\n\nAdd the following rules in "/etc/audit/rules.d/audit.rules":\n\nNote: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured.\n\n-a always,exit -F arch=b32 -S rename -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S rename -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86825r3_rule
Severity: medium
Rule Title: All uses of the renameat command must be audited.
Description: If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "renameat" command occur.\n\nCheck the file system rules in "/etc/audit/audit.rules" with the following commands:\n\nNote: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present.\n\n# grep -iw renameat /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S renameat -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S renameat -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete\n\nIf there are no audit rules defined for the "renameat" command, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "renameat" command occur.\n\nAdd the following rules in "/etc/audit/rules.d/audit.rules":\n\nNote: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured.\n\n-a always,exit -F arch=b32 -S renameat -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S renameat -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86827r3_rule
Severity: medium
Rule Title: All uses of the rmdir command must be audited.
Description: If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "rmdir" command occur.\n\nCheck the file system rules in "/etc/audit/audit.rules" with the following commands:\n\nNote: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present.\n\n# grep -iw rmdir /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S rmdir -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S rmdir -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete\n\nIf there are no audit rules defined for the "rmdir" command, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "rmdir" command occur.\n\nAdd the following rules in "/etc/audit/rules.d/audit.rules":\n\nNote: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured.\n\n-a always,exit -F arch=b32 -S rmdir -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S rmdir -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86829r3_rule
Severity: medium
Rule Title: All uses of the unlink command must be audited.
Description: If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "unlink" command occur.\n\nCheck the file system rules in "/etc/audit/audit.rules" with the following commands:\n\nNote: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present.\n\n# grep -iw unlink /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S unlink -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S unlink -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete\n\nIf there are no audit rules defined for the "unlink" command, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unlink" command occur.\n\nAdd the following rules in "/etc/audit/rules.d/audit.rules":\n\nNote: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured.\n\n-a always,exit -F arch=b32 -S unlink -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S unlink -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86831r3_rule
Severity: medium
Rule Title: All uses of the unlinkat command must be audited.
Description: If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "unlinkat" command occur.\n\nCheck the file system rules in "/etc/audit/audit.rules" with the following commands:\n\nNote: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be present.\n\n# grep -iw unlinkat /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S unlinkat -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S unlinkat -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete\n\nIf there are no audit rules defined for the "unlinkat" command, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unlinkat" command occur.\n\nAdd the following rules in "/etc/audit/rules.d/audit.rules":\n\nNote: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured.\n\n-a always,exit -F arch=b32 -S unlinkat -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S unlinkat -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-86833r1_rule
Severity: medium
Rule Title: The system must send rsyslog output to a log aggregation server.
Description: Sending rsyslog output to another system ensures that the logs cannot be removed or modified in the event that the system is compromised or has a hardware failure.
Check_content: Verify "rsyslog" is configured to send all messages to a log aggregation server.\n\nCheck the configuration of "rsyslog" with the following command:\n\nNote: If another logging package is used, substitute the utility configuration file for "/etc/rsyslog.conf".\n\n# grep @ /etc/rsyslog.conf\n*.* @@logagg.site.mil\n\nIf there are no lines in the "/etc/rsyslog.conf" file that contain the "@" or "@@" symbol(s), and the lines with the correct symbol(s) to send output to another system do not cover all "rsyslog" output, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. \n\nIf there is no evidence that the audit logs are being sent to another system, this is a finding.
Fixtext: Modify the "/etc/rsyslog.conf" file to contain a configuration line to send all "rsyslog" output to a log aggregation system:\n\n*.* @@<log aggregation server>
Rule ID: SV-86835r1_rule
Severity: medium
Rule Title: The rsyslog daemon must not accept log messages from other servers unless the server is being used for log aggregation.
Description: Unintentionally running an rsyslog server that accepts remote messages puts the system at increased risk. Malicious rsyslog messages sent to the server could exploit vulnerabilities in the server software itself, could introduce misleading information into the system's logs, or could fill the system's storage, leading to a Denial of Service.\nIf the system is intended to be a log aggregation server, its use must be documented with the ISSO.
Check_content: Verify that the system is not accepting "rsyslog" messages from other systems unless it is documented as a log aggregation server.\n\nCheck the configuration of "rsyslog" with the following command:\n\n# grep imtcp /etc/rsyslog.conf\nModLoad imtcp\n\nIf the "imtcp" module is being loaded in the "/etc/rsyslog.conf" file, ask to see the documentation for the system being used for log aggregation.\n\nIf the documentation does not exist, or does not specify the server as a log aggregation system, this is a finding.
Fixtext: Modify the "/etc/rsyslog.conf" file to remove the "ModLoad imtcp" configuration line, or document the system as being used for log aggregation.
Rule ID: SV-86837r2_rule
Severity: high
Rule Title: The system must use a virus scan program.
Description: Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems. \n\nThe virus scanning software should be configured to perform scans dynamically on accessed files. If this capability is not available, the system must be configured to scan, at a minimum, all altered files on the system on a daily basis.\n\nIf the system processes inbound SMTP mail, the virus scanner must be configured to scan all received mail.
Check_content: Verify the system is using a virus scan program.\n\nCheck for the presence of "McAfee VirusScan Enterprise for Linux" with the following command:\n\n# systemctl status nails\nnails - service for McAfee VirusScan Enterprise for Linux \n> Loaded: loaded /opt/NAI/package/McAfeeVSEForLinux/McAfeeVSEForLinux-2.0.2.; enabled)\n> Active: active (running) since Mon 2015-09-27 04:11:22 UTC;21 min ago\n\nIf the "nails" service is not active, check for the presence of "clamav" on the system with the following command:\n\n# systemctl status clamav-daemon.socket\n systemctl status clamav-daemon.socket\n clamav-daemon.socket - Socket for Clam AntiVirus userspace daemon\n Loaded: loaded (/lib/systemd/system/clamav-daemon.socket; enabled)\n Active: active (running) since Mon 2015-01-12 09:32:59 UTC; 7min ago\n\nIf neither of these applications is loaded and active, ask the System Administrator if there is an antivirus package installed and active on the system. \n\nIf no antivirus scan program is active on the system, this is a finding.
Fixtext: Install an antivirus solution on the system.
Rule ID: SV-86839r2_rule
Severity: medium
Rule Title: The system must update the virus scan program every seven days or more frequently.
Description: Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems. \n\nThe virus scanning software should be configured to check for software and virus definition updates with a frequency no longer than seven days. If a manual process is required to update the virus scan software or definitions, it must be documented with the Information System Security Officer (ISSO).
Check_content: Verify the system is using a virus scan program and the virus definition file is less than seven days old.\n\nCheck for the presence of "McAfee VirusScan Enterprise for Linux" with the following command:\n\n# systemctl status nails\nnails - service for McAfee VirusScan Enterprise for Linux \n> Loaded: loaded /opt/NAI/package/McAfeeVSEForLinux/McAfeeVSEForLinux-2.0.2.; enabled)\n> Active: active (running) since Mon 2015-09-27 04:11:22 UTC;21 min ago\n\nIf the "nails" service is not active, check for the presence of "clamav" on the system with the following command:\n\n# systemctl status clamav-daemon.socket\nsystemctl status clamav-daemon.socket\n clamav-daemon.socket - Socket for Clam AntiVirus userspace daemon\n Loaded: loaded (/lib/systemd/system/clamav-daemon.socket; enabled)\n Active: active (running) since Mon 2015-01-12 09:32:59 UTC; 7min ago\n\nIf "McAfee VirusScan Enterprise for Linux" is active on the system, check the dates of the virus definition files with the following command:\n\n# ls -al /opt/NAI/LinuxShield/engine/dat/*.dat\n\n\nIf the virus definition files have dates older than seven days from the current date, this is a finding.\n\nIf "clamav" is active on the system, check the dates of the virus database with the following commands:\n\n# grep -i databasedirectory /etc/clamav.conf\nDatabaseDirectory /var/lib/clamav\n\n# ls -al /var/lib/clamav/*.cvd\n-rwxr-xr-x 1 root root 149156 Mar 5 2011 daily.cvd\n\nIf the database file has a date older than seven days from the current date, this is a finding.
Fixtext: Update the virus scan software and virus definition files.
Rule ID: SV-86841r1_rule
Severity: low
Rule Title: The operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.
Description: Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system.
Check_content: Verify the operating system limits the number of concurrent sessions to "10" for all accounts and/or account types by issuing the following command:\n\n# grep "maxlogins" /etc/security/limits.conf\n* hard maxlogins 10\n\nThis can be set as a global domain (with the * wildcard) but may be set differently for multiple domains.\n\nIf the "maxlogins" item is missing or the value is not set to "10" or less for all domains that have the "maxlogins" item assigned, this is a finding.
Fixtext: Configure the operating system to limit the number of concurrent sessions to "10" for all accounts and/or account types.\n\nAdd the following line to the top of the /etc/security/limits.conf:\n\n* hard maxlogins 10
Rule ID: SV-86843r1_rule
Severity: medium
Rule Title: The host must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments.
Description: In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component.\n\nTo support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.\n\n
Check_content: Inspect the firewall configuration and running services to verify that it is configured to prohibit or restrict the use of functions, ports, protocols, and/or services that are unnecessary or prohibited.\n\nCheck which services are currently active with the following command:\n\n# firewall-cmd --list-all\npublic (default, active)\n interfaces: enp0s3\n sources: \n services: dhcpv6-client dns http https ldaps rpc-bind ssh\n ports: \n masquerade: no\n forward-ports: \n icmp-blocks: \n rich rules: \n\nAsk the System Administrator for the site or program PPSM CLSA. Verify the services allowed by the firewall match the PPSM CLSA. \n\nIf there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding.
Fixtext: Update the host's firewall settings and/or running services to comply with the PPSM CLSA for the site or program and the PPSM CAL.
Rule ID: SV-86845r2_rule
Severity: medium
Rule Title: A FIPS 140-2 approved cryptographic algorithm must be used for SSH communications.
Description: Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.\n\nOperating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.\n\nFIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system.\n\n
Check_content: Verify the operating system uses mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.\n\nNote: If RHEL-07-021350 is a finding, this is automatically a finding as the system cannot implement FIPS 140-2-approved cryptographic algorithms and hashes.\n\nThe location of the "sshd_config" file may vary if a different daemon is in use.\n\nInspect the "Ciphers" configuration with the following command:\n\n# grep -i ciphers /etc/ssh/sshd_config\nCiphers aes128-ctr,aes192-ctr,aes256-ctr\n\nIf any ciphers other than "aes128-ctr", "aes192-ctr", or "aes256-ctr" are listed, the "Ciphers" keyword is missing, or the returned line is commented out, this is a finding.
Fixtext: Configure SSH to use FIPS 140-2 approved cryptographic algorithms.\n\nAdd the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor).\n\nCiphers aes128-ctr,aes192-ctr,aes256-ctr\n\nThe SSH service must be restarted for changes to take effect.
Rule ID: SV-86847r3_rule
Severity: medium
Rule Title: All network connections associated with a communication session must be terminated at the end of the session or after 10 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements.
Description: Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. \n\nTerminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
Check_content: Verify the operating system terminates all network connections associated with a communications session at the end of the session or based on inactivity.\n\nCheck the value of the system inactivity timeout with the following command:\n\n# grep -i tmout /etc/bashrc /etc/profile.d/*\n\nTMOUT=600\n\nIf "TMOUT" is not set to "600" or less in "/etc/bashrc" or in a script created to enforce session termination after inactivity, this is a finding.
Fixtext: Configure the operating system to terminate all network connections associated with a communications session at the end of the session or after a period of inactivity.\n\nAdd or update the following lines in "/etc/profile".\n\nTMOUT=600\nreadonly TMOUT\nexport TMOUT\n\nOr create a script to enforce the inactivity timeout (for example /etc/profile.d/tmout.sh) such as:\n\n#!/bin/bash\n\nTMOUT=600\nreadonly TMOUT\nexport TMOUT
Rule ID: SV-86849r3_rule
Severity: medium
Rule Title: The Standard Mandatory DoD Notice and Consent Banner must be displayed immediately prior to, or as part of, remote access logon prompts.
Description: Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\n\n"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."\n\n
Check_content: Verify any publicly accessible connection to the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.\n\nCheck for the location of the banner file being used with the following command:\n\n# grep -i banner /etc/ssh/sshd_config\n\nbanner /etc/issue\n\nThis command will return the banner keyword and the name of the file that contains the ssh banner (in this case "/etc/issue").\n\nIf the line is commented out, this is a finding.\n\nView the file specified by the banner keyword to check that it matches the text of the Standard Mandatory DoD Notice and Consent Banner:\n\n"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details."\n\nIf the system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.\n\nIf the text in the file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.
Fixtext: Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the ssh.\n\nEdit the "/etc/ssh/sshd_config" file to uncomment the banner keyword and configure it to point to a file that will contain the logon banner (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). An example configuration line is:\n\nbanner /etc/issue\n\nEither create the file containing the banner or replace the text in the file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\n"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n \n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details."\n\nThe SSH service must be restarted for changes to take effect.
Rule ID: SV-86851r2_rule
Severity: medium
Rule Title: The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications.
Description: Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.
Check_content: Verify the operating system implements cryptography to protect the integrity of remote LDAP authentication sessions.\n\nTo determine if LDAP is being used for authentication, use the following command:\n\n# grep -i useldapauth /etc/sysconfig/authconfig\nUSELDAPAUTH=yes\n\nIf USELDAPAUTH=yes, then LDAP is being used. To see if LDAP is configured to use TLS, use the following command:\n\n# grep -i ssl /etc/pam_ldap.conf\nssl start_tls\n\nIf the "ssl" option is not "start_tls", this is a finding.
Fixtext: Configure the operating system to implement cryptography to protect the integrity of LDAP authentication sessions.\n\nSet the USELDAPAUTH=yes in "/etc/sysconfig/authconfig".\n\nSet "ssl start_tls" in "/etc/pam_ldap.conf".
Rule ID: SV-86853r2_rule
Severity: medium
Rule Title: The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.
Description: Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.
Check_content: Verify the operating system implements cryptography to protect the integrity of remote LDAP access sessions.\n\nTo determine if LDAP is being used for authentication, use the following command:\n\n# grep -i useldapauth /etc/sysconfig/authconfig\nUSELDAPAUTH=yes\n\nIf USELDAPAUTH=yes, then LDAP is being used. \n\nCheck for the directory containing X.509 certificates for peer authentication with the following command:\n\n# grep -i cacertdir /etc/pam_ldap.conf\ntls_cacertdir /etc/openldap/certs\n\nVerify the directory set with the "tls_cacertdir" option exists.\n\nIf the directory does not exist or the option is commented out, this is a finding.
Fixtext: Configure the operating system to implement cryptography to protect the integrity of LDAP remote access sessions.\n\nSet the "tls_cacertdir" option in "/etc/pam_ldap.conf" to point to the directory that will contain the X.509 certificates for peer authentication.\n\nSet the "tls_cacertfile" option in "/etc/pam_ldap.conf" to point to the path for the X.509 certificates used for peer authentication.
Rule ID: SV-86855r2_rule
Severity: medium
Rule Title: The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.
Description: Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.
Check_content: Verify the operating system implements cryptography to protect the integrity of remote LDAP access sessions.\n\nTo determine if LDAP is being used for authentication, use the following command:\n\n# grep -i useldapauth /etc/sysconfig/authconfig\nUSELDAPAUTH=yes\n\nIf USELDAPAUTH=yes, then LDAP is being used.\n\nCheck the path to the X.509 certificate for peer authentication with the following command:\n\n# grep -i cacertfile /etc/pam_ldap.conf\ntls_cacertfile /etc/openldap/ldap-cacert.pem\n\nVerify the "tls_cacertfile" option points to a file that contains the trusted CA certificate.\n\nIf this file does not exist, or the option is commented out or missing, this is a finding.
Fixtext: Configure the operating system to implement cryptography to protect the integrity of LDAP remote access sessions.\n\nSet the "tls_cacertfile" option in "/etc/pam_ldap.conf" to point to the path for the X.509 certificates used for peer authentication.
Rule ID: SV-86857r2_rule
Severity: medium
Rule Title: All networked systems must have SSH installed.
Description: Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. \n\nThis requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. \n\nProtecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa.\n\n
Check_content: Check to see if sshd is installed with the following command:\n\n# yum list installed | grep ssh\nlibssh2.x86_64 1.4.3-8.el7 @anaconda/7.1\nopenssh.x86_64 6.6.1p1-11.el7 @anaconda/7.1\nopenssh-clients.x86_64 6.6.1p1-11.el7 @anaconda/7.1\nopenssh-server.x86_64 6.6.1p1-11.el7 @anaconda/7.1\n\nIf the "SSH server" package is not installed, this is a finding.\n\nIf the "SSH client" package is not installed, this is a finding.
Fixtext: Install SSH packages onto the host with the following commands:\n\n# yum install openssh-clients.x86_64\n# yum install openssh-server.x86_64\n
Rule ID: SV-86859r2_rule
Severity: medium
Rule Title: All networked systems must use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission.
Description: Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. \n\nThis requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. \n\nProtecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.\n\n
Check_content: Verify SSH is loaded and active with the following command:\n\n# systemctl status sshd\n sshd.service - OpenSSH server daemon\n Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)\n Active: active (running) since Tue 2015-11-17 15:17:22 EST; 4 weeks 0 days ago\n Main PID: 1348 (sshd)\n CGroup: /system.slice/sshd.service\n └─1348 /usr/sbin/sshd -D\n\nIf "sshd" does not show a status of "active" and "running", this is a finding.
Fixtext: Configure the SSH service to automatically start after reboot with the following command:\n\n# systemctl enable sshd\nln -s '/usr/lib/systemd/system/sshd.service' '/etc/systemd/system/multi-user.target.wants/sshd.service'
Rule ID: SV-86861r3_rule
Severity: medium
Rule Title: All network connections associated with SSH traffic must terminate at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.
Description: Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.\n\nTerminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.\n\n
Check_content: Verify the operating system automatically terminates a user session after inactivity time-outs have expired.\n\nCheck for the value of the "ClientAliveInterval" keyword with the following command:\n\n# grep -iw clientaliveinterval /etc/ssh/sshd_config\n\nClientAliveInterval 600\n\nIf "ClientAliveInterval" is not configured, commented out, or has a value of "0", this is a finding.\n\nIf "ClientAliveInterval" has a value that is greater than "600" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
Fixtext: Configure the operating system to automatically terminate a user session after inactivity time-outs have expired or at shutdown.\n\nAdd the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):\n\nClientAliveInterval 600\n\nThe SSH service must be restarted for changes to take effect.
Rule ID: SV-86863r3_rule
Severity: medium
Rule Title: The SSH daemon must not allow authentication using RSA rhosts authentication.
Description: Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.
Check_content: Verify the SSH daemon does not allow authentication using RSA rhosts authentication.\n\nTo determine how the SSH daemon's "RhostsRSAAuthentication" option is set, run the following command:\n\n# grep RhostsRSAAuthentication /etc/ssh/sshd_config\nRhostsRSAAuthentication no\n\nIf the value is returned as "yes", the returned line is commented out, or no output is returned, this is a finding.
Fixtext: Configure the SSH daemon to not allow authentication using RSA rhosts authentication.\n\nAdd the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "no":\n\nRhostsRSAAuthentication no\n\nThe SSH service must be restarted for changes to take effect.
Rule ID: SV-86865r3_rule
Severity: medium
Rule Title: All network connections associated with SSH traffic must terminate after a period of inactivity.
Description: Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.\n\nTerminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.\n\n
Check_content: Check the version of the operating system with the following command:\n\n# cat /etc/redhat-release\n\nIf the release is 7.4 or newer, this requirement is Not Applicable.\n\nVerify the operating system automatically terminates a user session after inactivity time-outs have expired.\n\nCheck for the value of the "ClientAliveCountMax" keyword with the following command:\n\n# grep -i clientalivecount /etc/ssh/sshd_config\nClientAliveCountMax 0\n\nIf "ClientAliveCountMax" is not set to "0" in "/etc/ssh/sshd_config", this is a finding.
Fixtext: Configure the operating system to automatically terminate a user session after inactivity time-outs have expired or at shutdown.\n\nAdd the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):\n\nClientAliveCountMax 0\n\nThe SSH service must be restarted for changes to take effect.
Rule ID: SV-86867r2_rule
Severity: medium
Rule Title: The SSH daemon must not allow authentication using rhosts authentication.
Description: Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.
Check_content: Verify the SSH daemon does not allow authentication using known hosts authentication.\n\nTo determine how the SSH daemon's "IgnoreRhosts" option is set, run the following command:\n\n# grep -i IgnoreRhosts /etc/ssh/sshd_config\n\nIgnoreRhosts yes\n\nIf the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.
Fixtext: Configure the SSH daemon to not allow authentication using known hosts authentication.\n\nAdd the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes":\n\nIgnoreRhosts yes
Rule ID: SV-86869r2_rule
Severity: medium
Rule Title: The system must display the date and time of the last successful account logon upon an SSH logon.
Description: Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.
Check_content: Verify SSH provides users with feedback on when account accesses last occurred.\n\nCheck that "PrintLastLog" keyword in the sshd daemon configuration file is used and set to "yes" with the following command:\n\n# grep -i printlastlog /etc/ssh/sshd_config\nPrintLastLog yes\n\nIf the "PrintLastLog" keyword is set to "no", is missing, or is commented out, this is a finding.
Fixtext: Configure SSH to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/sshd" or in the "sshd_config" file used by the system ("/etc/ssh/sshd_config" will be used in the example) (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor).\n\nAdd the following line to the top of "/etc/pam.d/sshd":\n\nsession required pam_lastlog.so showfailed\n\nOr modify the "PrintLastLog" line in "/etc/ssh/sshd_config" to match the following:\n\nPrintLastLog yes\n\nThe SSH service must be restarted for changes to "sshd_config" to take effect.
Rule ID: SV-86871r2_rule
Severity: medium
Rule Title: The system must not permit direct logons to the root account using remote access via SSH.
Description: Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly as root. In addition, logging on with a user-specific account provides individual accountability of actions performed on the system.
Check_content: Verify remote access using SSH prevents users from logging on directly as root.\n\nCheck that SSH prevents users from logging on directly as root with the following command:\n\n# grep -i permitrootlogin /etc/ssh/sshd_config\nPermitRootLogin no\n\nIf the "PermitRootLogin" keyword is set to "yes", is missing, or is commented out, this is a finding.
Fixtext: Configure SSH to stop users from logging on remotely as the root user.\n\nEdit the appropriate "/etc/ssh/sshd_config" file to uncomment or add the line for the "PermitRootLogin" keyword and set its value to "no" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):\n\nPermitRootLogin no\n\nThe SSH service must be restarted for changes to take effect.
Rule ID: SV-86873r2_rule
Severity: medium
Rule Title: The SSH daemon must not allow authentication using known hosts authentication.
Description: Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.
Check_content: Verify the SSH daemon does not allow authentication using known hosts authentication.\n\nTo determine how the SSH daemon's "IgnoreUserKnownHosts" option is set, run the following command:\n\n# grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config\n\nIgnoreUserKnownHosts yes\n\nIf the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.
Fixtext: Configure the SSH daemon to not allow authentication using known hosts authentication.\n\nAdd the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes":\n\nIgnoreUserKnownHosts yes\n\nThe SSH service must be restarted for changes to take effect.
Rule ID: SV-86875r3_rule
Severity: high
Rule Title: The SSH daemon must be configured to only use the SSHv2 protocol.
Description: SSHv1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.\n\n
Check_content: Check the version of the operating system with the following command:\n\n# cat /etc/redhat-release\n\nIf the release is 7.4 or newer this requirement is Not Applicable.\n\nVerify the SSH daemon is configured to only use the SSHv2 protocol.\n\nCheck that the SSH daemon is configured to only use the SSHv2 protocol with the following command:\n\n# grep -i protocol /etc/ssh/sshd_config\nProtocol 2\n#Protocol 1,2\n\nIf any protocol line other than "Protocol 2" is uncommented, this is a finding.
Fixtext: Remove all Protocol lines that reference version "1" in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). The "Protocol" line must be as follows:\n\nProtocol 2\n\nThe SSH service must be restarted for changes to take effect.
Rule ID: SV-86877r2_rule
Severity: medium
Rule Title: The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
Description: DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2 hash algorithm meeting this requirement is SHA.
Check_content: Verify the SSH daemon is configured to only use MACs employing FIPS 140-2-approved ciphers.\n\nNote: If RHEL-07-021350 is a finding, this is automatically a finding as the system cannot implement FIPS 140-2-approved cryptographic algorithms and hashes.\n\nCheck that the SSH daemon is configured to only use MACs employing FIPS 140-2-approved ciphers with the following command:\n\n# grep -i macs /etc/ssh/sshd_config\nMACs hmac-sha2-256,hmac-sha2-512\n\nIf any ciphers other than "hmac-sha2-256" or "hmac-sha2-512" are listed or the returned line is commented out, this is a finding.
Fixtext: Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "MACs" keyword and set its value to "hmac-sha2-256" and/or "hmac-sha2-512" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):\n\nMACs hmac-sha2-256,hmac-sha2-512\n\nThe SSH service must be restarted for changes to take effect.
Rule ID: SV-86879r1_rule
Severity: medium
Rule Title: The SSH public host key files must have mode 0644 or less permissive.
Description: If a public host key file is modified by an unauthorized user, the SSH service may be compromised.
Check_content: Verify the SSH public host key files have mode "0644" or less permissive.\n\nNote: SSH public key files may be found in other directories on the system depending on the installation.\n\nThe following command will find all SSH public key files on the system:\n\n# find /etc/ssh -name '*.pub' -exec ls -lL {} \;\n\n-rw-r--r-- 1 root wheel 618 Nov 28 06:43 ssh_host_dsa_key.pub\n-rw-r--r-- 1 root wheel 347 Nov 28 06:43 ssh_host_key.pub\n-rw-r--r-- 1 root wheel 238 Nov 28 06:43 ssh_host_rsa_key.pub\n\nIf any file has a mode more permissive than "0644", this is a finding.
Fixtext: Note: SSH public key files may be found in other directories on the system depending on the installation. \n\nChange the mode of public host key files under "/etc/ssh" to "0644" with the following command:\n\n# chmod 0644 /etc/ssh/*_key.pub
Rule ID: SV-86881r1_rule
Severity: medium
Rule Title: The SSH private host key files must have mode 0600 or less permissive.
Description: If an unauthorized user obtains the private SSH host key file, the host could be impersonated.
Check_content: Verify the SSH private host key files have mode "0600" or less permissive.\n\nThe following command will find all SSH private key files on the system:\n\n# find / -name '*ssh_host*key'\n\nCheck the mode of the private host key files under "/etc/ssh" with the following command:\n\n# ls -lL /etc/ssh/*key\n-rw------- 1 root wheel 668 Nov 28 06:43 ssh_host_dsa_key\n-rw------- 1 root wheel 582 Nov 28 06:43 ssh_host_key\n-rw------- 1 root wheel 887 Nov 28 06:43 ssh_host_rsa_key\n\nIf any file has a mode more permissive than "0600", this is a finding.
Fixtext: Configure the mode of SSH private host key files under "/etc/ssh" to "0600" with the following command:\n\n# chmod 0600 /etc/ssh/ssh_host*key
Rule ID: SV-86883r2_rule
Severity: medium
Rule Title: The SSH daemon must not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.
Description: GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed.
Check_content: Verify the SSH daemon does not permit GSSAPI authentication unless approved.\n\nCheck that the SSH daemon does not permit GSSAPI authentication with the following command:\n\n# grep -i gssapiauth /etc/ssh/sshd_config\nGSSAPIAuthentication no\n\nIf the "GSSAPIAuthentication" keyword is missing, is set to "yes" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding.
Fixtext: Uncomment the "GSSAPIAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no": \n\nGSSAPIAuthentication no\n\nThe SSH service must be restarted for changes to take effect.\n\nIf GSSAPI authentication is required, it must be documented, to include the location of the configuration file, with the ISSO.
Rule ID: SV-86885r2_rule
Severity: medium
Rule Title: The SSH daemon must not permit Kerberos authentication unless needed.
Description: Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to exploitation. To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be disabled for systems not using this capability.
Check_content: Verify the SSH daemon does not permit Kerberos to authenticate passwords unless approved.\n\nCheck that the SSH daemon does not permit Kerberos to authenticate passwords with the following command:\n\n# grep -i kerberosauth /etc/ssh/sshd_config\nKerberosAuthentication no\n\nIf the "KerberosAuthentication" keyword is missing, or is set to "yes" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding.
Fixtext: Uncomment the "KerberosAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no":\n\nKerberosAuthentication no\n\nThe SSH service must be restarted for changes to take effect.\n\nIf Kerberos authentication is required, it must be documented, to include the location of the configuration file, with the ISSO.
Rule ID: SV-86887r2_rule
Severity: medium
Rule Title: The SSH daemon must perform strict mode checking of home directory configuration files.
Description: If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.
Check_content: Verify the SSH daemon performs strict mode checking of home directory configuration files.\n\nThe location of the "sshd_config" file may vary if a different daemon is in use.\n\nInspect the "sshd_config" file with the following command:\n\n# grep -i strictmodes /etc/ssh/sshd_config\n\nStrictModes yes\n\nIf "StrictModes" is set to "no", is missing, or the returned line is commented out, this is a finding.
Fixtext: Uncomment the "StrictModes" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "yes":\n\nStrictModes yes\n\nThe SSH service must be restarted for changes to take effect.
Rule ID: SV-86889r2_rule
Severity: medium
Rule Title: The SSH daemon must use privilege separation.
Description: SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section.
Check_content: Verify the SSH daemon performs privilege separation.\n\nCheck that the SSH daemon performs privilege separation with the following command:\n\n# grep -i usepriv /etc/ssh/sshd_config\n\nUsePrivilegeSeparation sandbox\n\nIf the "UsePrivilegeSeparation" keyword is set to "no", is missing, or the returned line is commented out, this is a finding.
Fixtext: Uncomment the "UsePrivilegeSeparation" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "sandbox" or "yes":\n\nUsePrivilegeSeparation sandbox\n\nThe SSH service must be restarted for changes to take effect.
Rule ID: SV-86891r2_rule
Severity: medium
Rule Title: The SSH daemon must not allow compression or must only allow compression after successful authentication.
Description: If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.
Check_content: Verify the SSH daemon performs compression after a user successfully authenticates.\n\nCheck that the SSH daemon performs compression after a user successfully authenticates with the following command:\n\n# grep -i compression /etc/ssh/sshd_config\nCompression delayed\n\nIf the "Compression" keyword is set to "yes", is missing, or the returned line is commented out, this is a finding.
Fixtext: Uncomment the "Compression" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) on the system and set the value to "delayed" or "no":\n\nCompression no\n\nThe SSH service must be restarted for changes to take effect.
Rule ID: SV-86893r2_rule
Severity: medium
Rule Title: The operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
Description: Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.\n\nOrganizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).\n\n
Check_content: Check to see if NTP is running in continuous mode.\n\n# ps -ef | grep ntp\n\nIf NTP is not running, this is a finding.\n\nIf the process is found, then check the "ntp.conf" file for the "maxpoll" option setting:\n\n# grep maxpoll /etc/ntp.conf\n\nmaxpoll 17\n\nIf the option is set to "17" or is not set, this is a finding.\n\nIf the file does not exist, check the "/etc/cron.daily" subdirectory for a crontab file controlling the execution of the "ntpdate" command.\n\n# grep -l ntpdate /etc/cron.daily\n\n# ls -al /etc/cron.* | grep aide\nntp\n\nIf a crontab file does not exist in the "/etc/cron.daily" that executes the "ntpdate" file, this is a finding.
Fixtext: Edit the "/etc/ntp.conf" file and add or update an entry to define "maxpoll" to "10" as follows:\n\nmaxpoll 10\n\nIf NTP was running and "maxpoll" was updated, the NTP service must be restarted:\n\n# systemctl restart ntpd\n\nIf NTP was not running, it must be started:\n\n# systemctl start ntpd
Rule ID: SV-86895r2_rule
Severity: medium
Rule Title: The operating system must protect against or limit the effects of Denial of Service (DoS) attacks by validating the operating system is implementing rate-limiting measures on impacted network interfaces.
Description: DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.\n\nThis requirement addresses the configuration of the operating system to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.
Check_content: Verify the operating system protects against or limits the effects of DoS attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.\n\nCheck the firewall configuration with the following command:\n\nNote: The command is to query rules for the public zone.\n\n# firewall-cmd --direct --get-rule ipv4 filter IN_public_allow\nrule ipv4 filter IN_public_allow 0 -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT\n\nIf a rule with both the limit and limit-burst arguments parameters does not exist, this is a finding.
Fixtext: Create a direct firewall rule to protect against DoS attacks with the following command:\n\nNote: The command is to add a rule to the public zone.\n\n# firewall-cmd --direct --permanent --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT\n\nThe firewalld service will need to be restarted for this to take effect:\n\n# systemctl restart firewalld
Rule ID: SV-86897r1_rule
Severity: medium
Rule Title: The operating system must enable an application firewall, if available.
Description: Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications are allowed to communicate over the network.\n\n
Check_content: Verify the operating system enabled an application firewall.\n\nCheck to see if "firewalld" is installed with the following command:\n\n# yum list installed firewalld\nfirewalld-0.3.9-11.el7.noarch.rpm\n\nIf the "firewalld" package is not installed, ask the System Administrator if another firewall application (such as iptables) is installed. \n\nIf an application firewall is not installed, this is a finding. \n\nCheck to see if the firewall is loaded and active with the following command:\n\n# systemctl status firewalld\nfirewalld.service - firewalld - dynamic firewall daemon\n\n Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)\n Active: active (running) since Tue 2014-06-17 11:14:49 CEST; 5 days ago\n\nIf "firewalld" does not show a status of "loaded" and "active", this is a finding. \n\nCheck the state of the firewall:\n\n# firewall-cmd --state \nrunning\n\nIf "firewalld" does not show a state of "running", this is a finding.
Fixtext: Ensure the operating system\'s application firewall is enabled.\n\nInstall the "firewalld" package, if it is not on the system, with the following command:\n\n# yum install firewalld\n\nStart the firewall via "systemctl" with the following command:\n\n# systemctl start firewalld
Rule ID: SV-86899r2_rule
Severity: low
Rule Title: The system must display the date and time of the last successful account logon upon logon.
Description: Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.
Check_content: Verify users are provided with feedback on when account accesses last occurred.\n\nCheck that "pam_lastlog" is used and not silent with the following command:\n\n# grep pam_lastlog /etc/pam.d/postlogin-ac\nsession required pam_lastlog.so showfailed\n\nIf the "silent" option is present with "pam_lastlog" check the sshd configuration file.\n\n# grep -i printlastlog /etc/ssh/sshd_config\nPrintLastLog yes\n\nIf "pam_lastlog" is missing from "/etc/pam.d/postlogin-ac" file, or the silent option is present and PrintLastLog is missing from or set to "no" in the "/etc/ssh/sshd_config" file this is a finding.
Fixtext: Configure the operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/postlogin-ac". \n\nAdd the following line to the top of "/etc/pam.d/postlogin-ac":\n\nsession required pam_lastlog.so showfailed
Rule ID: SV-86901r1_rule
Severity: high
Rule Title: There must be no .shosts files on the system.
Description: The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.
Check_content: Verify there are no ".shosts" files on the system.\n\nCheck the system for the existence of these files with the following command:\n\n# find / -name \'*.shosts\'\n\nIf any ".shosts" files are found on the system, this is a finding.
Fixtext: Remove any found ".shosts" files from the system.\n\n# rm /[path]/[to]/[file]/.shosts
Rule ID: SV-86903r1_rule
Severity: high
Rule Title: There must be no shosts.equiv files on the system.
Description: The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.
Check_content: Verify there are no "shosts.equiv" files on the system.\n\nCheck the system for the existence of these files with the following command:\n\n# find / -name shosts.equiv\n\nIf any "shosts.equiv" files are found on the system, this is a finding.
Fixtext: Remove any found "shosts.equiv" files from the system.\n\n# rm /[path]/[to]/[file]/shosts.equiv
Rule ID: SV-86905r1_rule
Severity: low
Rule Title: For systems using DNS resolution, at least two name servers must be configured.
Description: To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.
Check_content: Determine whether the system is using local or DNS name resolution with the following command:\n\n# grep hosts /etc/nsswitch.conf\nhosts: files dns\n\nIf the DNS entry is missing from the host’s line in the "/etc/nsswitch.conf" file, the "/etc/resolv.conf" file must be empty.\n\nVerify the "/etc/resolv.conf" file is empty with the following command:\n\n# ls -al /etc/resolv.conf\n-rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf\n\nIf local host authentication is being used and the "/etc/resolv.conf" file is not empty, this is a finding.\n\nIf the DNS entry is found on the host’s line of the "/etc/nsswitch.conf" file, verify the operating system is configured to use two or more name servers for DNS resolution.\n\nDetermine the name servers used by the system with the following command:\n\n# grep nameserver /etc/resolv.conf\nnameserver 192.168.1.2\nnameserver 192.168.1.3\n\nIf less than two lines are returned that are not commented out, this is a finding.
Fixtext: Configure the operating system to use two or more name servers for DNS resolution.\n\nEdit the "/etc/resolv.conf" file to uncomment or add the two or more "nameserver" option lines with the IP address of local authoritative name servers. If local host resolution is being performed, the "/etc/resolv.conf" file must be empty. An empty "/etc/resolv.conf" file can be created as follows:\n\n# echo -n > /etc/resolv.conf\n\nAnd then make the file immutable with the following command:\n\n# chattr +i /etc/resolv.conf\n\nIf the "/etc/resolv.conf" file must be mutable, the required configuration must be documented with the Information System Security Officer (ISSO) and the file must be verified by the system file integrity tool.
Rule ID: SV-86907r1_rule
Severity: medium
Rule Title: The system must not forward Internet Protocol version 4 (IPv4) source-routed packets.
Description: Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.
Check_content: Verify the system does not accept IPv4 source-routed packets.\n\nCheck the value of the accept source route variable with the following command:\n\n# /sbin/sysctl -a | grep net.ipv4.conf.all.accept_source_route\nnet.ipv4.conf.all.accept_source_route=0\n\nIf the returned line does not have a value of "0", a line is not returned, or the returned line is commented out, this is a finding.
Fixtext: Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value):\n\nnet.ipv4.conf.all.accept_source_route = 0
Rule ID: SV-86909r1_rule
Severity: medium
Rule Title: The system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
Description: Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.
Check_content: Verify the system does not accept IPv4 source-routed packets by default.\n\nCheck the value of the accept source route variable with the following command:\n\n# /sbin/sysctl -a | grep net.ipv4.conf.default.accept_source_route\nnet.ipv4.conf.default.accept_source_route=0\n\nIf the returned line does not have a value of "0", a line is not returned, or the returned line is commented out, this is a finding.
Fixtext: Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value):\n\nnet.ipv4.conf.default.accept_source_route = 0
Rule ID: SV-86911r1_rule
Severity: medium
Rule Title: The system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
Description: Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.
Check_content: Verify the system does not respond to IPv4 ICMP echoes sent to a broadcast address.\n\nCheck the value of the "icmp_echo_ignore_broadcasts" variable with the following command:\n\n# /sbin/sysctl -a | grep net.ipv4.icmp_echo_ignore_broadcasts\nnet.ipv4.icmp_echo_ignore_broadcasts=1\n\nIf the returned line does not have a value of "1", a line is not returned, or the returned line is commented out, this is a finding.
Fixtext: Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value):\n\nnet.ipv4.icmp_echo_ignore_broadcasts=1
Rule ID: SV-86913r2_rule
Severity: medium
Rule Title: The system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
Description: ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
Check_content: Verify the system will not accept IPv4 ICMP redirect messages.\n\nCheck the value of the default "accept_redirects" variables with the following command:\n\n# /sbin/sysctl -a | grep \'net.ipv4.conf.default.accept_redirects\'\nnet.ipv4.conf.default.accept_redirects=0\n\nIf the returned line does not have a value of "0", or a line is not returned, this is a finding.
Fixtext: Set the system to not accept IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value):\n\nnet.ipv4.conf.default.accept_redirects = 0
Rule ID: SV-86915r3_rule
Severity: medium
Rule Title: The system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.
Description: ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.
Check_content: Verify the system does not allow interfaces to perform IPv4 ICMP redirects by default.\n\nCheck the value of the "default send_redirects" variables with the following command:\n\n# /sbin/sysctl -a | grep \'net.ipv4.conf.default.send_redirects\'\n\nnet.ipv4.conf.default.send_redirects = 0 \n\nIf the returned line does not have a value of "0", or a line is not returned, this is a finding.
Fixtext: Configure the system to not allow interfaces to perform IPv4 ICMP redirects by default. \n\nSet the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value):\n\nnet.ipv4.conf.default.send_redirects=0\n\nIssue the following command to make the changes take effect:\n\n# sysctl -p /etc/sysctl.conf
Rule ID: SV-86917r2_rule
Severity: medium
Rule Title: The system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
Description: ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.
Check_content: Verify the system does not send IPv4 ICMP redirect messages.\n\nCheck the value of the "all send_redirects" variables with the following command:\n\n# grep \'net.ipv4.conf.all.send_redirects\' /etc/sysctl.conf\n\nnet.ipv4.conf.all.send_redirects=0\n\nIf the returned line does not have a value of "0", or a line is not returned, this is a finding.
Fixtext: Configure the system to not allow interfaces to perform IPv4 ICMP redirects. \n\nSet the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value):\n\nnet.ipv4.conf.all.send_redirects=0
Rule ID: SV-86919r1_rule
Severity: medium
Rule Title: Network interfaces must not be in promiscuous mode.
Description: Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems.\n\nIf the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information System Security Officer (ISSO) and restricted to only authorized personnel.
Check_content: Verify network interfaces are not in promiscuous mode unless approved by the ISSO and documented.\n\nCheck for the status with the following command:\n\n# ip link | grep -i promisc\n\nIf network interfaces are found on the system in promiscuous mode and their use has not been approved by the ISSO and documented, this is a finding.
Fixtext: Configure network interfaces to turn off promiscuous mode unless approved by the ISSO and documented.\n\nSet the promiscuous mode of an interface to off with the following command:\n\n#ip link set dev multicast off promisc off
Rule ID: SV-86921r2_rule
Severity: medium
Rule Title: The system must be configured to prevent unrestricted mail relaying.
Description: If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.
Check_content: Verify the system is configured to prevent unrestricted mail relaying.\n\nDetermine if "postfix" is installed with the following commands:\n\n# yum list installed postfix\npostfix-2.6.6-6.el7.x86_64.rpm \n\nIf postfix is not installed, this is Not Applicable.\n\nIf postfix is installed, determine if it is configured to reject connections from unknown or untrusted networks with the following command:\n\n# postconf -n smtpd_client_restrictions\nsmtpd_client_restrictions = permit_mynetworks, reject\n\nIf the "smtpd_client_restrictions" parameter contains any entries other than "permit_mynetworks" and "reject", this is a finding.
Fixtext: If "postfix" is installed, modify the "/etc/postfix/main.cf" file to restrict client connections to the local network with the following command:\n\n# postconf -e \'smtpd_client_restrictions = permit_mynetworks,reject\'
Rule ID: SV-86923r2_rule
Severity: high
Rule Title: A File Transfer Protocol (FTP) server package must not be installed unless needed.
Description: The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service.
Check_content: Verify an FTP server has not been installed on the system.\n\nCheck to see if an FTP server has been installed with the following commands:\n\n# yum list installed vsftpd\n\n vsftpd-3.0.2.el7.x86_64.rpm\n\nIf "vsftpd" is installed and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n
Fixtext: Document the "vsftpd" package with the ISSO as an operational requirement or remove it from the system with the following command:\n\n# yum remove vsftpd\n
Rule ID: SV-86925r1_rule
Severity: high
Rule Title: The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for operational support.
Description: If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have access control rules established.
Check_content: Verify a TFTP server has not been installed on the system.\n\nCheck to see if a TFTP server has been installed with the following command:\n\n# yum list installed tftp-server\ntftp-server-0.49-9.el7.x86_64.rpm\n\nIf TFTP is installed and the requirement for TFTP is not documented with the ISSO, this is a finding.
Fixtext: Remove the TFTP package from the system with the following command:\n\n# yum remove tftp
Rule ID: SV-86927r3_rule
Severity: high
Rule Title: Remote X connections for interactive users must be encrypted.
Description: Open X displays allow an attacker to capture keystrokes and execute commands remotely.
Check_content: Verify remote X connections for interactive users are encrypted.\n\nCheck that remote X connections are encrypted with the following command:\n\n# grep -i x11forwarding /etc/ssh/sshd_config\n\nX11Forwarding yes\n\nIf the "X11Forwarding" keyword is set to "no", is missing, or is commented out, this is a finding.
Fixtext: Configure SSH to encrypt connections for interactive users.\n\nEdit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11Forwarding" keyword and set its value to "yes" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):\n\nX11Forwarding yes\n\nThe SSH service must be restarted for changes to take effect.
Rule ID: SV-86929r2_rule
Severity: medium
Rule Title: If the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon must be configured to operate in secure mode.
Description: Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files.
Check_content: Verify the TFTP daemon is configured to operate in secure mode.\n\nCheck to see if a TFTP server has been installed with the following commands:\n\n# yum list installed | grep tftp-server\ntftp-server.x86_64 x.x-x.el7 rhel-7-server-rpms\n\nIf a TFTP server is not installed, this is Not Applicable.\n\nIf a TFTP server is installed, check for the server arguments with the following command: \n\n# grep server_args /etc/xinetd.d/tftp\nserver_args = -s /var/lib/tftpboot\n\nIf the "server_args" line does not have a "-s" option and a subdirectory is not assigned, this is a finding.
Fixtext: Configure the TFTP daemon to operate in secure mode by adding the following line to "/etc/xinetd.d/tftp" (or modify the line to have the required value):\n\nserver_args = -s /var/lib/tftpboot
Rule ID: SV-86931r3_rule
Severity: medium
Rule Title: An X Windows display manager must not be installed unless approved.
Description: Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. X Windows has a long history of security vulnerabilities and will not be used unless approved and documented.
Check_content: Verify that if the system has X Windows System installed, it is authorized.\n\nCheck for the X11 package with the following command:\n\n# rpm -qa | grep xorg | grep server\n\nAsk the System Administrator if use of the X Windows System is an operational requirement.\n\nIf the use of X Windows on the system is not documented with the Information System Security Officer (ISSO), this is a finding.
Fixtext: Document the requirement for an X Windows server with the ISSO or remove the related packages with the following commands:\n\n# rpm -e xorg-x11-server-common
Rule ID: SV-86933r1_rule
Severity: medium
Rule Title: The system must not be performing packet forwarding unless the system is a router.
Description: Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
Check_content: Verify the system is not performing packet forwarding, unless the system is a router.\n\nCheck to see if IP forwarding is enabled using the following command:\n\n# /sbin/sysctl -a | grep net.ipv4.ip_forward\nnet.ipv4.ip_forward=0\n\nIf IP forwarding value is "1" and the system is hosting any application, database, or web servers, this is a finding.
Fixtext: Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value):\n\nnet.ipv4.ip_forward = 0
Rule ID: SV-86935r3_rule
Severity: medium
Rule Title: The Network File System (NFS) must be configured to use RPCSEC_GSS.
Description: When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The RPCSEC_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.
Check_content: Verify "AUTH_GSS" is being used to authenticate NFS mounts.\n\nTo check if the system is importing an NFS file system, look for any entries in the "/etc/fstab" file that have a file system type of "nfs" with the following command:\n\n# cat /etc/fstab | grep nfs\n192.168.21.5:/mnt/export /data1 nfs4 rw,sync ,soft,sec=krb5:krb5i:krb5p\n\nIf the system is mounting file systems via NFS and has the sec option without the "krb5:krb5i:krb5p" settings, the "sec" option has the "sys" setting, or the "sec" option is missing, this is a finding.
Fixtext: Update the "/etc/fstab" file so the option "sec" is defined for each NFS mounted file system and the "sec" option does not have the "sys" setting. \n\nEnsure the "sec" option is defined as "krb5:krb5i:krb5p".
Rule ID: SV-86937r1_rule
Severity: high
Rule Title: SNMP community strings must be changed from the default.
Description: Whether active or not, default Simple Network Management Protocol (SNMP) community strings must be changed to maintain security. If the service is running with the default authenticators, anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system or network(s). It is highly recommended that SNMP version 3 user authentication and message encryption be used in place of the version 2 community strings.
Check_content: Verify that a system using SNMP is not using default community strings.\n\nCheck to see if the "/etc/snmp/snmpd.conf" file exists with the following command:\n\n# ls -al /etc/snmp/snmpd.conf\n -rw------- 1 root root 52640 Mar 12 11:08 snmpd.conf\n\nIf the file does not exist, this is Not Applicable.\n\nIf the file does exist, check for the default community strings with the following commands:\n\n# grep public /etc/snmp/snmpd.conf\n# grep private /etc/snmp/snmpd.conf\n\nIf either of these commands returns any output, this is a finding.
Fixtext: If the "/etc/snmp/snmpd.conf" file exists, modify any lines that contain a community string value of "public" or "private" to another string value.
Rule ID: SV-86939r2_rule
Severity: medium
Rule Title: The system access control program must be configured to grant or deny system access to specific hosts and services.
Description: If the systems access control program is not configured with appropriate rules for allowing and denying access to system network resources, services may be accessible to unauthorized hosts.
Check_content: If the "firewalld" package is not installed, ask the System Administrator (SA) if another firewall application (such as iptables) is installed. If an application firewall is not installed, this is a finding. \n\nVerify the system\'s access control program is configured to grant or deny system access to specific hosts.\n\nCheck to see if "firewalld" is active with the following command:\n\n# systemctl status firewalld\nfirewalld.service - firewalld - dynamic firewall daemon\n Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)\n Active: active (running) since Sun 2014-04-20 14:06:46 BST; 30s ago\n\nIf "firewalld" is active, check to see if it is configured to grant or deny access to specific hosts or services with the following commands:\n\n# firewall-cmd --get-default-zone\npublic\n\n# firewall-cmd --list-all --zone=public\npublic (default, active)\n interfaces: eth0\n sources:\n services: mdns ssh\n ports:\n masquerade: no\n forward-ports:\n icmp-blocks:\n rich rules:\n rule family="ipv4" source address="92.188.21.1/24" accept\n rule family="ipv4" source address="211.17.142.46/32" accept\n\nIf "firewalld" is not active, determine whether "tcpwrappers" is being used by checking whether the "hosts.allow" and "hosts.deny" files are empty with the following commands:\n\n# ls -al /etc/hosts.allow\nrw-r----- 1 root root 9 Aug 2 23:13 /etc/hosts.allow\n \n# ls -al /etc/hosts.deny\n-rw-r----- 1 root root 9 Apr 9 2007 /etc/hosts.deny\n\nIf "firewalld" and "tcpwrappers" are not installed, configured, and active, ask the SA if another access control program (such as iptables) is installed and active. Ask the SA to show that the running configuration grants or denies access to specific hosts or services.\n\nIf "firewalld" is active and is not configured to grant access to specific hosts or "tcpwrappers" is not configured to grant or deny access to specific hosts, this is a finding.
Fixtext: If "firewalld" is installed and active on the system, configure rules for allowing specific services and hosts. \n\nIf "firewalld" is not "active", enable "tcpwrappers" by configuring "/etc/hosts.allow" and "/etc/hosts.deny" to allow or deny access to specific hosts.
Rule ID: SV-86941r1_rule
Severity: medium
Rule Title: The system must not have unauthorized IP tunnels configured.
Description: IP tunneling mechanisms can be used to bypass network filtering. If tunneling is required, it must be documented with the Information System Security Officer (ISSO).
Check_content: Verify the system does not have unauthorized IP tunnels configured.\n\nCheck to see if "libreswan" is installed with the following command:\n\n# yum list installed libreswan\nopenswan-2.6.32-27.el6.x86_64\n\nIf "libreswan" is installed, check to see if the "IPsec" service is active with the following command:\n\n# systemctl status ipsec\nipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec\n Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)\n Active: inactive (dead)\n\nIf the "IPsec" service is active, check to see if any tunnels are configured in "/etc/ipsec.conf" and "/etc/ipsec.d/" with the following commands:\n\n# grep -i conn /etc/ipsec.conf\nconn mytunnel\n\n# grep -i conn /etc/ipsec.d/*.conf\nconn mytunnel\n\nIf there are indications that a "conn" parameter is configured for a tunnel, ask the System Administrator if the tunnel is documented with the ISSO. If "libreswan" is installed, "IPsec" is active, and an undocumented tunnel is active, this is a finding.
Fixtext: Remove all unapproved tunnels from the system, or document them with the ISSO.
Rule ID: SV-86943r1_rule
Severity: medium
Rule Title: The system must not forward IPv6 source-routed packets.
Description: Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.
Check_content: Verify the system does not accept IPv6 source-routed packets.\n\nNote: If IPv6 is not enabled, the key will not exist, and this is not a finding.\n\nCheck the value of the accept source route variable with the following command:\n\n# /sbin/sysctl -a | grep net.ipv6.conf.all.accept_source_route\nnet.ipv6.conf.all.accept_source_route=0\n\nIf the returned lines do not have a value of "0", or a line is not returned, this is a finding.
Fixtext: Set the system to the required kernel parameter, if IPv6 is enabled, by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value):\n\nnet.ipv6.conf.all.accept_source_route = 0
Rule ID: SV-87041r2_rule
Severity: medium
Rule Title: The operating system must have the required packages for multifactor authentication installed.
Description: Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.\n\nMultifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.\n\nA privileged account is defined as an information system account with authorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nThis requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).\n\nRequires further clarification from NIST.\n\n
Check_content: Verify the operating system has the packages required for multifactor authentication installed.\n\nCheck for the presence of the packages required to support multifactor authentication with the following commands:\n\n# yum list installed esc\nesc-1.1.0-26.el7.noarch.rpm\n\n# yum list installed pam_pkcs11\npam_pkcs11-0.6.2-14.el7.noarch.rpm\n\n# yum list installed authconfig-gtk\nauthconfig-gtk-6.1.12-19.el7.noarch.rpm\n\nIf the "esc", "pam_pkcs11", and "authconfig-gtk" packages are not installed, this is a finding.
Fixtext: Configure the operating system to implement multifactor authentication by installing the required packages.\n\nInstall the "esc", "pam_pkcs11", "authconfig", and "authconfig-gtk" packages on the system with the following command:\n\n# yum install esc pam_pkcs11 authconfig-gtk
Rule ID: SV-87051r3_rule
Severity: medium
Rule Title: The operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).
Description: Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.\n\nMultifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.\n\nA privileged account is defined as an information system account with authorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nThis requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).\n\nRequires further clarification from NIST.\n\n
Check_content: Verify the operating system implements multifactor authentication for remote access to privileged accounts via pluggable authentication modules (PAM).\n\nCheck the "/etc/sssd/sssd.conf" file for the authentication services that are being used with the following command:\n\n# grep services /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf\n\nservices = nss, pam\n\nIf the "pam" service is not present, this is a finding.
Fixtext: Configure the operating system to implement multifactor authentication for remote access to privileged accounts via pluggable authentication modules (PAM).\n\nModify all of the services lines in "/etc/sssd/sssd.conf" or in configuration files found under "/etc/sssd/conf.d" to include pam.
Rule ID: SV-87057r4_rule
Severity: medium
Rule Title: The operating system must implement certificate status checking for PKI authentication.
Description: Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.\n\nMultifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.\n\nA privileged account is defined as an information system account with authorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nThis requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).\n\nRequires further clarification from NIST.\n\n
Check_content: Verify the operating system implements certificate status checking for PKI authentication.\n\nCheck to see if Online Certificate Status Protocol (OCSP) is enabled on the system with the following command:\n\n# grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf\n\ncert_policy = ca, ocsp_on, signature;\ncert_policy = ca, ocsp_on, signature;\ncert_policy = ca, ocsp_on, signature;\n\n\nThere should be at least three lines returned. \n\nIf "ocsp_on" is not present in all "cert_policy" lines in "/etc/pam_pkcs11/pam_pkcs11.conf", this is a finding.\n
Fixtext: Configure the operating system to do certificate status checking for PKI authentication.\n\nModify all of the "cert_policy" lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ocsp_on".
Rule ID: SV-87807r3_rule
Severity: medium
Rule Title: The operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface.
Description: A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled.
Check_content: Verify the operating system prevents a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. \n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console.\n\nDetermine which profile the system database is using with the following command:\n# grep system-db /etc/dconf/profile/user\n\nsystem-db:local\n\nCheck for the lock delay setting with the following command:\n\nNote: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used.\n\n# grep -i lock-delay /etc/dconf/db/local.d/locks/*\n\n/org/gnome/desktop/screensaver/lock-delay\n\nIf the command does not return a result, this is a finding.
Fixtext: Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \n\nNote: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory.\n\n# touch /etc/dconf/db/local.d/locks/session\n\nAdd the setting to lock the screensaver lock delay:\n\n/org/gnome/desktop/screensaver/lock-delay
Rule ID: SV-87809r3_rule
Severity: medium
Rule Title: The operating system must prevent a user from overriding the session idle-delay setting for the graphical user interface.
Description: A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled.
Check_content: Verify the operating system prevents a user from overriding session idle delay after a 15-minute period of inactivity for graphical user interfaces. \n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console. \n\nDetermine which profile the system database is using with the following command:\n# grep system-db /etc/dconf/profile/user\n\nsystem-db:local\n\nCheck for the session idle delay setting with the following command:\n\nNote: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used.\n\n# grep -i idle-delay /etc/dconf/db/local.d/locks/*\n\n/org/gnome/desktop/session/idle-delay\n\nIf the command does not return a result, this is a finding.
Fixtext: Configure the operating system to prevent a user from overriding a session lock after a 15-minute period of inactivity for graphical user interfaces.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \n\nNote: The example below is using the database "local" for the system, so if the system is using another database in /etc/dconf/profile/user, the file should be created under the appropriate subdirectory.\n\n# touch /etc/dconf/db/local.d/locks/session\n\nAdd the setting to lock the session idle delay:\n\n/org/gnome/desktop/session/idle-delay
Rule ID: SV-87811r3_rule
Severity: medium
Rule Title: When passwords are changed or new passwords are established, pwquality must be used.
Description: Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \u201cpwquality\u201d enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.
Check_content: Verify the operating system uses "pwquality" to enforce the password complexity rules. \n\nCheck for the use of "pwquality" with the following command:\n\n# cat /etc/pam.d/passwd | grep pam_pwquality\n\npassword required pam_pwquality.so retry=3\n\nIf the command does not return a line containing the value "pam_pwquality.so", this is a finding.\n\nIf the value of \u201cretry\u201d is set to \u201c0\u201d or greater than \u201c3\u201d, this is a finding.
Fixtext: Configure the operating system to use "pwquality" to enforce password complexity rules.\n\nAdd the following line to "/etc/pam.d/passwd" (or modify the line to have the required value):\n\npassword required pam_pwquality.so retry=3\n\nNote: The value of \u201cretry\u201d should be between \u201c1\u201d and \u201c3\u201d.
Rule ID: SV-87813r1_rule
Severity: medium
Rule Title: File systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed.
Description: The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
Check_content: Verify file systems that are being NFS exported are mounted with the "noexec" option.\n\nFind the file system(s) that contain the directories being exported with the following command:\n\n# more /etc/fstab | grep nfs\n\nUUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,noexec 0 0\n\nIf a file system found in "/etc/fstab" refers to NFS and it does not have the "noexec" option set, and use of NFS exported binaries is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
Fixtext: Configure the "/etc/fstab" to use the "noexec" option on file systems that are being exported via NFS.
Rule ID: SV-87815r2_rule
Severity: medium
Rule Title: The audit system must take appropriate action when there is an error sending audit records to a remote system.
Description: Taking appropriate action when there is an error sending audit records to a remote system will minimize the possibility of losing audit records.
Check_content: Verify the action the operating system takes if there is an error sending audit records to a remote system.\n\nCheck the action that takes place if there is an error sending audit records to a remote system with the following command:\n\n# grep -i network_failure_action /etc/audisp/audisp-remote.conf\nnetwork_failure_action = stop\n\nIf the value of the "network_failure_action" option is not "syslog", "single", or "halt", or the line is commented out, this is a finding.
Fixtext: Configure the action the operating system takes if there is an error sending audit records to a remote system.\n\nUncomment the "network_failure_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt".\n\nnetwork_failure_action = single
Rule ID: SV-87817r2_rule
Severity: medium
Rule Title: The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).
Check_content: Verify the operating system generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group".\n\nCheck the auditing rules in "/etc/audit/audit.rules" with the following command:\n\n# grep /etc/group /etc/audit/audit.rules\n\n-w /etc/group -p wa -k audit_rules_usergroup_modification\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group".\n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules":\n\n-w /etc/group -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-87819r3_rule
Severity: medium
Rule Title: The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).
Check_content: Verify the operating system generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow".\n\nCheck the auditing rules in "/etc/audit/audit.rules" with the following command:\n\n# grep /etc/gshadow /etc/audit/audit.rules\n\n-w /etc/gshadow -p wa -k identity\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow".\n\nAdd or update the following rule in "/etc/audit/rules.d/audit.rules":\n\n-w /etc/gshadow -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-87823r3_rule
Severity: medium
Rule Title: The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).
Check_content: Verify the operating system generates audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.\n\nCheck the auditing rules in "/etc/audit/audit.rules" with the following command:\n\n# grep /etc/shadow /etc/audit/audit.rules\n\n-w /etc/shadow -p wa -k identity\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.\n\nAdd or update the following file system rule in "/etc/audit/rules.d/audit.rules":\n\n-w /etc/shadow -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-87825r4_rule
Severity: medium
Rule Title: The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).
Check_content: Verify the operating system generates audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.\n\nCheck the auditing rules in "/etc/audit/rules.d/audit.rules" with the following command:\n\n# grep /etc/security/opasswd /etc/audit/rules.d/audit.rules\n\n-w /etc/security/opasswd -p wa -k identity\n\nIf the command does not return a line, or the line is commented out, this is a finding.
Fixtext: Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.\n\nAdd or update the following file system rule in "/etc/audit/rules.d/audit.rules":\n\n-w /etc/security/opasswd -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect.
Rule ID: SV-87827r3_rule
Severity: medium
Rule Title: The system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.
Description: ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
Check_content: Verify the system ignores IPv4 ICMP redirect messages.\n\nCheck the value of the "accept_redirects" variables with the following command:\n\n# /sbin/sysctl -a | grep \'net.ipv4.conf.all.accept_redirects\'\n\nnet.ipv4.conf.all.accept_redirects=0\n\nIf the returned line does not have a value of "0", or a line is not returned, this is a finding.
Fixtext: Set the system to ignore IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value):\n\nnet.ipv4.conf.all.accept_redirects = 0
Rule ID: SV-87829r1_rule
Severity: medium
Rule Title: Wireless network adapters must be disabled.
Description: The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.
Check_content: Verify that there are no wireless interfaces configured on the system.\n\nThis is N/A for systems that do not have wireless network adapters.\n\nCheck for the presence of active wireless interfaces with the following command:\n\n# nmcli device\nDEVICE TYPE STATE\neth0 ethernet connected\nwlp3s0 wifi disconnected\nlo loopback unmanaged\n\nIf a wireless interface is configured and its use on the system is not documented with the Information System Security Officer (ISSO), this is a finding.
Fixtext: Configure the system to disable all wireless network interfaces with the following command:\n\n# nmcli radio wifi off
Rule ID: SV-92515r1_rule
Severity: medium
Rule Title: The operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon.
Description: To assure accountability and prevent unauthenticated access, users must be identified and authenticated to prevent potential misuse and compromise of the system.\n\nMultifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.\n\n\n
Check_content: Verify the operating system uniquely identifies and authenticates users using multifactor authentication via a graphical user logon.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable. \n\nDetermine which profile the system database is using with the following command:\n\n# grep system-db /etc/dconf/profile/user\n\nsystem-db:local\n\nNote: The example is using the database local for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than local is being used.\n\n# grep enable-smartcard-authentication /etc/dconf/db/local.d/*\n\nenable-smartcard-authentication=true\n\nIf "enable-smartcard-authentication" is set to "false" or the keyword is missing, this is a finding.
Fixtext: Configure the operating system to uniquely identify and authenticate users using multifactor authentication via a graphical user logon.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \n\nNote: The example is using the database local for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory.\n\n# touch /etc/dconf/db/local.d/00-defaults\n\nAdd the setting to enable smartcard login:\nenable-smartcard-authentication=true
Rule ID: SV-92517r1_rule
Severity: medium
Rule Title: The Datagram Congestion Control Protocol (DCCP) kernel module must be disabled unless required.
Description: Disabling DCCP protects the system against exploitation of any flaws in the protocol implementation.
Check_content: Verify the operating system disables the ability to load the DCCP kernel module.\n\nCheck to see if the DCCP kernel module is disabled with the following command:\n\n# grep -r dccp /etc/modprobe.d/* | grep -i "/bin/true" | grep -v "^#"\n\ninstall dccp /bin/true\n\nIf the command does not return any output, or the line is commented out, and use of DCCP is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
Fixtext: Configure the operating system to disable the ability to use the DCCP kernel module.\n\nCreate a file under "/etc/modprobe.d" with the following command:\n\n# touch /etc/modprobe.d/nodccp\n\nAdd the following line to the created file:\n\ninstall dccp /bin/true
Rule ID: SV-92519r1_rule
Severity: medium
Rule Title: The operating system must require authentication upon booting into single-user and maintenance modes.
Description: If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system.
Check_content: Verify the operating system requires authentication upon booting into single-user and maintenance modes.\n\nCheck that the operating system requires authentication upon booting into single-user mode with the following command:\n\n# grep -i execstart /usr/lib/systemd/system/rescue.service\n\nExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"\n\nIf "ExecStart" does not have "/usr/sbin/sulogin" as an option, this is a finding.\n
Fixtext: Configure the operating system to require authentication upon booting into single-user and maintenance modes.\n\nAdd or modify the "ExecStart" line in "/usr/lib/systemd/system/rescue.service" to include "/usr/sbin/sulogin":\n\nExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"\n
Rule ID: SV-92521r1_rule
Severity: medium
Rule Title: The operating system must implement virtual address space randomization.
Description: Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process's address space during an attempt at exploitation. Additionally, ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return-oriented programming (ROP) techniques.
Check_content: Verify the operating system implements virtual address space randomization.\n\nCheck that the operating system implements virtual address space randomization with the following command:\n\n# grep kernel.randomize_va_space /etc/sysctl.conf \n\nkernel.randomize_va_space=2\n\nIf "kernel.randomize_va_space" does not have a value of "2", this is a finding.
Fixtext: Configure the operating system to implement virtual address space randomization.\n\nSet the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value):\n\nkernel.randomize_va_space=2
Rule ID: SV-93701r1_rule
Severity: medium
Rule Title: The operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.
Description: A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined.\n\nThe ability to enable/disable a session lock is given to the user by default. Disabling the user\u2019s ability to disengage the graphical user interface session lock provides the assurance that all sessions will lock after the specified period of time.\n
Check_content: Verify the operating system prevents a user from overriding the screensaver lock-enabled setting for the graphical user interface. \n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console.\n\nDetermine which profile the system database is using with the following command:\n# grep system-db /etc/dconf/profile/user\n\nsystem-db:local\n\nCheck for the lock-enabled setting with the following command:\n\nNote: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used.\n\n# grep -i lock-enabled /etc/dconf/db/local.d/locks/*\n\n/org/gnome/desktop/screensaver/lock-enabled\n\nIf the command does not return a result, this is a finding.\n
Fixtext: Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \n\nNote: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory.\n\n# touch /etc/dconf/db/local.d/locks/session\n\nAdd the setting to lock the screensaver lock-enabled setting:\n\n/org/gnome/desktop/screensaver/lock-enabled\n
Rule ID: SV-93703r1_rule
Severity: medium
Rule Title: The operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface.
Description: A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined.\n\nThe ability to enable/disable a session lock is given to the user by default. Disabling the user\u2019s ability to disengage the graphical user interface session lock provides the assurance that all sessions will lock after the specified period of time.\n
Check_content: Verify the operating system prevents a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface. \n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console.\n\nDetermine which profile the system database is using with the following command:\n# grep system-db /etc/dconf/profile/user\n\nsystem-db:local\n\nCheck for the idle-activation-enabled setting with the following command:\n\nNote: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used.\n\n# grep -i idle-activation-enabled /etc/dconf/db/local.d/locks/*\n\n/org/gnome/desktop/screensaver/idle-activation-enabled\n\nIf the command does not return a result, this is a finding.
Fixtext: Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \n\nNote: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory.\n\n# touch /etc/dconf/db/local.d/locks/session\n\nAdd the setting to lock the screensaver idle-activation-enabled setting:\n\n/org/gnome/desktop/screensaver/idle-activation-enabled\n\nThen run "dconf update": dconf enforces only the locks that have been compiled into the system database, so until it is rerun the user can still change the setting.
Rule ID: SV-93705r1_rule
Severity: medium
Rule Title: All uses of the create_module command must be audited.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "create_module" command occur. \n\nCheck the auditing rules in "/etc/audit/audit.rules" with the following command:\n\nNote: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the line appropriate for the system architecture must be present.\n\n# grep -iw create_module /etc/audit/audit.rules\n\nIf the command does not return the following output (appropriate to the architecture), this is a finding. \n\n-a always,exit -F arch=b32 -S create_module -k module-change\n\n-a always,exit -F arch=b64 -S create_module -k module-change\n\nIf there are no audit rules defined for "create_module", this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "create_module" command occur. \n\nAdd or update the following rules in "/etc/audit/rules.d/audit.rules":\n\nNote: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured. \n\n-a always,exit -F arch=b32 -S create_module -k module-change\n\n-a always,exit -F arch=b64 -S create_module -k module-change\n\nThe audit daemon must be restarted for the changes to take effect. If the audit configuration has been made immutable, a restart is not enough: the new rules are only loaded after a reboot.
Rule ID: SV-93707r1_rule
Severity: medium
Rule Title: All uses of the finit_module command must be audited.
Description: Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n
Check_content: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "finit_module" command occur. \n\nCheck the auditing rules in "/etc/audit/audit.rules" with the following command:\n\nNote: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the line appropriate for the system architecture must be present.\n\n# grep -iw finit_module /etc/audit/audit.rules\n\nIf the command does not return the following output (appropriate to the architecture), this is a finding. \n\n-a always,exit -F arch=b32 -S finit_module -k module-change\n\n-a always,exit -F arch=b64 -S finit_module -k module-change\n\nIf there are no audit rules defined for "finit_module", this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "finit_module" command occur. \n\nAdd or update the following rules in "/etc/audit/rules.d/audit.rules": \n\nNote: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured.\n\n-a always,exit -F arch=b32 -S finit_module -k module-change\n\n-a always,exit -F arch=b64 -S finit_module -k module-change\n\nThe audit daemon must be restarted for the changes to take effect. If the audit configuration has been made immutable, a restart is not enough: the new rules are only loaded after a reboot.
================================================
FILE: docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd
================================================
# How to create and publish a public AMI
## Creating an Amazon EBS-Backed Linux AMI
The creation process is as follows:
















## How to build the image
### Pre-Install
```
# apt update
# apt install -y bc net-tools pciutils network-manager vim unzip
```
### Get harbian-audit project
`master.zip` is an unsigned snapshot of a moving branch. For a reproducible image fetch a tagged release (or a specific commit) instead and record its checksum, so the published image can later be tied to the exact audit scripts that produced it.
```
$ cd /opt
/opt# wget https://github.com/hardenedlinux/harbian-audit/archive/master.zip
/opt# unzip master.zip
/opt$ cd harbian-audit-master/
```
### How to use harbian-audit to audit and apply
#### Set a password for every login user (optional; only needed if the accounts have none yet):
```
admin@ip:/opt/harbian-audit-master# passwd
admin@ip:/opt/harbian-audit-master# passwd admin
```
#### Audit && Apply:
##### First audit && apply:
```
admin@ip:/opt/harbian-audit-master# cp etc/default.cfg /etc/default/cis-hardening
admin@ip:/opt/harbian-audit-master# sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --init
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --audit-all
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --set-hardening-level 5
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.1.35_freeze_auditd_conf.cfg
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/7.4.4_hosts_deny.cfg
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/10.1.6_remove_nopasswd_sudoers.cfg
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.1_install_aide.cfg
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.2_aide_cron.cfg
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/10.1.1_set_password_exp_days.cfg
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply
admin@ip:/opt/harbian-audit-master# reboot
```
##### Second audit && apply(After reboot)
Configure the firewall. Run all of the following in the same root shell: a variable set in an unprivileged shell (the `$` prompt) is not visible after `sudo`/`su`, so `INTERFACENAME` would be empty when the scripts run. Before saving the rules, confirm that the resulting ruleset still allows inbound SSH from your management range; on a remote instance a default-deny ruleset without an SSH allow rule locks you out permanently:
```
admin@ip:/opt/harbian-audit-master# INTERFACENAME="eth0"
admin@ip:/opt/harbian-audit-master# bash /opt/harbian-audit-master/docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME
admin@ip:/opt/harbian-audit-master# bash /opt/harbian-audit-master/docs/configurations/etc.iptables.rules.v6.sh $INTERFACENAME
admin@ip:/opt/harbian-audit-master# iptables-save > /etc/iptables/rules.v4
admin@ip:/opt/harbian-audit-master# ip6tables-save > /etc/iptables/rules.v6
admin@ip:/opt/harbian-audit-master# exit
```
Some items must be applied a second time; they only take effect after the first apply and the reboot that follows it:
```
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 8.1.1.2
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 8.1.1.3
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 8.1.12
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.1.35_freeze_auditd_conf.cfg
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 8.1.35
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 4.5
admin@ip:/opt/harbian-audit-master# reboot
```
##### Third apply(after reboot)
Items that need a third pass (AIDE is installed and its cron job configured only now, so the baseline is taken from the already-hardened system):
```
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.1_install_aide.cfg
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.2_aide_cron.cfg
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 8.4.1
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 8.4.2
admin@ip:/opt/harbian-audit-master# reboot
```
### Set the /etc/issue login banner
```
# sed -i "s/Debian GNU\/Linux 9/harbian-audit complianced for Debian GNU\/Linux 9/g" /etc/issue*
```
### Hacking
If you need to add your own software to the AMI, put it under a directory such as `/opt` or `/usr/local/bin`.
### Clean up for sharing AMIs safely
To reduce the attack surface of the AMIs you share and keep them reliable, follow the AWS guidelines:
[https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/building-shared-amis.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/building-shared-amis.html)
#### Clean harbian-audit temp file and conf
```
# rm /opt/master.zip
# rm /opt/harbian-audit-master/tmp/backups/*
# rm /opt/harbian-audit-master/etc/conf.d/*.cfg
```
#### Uninstall
```
# apt-get purge --autoremove unzip -y
```
#### Clear the current logs
Truncate with `: >` (or `truncate -s 0`) rather than `echo >`: btmp, wtmp, lastlog, faillog and tallylog are binary records, and the newline byte that `echo` writes into them leaves a malformed entry behind for `last`/`lastlog`/`faillog` on the first boot of the new image.
```
$ echo > ~/.ssh/known_hosts
# find /var/log/ -name "*.log" -exec shred -u {} \;
# find /var/log/ -name "*.log.*" -exec shred -u {} \;
# find / -name "authorized_keys" -exec shred -u {} \;
# rm /root/.wget-hsts
# rm /root/.viminfo
# : > /var/log/debug
# : > /var/log/btmp
# : > /var/log/error
# : > /var/log/exim4/mainlog
# : > /var/log/exim4/paniclog
# : > /var/log/faillog
# : > /var/log/messages
# : > /var/log/syslog
# : > /var/log/tallylog
# : > /var/log/lastlog
# : > /var/log/wtmp
# : > /var/log/sudo.log
```
#### Final apply
Resets the password of every user (the accounts end up locked; see the usage document) and re-initialises the AIDE database. Run it last, after every other change to the filesystem, so the AIDE baseline describes the image exactly as shipped:
```
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --final
```
#### Clear bash history
```
# echo > ~/.bash_history
# history -cw
$ echo > ~/.bash_history
$ history -cw
```
## Create AMI








## Cross-Region AMI Copy









## Reference
[https://github.com/hardenedlinux/harbian-audit/blob/master/README.md](https://github.com/hardenedlinux/harbian-audit/blob/master/README.md)
[https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html)
[https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/CopyingAMIs.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/CopyingAMIs.html)
[https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html)
[https://aws.amazon.com/cn/articles/public-ami-publishing-hardening-and-clean-up-requirements/](https://aws.amazon.com/cn/articles/public-ami-publishing-hardening-and-clean-up-requirements/)
[https://aws.amazon.com/cn/articles/how-to-share-and-use-public-amis-in-a-secure-manner/](https://aws.amazon.com/cn/articles/how-to-share-and-use-public-amis-in-a-secure-manner/)
================================================
FILE: docs/complianced_image/AMI/how_to_use_harbian_audit_complianced_Debian_9.mkd
================================================
# How to use harbian-audit complianced Debian GNU/Linux 9
## Select Destination region: EU(Frankfurt)

## Search harbian-audit complianced for Debian GNU/Linux 9 in Community AMIs

## Configuration new instance










## View new instance status

## Connect new instance


## Use harbian-audit to check
```
admin@ip-:~$ cd /opt/harbian-audit-master/
admin@ip-:/opt/harbian-audit-master# ./bin/hardening.sh --audit-all
......
################### SUMMARY ###################
Total Available Checks : 256
Total Checks Run : 256
Total Passed Checks : [ 227/256 ]
Total Failed Checks : [ 29/256 ]
Enabled Checks Percentage : 100.00 %
Conformity Percentage : 88.67 %
```
## Description of some key check failure items
### 3.3 Set Boot Loader Password
```
3.3_bootloader_password [ KO ] ^set superusers not present in /boot/grub/grub.cfg
3.3_bootloader_password [ KO ] ^password_pbkdf2 not present in /boot/grub/grub.cfg
3.3_bootloader_password [ KO ] Check Failed
```
If you want to apply this item, see:
[how_to_config_grub2_password_protection.mkd](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_config_grub2_password_protection.mkd)
### 7.4.4 Create /etc/hosts.deny
```
7.4.4_hosts_deny [ KO ] ALL: ALL is not present in /etc/hosts.deny, we have to deny everything
7.4.4_hosts_deny [ KO ] Check Failed
```
If you can determine the address range of the clients that will connect, you can apply this item and add that range to /etc/hosts.allow; without an allow entry, `ALL: ALL` in /etc/hosts.deny blocks every TCP-wrapped service, including SSH.
### 10.1.7 Remove nopasswd option from the sudoers configuration
```
10.1.7_remove_nopasswd_su [ KO ] NOPASSWD is set on /etc/sudoers.d/*, it's error conf
10.1.7_remove_nopasswd_su [ KO ] Check Failed
```
This item has to be fixed by the user. When the AMI is created, every OS user account is locked, so a freshly launched instance can only gain root through the NOPASSWD sudo entry. Set a password for every user that needs one before removing NOPASSWD; otherwise sudo will prompt for a password that does not exist and you lose privileged access to the instance.
## Reference
[https://docs.aws.amazon.com/zh_cn/AWSEC2/latest/UserGuide/concepts.html](https://docs.aws.amazon.com/zh_cn/AWSEC2/latest/UserGuide/concepts.html)
================================================
FILE: docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img_for_centos8.mkd
================================================
# How to create and sign a QEMU image of harbian-audit complianced CentOS 8
In the following context, deploy with the following name:
Network interface: eth0
username: harbian-audit
## Pre-work
In the example below, the virt-manager graphical tool is used to connect to the QEMU server remotely and carry out the installation.
### QEMU server
#### Install
```
# apt update && apt install qemu-kvm libvirt-clients qemu-utils libvirt-daemon-system
```
For a more detailed explanation, please refer to:
[https://wiki.debian.org/KVM](https://wiki.debian.org/KVM)
### QEMU guest
### Install
```
# apt update && apt install virt-manager
```
### Generate verification key
```
$ ssh-keygen -b 4096 -f /home/username/.ssh/id_rsa_1
```
### Set authorized keys
Copy the public key (for example /home/username/.ssh/id_rsa_1.pub) to the QEMU server and append its contents to /root/.ssh/authorized_keys there. Keep the private key on the workstation only.
### Use virt-manager
#### Add connection

#### Create New Virtual Machine

Then follow the wizard to install step by step.
## How to build the image
### Pre-Install
```
root@harbian:/home/harbian-audit# yum install -y bc net-tools pciutils NetworkManager wget unzip
```
### Get harbian-audit project
`master.zip` is an unsigned snapshot of a moving branch. For a reproducible image fetch a tagged release (or a specific commit) instead and record its checksum, so the published image can later be tied to the exact audit scripts that produced it.
```
$ cd /opt
root@harbian:/opt# wget https://github.com/hardenedlinux/harbian-audit/archive/master.zip
root@harbian:/opt# unzip master.zip
root@harbian:/opt# cd harbian-audit-master/
```
### How to use harbian-audit to audit and apply
#### Audit && Apply
```
root@harbian:/opt/harbian-audit-master# cp etc/default.cfg /etc/default/cis-hardening
root@harbian:/opt/harbian-audit-master# sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
root@harbian:/opt/harbian-audit-master# bash bin/hardening.sh --init
root@harbian:/opt/harbian-audit-master# ./bin/hardening.sh --audit-all
root@harbian:/opt/harbian-audit-master# ./bin/hardening.sh --set-hardening-level 5
root@harbian:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/7.4.4_hosts_deny.cfg
root@harbian:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.1.35_freeze_auditd_conf.cfg
root@harbian:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.1_install_aide.cfg
root@harbian:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.2_aide_cron.cfg
root@harbian:/opt/harbian-audit-master# ./bin/hardening.sh --apply
root@harbian:/opt/harbian-audit-master# echo 'harbian-audit ALL=(ALL:ALL) ALL' > /etc/sudoers.d/harbian-audit && chmod 0440 /etc/sudoers.d/harbian-audit && visudo -cf /etc/sudoers.d/harbian-audit
root@harbian:/opt/harbian-audit-master# reboot
```
After reboot (run everything in one root shell). Note: the stock CentOS 8 firewall is firewalld; `/etc/sysconfig/iptables` is only applied at boot by the iptables-services unit, so make sure that unit is installed and enabled and that firewalld is not overriding it, and confirm with `iptables -S` after the next reboot; otherwise the saved rules are never loaded:
```
harbian-audit@harbian:/opt/harbian-audit-master# bash ./docs/configurations/etc.iptables.rules.v4.sh eth0
harbian-audit@harbian:/opt/harbian-audit-master# bash ./docs/configurations/etc.iptables.rules.v6.sh eth0
root@harbian:/opt/harbian-audit-master# iptables-save > /etc/sysconfig/iptables
root@harbian:/opt/harbian-audit-master# ip6tables-save > /etc/sysconfig/ip6tables
```
For details on using harbian-audit to audit and apply, see:
[https://github.com/hardenedlinux/harbian-audit/blob/master/README.md](https://github.com/hardenedlinux/harbian-audit/blob/master/README.md)
### Set the /etc/issue login banner
The pattern below matches Debian's default banner; on CentOS 8 `/etc/issue` uses escape sequences such as `\S` instead, so check the file's actual contents and adapt the match (or write the banner text directly):
```
# sed -i "s/Debian GNU\/Linux 9/harbian-audit complianced for Debian GNU\/Linux 9/g" /etc/issue*
```
### Set grub passwd
The values below are the published defaults of the shared image and are therefore public knowledge. When building your own image choose a different superuser name and password; only the PBKDF2 hash (`password_pbkdf2`), never the clear-text value, goes into the GRUB configuration.
superusers: harbiansuper
passwd: harbian_AUDIT,09!)
Related how to config grub2 password protection, please reference:
[how_to_config_grub2_password_protection.mkd](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_config_grub2_password_protection.mkd)
### Re-set passwd of all users
```
root@harbian:/home/harbian-audit# passwd
root@harbian:/home/harbian-audit# passwd harbian-audit
```
### Hacking
If you need to add your own software to the image, put it under a directory such as `/opt` or `/usr/local/bin`.
### Clean up
#### Uninstall
```
# yum remove -y unzip
```
#### Clean harbian-audit temp file and conf
```
# rm /opt/master.zip
# rm /opt/harbian-audit-master/tmp/backups/*
# cd /opt/harbian-audit-master/etc/conf.d
# shopt -s extglob
# rm -f !(8.1.35_freeze_auditd_conf.cfg|8.4.1_install_aide.cfg|8.4.2_aide_cron.cfg)
```
#### Final fix
```
$ cd /opt/harbian-audit-master
# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.1.35_freeze_auditd_conf.cfg
# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.1_install_aide.cfg
# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.2_aide_cron.cfg
# bash bin/hardening.sh --apply --only 8.1.35
# bash bin/hardening.sh --apply --only 8.4.1
# bash bin/hardening.sh --apply --only 8.4.2
# rm /opt/harbian-audit-master/tmp/backups/*
# rm /opt/harbian-audit-master/etc/conf.d/*
```
#### Clear the current logs
Truncate with `: >` (or `truncate -s 0`) rather than `echo >`: btmp, wtmp, lastlog, faillog and tallylog are binary records, and the newline byte that `echo` writes into them leaves a malformed entry behind for `last`/`lastlog`/`faillog` on the first boot of the new image.
```
# find /var/log/ -name "*.log" -exec shred -u {} \;
# find /var/log/ -name "*.log.*" -exec shred -u {} \;
# find / -name "authorized_keys" -exec shred -u {} \;
# rm /root/.wget-hsts
# rm /root/.viminfo
# : > /var/log/debug
# : > /var/log/btmp
# : > /var/log/error
# : > /var/log/exim4/mainlog
# : > /var/log/exim4/paniclog
# : > /var/log/faillog
# : > /var/log/messages
# : > /var/log/syslog
# : > /var/log/tallylog
# : > /var/log/lastlog
# : > /var/log/wtmp
```
#### AIDE re-init
`aideinit` is the Debian wrapper script and does not exist on CentOS 8; there the equivalent is `aide --init` followed by moving the newly generated database into place (check the aide package's documented path). Generate the database after every other change to the filesystem, otherwise the first integrity check on the new image reports your own cleanup as tampering.
```
# aideinit -y -f
```
#### Clear bash history
```
# echo > ~/.bash_history
# history -cw
$ echo > ~/.bash_history
$ history -cw
# poweroff
```
## sign QEMU image
ssh to QEMU server, find QEMU image dir, sign the QEMU image:
```
root@debian-9:/opt/images# gpg -u Samson -b debian9.9-harbian-0910.qcow2
```
================================================
FILE: docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img_for_debian9.mkd
================================================
# How to create and sign a QEMU image of harbian-audit complianced Debian GNU/Linux 9
In the following context, deploy with the following name:
Network interface: eth0
username: harbian-audit
## Pre-work
In the example below, the virt-manager graphical tool is used to connect to the QEMU server remotely and carry out the installation.
### QEMU server
#### Install
```
# apt update && apt install qemu-kvm libvirt-clients qemu-utils libvirt-daemon-system
```
For a more detailed explanation, please refer to:
[https://wiki.debian.org/KVM](https://wiki.debian.org/KVM)
### QEMU guest
### Install
```
# apt update && apt install virt-manager
```
### Generate verification key
```
$ ssh-keygen -b 4096 -f /home/username/.ssh/id_rsa_1
```
### Set authorized keys
Copy the public key (for example /home/username/.ssh/id_rsa_1.pub) to the QEMU server and append its contents to /root/.ssh/authorized_keys there. Keep the private key on the workstation only.
### Use virt-manager
#### Add connection

#### Create New Virtual Machine

Then follow the wizard to install step by step.
## How to build the image
### Pre-Install
```
root@harbian:/home/harbian-audit# apt update && apt install -y bc net-tools vim unzip pciutils network-manager
```
### Get harbian-audit project
`master.zip` is an unsigned snapshot of a moving branch. For a reproducible image fetch a tagged release (or a specific commit) instead and record its checksum, so the published image can later be tied to the exact audit scripts that produced it.
```
$ cd /opt
root@harbian:/opt# wget https://github.com/hardenedlinux/harbian-audit/archive/master.zip
root@harbian:/opt# unzip master.zip
root@harbian:/opt# cd harbian-audit-master/
```
### How to use harbian-audit to audit and apply
#### Audit && Apply
```
root@harbian:/opt/harbian-audit-master# cp etc/default.cfg /etc/default/cis-hardening
root@harbian:/opt/harbian-audit-master# sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
root@harbian:/opt/harbian-audit-master# bash bin/hardening.sh --init
root@harbian:/opt/harbian-audit-master# ./bin/hardening.sh --audit-all
root@harbian:/opt/harbian-audit-master# ./bin/hardening.sh --set-hardening-level 5
root@harbian:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/7.4.4_hosts_deny.cfg
root@harbian:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.1.35_freeze_auditd_conf.cfg
root@harbian:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.1_install_aide.cfg
root@harbian:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.2_aide_cron.cfg
root@harbian:/opt/harbian-audit-master# ./bin/hardening.sh --apply
root@harbian:/opt/harbian-audit-master# echo 'harbian-audit ALL=(ALL:ALL) ALL' > /etc/sudoers.d/harbian-audit && chmod 0440 /etc/sudoers.d/harbian-audit && visudo -cf /etc/sudoers.d/harbian-audit
root@harbian:/opt/harbian-audit-master# reboot
```
After reboot (run everything in one root shell). Apply the IPv6 rule script as well as the IPv4 one before saving: `ip6tables-save` persists whatever the current IPv6 ruleset is, so without the script run the image ships with an unfiltered IPv6 stack while IPv4 is locked down:
```
harbian-audit@harbian:/opt/harbian-audit-master# bash ./docs/configurations/etc.iptables.rules.v4.sh eth0
harbian-audit@harbian:/opt/harbian-audit-master# bash ./docs/configurations/etc.iptables.rules.v6.sh eth0
root@harbian:/opt/harbian-audit-master# iptables-save > /etc/iptables/rules.v4
root@harbian:/opt/harbian-audit-master# ip6tables-save > /etc/iptables/rules.v6
```
For details on using harbian-audit to audit and apply, see:
[https://github.com/hardenedlinux/harbian-audit/blob/master/README.md](https://github.com/hardenedlinux/harbian-audit/blob/master/README.md)
### Set the /etc/issue login banner
```
# sed -i "s/Debian GNU\/Linux 9/harbian-audit complianced for Debian GNU\/Linux 9/g" /etc/issue*
```
### Set grub passwd
The values below are the published defaults of the shared image and are therefore public knowledge. When building your own image choose a different superuser name and password; only the PBKDF2 hash (`password_pbkdf2`), never the clear-text value, goes into the GRUB configuration.
superusers: harbiansuper
passwd: harbian_AUDIT,09!)
Related how to config grub2 password protection, please reference:
[how_to_config_grub2_password_protection.mkd](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_config_grub2_password_protection.mkd)
### Re-set passwd of all users
```
root@harbian:/home/harbian-audit# passwd
root@harbian:/home/harbian-audit# passwd harbian-audit
```
### Hacking
If you need to add your own software to the image, put it under a directory such as `/opt` or `/usr/local/bin`.
### Clean up
#### Uninstall
```
# apt-get purge --autoremove unzip -y
```
#### Clean harbian-audit temp file and conf
```
# rm /opt/master.zip
# rm /opt/harbian-audit-master/tmp/backups/*
# cd /opt/harbian-audit-master/etc/conf.d
# shopt -s extglob
# rm -f !(8.1.35_freeze_auditd_conf.cfg|8.4.1_install_aide.cfg|8.4.2_aide_cron.cfg)
```
#### Final fix
```
$ echo > ~/.ssh/known_hosts
$ cd /opt/harbian-audit-master
# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.1.35_freeze_auditd_conf.cfg
# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.1_install_aide.cfg
# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.2_aide_cron.cfg
# bash bin/hardening.sh --apply --only 8.1.35
# bash bin/hardening.sh --apply --only 8.4.1
# bash bin/hardening.sh --apply --only 8.4.2
# rm /opt/harbian-audit-master/tmp/backups/*
# rm /opt/harbian-audit-master/etc/conf.d/*
```
#### Clear the current logs
Truncate with `: >` (or `truncate -s 0`) rather than `echo >`: btmp, wtmp, lastlog, faillog and tallylog are binary records, and the newline byte that `echo` writes into them leaves a malformed entry behind for `last`/`lastlog`/`faillog` on the first boot of the new image.
```
# find /var/log/ -name "*.log" -exec shred -u {} \;
# find /var/log/ -name "*.log.*" -exec shred -u {} \;
# find / -name "authorized_keys" -exec shred -u {} \;
# rm /root/.wget-hsts
# rm /root/.viminfo
# : > /var/log/debug
# : > /var/log/btmp
# : > /var/log/error
# : > /var/log/exim4/mainlog
# : > /var/log/exim4/paniclog
# : > /var/log/faillog
# : > /var/log/messages
# : > /var/log/syslog
# : > /var/log/tallylog
# : > /var/log/lastlog
# : > /var/log/wtmp
```
#### AIDE re-init
Generate the database after every other change to the filesystem (this step, then the history clean-up only), otherwise the first integrity check on the new image reports your own cleanup as tampering.
```
# aideinit -y -f
```
#### Clear bash history
```
# echo > ~/.bash_history
# history -cw
$ echo > ~/.bash_history
$ history -cw
# poweroff
```
## sign QEMU image
ssh to QEMU server, find QEMU image dir, sign the QEMU image:
```
root@debian-9:/opt/images# gpg -u Samson -b debian9.9-harbian-0910.qcow2
```
================================================
FILE: docs/complianced_image/QEMU/how_to_use_QEMU_image_of_harbian_audit_complianced_Debian_9.mkd
================================================
# How to use the QEMU image of harbian-audit complianced Debian GNU/Linux 9
## Overview
Image name: debian9.9-harbian-0910.qcow2
Disk size: 20G
Default credentials. The values below are published here and are known to anyone who reads this page; change the GRUB password and both user passwords on first boot, before the VM is reachable from any network.
grub password protection:
username: harbiansuper
password: harbian_AUDIT,09!)
Users info:
user: root
passwd: 1qaz@WSX3edc$RFV5tgb
user: auditadmin
passwd: 2wsx#EDC4rfv%TGB6yhn
## Get QEMU image
### Download address
[debian9.9-harbian-0910.qcow2.tar.gz](https://drive.google.com/file/d/1HwaHF94AJx-95HeIVi4cUFA5aiQ_diz2/view?usp=sharing)
### Verify
First import the maintainers' signing key and compare its fingerprint with one obtained out of band (this page gives neither the key nor its fingerprint, so ask the maintainers). `gpg --verify` only checks that the file matches the `.sig`; it reports a good signature for any key in your keyring, so a signature from an unknown or unverified key proves nothing about the image's origin.
```
$ wget https://github.com/hardenedlinux/harbian-audit/raw/master/docs/complianced_image/QEMU/signature/debian9.9-harbian-0910.qcow2.sig
$ wget https://github.com/hardenedlinux/harbian-audit/raw/master/docs/complianced_image/QEMU/signature/debian9.9-harbian-0910.qcow2.tar.gz.sig
$ gpg --verify debian9.9-harbian-0910.qcow2.tar.gz.sig debian9.9-harbian-0910.qcow2.tar.gz
$ tar -xzvf debian9.9-harbian-0910.qcow2.tar.gz
$ gpg --verify debian9.9-harbian-0910.qcow2.sig debian9.9-harbian-0910.qcow2
```
## Use the QEMU image to create virtual machine




================================================
FILE: docs/configurations/build-simple-cdd-cfg/Readme
================================================
The files in this directory are used to build a simple-cdd image.
================================================
FILE: docs/configurations/build-simple-cdd-cfg/usr_share_simple-cdd_profiles_default.packages
================================================
# This file real path is: /usr/share/simple-cdd/profiles/default.packages
# less is more intuitive
less
net-tools
bc
ssh
pciutils
network-manager
man-db
================================================
FILE: docs/configurations/build-simple-cdd-cfg/usr_share_simple-cdd_profiles_default.preseed
================================================
# This file real path is: /usr/share/simple-cdd/profiles/default.preseed
# these are the basic debconf pre-seeding items needed for a minimal
# interaction debian etch install using debian-installer
# this example pre-seeding file was largely based on
# http://d-i.alioth.debian.org/manual/example-preseed.txt
#
# for more explanation of the options, see:
# http://d-i.alioth.debian.org/manual/en.mips/apbs04.html
## simple-cdd options
# automatically select simple-cdd profiles
# NOTE: profile "default" is now automatically included, and should not be
# specified here.
#simple-cdd simple-cdd/profiles multiselect ltsp
#simple-cdd simple-cdd/profiles multiselect ltsp, x-basic
###### Package selection.
# You can choose to install any combination of tasks that are available.
# Available tasks as of this writing include: Desktop environment,
# Web server, Print server, DNS server, File server, Mail server,
# SQL database, manual package selection. The last of those will run
# aptitude. You can also choose to install no tasks, and force the
# installation of a set of packages in some other way.
# don't install any tasks
tasksel tasksel/first multiselect
#tasksel tasksel/first multiselect Desktop environment
#tasksel tasksel/first multiselect Web server, Mail server, DNS server
###### Time zone setup.
# Controls whether or not the hardware clock is set to UTC.
d-i clock-setup/utc boolean true
# Many countries have only one time zone. If you told the installer you're
# in one of those countries, you can choose its standard time zone via this
# question.
base-config tzconfig/choose_country_zone_single boolean true
#d-i time/zone select US/Pacific
### keyboard configuration
# don't mess with the keymap
console-common console-data/keymap/policy select Don't touch keymap
console-data console-data/keymap/policy select Don't touch keymap
# keyboard layouts
#console-data console-data/keymap/qwerty/layout select US american
#console-data console-data/keymap/family select qwerty
#console-common console-data/keymap/family select qwerty
###### Account setup.
# To preseed the root password, you have to put it in the clear in this
# file. That is not a very good idea, use caution!
#passwd passwd/root-password password r00time
#passwd passwd/root-password-again password r00time
# If you want to skip creation of a normal user account.
#passwd passwd/make-user boolean false
# Alternatively, you can preseed the user's name and login.
#passwd passwd/user-fullname string Debian User
#passwd passwd/username string debian
# And their password, but use caution!
#passwd passwd/user-password password insecure
#passwd passwd/user-password-again password insecure
#### Network configuration.
# netcfg will choose an interface that has link if possible. This makes it
# skip displaying a list if there is more than one interface.
d-i netcfg/choose_interface select auto
# Note that any hostname and domain names assigned from dhcp take
# precedence over values set here. However, setting the values still
# prevents the questions from being shown even if values come from dhcp.
d-i netcfg/get_hostname string unassigned
d-i netcfg/get_domain string unassigned
# to set the domain to empty:
#d-i netcfg/get_domain string
# Disable that annoying WEP key dialog.
d-i netcfg/wireless_wep string
### Partitioning.
# you can specify a disk to partition. The device name can be given in either
# devfs or traditional non-devfs format. For example, to use the first disk
# devfs knows of:
## NOTE: disabled for lenny, as it seemed to cause issues
#d-i partman-auto/disk string /dev/discs/disc0/disc
# In addition, you'll need to specify the method to use.
# The presently available methods are: "regular", "lvm" and "crypto"
d-i partman-auto/method string regular
# If one of the disks that are going to be automatically partitioned
# contains an old LVM configuration, the user will normally receive a
# warning. This can be preseeded away...
#d-i partman-auto/purge_lvm_from_device boolean true
# And the same goes for the confirmation to write the lvm partitions.
#d-i partman-lvm/confirm boolean true
# Alternately, If the system has free space you can choose to only partition
# that space.
#d-i partman-auto/init_automatically_partition select Use the largest continuous free space
#d-i partman-auto/init_automatically_partition select Guided - use entire disk
# You can choose from any of the predefined partitioning recipes:
d-i partman-auto/choose_recipe select All files in one partition (recommended for new users)
#d-i partman-auto/choose_recipe select Desktop machine
#d-i partman-auto/choose_recipe select Multi-user workstation
# uncomment the following three values to makes partman automatically partition
# without confirmation.
#d-i partman/confirm_write_new_label boolean true
d-i partman/choose_partition select Finish partitioning and write changes to disk
#d-i partman/confirm boolean true
#### Boot loader installation.
# This is fairly safe to set, it makes grub install automatically to the MBR
# if no other operating system is detected on the machine.
d-i grub-installer/only_debian boolean true
# This one makes grub-installer install to the MBR if it finds some other OS
# too, which is less safe as it might not be able to boot that other OS.
d-i grub-installer/with_other_os boolean true
###### Apt setup.
# automatically set the CD as the installation media.
#base-config apt-setup/uri_type select http
#base-config apt-setup/uri_type select cdrom
# only scan the first CD by default
#d-i apt-setup/cdrom/set-first boolean false
# don't ask to use additional mirrors
#base-config apt-setup/another boolean false
# Use a network mirror?
# apt-mirror-setup apt-setup/use_mirror boolean false
# Select individual apt repositories
#d-i apt-setup/services-select multiselect security, updates, backports
# Disable extra apt repositories
#d-i apt-setup/services-select multiselect
# You can choose to install non-free and contrib software.
#d-i apt-setup/non-free boolean true
#d-i apt-setup/contrib boolean true
###### Mailer configuration.
# During a normal install, exim asks only two questions. Here's how to
# avoid even those. More complicated preseeding is possible.
exim4-config exim4/dc_eximconfig_configtype select no configuration at this time
# It's a good idea to set this to whatever user account you choose to
# create. Leaving the value blank results in postmaster mail going to
# /var/mail/mail.
exim4-config exim4/dc_postmaster string
### skip some annoying installation status notes
# Avoid that last message about the install being complete.
d-i finish-install/reboot_in_progress note
# Avoid the introductory message.
base-config base-config/intro note
# Avoid the final message.
base-config base-config/login note
#d-i popularity-contest/participate boolean false
### simple-cdd commands
# you may add to the following commands by including a ";" followed by your
# shell commands.
# loads the simple-cdd-profiles udeb to which asks for which profiles to use,
# load the debconf preseeding and queue packages for installation.
d-i preseed/early_command string anna-install simple-cdd-profiles
d-i preseed/late_command string \
in-target /bin/bash -c '/opt/harbianaudit/bin/harbianaudit.sh'
================================================
FILE: docs/configurations/debian-config-4-build-deb/debian/Readme
================================================
The files in this dir are for building the deb package. Its real dir name is debian.
================================================
FILE: docs/configurations/debian-config-4-build-deb/debian/changelog
================================================
harbianaudit (0.4.1-1) unstable; urgency=medium
* Initial release (Closes: #nnnn)
-- Samson W Sat, 11 Apr 2020 07:35:46 -0400
================================================
FILE: docs/configurations/debian-config-4-build-deb/debian/compat
================================================
11
================================================
FILE: docs/configurations/debian-config-4-build-deb/debian/control
================================================
Source: harbianaudit
Section: admin
Priority: optional
Maintainer: Samson W
Build-Depends: debhelper (>= 11)
Standards-Version: 4.1.3
Homepage: https://github.com/hardenedlinux/harbian-audit
Vcs-Browser: https://github.com/hardenedlinux/harbian-audit
Vcs-Git: https://github.com/hardenedlinux/harbian-audit
Package: harbianaudit
Architecture: all
Depends: ${misc:Depends}
Description: Hardened Debian GNU/Linux and CentOS 8 distro auditing.
Hardened Debian GNU/Linux and CentOS 8 distro auditing.
================================================
FILE: docs/configurations/debian-config-4-build-deb/debian/copyright
================================================
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: harbianaudit
Source: https://github.com/hardenedlinux/harbian-audit
Files: *
Copyright: 2018-2020 samson
License: GPL-3.0+
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
.
This package is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
.
You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
.
On Debian systems, the complete text of the GNU General
Public License version 3 can be found in "/usr/share/common-licenses/GPL-3".
Files: debian/*
Copyright: 2020 Samson W
License: GPL-3+
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
.
This package is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
.
You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
.
On Debian systems, the complete text of the GNU General
Public License version 3 can be found in "/usr/share/common-licenses/GPL-3".
================================================
FILE: docs/configurations/debian-config-4-build-deb/debian/rules
================================================
#!/usr/bin/make -f
# See debhelper(7) (uncomment to enable)
# output every command that modifies files on the build system.
#export DH_VERBOSE = 1
# see FEATURE AREAS in dpkg-buildflags(1)
#export DEB_BUILD_MAINT_OPTIONS = hardening=+all
# see ENVIRONMENT in dpkg-buildflags(1)
# package maintainers to append CFLAGS
#export DEB_CFLAGS_MAINT_APPEND = -Wall -pedantic
# package maintainers to append LDFLAGS
#export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed
# Catch-all target: every debhelper sequence target (build, binary, clean,
# install, ...) is delegated to dh(1); only the override below customises it.
%:
	dh $@
# dh_make generated override targets
# This is example for Cmake (See https://bugs.debian.org/641051 )
#override_dh_auto_configure:
# dh_auto_configure -- # -DCMAKE_LIBRARY_PATH=$(DEB_HOST_MULTIARCH)
# Replaces the stock dh_install step: the package tree is laid out by hand
# under debian/harbianaudit. Scripts are installed 0755, data 0644, all owned
# by root; -p preserves the source timestamps. Runtime layout is
# /opt/harbianaudit/{bin,lib,etc,src,tmp} plus /etc/default/cis-hardening.
override_dh_install:
	install -d debian/harbianaudit/opt/harbianaudit/
	install -d debian/harbianaudit/opt/harbianaudit/bin/
	install -d debian/harbianaudit/opt/harbianaudit/lib/
	install -d debian/harbianaudit/opt/harbianaudit/etc/
	install -d debian/harbianaudit/opt/harbianaudit/src/
	install -d debian/harbianaudit/opt/harbianaudit/bin/hardening/
# Entry points and the two firewall scripts go to /opt/harbianaudit/bin.
	install -g root -o root -m 755 -p bin/hardening.sh debian/harbianaudit/opt/harbianaudit/bin/
	install -g root -o root -m 755 -p docs/configurations/etc.iptables.rules.v4.sh debian/harbianaudit/opt/harbianaudit/bin/
	install -g root -o root -m 755 -p docs/configurations/etc.iptables.rules.v6.sh debian/harbianaudit/opt/harbianaudit/bin/
	install -g root -o root -m 755 -p bin/harbianaudit.sh debian/harbianaudit/opt/harbianaudit/bin/
# Every per-check script; the glob is expanded by make's shell at build time.
	install -g root -o root -m 755 -p bin/hardening/* debian/harbianaudit/opt/harbianaudit/bin/hardening/
	install -d debian/harbianaudit/etc/default/
# etc/default.cfg is renamed to /etc/default/cis-hardening on the target.
	install -g root -o root -m 644 -p etc/default.cfg debian/harbianaudit/etc/default/cis-hardening
	install -g root -o root -m 644 -p etc/hardening.cfg debian/harbianaudit/opt/harbianaudit/etc/
	install -d debian/harbianaudit/opt/harbianaudit/etc/conf.d/
	install -g root -o root -m 644 -p lib/* debian/harbianaudit/opt/harbianaudit/lib/
	install -g root -o root -m 644 -p src/* debian/harbianaudit/opt/harbianaudit/src/
# Scratch space and backup location used at run time; created empty here.
	install -d debian/harbianaudit/opt/harbianaudit/tmp/
	install -d debian/harbianaudit/opt/harbianaudit/tmp/backups/
	install -d debian/harbianaudit/usr/share/man/man1/
# NOTE(review): this installs the Markdown README verbatim as the man(1)
# page; man expects roff source, so `man harbianaudit` will render the raw
# Markdown -- confirm whether a real manpage was intended.
	install -g root -o root -m 644 -p README.md debian/harbianaudit/usr/share/man/man1/harbianaudit.1
================================================
FILE: docs/configurations/debian-config-4-build-deb/how-to-build-deb-package.md
================================================
# How to build the deb package
## Pre-install
```
# apt-get install build-essential dh-make debhelper lintian wget
```
## Configure env vars for dh_make
```
$ cat >>~/.bashrc <
```
If you do not sign the source package and the .buildinfo and .changes files:
```
~/harbian-audit-0.4.1$ dpkg-buildpackage -us -uc
```
## Sign deb package
```
~/harbian-audit-0.4.1$ cd ..
~$ sha512sum harbianaudit_0.4.1-1_all.deb > harbianaudit_0.4.1-1_all.deb.sha512sum
~$ gpg -ab harbianaudit_0.4.1-1_all.deb
```
================================================
FILE: docs/configurations/etc.audit.auditd.conf
================================================
#
# This file controls the configuration of the audit daemon
#
# Reviewed copy shipped by harbian-audit; see auditd.conf(5) for each key.
local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = root
# NOTE(review): duplicate of the write_logs line above. Harmless (same
# value), but one of the two should be removed so the intent is unambiguous.
write_logs = yes
# INCREMENTAL_ASYNC flushes to disk every `freq` records without blocking
# the daemon on each write.
flush = INCREMENTAL_ASYNC
freq = 50
# Rotate when a log reaches 8 MB. With keep_logs below, num_logs is not
# consulted for pruning, so old logs accumulate.
max_log_file = 8
num_logs = 5
priority_boost = 4
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
# keep_logs rotates like ROTATE but never deletes old files: disk usage is
# bounded only by the space_left / admin_space_left thresholds below.
max_log_file_action = keep_logs
# Free-space thresholds are in MB on the filesystem holding log_file.
space_left = 455
# "email" relies on a working local MTA delivering to action_mail_acct.
space_left_action = email
action_mail_acct = root
admin_space_left = 50
# halt shuts the machine down when admin_space_left is reached: audit
# completeness is chosen over availability. Make sure the threshold is
# reached well before the disk is actually full.
admin_space_left_action = halt
# SUSPEND stops writing log records but leaves the system running.
disk_full_action = SUSPEND
disk_error_action = SUSPEND
# Remote-audit (TCP listener) settings; the listener is not enabled because
# tcp_listen_port is commented out.
use_libwrap = yes
##tcp_listen_port =
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no
================================================
FILE: docs/configurations/etc.audit.rules.d.audit.rules_for_debian
================================================
## First rule - delete all
-D
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192
## This determines how long to wait in a burst of events
## (0 = never block the emitting process when the backlog is full)
--backlog_wait_time 0
## Set failure mode to syslog
-f 1
##
## Conventions used by the syscall rules below:
##   auid>=1000        only interactive (non-system) user accounts
##   auid!=4294967295  skip processes whose login uid was never set
##                     (4294967295 is -1, e.g. daemons started at boot)
##   -k / -F key=      search key to find the events with ausearch -k
##
## --- Changes to the system clock ---
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
## --- User / group databases ---
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
## --- Hostname, network and banner changes ---
## ("exit,always" is accepted by auditctl in either order; it is the same
## as the "always,exit" form used everywhere else in this file)
-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale
## --- AppArmor policy ---
-w /etc/apparmor/ -p wa -k MAC-policy
-w /etc/apparmor.d/ -p wa -k MAC-policy
-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k MAC-policy
## --- Login / logout and session bookkeeping ---
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
## --- Discretionary access control changes by users ---
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
## --- Failed file access (denied with EACCES / EPERM) ---
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
## --- Execution of setuid/setgid helpers ("privileged") ---
## Paths are Debian locations; a path that does not exist on the target
## is reported by auditctl when the rules are loaded.
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/ping -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/pppd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/dbus-1.0/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/policykit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/eject/dmcrypt-get-device -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/dotlock.mailutils -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/expiry -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/dotlockfile -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/screen -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/bsd-write -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
## --- Mounts and deletions by users ---
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete
## --- sudo configuration and sudo's own log ---
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers
-w /var/log/sudo.log -p wa -k sudoaction
## --- Kernel module loading / unloading ---
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-w /bin/kmod -p x -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -S create_module -S finit_module -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -S create_module -S finit_module -k modules
## --- Finer-grained keys for binaries already covered above ---
## NOTE(review): several paths below (ssh-keysign, ssh-agent, passwd,
## unix_chkpwd, gpasswd, chage, su, sudo, newgrp, chsh, chfn, postdrop,
## postqueue, crontab) duplicate a rule under -k privileged that is loaded
## earlier. The kernel stops at the first matching rule, so the event is
## expected to carry only the "privileged" key and searches on the
## specific keys (privileged-ssh, -passwd, ...) may come back empty --
## verify with ausearch on the target before relying on them.
-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
## open_by_handle_at is the one "access" syscall not covered in the block
## above; only the 64-bit ABI is listed here.
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
## NOTE(review): the only rule in this file using auid>=500; every other
## rule uses auid>=1000. Probably a leftover from a distribution whose
## first user uid is 500 -- confirm and align with the rest of the file.
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron
## pam_tally / pam_tally2 counters are watched for write and attribute
## changes as well as execution (perm=wxa), since resetting them by hand
## is itself worth an event.
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam
-a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
-a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
## --- Security-relevant configuration files and directories ---
-a always,exit -F path=/etc/audisp/audisp-remote.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/audit/auditd.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/default/grub -F perm=wa -k config_file_change
-a always,exit -F path=/etc/fstab -F perm=wa -k config_file_change
-a always,exit -F path=/etc/hosts.deny -F perm=wa -k config_file_change
-a always,exit -F path=/etc/login.defs -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/audit/rules.d/ -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/pam.d/ -F perm=wa -k config_file_change
-a always,exit -F path=/etc/profile -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/profile.d/ -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/security/ -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/iptables/ -F perm=wa -k config_file_change
-a always,exit -F path=/etc/sysctl.conf -F perm=wa -k config_file_change
## --- ACL changes and account modification tools ---
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod
-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update
## --- execve that changes identity (setuid/setgid binaries) ---
## -C compares two fields of the same event. Only the b64 ABI is listed;
## unlike the other syscall rules there is no b32 counterpart -- confirm
## that 32-bit binaries are out of scope.
-a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv
-a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv
## Lock the configuration: no rule can be added, removed or changed until
## the next reboot (auditctl reports an error instead).
-e 2
================================================
FILE: docs/configurations/etc.iptables.rules.v4.sh
================================================
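#!/bin/bash
#
# IPv4 host firewall (iptables) for harbian-audit.
#
# Usage: etc.iptables.rules.v4.sh IFACE [IFACE ...]
#   IFACE   a public-facing network interface; at least one is required.
#
# Order of operations:
#   1. flush filter/nat/mangle, delete user chains, create LOGDROP;
#   2. default policy DROP on INPUT, OUTPUT and FORWARD;
#   3. allow loopback, outbound TCP/UDP/ICMP and inbound ESTABLISHED/RELATED;
#   4. per public interface: log (rate-limited) and drop non-SYN NEW packets,
#      fragments and bogus TCP-flag combinations, reject NetBIOS 137-139, and
#      send a source opening too many new SSH connections in 60 s to LOGDROP;
#   5. allow inbound SSH (22/tcp), NTP (123/udp), DHCP client (68/udp), ping;
#   6. log everything else on INPUT/FORWARD (consumed by psad) and drop it.
#
# Must run as root. There is deliberately no `set -e`: a rule that fails
# (missing module, unsupported match) is reported by iptables and the rest
# of the ruleset is still applied.

IPT="/sbin/iptables"
readonly IPT

# Usage text to stderr, non-zero exit.
usage() {
  echo "Must be set to greater than or equal to a public network interface. " >&2
  echo "usage: $0 eth0, or $0 eth0 eth1" >&2
  exit 1
}

if [ $# -lt 1 ]; then
  usage
fi
# Without root every iptables call below fails one by one; say so once.
if [ "$(id -u)" -ne 0 ]; then
  echo "$0: must be run as root" >&2
  exit 1
fi

# The interface list is an array so names are never re-split on whitespace.
PUB_IFS=("$@")
echo "Public interface is ${PUB_IFS[*]}"
for PUB_IF in "${PUB_IFS[@]}"; do
  # iptables accepts any interface name, so a typo silently yields rules
  # that never match (and an interface without the per-interface rules):
  # warn, but carry on.
  if [ ! -e "/sys/class/net/${PUB_IF}" ]; then
    echo "warning: interface ${PUB_IF} not found" >&2
  fi
done

echo "Starting IPv4 Wall..."
# Clean slate in every table, then the chain used by the SSH rate limit.
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -N LOGDROP
# ip_conntrack is the legacy module name; current kernels call it nf_conntrack.
modprobe nf_conntrack 2>/dev/null || modprobe ip_conntrack

# Default-deny in every direction.
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# Loopback is unrestricted; a loopback source on any other interface is
# spoofed and dropped.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A INPUT -s 127.0.0.0/8 -j DROP

# This host may start any TCP/UDP/ICMP conversation; inbound, only replies.
$IPT -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -p icmp -m state --state RELATED -j ACCEPT
# Rate-limited trace of whatever was not a reply. LOG does not terminate
# and this sits before the ACCEPT rules below, so the first few NEW
# connections per minute to an allowed port (ssh, ntp, ...) show up under
# this prefix as well.
$IPT -A INPUT -m limit --limit 3/min -j LOG --log-prefix "FW-SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
$IPT -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
$IPT -A FORWARD -m limit --limit 3/min -j LOG --log-prefix "FW-SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options

for PUB_IF in "${PUB_IFS[@]}"; do
  # A NEW TCP connection must start with a SYN.
  $IPT -A INPUT -i "${PUB_IF}" -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "FW-Drop-Syn "
  $IPT -A INPUT -i "${PUB_IF}" -p tcp ! --syn -m state --state NEW -j DROP
  # Fragments (-f matches second and further IPv4 fragments).
  $IPT -A INPUT -i "${PUB_IF}" -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "FW-Fragments Packets "
  $IPT -A INPUT -i "${PUB_IF}" -f -j DROP
  # TCP flag combinations that never occur in legitimate traffic
  # (scanner fingerprints): NULL, XMAS, FIN-only, SYN+RST, SYN+FIN, all set.
  $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags ALL ALL -j DROP
  $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "FW-NULL Packets "
  $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
  $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "FW-XMAS Packets "
  $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS
  $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "FW-Fin Packets Scan "
  $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
  $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  # No smb/windows sharing packets - too much logging
  $IPT -A INPUT -p tcp -i "${PUB_IF}" --dport 137:139 -j REJECT
  $IPT -A INPUT -p udp -i "${PUB_IF}" --dport 137:139 -j REJECT
  # SSH rate limit. Both rules are *inserted* at the top of INPUT (ahead of
  # the generic ssh ACCEPT below) so they are evaluated first; the --update
  # rule ends up above the --set rule. Once a source has made 4 NEW ssh
  # connections within 60 s, further attempts go to LOGDROP.
  $IPT -I INPUT -p tcp --dport 22 -i "${PUB_IF}" -m state --state NEW -m recent --set
  $IPT -I INPUT -p tcp --dport 22 -i "${PUB_IF}" -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j LOGDROP
done

# Allow full outgoing connection but no incoming stuff
# (ICMP type 4 = source quench in, type 8 = echo request out).
$IPT -A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
$IPT -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# allow ssh/ntp/dhclient/http/https only
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p udp --dport 68 -m state --state NEW -j ACCEPT
# $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
# $IPT -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# allow rsyslog and audit remote server
#$IPT -A INPUT -p tcp --dport 514 -m state --state NEW -j ACCEPT
#$IPT -A INPUT -p udp --dport 60 -m state --state NEW -j ACCEPT
# allow incoming ICMP ping pong stuff
$IPT -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# prevent ssh brute force attack: the chain fed by the rate limit above
$IPT -A LOGDROP -j LOG --log-prefix "FW-LOGDROP "
$IPT -A LOGDROP -j DROP
# Log everything else
# *** Required for psad ****
$IPT -A INPUT -j LOG --log-prefix "FW-INPUT "
$IPT -A FORWARD -j LOG --log-prefix "FW-FORWARD "
$IPT -A INPUT -j DROP
exit 0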
================================================
FILE: docs/configurations/etc.iptables.rules.v6.sh
================================================
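#!/bin/bash
#
# IPv6 host firewall (ip6tables) for harbian-audit; the IPv6 counterpart of
# etc.iptables.rules.v4.sh with the same structure and the same order of
# operations (flush, default DROP, loopback, replies, per-interface
# sanity rules, allowed services, log-and-drop).
#
# Usage: etc.iptables.rules.v6.sh IFACE [IFACE ...]
#   IFACE   a public-facing network interface; at least one is required.
#
# Points where IPv6 differs from the v4 script:
#   - ICMPv6 is not optional: neighbour and router discovery run over it, so
#     ICMPv6 is allowed out (NEW) and in (all states). The protocol name is
#     ipv6-icmp (58); `-p icmp` is IPv4 ICMP (1) and never matches here.
#   - link-local (fe80::/64) sources must not be dropped: router
#     advertisements, neighbour solicitations and DHCPv6 replies come from
#     them; the DHCPv6 client port (546/udp) is allowed further down.
#   - ip6tables has no `-f`; fragments are matched with `-m frag`.
#
# Must run as root. No `set -e` on purpose: a failing rule is reported by
# ip6tables and the rest of the ruleset is still applied.

IPT="/sbin/ip6tables"
readonly IPT

# Usage text to stderr, non-zero exit.
usage() {
  echo "Must be set to greater than or equal to a public network interface. usage: $0 eth0, or $0 eth0 eth1" >&2
  exit 1
}

if [ $# -lt 1 ]; then
  usage
fi
# Without root every ip6tables call below fails one by one; say so once.
if [ "$(id -u)" -ne 0 ]; then
  echo "$0: must be run as root" >&2
  exit 1
fi

# The interface list is an array so names are never re-split on whitespace.
PUB_IFS=("$@")
echo "Public interface is ${PUB_IFS[*]}"
for PUB_IF in "${PUB_IFS[@]}"; do
  # ip6tables accepts any interface name; a typo would silently leave that
  # interface without the per-interface rules. Warn, but carry on.
  if [ ! -e "/sys/class/net/${PUB_IF}" ]; then
    echo "warning: interface ${PUB_IF} not found" >&2
  fi
done

echo "Starting IPv6 Wall..."
# Clean slate in every table, then the chain used by the SSH rate limit.
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -N LOGDROP
# ip_conntrack is the legacy module name; current kernels call it nf_conntrack.
modprobe nf_conntrack 2>/dev/null || modprobe ip_conntrack

# Default-deny in every direction.
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# Loopback is unrestricted; a loopback source on any other interface is
# spoofed and dropped. Do NOT extend this to fe80::/64 -- see the header.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A INPUT -s ::1/128 -j DROP

# This host may start any TCP/UDP/ICMPv6 conversation; inbound, only
# replies (all inbound ICMPv6 is accepted further down).
$IPT -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p ipv6-icmp -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -p ipv6-icmp -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -p ipv6-icmp -m state --state RELATED -j ACCEPT
# Rate-limited trace of whatever was not a reply; LOG does not terminate,
# so the first few NEW connections per minute to allowed ports appear here.
$IPT -A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
$IPT -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
$IPT -A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options

for PUB_IF in "${PUB_IFS[@]}"; do
  # A NEW TCP connection must start with a SYN.
  $IPT -A INPUT -i "${PUB_IF}" -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Syn"
  $IPT -A INPUT -i "${PUB_IF}" -p tcp ! --syn -m state --state NEW -j DROP
  # Fragments: packets carrying a Fragment extension header. Without the
  # `-m frag` match these two rules would apply to every packet on the
  # interface, and the DROP would shadow all of the ACCEPT rules below.
  $IPT -A INPUT -i "${PUB_IF}" -m frag -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets"
  $IPT -A INPUT -i "${PUB_IF}" -m frag -j DROP
  # TCP flag combinations that never occur in legitimate traffic
  # (scanner fingerprints): NULL, XMAS, FIN-only, SYN+RST, SYN+FIN, all set.
  $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags ALL ALL -j DROP
  $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
  $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
  $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"
  $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS
  $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
  $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
  $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  # No smb/windows sharing packets - too much logging
  $IPT -A INPUT -p tcp -i "${PUB_IF}" --dport 137:139 -j REJECT
  $IPT -A INPUT -p udp -i "${PUB_IF}" --dport 137:139 -j REJECT
  # SSH rate limit. Both rules are *inserted* at the top of INPUT (ahead of
  # the generic ssh ACCEPT below) so they are evaluated first; the --update
  # rule ends up above the --set rule. Once a source has made 4 NEW ssh
  # connections within 60 s, further attempts go to LOGDROP.
  $IPT -I INPUT -p tcp --dport 22 -i "${PUB_IF}" -m state --state NEW -m recent --set
  $IPT -I INPUT -p tcp --dport 22 -i "${PUB_IF}" -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j LOGDROP
done

# Allow full outgoing connection but no incoming stuff
# (ICMPv6 type 4 = parameter problem in, type 128 = echo request out;
# ICMPv6 has no type 8, the v4 echo-request number).
$IPT -A INPUT -p ipv6-icmp -m ipv6-icmp --icmpv6-type 4 -j ACCEPT
$IPT -A OUTPUT -p ipv6-icmp -m ipv6-icmp --icmpv6-type 128 -j ACCEPT
# allow ssh/ntp/dhclient/http/https only
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
# DHCPv6 client: replies are addressed to the link-local address, port 546.
$IPT -A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m conntrack --ctstate NEW -j ACCEPT
# $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
# $IPT -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# allow incoming ICMP ping pong stuff -- and, with it, neighbour/router
# discovery, which IPv6 cannot work without.
$IPT -A INPUT -p ipv6-icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p ipv6-icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# prevent ssh brute force attack: the chain fed by the rate limit above.
# Prefixes keep the v6 events apart from the v4 script's "FW-..." ones.
$IPT -A LOGDROP -j LOG --log-prefix "FW6-LOGDROP "
$IPT -A LOGDROP -j DROP
# Log everything else
# *** Required for psad ****
$IPT -A INPUT -j LOG --log-prefix "FW6-INPUT "
$IPT -A FORWARD -j LOG --log-prefix "FW6-FORWARD "
$IPT -A INPUT -j DROP
exit 0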
================================================
FILE: docs/configurations/etc.login.defs
================================================
#
# /etc/login.defs - Configuration control definitions for the login package.
#
# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH.
# If unspecified, some arbitrary (and possibly incorrect) value will
# be assumed. All other items are optional - if not specified then
# the described action or option will be inhibited.
#
# Comment lines (lines beginning with "#") and blank lines are ignored.
#
# Modified for Linux. --marekm
# REQUIRED for useradd/userdel/usermod
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define MAIL_DIR and MAIL_FILE,
# MAIL_DIR takes precedence.
#
# Essentially:
# - MAIL_DIR defines the location of users mail spool files
# (for mbox use) by appending the username to MAIL_DIR as defined
# below.
# - MAIL_FILE defines the location of the users mail spool files as the
# fully-qualified filename obtained by prepending the user home
# directory before $MAIL_FILE
#
# NOTE: This is no longer used for setting up the users' MAIL environment variable,
# which is, starting from shadow 4.0.12-1 in Debian, entirely the
# job of the pam_mail PAM modules
# See default PAM configuration files provided for
# login, su, etc.
#
# This is a temporary situation: setting these variables will soon
# move to /etc/default/useradd and the variables will then be
# no longer supported
MAIL_DIR /var/mail
#MAIL_FILE .mail
#
# Enable logging and display of /var/log/faillog login failure info.
# This option conflicts with the pam_tally PAM module.
#
FAILLOG_ENAB yes
#
# Enable display of unknown usernames when login failures are recorded.
#
# WARNING: Unknown usernames may become world readable.
# See #290803 and #298773 for details about how this could become a security
# concern
LOG_UNKFAIL_ENAB no
#
# Enable logging of successful logins
#
LOG_OK_LOGINS no
#
# Enable "syslog" logging of su activity - in addition to sulog file logging.
# SYSLOG_SG_ENAB does the same for newgrp and sg.
#
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
#
# If defined, all su activity is logged to this file.
#
#SULOG_FILE /var/log/sulog
#
# If defined, file which maps tty line to TERM environment parameter.
# Each line of the file is in a format something like "vt100 tty01".
#
#TTYTYPE_FILE /etc/ttytype
#
# If defined, login failures will be logged here in a utmp format
# last, when invoked as lastb, will read /var/log/btmp, so...
#
FTMP_FILE /var/log/btmp
#
# If defined, the command name to display when running "su -". For
# example, if this is defined as "su" then a "ps" will display the
# command is "-su". If not defined, then "ps" would display the
# name of the shell actually being run, e.g. something like "-sh".
#
SU_NAME su
#
# If defined, file which inhibits all the usual chatter during the login
# sequence. If a full pathname, then hushed mode will be enabled if the
# user's name or shell are found in the file. If not a full pathname, then
# hushed mode will be enabled if the file exists in the user's home directory.
#
HUSHLOGIN_FILE .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins
#
# *REQUIRED* The default PATH settings, for superuser and normal users.
#
# (they are minimal, add the rest in the shell startup files)
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
#
# Terminal permissions
#
# TTYGROUP Login tty will be assigned this group ownership.
# TTYPERM Login tty will be set to this permission.
#
# If you have a "write" program which is "setgid" to a special group
# which owns the terminals, define TTYGROUP to the group number and
# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
# TTYPERM to either 622 or 600.
#
# In Debian /usr/bin/bsd-write or similar programs are setgid tty.
# However, the default and recommended value for TTYPERM is still 0600
# so that nobody can write to anyone else's console or terminal.
# Users can still allow other people to write to them by issuing
# the "mesg y" command.
TTYGROUP tty
TTYPERM 0600
#
# Login configuration initializations:
#
# ERASECHAR Terminal ERASE character ('\010' = backspace).
# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
# UMASK Default "umask" value.
#
# The ERASECHAR and KILLCHAR are used only on System V machines.
#
# UMASK is the default umask value for pam_umask and is used by
# useradd and newusers to set the mode of the new home directories.
# 022 is the "historical" value in Debian for UMASK
# 027, or even 077, could be considered better for privacy
# There is no One True Answer here : each sysadmin must make up his/her
# mind.
#
# If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value
# for private user groups, i. e. the uid is the same as gid, and username is
# the same as the primary group name: for these, the user permissions will be
# used as group permissions, e. g. 022 will become 002.
#
# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
#
ERASECHAR 0177
KILLCHAR 025
UMASK 022
#
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
PASS_WARN_AGE 7
#
# Min/max values for automatic uid selection in useradd
#
UID_MIN 1000
UID_MAX 60000
# System accounts
#SYS_UID_MIN 100
#SYS_UID_MAX 999
#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 1000
GID_MAX 60000
# System accounts
#SYS_GID_MIN 100
#SYS_GID_MAX 999
#
# Max number of login retries if the password is bad. This will most likely be
# overridden by PAM, since the default pam_unix module has its own built-in
# limit of 3 retries. However, this is a safe fallback in case you are using
# an authentication module that does not enforce PAM_MAXTRIES.
#
LOGIN_RETRIES 5
#
# Max time in seconds for login
#
LOGIN_TIMEOUT 60
#
# Which fields may be changed by regular users using chfn - use
# any combination of letters "frwh" (full name, room number, work
# phone, home phone). If not defined, no changes are allowed.
# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
#
CHFN_RESTRICT rwh
#
# Should login be allowed if we can't cd to the home directory?
# Default is no.
#
DEFAULT_HOME yes
#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD /usr/sbin/userdel_local
#
# If set to yes, userdel will remove the user's group if it contains no
# more members, and useradd will create by default a group with the name
# of the user.
#
# Other former uses of this variable such as setting the umask when
# user==primary group are not used in PAM environments, such as Debian
#
USERGROUPS_ENAB yes
#
# Instead of the real user shell, the program specified by this parameter
# will be launched, although its visible name (argv[0]) will be the shell's.
# The program may do whatever it wants (logging, additional authentication,
# banner, ...) before running the actual shell.
#
# FAKE_SHELL /bin/fakeshell
#
# If defined, either full pathname of a file containing device names or
# a ":" delimited list of device names. Root logins will be allowed only
# upon these devices.
#
# This variable is used by login and su.
#
#CONSOLE /etc/consoles
#CONSOLE console:tty01:tty02:tty03:tty04
#
# List of groups to add to the user's supplementary group set
# when logging in on the console (as determined by the CONSOLE
# setting). Default is none.
#
# Use with caution - it is possible for users to gain permanent
# access to these groups, even when not logged in on the console.
# How to do it is left as an exercise for the reader...
#
# This variable is used by login and su.
#
#CONSOLE_GROUPS floppy:audio:cdrom
#
# If set to "yes", new passwords will be encrypted using the MD5-based
# algorithm compatible with the one used by recent releases of FreeBSD.
# It supports passwords of unlimited length and longer salt strings.
# Set to "no" if you need to copy encrypted passwords to other systems
# which don't understand the new algorithm. Default is "no".
#
# This variable is deprecated. You should use ENCRYPT_METHOD.
#
#MD5_CRYPT_ENAB no
#
# If set to MD5 , MD5-based algorithm will be used for encrypting password
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
# If set to DES, DES-based algorithm will be used for encrypting password (default)
# Overrides the MD5_CRYPT_ENAB option
#
# Note: It is recommended to use a value consistent with
# the PAM modules configuration.
#
ENCRYPT_METHOD SHA512
#
# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512.
#
# Define the number of SHA rounds.
# With more rounds, brute-forcing the password becomes more difficult.
# But note also that more CPU resources will be needed to authenticate
# users.
#
# If not specified, the libc will choose the default number of rounds (5000).
# The values must be inside the 1000-999999999 range.
# If only one of the MIN or MAX values is set, then this value will be used.
# If MIN > MAX, the highest value will be used.
#
# SHA_CRYPT_MIN_ROUNDS 5000
# SHA_CRYPT_MAX_ROUNDS 5000
################# OBSOLETED BY PAM ##############
# #
# These options are now handled by PAM. Please #
# edit the appropriate file in /etc/pam.d/ to #
# enable the equivalents of them.
#
###############
#MOTD_FILE
#DIALUPS_CHECK_ENAB
#LASTLOG_ENAB
#MAIL_CHECK_ENAB
#OBSCURE_CHECKS_ENAB
#PORTTIME_CHECKS_ENAB
#SU_WHEEL_ONLY
#CRACKLIB_DICTPATH
#PASS_CHANGE_TRIES
#PASS_ALWAYS_WARN
#ENVIRON_FILE
#NOLOGINS_FILE
#ISSUE_FILE
#PASS_MIN_LEN
#PASS_MAX_LEN
#ULIMIT
#ENV_HZ
#CHFN_AUTH
#CHSH_AUTH
#FAIL_DELAY
################# OBSOLETED #######################
# #
# These options are no more handled by shadow. #
# #
# Shadow utilities will display a warning if they #
# still appear. #
# #
###################################################
# CLOSE_SESSIONS
# LOGIN_STRING
# NO_PASSWORD_CONSOLE
# QMAIL_DIR
CREATE_HOME yes
================================================
FILE: docs/configurations/etc.nftables.conf
================================================
#!/usr/sbin/nft -f
# Please replace ens33 with the interface name of your device
define int_if = ens33
# If there are multiple network interfaces, for example:
# define int_if = {ens33, ens36}
flush ruleset
table ip filter {
chain INPUT {
type filter hook input priority 0; policy drop;
iifname "lo" counter packets 0 bytes 0 accept
ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop
ip protocol tcp ct state established counter packets 0 bytes 0 accept
ip protocol udp ct state established counter packets 0 bytes 0 accept
ip protocol icmp ct state established counter packets 0 bytes 0 accept
ip protocol icmp ct state related counter packets 0 bytes 0 accept
limit rate 3/minute counter packets 0 bytes 0 log prefix "SFW2-IN-ILL-TARGET " flags tcp options flags ip options
iifname $int_if tcp flags & (fin | syn | rst | ack) != syn ct state new limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "Drop Syn"
iifname $int_if tcp flags & (fin | syn | rst | ack) != syn ct state new counter packets 0 bytes 0 drop
iifname $int_if ip frag-off & 8191 != 0 limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "Fragments Packets"
iifname $int_if ip frag-off & 8191 != 0 counter packets 0 bytes 0 drop
iifname $int_if tcp flags & (fin | syn | rst | psh | ack | urg) == fin | psh | urg counter packets 0 bytes 0 drop
iifname $int_if tcp flags & (fin | syn | rst | psh | ack | urg) == fin | syn | rst | psh | ack | urg counter packets 0 bytes 0 drop
iifname $int_if tcp flags & (fin | syn | rst | psh | ack | urg) == 0x0 limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "NULL Packets"
iifname $int_if tcp flags & (fin | syn | rst | psh | ack | urg) == 0x0 counter packets 0 bytes 0 drop
iifname $int_if tcp flags & (syn | rst) == syn | rst counter packets 0 bytes 0 drop
iifname $int_if tcp flags & (fin | syn) == fin | syn limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "XMAS Packets"
iifname $int_if tcp flags & (fin | syn) == fin | syn counter packets 0 bytes 0 drop
iifname $int_if tcp flags & (fin | ack) == fin limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "Fin Packets Scan"
iifname $int_if tcp flags & (fin | ack) == fin counter packets 0 bytes 0 drop
iifname $int_if tcp flags & (fin | syn | rst | psh | ack | urg) == fin | syn | rst | ack | urg counter packets 0 bytes 0 drop
iifname $int_if tcp dport 137-139 counter packets 0 bytes 0 reject
iifname $int_if udp dport 137-139 counter packets 0 bytes 0 reject
icmp type source-quench counter packets 0 bytes 0 accept
tcp dport ssh ct state new counter packets 0 bytes 0 accept
udp dport ntp ct state new counter packets 0 bytes 0 accept
udp dport bootpc ct state new counter packets 0 bytes 0 accept
tcp dport http ct state new counter packets 0 bytes 0 accept
icmp type echo-request ct state established,related,new counter packets 0 bytes 0 accept
counter packets 0 bytes 0 log
counter packets 0 bytes 0 drop
}
chain FORWARD {
type filter hook forward priority 0; policy drop;
limit rate 3/minute counter packets 0 bytes 0 log prefix "SFW2-FWD-ILL-ROUTING " flags tcp options flags ip options
counter packets 0 bytes 0 log
}
chain OUTPUT {
type filter hook output priority 0; policy drop;
oifname "lo" counter packets 0 bytes 0 accept
ip protocol tcp ct state established,new counter packets 0 bytes 0 accept
ip protocol udp ct state established,new counter packets 0 bytes 0 accept
ip protocol icmp ct state established,new counter packets 0 bytes 0 accept
icmp type echo-request counter packets 0 bytes 0 accept
icmp type echo-reply ct state established,related counter packets 0 bytes 0 accept
}
chain LOGDROP {
counter packets 0 bytes 0 log
counter packets 0 bytes 0 drop
}
}
table ip nat {
chain PREROUTING {
type nat hook prerouting priority -100; policy accept;
}
chain INPUT {
type nat hook input priority 100; policy accept;
}
chain POSTROUTING {
type nat hook postrouting priority 100; policy accept;
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
}
}
table ip mangle {
chain PREROUTING {
type filter hook prerouting priority -150; policy accept;
}
chain INPUT {
type filter hook input priority -150; policy accept;
}
chain FORWARD {
type filter hook forward priority -150; policy accept;
}
chain OUTPUT {
type route hook output priority -150; policy accept;
}
chain POSTROUTING {
type filter hook postrouting priority -150; policy accept;
}
}
================================================
FILE: docs/configurations/etc.ssh.sshd_config
================================================
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
Protocol 2
LogLevel INFO
MaxAuthTries 4
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
PermitUserEnvironment no
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
ClientAliveInterval 900
ClientAliveCountMax 0
AllowUsers *
AllowGroups *
DenyUsers nobody
DenyGroups nobody
Banner /etc/issue.net
PrintLastLog yes
IgnoreUserKnownHosts yes
GSSAPIAuthentication no
KerberosAuthentication no
StrictModes yes
UsePrivilegeSeparation sandbox
Compression no
MACs hmac-sha2-256,hmac-sha2-512
================================================
FILE: docs/configurations/manual-operation-docs/how_to_config_grub2_password_protection.mkd
================================================
# How to configure grub2 password protection
## test platform info:
```
Operation system: Debian GNU/Linux 9.6
Grub version: 2.02~beta3-5+deb9u1
```
## 1、Generate hashed password for GRUB
This example uses the following string as the password: "MangGuO93,*jqvt"; a combination of this complexity is required for the password to be sufficiently robust.
```
# grub-mkpasswd-pbkdf2
Enter password:
Reenter password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.F5CFD948DC06B644E05531FBF9773C086B228A87033642B32D41DBE141B10D2FD0604C8ABCDD2D2D76C834297969EADC64687EB32662CB59BCA0898AD69D7FE6.C698997624F217CDCE83446E80632FF9F7AFB1A0A6AE0B5752A81392F1BAA9A44C37AF5B29D7CEE13B9DE7D1207D5FB4A173A49D1518B1492BB6D9FE45444656
```
It generates a long hashed password like this: grub.pbkdf2.sha512.10000........ Copy the complete generated string.
## 2、Setting Up Password Protection
### 1)Modify /etc/grub.d/10_linux
In /etc/grub.d/10_linux, find the following line:
```
echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
```
Add --users '':
```
echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} --users '' \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
```
### 2) Modify /etc/grub.d/30_os-prober
To alter the /etc/grub.d/30_os-prober to add password protection to all entries:
```
# sed 's/--class os /--class os --users /' -i /etc/grub.d/30_os-prober
```
### 3)Add password protection to /etc/grub.d/40_custom
```
set superusers="username"
password_pbkdf2 username password
```
Replace the word "username" with your desired user name, and the word "password" with the hashed password generated in the previous step.
The format of a hashed password entry in /etc/grub.d/40_custom would look similar to the following (shortened in the example):
```
set superusers="John"
password_pbkdf2 John grub.pbkdf2.sha512.10000.F5CFD948DC06B644E05531FBF9773C086B228A87033642B32D41DBE141B10D2FD0604C8ABCDD2D2D76C834297969EADC64687EB32662CB59BCA0898AD69D7FE6.C698997624F217CDCE83446E80632FF9F7AFB1A0A6AE0B5752A81392F1BAA9A44C37AF5B29D7CEE13B9DE7D1207D5FB4A173A49D1518B1492BB6D9FE45444656
```
Save the file and exit.
## 3、Generate a grub2 config file
```
# update-grub2
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-4.9.0-8-amd64
Found initrd image: /boot/initrd.img-4.9.0-8-amd64
done
```
That's all, your grub2 is protected.
## 4、Let the operating system entry boot normally
If you configure only steps 1 to 3, booting the normal operating system entry will also require superuser authentication, which is inconvenient for routine startup. The goal here is to let the operating system entry boot normally while still ensuring that nobody except the superusers can edit the related entry in the menu. Apply only the first and third items of step 2, leave the other operations unchanged, and additionally make the following change.
Find following line in /etc/grub.d/10_linux:
```
echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
```
Add --unrestricted:
```
echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} --unrestricted \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
```
## 5、Troubleshooting
If you add the password protection to /etc/grub.d/00_header instead, you may get an error like the following when running update-grub2:
```
# update-grub2
/etc/grub.d/00_header :274 /etc/grub.d/00_header password_pbkdf2 not found
```
Remember that the correct file to edit is 40_custom, because other files such as grub.cfg or even 00_header are regenerated automatically by the system in certain circumstances, which would make you lose those changes.
## 6、Reference
[https://www.gnu.org/software/grub/manual/grub/html_node/Authentication-and-authorisation.html#Authentication-and-authorisation](https://www.gnu.org/software/grub/manual/grub/html_node/Authentication-and-authorisation.html#Authentication-and-authorisation)
[https://help.ubuntu.com/community/Grub2/Passwords](https://help.ubuntu.com/community/Grub2/Passwords)
================================================
FILE: docs/configurations/manual-operation-docs/how_to_deploy_audisp_remote_for_audit_log.mkd
================================================
# How to deploy audisp-remote
## Server
### Install package
```
# apt install -y auditd
```
### Configure
Set auditd listen port in /etc/audit/auditd.conf:
```
tcp_listen_port = 60
```
### Restart service
Restart auditd service:
```
systemctl restart auditd
```
## Client
### Install package
```
# apt install -y audispd-plugins auditd
```
### Configure
Modify /etc/audisp/plugins.d/au-remote.conf:
```
active = yes
```
In this example the remote server is 172.16.237.135.
Modify /etc/audisp/audisp-remote.conf:
```
remote_server = 172.16.237.135
port = 60
local_port = 2006
```
In audispd-plugins version 1:2.6.7-2, you need to replace queue_error with queue_error_action, because this version has a bug:
```
The queue_error configuration item in the configuration file
etc/audisp/audisp-remote.conf is inconsistent with the MAN document
(usr/share/man/man5/audisp-remote.conf.5.gz). The MAN document is
queue_error_action.
```
If logs should not be recorded on the local filesystem, modify /etc/audit/auditd.conf:
```
write_logs = no
```
Set name_format in /etc/audisp/audispd.conf to NUMERIC so that the node field in audit.log records the IP address:
```
name_format = NUMERIC
```
**Note: The IP address may be 127.0.1.1; if so, correct it in /etc/hosts. You can use hostname -i to check whether it is the correct address.**
### Restart service
Restart auditd service:
```
systemctl restart auditd
```
## Firewall set and wrapper set
### Server
If TCP Wrappers is installed and configured to deny all on the audit log receiver host, add a TCP access-control entry for the audit service.
In this example the client address is 172.16.237.136.
```
# vim /etc/hosts.allow
# set allowed hosts
auditd: 172.16.237.136
```
If the firewall's INPUT and OUTPUT policies are set to drop all traffic, accept the audit service traffic:
```
iptables -A INPUT -p tcp --dport 60 --sport 2006 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 60 --dport 2006 -m state --state NEW,ESTABLISHED -j ACCEPT
```
### Client
If TCP Wrappers is installed and configured to deny all on the client host, add a TCP access-control entry for the audit service.
In this example the server address is 172.16.237.135.
```
# vim /etc/hosts.allow
# set allowed hosts
audisp-remote: 172.16.237.135
```
If the firewall's INPUT and OUTPUT policies are set to drop all traffic, accept the audit service traffic:
```
iptables -A INPUT -p tcp --dport 2006 --sport 60 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 2006 --dport 60 -m state --state NEW,ESTABLISHED -j ACCEPT
```
================================================
FILE: docs/configurations/manual-operation-docs/how_to_fix_SELinux_access_denied.mkd
================================================
# How to fix SELinux's access denied
## Top3 causes of problems
### Labeling Problems
On systems running SELinux, all processes and files are labeled with a label that contains security-relevant information. This information is called the SELinux context. If these labels are wrong, access may be denied. An incorrectly labeled application may cause an incorrect label to be assigned to its process. This may cause SELinux to deny access, and the process may create mislabeled files. A common cause of labeling problems is when a non-standard directory is used for a service.
For example, instead of using /var/www/html/ for a website, an administrator wants to use /srv/myweb/. The /srv directory is labeled with the var_t type. Files and directories created in /srv inherit this type. Also, newly-created objects in top-level directories (such as /myserver) may be labeled with the default_t type. SELinux prevents the Apache HTTP Server (httpd) from accessing both of these types. To allow access, SELinux must know that the files in /srv/myweb/ are to be accessible to httpd:
```
~# semanage fcontext -a -t httpd_sys_content_t "/srv/myweb(/.*)?"
```
This semanage command adds the context for the /srv/myweb/ directory (and all files and directories under it) to the SELinux file-context configuration. The semanage utility does not change the context itself. As root, run the restorecon utility to apply the changes:
```
~# restorecon -R -v /srv/myweb
```
The matchpathcon utility checks the context of a file path and compares it to the default label for that path.
The following example demonstrates using matchpathcon on a directory that contains incorrectly labeled files:
```
~# matchpathcon -V /var/www/html/*
/var/www/html/index.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/page1.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
```
In this example, the index.html and page1.html files are labeled with the user_home_t type. This type is used for files in user home directories. Using the mv command to move files from your home directory may result in files being labeled with the user_home_t type. This type should not exist outside of home directories. Use the restorecon utility to restore such files to their correct type:
```
~# restorecon -v /var/www/html/index.html
restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
```
To restore the context for all files under a directory, use the -R option.
### Configuring Booleans
Services can be run in a variety of ways. To cater for this, you need to specify how you run your services. This can be achieved through Booleans that allow parts of SELinux policy to be changed at runtime, without any knowledge of SELinux policy writing. This allows changes, such as allowing services access to NFS volumes, without reloading or recompiling SELinux policy. Also, running services on non-default port numbers requires the policy configuration to be updated using the semanage command. For example, to allow the Apache HTTP Server to communicate with MariaDB, enable the httpd_can_network_connect_db Boolean:
```
~# setsebool -P httpd_can_network_connect_db on
```
### Evolving Rules and Broken Applications
Applications may be broken, causing SELinux to deny access. Also, SELinux rules are evolving – SELinux may not have seen an application running in a certain way, possibly causing it to deny access, even though the application is working as expected. For example, if a new version of PostgreSQL is released, it may perform actions the current policy has not seen before, causing access to be denied, even though access should be allowed. For these situations, after access is denied, use the audit2allow utility to create a custom policy module to allow access.
## Example fix clamav-daemon access
### Platform info
OS: Debian 10
SELinux status:
```
~# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31
```
Installed pkg: auditd, clamav-daemon, clamav-freshclam
### Problems info
When SELinux is set to enforcing, clamav-daemon.service fails:
```
~# systemctl status clamav-daemon.service
● clamav-daemon.service - Clam AntiVirus userspace daemon
Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled; vendor preset: enabled)
Drop-In: /etc/systemd/system/clamav-daemon.service.d
└─extend.conf
Active: failed (Result: exit-code) since Sun 2020-09-13 04:51:04 EDT; 20h ago
Docs: man:clamd(8)
man:clamd.conf(5)
https://www.clamav.net/documents/
Process: 618 ExecStartPre=/bin/mkdir /run/clamav (code=exited, status=1/FAILURE)
Process: 619 ExecStartPre=/bin/chown clamav /run/clamav (code=exited, status=0/SUCCESS)
Process: 620 ExecStart=/usr/sbin/clamd --foreground=true (code=exited, status=1/FAILURE)
Main PID: 620 (code=exited, status=1/FAILURE)
Sep 13 04:50:47 debian systemd[1]: Starting Clam AntiVirus userspace daemon...
Sep 13 04:50:47 debian mkdir[618]: /bin/mkdir: cannot create directory ‘/run/clamav’: File exists
Sep 13 04:50:47 debian systemd[1]: Started Clam AntiVirus userspace daemon.
Sep 13 04:51:04 debian clamd[620]: Sun Sep 13 04:51:04 2020 -> !LOCAL: Socket file /var/run/clamav/clamd.ctl could not be bound: Permission denied
Sep 13 04:51:04 debian systemd[1]: clamav-daemon.service: Main process exited, code=exited, status=1/FAILURE
Sep 13 04:51:04 debian systemd[1]: clamav-daemon.service: Failed with result 'exit-code'.
```
### Find the cause
#### First, check the Booleans related to clamav
```
~# semanage boolean -l | grep clamav
clamav_read_all_non_security_files_clamscan (off , off) Determine whether clamscan can read all non-security files.
clamav_read_user_content_files_clamscan (off , off) Determine whether clamscan can read user content files.
~# semanage boolean -l | grep clamd
clamd_use_jit (off , off) Determine whether can clamd use JIT compiler.
```
#### Get descriptions of why the access was denied
```
~# grep clamd /var/log/audit/audit.log | audit2why
type=AVC msg=audit(1599973736.201:32): avc: denied { search } for pid=454 comm="clamd" name="dbus" dev="tmpfs" ino=16346 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1599973754.677:52): avc: denied { getattr } for pid=454 comm="clamd" path="/run/clamav" dev="tmpfs" ino=16617 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
......
```
According to the above information, it can be concluded that it is caused by the missing of TE allow rules.
### To fix these problems
#### Set SELinux in permissive mode
```
~# setenforce 0
```
#### Disable dontaudit rules
To temporarily disable dontaudit rules, allowing all denials to be logged, enter the following command as root:
```
~# semodule -DB
```
#### Restart service
Restart clamav-daemon.service to generate audit logs:
```
~# systemctl restart clamav-daemon.service
```
#### Find deny message
Find AVC, USER_AVC, SELINUX_ERR message of audit.log:
```
~# ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today
type=AVC msg=audit(1600117445.764:3149): avc: denied { create } for pid=3857 comm="clamd" name="clamd.ctl" scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1600117445.764:3149): avc: denied { add_name } for pid=3857 comm="clamd" name="clamd.ctl" scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1600117445.764:3149): avc: denied { write } for pid=3857 comm="clamd" name="clamav" dev="tmpfs" ino=15823 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1600117445.764:3149): avc: denied { search } for pid=3857 comm="clamd" name="clamav" dev="tmpfs" ino=15823 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=1
......
```
#### Generate a loadable module and install
Review the generated clamd.te before installing it: audit2allow permits exactly the accesses that were denied, which may be broader than the service actually needs.
```
~# grep clamd /var/log/audit/audit.log | audit2allow -M clamd
~# semodule -i clamd.pp
```
#### Enable dontaudit rules
```
semodule -B
```
#### Set SELinux in enforcing mode
```
~# setenforce 1
```
#### Check
Check that the module was installed successfully:
```
# semodule -l | grep clamd
clamd
```
Check whether the allow rule setting is successful:
```
~# cat clamd.te
module clamd 1.0;
require {
type system_dbusd_var_run_t;
type system_dbusd_t;
type initrc_var_run_t;
type clamd_t;
type init_t;
class dir { add_name getattr remove_name search write };
class sock_file { create setattr unlink write };
class unix_stream_socket connectto;
class dbus send_msg;
}
#============= clamd_t ==============
allow clamd_t init_t:dbus send_msg;
allow clamd_t initrc_var_run_t:dir { add_name getattr remove_name search write };
allow clamd_t initrc_var_run_t:sock_file { create setattr unlink };
allow clamd_t system_dbusd_t:dbus send_msg;
allow clamd_t system_dbusd_t:unix_stream_socket connectto;
allow clamd_t system_dbusd_var_run_t:dir search;
allow clamd_t system_dbusd_var_run_t:sock_file write;
#============= init_t ==============
allow init_t clamd_t:dbus send_msg;
~# sesearch --allow -s clamd_t -t initrc_var_run_t -p create
allow clamd_t initrc_var_run_t:sock_file { create setattr unlink };
```
## Reference
[https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/pdf/selinux_users_and_administrators_guide/Red_Hat_Enterprise_Linux-7-SELinux_Users_and_Administrators_Guide-en-US.pdf](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/pdf/selinux_users_and_administrators_guide/Red_Hat_Enterprise_Linux-7-SELinux_Users_and_Administrators_Guide-en-US.pdf)
================================================
FILE: docs/configurations/manual-operation-docs/how_to_migrating_from_iptables_to_nftables_in_debian10.md
================================================
# How to migrate from iptables to nftables in Debian Buster
Debian Buster uses the nftables framework by default.
## Pre-install
```
# apt install nftables
```
## Check iptables link point
Starting with Debian Buster, nf_tables is the default backend when using iptables, by means of the iptables-nft layer (i.e., using iptables syntax with the nf_tables kernel subsystem). This also affects ip6tables, arptables and ebtables.
You can switch back and forth between iptables-nft and iptables-legacy by means of update-alternatives (same applies to arptables and ebtables).
Check iptables currently link:
```
# update-alternatives --display iptables
iptables - auto mode
link best version is /usr/sbin/iptables-nft
link currently points to /usr/sbin/iptables-nft
link iptables is /usr/sbin/iptables
slave iptables-restore is /usr/sbin/iptables-restore
slave iptables-save is /usr/sbin/iptables-save
/usr/sbin/iptables-legacy - priority 10
slave iptables-restore: /usr/sbin/iptables-legacy-restore
slave iptables-save: /usr/sbin/iptables-legacy-save
/usr/sbin/iptables-nft - priority 20
slave iptables-restore: /usr/sbin/iptables-nft-restore
slave iptables-save: /usr/sbin/iptables-nft-save
```
If the output looks like the above, no switch is needed. If the link currently points to iptables-legacy, switch it to iptables-nft with the following commands:
```
# update-alternatives --set iptables /usr/sbin/iptables-nft
# update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
# update-alternatives --set arptables /usr/sbin/arptables-nft
# update-alternatives --set ebtables /usr/sbin/ebtables-nft
# update-alternatives --display iptables
```
## Migrating
To move from an existing iptables ruleset to nftables:
### Command translation
You can generate a translation of an iptables/ip6tables command to know the nftables equivalent.
```
# iptables-translate -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
nft add rule ip filter INPUT tcp dport 22 ct state new counter accept
# ip6tables-translate -A FORWARD -i eth0 -o eth3 -p udp -m multiport --dports 111,222 -j ACCEPT
nft add rule ip6 filter FORWARD iifname "eth0" oifname "eth3" meta l4proto udp udp dport { 111,222} counter accept
```
Instead of translating command by command, you can translate your whole ruleset in a single run:
```
# iptables-save > save.txt
# iptables-restore-translate -f save.txt
# Translated by iptables-restore-translate v1.8.2 on Fri Jul 12 04:33:36 2019
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; policy drop; }
add chain ip filter FORWARD { type filter hook forward priority 0; policy drop; }
add chain ip filter OUTPUT { type filter hook output priority 0; policy drop; }
add chain ip filter LOGDROP
add rule ip filter INPUT iifname "lo" counter accept
add rule ip filter INPUT ip saddr 127.0.0.0/8 counter drop
add rule ip filter INPUT ip protocol tcp ct state established counter accept
add rule ip filter INPUT ip protocol udp ct state established counter accept
add rule ip filter INPUT ip protocol icmp ct state established counter accept
add rule ip filter INPUT ip protocol icmp ct state related counter accept
add rule ip filter INPUT limit rate 3/minute burst 5 packets counter log prefix "SFW2-IN-ILL-TARGET " flags tcp options flags ip options
add rule ip filter INPUT iifname "ens33" tcp flags & (fin|syn|rst|ack) != syn ct state new limit rate 5/minute burst 7 packets counter log prefix "Drop Syn"
add rule ip filter INPUT iifname "ens33" tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop
add rule ip filter INPUT iifname "ens33" ip frag-off & 0x1fff != 0 limit rate 5/minute burst 7 packets counter log prefix "Fragments Packets"
add rule ip filter INPUT iifname "ens33" ip frag-off & 0x1fff != 0 counter drop
add rule ip filter INPUT iifname "ens33" tcp flags & (fin|syn|rst|psh|ack|urg) == fin|psh|urg counter drop
add rule ip filter INPUT iifname "ens33" tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop
add rule ip filter INPUT iifname "ens33" tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 limit rate 5/minute burst 7 packets counter log prefix "NULL Packets"
add rule ip filter INPUT iifname "ens33" tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
add rule ip filter INPUT iifname "ens33" tcp flags & (syn|rst) == syn|rst counter drop
add rule ip filter INPUT iifname "ens33" tcp flags & (fin|syn) == fin|syn limit rate 5/minute burst 7 packets counter log prefix "XMAS Packets"
add rule ip filter INPUT iifname "ens33" tcp flags & (fin|syn) == fin|syn counter drop
add rule ip filter INPUT iifname "ens33" tcp flags & (fin|ack) == fin limit rate 5/minute burst 7 packets counter log prefix "Fin Packets Scan"
add rule ip filter INPUT iifname "ens33" tcp flags & (fin|ack) == fin counter drop
add rule ip filter INPUT iifname "ens33" tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|ack|urg counter drop
add rule ip filter INPUT iifname "ens33" tcp dport 137-139 counter reject
add rule ip filter INPUT iifname "ens33" udp dport 137-139 counter reject
add rule ip filter INPUT icmp type source-quench counter accept
add rule ip filter INPUT tcp dport 22 ct state new counter accept
add rule ip filter INPUT udp dport 123 ct state new counter accept
add rule ip filter INPUT udp dport 68 ct state new counter accept
add rule ip filter INPUT tcp dport 80 ct state new counter accept
add rule ip filter INPUT icmp type echo-request ct state new,related,established counter accept
add rule ip filter INPUT counter log
add rule ip filter INPUT counter drop
add rule ip filter FORWARD limit rate 3/minute burst 5 packets counter log prefix "SFW2-FWD-ILL-ROUTING " flags tcp options flags ip options
add rule ip filter FORWARD counter log
add rule ip filter OUTPUT oifname "lo" counter accept
add rule ip filter OUTPUT ip protocol tcp ct state new,established counter accept
add rule ip filter OUTPUT ip protocol udp ct state new,established counter accept
add rule ip filter OUTPUT ip protocol icmp ct state new,established counter accept
add rule ip filter OUTPUT icmp type echo-request counter accept
add rule ip filter OUTPUT icmp type echo-reply ct state related,established counter accept
add rule ip filter LOGDROP counter log
add rule ip filter LOGDROP counter drop
add table ip nat
add chain ip nat PREROUTING { type nat hook prerouting priority -100; policy accept; }
add chain ip nat INPUT { type nat hook input priority 100; policy accept; }
add chain ip nat POSTROUTING { type nat hook postrouting priority 100; policy accept; }
add chain ip nat OUTPUT { type nat hook output priority -100; policy accept; }
add table ip mangle
add chain ip mangle PREROUTING { type filter hook prerouting priority -150; policy accept; }
add chain ip mangle INPUT { type filter hook input priority -150; policy accept; }
add chain ip mangle FORWARD { type filter hook forward priority -150; policy accept; }
add chain ip mangle OUTPUT { type route hook output priority -150; policy accept; }
add chain ip mangle POSTROUTING { type filter hook postrouting priority -150; policy accept; }
# Completed on Fri Jul 12 04:33:36 2019
```
You should be able to directly give this to nftables:
```
# iptables-restore-translate -f save.txt > ruleset.nft
# nft -f ruleset.nft
```
List the nft ruleset:
```
# nft list ruleset
table ip filter {
chain INPUT {
type filter hook input priority 0; policy drop;
iifname "ens33" meta l4proto tcp tcp dport 22 ct state new # recent: UPDATE seconds: 60 hit_count: 4 name: DEFAULT side: source mask: 255.255.255.255 counter packets 0 bytes 0 jump LOGDROP
iifname "ens33" meta l4proto tcp tcp dport 22 ct state new # recent: SET name: DEFAULT side: source mask: 255.255.255.255 counter packets 0 bytes 0
iifname "lo" counter packets 0 bytes 0 accept
ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop
meta l4proto tcp ct state established counter packets 487 bytes 34832 accept
meta l4proto udp ct state established counter packets 4 bytes 1060 accept
meta l4proto icmp ct state established counter packets 0 bytes 0 accept
meta l4proto icmp ct state related counter packets 0 bytes 0 accept
limit rate 3/minute counter packets 0 bytes 0 log prefix "SFW2-IN-ILL-TARGET " flags tcp options flags ip options
iifname "ens33" meta l4proto tcp tcp flags & (fin|syn|rst|ack) != syn ct state new limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "Drop Syn"
iifname "ens33" meta l4proto tcp tcp flags & (fin|syn|rst|ack) != syn ct state new counter packets 0 bytes 0 drop
iifname "ens33" ip frag-off & 8191 != 0 limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "Fragments Packets"
iifname "ens33" ip frag-off & 8191 != 0 counter packets 0 bytes 0 drop
iifname "ens33" meta l4proto tcp tcp flags & (fin|syn|rst|psh|ack|urg) == fin|psh|urg counter packets 0 bytes 0 drop
iifname "ens33" meta l4proto tcp tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter packets 0 bytes 0 drop
iifname "ens33" meta l4proto tcp tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "NULL Packets"
iifname "ens33" meta l4proto tcp tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter packets 0 bytes 0 drop
iifname "ens33" meta l4proto tcp tcp flags & (syn|rst) == syn|rst counter packets 0 bytes 0 drop
iifname "ens33" meta l4proto tcp tcp flags & (fin|syn) == fin|syn limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "XMAS Packets"
iifname "ens33" meta l4proto tcp tcp flags & (fin|syn) == fin|syn counter packets 0 bytes 0 drop
iifname "ens33" meta l4proto tcp tcp flags & (fin|ack) == fin limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "Fin Packets Scan"
iifname "ens33" meta l4proto tcp tcp flags & (fin|ack) == fin counter packets 0 bytes 0 drop
iifname "ens33" meta l4proto tcp tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|ack|urg counter packets 0 bytes 0 drop
iifname "ens33" meta l4proto tcp tcp dport 137-139 counter packets 0 bytes 0 reject
iifname "ens33" meta l4proto udp udp dport 137-139 counter packets 0 bytes 0 reject
meta l4proto icmp icmp type source-quench counter packets 0 bytes 0 accept
meta l4proto tcp tcp dport 22 ct state new counter packets 0 bytes 0 accept
meta l4proto udp udp dport 123 ct state new counter packets 0 bytes 0 accept
meta l4proto udp udp dport 68 ct state new counter packets 0 bytes 0 accept
meta l4proto tcp tcp dport 80 ct state new counter packets 0 bytes 0 accept
meta l4proto icmp icmp type echo-request ct state new,related,established counter packets 0 bytes 0 accept
counter packets 0 bytes 0 log
counter packets 0 bytes 0 drop
iifname "lo" counter packets 0 bytes 0 accept
ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop
ip protocol tcp ct state established counter packets 0 bytes 0 accept
ip protocol udp ct state established counter packets 0 bytes 0 accept
ip protocol icmp ct state established counter packets 0 bytes 0 accept
ip protocol icmp ct state related counter packets 0 bytes 0 accept
limit rate 3/minute counter packets 0 bytes 0 log prefix "SFW2-IN-ILL-TARGET " flags tcp options flags ip options
iifname "ens33" tcp flags & (fin | syn | rst | ack) != syn ct state new limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "Drop Syn"
iifname "ens33" tcp flags & (fin | syn | rst | ack) != syn ct state new counter packets 0 bytes 0 drop
iifname "ens33" ip frag-off & 8191 != 0 limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "Fragments Packets"
iifname "ens33" ip frag-off & 8191 != 0 counter packets 0 bytes 0 drop
iifname "ens33" tcp flags & (fin | syn | rst | psh | ack | urg) == fin | psh | urg counter packets 0 bytes 0 drop
iifname "ens33" tcp flags & (fin | syn | rst | psh | ack | urg) == fin | syn | rst | psh | ack | urg counter packets 0 bytes 0 drop
iifname "ens33" tcp flags & (fin | syn | rst | psh | ack | urg) == 0x0 limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "NULL Packets"
iifname "ens33" tcp flags & (fin | syn | rst | psh | ack | urg) == 0x0 counter packets 0 bytes 0 drop
iifname "ens33" tcp flags & (syn | rst) == syn | rst counter packets 0 bytes 0 drop
iifname "ens33" tcp flags & (fin | syn) == fin | syn limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "XMAS Packets"
iifname "ens33" tcp flags & (fin | syn) == fin | syn counter packets 0 bytes 0 drop
iifname "ens33" tcp flags & (fin | ack) == fin limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "Fin Packets Scan"
iifname "ens33" tcp flags & (fin | ack) == fin counter packets 0 bytes 0 drop
iifname "ens33" tcp flags & (fin | syn | rst | psh | ack | urg) == fin | syn | rst | ack | urg counter packets 0 bytes 0 drop
iifname "ens33" tcp dport 137-139 counter packets 0 bytes 0 reject
iifname "ens33" udp dport 137-139 counter packets 0 bytes 0 reject
icmp type source-quench counter packets 0 bytes 0 accept
tcp dport ssh ct state new counter packets 0 bytes 0 accept
udp dport ntp ct state new counter packets 0 bytes 0 accept
udp dport bootpc ct state new counter packets 0 bytes 0 accept
tcp dport http ct state new counter packets 0 bytes 0 accept
icmp type echo-request ct state established,related,new counter packets 0 bytes 0 accept
counter packets 0 bytes 0 log
counter packets 0 bytes 0 drop
}
chain FORWARD {
type filter hook forward priority 0; policy drop;
# PHYSDEV match --physdev-is-bridged counter packets 0 bytes 0 accept
limit rate 3/minute counter packets 0 bytes 0 log prefix "SFW2-FWD-ILL-ROUTING " flags tcp options flags ip options
counter packets 0 bytes 0 log
limit rate 3/minute counter packets 0 bytes 0 log prefix "SFW2-FWD-ILL-ROUTING " flags tcp options flags ip options
counter packets 0 bytes 0 log
}
chain OUTPUT {
type filter hook output priority 0; policy drop;
oifname "lo" counter packets 0 bytes 0 accept
meta l4proto tcp ct state new,established counter packets 308 bytes 44704 accept
meta l4proto udp ct state new,established counter packets 4 bytes 1060 accept
meta l4proto icmp ct state new,established counter packets 0 bytes 0 accept
meta l4proto icmp icmp type echo-request counter packets 0 bytes 0 accept
meta l4proto icmp icmp type echo-reply ct state related,established counter packets 0 bytes 0 accept
oifname "lo" counter packets 0 bytes 0 accept
ip protocol tcp ct state established,new counter packets 0 bytes 0 accept
ip protocol udp ct state established,new counter packets 0 bytes 0 accept
ip protocol icmp ct state established,new counter packets 0 bytes 0 accept
icmp type echo-request counter packets 0 bytes 0 accept
icmp type echo-reply ct state established,related counter packets 0 bytes 0 accept
}
chain LOGDROP {
counter packets 0 bytes 0 log
counter packets 0 bytes 0 drop
counter packets 0 bytes 0 log
counter packets 0 bytes 0 drop
}
}
table ip nat {
chain PREROUTING {
type nat hook prerouting priority -100; policy accept;
}
chain INPUT {
type nat hook input priority 100; policy accept;
}
chain POSTROUTING {
type nat hook postrouting priority 100; policy accept;
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
}
}
table ip mangle {
chain PREROUTING {
type filter hook prerouting priority -150; policy accept;
}
chain INPUT {
type filter hook input priority -150; policy accept;
}
chain FORWARD {
type filter hook forward priority -150; policy accept;
}
chain OUTPUT {
type route hook output priority -150; policy accept;
}
chain POSTROUTING {
type filter hook postrouting priority -150; policy accept;
}
}
```
Note that many rules appear twice in this listing: the translated file does not begin with `flush ruleset`, so loading it added the translated rules alongside those that iptables-nft had already installed in the same table.
## Uninstall iptables
```
# apt purge --autoremove iptables
```
## Reference
[https://wiki.debian.org/nftables](https://wiki.debian.org/nftables)
[https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables](https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables)
================================================
FILE: docs/configurations/manual-operation-docs/how_to_persistent_iptables_rules_with_debian_9.mkd
================================================
# How to persistent iptables rules with debian 9
## Test platform info
Debian 9.6
iptables 1.6.0+snapshot20161117-6
iptables-persistent 1.0.4+nmu2
netfilter-persistent 1.0.4+nmu2
## Install
```
# apt-get install -y iptables-persistent
```
This command installs iptables-persistent together with netfilter-persistent, which it depends on.
## How to enable netfilter-persistent service
The netfilter-persistent service is started automatically when netfilter-persistent is installed.
Check service status:
```
# systemctl status netfilter-persistent
```
If the netfilter-persistent service is not running, start it with the following command:
```
# systemctl start netfilter-persistent
```
## How to config for persistent iptables
First, once the iptables rules are configured, save the current rules with the following command:
```
# dpkg-reconfigure iptables-persistent
```
or
```
# iptables-save > /etc/iptables/rules.v4
# ip6tables-save > /etc/iptables/rules.v6
```
Note: when using the iptables-save/ip6tables-save commands, the rules must be saved under exactly the file names shown above.
## Well-done
The iptables rules are restored automatically when the operating system restarts, or manually by running the following command:
```
# systemctl restart netfilter-persistent
```
================================================
FILE: docs/configurations/manual-operation-docs/how_to_persistent_nft_rules_with_debian_10.mkd
================================================
# How to persistent nft rules with debian 10
## Test platform info
Debian 10.0
netfilter-persistent 1.0.11
nftables 0.9.0-2
## Pre-Install
```
# apt-get install -y nftables netfilter-persistent
```
## Uninstall iptables
```
# apt purge --autoremove iptables
```
## How to enable netfilter-persistent service
The netfilter-persistent service is started automatically when netfilter-persistent is installed.
Check service status:
```
# systemctl status netfilter-persistent
```
If the netfilter-persistent service is not running, start it with the following command:
```
# systemctl start netfilter-persistent
```
## How to config for persistent nft rules
### Get nftables ruleset
```
~$ wget https://raw.githubusercontent.com/hardenedlinux/harbian-audit/master/docs/configurations/etc.nftables.conf
~# mv etc.nftables.conf /etc/nftables.conf
```
Note: replace ens33 with the interface name of your device, and review the downloaded ruleset before installing it.
### Get plugin of netfilter-persistent
```
~$ wget https://raw.githubusercontent.com/hardenedlinux/harbian-audit/master/docs/configurations/usr.share.netfilter-persistent.plugins.d.15-nft
~# mv usr.share.netfilter-persistent.plugins.d.15-nft /usr/share/netfilter-persistent/plugins.d/15-nft
~# chmod 755 /usr/share/netfilter-persistent/plugins.d/15-nft
```
## Well-done
The nft rules are restored automatically when the operating system restarts, or manually by running the following command:
```
# netfilter-persistent start
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-nft start
```
## Additional usage
### Flush nft rules
```
# netfilter-persistent flush
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-nft flush
```
### Save nft rules
```
# netfilter-persistent save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-nft save
```
### Restore nft rules
```
# netfilter-persistent start
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-nft start
```
## Reference
[http://manpages.org/netfilter-persistent/8](http://manpages.org/netfilter-persistent/8)
================================================
FILE: docs/configurations/usr.share.netfilter-persistent.plugins.d.15-nft
================================================
#!/bin/sh
# This file is part of netfilter-persistent
# Copyright (C) 2019, Samson W
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation, either version 3
# of the License, or (at your option) any later version.
set -e
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
NFT_RULESET="/etc/nftables.conf"
NFT_CMD=$(which nft)
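load_rules()
{
    # Load the ruleset file into the kernel.  A missing file is only a warning
    # (the function still returns 0) so that 'netfilter-persistent start' does
    # not fail on a host that has not saved a ruleset yet.  Diagnostics go to
    # stderr so they are not mistaken for command output.
    if [ ! -f "${NFT_RULESET}" ]; then
        echo "Warning: nft ruleset file ${NFT_RULESET} is not exist!" >&2
    else
        "${NFT_CMD}" -f "${NFT_RULESET}"
    fi
}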
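save_rules()
{
    # Create the ruleset file with restrictive permissions when it is missing;
    # the ruleset reveals the firewall policy, so keep it unreadable to others.
    if [ ! -f "${NFT_RULESET}" ]; then
        echo "Warning: nft ruleset file ${NFT_RULESET} is not exist!" >&2
        touch "${NFT_RULESET}"
        chmod 0640 "${NFT_RULESET}"
    fi
    # Capture the listing in a temporary file first.  Redirecting nft straight
    # into NFT_RULESET truncated the saved ruleset before nft ran, so a failing
    # nft left an empty file behind.
    _save_tmp=$(mktemp) || return 1
    # 'flush ruleset' is prepended because 'nft list ruleset' does not emit it,
    # and 'nft -f' of a listing without it appends a second copy of every rule
    # instead of replacing the live ruleset.  Global options such as -n are
    # placed before the command, as in the nft(8) synopsis.
    if echo "flush ruleset" > "${_save_tmp}" \
        && "${NFT_CMD}" -n list ruleset >> "${_save_tmp}"; then
        # Copy rather than rename so the existing file keeps its owner and mode.
        cat "${_save_tmp}" > "${NFT_RULESET}"
        rm -f "${_save_tmp}"
    else
        rm -f "${_save_tmp}"
        echo "Error: could not list the nft ruleset, ${NFT_RULESET} left unchanged" >&2
        return 1
    fi
}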
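flush_rules()
{
    # Remove every table from the kernel.  The check is on the resolved nft
    # binary, not on the ruleset file, so the warning names it accordingly (the
    # previous message wrongly called NFT_CMD a ruleset file) and tests that it
    # is executable rather than merely present.
    if [ ! -x "${NFT_CMD}" ]; then
        echo "Warning: nft command ${NFT_CMD} is not executable or does not exist!" >&2
    else
        "${NFT_CMD}" flush ruleset
    fi
}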
# Dispatch the action given by netfilter-persistent (via run-parts) to the
# matching helper.  Unknown actions print a usage line on stderr and exit 1.
main()
{
    case "${1:-}" in
        start|restart|reload|force-reload)
            load_rules
            ;;
        save)
            save_rules
            ;;
        stop)
            # Deliberately a no-op: if "stop" flushed the firewall, the machine
            # would be left unprotected for a variable amount of time during
            # package upgrades, and flushing on purge is not always wanted either.
            echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
            ;;
        flush)
            flush_rules
            ;;
        *)
            echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2
            exit 1
            ;;
    esac
}
main "$@"
================================================
FILE: docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd
================================================
# harbian audit Debian GNU/Linux 9 Benchmark
## Version 0.1
This document is a description of the additions to the sections not included in the CIS reference documentation. Includes STIG reference documentation and additional checks recommended by the HardenedLinux community.
## 1.2 Enable Option for signature of packages from a repository (scored)
### Profile Applicability
Level 2
### Description
The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
### Rationale
Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA.
### Audit
Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components from a repository without verification that they have been digitally signed using a certificate that is recognized and approved by the organization. Check that apt verifies the signature of packages from a repository prior to install with the following command:
```
$ sudo grep AllowUnauthenticated /etc/apt/ -r
APT::Get::AllowUnauthenticated "true";
```
If "AllowUnauthenticated" is set to "true", this is a finding.
### Remediation
Delete the configuration line containing "AllowUnauthenticated".
## 1.3 Enable verify the signature of local packages (scored)
### Profile Applicability
Level 2
### Description
The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
### Rationale
Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA.
### Audit
Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components from local packages without verification that they have been digitally signed using a certificate that is recognized and approved by the organization. Check that dpkg verifies the signature of local packages prior to install with the following command:
```
$ sudo grep -v "^#" /etc/dpkg/dpkg.cfg | grep no-debsig
no-debsig
```
If "no-debsig" is set, this is a finding.
### Remediation
Delete the configuration line containing "no-debsig".
## 1.4 Set no allow insecure repository when by apt update (scored)
### Profile Applicability
Level 2
### Description
The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of packages without verification of the repository metadata.
### Rationale
Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved Certificate Authority.
### Audit
Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components of local packages without verification of the repository metadata. Check that apt verifies the package metadata prior to install with the following command:
```
$ sudo grep AllowInsecureRepositories /etc/apt/ -r
Acquire::AllowInsecureRepositories "true";
```
If "AllowInsecureRepositories" is set to "true", this is a finding.
### Remediation
Configure the operating system to verify the repository metadata by setting the following options in the "/etc/apt/[conf-file]" file:
```
Acquire::AllowInsecureRepositories "false";
```
## 2.26 Set nosuid option for /home filesystem/Partition (scored)
### Profile Applicability
Level 2
### Description
File systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed.
### Rationale
The "nosuid" mount option causes the system to not execute setuid and setgid files with owner privileges. This option must be used for mounting any file system not containing approved setuid and setgid files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
### Audit
Verify file systems that contain user home directories are mounted with the "nosuid" option. Find the file system(s) that contain the user home directories with the following command:
Note: If a separate file system has not been created for the user home directories (user home directories are mounted under "/"), this is not a finding as the "nosuid" option cannot be used on the "/" system.
```
$ sudo cut -d: -f 1,3,6 /etc/passwd | egrep ":[1-4][0-9]{3}"
smithj:1001:/home/smithj
thomasr:1002:/home/thomasr
```
Check the file systems that are mounted at boot time with the following command:
```
$ sudo more /etc/fstab
UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home ext4 rw,relatime,discard,data=ordered,nosuid 0 2
```
### Remediation
Configure the "/etc/fstab" to use the "nosuid" option on file systems that contain user home directories.
## 2.27 Set nosuid option for nfs/nfs4 filesystem/Partition (scored)
### Profile Applicability
Level 2
### Description
File systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed.
### Rationale
The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setgid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
### Audit
Verify file systems that are being NFS exported are mounted with the "nosuid" option. Find the file system(s) that contain the directories being exported with the following command:
```
$ sudo more /etc/fstab | grep nfs
UUID=59754be2-37c0-4938-973f-e8865dc84d10 /hardenedlinux nfs errors=remount-ro 0 2
arrakis.internal.falcot.com:/shared /srv/shared nfs4 rw 0 2
```
If a file system found in "/etc/fstab" refers to NFS and it does not have the "nosuid" option set, this is a finding.
### Remediation
Configure the "/etc/fstab" to use the "nosuid" option on file systems that are being exported via NFS/NFS4.
## 2.28 Set noexec option for nfs/nfs4 filesystem/Partition (scored)
### Profile Applicability
Level 2
### Description
File systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed.
### Rationale
The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
### Audit
Verify file systems that are being mounted via NFS are mounted with the "noexec" option. Find the NFS file system(s) listed in "/etc/fstab" with the following command:
```
$ sudo more /etc/fstab | grep nfs
UUID=59754be2-37c0-4938-973f-e8865dc84d10 /hardenedlinux nfs errors=remount-ro 0 2
arrakis.internal.falcot.com:/shared /srv/shared nfs4 rw 0 2
```
If a file system found in "/etc/fstab" refers to NFS and it does not have the "noexec" option set, and use of NFS exported binaries is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
### Remediation
Configure the "/etc/fstab" to use the "noexec" option on file systems that are being exported via NFS/NFS4.
## 2.29 Set RPCSEC_GSS option for nfs/nfs4 filesystem/Partition (scored)
### Profile Applicability
Level 2
### Description
The Network File System (NFS) must be configured to use RPCSEC_GSS.
### Rationale
When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The RPCSEC_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.
### Audit
Verify "AUTH_GSS" is being used to authenticate NFS mounts. To check if the system is importing an NFS file system, look for any entries in the "/etc/fstab" file that have a file system type of "nfs" with the following command:
```
$ sudo cat /etc/fstab | grep nfs
192.168.21.5:/mnt/export /data1 nfs4 rw,sync,soft,sec=krb5:krb5i:krb5p
```
If the system is mounting file systems via NFS and has the sec option without the "krb5:krb5i:krb5p" settings, the "sec" option has the "sys" setting, or the "sec" option is missing, this is a finding.
### Remediation
Update the "/etc/fstab" file so the option "sec" is defined for each NFS mounted file system and the "sec" option does not have the "sys" setting.

Ensure the "sec" option is defined as "krb5:krb5i:krb5p".
## 4.6 Disable USB Devices (scored)
### Profile Applicability
Level 4
### Description
USB Devices must be disabled.
### Rationale
USB devices permit the easy introduction of unknown devices, thereby facilitating malicious activity.
### Audit
If there is an HBSS with a Device Control Module and a Data Loss Prevention mechanism, this requirement is not applicable. Verify the operating system disables the ability to use USB devices. Check to see if USB devices are disabled with the following command:
```
$ sudo grep '^ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"' /etc/udev/rules.d/ -r
/etc/udev/rules.d/CIS_4.6_usb_devices.conf:ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"
```
If the command does not return any output, and use of USB storage devices is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
### Remediation
Configure the operating system to disable the ability to use USB devices.
```
$ sudo vim /etc/udev/rules.d/CIS_4.6_usb_devices.conf
```
Add or update the line:
```
# By default, disable all.
ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"
# Enable hub devices.
ACTION=="add", ATTR{bDeviceClass}=="09", TEST=="authorized", ATTR{authorized}="1"
# Enables keyboard devices
ACTION=="add", ATTR{product}=="*[Kk]eyboard*", TEST=="authorized", ATTR{authorized}="1"
# PS2-USB converter
ACTION=="add", ATTR{product}=="*Thinnet TM*", TEST=="authorized", ATTR{authorized}="1"
```
## 5.7 Install screen (scored)
### Profile Applicability
Level 4
### Description
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. The screen package allows for a session lock to be implemented and configured.
### Rationale
You can use the lock function of screen to lock the current terminal and prevent the current session from exiting due to a timeout.
### Audit
Verify the operating system has the screen package installed. Check to see if the screen package is installed with the following command:
```
# dpkg -s screen | grep '^Status: install'
```
### Remediation
Install the screen program (if it is not on the system) with the following command:
```
# apt-get install screen
```
The console can now be locked with the following key combination: ctrl+a x
## 5.8 Ensure openssh server is enabled (scored)
### Profile Applicability
Level 2
### Description
All networked systems must have SSH installed.
### Rationale
Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa.
### Audit
Check to see if sshd is installed with the following command:
```
# dpkg -s openssh-server | grep '^Status: install'
Status: install ok installed
# dpkg -s openssh-client | grep '^Status: install'
Status: install ok installed
```
If the "openssh-server" package is not installed, this is a finding. If the "openssh-client" package is not installed, this is a finding.
### Remediation
Install SSH packages onto the host with the following commands:
```
# apt-get install -y openssh-server openssh-client
```
## 5.9 Ensure ctrl-alt-del key sequence is disabled (scored)
### Profile Applicability
Level 2
### Description
The x86 Ctrl-Alt-Delete key sequence must be disabled.
### Rationale
A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.
### Audit
Verify the operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed. Check that the ctrl-alt-del.target is not active with the following command:
```
# find /lib/systemd/ /etc/systemd/ -name ctrl-alt-del.target -exec ls -l {} \;| grep -v "/dev/null" | awk '{print $NF}'
/lib/systemd/system/ctrl-alt-del.target
/etc/systemd/system/ctrl-alt-del.target
```
If the ctrl-alt-del.target is not linked to /dev/null, this is a finding.
### Remediation
Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following commands.
If the target file is in /lib/systemd/:
```
# rm /lib/systemd/system/ctrl-alt-del.target
# systemctl daemon-reload
```
If the target file is in /etc/systemd/:
```
# systemctl mask /etc/systemd/ctrl-alt-del.target
# systemctl daemon-reload
```
## 5.10 Ensure sudo is installed (scored)
### Profile Applicability
Level 2
### Description
Systems must have sudo installed.
### Rationale
The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access.
### Audit
Verify the operating system has the sudo package installed. Check to see if the sudo package is installed with the following command:
```
# dpkg -s sudo | grep '^Status: install'
```
### Remediation
Install the sudo program (if it is not on the system) with the following command:
```
# apt-get install sudo
```
## 6.17 Ensure virus scan server is enabled (scored)
### Profile Applicability
Level 4
### Description
The system must use a virus scan program.
### Rationale
Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems. The virus scanning software should be configured to perform scans dynamically on accessed files. If this capability is not available, the system must be configured to scan, at a minimum, all altered files on the system on a daily basis.
### Audit
Verify the system is using a virus scan program. Check for the presence of "clamav" on the system with the following command:
```
# systemctl | grep clamav-daemon
clamav-daemon.service loaded active running Clam AntiVirus userspace daemon
```
If the clamav daemon is not loaded and active, ask the System Administrator if there is an antivirus package installed and active on the system. If no antivirus scan program is active on the system, this is a finding.
### Remediation
Install the clamav program (if it is not on the system) with the following command:
```
# apt-get install -y clamav-daemon
```
## 6.18 Ensure virus scan server update is enabled (scored)
### Profile Applicability
Level 4
### Description
The system must update the virus scan program every seven days or more frequently.
### Rationale
Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems. The virus scanning software should be configured to check for software and virus definition updates with a frequency no longer than seven days. If a manual process is required to update the virus scan software or definitions, it must be documented with the Information System Security Officer (ISSO).
### Audit
Verify the system is using a virus scan program and the virus definition file is less than seven days old. Check for the presence of "clamav" on the system with the following command:
```
# systemctl | grep clamav
clamav-daemon.service loaded active running Clam AntiVirus userspace daemon
```
If "clamav" is active on the system, check the dates of the virus database with the following commands:
```
# grep -i databasedirectory /etc/clamav/clamd.conf
DatabaseDirectory /var/lib/clamav
# ls -al /var/lib/clamav/daily.cvd
-rw-r--r-- 1 clamav clamav 51698014 Oct 26 2018 /var/lib/clamav/daily.cvd
```
If the database file has a date older than seven days from the current date, this is a finding.
### Remediation
Update the virus scan software and virus definition files, and enable the clamav-freshclam service.
## 7.1.3 Disable promiscuous mode for network interface (scored)
### Profile Applicability
Level 2
### Description
Network interfaces must not be in promiscuous mode.
### Rationale
Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems. If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information System Security Officer (ISSO) and restricted to only authorized personnel.
### Audit
Verify network interfaces are not in promiscuous mode unless approved by the ISSO and documented. Check for the status with the following command:
```
# ip link | grep -i promisc
```
If network interfaces are found on the system in promiscuous mode and their use has not been approved by the ISSO and documented, this is a finding.
### Remediation
Configure network interfaces to turn off promiscuous mode unless approved by the ISSO and documented. Set the promiscuous mode of an interface to off with the following command (replace `<interface>` with the interface name reported by `ip link`):
```
# ip link set dev <interface> multicast off promisc off
```
## 7.7.2 Ensure firewall rules are set (scored)
### Profile Applicability
Level 2
### Description
The host must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments.
### Rationale
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.
### Audit
Inspect the firewall configuration and running services to verify that it is configured to prohibit or restrict the use of functions, ports, protocols, and/or services that are unnecessary or prohibited. Check which services are currently active with the following command:
```
# /sbin/iptables -S | grep -Ec "^-A|^-I"
100
```
If the rule count is equal to 0, this is a finding.
### Remediation
The administrator must add firewall rules that prohibit or restrict the use of unnecessary functions, ports, protocols, and/or services.
## 7.7.3 Ensure firewall rules are set to protect against DoS attacks (scored)
### Profile Applicability
Level 2
### Description
The operating system must protect against or limit the effects of Denial of Service (DoS) attacks by validating the operating system is implementing rate-limiting measures on impacted network interfaces.
### Rationale
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This requirement addresses the configuration of the operating system to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.
### Audit
Verify the operating system protects against or limits the effects of DoS attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces. Check the firewall configuration with the following command:
```
# /sbin/iptables -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst"
```
If a rule with both the limit and limit-burst arguments does not exist, this is a finding.
### Remediation
The administrator must add a direct firewall rule (using the limit module with the limit-burst argument) to protect against DoS attacks.
## 8.1.1.4 Set failure mode of audit service (scored)
### Profile Applicability
Level 4
### Description
The operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure.
### Rationale
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.
### Audit
Confirm the audit configuration regarding how audit processing failures are handled. Check to see what level "auditctl" is set to with the following command:
```
# auditctl -s | grep -i "fail"
failure 2
```
If the value of "failure" is set to "2", the system is configured to panic (shut down) in the event of an auditing failure. If the value of "failure" is set to "1", the system is configured to only send information to the kernel log regarding the failure. If the "failure" setting is not set, this is a CAT I finding. If the "failure" setting is set to any value other than "1" or "2", this is a CAT II finding. If the "failure" setting is set to "1" but the availability concern is not documented or there is no monitoring of the kernel log, this is a CAT III finding.
### Remediation
Configure the operating system to shut down in the event of an audit processing failure. Add or correct the option to shut down the operating system with the following command:
```
# auditctl -f 2
```
Edit the "/etc/audit/rules.d/audit.rules" file and add the following line:
```
-f 2
```
If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure with the following command:
```
# auditctl -f 1
```
Edit the "/etc/audit/rules.d/audit.rules" file and add the following line:
```
-f 1
```
Kernel log monitoring must also be configured to properly alert designated staff. The audit daemon must be restarted for the changes to take effect.
## 8.1.1.5 Ensure set remote_server for audit service (scored)
### Profile Applicability
Level 4
### Description
The operating system must off-load audit records onto a different system or media from the system being audited.
### Rationale
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
### Audit
Verify the operating system off-loads audit records onto a different system or media from the system being audited. To determine the remote server that the records are being sent to, use the following command:
```
# grep -i remote_server /etc/audisp/audisp-remote.conf
remote_server = 10.0.21.1
```
If a remote server is not configured, or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. If there is no evidence that the audit logs are being off-loaded to another system or media, this is a finding.
### Remediation (Need manual fix)
Configure the operating system to off-load audit records onto a different system or media from the system being audited. Set the remote server option in "/etc/audisp/audisp-remote.conf" with the IP address of the log aggregation server.
## 8.1.1.6 Ensure enable_krb5 set to yes for remote audit service (scored)
### Profile Applicability
Level 4
### Description
The operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.
### Rationale
Information stored in one location is vulnerable to accidental or incidental deletion or alteration.

Off-loading is a common process in information systems with limited audit storage capacity.
### Audit
Verify the operating system encrypts audit records off-loaded onto a different system or media from the system being audited. To determine if the transfer is encrypted, use the following command:
```
# grep -i enable_krb5 /etc/audisp/audisp-remote.conf
enable_krb5 = yes
```
If the value of the "enable_krb5" option is not set to "yes" or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. If there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding.
### Remediation (Need manual fix)
Configure the operating system to encrypt the transfer of off-loaded audit records onto a different system or media from the system being audited. Uncomment the "enable_krb5" option in "/etc/audisp/audisp-remote.conf" and set it with the following line:
```
enable_krb5 = yes
```
## 8.1.1.7 Ensure an action is set for when the audit storage volume is full (scored)
### Profile Applicability
Level 4
### Description
The audit system must take appropriate action when the audit storage volume is full.
### Rationale
Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.
### Audit
Verify the action the operating system takes if the disk the audit records are written to becomes full. To determine the action that takes place if the disk is full on the remote server, use the following command:
```
# grep -i disk_full_action /etc/audisp/audisp-remote.conf
disk_full_action = single
```
If the value of the "disk_full_action" option is not "syslog", "single", or "halt", or the line is commented out, this is a finding.
### Remediation (Need manual fix)
Configure the action the operating system takes if the disk the audit records are written to becomes full. Uncomment or edit the "disk_full_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt", such as the following line:
```
disk_full_action = syslog
```
## 8.1.1.8 Ensure set action for network failure on remote audit service (scored)
### Profile Applicability
Level 4
### Description
The audit system must take appropriate action when the network connection fails.
### Rationale
Taking appropriate action in case of a network connection failure will minimize the possibility of losing audit records.
### Audit
Verify the action the operating system takes if the network connection fails. To determine the action that takes place if the network connection to the remote server fails, use the following command:
```
# grep -i network_failure_action /etc/audisp/audisp-remote.conf
network_failure_action = single
```
If the value of the "network_failure_action" option is not "syslog", "single", or "halt", or the line is commented out, this is a finding.
### Remediation (Need manual fix)
Configure the action the operating system takes if the network connection fails. Uncomment or edit the "network_failure_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt", such as the following line:
```
network_failure_action = syslog
```
## 8.1.1.9 Set space left for auditd service (scored)
### Profile Applicability
Level 4
### Description
The operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.
### Rationale
If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.
### Audit
Verify the operating system immediately notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. Check the system configuration to determine the partition the audit records are being written to with the following command:
```
# grep log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
```
Check the size of the partition that audit records are written to (with the example being "/var/log/audit/"):
```
# df -B 1m /var/log/audit/
Filesystem 1M-blocks Used Available Use% Mounted on
/dev/sda1 18015 2002 15076 12% /
```
Determine what the threshold is for the system to take action when 75 percent of the repository maximum audit record storage capacity is reached:
```
# grep -i space_left /etc/audit/auditd.conf
space_left = 225
```
If the value of the "space_left" keyword is not equal to or greater than 25 percent of the total partition size, this is a finding.
### Remediation
Configure the operating system to immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. Check the system configuration to determine the partition the audit records are being written to:
```
# grep log_file /etc/audit/auditd.conf
```
Determine the size of the partition that audit records are written to (with the example being "/var/log/audit/"):
```
# df -B 1m /var/log/audit/
Filesystem 1M-blocks Used Available Use% Mounted on
/dev/sda1 18015 2002 15076 12% /
```
Set the value of the "space_left" keyword in "/etc/audit/auditd.conf" to 25 percent of the partition size.
## 8.1.19 Recorded ssh-keysign command usage (scored)
### Profile Applicability
Level 4
### Description
All uses of the ssh-keysign command must be audited.
### Rationale
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged ssh commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
### Audit
Verify the operating system generates audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. Check for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":
```
# grep -i /usr/lib/openssh/ssh-keysign /etc/audit/audit.rules
-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
```
If the command does not return any output, this is a finding.
### Remediation
Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules":
```
-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
```
The audit daemon must be restarted for the changes to take effect.
## 8.1.20 Recorded open_by_handle_at syscall (scored)
### Profile Applicability
Level 4
### Description
All uses of the open_by_handle_at commands must be audited.
### Rationale
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
### Audit
Verify the operating system generates audit records when successful/unsuccessful attempts to use the "open_by_handle_at" command occur. Check the file system rules in "/etc/audit/audit.rules" with the following commands:
```
# grep -iw open_by_handle_at /etc/audit/audit.rules
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
```
If there are no audit rules defined for the open_by_handle_at syscall, this is a finding. If the output does not produce a rule containing -F exit=-EPERM, this is a finding. If the output does not produce a rule containing -F exit=-EACCES, this is a finding.
### Remediation
Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "open_by_handle_at" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules":
```
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
```
The audit daemon must be restarted for the changes to take effect.
## 8.1.21 Recorded Events that privileged-passwd command usage (Scored)
### Profile Applicability
Level 4
### Description
All uses of the privileged-passwd commands must be audited.
### Rationale
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
### Audit
Verify the operating system generates audit records when successful/unsuccessful attempts to use the "privileged-passwd" commands occur. Check the file system rule in "/etc/audit/audit.rules" with the following command:
```
# grep -i /usr/bin/passwd /etc/audit/audit.rules
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
# grep -i /sbin/unix_chkpwd /etc/audit/audit.rules
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
# grep -i /usr/bin/gpasswd /etc/audit/audit.rules
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
# grep -i /usr/bin/chage /etc/audit/audit.rules
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
```
If the command does not return any output, this is a finding.
### Remediation
Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "privileged-passwd" commands occur. Add or update the following rules in "/etc/audit/rules.d/audit.rules":
```
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
```
The audit daemon must be restarted for the changes to take effect.
## 8.1.22 Recorded Events that privileged-priv-change command usage (Scored)
### Profile Applicability
Level 4
### Description
All uses of the privileged-priv-change commands must be audited.
### Rationale
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
### Audit
Verify the operating system generates audit records when successful/unsuccessful attempts to use the "privileged-priv-change" commands occur. Check for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":
```
# grep -i /bin/su /etc/audit/audit.rules
-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
# grep -i /usr/bin/sudo /etc/audit/audit.rules
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
# grep -i /usr/bin/newgrp /etc/audit/audit.rules
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
# grep -i /usr/bin/chsh /etc/audit/audit.rules
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
# grep -i /usr/bin/sudoedit /etc/audit/audit.rules
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
```
If the command does not return any output, this is a finding.
### Remediation
Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "privileged-priv-change" commands occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules":
```
-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
```
The audit daemon must be restarted for the changes to take effect.
## 8.1.23 Recorded Events that privileged-postfix commands usage (Scored)
### Profile Applicability
Level 4
### Description
All uses of the privileged-postfix commands must be audited.
### Rationale
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
### Audit
Verify the operating system generates audit records when successful/unsuccessful attempts to use the "privileged-postfix" commands occur. Check for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":
```
# grep -i /usr/sbin/postdrop /etc/audit/audit.rules
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
# grep -i /usr/sbin/postqueue /etc/audit/audit.rules
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
```
If the command does not return any output, this is a finding.
### Remediation
Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "privileged-postfix" commands occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules":
```
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
```
The audit daemon must be restarted for the changes to take effect.
## 8.1.24 Recorded crontab command usage (scored)
### Profile Applicability
Level 4
### Description
All uses of the crontab command must be audited.
### Rationale
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
### Audit
Verify the operating system generates audit records when successful/unsuccessful attempts to use the "crontab" command occur. Check for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":
```
# grep -i /usr/bin/crontab /etc/audit/audit.rules
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron
```
If the command does not return any output, this is a finding.
### Remediation
Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "crontab" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules":
```
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron
```
The audit daemon must be restarted for the changes to take effect.
## 8.1.25 Recorded pam_timestamp_check command usage (scored)
### Profile Applicability
Level 4
### Description
All uses of the pam_timestamp_check command must be audited.
### Rationale
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
### Audit
Verify the operating system generates audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. Check the auditing rules in "/etc/audit/audit.rules" with the following command:
```
# grep -i "/sbin/pam_timestamp_check" /etc/audit/audit.rules
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam
```
If the command does not return any output, this is a finding.
### Remediation
Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules":
```
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam
```
The audit daemon must be restarted for the changes to take effect.
## 8.1.26 Recorded pam_tally/pam_tally2 command usage (scored)
### Profile Applicability
Level 4
### Description
All uses of the pam_tally/pam_tally2 command must be audited.
### Rationale
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
### Audit
Verify the operating system generates audit records when successful/unsuccessful attempts to use the "pam_tally/pam_tally2" command occur. Check the auditing rules in "/etc/audit/audit.rules" with the following command:
```
# grep "/sbin/pam_tally[2]*" /etc/audit/audit.rules
-a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
-a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
```
If the command does not return any output, this is a finding.
### Remediation
Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "pam_tally/pam_tally2" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules":
```
-a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
-a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
```
The audit daemon must be restarted for the changes to take effect.
## 8.1.27 Record Events That Modify configuration files (scored)
### Profile Applicability
Level 4
### Description
Record events affecting the auditd, grub, fstab, pam and sysctl configuration files.
### Rationale
Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.
### Audit
Verify the operating system generates audit records for events that modify configuration files. Check the auditing rules in "/etc/audit/audit.rules" with the following command:
```
# grep "config_file_change" /etc/audit/audit.rules
-w /etc/audisp/audisp-remote.conf -p wa -k config_file_change
-w /etc/audit/auditd.conf -p wa -k config_file_change
-w /etc/audit/rules.d/ -p wa -k config_file_change
-w /etc/default/grub -p wa -k config_file_change
-w /etc/fstab -p wa -k config_file_change
-w /etc/hosts.deny -p wa -k config_file_change
-w /etc/login.defs -p wa -k config_file_change
-w /etc/pam.d/ -p wa -k config_file_change
-w /etc/profile -p wa -k config_file_change
-w /etc/profile.d/ -p wa -k config_file_change
-w /etc/security/ -p wa -k config_file_change
-w /etc/iptables/ -p wa -k config_file_change
-w /etc/sysctl.conf -p wa -k config_file_change
```
If the command does not return any output, this is a finding.
### Remediation
Configure the operating system to generate audit records for events that modify configuration files. Add or update the following rules in "/etc/audit/rules.d/audit.rules":
```
-w /etc/audisp/audisp-remote.conf -p wa -k config_file_change
-w /etc/audit/auditd.conf -p wa -k config_file_change
-w /etc/audit/rules.d/ -p wa -k config_file_change
-w /etc/default/grub -p wa -k config_file_change
-w /etc/fstab -p wa -k config_file_change
-w /etc/hosts.deny -p wa -k config_file_change
-w /etc/login.defs -p wa -k config_file_change
-w /etc/pam.d/ -p wa -k config_file_change
-w /etc/profile -p wa -k config_file_change
-w /etc/profile.d/ -p wa -k config_file_change
-w /etc/security/ -p wa -k config_file_change
-w /etc/iptables/ -p wa -k config_file_change
-w /etc/sysctl.conf -p wa -k config_file_change
```
The audit daemon must be restarted for the changes to take effect.
## 8.1.28 Recorded setfacl and chacl commands usage (scored)
### Profile Applicability
Level 4
### Description
All uses of the setfacl and chacl commands must be audited.
### Rationale
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
### Audit
Verify the operating system generates an audit record when successful/unsuccessful attempts to use the "setfacl" and "chacl" command occur. Check that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/rules.d/audit.rules":
```
$ sudo grep -w setfacl /etc/audit/rules.d/audit.rules
-a always,exit -F arch=b32 path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F arch=b64 path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
$ sudo grep -w chacl /etc/audit/rules.d/audit.rules
-a always,exit -F arch=b32 path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F arch=b64 path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
```
If the command does not return a line, or the line is commented out, this is a finding.
### Remediation
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "setfacl" and "chacl" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file:
```
-a always,exit -F arch=b32 path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F arch=b64 path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F arch=b32 path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F arch=b64 path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
```
The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:
```
$ sudo systemctl restart auditd.service
```
If the audit system is in immutable mode, the operating system must be rebooted for the changes to take effect.
## 8.1.29 Recorded usermod command usage (scored)
### Profile Applicability
Level 4
### Description
All uses of the usermod command must be audited.
### Rationale
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
### Audit
Verify that an audit event is generated for any successful/unsuccessful use of the "usermod" command. Check for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/rules.d/audit.rules":
```
$ sudo grep -w usermod /etc/audit/rules.d/audit.rules
-a always,exit -F arch=b32 path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod
-a always,exit -F arch=b64 path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod
```
If the command does not return a line, or the line is commented out, this is a finding.
### Remediation
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "usermod" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file:
```
-a always,exit -F arch=b32 path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod
-a always,exit -F arch=b64 path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod
```
The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:
```
$ sudo systemctl restart auditd.service
```
If the audit system is in immutable mode, the operating system must be rebooted for the changes to take effect.
## 8.1.30 Recorded unix_update command usage (scored)
### Profile Applicability
Level 4
### Description
All uses of the unix_update command must be audited.
### Rationale
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
### Audit
Verify that an audit event is generated for any successful/unsuccessful use of the "unix_update" command. Check for the following rule being audited by performing the following command to check the file system rules in "/etc/audit/rules.d/audit.rules":
```
$ sudo grep -w "unix_update" /etc/audit/rules.d/audit.rules
-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update
```
If the command does not return a line, or the line is commented out, this is a finding.
### Remediation
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "unix_update" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file:
```
-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update
```
The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:
```
$ sudo systemctl restart auditd.service
```
If the audit system is in immutable mode, the operating system must be rebooted for the changes to take effect.
## 8.1.31 Record Events the execve systemcall usage (scored)
### Profile Applicability
Level 4
### Description
The audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software.
### Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.
### Audit
Verify the operating system audits the execution of privilege functions. Check if the operating system is configured to audit the execution of the "execve" system call, by running the following command:
```
$ sudo grep execve /etc/audit/rules.d/audit.rules
-a always,exit -F arch=b32 -S execve -C uid!=euid -F key=execpriv
-a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv
-a always,exit -F arch=b32 -S execve -C gid!=egid -F key=execpriv
-a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv
```
If the command does not return all lines, or the lines are commented out, this is a finding.
### Remediation
Configure the operating system to audit the execution of the "execve" system call. Add or update the following file system rules to "/etc/audit/rules.d/audit.rules":
```
-a always,exit -F arch=b32 -S execve -C uid!=euid -F key=execpriv
-a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv
-a always,exit -F arch=b32 -S execve -C gid!=egid -F key=execpriv
-a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv
```
The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command:
```
$ sudo systemctl restart auditd.service
```
If the audit system is in immutable mode, the operating system must be rebooted for the changes to take effect.
## 8.7 Verifies integrity all packages (scored)
### Profile Applicability
Level 5
### Description
Without cryptographic integrity protections, system commands and files can be altered by unauthorized users without detection. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography, enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.
### Rationale
The package integrity verification feature monitors the files of the packages installed on the system, so that unexpected modifications to them can be detected.
### Audit
Run the following command to list installed package files whose recorded attributes no longer match (example output):
```
$ sudo dpkg -V
??5?????? c /etc/sudoers
??5?????? c /etc/vim/vimrc
```
### Remediation
Run the following command to determine which package owns the file:
```
$ sudo dpkg -S <file>
```
If the modification was not made intentionally by the system owner, the package can be reinstalled from an apt repository using the following command:
```
$ sudo apt-get --reinstall install <package>
```
## 9.2.1 Set password creation requirement Parameters Using pam_cracklib: retry option (scored)
### Profile Applicability
Level 2
### Description
When a user enters an incorrect password 3 times, an error is returned.
### Rationale
Prevents repeated attempts to guess the password.
### Audit
The "retry" option sets the number of times a password may be attempted. Check the value of the "retry" option in "/etc/pam.d/common-password" with the following command:
```
$ sudo grep retry /etc/pam.d/common-password
password requisite pam_cracklib.so retry=3 minlen=8 difok=3
```
If the value of "retry" is set to more than "3", this is a finding.
### Remediation
Add the following line to "/etc/pam.d/common-password" (or modify the line to have the required value):
```
password requisite pam_cracklib.so retry=3 minlen=8 difok=3
```
## 9.2.2 Set password creation requirement Parameters Using pam_cracklib: minlen option (scored)
### Profile Applicability
Level 2
### Description
Passwords must be a minimum of 14 characters in length.
### Rationale
The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
### Audit
Verify the operating system enforces a minimum 14-character password length. The "minlen" option sets the minimum number of characters in a new password. Check the value of the "minlen" option in "/etc/pam.d/common-password" with the following command:
```
$ sudo grep minlen /etc/pam.d/common-password
password requisite pam_cracklib.so retry=3 minlen=8 difok=3
```
If the command does not return a "minlen" value of 14 or greater, this is a finding.
### Remediation
Configure operating system to enforce a minimum 14-character password length. Add the following line to "/etc/pam.d/common-password" (or modify the line to have the required value):
```
password requisite pam_cracklib.so retry=3 minlen=14 difok=3
```
## 9.2.3 Set password creation requirement Parameters Using pam_cracklib: dcredit option (scored)
### Profile Applicability
Level 2
### Description
When passwords are changed or new passwords are assigned, the new password must contain at least one numeric character.
### Rationale
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
### Audit
The value to require a number of numeric characters to be set is expressed as a negative number in "/etc/pam.d/common-password". Check the value for "dcredit" in "/etc/pam.d/common-password" with the following command:
```
$ sudo grep dcredit /etc/pam.d/common-password
password requisite pam_cracklib.so retry=3 minlen=8 difok=3 dcredit=-1
```
If the value of "dcredit" is not set to a negative value, this is a finding.
### Remediation
Configure the operating system to enforce password complexity by requiring that at least one numeric character be used by setting the "dcredit" option. Add the following line to /etc/pam.d/common-password (or modify the line to have the required value):
```
password requisite pam_cracklib.so retry=3 minlen=8 difok=3 dcredit=-1
```
## 9.2.4 Set password creation requirement Parameters Using pam_cracklib: ucredit option (scored)
### Profile Applicability
Level 2
### Description
When passwords are changed or new passwords are established, the new password must contain at least one upper-case character.
### Rationale
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
### Audit
The value to require a number of upper-case characters to be set is expressed as a negative number in "/etc/pam.d/common-password". Check the value for "ucredit" in "/etc/pam.d/common-password" with the following command:
```
$ sudo grep ucredit /etc/pam.d/common-password
password requisite pam_cracklib.so retry=3 minlen=8 difok=3 ucredit=-1
```
If the value of "ucredit" is not set to a negative value, this is a finding.
### Remediation
Add the following line to "/etc/pam.d/common-password" (or modify the line to have the required value):
```
password requisite pam_cracklib.so retry=3 minlen=8 difok=3 ucredit=-1
```
## 9.2.5 Set password creation requirement Parameters Using pam_cracklib: ocredit option (scored)
### Profile Applicability
Level 2
### Description
When passwords are changed or new passwords are assigned, the new password must contain at least one special character.
### Rationale
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
### Audit
Verify the operating system enforces password complexity by requiring that at least one special character be used. Note: The value to require a number of special characters to be set is expressed as a negative number in "/etc/pam.d/common-password". Check the value for "ocredit" in "/etc/pam.d/common-password" with the following command:
```
$ sudo grep ocredit /etc/pam.d/common-password
password requisite pam_cracklib.so retry=3 minlen=8 difok=3 ocredit=-1
```
If the value of "ocredit" is not set to a negative value, this is a finding.
### Remediation
Add the following line to "/etc/pam.d/common-password" (or modify the line to have the required value):
```
password requisite pam_cracklib.so retry=3 minlen=8 difok=3 ocredit=-1
```
## 9.2.6 Set password creation requirement Parameters Using pam_cracklib: lcredit option (scored)
### Profile Applicability
Level 2
### Description
When passwords are changed or new passwords are established, the new password must contain at least one lower-case character.
### Rationale
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
### Audit
The value to require a number of lower-case characters to be set is expressed as a negative number in "/etc/pam.d/common-password". Check the value for "lcredit" in "/etc/pam.d/common-password" with the following command:
```
$ sudo grep lcredit /etc/pam.d/common-password
password requisite pam_cracklib.so retry=3 minlen=8 difok=3 lcredit=-1
```
If the value of "lcredit" is not set to a negative value, this is a finding.
### Remediation
Add the following line to "/etc/pam.d/common-password" (or modify the line to have the required value):
```
password requisite pam_cracklib.so retry=3 minlen=8 difok=3 lcredit=-1
```
## 9.2.7 Set password creation requirement Parameters Using pam_cracklib: difok option (scored)
### Profile Applicability
Level 2
### Description
When passwords are changed a minimum of eight of the total number of characters must be changed.
### Rationale
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
### Audit
The "difok" option sets the number of characters in a password that must not be present in the old password. Check for the value of the "difok" option in "/etc/pam.d/common-password" with the following command:
```
$ sudo grep difok /etc/pam.d/common-password
password requisite pam_cracklib.so retry=3 minlen=8 difok=3
```
If the value of "difok" is set to less than "8", this is a finding.
### Remediation
Add the following line to "/etc/pam.d/common-password" (or modify the line to have the required value):
```
password requisite pam_cracklib.so retry=3 minlen=8 difok=8
```
## 9.2.8 Set password creation requirement Parameters Using pam_cracklib: minclass option (scored)
### Profile Applicability
Level 2
### Description
When passwords are changed a minimum of four character classes must be changed.
### Rationale
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
### Audit
The "minclass" option sets the minimum number of required classes of characters for the new password (digits, upper-case, lower-case, others). Check for the value of the "minclass" option in "/etc/pam.d/common-password" with the following command:
```
$ sudo grep minclass /etc/pam.d/common-password
password requisite pam_cracklib.so retry=3 minlen=8 difok=8 minclass=4
```
If the value of "minclass" is set to less than "4", this is a finding.
### Remediation
Configure the operating system to require the change of at least four character classes when passwords are changed by setting the "minclass" option. Add the following line to "/etc/pam.d/common-password" (or modify the line to have the required value):
```
password requisite pam_cracklib.so retry=3 minlen=8 difok=8 minclass=4
```
## 9.2.9 Set password creation requirement Parameters Using pam_cracklib: maxrepeat option (scored)
### Profile Applicability
Level 2
### Description
When passwords are changed the number of repeating consecutive characters must not be more than three characters.
### Rationale
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
### Audit
The "maxrepeat" option sets the maximum number of allowed same consecutive characters in a new password. Check for the value of the "maxrepeat" option in "/etc/pam.d/common-password" with the following command:
```
$ sudo grep maxrepeat /etc/pam.d/common-password
password requisite pam_cracklib.so retry=3 minlen=8 difok=8 maxrepeat=3
```
If the value of "maxrepeat" is set to more than "3", this is a finding.
### Remediation
Configure the operating system to require the change of the number of repeating consecutive characters when passwords are changed by setting the "maxrepeat" option. Add the following line to "/etc/pam.d/common-password" (or modify the line to have the required value):
```
password requisite pam_cracklib.so retry=3 minlen=8 difok=8 maxrepeat=3
```
## 9.2.10 Set password creation requirement Parameters Using pam_cracklib: maxclassrepeat option (scored)
### Profile Applicability
Level 2
### Description
When passwords are changed the number of repeating characters of the same character class must not be more than four characters.
### Rationale
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
### Audit
The "maxclassrepeat" option sets the maximum number of consecutive characters of the same character class allowed in a new password. Check for the value of the "maxclassrepeat" option in "/etc/pam.d/common-password" with the following command:
```
$ sudo grep maxclassrepeat /etc/pam.d/common-password
password requisite pam_cracklib.so retry=3 minlen=8 difok=3 maxclassrepeat=4
```
If the value of "maxclassrepeat" is set to more than "4", this is a finding.
### Remediation
Configure the operating system to limit the number of repeating characters of the same character class when passwords are changed by setting the "maxclassrepeat" option. Add the following line to "/etc/pam.d/common-password" (or modify the line to have the required value):
```
password requisite pam_cracklib.so retry=3 minlen=8 difok=3 maxclassrepeat=4
```
## 9.2.11 Set deny times for Password Attempts (scored)
### Profile Applicability
Level 3
### Description
Accounts subject to three unsuccessful logon attempts must be denied login.
### Rationale
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.
### Audit
Check that the system denies login to an account for the maximum period after three unsuccessful logon attempts with the following command:
```
$ sudo grep -w "^auth.*pam_tally2.so.*deny" /etc/pam.d/common-auth
auth required pam_tally2.so deny=3 unlock_time=900
```
If the "deny" setting is less than or equal to "3" on both lines with the "pam_tally2.so" module name or is missing from a line, this is a finding.
### Remediation
Configure the operating system to deny an account when three unsuccessful logon attempts are made. Modify "/etc/pam.d/common-auth" files to match the following lines:
```
auth required pam_tally2.so deny=3 unlock_time=900
```
## 9.2.13 Set password creation requirement Parameters Using pam_unix: sha512 option (scored)
### Profile Applicability
Level 2
### Description
The PAM system service must be configured to store only encrypted representations of passwords.
### Rationale
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.
### Audit
Verify the PAM system service is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512. Check that the system is configured to create SHA512 hashed passwords with the following command:
```
$ sudo grep "password.*pam_unix.*sha512" /etc/pam.d/common-password
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
```
If the "/etc/pam.d/common-password" configuration file allows password hashes weaker than SHA512 to be used, this is a finding.
### Remediation
Configure the operating system to store only SHA512 encrypted representations of passwords. Add the following line in "/etc/pam.d/common-password":
```
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
```
## 9.2.14 Check auth config is not blank or null passwords using pam_unix (scored)
### Profile Applicability
Level 2
### Description
The system must not have accounts configured with blank or null passwords.
### Rationale
If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
### Audit
To verify that null passwords cannot be used, run the following command:
```
$ sudo grep nullok /etc/pam.d/common-auth
$ sudo grep nullok_secure /etc/pam.d/common-auth
```
If this produces any output, it may be possible to log on with accounts with empty passwords. If null passwords can be used, this is a finding.
### Remediation
If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating. Remove any instances of the "nullok" option in "/etc/pam.d/common-auth" to prevent logons with empty passwords. Remove the "nullok_secure" form first: if the plain "nullok" pattern runs first it leaves a stray "_secure" token on the line and the second command then matches nothing (note also that GNU sed reads "-ie" as "-i" with a backup suffix of "e", leaving a copy named "common-authe" in "/etc/pam.d").
```
$ sudo sed -ie "s/nullok//" /etc/pam.d/common-auth
$ sudo sed -ie "s/nullok_secure//" /etc/pam.d/common-auth
```
## 9.2.15 Set login display the date and time of last fail logon using pam_lastlog (scored)
### Profile Applicability
Level 3
### Description
The system must display the date and time of the last successful account logon upon logon.
### Rationale
Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.
### Audit
Verify users are provided with feedback on when account accesses last occurred. Check that "pam_lastlog" is used and not silent with the following command:
```
$ sudo grep pam_lastlog /etc/pam.d/login
session optional pam_lastlog.so showfailed
```
If "pam_lastlog" is missing from "/etc/pam.d/login" file, this is a finding.
### Remediation
Configure the operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/login". Add the following line to the top of "/etc/pam.d/login":
```
session optional pam_lastlog.so showfailed
```
## 9.2.16 Set lockout time for Failed Password Attempts (scored)
### Profile Applicability
Level 3
### Description
Accounts subject to three unsuccessful login attempts must have an unlock_time set for the associated account.
### Rationale
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
### Audit
Check that the system locks an account for the configured unlock_time after three unsuccessful logon attempts with the following command:
```
$ sudo grep -w "^auth.*pam_tally2.so.*unlock_time" /etc/pam.d/common-auth
auth required pam_tally2.so deny=3 unlock_time=900
```
If the "unlock_time" setting is less than "900" on both lines with the "pam_tally2.so" module name or is missing from a line, this is a finding.
### Remediation
Configure the operating system to deny an account when three unsuccessful logon attempts are made. Modify "/etc/pam.d/common-auth" files to match the following lines:
```
auth required pam_tally2.so deny=3 unlock_time=900
```
## 9.2.17 Ensure unsuccessful root login occur the associated account must be locked (scored)
### Profile Applicability
Level 3
### Description
Accounts subject to three unsuccessful root login attempts must be denied login.
### Rationale
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.
### Audit
Check that the system also denies the root account for the maximum period after three unsuccessful logon attempts with the following command:
```
$ sudo grep -w "^auth.*pam_tally2.so.*even_deny_root" /etc/pam.d/common-auth
auth required pam_tally2.so deny=3 unlock_time=900 even_deny_root
```
If the "even_deny_root" is missing from a line, this is a finding.
### Remediation
Configure the operating system to deny an account when three unsuccessful logon attempts are made. Modify "/etc/pam.d/common-auth" files to match the following lines:
```
auth required pam_tally2.so deny=3 unlock_time=900 even_deny_root
```
## 9.3.15 Set login display the date and time of last fail logon using pam_lastlog (scored)
### Profile Applicability
Level 2
### Description
The system must display the date and time of the last successful account logon upon an SSH logon.
### Rationale
Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.
### Audit
Verify SSH provides users with feedback on when account accesses last occurred. Check that "PrintLastLog" keyword in the sshd daemon configuration file is used and set to "yes" with the following command:
```
$ sudo grep -i printlastlog /etc/ssh/sshd_config
PrintLastLog yes
```
If the "PrintLastLog" keyword is set to "no", is missing, or is commented out, this is a finding.
### Remediation
Add the following line to "/etc/ssh/sshd_config":
```
PrintLastLog yes
```
The SSH service must be restarted for changes to "sshd_config" to take effect.
## 9.3.16 Set SSHD ignoreuserknownhosts to yes (scored)
### Profile Applicability
Level 2
### Description
The SSH daemon must not allow authentication using known hosts authentication.
### Rationale
Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.
### Audit
Verify the SSH daemon does not allow authentication using known hosts authentication. To determine how the SSH daemon's "IgnoreUserKnownHosts" option is set, run the following command:
```
$ sudo grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config
IgnoreUserKnownHosts yes
```
If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.
### Remediation
Configure the SSH daemon to not allow authentication using known hosts authentication. Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes":
```
IgnoreUserKnownHosts yes
```
The SSH service must be restarted for changes to take effect.
## 9.3.17 Set SSHD GSSAPIAuthentication to yes (scored)
### Profile Applicability
Level 2
### Description
The SSH daemon must not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.
### Rationale
GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the systems GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed.
### Audit
Verify the SSH daemon does not permit GSSAPI authentication unless approved. Check that the SSH daemon does not permit GSSAPI authentication with the following command:
```
$ sudo grep -i gssapiauth /etc/ssh/sshd_config
GSSAPIAuthentication no
```
If the "GSSAPIAuthentication" keyword is missing, is set to "yes" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding.
### Remediation
Uncomment the "GSSAPIAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no":
```
GSSAPIAuthentication no
```
The SSH service must be restarted for changes to take effect. If GSSAPI authentication is required, it must be documented, to include the location of the configuration file, with the ISSO.
## 9.3.18 Set SSHD KerberosAuthentication to yes (scored)
### Profile Applicability
Level 2
### Description
The SSH daemon must not permit Kerberos authentication unless needed.
### Rationale
Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to exploitation. To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be disabled for systems not using this capability.
### Audit
Verify the SSH daemon does not permit Kerberos to authenticate passwords unless approved. Check that the SSH daemon does not permit Kerberos to authenticate passwords with the following command:
```
$ sudo grep -i kerberosauth /etc/ssh/sshd_config
KerberosAuthentication no
```
If the "KerberosAuthentication" keyword is missing, or is set to "yes" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding.
### Remediation
Uncomment the "KerberosAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no":
```
KerberosAuthentication no
```
The SSH service must be restarted for changes to take effect. If Kerberos authentication is required, it must be documented, to include the location of the configuration file, with the ISSO.
## 9.3.19 Set SSHD StrictModes to yes (scored)
### Profile Applicability
Level 2
### Description
The SSH daemon must perform strict mode checking of home directory configuration files.
### Rationale
If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.
### Audit
Verify the SSH daemon performs strict mode checking of home directory configuration files. The location of the "sshd_config" file may vary if a different daemon is in use. Inspect the "sshd_config" file with the following command:
```
$ sudo grep -i strictmodes /etc/ssh/sshd_config
StrictModes yes
```
If "StrictModes" is set to "no", is missing, or the returned line is commented out, this is a finding.
### Remediation
Uncomment the "StrictModes" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "yes":
```
StrictModes yes
```
The SSH service must be restarted for changes to take effect.
## 9.3.20 Set SSHD UsePrivilegeSeparation to sandbox (scored)
### Profile Applicability
Level 2
### Description
The SSH daemon must use privilege separation.
### Rationale
SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section.
### Audit
Verify the SSH daemon performs privilege separation. Check that the SSH daemon performs privilege separation with the following command:
```
$ sudo grep -i usepriv /etc/ssh/sshd_config
UsePrivilegeSeparation sandbox
```
If the "UsePrivilegeSeparation" keyword is set to "no", is missing, or the returned line is commented out, this is a finding.
### Remediation
Uncomment the "UsePrivilegeSeparation" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "sandbox":
```
UsePrivilegeSeparation sandbox
```
The SSH service must be restarted for changes to take effect.
## 9.3.21 Set SSHD Compression to no (scored)
### Profile Applicability
Level 2
### Description
The SSH daemon must not allow compression or must only allow compression after successful authentication.
### Rationale
If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.
### Audit
Verify the SSH daemon defers compression until after a user successfully authenticates. Check this with the following command:
```
$ sudo grep -i compression /etc/ssh/sshd_config
Compression delayed
```
If the "Compression" keyword is set to "yes", is missing, or the returned line is commented out, this is a finding.
### Remediation
Uncomment the "Compression" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) on the system and set the value to "no":
```
Compression no
```
The SSH service must be restarted for changes to take effect.
## 9.3.22 Set SSHD MACs to hmac-sha2-256,hmac-sha2-512 (scored)
### Profile Applicability
Level 2
### Description
The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
### Rationale
DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2 hash algorithm meeting this requirement is SHA.
### Audit
Verify the SSH daemon is configured to only use MACs employing FIPS 140-2-approved hash algorithms. Check this with the following command:
```
$ sudo grep -i macs /etc/ssh/sshd_config
MACs hmac-sha2-256,hmac-sha2-512
```
If any MACs other than "hmac-sha2-256" or "hmac-sha2-512" are listed or the returned line is commented out, this is a finding.
### Remediation
Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "MACs" keyword and set its value to "hmac-sha2-256" and/or "hmac-sha2-512" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):
```
MACs hmac-sha2-256,hmac-sha2-512
```
The SSH service must be restarted for changes to take effect.
## 9.3.23 Check SSH public host key permission (scored)
### Profile Applicability
Level 2
### Description
The SSH public host key files must have mode 0644 or less permissive.
### Rationale
If a public host key file is modified by an unauthorized user, the SSH service may be compromised.
### Audit
Verify the SSH public host key files have mode "0644" or less permissive. Note: SSH public key files may be found in other directories on the system depending on the installation. The following command will find all SSH public key files on the system:
```
$ sudo find /etc/ssh/ -name "*key.pub" -perm /133 -exec ls -l {} \;
-rw-rw-rw- 1 root root 91 Jun 13 00:40 /etc/ssh/ssh_host_ed25519_key.pub
-rw-rw-rw- 1 root root 391 Jun 13 00:40 /etc/ssh/ssh_host_rsa_key.pub
```
If any file has a mode more permissive than "0644", this is a finding.
### Remediation
Note: SSH public key files may be found in other directories on the system depending on the installation. Change the mode of public host key files under "/etc/ssh" to "0644" with the following command, making sure the glob matches the file names reported by the audit (the host keys are named "*key.pub", so a pattern of "*.key.pub" would match nothing):
```
$ sudo chmod 0644 /etc/ssh/*.key.pub
```
## 9.3.24 Check SSH private host key permission (scored)
### Profile Applicability
Level 2
### Description
The SSH private host key files must have mode 0600 or less permissive.
### Rationale
If an unauthorized user obtains the private SSH host key file, the host could be impersonated.
### Audit
Verify the SSH private host key files have mode "0600" or less permissive. Check the mode of the private host key files under "/etc/ssh" file with the following command:
```
$ sudo find /etc/ssh/ -type f -name "*ssh_host*key" -exec ls -l {} \;
-rwxrwxrwx 1 root root 399 Jun 13 00:40 /etc/ssh/ssh_host_ed25519_key
-rwxrwxrwx 1 root root 1679 Jun 13 00:40 /etc/ssh/ssh_host_rsa_key
-rwxrwxrwx 1 root root 227 Jun 13 00:40 /etc/ssh/ssh_host_ecdsa_key
```
If any file has a mode more permissive than "0600", this is a finding.
### Remediation
Configure the mode of SSH private host key files under "/etc/ssh" to "0600" with the following command:
```
# chmod 0600 /etc/ssh/ssh_host*key
```
## 10.1.4 Set encrypt method (Scored)
### Profile Applicability
Level 3
### Description
The shadow file must be configured to store only encrypted representations of passwords.
### Rationale
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.
### Audit
Verify the system's shadow file is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512. Check that the system is configured to create SHA512 hashed passwords with the following command:
```
$ sudo grep -i encrypt /etc/login.defs
ENCRYPT_METHOD SHA512
```
If the "/etc/login.defs" configuration file does not exist or allows for password hashes other than SHA512 to be used, this is a finding.
### Remediation
Configure the operating system to store only SHA512 encrypted representations of passwords. Add or update the following line in "/etc/login.defs":
```
ENCRYPT_METHOD SHA512
```
## 10.1.6 Remove(Replace) NOPASSWD to PASSWD in the sudoers config file (Scored)
### Profile Applicability
Level 3
### Description
Users must provide a password for privilege escalation.
### Rationale
Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.
### Audit
If passwords are not being used for authentication, this is Not Applicable. Verify the operating system requires users to supply a password for privilege escalation. Check the configuration of the "/etc/sudoers" and "/etc/sudoers.d/*" files with the following command:
```
$ sudo grep -i nopasswd /etc/sudoers /etc/sudoers.d/*
```
If any uncommented line is found with a "NOPASSWD" tag, this is a finding.
### Remediation
Replace any occurrences of the "NOPASSWD" tag with "PASSWD" in the files listed above.
## 10.1.7 Remove(Replace) not authenticate(!authenticate) to authenticate in the sudoers config file (Scored)
### Profile Applicability
Level 3
### Description
Users must re-authenticate for privilege escalation.
### Rationale
Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate.
### Audit
Verify the operating system requires users to reauthenticate for privilege escalation. Check the configuration of the "/etc/sudoers" and "/etc/sudoers.d/*" files with the following command:
```
$ sudo grep -i authenticate /etc/sudoers /etc/sudoers.d/*
```
If any line is found with a "!authenticate" tag, this is a finding.
### Remediation
Replace any occurrences of the "!authenticate" tag with "authenticate" in the files listed above.
## 10.1.8 Set FAIL_DELAY to wait to allow login when the last login failed (Scored)
### Profile Applicability
Level 2
### Description
The delay between logon prompts following a failed console logon attempt must be at least four seconds.
### Rationale
Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.
### Audit
Verify the operating system enforces a delay of at least four seconds between console logon prompts following a failed logon attempt. Check the value of the "delay" parameter in the "/etc/pam.d/login" file with the following command:
```
$ sudo grep -i delay /etc/pam.d/login
auth optional pam_faildelay.so delay=4000000
```
If the value of "delay" is not set to "4000000" or greater, this is a finding.
### Remediation
Configure the operating system to enforce a delay of at least four seconds between logon prompts following a failed console logon attempt. Modify the "/etc/pam.d/login" file to set the "delay" parameter to "4000000" or greater:
```
auth optional pam_faildelay.so delay=4000000
```
## 10.1.9 Set create home bool to yes (Scored)
### Profile Applicability
Level 3
### Description
All local interactive user accounts, upon creation, must be assigned a home directory.
### Rationale
If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
### Audit
Verify all local interactive users on the system are assigned a home directory upon creation. Check to see if the system is configured to create home directories for local interactive users with the following command:
```
$ sudo grep -i create_home /etc/login.defs
CREATE_HOME yes
```
If the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out, this is a finding.
### Remediation
Configure the operating system to assign home directories to all new local interactive users by setting the "CREATE_HOME" parameter in "/etc/login.defs" to "yes" as follows.
```
CREATE_HOME yes
```
## 10.1.10 Set maxlogins for all accounts (Scored)
### Profile Applicability
Level 2
### Description
The operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.
### Rationale
Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system.
### Audit
Verify the operating system limits the number of concurrent sessions to "10" for all accounts and/or account types by issuing the following command:
```
$ sudo grep "maxlogins" /etc/security/limits.conf
* hard maxlogins 10
```
This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains. If the "maxlogins" item is missing or the value is not set to "10" or less for all domains that have the "maxlogins" item assigned, this is a finding.
### Remediation
Configure the operating system to limit the number of concurrent sessions to "10" for all accounts and/or account types. Add the following line to the top of the /etc/security/limits.conf:
```
* hard maxlogins 10
```
## 10.1.11 Ensure no shosts configure file on system (Scored)
### Profile Applicability
Level 3
### Description
There must be no .shosts and shosts.equiv files on the system.
### Rationale
The .shosts and shosts.equiv files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.
### Audit
Verify there are no ".shosts" and "shosts.equiv" files on the system. Check the system for the existence of these files with the following command:
```
$ sudo find / -name .shosts
$ sudo find / -name shosts.equiv
```
If any ".shosts" and "shosts.equiv" files are found on the system, this is a finding.
### Remediation
Remove any found ".shosts" and "shosts.equiv" files from the system.
```
# rm /[path]/[to]/[file]/.shosts
# rm /[path]/[to]/[file]/shosts.equiv
```
## 10.5 Set Timeout on ttys (Scored)
### Profile Applicability
Level 2
### Description
All network connections associated with a communication session must be terminated at the end of the session or after 10 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements.
### Rationale
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
### Audit
Verify the operating system terminates all network connections associated with a communications session at the end of the session or based on inactivity. Check the value of the system inactivity timeout with the following command:
```
$ sudo grep -i tmout /etc/bashrc /etc/profile.d/*
TMOUT=600
```
If "TMOUT" is not set to "600" or less in "/etc/bashrc" or in a script created to enforce session termination after inactivity, this is a finding.
### Remediation
Configure the operating system to terminate all network connections associated with a communications session at the end of the session or after a period of inactivity. Add or update the following lines in "/etc/profile".
```
TMOUT=600
readonly TMOUT
export TMOUT
```
Or create a script to enforce the inactivity timeout (for example /etc/profile.d/tmout.sh) such as:
```
#!/bin/bash
TMOUT=600
readonly TMOUT
export TMOUT
```
================================================
FILE: docs/use-cases/apache2-usecase/Readme.mkd
================================================
# Apache2 deploy
## Install
```
# apt-get install apache2
```
# How to use harbian-audit to audit and apply
## Set firewall
```
sed -i 's/PUB_IFS=.*/PUB_IFS="interface of machine"/g' ./etc.iptables.rules.v4.4http.sh
# bash ./etc.iptables.rules.v4.4http.sh
```
## Audit and apply
See the documentation for more details:
[harbian-audit-readme](https://github.com/hardenedlinux/harbian-audit/blob/master/README.md)
```
# bash bin/hardening.sh --audit-all
```
This sets a specific service as an exception (see check 6.10):
```
# bash bin/hardening.sh --set-hardening-level 5 --allow-service http
# bash bin/hardening.sh --audit-all
# bash bin/hardening.sh --apply
```
================================================
FILE: docs/use-cases/apache2-usecase/etc.iptables.rules.v4.4http.sh
================================================
#!/bin/bash
# Stand-alone IPv4 iptables policy for an Apache2 host: default-deny on
# INPUT, OUTPUT and FORWARD, unrestricted loopback, stateful outbound
# traffic, and rate-limited logging of traffic that reaches the end of a
# chain. Per-interface rules are appended further down for each interface
# listed in PUB_IFS.
IPT="/sbin/iptables"
echo "Starting IPv4 Wall..."
# Flush all rules and delete user-defined chains in the filter, nat and
# mangle tables so the policy below is applied to a clean ruleset on every
# run (the script is re-runnable).
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
# Re-create the LOGDROP user chain (removed by the -X above).
$IPT -N LOGDROP
# Load connection tracking, required by the '-m state' matches below.
# NOTE(review): ip_conntrack is the legacy module name; newer kernels
# provide it as nf_conntrack — confirm the alias resolves on the target.
modprobe ip_conntrack
# Whitespace-separated list of public interfaces iterated below. The
# apache2 use-case Readme rewrites this line with sed, so it must keep
# the form PUB_IFS="...".
PUB_IFS="eth0"
# Default-deny on every chain: incoming, outgoing and forwarded traffic.
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
# Loopback: unrestricted in both directions. Because the lo ACCEPT comes
# first, the following 127.0.0.0/8 DROP only hits packets that claim a
# loopback source on a non-loopback interface (anti-spoofing).
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A INPUT -s 127.0.0.0/8 -j DROP
# Outbound: new and established tcp/udp/icmp connections are allowed.
$IPT -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
# Inbound: only replies to tracked connections; RELATED is accepted for
# icmp only (e.g. errors for an existing flow), not for tcp/udp.
$IPT -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -p icmp -m state --state RELATED -j ACCEPT
# Rate-limited logging of inbound packets not accepted above. LOG is a
# non-terminating target, so these packets continue to the per-interface
# rules appended below and, if unmatched, fall through to the DROP policy.
$IPT -A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
# Forwarding: bridged frames are allowed; anything else is logged
# (rate-limited) before hitting the FORWARD DROP policy.
$IPT -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
$IPT -A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
for PUB_IF in $PUB_IFS
do
# sync
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Syn"
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP
# Fragments
$IPT -A INPUT -i ${PUB_IF} -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets"
$IPT -A INPUT -i ${PUB_IF} -f -j DROP
# block bad stuff
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# No smb/windows sharing packets - too much logging
$IPT -A INPUT -p tcp -i ${PUB_IF} --dport 137:139 -j REJECT
$IPT -A INPUT -p udp -i ${PUB_IF} --dport 137:139 -j REJECT
$IPT -I INPUT -p tcp --dport 22 -i ${PUB_IF} -m state --state NEW -m recent --set
$IPT -I INPUT -p tcp --dport 22 -i ${PUB_IF} -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j LOGDROP
done
# Allow full outgoing connection but no incoming stuff
$IPT -A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
$IPT -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# allow ssh/http only
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p udp --dport 68 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
# $IPT -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# allow incoming ICMP ping pong stuff
$IPT -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# prevent ssh brute force attack
$IPT -A LOGDROP -j LOG
$IPT -A LOGDROP -j DROP
# Log everything else
# *** Required for psad ****
$IPT -A INPUT -j LOG
$IPT -A FORWARD -j LOG
$IPT -A INPUT -j DROP
exit 0
================================================
FILE: docs/use-cases/hyperledger-cello-usecase/README.mkd
================================================
# Use case deploy document
[deploy-hyperledger-cello-on-debian-9](https://github.com/hardenedlinux/Debian-GNU-Linux-Profiles/blob/master/docs/blockchains/deploy-hyperledger-cello-on-debian-9.md)
# How to use harbian-audit to audit and apply
## Master node
```
# iptables-restore master-ufw-rules.conf
# bash bin/hardening.sh --audit-all
# bash bin/hardening.sh --set-hardening-level 5
# bash bin/hardening.sh --audit-all
# bash bin/hardening.sh --apply
```
## Worker node
```
# iptables-restore worker-ufw-rules.conf
# bash bin/hardening.sh --audit-all
# bash bin/hardening.sh --set-hardening-level 5
# bash bin/hardening.sh --audit-all
# bash bin/hardening.sh --apply
```
================================================
FILE: docs/use-cases/hyperledger-cello-usecase/master-ufw-rules.conf
================================================
# Generated by iptables-save v1.6.0 on Tue Mar 19 05:00:53 2019
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-68253164bea9 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-68253164bea9 -j DOCKER
-A FORWARD -i br-68253164bea9 ! -o br-68253164bea9 -j ACCEPT
-A FORWARD -i br-68253164bea9 -o br-68253164bea9 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A DOCKER -d 172.18.0.2/32 ! -i br-68253164bea9 -o br-68253164bea9 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.18.0.6/32 ! -i br-68253164bea9 -o br-68253164bea9 -p tcp -m tcp --dport 8443 -j ACCEPT
-A DOCKER -d 172.18.0.6/32 ! -i br-68253164bea9 -o br-68253164bea9 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.18.0.9/32 ! -i br-68253164bea9 -o br-68253164bea9 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.18.0.10/32 ! -i br-68253164bea9 -o br-68253164bea9 -p tcp -m tcp --dport 8081 -j ACCEPT
-A DOCKER -d 172.18.0.11/32 ! -i br-68253164bea9 -o br-68253164bea9 -p tcp -m tcp --dport 2049 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i br-68253164bea9 ! -o br-68253164bea9 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o br-68253164bea9 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 8080 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 8080 -j ACCEPT
-A ufw-user-input -p tcp -m multiport --dports 80,2049,8080,8081,8083,8084 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
-A ufw-user-output -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
# Completed on Tue Mar 19 05:00:53 2019
# Generated by iptables-save v1.6.0 on Tue Mar 19 05:00:53 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.18.0.0/16 ! -o br-68253164bea9 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.18.0.6/32 -d 172.18.0.6/32 -p tcp -m tcp --dport 8443 -j MASQUERADE
-A POSTROUTING -s 172.18.0.6/32 -d 172.18.0.6/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
-A POSTROUTING -s 172.18.0.9/32 -d 172.18.0.9/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
-A POSTROUTING -s 172.18.0.10/32 -d 172.18.0.10/32 -p tcp -m tcp --dport 8081 -j MASQUERADE
-A POSTROUTING -s 172.18.0.11/32 -d 172.18.0.11/32 -p tcp -m tcp --dport 2049 -j MASQUERADE
-A DOCKER -i br-68253164bea9 -j RETURN
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i br-68253164bea9 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.18.0.2:80
-A DOCKER ! -i br-68253164bea9 -p tcp -m tcp --dport 8084 -j DNAT --to-destination 172.18.0.6:8443
-A DOCKER ! -i br-68253164bea9 -p tcp -m tcp --dport 8083 -j DNAT --to-destination 172.18.0.6:8080
-A DOCKER ! -i br-68253164bea9 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.18.0.9:8080
-A DOCKER ! -i br-68253164bea9 -p tcp -m tcp --dport 8081 -j DNAT --to-destination 172.18.0.10:8081
-A DOCKER ! -i br-68253164bea9 -p tcp -m tcp --dport 2049 -j DNAT --to-destination 172.18.0.11:2049
COMMIT
# Completed on Tue Mar 19 05:00:53 2019
================================================
FILE: docs/use-cases/hyperledger-cello-usecase/worker-ufw-rules.conf
================================================
# Generated by iptables-save v1.6.0 on Tue Mar 19 04:58:05 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.20.0.0/16 ! -o br-7141b8d56620 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-e8ca1119d5c5 -j MASQUERADE
-A POSTROUTING -s 172.19.0.0/16 ! -o br-5e355971f13c -j MASQUERADE
-A POSTROUTING -s 172.20.0.2/32 -d 172.20.0.2/32 -p tcp -m tcp --dport 7050 -j MASQUERADE
-A POSTROUTING -s 172.20.0.3/32 -d 172.20.0.3/32 -p tcp -m tcp --dport 7054 -j MASQUERADE
-A POSTROUTING -s 172.20.0.4/32 -d 172.20.0.4/32 -p tcp -m tcp --dport 7054 -j MASQUERADE
-A POSTROUTING -s 172.20.0.5/32 -d 172.20.0.5/32 -p tcp -m tcp --dport 7053 -j MASQUERADE
-A POSTROUTING -s 172.20.0.5/32 -d 172.20.0.5/32 -p tcp -m tcp --dport 7051 -j MASQUERADE
-A POSTROUTING -s 172.20.0.6/32 -d 172.20.0.6/32 -p tcp -m tcp --dport 7053 -j MASQUERADE
-A POSTROUTING -s 172.20.0.8/32 -d 172.20.0.8/32 -p tcp -m tcp --dport 7053 -j MASQUERADE
-A POSTROUTING -s 172.20.0.7/32 -d 172.20.0.7/32 -p tcp -m tcp --dport 7053 -j MASQUERADE
-A POSTROUTING -s 172.20.0.6/32 -d 172.20.0.6/32 -p tcp -m tcp --dport 7051 -j MASQUERADE
-A POSTROUTING -s 172.20.0.8/32 -d 172.20.0.8/32 -p tcp -m tcp --dport 7051 -j MASQUERADE
-A POSTROUTING -s 172.20.0.7/32 -d 172.20.0.7/32 -p tcp -m tcp --dport 7051 -j MASQUERADE
-A DOCKER -i br-7141b8d56620 -j RETURN
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-e8ca1119d5c5 -j RETURN
-A DOCKER -i br-5e355971f13c -j RETURN
-A DOCKER ! -i br-7141b8d56620 -p tcp -m tcp --dport 8050 -j DNAT --to-destination 172.20.0.2:7050
-A DOCKER ! -i br-7141b8d56620 -p tcp -m tcp --dport 7850 -j DNAT --to-destination 172.20.0.3:7054
-A DOCKER ! -i br-7141b8d56620 -p tcp -m tcp --dport 7950 -j DNAT --to-destination 172.20.0.4:7054
-A DOCKER ! -i br-7141b8d56620 -p tcp -m tcp --dport 7550 -j DNAT --to-destination 172.20.0.5:7053
-A DOCKER ! -i br-7141b8d56620 -p tcp -m tcp --dport 7450 -j DNAT --to-destination 172.20.0.5:7051
-A DOCKER ! -i br-7141b8d56620 -p tcp -m tcp --dport 7750 -j DNAT --to-destination 172.20.0.6:7053
-A DOCKER ! -i br-7141b8d56620 -p tcp -m tcp --dport 7350 -j DNAT --to-destination 172.20.0.8:7053
-A DOCKER ! -i br-7141b8d56620 -p tcp -m tcp --dport 7150 -j DNAT --to-destination 172.20.0.7:7053
-A DOCKER ! -i br-7141b8d56620 -p tcp -m tcp --dport 7650 -j DNAT --to-destination 172.20.0.6:7051
-A DOCKER ! -i br-7141b8d56620 -p tcp -m tcp --dport 7250 -j DNAT --to-destination 172.20.0.8:7051
-A DOCKER ! -i br-7141b8d56620 -p tcp -m tcp --dport 7050 -j DNAT --to-destination 172.20.0.7:7051
COMMIT
# Completed on Tue Mar 19 04:58:05 2019
# Generated by iptables-save v1.6.0 on Tue Mar 19 04:58:05 2019
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-7141b8d56620 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-7141b8d56620 -j DOCKER
-A FORWARD -i br-7141b8d56620 ! -o br-7141b8d56620 -j ACCEPT
-A FORWARD -i br-7141b8d56620 -o br-7141b8d56620 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-e8ca1119d5c5 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-e8ca1119d5c5 -j DOCKER
-A FORWARD -i br-e8ca1119d5c5 ! -o br-e8ca1119d5c5 -j ACCEPT
-A FORWARD -i br-e8ca1119d5c5 -o br-e8ca1119d5c5 -j ACCEPT
-A FORWARD -o br-5e355971f13c -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-5e355971f13c -j DOCKER
-A FORWARD -i br-5e355971f13c ! -o br-5e355971f13c -j ACCEPT
-A FORWARD -i br-5e355971f13c -o br-5e355971f13c -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A DOCKER -d 172.20.0.2/32 ! -i br-7141b8d56620 -o br-7141b8d56620 -p tcp -m tcp --dport 7050 -j ACCEPT
-A DOCKER -d 172.20.0.3/32 ! -i br-7141b8d56620 -o br-7141b8d56620 -p tcp -m tcp --dport 7054 -j ACCEPT
-A DOCKER -d 172.20.0.4/32 ! -i br-7141b8d56620 -o br-7141b8d56620 -p tcp -m tcp --dport 7054 -j ACCEPT
-A DOCKER -d 172.20.0.5/32 ! -i br-7141b8d56620 -o br-7141b8d56620 -p tcp -m tcp --dport 7053 -j ACCEPT
-A DOCKER -d 172.20.0.5/32 ! -i br-7141b8d56620 -o br-7141b8d56620 -p tcp -m tcp --dport 7051 -j ACCEPT
-A DOCKER -d 172.20.0.6/32 ! -i br-7141b8d56620 -o br-7141b8d56620 -p tcp -m tcp --dport 7053 -j ACCEPT
-A DOCKER -d 172.20.0.8/32 ! -i br-7141b8d56620 -o br-7141b8d56620 -p tcp -m tcp --dport 7053 -j ACCEPT
-A DOCKER -d 172.20.0.7/32 ! -i br-7141b8d56620 -o br-7141b8d56620 -p tcp -m tcp --dport 7053 -j ACCEPT
-A DOCKER -d 172.20.0.6/32 ! -i br-7141b8d56620 -o br-7141b8d56620 -p tcp -m tcp --dport 7051 -j ACCEPT
-A DOCKER -d 172.20.0.8/32 ! -i br-7141b8d56620 -o br-7141b8d56620 -p tcp -m tcp --dport 7051 -j ACCEPT
-A DOCKER -d 172.20.0.7/32 ! -i br-7141b8d56620 -o br-7141b8d56620 -p tcp -m tcp --dport 7051 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i br-7141b8d56620 ! -o br-7141b8d56620 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-e8ca1119d5c5 ! -o br-e8ca1119d5c5 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-5e355971f13c ! -o br-5e355971f13c -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o br-7141b8d56620 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-e8ca1119d5c5 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-5e355971f13c -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 2375 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 2375 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 2375 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Tue Mar 19 04:58:05 2019
================================================
FILE: docs/use-cases/nodejs-redis-mysql-usecase/README.md
================================================
# Nodejs + redis + mysql demo
## environment
* OS: Debian 9.6
* Nodejs: 10.13.0
* MySQL: 10.1.26-MariaDB-0+deb9u1
* Redis: 5.0.1
## Install packages
### Install mysql
```
# apt install mysql-server
```
#### Configure database
Create helloworld database
```
# mysql -uroot
MariaDB [(none)]> CREATE DATABASE helloworld;
```
Grant proper access to the helloworld database:
```
MariaDB [(none)]> GRANT ALL PRIVILEGES ON helloworld.* TO 'helloworld'@'localhost' \
IDENTIFIED BY 'HELLOWORLD_DBPASS';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON helloworld.* TO 'helloworld'@'%' \
IDENTIFIED BY 'HELLOWORLD_DBPASS';
MariaDB [(none)]> quit
```
Replace HELLOWORLD_DBPASS with a suitable password.
### Install Redis
Edit `/etc/apt/sources.list` and add the `stretch-backports` source:
```
deb http://mirrors.163.com/debian/ stretch-backports main
deb-src http://mirrors.163.com/debian/ stretch-backports main
```
and update the package index:
```
# apt update
```
#### install the package
```
# apt -t stretch-backports install -y redis-server
```
#### Configure Redis
Modify `/etc/redis/redis.conf` and change `supervised no` to
```
supervised systemd
```
Configuring a Redis password: in `/etc/redis/redis.conf` you will find the line
```
# requirepass foobared
```
Uncomment it and change `foobared` to a suitable password. For example, you can generate one with:
```
openssl rand 60 | openssl base64 -A
jkO663LT4SLU522cIBaMrWshaEEP+67oRGIdDV3AEpIaS7IQ9yYWP78nmruBFM2cPdxSudvrrmlZeKil
```
Then restart Redis: `systemctl restart redis`
### Install Nodejs
```
# apt install curl -y
```
As root:
```
# curl -sL https://deb.nodesource.com/setup_10.x | bash -
# apt-get install -y nodejs
```
### Install pax-bites
```
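# Write the deploy script to disk.  The delimiter is quoted so that
# $WORKDIR stays literal here and is expanded when the script runs,
# not by the shell that writes the file.
cat > debian_auto_deploy.sh <<'EOF'
#!/bin/bash
# Build and install paxctl-ng/elfix from source, install the hardenedlinux
# PaX flag profile plus the pax-bites apt hook, and apply the flags once.
# Run as root.  Any failing step aborts the script.
set -euo pipefail
# Scratch directory; a fixed name under /tmp is avoided for a root-run script.
WORKDIR=$(mktemp -d)
cd "$WORKDIR"
echo "###########################################################################"
echo -e "[+] \e[93mInstalling paxctl-ng/elfix...\e[0m"
echo "----------------------------------------------"
apt-get install -y vim libc6-dev libelf-dev libattr1-dev build-essential git
# NOTE(review): the tarball and the flag profile below are fetched over
# HTTPS without an integrity check; pin a checksum before using this
# outside a demo.
wget https://dev.gentoo.org/%7Eblueness/elfix/elfix-0.9.2.tar.gz
tar zxvf elfix-0.9.2.tar.gz
cd elfix-0.9.2
./configure --enable-ptpax --enable-xtpax --disable-tests
make
make install
cd "$WORKDIR"
echo "###########################################################################"
echo -e "[+] \e[93mDeploying configs....\e[0m"
echo "----------------------------------------------"
# apt hook: re-apply the PaX flag profile after every package operation.
echo 'DPkg::Post-Invoke {"/bin/bash /usr/sbin/pax-bites.sh -e /etc/pax_flags_debian.config"; };' >77pax-bites
cp 77pax-bites /etc/apt/apt.conf.d/
wget https://github.com/hardenedlinux/hardenedlinux_profiles/raw/master/debian/pax_flags_debian.config
cp pax_flags_debian.config /etc/
echo "###########################################################################"
echo -e "[+] \e[93mDeploying pax-bites...\e[0m"
echo "----------------------------------------------"
git clone https://github.com/hardenedlinux/pax-bites.git
cp pax-bites/pax-bites.sh /usr/sbin/
pax-bites.sh -e /etc/pax_flags_debian.config
EOF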
```
run command:
```
bash debian_auto_deploy.sh
```
After installing paxctl and pax-bites, modify `/etc/pax_flags_debian.config` and add the following content:
```
# Nodejs
/usr/bin/node;m
```
`-m` means `disable MPROTECT`
See `paxctl-ng` for more details. Apply the change:
```
pax-bites.sh -e /etc/pax_flags_debian.config
```
## Add new user for helloworld service
```
# adduser helloworld
# sed -i '/root/ahelloworld ALL=(ALL:ALL) ALL' /etc/sudoers
```
## Usage
As the helloworld user, unzip helloworld.zip and install the dependencies:
```
//Installation all dependencies:
//As helloworld
$ unzip helloworld.zip
$ cd helloworld
$ npm install
```
## Modify the config file located in `config/config.js`
Set up the MySQL and Redis connection settings here:
```
BASE_DIR = __dirname;
module.exports = {
port: 3000,
//mysql
mysql: {
host: 'localhost',
user: 'helloworld',
password: 'HELLOWORLD_DBPASS',
connectionLimit: 10,
charset: 'utf8mb4',
},
database: 'helloworld',
//redis
redis: {
tokenName: 'helloworld',
host: '127.0.0.1',
port: 6379,
password: 'jkO663LT4SLU522cIBaMrWshaEEP+67oRGIdDV3AEpIaS7IQ9yYWP78nmruBFM2cPdxSudvrrmlZeKil',
},
}
```
Install PM2:
```
# npm install pm2 -g
# chmod -R 755 /usr/lib/node_modules/pm2
```
```
$ su helloworld
$ export NODE_ENV=production && pm2 start ./app.js --name helloworld
$ pm2 startup systemd
[PM2] Init System found: systemd
[PM2] To setup the Startup Script, copy/paste the following command:
# env PATH=$PATH:/usr/bin /usr/lib/node_modules/pm2/bin/pm2 startup systemd -u helloworld --hp /home/helloworld
```
Change to the root user and execute:
```
$ env PATH=$PATH:/usr/bin /usr/lib/node_modules/pm2/bin/pm2 startup systemd -u helloworld --hp /home/helloworld
```
Then switch back to the `helloworld` user and run:
```
$ pm2 save
```
Now start the service:
```
# systemctl start pm2-helloworld
```
## Set iptables rules
```
# iptables -I INPUT -p tcp -m tcp --dport 3000 -j ACCEPT
```
## Test
Open http://{your server ip}:3000 and you should see the helloworld page.
Reference:
https://nodejs.org/en/
https://www.mysql.com/
http://pm2.keymetrics.io/
https://www.digitalocean.com/community/tutorials/how-to-set-up-a-node-js-application-for-production-on-debian-9
================================================
FILE: docs/use-cases/nodejs-redis-mysql-usecase/helloworld/app.js
================================================
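const express = require('express');
const sql = require('./services/SqlService');
const myredis = require('./services/RedisService');
const { database, redis, port } = require('./config/config');

const app = express();

// Demo endpoint: reads one row from the MySQL "test" table and one key
// from Redis and echoes both as plain text.  `database` comes from
// config.js, not from the request, so interpolating it into the query
// text is not user-controlled input.
app.get('/', async (req, res) => {
  try {
    // sql.query is defined in SqlService (not visible here); presumably
    // resolves with an array of row objects.
    const data_mysql = await sql.query(`select content from ${database}.test limit 1`);
    const data_redis = await myredis.get(redis.tokenName);
    // The table may be empty; don't throw on data_mysql[0].
    const content = Array.isArray(data_mysql) && data_mysql.length > 0
      ? data_mysql[0]['content']
      : undefined;
    res.send(`
Hello World!
Data from mysql ${content}
Data from redis ${data_redis}
`);
  } catch (err) {
    // Report a 500 instead of leaving the request hanging on an
    // unhandled rejection; details stay in the server log.
    console.error(err);
    res.status(500).send('Internal error');
  }
});

app.listen(port, function () {
  // Report the configured port rather than a hard-coded 3000.
  console.log(`Hello world run on port ${port}!`);
});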
================================================
FILE: docs/use-cases/nodejs-redis-mysql-usecase/helloworld/config/config.js
================================================
// Runtime settings for the helloworld demo.  The placeholder strings are
// meant to be replaced before deployment (the README shows a filled-in
// copy); keep the filled-in copy out of version control, since it holds
// credentials in plaintext.  The file is not in strict mode and BASE_DIR
// is assigned without a declaration, so it becomes an implicit global
// rather than a module-local; nothing in this file reads it.
BASE_DIR = __dirname;
module.exports = {
// Port the express app listens on (app.js).
port: 3000,
//mysql
// Copied and passed to mysql.createPool in services/SqlService.js.
mysql: {
host: 'localhost',
user: 'YOUR_MYSQL_USER',
password: 'YOUR_MYSQL_PASSWORD',
connectionLimit: 10,
charset: 'utf8mb4',
},
// Schema the demo queries and creates its "test" table in.
database: 'helloworld',
//redis
// Passed to redis.createClient in services/RedisService.js; the password
// is only sent when it is non-empty.  tokenName is the key the demo
// writes at startup and reads on each request.
redis: {
tokenName: 'helloworld',
host: '127.0.0.1',
port: 6379,
password: 'YOUR_REDIS_PASSWORD',
},
}
================================================
FILE: docs/use-cases/nodejs-redis-mysql-usecase/helloworld/package.json
================================================
{
"name": "helloworld",
"version": "1.0.0",
"description": "This is helloworld project",
"main": "index.js",
"scripts": {
"start": "nodemon ./app.js"
},
"author": "",
"license": "ISC",
"devDependencies": {
"log4js": "^3.0.6",
"mysql": "^2.15.0",
"redis": "^2.8.0"
},
"dependencies": {
"express": "^4.15.4",
"nodemon": "^1.18.6"
}
}
================================================
FILE: docs/use-cases/nodejs-redis-mysql-usecase/helloworld/services/LogService.js
================================================
const log4js = require('log4js');

// One file appender writing helloworld.log in the working directory,
// used as the default category at debug level.  The pm2 flag is the
// log4js option for processes managed by pm2 — confirm its semantics
// against the log4js version pinned in package.json.
const LOG_CATEGORY = 'helloworld';
const logConfig = {
  appenders: { [LOG_CATEGORY]: { type: 'file', filename: 'helloworld.log' } },
  categories: { default: { appenders: [LOG_CATEGORY], level: 'debug' } },
  pm2: true,
};
log4js.configure(logConfig);

module.exports = log4js.getLogger(LOG_CATEGORY);
================================================
FILE: docs/use-cases/nodejs-redis-mysql-usecase/helloworld/services/RedisService.js
================================================
const redis = require("redis")
const logger = require('./LogService')
const config = require('../config/config')
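class RedisService {
  constructor() {
    this.client = null;
    this.init();
    // Seed the demo value.  set() already logs failures; catch here so a
    // Redis outage at startup is not an unhandled promise rejection.
    this.set(config.redis.tokenName, 'hello,i am data from redis').catch(() => {});
  }

  // Build the redis client from config.redis (password only when set) and
  // log connection errors instead of letting them crash the process.
  init() {
    const option = {
      host: config.redis.host,
      port: config.redis.port,
    };
    if (config.redis.password) {
      option.password = config.redis.password;
    }
    this.client = redis.createClient(option);
    this.client.on('error', (err) => {
      console.log('Redis connect fail!');
      logger.error(err);
    });
  }

  /*
   * get value
   * redis.get('tokens','object') / redis.get('tokens')
   *
   * Resolves with the raw reply, or with JSON.parse(reply) when type is
   * 'object'.  Rejects on a Redis error, and also on a reply that is not
   * valid JSON: an exception thrown inside the redis callback would be
   * an uncaught exception rather than a rejection, so it is caught here.
   */
  get(key, type) {
    return new Promise((resolve, reject) => {
      this.client.get(key, (err, reply) => {
        if (err) {
          logger.error(err);
          reject(err);
          return;
        }
        if (type !== 'object') {
          resolve(reply);
          return;
        }
        try {
          resolve(JSON.parse(reply));
        } catch (parseErr) {
          logger.error(parseErr);
          reject(parseErr);
        }
      });
    });
  }

  /*
   * set value
   * redis.set('tokens',tokens,'object') / redis.set('tokens',tokens)
   *
   * Serialises value with JSON.stringify when type is 'object' (a
   * stringify failure rejects the promise); resolves with the Redis
   * reply, rejects after logging on error.
   */
  set(key, value, type) {
    return new Promise((resolve, reject) => {
      const payload = type === 'object' ? JSON.stringify(value) : value;
      this.client.set(key, payload, (err, reply) => {
        if (err) {
          logger.error(err);
          reject(err);
        } else {
          resolve(reply);
        }
      });
    });
  }
}

module.exports = new RedisService();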
================================================
FILE: docs/use-cases/nodejs-redis-mysql-usecase/helloworld/services/SqlService.js
================================================
const mysql = require('mysql');
const logger = require('./LogService');
const config = require('../config/config');
const { database } = config;
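// Promise wrapper around a mysql connection pool. On construction it builds
// the pool and then, asynchronously, creates the database and the demo table
// when they do not exist. The module exports one shared instance.
class SqlService {
  constructor() {
    this.connection = {};
    // init() is async; consume its promise so a failed bootstrap (mysql down,
    // wrong credentials) is logged instead of becoming an unhandled rejection.
    // Callers that need readiness can still await this.init() themselves.
    this.init().catch((err) => logger.error(err));
  }

  // mysql service init: create the pool from config.mysql, then make sure the
  // database and the demo table exist.
  async init() {
    // Copy so the pool cannot mutate the shared config object.
    const mysqlConfig = Object.assign({}, config.mysql);
    const pool = mysql.createPool(mysqlConfig);
    // cb(connection) on success, cb(null) on failure — query() handles null.
    this.connection.getConnection = (cb) => {
      pool.getConnection((err, connection) => {
        if (err) {
          // This failure used to be silent; record why no connection came back.
          logger.error(err);
          cb(null);
          return;
        }
        logger.info(`mysql connect success`);
        cb(connection);
      })
    }
    //if exist database
    await this.init_database();
    //if exist table
    // The identifiers spliced into these statements (database name, table
    // name) come from config and from this file, never from request input;
    // they cannot go through "?" placeholders, which only bind values.
    // The inserted row content is passed as a bound parameter.
    const queries = [
      {
        tableName: 'test',
        sqls: [
          { sql: "CREATE TABLE IF NOT EXISTS " + `${database}.test` + " (`id` int(11) NOT NULL AUTO_INCREMENT,`content` text NOT NULL,PRIMARY KEY (`id`)) ENGINE=InnoDB DEFAULT CHARSET=utf8;", params: [] },
          { sql: `insert into ${database}.test(content) values(?)`, params: ['hello,i am data from mysql'] },
        ]
      },
    ]
    await this.init_tables(queries);
  }

  // init database: create it when missing.
  // NOTE(review): the database and table are created with charset utf8 while
  // config.mysql sets charset utf8mb4 — confirm the mismatch is intended.
  async init_database() {
    await this.query(`CREATE DATABASE IF NOT EXISTS ${database} DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;`);
  }

  // init tables: for each {tableName, sqls} entry, run the listed statements
  // in order when the table does not exist yet.
  async init_tables(data) {
    for (const { tableName, sqls } of data) {
      let isExist;
      try {
        // Existence probe: this query fails when the table is missing, and
        // that failure is the signal — hence the deliberately empty catch.
        isExist = await this.query(`select count(*) from ${database}.${tableName}`);
      } catch (e) {
        // table missing (or not reachable); treated as "does not exist"
      }
      if (!isExist) {
        logger.info(`Table ${tableName} is not existed~`);
        for (const { sql, params } of sqls) {
          await this.query(sql, params);
        }
      }
    }
  }

  // mysql single query
  //
  // sql    - statement text, "?" placeholders for values
  // params - values bound to the placeholders (optional)
  //
  // Resolves with the driver result. Rejects with the driver error, or with
  // an Error when no pool connection could be obtained — the original code
  // called connection.query on null in that case, which threw inside the pool
  // callback and left this promise pending forever.
  query(sql, params) {
    logger.info(sql)
    // NOTE(review): params are logged verbatim; keep that in mind if they
    // ever carry credentials or personal data.
    logger.info(params)
    return new Promise((resolve, reject) => {
      this.connection.getConnection((connection) => {
        if (!connection) {
          reject(new Error('mysql: could not obtain a pool connection'))
          return
        }
        connection.query(sql, params ? params : [], (error, result) => {
          // release the connection back to the pool on both paths
          connection.release()
          if (error) {
            logger.error(error)
            reject(error)
          } else {
            resolve(result)
          }
        })
      })
    })
  }
}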
module.exports = new SqlService()
================================================
FILE: docs/use-cases/tls-transmission-usecase/nginx-mutual-ssl-proxy-http-service/Readme.mkd
================================================
# Use case deploy document
[nginx-mutual-ssl-proxy-http](https://github.com/hardenedlinux/Debian-GNU-Linux-Profiles/blob/master/docs/tls/nginx-mutual-ssl-proxy-http.md)
# How to use harbian-audit to audit and apply
## Server node
```
# iptables-restore iptables_ufw-4-server.cfg
# bash bin/hardening.sh --audit-all
```
This sets the special services as exceptions (checks 6.2, 6.3 and 6.10):
```
# bash bin/hardening.sh --set-hardening-level 5 --allow-service dns,http,cups
# bash bin/hardening.sh --audit-all
# bash bin/hardening.sh --apply
```
## Client node
```
# iptables-restore iptables_ufw-4-client.cfg
# bash bin/hardening.sh --audit-all
```
This sets the special service as an exception (check 6.10):
```
# bash bin/hardening.sh --set-hardening-level 5 --allow-service http
# bash bin/hardening.sh --audit-all
# bash bin/hardening.sh --apply
```
================================================
FILE: docs/use-cases/tls-transmission-usecase/nginx-mutual-ssl-proxy-http-service/iptables_ufw-4-client.cfg
================================================
# Generated by iptables-save v1.6.0 on Sat Mar 30 14:58:29 2019
# mangle table: built-in chains only, all ACCEPT, no rules — nothing is marked or rewritten.
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sat Mar 30 14:58:29 2019
# Generated by iptables-save v1.6.0 on Sat Mar 30 14:58:29 2019
# nat table: built-in chains only, all ACCEPT, no rules — no NAT or port forwarding is configured.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sat Mar 30 14:58:29 2019
# Generated by iptables-save v1.6.0 on Sat Mar 30 14:58:29 2019
# filter table (client node): default-deny for inbound and forwarded traffic,
# unrestricted egress (OUTPUT policy ACCEPT).
# Most INPUT rules are bound to interface "ens33". On a host whose NIC has a
# different name those rules never match, while the interface-less rules
# (ESTABLISHED accept, SSH accept, ICMP accepts, final LOG/DROP) still apply —
# so the SSH throttle and the TCP-flag filters below would silently be inactive.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
# SSH throttle via the "recent" module: a source that opens more than 4 NEW
# connections to port 22 within 60 s is sent to LOGDROP (logged, then dropped).
# Only applies on ens33; the plain SSH ACCEPT further down has no interface match.
-A INPUT -i ens33 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --mask 255.255.255.255 --rsource -j LOGDROP
-A INPUT -i ens33 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
# Loopback and replies to established connections. RELATED is accepted for
# ICMP only; non-ICMP RELATED flows (e.g. secondary data connections) are not.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED -j ACCEPT
# Rate-limited (3/min) log of every packet not yet accepted. LOG is not
# terminal, so evaluation continues with the rules below.
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
# NEW TCP connections must begin with a pure SYN; anything else is logged (5/min) and dropped.
-A INPUT -i ens33 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "Drop Syn"
-A INPUT -i ens33 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
# Second and later IP fragments are logged (5/min) and dropped.
-A INPUT -i ens33 -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "Fragments Packets"
-A INPUT -i ens33 -f -j DROP
# Malformed TCP flag combinations (NULL, XMAS, FIN-only, SYN+RST and others)
# are dropped. Only the NULL, XMAS and FIN-scan cases are logged (5/min);
# the remaining combinations are dropped silently.
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "NULL Packets"
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "XMAS Packets"
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "Fin Packets Scan"
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
# NetBIOS ports 137-139 (TCP and UDP) are actively rejected with ICMP
# port-unreachable rather than silently dropped.
-A INPUT -i ens33 -p tcp -m tcp --dport 137:139 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ens33 -p udp -m udp --dport 137:139 -j REJECT --reject-with icmp-port-unreachable
# Explicit accepts: ICMP source quench (type 4), SSH from any interface and
# any source, and ICMP echo request (type 8) — the host answers ping.
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# Catch-all: LOG with no "-m limit", then DROP. Every packet that gets here is
# logged, so a flood or scan can fill the kernel log; the rules above all
# rate-limit their LOG targets and this one could too.
# DROP is terminal, so the six ufw-* jumps that follow it in INPUT are never
# reached: the ufw input-side chains defined below (including ufw-user-input,
# where ufw-managed rules would live) are dead in this ruleset.
-A INPUT -j LOG
-A INPUT -j DROP
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
# FORWARD: bridged traffic is accepted; everything else is logged twice (once
# at 3/min, once with no limit) and then handed to the ufw forward chains,
# ending at the DROP policy unless one of them accepts.
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A FORWARD -j LOG
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
# OUTPUT: policy ACCEPT, so egress is not restricted; the ufw output chains
# only add logging and accept NEW TCP/UDP.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
# LOGDROP: log (unlimited) then drop; target of the SSH throttle above.
-A LOGDROP -j LOG
-A LOGDROP -j DROP
# ufw chains: appear to be ufw's stock chain set, unmodified. Several declared
# chains (ufw-user-*, ufw-track-input/forward, ufw-after-forward/output,
# ufw-reject-forward/output) carry no rules. Only the forward- and
# output-side chains are reachable, see the INPUT catch-all above.
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-output -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-logging-forward -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-logging-input -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-logging-output -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT INVALID] "
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-reject-input -j REJECT --reject-with icmp-port-unreachable
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j REJECT --reject-with icmp-port-unreachable
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Sat Mar 30 14:58:29 2019
================================================
FILE: docs/use-cases/tls-transmission-usecase/nginx-mutual-ssl-proxy-http-service/iptables_ufw-4-server.cfg
================================================
# Generated by iptables-save v1.6.0 on Sat Mar 30 14:58:29 2019
# mangle table: built-in chains only, all ACCEPT, no rules — nothing is marked or rewritten.
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sat Mar 30 14:58:29 2019
# Generated by iptables-save v1.6.0 on Sat Mar 30 14:58:29 2019
# nat table: built-in chains only, all ACCEPT, no rules — no NAT or port forwarding is configured.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sat Mar 30 14:58:29 2019
# Generated by iptables-save v1.6.0 on Sat Mar 30 14:58:29 2019
# filter table (server node): default-deny for inbound and forwarded traffic,
# unrestricted egress (OUTPUT policy ACCEPT). Identical to the client ruleset
# except that TCP/443 is additionally accepted.
# Most INPUT rules are bound to interface "ens33". On a host whose NIC has a
# different name those rules never match, while the interface-less rules
# (ESTABLISHED accept, SSH/443 accepts, ICMP accepts, final LOG/DROP) still
# apply — so the SSH throttle and the TCP-flag filters below would silently be inactive.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
# SSH throttle via the "recent" module: a source that opens more than 4 NEW
# connections to port 22 within 60 s is sent to LOGDROP (logged, then dropped).
# Only applies on ens33; the plain SSH ACCEPT further down has no interface match.
-A INPUT -i ens33 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --mask 255.255.255.255 --rsource -j LOGDROP
-A INPUT -i ens33 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
# Loopback and replies to established connections. RELATED is accepted for
# ICMP only; non-ICMP RELATED flows (e.g. secondary data connections) are not.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED -j ACCEPT
# Rate-limited (3/min) log of every packet not yet accepted. LOG is not
# terminal, so evaluation continues with the rules below.
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
# NEW TCP connections must begin with a pure SYN; anything else is logged (5/min) and dropped.
-A INPUT -i ens33 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "Drop Syn"
-A INPUT -i ens33 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
# Second and later IP fragments are logged (5/min) and dropped.
-A INPUT -i ens33 -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "Fragments Packets"
-A INPUT -i ens33 -f -j DROP
# Malformed TCP flag combinations (NULL, XMAS, FIN-only, SYN+RST and others)
# are dropped. Only the NULL, XMAS and FIN-scan cases are logged (5/min);
# the remaining combinations are dropped silently.
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "NULL Packets"
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "XMAS Packets"
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "Fin Packets Scan"
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
# NetBIOS ports 137-139 (TCP and UDP) are actively rejected with ICMP
# port-unreachable rather than silently dropped.
-A INPUT -i ens33 -p tcp -m tcp --dport 137:139 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ens33 -p udp -m udp --dport 137:139 -j REJECT --reject-with icmp-port-unreachable
# Explicit accepts: ICMP source quench (type 4), SSH and HTTPS (the nginx TLS
# endpoint of this use case) from any interface and any source, and ICMP echo
# request (type 8) — the host answers ping.
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# Catch-all: LOG with no "-m limit", then DROP. Every packet that gets here is
# logged, so a flood or scan can fill the kernel log; the rules above all
# rate-limit their LOG targets and this one could too.
# DROP is terminal, so the six ufw-* jumps that follow it in INPUT are never
# reached: the ufw input-side chains defined below (including ufw-user-input,
# where ufw-managed rules would live) are dead in this ruleset.
-A INPUT -j LOG
-A INPUT -j DROP
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
# FORWARD: bridged traffic is accepted; everything else is logged twice (once
# at 3/min, once with no limit) and then handed to the ufw forward chains,
# ending at the DROP policy unless one of them accepts.
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A FORWARD -j LOG
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
# OUTPUT: policy ACCEPT, so egress is not restricted; the ufw output chains
# only add logging and accept NEW TCP/UDP.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
# LOGDROP: log (unlimited) then drop; target of the SSH throttle above.
-A LOGDROP -j LOG
-A LOGDROP -j DROP
# ufw chains: appear to be ufw's stock chain set, unmodified. Several declared
# chains (ufw-user-*, ufw-track-input/forward, ufw-after-forward/output,
# ufw-reject-forward/output) carry no rules. Only the forward- and
# output-side chains are reachable, see the INPUT catch-all above.
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-output -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-logging-forward -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-logging-input -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-logging-output -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT INVALID] "
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-reject-input -j REJECT --reject-with icmp-port-unreachable
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j REJECT --reject-with icmp-port-unreachable
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Sat Mar 30 14:58:29 2019
================================================
FILE: docs/use-cases/tls-transmission-usecase/using-Nginx-as-SSL-tunnel-4TCP-UDP-service/Readme.mkd
================================================
# Use case document
[nginx-mutual-ssl-proxy-tcp-udp](https://github.com/hardenedlinux/Debian-GNU-Linux-Profiles/blob/master/docs/tls/nginx-mutual-ssl-proxy-tcp-udp.md)
# How to use harbian-audit to audit and apply
## Server node
```
# iptables-restore iptables_ufw-4-server.cfg
# bash bin/hardening.sh --audit-all
```
This sets the special services as exceptions (checks 6.2, 6.3 and 6.10):
```
# bash bin/hardening.sh --set-hardening-level 5 --allow-service dns,http,cups
# bash bin/hardening.sh --audit-all
# bash bin/hardening.sh --apply
```
## Client node
```
# iptables-restore iptables_ufw-4-client.cfg
# bash bin/hardening.sh --audit-all
```
This sets the special service as an exception (check 6.10):
```
# bash bin/hardening.sh --set-hardening-level 5 --allow-service http
# bash bin/hardening.sh --audit-all
# bash bin/hardening.sh --apply
```
================================================
FILE: docs/use-cases/tls-transmission-usecase/using-Nginx-as-SSL-tunnel-4TCP-UDP-service/iptables_ufw-4-client.cfg
================================================
# Generated by iptables-save v1.6.0 on Sat Mar 30 14:58:29 2019
# mangle table: built-in chains only, all ACCEPT, no rules — nothing is marked or rewritten.
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sat Mar 30 14:58:29 2019
# Generated by iptables-save v1.6.0 on Sat Mar 30 14:58:29 2019
# nat table: built-in chains only, all ACCEPT, no rules — no NAT or port forwarding is configured.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sat Mar 30 14:58:29 2019
# Generated by iptables-save v1.6.0 on Sat Mar 30 14:58:29 2019
# filter table (tunnel client node): default-deny for inbound and forwarded
# traffic, unrestricted egress (OUTPUT policy ACCEPT). Inbound, only SSH is
# opened; the tunnel itself is initiated outbound and its replies are
# covered by the ESTABLISHED accept.
# Most INPUT rules are bound to interface "ens33". On a host whose NIC has a
# different name those rules never match, while the interface-less rules
# (ESTABLISHED accept, SSH accept, ICMP accepts, final LOG/DROP) still apply —
# so the SSH throttle and the TCP-flag filters below would silently be inactive.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
# SSH throttle via the "recent" module: a source that opens more than 4 NEW
# connections to port 22 within 60 s is sent to LOGDROP (logged, then dropped).
# Only applies on ens33; the plain SSH ACCEPT further down has no interface match.
-A INPUT -i ens33 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --mask 255.255.255.255 --rsource -j LOGDROP
-A INPUT -i ens33 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
# Loopback and replies to established connections. RELATED is accepted for
# ICMP only; non-ICMP RELATED flows (e.g. secondary data connections) are not.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED -j ACCEPT
# Rate-limited (3/min) log of every packet not yet accepted. LOG is not
# terminal, so evaluation continues with the rules below.
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
# NEW TCP connections must begin with a pure SYN; anything else is logged (5/min) and dropped.
-A INPUT -i ens33 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "Drop Syn"
-A INPUT -i ens33 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
# Second and later IP fragments are logged (5/min) and dropped.
-A INPUT -i ens33 -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "Fragments Packets"
-A INPUT -i ens33 -f -j DROP
# Malformed TCP flag combinations (NULL, XMAS, FIN-only, SYN+RST and others)
# are dropped. Only the NULL, XMAS and FIN-scan cases are logged (5/min);
# the remaining combinations are dropped silently.
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "NULL Packets"
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "XMAS Packets"
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "Fin Packets Scan"
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
# NetBIOS ports 137-139 (TCP and UDP) are actively rejected with ICMP
# port-unreachable rather than silently dropped.
-A INPUT -i ens33 -p tcp -m tcp --dport 137:139 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ens33 -p udp -m udp --dport 137:139 -j REJECT --reject-with icmp-port-unreachable
# Explicit accepts: ICMP source quench (type 4), SSH from any interface and
# any source, and ICMP echo request (type 8) — the host answers ping.
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# Catch-all: LOG with no "-m limit", then DROP. Every packet that gets here is
# logged, so a flood or scan can fill the kernel log; the rules above all
# rate-limit their LOG targets and this one could too.
# DROP is terminal, so the six ufw-* jumps that follow it in INPUT are never
# reached: the ufw input-side chains defined below (including ufw-user-input,
# where ufw-managed rules would live) are dead in this ruleset.
-A INPUT -j LOG
-A INPUT -j DROP
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
# FORWARD: bridged traffic is accepted; everything else is logged twice (once
# at 3/min, once with no limit) and then handed to the ufw forward chains,
# ending at the DROP policy unless one of them accepts.
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A FORWARD -j LOG
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
# OUTPUT: policy ACCEPT, so egress is not restricted; the ufw output chains
# only add logging and accept NEW TCP/UDP.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
# LOGDROP: log (unlimited) then drop; target of the SSH throttle above.
-A LOGDROP -j LOG
-A LOGDROP -j DROP
# ufw chains: appear to be ufw's stock chain set, unmodified. Several declared
# chains (ufw-user-*, ufw-track-input/forward, ufw-after-forward/output,
# ufw-reject-forward/output) carry no rules. Only the forward- and
# output-side chains are reachable, see the INPUT catch-all above.
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-output -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-logging-forward -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-logging-input -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-logging-output -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT INVALID] "
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-reject-input -j REJECT --reject-with icmp-port-unreachable
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j REJECT --reject-with icmp-port-unreachable
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Sat Mar 30 14:58:29 2019
================================================
FILE: docs/use-cases/tls-transmission-usecase/using-Nginx-as-SSL-tunnel-4TCP-UDP-service/iptables_ufw-4-server.cfg
================================================
# Generated by iptables-save v1.6.0 on Sat Mar 30 14:58:29 2019
# mangle table: built-in chains only, all ACCEPT, no rules — nothing is marked or rewritten.
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sat Mar 30 14:58:29 2019
# Generated by iptables-save v1.6.0 on Sat Mar 30 14:58:29 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sat Mar 30 14:58:29 2019
# Generated by iptables-save v1.6.0 on Sat Mar 30 14:58:29 2019
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -i ens33 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --mask 255.255.255.255 --rsource -j LOGDROP
-A INPUT -i ens33 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -i ens33 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "Drop Syn"
-A INPUT -i ens33 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i ens33 -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "Fragments Packets"
-A INPUT -i ens33 -f -j DROP
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "NULL Packets"
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "XMAS Packets"
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "Fin Packets Scan"
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A INPUT -i ens33 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A INPUT -i ens33 -p tcp -m tcp --dport 137:139 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ens33 -p udp -m udp --dport 137:139 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9243 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A FORWARD -j LOG
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A LOGDROP -j LOG
-A LOGDROP -j DROP
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-output -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-logging-forward -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-logging-input -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-logging-output -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT INVALID] "
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-reject-input -j REJECT --reject-with icmp-port-unreachable
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j REJECT --reject-with icmp-port-unreachable
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Sat Mar 30 14:58:29 2019
================================================
FILE: etc/conf.d/.gitignore
================================================
*.cfg
================================================
FILE: etc/conf.d/README
================================================
# Put your custom configuration files here
# Naming convention: $SCRIPT_NAME.cfg
================================================
FILE: etc/default.cfg
================================================
# Default file for CIS Debian/CentOS hardening scripts
# Define here root directory for CIS debian/CentOS hardening scripts
CIS_ROOT_DIR='/opt/harbianaudit'
# If the distro is Debian 9~13, set 9~13; if it is older than Debian 9, set 1 (the default)
# If the distro is CentOS, set 2; if it is Ubuntu, set 3
OS_RELEASE=1
================================================
FILE: etc/hardening.cfg
================================================
# CIS Debian 7 Hardening
# Main Configuration File, put here global variables
# Valid values are debug info ok warning error
LOGLEVEL=info
# Backup directory: every file modified by the hardening scripts is backed up here, with versioning
# This means that if a file is modified more than once during the process, each hardening step's version is kept in this folder
BACKUPDIR="$CIS_ROOT_DIR/tmp/backups"
# If set to 1, do not filter auditd rules by uid; the actions of all users are recorded in the auditd log
# If set to 0, filter auditd rules by uid
DONT_AUDITD_BY_UID=0
================================================
FILE: lib/common.sh
================================================
# CIS Debian 7 Hardening common functions
#
# File Backup functions
#
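# Copy $1 into $BACKUPDIR under a flattened, timestamped name
# (e.g. /etc/fstab -> $BACKUPDIR/etc.fstab.<YYYY-MM-DD-HH_MM_SS>).
# Globals:   BACKUPDIR (read), FILE, TARGET, FNRET (written)
# Arguments: $1 - path of the file to back up
# Returns:   FNRET=0 on success, 1 if $1 is not a regular file or the copy failed
backup_file() {
  FILE=$1
  if [ ! -f "$FILE" ]; then
    crit "Cannot backup $FILE, it's not a file"
    FNRET=1
    return
  fi
  # Flatten the path: every "/" becomes "." and the leading "." is dropped,
  # then a timestamp is appended so repeated backups of one file never collide.
  TARGET=${FILE//\//.}
  TARGET="$BACKUPDIR/${TARGET#.}.$(date +%F-%H_%M_%S)"
  debug "Backuping $FILE to $TARGET"
  # A failed copy must not be reported as success: the caller is about to
  # modify $FILE and relies on this backup existing.
  if cp -a -- "$FILE" "$TARGET"; then
    FNRET=0
  else
    crit "Cannot backup $FILE to $TARGET"
    FNRET=1
  fi
}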
#
# Logging functions
#
# Map the textual LOGLEVEL from hardening.cfg onto the numeric threshold the
# logging helpers below compare against (1=error ... 5=debug).
# Anything unknown or empty falls back to "info".
case "${LOGLEVEL:-}" in
  error)   MACHINE_LOG_LEVEL=1 ;;
  warning) MACHINE_LOG_LEVEL=2 ;;
  ok)      MACHINE_LOG_LEVEL=3 ;;
  info)    MACHINE_LOG_LEVEL=4 ;;
  debug)   MACHINE_LOG_LEVEL=5 ;;
  *)       MACHINE_LOG_LEVEL=4 ;; # default loglevel value is info
esac
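# Emit one log line to syslog (facility user.info, tag "[CIS_Hardening] <script>")
# and to the terminal through cecho, prefixed by the script name padded to 25 columns.
# Globals:   SCRIPT_NAME (read; derived from $0 when empty), SCRIPT_NAME_FIXEDLEN (written)
# Arguments: $1 - colour escape sequence (may be empty), $* - message
_logger() {
  COLOR=$1
  shift
  test -z "$SCRIPT_NAME" && SCRIPT_NAME=$(basename "$0")
  # printf instead of echo: a message such as "-n" must reach logger literally.
  printf '%s\n' "$*" | /usr/bin/logger -t "[CIS_Hardening] $SCRIPT_NAME" -p "user.info"
  SCRIPT_NAME_FIXEDLEN=$(printf '%-25.25s' "$SCRIPT_NAME")
  # Quoted so that an empty colour still occupies cecho's first argument.
  cecho "$COLOR" "$SCRIPT_NAME_FIXEDLEN $*"
}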
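# Print $* in colour: $1 is the leading escape sequence, $NC (constants.sh) resets it.
# Arguments: $1 - colour escape sequence (may be empty), $* - text
# Outputs:   the coloured line on stdout
cecho () {
  COLOR=$1
  shift
  # printf %b expands backslash escapes the same way "echo -e" does (so the
  # literal \033 sequences from constants.sh work) but, unlike echo, never
  # mistakes a message starting with "-n" or "-e" for an option.
  printf '%b\n' "${COLOR}$*${NC}"
}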
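# Log a critical finding ("[ KO ]", bold red) when the log level is >= 1 and count it.
# Globals:   MACHINE_LOG_LEVEL, BRED (read); CRITICAL_ERRORS_NUMBER (written)
# Arguments: $* - message
crit () {
  # "$BRED" stays quoted: with the colour unset, an unquoted expansion would
  # vanish and the message itself would land in _logger's colour argument.
  if [ "${MACHINE_LOG_LEVEL:-0}" -ge 1 ]; then _logger "$BRED" "[ KO ] $*"; fi
  # This variable incrementation is used to measure failure or success in tests
  CRITICAL_ERRORS_NUMBER=$((CRITICAL_ERRORS_NUMBER+1))
}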
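# Log that the audited entity (service, file, ...) does not exist, so the
# check is not scored, and count it.
# Globals:   MACHINE_LOG_LEVEL, BGREEN (read); NONEXISTENT_NUMBER (written)
# Arguments: $* - message
no_entity() {
  # Quoted colour: an unset BGREEN must not shift the message into the colour slot.
  if [ "${MACHINE_LOG_LEVEL:-0}" -ge 1 ]; then _logger "$BGREEN" "[ none entity, so it's not scored ] $*"; fi
  # This variable incrementation is used to measure whether the service exists in tests
  NONEXISTENT_NUMBER=$((NONEXISTENT_NUMBER+1))
}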
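# Log a warning ("[WARN]", bold yellow) when the log level is >= 2.
# Globals:   MACHINE_LOG_LEVEL, BYELLOW (read)
# Arguments: $* - message
warn () {
  # Quoted colour: an unset BYELLOW must not shift the message into the colour slot.
  if [ "${MACHINE_LOG_LEVEL:-0}" -ge 2 ]; then _logger "$BYELLOW" "[WARN] $*"; fi
}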
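# Log a passed check ("[ OK ]", bold green) when the log level is >= 3.
# Globals:   MACHINE_LOG_LEVEL, BGREEN (read)
# Arguments: $* - message
ok () {
  # Quoted colour: an unset BGREEN must not shift the message into the colour slot.
  if [ "${MACHINE_LOG_LEVEL:-0}" -ge 3 ]; then _logger "$BGREEN" "[ OK ] $*"; fi
}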
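# Log an informational message ("[INFO]", default colour) when the log level is >= 4.
# Globals:   MACHINE_LOG_LEVEL (read)
# Arguments: $* - message
info () {
  if [ "${MACHINE_LOG_LEVEL:-0}" -ge 4 ]; then _logger '' "[INFO] $*"; fi
}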
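# Log a debug message ("[DBG ]", gray) when the log level is >= 5.
# Globals:   MACHINE_LOG_LEVEL, GRAY (read)
# Arguments: $* - message
debug () {
  # Quoted colour: an unset GRAY must not shift the message into the colour slot.
  if [ "${MACHINE_LOG_LEVEL:-0}" -ge 5 ]; then _logger "$GRAY" "[DBG ] $*"; fi
}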
# Forget the critical findings counted so far, so the remaining checks of the
# script start from a clean slate.
# Globals: CRITICAL_ERRORS_NUMBER (written)
reset_ok () {
  info 'Reset to ok!!!'
  CRITICAL_ERRORS_NUMBER=0
}
================================================
FILE: lib/constants.sh
================================================
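# Defines constants for CIS Debian 7 Hardening
# Script and shell commands homogeneity: a fixed locale keeps the output of
# grep/sort/date parsed by the checks byte-identical across machines.
export LANG=C
#### Useful Color constants settings for loglevels
# The values are kept as literal "\033" sequences: cecho expands them with
# printf %b / echo -e at print time.
# Reset Color (for syslog)
NC='\033[0m'
WHITE='\033[0m'
# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[0;33m'
# SGR 1;30 (bold black) renders as dark gray on most terminals; SGR 40 would
# select a black *background* rather than a gray foreground.
GRAY='\033[1;30m' # Gray
# Bold
BRED='\033[1;31m' # Red
BGREEN='\033[1;32m' # Green
BYELLOW='\033[1;33m' # Yellow
BWHITE='\033[1;37m' # White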
================================================
FILE: lib/main.sh
================================================
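# Entry point sourced at the end of every hardening script: loads the shared
# libraries and configuration, parses the command line, decides the script's
# status (enabled/audit/disabled/nonexistent) and runs check_config, audit and
# apply, which the sourcing script must define.
# Exit codes: 0 check passed, 1 check failed, 2 disabled/unknown status,
#             3 audited entity does not exist.
LONG_SCRIPT_NAME=$(basename "$0")
SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
# Variable initialization, to avoid crash
CRITICAL_ERRORS_NUMBER=0 # This will be used to see if a script failed, or passed
NONEXISTENT_NUMBER=0 # This will be used to see if service is exist
status=""
forcedstatus=""
SUDO_CMD=""
# Every file sourced below (and the per-script config created further down) is
# executed as shell code in this process, so $CIS_ROOT_DIR must only be
# writable by the user running the hardening scripts.
[ -r "$CIS_ROOT_DIR/lib/constants.sh" ] && . "$CIS_ROOT_DIR/lib/constants.sh"
[ -r "$CIS_ROOT_DIR/etc/hardening.cfg" ] && . "$CIS_ROOT_DIR/etc/hardening.cfg"
[ -r "$CIS_ROOT_DIR/lib/common.sh" ] && . "$CIS_ROOT_DIR/lib/common.sh"
[ -r "$CIS_ROOT_DIR/lib/utils.sh" ] && . "$CIS_ROOT_DIR/lib/utils.sh"
# Environment Sanitizing
export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
info "Working on $SCRIPT_NAME"
# Arguments parsing
while [ $# -gt 0 ]; do
  ARG="$1"
  case "$ARG" in
    --audit-all)
      debug "Audit all specified, setting status to audit regardless of configuration"
      forcedstatus=auditall
      ;;
    --audit)
      # NOTE: the per-script config has not been sourced yet at this point, so
      # $status only reflects a value set before main.sh was sourced; the same
      # check is repeated below once the config is loaded.
      if [ "$status" != 'disabled' ] && [ "$status" != 'false' ]; then
        debug "Audit argument detected, setting status to audit"
        forcedstatus=audit
      else
        info "Audit argument passed but script is disabled"
      fi
      ;;
    --sudo)
      SUDO_CMD="sudo -n"
      ;;
    *)
      debug "Unknown option passed"
      ;;
  esac
  shift
done
# Source specific configuration file
if ! [ -r "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg" ] ; then
  # If it doesn't exist, create it with default values
  echo "# Configuration for $SCRIPT_NAME, created from default values on $(date)" > "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg"
  # If create_config is a defined function, execute it.
  # Otherwise, just disable the test by default.
  if [ "$(type -t create_config)" = function ] ; then
    create_config >> "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg"
  else
    echo "status=disabled" >> "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg"
  fi
fi
[ -r "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg" ] && . "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg"
# Now check configured value for status, and potential cmdline parameter
if [ "$forcedstatus" = "auditall" ] ; then
  # We want to audit even disabled script, so override config value in any case
  status=audit
elif [ "$forcedstatus" = "audit" ] ; then
  # We want to audit only enabled scripts
  if [ "$status" != 'disabled' ] && [ "$status" != 'false' ]; then
    debug "Audit argument detected, setting status to audit"
    status=audit
  else
    info "Audit argument passed but script is disabled"
  fi
elif [ "$NONEXISTENT_NUMBER" -gt 0 ]; then
  # Only reachable if something sourced above bumped the counter (it is reset to 0 at the top).
  status=nonexistent
fi
if [ -z "$status" ]; then
  crit "Could not find status variable for $SCRIPT_NAME, considered as disabled"
  exit 2
fi
case "$status" in
  enabled | true )
    info "Checking Configuration"
    check_config
    info "Performing audit"
    audit # Perform audit
    info "Applying Hardening"
    apply # Perform hardening
    ;;
  audit )
    info "Checking Configuration"
    check_config
    info "Performing audit"
    audit # Perform audit
    ;;
  disabled | false )
    info "$SCRIPT_NAME is disabled, ignoring"
    exit 2 # Means unknown status
    ;;
  nonexistent)
    no_entity "Check ${SCRIPT_NAME} Service is nonexistent "
    exit 3
    ;;
  *)
    warn "Wrong value for status : $status. Must be [ enabled | true | audit | disabled | false ]"
    ;;
esac
# crit() increments CRITICAL_ERRORS_NUMBER; any finding turns the run into a failure.
if [ "$CRITICAL_ERRORS_NUMBER" = 0 ]; then
  ok "Check Passed"
  exit 0 # Means ok status
else
  crit "Check Failed"
  exit 1 # Means critical status
fi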
================================================
FILE: lib/utils.sh
================================================
# CIS Debian 7 Hardening Utility functions
#
# debian version check
#
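# Detect CentOS 8 from /etc/redhat-release.
# Globals: FNRET (written)
# Returns: FNRET=0 on CentOS 8.x, 1 on any other redhat-release content,
#          2 when /etc/redhat-release is not readable
is_centos_8()
{
  if [ -r /etc/redhat-release ]; then
    # "\." so that only a real "8.<minor>" release string matches
    if grep -q "^CentOS.*8\.[0-9]" /etc/redhat-release; then
      debug "CentOS version is equal to 8"
      FNRET=0
    else
      debug "CentOS version is less than 8"
      FNRET=1
    fi
  else
    debug "Current OS is not redhat/CentOS"
    FNRET=2
  fi
}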
# Sets FNRET to 9, 10, 11, 12 or 13 for Debian 9..13, or to 1 if the release is older than 9
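# Determine the Debian major release from /etc/debian_version.
# Globals: FNRET (written)
# Returns: FNRET=9..13 for Debian 9..13, recognised either by codename
#          (testing/unstable carry "<codename>/sid") or by numeric version;
#          1 for anything older or unrecognised. FNRET is left untouched when
#          /etc/debian_version is unreadable, so initialise it before calling.
get_debian_ver()
{
  DEBIAN13CODENAME="trixie"
  DEBIAN12CODENAME="bookworm"
  DEBIAN11CODENAME="bullseye"
  DEBIAN10CODENAME="buster"
  DEBIAN9CODENAME="stretch"
  local VERSION MAJOR
  [ -r /etc/debian_version ] || return
  read -r VERSION < /etc/debian_version
  MAJOR=${VERSION%%.*}
  # Match the codename first: "[" cannot compare "<codename>/sid" numerically,
  # so the numeric test is only applied when the first field is digits.
  case "${VERSION,,}" in
    "$DEBIAN13CODENAME"*) FNRET=13 ;;
    "$DEBIAN12CODENAME"*) FNRET=12 ;;
    "$DEBIAN11CODENAME"*) FNRET=11 ;;
    "$DEBIAN10CODENAME"*) FNRET=10 ;;
    "$DEBIAN9CODENAME"*)  FNRET=9 ;;
    *)
      case "$MAJOR" in
        13|12|11|10|9) FNRET=$MAJOR ;;
        *)             FNRET=1 ;;
      esac
      ;;
  esac
  if [ "$FNRET" -eq 1 ]; then
    debug "Debian version is less than 9"
  else
    debug "Debian version is $FNRET"
  fi
}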
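# Detect Debian 13 (codename trixie, or numeric version 13.x).
# Globals: FNRET (written)
# Returns: FNRET=0 on Debian 13, 2 otherwise (including non-Debian systems)
is_debian_13()
{
  # For debian13
  DEBIAN13CODENAME="trixie"
  local MAJOR
  if [ -r /etc/debian_version ]; then
    if grep -qw "^$DEBIAN13CODENAME" /etc/debian_version; then
      debug "Debian version is 13"
      FNRET=0
      return
    fi
    MAJOR=$(cut -d. -f1 /etc/debian_version)
    # Only compare numerically when the field is digits; a "<codename>/sid"
    # entry would otherwise make "[" fail with an error.
    if [[ $MAJOR =~ ^[0-9]+$ ]] && [ "$MAJOR" -eq 13 ]; then
      debug "Debian version is 13"
      FNRET=0
    else
      debug "Current OS is not Debian 13."
      FNRET=2
    fi
  else
    debug "Current OS is not Debian."
    FNRET=2
  fi
}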
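# Detect Debian 12 (codename bookworm, or numeric version 12.x).
# Globals: FNRET (written)
# Returns: FNRET=0 on Debian 12, 2 otherwise (including non-Debian systems)
is_debian_12()
{
  # For debian12
  DEBIAN12CODENAME="bookworm"
  local MAJOR
  if [ -r /etc/debian_version ]; then
    if grep -qw "^$DEBIAN12CODENAME" /etc/debian_version; then
      debug "Debian version is 12"
      FNRET=0
      return
    fi
    MAJOR=$(cut -d. -f1 /etc/debian_version)
    # Only compare numerically when the field is digits; a "<codename>/sid"
    # entry would otherwise make "[" fail with an error.
    if [[ $MAJOR =~ ^[0-9]+$ ]] && [ "$MAJOR" -eq 12 ]; then
      debug "Debian version is 12"
      FNRET=0
    else
      debug "Current OS is not Debian 12."
      FNRET=2
    fi
  else
    debug "Current OS is not Debian."
    FNRET=2
  fi
}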
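# Detect Debian 13 or newer (codename trixie, or numeric version >= 13).
# Globals: FNRET (written)
# Returns: FNRET=0 on Debian >= 13, 1 on an older Debian, 2 on a non-Debian system
is_debian_ge_13()
{
  # For debian13
  DEBIAN13CODENAME="trixie"
  local MAJOR
  if [ -r /etc/debian_version ]; then
    if grep -qw "^$DEBIAN13CODENAME" /etc/debian_version; then
      debug "Debian version is greater than or equal to 13"
      FNRET=0
      return
    fi
    MAJOR=$(cut -d. -f1 /etc/debian_version)
    # Numeric comparison only on digits; an unknown "<codename>/sid" entry
    # cannot be ranked and is treated as "less than 13".
    if [[ $MAJOR =~ ^[0-9]+$ ]] && [ "$MAJOR" -ge 13 ]; then
      debug "Debian version is greater than or equal to 13"
      FNRET=0
    else
      debug "Debian version is less than 13"
      FNRET=1
    fi
  else
    debug "Current OS is not Debian."
    FNRET=2
  fi
}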
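# Detect Debian 10 or newer.
# Globals: FNRET (written)
# Returns: FNRET=0 on Debian >= 10, 1 on an older Debian, 2 on a non-Debian system
is_debian_ge_10()
{
  # For debian11
  DEBIAN11CODENAME="bullseye"
  local MAJOR
  if [ -r /etc/debian_version ]; then
    # Testing/unstable carry "<codename>/sid" instead of a number: every
    # codename from buster (10) upward qualifies, not only bullseye.
    if grep -qwE "^(buster|$DEBIAN11CODENAME|bookworm|trixie)" /etc/debian_version; then
      debug "Debian version is greater than or equal to 10"
      FNRET=0
      return
    fi
    MAJOR=$(cut -d. -f1 /etc/debian_version)
    # Numeric comparison only on digits; an unknown codename cannot be ranked.
    if [[ $MAJOR =~ ^[0-9]+$ ]] && [ "$MAJOR" -ge 10 ]; then
      debug "Debian version is greater than or equal to 10"
      FNRET=0
    else
      debug "Debian version is less than 10"
      FNRET=1
    fi
  else
    debug "Current OS is not Debian."
    FNRET=2
  fi
}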
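# Detect Debian 9 or newer.
# Globals: FNRET (written)
# Returns: FNRET=0 on Debian >= 9, 1 on an older Debian, 2 on a non-Debian system
is_debian_ge_9()
{
  # For debian11
  DEBIAN11CODENAME="bullseye"
  local MAJOR
  if [ -r /etc/debian_version ]; then
    # Testing/unstable carry "<codename>/sid" instead of a number: every
    # codename from stretch (9) upward qualifies, not only bullseye.
    if grep -qwE "^(stretch|buster|$DEBIAN11CODENAME|bookworm|trixie)" /etc/debian_version; then
      debug "Debian version is greater than or equal to 9"
      FNRET=0
      return
    fi
    MAJOR=$(cut -d. -f1 /etc/debian_version)
    # Numeric comparison only on digits; an unknown codename cannot be ranked.
    if [[ $MAJOR =~ ^[0-9]+$ ]] && [ "$MAJOR" -ge 9 ]; then
      debug "Debian version is greater than or equal to 9"
      FNRET=0
    else
      debug "Debian version is less than 9"
      FNRET=1
    fi
  else
    debug "Current OS is not Debian."
    FNRET=2
  fi
}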
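# Detect Debian 9.x by numeric version only.
# Globals: FNRET (written)
# Returns: FNRET=0 on Debian 9.x, 1 on another Debian, 2 on a non-Debian system
is_debian_9()
{
  if [ -r /etc/debian_version ]; then
    # "\." so that "9<anything>" does not match; grep's own status drives the branch
    if grep -q "^9\.[0-9]" /etc/debian_version; then
      debug "Debian version is 9.*."
      FNRET=0
    else
      debug "Debian version is not 9.*."
      FNRET=1
    fi
  else
    debug "Current OS is not Debian."
    FNRET=2
  fi
}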
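# Detect Debian 10.x (buster) by numeric version only.
# Globals: FNRET (written)
# Returns: FNRET=0 on Debian 10.x, 1 on another Debian, 2 on a non-Debian system
is_debian_10()
{
  if [ -r /etc/debian_version ]; then
    # "\." so that "10<anything>" does not match; grep's own status drives the branch
    if grep -q "^10\.[0-9]" /etc/debian_version; then
      debug "Debian version is buster/10."
      FNRET=0
    else
      debug "Debian version is not buster/10."
      FNRET=1
    fi
  else
    debug "Current OS is not Debian."
    FNRET=2
  fi
}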
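# Detect Debian 11.x by numeric version only.
# Globals: FNRET (written)
# Returns: FNRET=0 on Debian 11.x, 1 on another Debian, 2 on a non-Debian system
is_debian_11()
{
  if [ -r /etc/debian_version ]; then
    # "\." so that "11<anything>" does not match; grep's own status drives the branch
    if grep -q "^11\.[0-9]" /etc/debian_version; then
      debug "Debian version is 11."
      FNRET=0
    else
      debug "Debian version is not 11."
      FNRET=1
    fi
  else
    debug "Current OS is not Debian."
    FNRET=2
  fi
}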
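# Detect a 64-bit machine: any "uname -m" value containing "64" (x86_64, aarch64, ...).
# Globals: FNRET (written)
# Returns: FNRET=0 on 64-bit, 1 otherwise
is_64bit_arch()
{
  case "$(uname -m)" in
    *64*)
      FNRET=0
      debug "This machine architecture is 64 bit."
      ;;
    *)
      FNRET=1
      debug "This machine architecture is not 64 bit."
      ;;
  esac
}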
#
# Sysctl
#
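# Compare the current value of a sysctl parameter with the expected one.
# Globals:   SUDO_CMD (read), FNRET (written)
# Arguments: $1 - parameter name, $2 - expected value
# Returns:   FNRET=0 when "sysctl $1" prints "$1 = $2", 255 when sysctl exits
#            255 (missing key; exit code assumed from procps — TODO confirm),
#            1 on any other mismatch
has_sysctl_param_expected_result() {
  local SYSCTL_PARAM=$1
  local EXP_RESULT=$2
  local CURRENT RC
  # Capture output and status separately: testing $? after a "[ ... ]" would
  # only see the status of that test, never sysctl's.
  CURRENT=$($SUDO_CMD sysctl "$SYSCTL_PARAM" 2>/dev/null)
  RC=$?
  if [ "$CURRENT" = "$SYSCTL_PARAM = $EXP_RESULT" ]; then
    FNRET=0
  elif [ "$RC" = 255 ]; then
    debug "$SYSCTL_PARAM does not exist"
    FNRET=255
  else
    debug "$SYSCTL_PARAM should be set to $EXP_RESULT"
    FNRET=1
  fi
}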
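# Check whether a sysctl key is present in the "sysctl -a" listing.
# Globals:   SUDO_CMD (read), FNRET (written)
# Arguments: $1 - parameter name
# Returns:   FNRET=0 when the key exists, 1 otherwise
does_sysctl_param_exists() {
  local SYSCTL_PARAM=$1
  # Exact match on the key column of "key = value": a plain substring grep
  # would report a key as present when it is merely part of another key's name.
  if $SUDO_CMD sysctl -a 2>/dev/null | awk -v key="$SYSCTL_PARAM" '$1 == key { found = 1 } END { exit !found }'; then
    FNRET=0
  else
    FNRET=1
  fi
}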
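# Set a sysctl parameter at runtime and persist it by appending to /etc/sysctl.conf.
# Globals:   FNRET (written)
# Arguments: $1 - parameter name, $2 - value
# Returns:   FNRET=0 on success, 255 when sysctl exits 255 (missing key; exit
#            code assumed from procps — TODO confirm), 1 on any other failure
# Note: the appended line is not deduplicated against existing entries.
set_sysctl_param() {
  local SYSCTL_PARAM=$1
  local VALUE=$2
  local OUTPUT RC
  debug "Setting $SYSCTL_PARAM to $VALUE"
  # Capture output and status separately: testing $? after a "[ ... ]" would
  # only see the status of that test, never sysctl's.
  OUTPUT=$(sysctl -w "$SYSCTL_PARAM=$VALUE" 2>/dev/null)
  RC=$?
  if [ "$OUTPUT" = "$SYSCTL_PARAM = $VALUE" ]; then
    printf '%s = %s\n' "$SYSCTL_PARAM" "$VALUE" >> /etc/sysctl.conf
    FNRET=0
  elif [ "$RC" = 255 ]; then
    debug "$SYSCTL_PARAM does not exist"
    FNRET=255
  else
    warn "$SYSCTL_PARAM failed!"
    FNRET=1
  fi
}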
#
# Dmesg
#
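# Search the kernel ring buffer for an extended regular expression.
# Globals:   SUDO_CMD (read), FNRET (written)
# Arguments: $1 - pattern (grep -E syntax)
# Returns:   FNRET=0 when dmesg output matches, 1 otherwise
does_pattern_exist_in_dmesg() {
  local PATTERN=$1
  # grep's own status drives the branch; "--" keeps a pattern starting with "-" from being read as an option
  if $SUDO_CMD dmesg | grep -qE -- "$PATTERN"; then
    FNRET=0
  else
    FNRET=1
  fi
}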
#
# File
#
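# Check that a file exists and is readable (with $SUDO_CMD privileges when set).
# Globals:   SUDO_CMD (read), FNRET (written)
# Arguments: $1 - path
# Returns:   FNRET=0 when readable, 1 otherwise
does_file_exist() {
  local FILE=$1
  # With SUDO_CMD set, "[" runs as the external /usr/bin/[ under sudo so the
  # readability test is made with elevated privileges.
  if $SUDO_CMD [ -r "$FILE" ]; then
    FNRET=0
  else
    FNRET=1
  fi
}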
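# Check that a file is owned by the given user and group (compared by numeric ids).
# Globals:   SUDO_CMD (read), FNRET (written)
# Arguments: $1 - path, $2 - user name, $3 - group name
# Returns:   FNRET=0 when uid and gid match, 1 otherwise (also when the user
#            or group does not exist, since the id lookup then yields nothing)
has_file_correct_ownership() {
  local FILE=$1
  local USER=$2
  local GROUP=$3
  local USERID GROUPID
  # Declaration and assignment are separate so a failed lookup is not masked by "local"
  USERID=$(id -u "$USER")
  GROUPID=$(getent group "$GROUP" | cut -d: -f3)
  debug "$SUDO_CMD stat -c '%u %g' $FILE"
  if [ "$($SUDO_CMD stat -c "%u %g" "$FILE")" = "$USERID $GROUPID" ]; then
    FNRET=0
  else
    FNRET=1
  fi
}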
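# Check that a file's mode (octal, symlinks followed) equals the expected one.
# Globals:   SUDO_CMD (read), FNRET (written)
# Arguments: $1 - path, $2 - expected mode as printed by "stat -c %a" (e.g. 644)
# Returns:   FNRET=0 on a match, 1 on a mismatch or when the file does not exist
has_file_correct_permissions() {
  local FILE=$1
  local PERMISSIONS=$2
  # Existence is tested with the same privileges as the stat call below
  if $SUDO_CMD [ -e "$FILE" ]; then
    if [ "$($SUDO_CMD stat -L -c "%a" "$FILE")" = "$PERMISSIONS" ]; then
      FNRET=0
    else
      FNRET=1
    fi
  else
    FNRET=1
    info "$FILE is not exist!"
  fi
}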
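# Search a file for an extended regular expression.
# Globals:   SUDO_CMD (read), FNRET (written)
# Arguments: $1 - path, $2 - pattern (grep -E syntax)
# Returns:   FNRET=0 on a match, 1 on no match, 2 when the file is not readable
does_pattern_exist_in_file() {
  local FILE=$1
  local PATTERN=$2
  debug "Checking if $PATTERN is present in $FILE"
  if $SUDO_CMD [ -r "$FILE" ] ; then
    debug "$SUDO_CMD grep -qE -- '$PATTERN' $FILE"
    # grep's own status drives the branch
    if $SUDO_CMD grep -qE -- "$PATTERN" "$FILE"; then
      FNRET=0
    else
      FNRET=1
    fi
  else
    debug "File $FILE is not readable!"
    FNRET=2
  fi
}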
# Check after deleting blank lines and comment lines
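# Search a file for a pattern, ignoring comment ("#...") and blank lines, so a
# commented-out setting does not count as present.
# Globals:   SUDO_CMD (read), FNRET (written)
# Arguments: $1 - path, $2 - pattern (basic grep syntax)
# Returns:   FNRET=0 on a match, 1 on no match, 2 when the file is not readable
does_valid_pattern_exist_in_file() {
  local FILE=$1
  local PATTERN=$2
  debug "Checking if $PATTERN is present in $FILE"
  if $SUDO_CMD [ -r "$FILE" ] ; then
    debug "$SUDO_CMD sed '/^#/d' $FILE | sed '/^$/d' | grep -c '$PATTERN'"
    # One sed pass drops both comment and empty lines before matching
    if $SUDO_CMD sed -e '/^#/d' -e '/^$/d' "$FILE" | grep -q -- "$PATTERN"; then
      FNRET=0
    else
      FNRET=1
    fi
  else
    debug "File $FILE is not readable!"
    FNRET=2
  fi
}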
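# Append a line to a file after backing it up.
# Globals:   none (backup_file sets FNRET)
# Arguments: $1 - path, $2 - line to append
add_end_of_file() {
  local FILE=$1
  local LINE=$2
  debug "Adding $LINE at the end of $FILE"
  backup_file "$FILE"
  # printf rather than echo: a line such as "-e", or one containing
  # backslashes, must be written literally.
  printf '%s\n' "$LINE" >> "$FILE"
}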
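# Insert a line before every line matching a pattern, after backing the file up.
# Globals:   FNRET (written)
# Arguments: $1 - path, $2 - line to insert (passed to sed's "i" command as-is),
#            $3 - basic regular expression; "/" in it is escaped here
# Returns:   FNRET=0 when sed succeeded, 1 otherwise
add_line_file_before_pattern() {
  local FILE=$1
  local LINE=$2
  local PATTERN=$3
  backup_file "$FILE"
  debug "Inserting $LINE before $PATTERN in $FILE"
  # Escape "/" so the pattern can sit inside sed's /.../ address
  PATTERN=${PATTERN//\//\\/}
  debug "sed -i '/$PATTERN/i $LINE' $FILE"
  # Report sed's real outcome instead of an unconditional success
  if sed -i "/$PATTERN/i $LINE" "$FILE"; then
    FNRET=0
  else
    crit "Cannot insert $LINE in $FILE"
    FNRET=1
  fi
}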
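# Insert a line after every line matching a pattern, after backing the file up.
# Globals:   FNRET (written)
# Arguments: $1 - path, $2 - line to insert (passed to sed's "a" command as-is),
#            $3 - basic regular expression; "/" in it is escaped here
# Returns:   FNRET=0 when sed succeeded, 1 otherwise
add_line_file_after_pattern() {
  local FILE=$1
  local LINE=$2
  local PATTERN=$3
  backup_file "$FILE"
  debug "Inserting $LINE after $PATTERN in $FILE"
  # Escape "/" so the pattern can sit inside sed's /.../ address
  PATTERN=${PATTERN//\//\\/}
  debug "sed -i '/$PATTERN/a $LINE' $FILE"
  # Report sed's real outcome instead of an unconditional success
  if sed -i "/$PATTERN/a $LINE" "$FILE"; then
    FNRET=0
  else
    crit "Cannot insert $LINE in $FILE"
    FNRET=1
  fi
}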
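# Insert a line after the *last* line that starts with a pattern, after backing the file up.
# Globals:   FNRET (written)
# Arguments: $1 - path, $2 - line to insert (passed to sed's "a" command as-is),
#            $3 - basic regular expression; "/" in it is escaped here
# Returns:   FNRET=0 on success, 1 when no line starts with the pattern or sed failed
add_line_file_after_pattern_lastline() {
  local FILE=$1
  local LINE=$2
  local PATTERN=$3
  local LASTLINE=-1
  backup_file "$FILE"
  debug "Inserting $LINE after $PATTERN in $FILE"
  PATTERN=${PATTERN//\//\\/}
  # The line search uses the same "^" anchoring as the existence test, so the
  # insertion point is always one of the lines that were counted.
  LASTLINE=$(grep -n -- "^$PATTERN" "$FILE" | tail -n 1 | cut -d: -f1)
  if [ -n "$LASTLINE" ]; then
    debug "sed -i '$LASTLINE a $LINE' $FILE"
    if sed -i "$LASTLINE a $LINE" "$FILE"; then
      FNRET=0
    else
      crit "Cannot insert $LINE in $FILE"
      FNRET=1
    fi
  else
    crit "$PATTERN is not exist in $FILE"
    FNRET=1
  fi
}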
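# Replace every occurrence of a pattern in a file, after backing it up.
# Globals:   FNRET (written)
# Arguments: $1 - path, $2 - basic regular expression ("/" escaped here),
#            $3 - replacement, passed to sed unescaped: "/" or "&" in it are
#            interpreted by sed, exactly as callers have always supplied it
# Returns:   FNRET=0 when sed succeeded, 1 otherwise
replace_in_file() {
  local FILE=$1
  local SOURCE=$2
  local DESTINATION=$3
  backup_file "$FILE"
  debug "Replacing $SOURCE to $DESTINATION in $FILE"
  SOURCE=${SOURCE//\//\\/}
  debug "sed -i 's/$SOURCE/$DESTINATION/g' $FILE"
  # Report sed's real outcome instead of an unconditional success
  if sed -i "s/$SOURCE/$DESTINATION/g" "$FILE"; then
    FNRET=0
  else
    crit "Cannot replace $SOURCE in $FILE"
    FNRET=1
  fi
}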
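# Delete every line matching a pattern from a file, after backing it up.
# Globals:   FNRET (written)
# Arguments: $1 - path, $2 - basic regular expression ("/" escaped here)
# Returns:   FNRET=0 when sed succeeded, 1 otherwise
delete_line_in_file() {
  local FILE=$1
  local PATTERN=$2
  backup_file "$FILE"
  debug "Deleting lines from $FILE containing $PATTERN"
  PATTERN=${PATTERN//\//\\/}
  debug "sed -i '/$PATTERN/d' $FILE"
  # Report sed's real outcome instead of an unconditional success
  if sed -i "/$PATTERN/d" "$FILE"; then
    FNRET=0
  else
    crit "Cannot delete $PATTERN from $FILE"
    FNRET=1
  fi
}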
#
# Users and groups
#
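# Check that a user account exists (via getent, so NSS sources are honoured).
# Globals:   FNRET (written)
# Arguments: $1 - user name
# Returns:   FNRET=0 when the user exists, 1 otherwise
does_user_exist() {
  local USER=$1
  # An empty name is rejected explicitly: "getent passwd" without a key lists
  # every account and would succeed.
  if [ -n "$USER" ] && getent passwd "$USER" >/dev/null 2>&1; then
    FNRET=0
  else
    FNRET=1
  fi
}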
does_group_exist() {
local GROUP=$1
if $(getent group $GROUP >/dev/null 2>&1); then
FNRET=0
else
FNRET=1
fi
}
#
# Service Boot Checks
#
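# Check whether a service is currently running.
# Globals:   OS_RELEASE, SUDO_CMD (read), FNRET (written)
# Arguments: $1 - service name
# Returns:   FNRET=0 when active, 1 otherwise
# On CentOS (OS_RELEASE=2) and Debian >= 9 systemctl is consulted; older
# Debian falls back to the presence of S* links in /etc/rc?.d (which reflects
# enablement rather than runtime state).
is_service_active() {
  local SERVICE=$1
  if [ "${OS_RELEASE:-0}" -eq 2 ]; then
    FNRET=0
  else
    is_debian_ge_9
  fi
  if [ "$FNRET" = 0 ]; then
    if systemctl is-active "$SERVICE" | grep -q "^active"; then
      debug "Service $SERVICE is active"
      FNRET=0
    else
      debug "Service $SERVICE is inactived"
      FNRET=1
    fi
  else
    if [ "$($SUDO_CMD find /etc/rc?.d/ -name "S*$SERVICE" -print | wc -l)" -gt 0 ]; then
      debug "Service $SERVICE is enabled"
      FNRET=0
    else
      debug "Service $SERVICE is disabled"
      FNRET=1
    fi
  fi
}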
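# Check whether a service is enabled at boot.
# Globals:   OS_RELEASE, SUDO_CMD (read), FNRET (written)
# Arguments: $1 - service name
# Returns:   FNRET=0 when enabled, 1 otherwise
# On CentOS (OS_RELEASE=2) and Debian >= 9 systemctl is consulted; older
# Debian falls back to the presence of S* links in /etc/rc?.d.
is_service_enabled() {
  local SERVICE=$1
  if [ "${OS_RELEASE:-0}" -eq 2 ]; then
    FNRET=0
  else
    is_debian_ge_9
  fi
  if [ "$FNRET" = 0 ]; then
    if systemctl is-enabled "$SERVICE" | grep -q "^enabled"; then
      debug "Service $SERVICE is enabled"
      FNRET=0
    else
      debug "Service $SERVICE is disabled"
      FNRET=1
    fi
  else
    if [ "$($SUDO_CMD find /etc/rc?.d/ -name "S*$SERVICE" -print | wc -l)" -gt 0 ]; then
      debug "Service $SERVICE is enabled"
      FNRET=0
    else
      debug "Service $SERVICE is disabled"
      FNRET=1
    fi
  fi
}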
#
# Kernel Options checks
#
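# Check a kernel build option in the running kernel's config and, optionally,
# whether the corresponding module is shipped and not blacklisted.
# Globals:   SUDO_CMD (read), RESULT, ANSWER, FNRET (written)
# Arguments: $1 - option name (e.g. CONFIG_FOO), $2 - optional module name (without .ko)
# Returns:   FNRET=0 enabled (=y, or module file present and not blacklisted),
#            1 disabled (=n, or module present but blacklisted), 2 not found
is_kernel_option_enabled() {
  local KERNEL_OPTION="$1"
  local MODULE_NAME=""
  local KVER
  KVER=$(uname -r)
  if [ $# -ge 2 ] ; then
    MODULE_NAME="$2"
  fi
  # Reset so a value left by a previous caller (RESULT is global) is not parsed
  RESULT=""
  if $SUDO_CMD [ -r "/proc/config.gz" ] ; then
    RESULT=$($SUDO_CMD zgrep "^$KERNEL_OPTION=" /proc/config.gz) || :
  elif $SUDO_CMD [ -r "/boot/config-$KVER" ] ; then
    RESULT=$($SUDO_CMD grep "^$KERNEL_OPTION=" "/boot/config-$KVER") || :
  fi
  ANSWER=$(cut -d = -f 2 <<< "$RESULT")
  if [ "x$ANSWER" = "xy" ]; then
    debug "Kernel option $KERNEL_OPTION enabled"
    FNRET=0
  elif [ "x$ANSWER" = "xn" ]; then
    debug "Kernel option $KERNEL_OPTION disabled"
    FNRET=1
  else
    debug "Kernel option $KERNEL_OPTION not found"
    FNRET=2 # Not found
  fi
  if [ "$FNRET" -ne 0 ] && [ -n "$MODULE_NAME" ] && $SUDO_CMD [ -d "/lib/modules/$KVER" ] ; then
    # also check in modules, because even if not =y, maybe
    # the admin compiled it separately later (or out-of-tree)
    # as a module (regardless of the fact that we have =m or not)
    debug "Checking if we have $MODULE_NAME.ko"
    local modulefile
    # Distributions may ship compressed modules (foo.ko.xz, foo.ko.zst), so
    # both the plain and the suffixed file name are accepted.
    modulefile=$($SUDO_CMD find "/lib/modules/$KVER/" -type f \( -name "$MODULE_NAME.ko" -o -name "$MODULE_NAME.ko.*" \))
    if [ -n "$modulefile" ] ; then
      debug "We do have $modulefile!"
      # ... but wait, maybe it's blacklisted? check files in /etc/modprobe.d/ for "blacklist xyz"
      if grep -qRE "^\s*blacklist\s+$MODULE_NAME\s*$" /etc/modprobe.d/ ; then
        debug "... but it's blacklisted!"
        FNRET=1 # Not found (found but blacklisted)
        # FIXME: even if blacklisted, it might be present in the initrd and
        # be insmod from there... but painful to check :/ maybe lsmod would be enough ?
      else
        # The "found" verdict must only apply when not blacklisted; an
        # unconditional assignment here would override the blacklist result.
        FNRET=0 # Found!
      fi
    fi
  fi
}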
#
# Mounting point
#
# Verify $1 is a partition declared in fstab
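# Verify $1 is a partition declared in fstab (non-comment line mentioning it
# as a whitespace-delimited field).
# Globals:   FNRET (written)
# Arguments: $1 - mount point
# Returns:   FNRET=0 when found, 1 otherwise
is_a_partition() {
  local PARTITION=$1
  FNRET=128
  # The pattern is used as-is (basic regex), as callers have always supplied it;
  # grep's own status drives the branch.
  if grep -- "[[:space:]]*${PARTITION}[[:space:]].*" /etc/fstab | grep -vqE "^#"; then
    debug "$PARTITION found in fstab"
    FNRET=0
  else
    debug "Unable to find $PARTITION in fstab"
    FNRET=1
  fi
}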
# Verify that $1 is mounted at runtime
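# Verify that $1 is mounted at runtime (listed as a mount point in /proc/mounts).
# Globals:   FNRET (written)
# Arguments: $1 - mount point
# Returns:   FNRET=0 when mounted, 1 otherwise
is_mounted() {
  local PARTITION=$1
  # grep's own status drives the branch
  if grep -q -- "[[:space:]]${PARTITION}[[:space:]]" /proc/mounts; then
    debug "$PARTITION found in /proc/mounts, it's mounted"
    FNRET=0
  else
    debug "Unable to find $PARTITION in /proc/mounts"
    FNRET=1
  fi
}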
# Verify $1 has the proper option $2 in fstab
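# Verify $1 has the option $2 in its (non-comment) fstab entry.
# Globals:   FNRET (written)
# Arguments: $1 - mount point, $2 - mount option (substring match on field 4)
# Returns:   FNRET=0 when present, 1 otherwise
has_mount_option() {
  local PARTITION=$1
  local OPTION=$2
  # Field 4 of the fstab line is the option list; grep's own status drives the branch
  if grep -- "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $4}' | grep -q -- "$OPTION"; then
    debug "$OPTION has been detected in fstab for partition $PARTITION"
    FNRET=0
  else
    debug "Unable to find $OPTION in fstab for partition $PARTITION"
    FNRET=1
  fi
}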
# Verify option $2 in $1 service
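# Verify option $2 appears on a non-comment "Options" line of the systemd unit file $1.
# Globals:   FNRET (written)
# Arguments: $1 - path of the unit file, $2 - mount option (substring match)
# Returns:   FNRET=0 when present, 1 otherwise
has_mount_option_systemd() {
  local SERVICENAME=$1
  local OPTION=$2
  # grep's own status drives the branch
  if grep -i "options" "$SERVICENAME" | grep -vE "^#" | grep -q -- "$OPTION"; then
    debug "$OPTION has been detected in systemd service $SERVICENAME"
    FNRET=0
  else
    debug "Unable to find $OPTION in systemd service $SERVICENAME"
    FNRET=1
  fi
}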
# Verify $1 has the proper option $2 at runtime
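# Verify $1 is mounted with option $2 at runtime (field 4 of /proc/mounts).
# Globals:   FNRET (written)
# Arguments: $1 - mount point, $2 - mount option (substring match)
# Returns:   FNRET=0 when present, 1 otherwise
has_mounted_option() {
  local PARTITION=$1
  local OPTION=$2
  # grep's own status drives the branch
  if grep -- "[[:space:]]${PARTITION}[[:space:]]" /proc/mounts | awk '{print $4}' | grep -q -- "$OPTION"; then
    debug "$OPTION has been detected in /proc/mounts for partition $PARTITION"
    FNRET=0
  else
    debug "Unable to find $OPTION in /proc/mounts for partition $PARTITION"
    FNRET=1
  fi
}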
# Setup mount option in fstab
# Notice: The format of the entry in the fstab file must be in the format shown in the following example, otherwise an error may occur.
# Add mount option $2 to the fstab entry of mount point $1 (after backing up /etc/fstab).
# Globals:   MOUNT_OPTION, CURLINE, NOTNOOPTION, NEWOP (written; not local)
# Arguments: $1 - mount point, $2 - option (e.g. nosuid, nodev, noexec)
# Three cases are handled, in order:
#   1. the entry uses "defaults": the whole option field is replaced by a fixed
#      list that always includes nosuid and nodev (plus noexec when requested),
#      i.e. more than the single option asked for;
#   2. the entry contains the positive form of the option (OPTION without its
#      leading "no", e.g. "suid" for "nosuid"): that word is replaced by OPTION;
#   3. otherwise OPTION is appended to the option list unless already present.
# Neither FNRET nor a remount is handled here.
add_option_to_fstab() {
local PARTITION=$1
local OPTION=$2
debug "Setting $OPTION for $PARTITION in fstab"
backup_file "/etc/fstab"
# For example :
# local PARTITION="/home"
# local OPTION="nosuid"
# UUID=40327bc9-f9d1-5816-a312-df307cc8732e /home ext4 errors=remount-ro 0 2
# UUID=40327bc9-f9d1-5816-a312-df307cc8732e /home ext4 errors=remount-ro,nosuid 0 2
# debug "Sed command : sed -ie \"s;\(.*\)\(\s*\)\s\($PARTITION\)\s\(\s*\)\(\w*\)\(\s*\)\(\w*\)*;\1\2 \3 \4\5\6\7,$OPTION;\" /etc/fstab"
# sed -ie "s;\(^[^#].*${PARTITION}\)\(\s.*\)\(\s\w.*\)\(\s[0-2]\s*[0-2]\);\1\2\3,${OPTION}\4;" /etc/fstab
# Option field (column 4) of the non-comment line whose mount point (column 2) is exactly $PARTITION
MOUNT_OPTION=$(grep -v "^#" /etc/fstab | awk '$2=="'${PARTITION}'" {print $4}')
# Line number of that entry in /etc/fstab, used as the sed address below.
# NOTE(review): this is a substring match on the whole line, so a mount point
# that is a prefix of another (e.g. /home vs /home2) can yield several
# numbers and break the sed address — confirm callers only pass unique paths.
CURLINE=$(grep -v "^#" /etc/fstab -n | grep "${PARTITION}" | awk -F: '{print $1}')
#This case is for option of starting with "no", example: nosuid noexec nodev
# Positive form of the option: the first two characters ("no") are dropped
NOTNOOPTION=$(echo $OPTION | cut -c 3-)
if [ "${MOUNT_OPTION}" == "defaults" ]; then
# "defaults" is replaced by an explicit list that hardens nosuid and nodev
# together, whichever single option was requested
if [ "$OPTION" == "noexec" ]; then
NEWOP='rw,nosuid,nodev,noexec,auto,async'
else
NEWOP='rw,nosuid,nodev,auto,async'
fi
sed -i "${CURLINE}s/$MOUNT_OPTION/$NEWOP/" /etc/fstab
#This case is for option of starting with "no", example: nosuid noexec nodev
elif [ $(echo $MOUNT_OPTION | grep -cw ${NOTNOOPTION}) -gt 0 ]; then
# e.g. "suid" present: turn it into "nosuid" in place
sed -i "${CURLINE}s/${NOTNOOPTION}/${OPTION}/" /etc/fstab
elif [ $(echo $MOUNT_OPTION | grep -cw $OPTION) -eq 0 ]; then
# Option not yet present: append it to the existing list
sed -i "${CURLINE}s/${MOUNT_OPTION}/${MOUNT_OPTION},${OPTION}/" /etc/fstab
fi
}
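# Remount a mount point in place so freshly added fstab options take effect.
# Arguments: $1 - mount point
# Note: mount's exit status is not reported through FNRET.
remount_partition() {
  local PARTITION=$1
  debug "Remounting $PARTITION"
  mount -o remount -- "$PARTITION"
}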
# Setup mount option in systemd
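# Append mount option $2 to the "Options=mode=NNNN,..." line of a systemd mount
# unit, after backing the unit file up. On Debian the unit is stopped first;
# on CentOS (OS_RELEASE=2) only a warning is issued and a reboot is required.
# Globals:   OS_RELEASE (read)
# Arguments: $1 - path of the unit file, $2 - option, $3 - unit name
add_option_to_systemd() {
  local SERVICEPATH=$1
  local OPTION=$2
  local SERVICENAME=$3
  debug "Setting $OPTION for in systemd"
  backup_file "$SERVICEPATH"
  if [ "${OS_RELEASE:-0}" -eq 2 ]; then
    # For CentOS
    warn "This item to apply requires reboot OS."
  else
    # For debian
    systemctl stop "$SERVICENAME"
  fi
  # For example :
  # Options=mode=1777,strictatime,nosuid
  # Options=mode=1777,strictatime,nosuid,nodev
  #debug "Sed command : sed -ie "s;\(^Options.*=mode=[1,2,4,7][1,2,4,7][1,2,4,7][1,2,4,7].*\);\1,$OPTION;\" $SERVICEPATH"
  # "-i -e", not "-ie": GNU sed reads "-ie" as in-place with backup suffix "e",
  # which would leave a stray "<unit>e" file next to the unit.
  sed -i -e "s;\(^Options.*=mode=[1,2,4,7][1,2,4,7][1,2,4,7][1,2,4,7].*\);\1,$OPTION;" "$SERVICEPATH"
  systemctl daemon-reload
}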
# Start the systemd mount unit again after add_option_to_systemd().
# $1 - unit name, $2 - mount point (used for the log message only).
# On CentOS (OS_RELEASE 2) only a warning is printed: a reboot is required.
remount_partition_by_systemd() {
    local SERVICENAME=$1
    local PARTITION=$2
    debug "Remounting $PARTITION by systemd"
    if [ "$OS_RELEASE" -eq 2 ]; then
        # For CentOS
        warn "This item to apply requires reboot OS."
        return
    fi
    # For debian
    systemctl start "$SERVICENAME"
}
#
# APT
#
# Refresh the apt package database when it is missing or older than an hour.
# Reads SUDO_CMD; sets UPDATE_AGE (seconds since the cache was last written).
apt_update_if_needed()
{
    local cache=/var/cache/apt/pkgcache.bin
    if [ ! -e "$cache" ]; then
        $SUDO_CMD apt-get update >/dev/null 2>/dev/null
        return
    fi
    UPDATE_AGE=$(( $(date +%s) - $(stat -c '%Y' "$cache") ))
    # update too old, refresh database
    if [ "$UPDATE_AGE" -gt 3600 ]; then
        $SUDO_CMD apt-get update >/dev/null 2>/dev/null
    fi
}
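# List pending apt upgrades (simulated "apt-get upgrade").
# $1 - a name used as prefix of the scratch file.
# Sets FNRET=1 and RESULT to the list when updates exist, FNRET=0 otherwise
# (FNRET=128 is the "unknown" placeholder before the check completes).
apt_check_updates()
{
    local NAME="$1"
    local DETAILS
    # The scratch file used to be the fixed, predictable path /dev/shm/<NAME>, written
    # with ">" by root: any local user could pre-create it (or a symlink under that
    # name) and have the output land elsewhere. mktemp creates it exclusively.
    DETAILS=$(mktemp "${TMPDIR:-/tmp}/${NAME}.XXXXXX")
    $SUDO_CMD apt-get upgrade -s 2>/dev/null | grep -E "^Inst" > "$DETAILS" || :
    local COUNT
    COUNT=$(wc -l < "$DETAILS")
    FNRET=128 # Unknown function return result
    RESULT="" # Result output for upgrade
    if [ "$COUNT" -gt 0 ]; then
        RESULT="There is $COUNT updates available :\n$(cat "$DETAILS")"
        FNRET=1
    else
        RESULT="OK, no updates available"
        FNRET=0
    fi
    rm -f -- "$DETAILS"
}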
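# Install a package non-interactively with apt-get.
# $1 - package name(s); left unquoted on purpose so a space-separated list in $1
# keeps working. On a conffile conflict the existing file is kept (confold) and
# the package default is used otherwise (confdef).
# Sets FNRET to apt-get's exit status instead of an unconditional 0.
apt_install()
{
    local PACKAGE=$1
    DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install $PACKAGE -y
    FNRET=$?
}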
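# Install a package with yum.
# $1 - package name(s); left unquoted on purpose so a space-separated list in $1
# keeps working. Sets FNRET to yum's exit status instead of an unconditional 0.
yum_install()
{
    local PACKAGE=$1
    yum install -y $PACKAGE
    FNRET=$?
}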
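# Install a package with the package manager matching OS_RELEASE
# (1 or >= 9: apt, 2: yum). FNRET is whatever apt_install/yum_install report;
# it is no longer overwritten with 0 afterwards, and an unsupported OS sets
# FNRET=1 since nothing was installed.
install_package()
{
    local PACKAGE=$1
    if [ "$OS_RELEASE" -eq 1 ] || [ "$OS_RELEASE" -ge 9 ]; then
        apt_install $PACKAGE
    elif [ "$OS_RELEASE" -eq 2 ]; then
        yum_install $PACKAGE
    else
        warn "Current OS is not support!"
        FNRET=1
    fi
}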
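#
# Return 0 if a package is installed
#
# $1 - package name. Sets FNRET=0 when installed, 1 otherwise (and also stores the
# name in the global PKG_NAME, which other code may read).
is_pkg_installed()
{
    PKG_NAME=$1
    if [ "$OS_RELEASE" -eq 2 ]; then
        # yum lists installed packages as "<name>.<arch>", hence the literal dot.
        if [ "$(yum list installed | grep -c "^${PKG_NAME}\.")" -gt 0 ]; then
            debug "$PKG_NAME is installed"
            FNRET=0
        else
            debug "$PKG_NAME is not installed"
            FNRET=1
        fi
    else
        # The pipeline itself is the condition. It used to be wrapped in "$(...)",
        # which only worked because bash reports the substitution's status when the
        # expansion is empty; grep -q never prints, so that was accidental.
        if dpkg -s "$PKG_NAME" 2> /dev/null | grep -q '^Status: install '; then
            debug "$PKG_NAME is installed"
            FNRET=0
        else
            debug "$PKG_NAME is not installed"
            FNRET=1
        fi
    fi
}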
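# Verify every installed package against its package database (rpm -Va on
# OS_RELEASE 2, dpkg -V otherwise). Sets FNRET=1 and prints the report when any
# file differs, FNRET=0 when the report is empty; COUNT holds the report length.
verify_integrity_all_packages()
{
    # The report used to go to a fixed name under /dev/shm (world-writable) and,
    # for dpkg, was never removed; a private mktemp file fixes both.
    local report
    report=$(mktemp)
    # Both verifiers may exit non-zero when something differs; that status must not
    # abort a caller running under "set -e" before the report is read.
    if [ "$OS_RELEASE" -eq 2 ]; then
        rpm -Va > "$report" || true
    else
        dpkg -V > "$report" || true
    fi
    COUNT=$(wc -l < "$report")
    if [ "$COUNT" -gt 0 ]; then
        debug "Verify integrity all packages is fail"
        cat "$report"
        FNRET=1
    else
        debug "Verify integrity all packages is OK"
        FNRET=0
    fi
    rm -f -- "$report"
}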
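# Check parameter with str
# example: Storage=persistent
# return: 0 1 2 3
# $1 - file, $2 - key, $3 - expected value.
# FNRET: 0 value matches, 1 file missing, 2 key present with another value,
# 3 key not present. Comments and blank lines are ignored.
check_param_pair_by_str ()
{
    FILENAME=$1
    OPTION=$2
    EXPECT_OPSTR=$3
    #Example:
    # FILENAME="/etc/systemd/journald.conf"
    # OPTION="Storage"
    # EXPECT_OPSTR="persistent"
    if [ ! -f "$FILENAME" ]; then
        debug "$FILENAME file is not exist!"
        FNRET=1
    else
        # Anchor the key at the start of the line: the old unanchored "grep $OPTION"
        # also picked up any other key whose name contains OPTION, which produced a
        # multi-line value and broke the comparison below.
        local key_re="^[[:space:]]*${OPTION}="
        local active
        active=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' "$FILENAME" | grep "$key_re" || true)
        if [ -n "$active" ]; then
            debug "$OPTION is exist in $FILENAME."
            # Trim surrounding blanks so "Storage = persistent" still compares equal.
            OP_STR=$(printf '%s\n' "$active" | awk -F'=' '{print $2}' | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
            if [ "$OP_STR" = "$EXPECT_OPSTR" ]; then
                debug "The str value is eq to expect str."
                FNRET=0
            else
                debug "The str value is not eq to expect str."
                FNRET=2
            fi
        else
            debug "The options $OPTION is not exist in $FILENAME"
            FNRET=3
        fi
    fi
}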
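# Rewrite the value of an existing "KEY=value" line in place.
# $1 - file, $2 - key, $3 - new value. Lines that do not already carry the key
# are left untouched (the caller handles the "key absent" case).
reset_option_str_to_journald ()
{
    FILENAME=$1
    OPTION=$2
    SET_OPSTR=$3
    #Example:
    # FILENAME="/etc/systemd/journald.conf"
    # OPTION="Storage"
    # SET_OPSTR="persistent"
    #
    # Anchor on the key so only real "OPTION=..." lines are rewritten: unanchored,
    # the substitution also hit commented-out "#OPTION=..." lines and any other key
    # whose name ends in OPTION.
    sed -i "s/^\([[:space:]]*\)${OPTION}=.*/\1${OPTION}=${SET_OPSTR}/" "$FILENAME"
}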
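# Check parameter with value
# example : minlen = 9
# ruturn: 0 1 2 3
# $1 - file, $2 - key, $3 - test operator without the dash (ge, le, eq, ...),
# $4 - value to compare against.
# FNRET: 0 comparison holds, 1 it does not, 2 key not configured exactly once,
# 3 file missing. Comments and blank lines are ignored.
check_param_pair_by_value ()
{
    FILENAME=$1
    OPTION=$2
    COMPARE=$3
    OP_VALUE=$4
    #Example:
    # FILENAME="/etc/security/pwquality.conf"
    # OPTION="minlen"
    # COMPARE="ge"
    # OP_VALUE=15
    #
    # Accept "minlen = 15", "minlen=15" and any amount of blanks around "=": the old
    # pattern required exactly one space on each side and reported "not configured"
    # for every other spelling.
    local key_re="^[[:space:]]*${OPTION}[[:space:]]*=[[:space:]]*"
    if [ -f "$FILENAME" ];then
        COUNT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' "$FILENAME" | grep "$key_re" | wc -l)
        if [ "$COUNT" -eq 1 ]; then
            debug "$OPTION is conf"
            RESULT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' "$FILENAME" | grep "$key_re")
            local value
            value=$(printf '%s\n' "$RESULT" | sed -e "s/${key_re}//" -e 's/[[:space:]]*$//')
            # "[ value -ge 15 ]" style test; a non-numeric value makes test fail.
            if [ "$value" "-$COMPARE" "$OP_VALUE" ]; then
                debug "$OPTION conf is right."
                FNRET=0
            else
                debug "$OPTION conf is not right."
                FNRET=1
            fi
        else
            debug "$OPTION is not conf of $FILENAME"
            FNRET=2
        fi
    else
        debug "$FILENAME is not exist"
        FNRET=3
    fi
}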
# Only check option name
# $1 - file, $2 - option name (matched as a substring of active lines).
# FNRET: 0 when exactly one active line mentions it, 2 otherwise, 1 if the file
# is missing.
check_no_param_option_by_value()
{
    LOCATION=$1
    OPTION=$2
    #Example:
    #LOCATION="/etc/security/faillock.conf"
    #OPTION="even_deny_root"
    if [ ! -f "$LOCATION" ]; then
        debug "$LOCATION is not exist"
        FNRET=1
        return
    fi
    # Count active (uncommented, non-blank) lines containing the option.
    RESULT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' "$LOCATION" | grep "$OPTION" | wc -l)
    if [ "$RESULT" -ne 1 ]; then
        debug "$OPTION is not conf"
        FNRET=2
        return
    fi
    debug "$OPTION is conf"
    FNRET=0
}
# Compare the value of "OPTION=value" on the PAM line that loads KEYWORD.
# $1 - pam file, $2 - module name, $3 - option name, $4 - test operator without
# the dash (gt, ge, ...), $5 - value to compare against.
# FNRET: 0 comparison holds, 5 it does not, 4 module/option not configured exactly
# once, 3 file missing. The value is stored in the global cndt_value.
check_param_pair_by_pam()
{
    LOCATION=$1
    KEYWORD=$2
    OPTION=$3
    COMPARE=$4
    CONDITION=$5
    #Example:
    #LOCATION="/etc/pam.d/common-password"
    #LOCATION="/etc/pam.d/login"
    #KEYWORD="pam_cracklib.so"
    #OPTION="ocredit"
    #COMPARE="gt"
    #CONDITION="-1"
    if [ ! -f "$LOCATION" ]; then
        debug "$LOCATION is not exist"
        FNRET=3
        return
    fi
    # Active lines only: comments and blank lines stripped.
    local active_lines
    active_lines=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' "$LOCATION" || true)
    RESULT=$(printf '%s\n' "$active_lines" | grep -w "$KEYWORD.*$OPTION" | wc -l)
    if [ "$RESULT" -ne 1 ]; then
        debug "$KEYWORD $OPTION is not conf"
        FNRET=4
        return
    fi
    debug "$KEYWORD $OPTION is conf"
    # Split the matching line into tokens and take the value after "=" of the
    # token that names the option.
    cndt_value=$(printf '%s\n' "$active_lines" | grep "$KEYWORD.*$OPTION" | tr "\t" " " | tr " " "\n" | sed -n "/$OPTION/p" | awk -F "=" '{print $2}')
    if [ "$cndt_value" "-$COMPARE" "$CONDITION" ]; then
        debug "$cndt_value -$COMPARE $CONDITION is ok"
        FNRET=0
        return
    fi
    # Both failure flavours map to 5; the zero case only differs in its log line.
    if [ "$cndt_value" -eq 0 ]; then
        debug "$cndt_value -eq 0, is not ok"
    else
        debug "$cndt_value -$COMPARE $CONDITION is not ok"
    fi
    FNRET=5
}
# Only check option name
# $1 - module name, $2 - option (flag without value), $3 - pam file.
# FNRET: 0 when exactly one active line carries the module followed by the
# option, 4 otherwise, 3 when the file is missing.
check_no_param_option_by_pam()
{
    KEYWORD=$1
    OPTION=$2
    LOCATION=$3
    #Example:
    #KEYWORD="pam_unix.so"
    #OPTION="sha512"
    #LOCATION="/etc/pam.d/common-password"
    if [ ! -f "$LOCATION" ]; then
        debug "$LOCATION is not exist"
        FNRET=3
        return
    fi
    # Active lines naming the module with the option somewhere after it.
    RESULT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' "$LOCATION" | grep "$KEYWORD.*$OPTION" | wc -l)
    if [ "$RESULT" -eq 1 ]; then
        debug "$KEYWORD $OPTION is conf"
        FNRET=0
    else
        debug "$KEYWORD $OPTION is not conf"
        FNRET=4
    fi
}
# Add password check option
# Append OPTIONSTR to every "password" line that loads KEYWORD.
# $1 - pam file, $2 - module name, $3 - option text to append (e.g. "retry=3").
# The file is backed up first; no check is made for an already present option.
add_option_to_password_check()
{
    #Example:
    #local PAMPWDFILE="/etc/pam.d/common-password"
    #local KEYWORD="pam_cracklib.so"
    #local OPTIONSTR="retry=3"
    local PAMPWDFILE=$1
    local KEYWORD=$2
    local OPTIONSTR=$3
    debug "Setting $OPTIONSTR for $KEYWORD"
    backup_file "$PAMPWDFILE"
    # For example :
    # password requisite pam_cracklib.so minlen=8 difok=3
    # password requisite pam_cracklib.so minlen=8 difok=3 retry=3
    # Address form: select the line, then append " OPTIONSTR" at its end.
    sed -i "\;^password.*${KEYWORD};s;\$; ${OPTIONSTR};" "$PAMPWDFILE"
}
# Add session check option
# Append OPTIONSTR to every "session" line that loads KEYWORD.
# $1 - pam file, $2 - module name, $3 - option text to append (e.g. "showfailed").
# The file is backed up first; no check is made for an already present option.
add_option_to_session_check()
{
    #Example:
    #local PAMPWDFILE="/etc/pam.d/login"
    #local KEYWORD="pam_lastlog.so"
    #local OPTIONSTR="showfailed"
    local PAMPWDFILE=$1
    local KEYWORD=$2
    local OPTIONSTR=$3
    debug "Setting $OPTIONSTR for $KEYWORD"
    backup_file "$PAMPWDFILE"
    # For example :
    # session    optional   <KEYWORD>
    # session    optional   <KEYWORD> OPTIONSTR
    # Address form: select the line, then append " OPTIONSTR" at its end.
    sed -i "\;^session.*${KEYWORD};s;\$; ${OPTIONSTR};" "$PAMPWDFILE"
}
# Add auth check option
# Append OPTIONSTR to every "auth" line that loads KEYWORD.
# $1 - pam file, $2 - module name, $3 - option text to append.
# The file is backed up first; no check is made for an already present option.
add_option_to_auth_check()
{
    #Example:
    #local PAMPWDFILE="/etc/pam.d/common-auth"
    #local KEYWORD="pam_cracklib.so"
    #local OPTIONSTR="retry=3"
    local PAMPWDFILE=$1
    local KEYWORD=$2
    local OPTIONSTR=$3
    debug "Setting $OPTIONSTR for $KEYWORD"
    backup_file "$PAMPWDFILE"
    # For example :
    # auth    required   <KEYWORD> ...
    # auth    required   <KEYWORD> ... OPTIONSTR
    # Address form: select the line, then append " OPTIONSTR" at its end.
    sed -i "\;^auth.*${KEYWORD};s;\$; ${OPTIONSTR};" "$PAMPWDFILE"
}
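# Reset password check option value when option is not set a correct value
# $1 - pam file, $2 - module name (line selector), $3 - option name, $4 - new value.
# The current value is read from the active line that carries KEYWORD and then
# replaced on lines mentioning KEYWORD, e.g. "retry=1" -> "retry=3".
reset_option_to_password_check()
{
    #Example:
    #local PAMPWDFILE="/etc/pam.d/common-password"
    #local KEYWORD="pam_cracklib.so"
    #local OPTIONNAME="retry"
    #local OPTIONVAL="3"
    local PAMPWDFILE=$1
    local KEYWORD=$2
    local OPTIONNAME=$3
    local OPTIONVAL=$4
    # $OPTIONNAME, not $OPTION: the latter is not a parameter of this function and
    # is unbound under "set -u" unless some other function happened to set it.
    debug "Setting $OPTIONNAME for $KEYWORD reset option value to $OPTIONVAL"
    backup_file "$PAMPWDFILE"
    # For example :
    # password requisite pam_cracklib.so minlen=8 difok=3 retry=1
    # password requisite pam_cracklib.so minlen=8 difok=3 retry=3
    cndt_value=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' "$PAMPWDFILE" | grep "$KEYWORD.*$OPTIONNAME" | tr "\t" " " | tr " " "\n" | sed -n "/$OPTIONNAME/p" | awk -F "=" '{print $2}')
    # Restrict the rewrite to lines mentioning KEYWORD so the same option on another
    # module's line is left alone.
    sed -i "/${KEYWORD}/s/${OPTIONNAME}=${cndt_value}/${OPTIONNAME}=${OPTIONVAL}/" "$PAMPWDFILE"
}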
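# Reset auth check option value when option is not set a correct value
# $1 - pam file, $2 - module name (line selector), $3 - option name, $4 - new value.
# Replaces only the "OPTIONNAME=<value>" token on lines mentioning KEYWORD.
reset_option_to_auth_check()
{
    #Example:
    #local PAMPWDFILE="/etc/pam.d/common-auth"
    #local KEYWORD="pam_faillock.so"
    #local OPTIONNAME="deny"
    #local OPTIONVAL="3"
    local PAMPWDFILE=$1
    local KEYWORD=$2
    local OPTIONNAME=$3
    local OPTIONVAL=$4
    # $OPTIONNAME, not $OPTION: the latter is not a parameter of this function and
    # is unbound under "set -u" unless some other function happened to set it.
    debug "Setting $OPTIONNAME for $KEYWORD reset option value to $OPTIONVAL"
    backup_file "$PAMPWDFILE"
    # For example :
    # auth required pam_faillock.so deny=5 unlock_time=900
    # auth required pam_faillock.so deny=3 unlock_time=900
    #
    # Only the option's own token is replaced: the previous "OPTIONNAME=.*" swallowed
    # every option that followed it on the line. The leading "(^|blank)" keeps
    # e.g. OPTIONNAME=time from matching inside "unlock_time=" (GNU sed BRE "\|").
    sed -i "/${KEYWORD}/s/\(^\|[[:space:]]\)${OPTIONNAME}=[^[:space:]]*/\1${OPTIONNAME}=${OPTIONVAL}/" "$PAMPWDFILE"
}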
# Only check option name
# Fail when the module in /etc/pam.d/common-auth carries either empty-password
# flag. $1 - module name, $2 - first flag, $3 - second flag.
# FNRET: 5 if OPTION2 is present, 4 if OPTION1 is present, 0 if neither, 3 if
# the file is missing. OPTION2 is tested first because in the documented example
# OPTION1 ("nullok") is a prefix of OPTION2 ("nullok_secure").
check_auth_option_nullok_by_pam()
{
    KEYWORD=$1
    OPTION1=$2
    OPTION2=$3
    LOCATION="/etc/pam.d/common-auth"
    #Example:
    #KEYWORD="pam_unix.so"
    #OPTION1="nullok"
    #OPTION2="nullok_secure"
    if [ ! -f "$LOCATION" ]; then
        debug "$LOCATION is not exist"
        FNRET=3
        return
    fi
    local active_lines
    active_lines=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' "$LOCATION" || true)
    RESULT=$(printf '%s\n' "$active_lines" | grep "$KEYWORD.*$OPTION2" | wc -l)
    if [ "$RESULT" -eq 1 ]; then
        debug "$KEYWORD $OPTION2 is conf, that is error conf"
        FNRET=5
        return
    fi
    debug "$KEYWORD $OPTION2 is not conf, that is ok"
    RESULT=$(printf '%s\n' "$active_lines" | grep "$KEYWORD.*$OPTION1" | wc -l)
    if [ "$RESULT" -eq 1 ]; then
        debug "$KEYWORD $OPTION1 is conf, that is error conf"
        FNRET=4
        return
    fi
    debug "$KEYWORD $OPTION1 is not conf, that is ok"
    FNRET=0
}
# Ensure is set accept for INPUT of loopback traffic
# $1 - 'IPS4' to inspect iptables, anything else inspects ip6tables.
# FNRET=0 when the dumped ruleset contains "-A INPUT -i lo -j ACCEPT" (or the
# address variant), FNRET=1 otherwise.
ensure_lo_traffic_input_is_accept()
{
    IPS4=$(which iptables)
    IPS6=$(which ip6tables)
    # Check the loopback interface to accept INPUT traffic.
    version=$1
    local fw label lo_addr
    if [ "$version" == 'IPS4' ]; then
        fw=$IPS4
        label="Ip4tables"
        lo_addr="127.0.0.1"
    else
        fw=$IPS6
        label="Ip6tables"
        lo_addr="::/0"
    fi
    if [ "$(${fw} -S | grep -c "^\-A INPUT \-i lo \-j ACCEPT")" -ge 1 ] \
       || [ "$(${fw} -S | grep -c "^\-A INPUT \-i ${lo_addr} \-j ACCEPT")" -ge 1 ]; then
        debug "${label} loopback traffic INPUT has configured!"
        FNRET=0
    else
        debug "${label}: loopback traffic INPUT is not configured!"
        FNRET=1
    fi
}
# Ensure is set accept for OUTPUT of loopback traffic
# $1 - 'IPS4' to inspect iptables, anything else inspects ip6tables.
# FNRET=0 when the dumped ruleset contains "-A OUTPUT -o lo -j ACCEPT" (or the
# address variant), FNRET=1 otherwise.
ensure_lo_traffic_output_is_accept()
{
    IPS4=$(which iptables)
    IPS6=$(which ip6tables)
    # Check the loopback interface to accept OUTPUT traffic.
    version=$1
    local fw label lo_addr
    if [ "$version" == 'IPS4' ]; then
        fw=$IPS4
        label="Ip4tables"
        lo_addr="127.0.0.1"
    else
        fw=$IPS6
        label="Ip6tables"
        lo_addr="::/0"
    fi
    if [ "$(${fw} -S | grep -c "^\-A OUTPUT \-o lo \-j ACCEPT")" -ge 1 ] \
       || [ "$(${fw} -S | grep -c "^\-A OUTPUT \-o ${lo_addr} \-j ACCEPT")" -ge 1 ]; then
        debug "${label} loopback traffic OUTPUT has configured!"
        FNRET=0
    else
        debug "${label}: loopback traffic OUTPUT is not configured!"
        FNRET=1
    fi
}
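# Ensure is set deny for other interfaces INPUT of loopback traffic
# $1 - 'IPS4' to inspect iptables, anything else inspects ip6tables.
# FNRET=0 when a rule dropping INPUT from the loopback network is present,
# FNRET=1 otherwise.
ensure_lo_traffic_other_if_input_is_deny()
{
    IPS4=$(which iptables)
    IPS6=$(which ip6tables)
    # all other interfaces to deny traffic to the loopback network.
    version=$1
    if [ "$version" == 'IPS4' ]; then
        if [ "$(${IPS4} -S | grep -c "^\-A INPUT \-s 127.0.0.0/8 \-j DROP")" -eq 0 ]; then
            debug "Ip4tables: loopback traffic INPUT deny from 127.0.0.0/8 is not configured!"
            FNRET=1
        else
            debug "Ip4tables loopback traffic INPUT deny from 127.0.0.0/8 has configured!"
            FNRET=0
        fi
    else
        # A count of 0 means the rule is missing. The previous test was "-ge 0",
        # which is always true, so the IPv6 check reported "not configured" even
        # when the DROP rule was present. ip6tables -S typically prints the host
        # address with an explicit /128 prefix, so that form is accepted too.
        if [ "$(${IPS6} -S | grep -c "^\-A INPUT \-s ::1\(/128\)\{0,1\} \-j DROP")" -eq 0 ]; then
            debug "Ip6tables: loopback traffic INPUT deny from ::1 is not configured!"
            FNRET=1
        else
            debug "Ip6tables loopback traffic INPUT deny from ::1 has configured!"
            FNRET=0
        fi
    fi
}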
#Ensure is set accept for all outbound
# $1 - protocol (tcp, udp, icmp), $2 - 'IPS4' for iptables, anything else for
# ip6tables. FNRET=0 when an OUTPUT rule for the protocol with
# "--state NEW,ESTABLISHED -j ACCEPT" exists, FNRET=1 otherwise.
check_outbound_connect_is_accept()
{
    PATTERN="\-\-state NEW,ESTABLISHED \-j ACCEPT"
    IPS4=$(which iptables)
    IPS6=$(which ip6tables)
    # $1 maybe is: tcp udp icmp
    proto=$1
    version=$2
    local fw label
    if [ "$version" == 'IPS4' ]; then
        fw=$IPS4
        label="Iptables"
    else
        fw=$IPS6
        label="Ip6tables"
    fi
    if [ "$(${fw} -S | grep "^\-A OUTPUT" | grep "\-p ${proto}" | grep -c "$PATTERN")" -eq 0 ]; then
        debug "${label}: Protocol $proto outbound is not configured!"
        FNRET=1
    else
        debug "${label}: Protocol $proto outbound is configured!"
        FNRET=0
    fi
}
#Ensure is set accept for input with ESTABLISHED
# $1 - protocol (tcp, udp, icmp), $2 - 'IPS4' for iptables, anything else for
# ip6tables. FNRET=0 when an INPUT rule for the protocol with
# "--state ESTABLISHED -j ACCEPT" exists, FNRET=1 otherwise.
check_input_with_established_is_accept()
{
    PATTERN="\-\-state ESTABLISHED \-j ACCEPT"
    IPS4=$(which iptables)
    IPS6=$(which ip6tables)
    # $1 maybe is: tcp udp icmp
    proto=$1
    version=$2
    local fw label
    if [ "$version" == 'IPS4' ]; then
        fw=$IPS4
        label="Iptables"
    else
        fw=$IPS6
        label="Ip6tables"
    fi
    if [ "$(${fw} -S | grep "^\-A INPUT" | grep "\-p ${proto}" | grep -c "$PATTERN")" -eq 0 ]; then
        debug "${label}: Protocol $proto INPUT is not configured!"
        FNRET=1
    else
        debug "${label}: Protocol $proto INPUT is configured!"
        FNRET=0
    fi
}
# for: Create file if parent dir is not exist
# $1 - full path of the file to create (stored in the global NEWFILEALLPATH).
extend_touch_file()
{
    NEWFILEALLPATH=$1
    # mkdir -p is a no-op for an existing directory, so one path covers both cases.
    mkdir -p "$(dirname "${NEWFILEALLPATH}")"
    touch "${NEWFILEALLPATH}"
}
# Check ipv6 is enable
# FNRET=0 when "ip -6 addr" prints anything (some interface has an IPv6
# address), FNRET=1 when it prints nothing.
check_ipv6_is_enable()
{
    local v6_lines
    v6_lines=$(ip -6 addr | wc -l)
    if [ "$v6_lines" -le 0 ]; then
        debug "Ipv6 is disabled."
        FNRET=1
        return
    fi
    debug "Ipv6 is enabled."
    FNRET=0
}
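# Warn when auditd runs in immutable mode (rules cannot be reloaded), otherwise
# send SIGHUP to the auditd process that is a child of PID 1 (presumably so it
# re-reads its configuration after a rule change).
check_auditd_is_immutable_mode()
{
    # First line of "auditctl -s" is "enabled <n>"; 2 is the immutable (locked) mode.
    local enabled_flag
    enabled_flag=$(auditctl -s | head -n 1 | awk '{print $2}')
    if [ "$enabled_flag" -eq 2 ]; then
        warn "The auditd system is in immutable mode, no rule changes allowed. So must need reboot after adding/modifying the auditd rule!"
    else
        # Plain command instead of the previous "eval $(pkill ...)", which evaluated
        # pkill's (empty) output and hid its exit status; "|| true" keeps that
        # best-effort behaviour under "set -e".
        pkill -HUP -P 1 auditd || true
    fi
}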
#
# yum
#
# FNRET values:
# 100: need update
# 0: not need update
# 1: error
yum_check_updates()
{
    # Capture yum's status without letting "set -e" abort on the non-zero
    # "updates pending" code (100).
    FNRET=0
    $SUDO_CMD yum check-update > /dev/null || FNRET=$?
    if [ "$FNRET" -eq 100 ]; then
        # update too old, refresh database
        $SUDO_CMD yum makecache >/dev/null 2>/dev/null
    fi
}
# Check path of audit rule is exist, return 0 if path string is not NULL, else return 1
# Example:
# Process only the following format:
# AUDITRULE="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" or
# AUDITRULE="-a always,exit -F dir=/home/ -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" or
# AUDITRULE="-w /home/ -k privileged-passwd"
# Please manually execute apt-file (Debian) / yum Provides (redhat) to ensure that the path already exists in the repository.
# example: apt-file search /usr/bin/passwd
# freedom-maker: /usr/bin/passwd-in-image
# passwd: /usr/bin/passwd
#
# $1 - one auditd rule line. Sets FNRET=0 when the watched file or directory
# exists (or the rule carries no path at all), FNRET=1 when it does not.
# NOTE(review): the path is expanded with "eval echo", so shell metacharacters in
# the rule text are interpreted; rules come from this tool's own configuration,
# but untrusted rule text must not be passed through this function.
# NOTE(review): for the -F form only the first "-F" clause is inspected, so a rule
# whose first -F clause is not path=/dir= (e.g. arch=b64) is not resolved.
check_audit_path ()
{
    AUDITRULE=$1
    # Check -w style, for example: "-w /etc/shadow -p wa" "-w /etc/ -p wa"
    # (substring match: any rule text containing "-w" takes this branch)
    if [[ $AUDITRULE =~ "-w" ]]; then
        RESULT=$(echo $AUDITRULE | awk '{print $2}')
        # NOTE(review): with an empty RESULT this degenerates to "[ -f -o -d ]",
        # which bash presumably evaluates as a string OR (true) - verify.
        if [ -f $(eval echo $RESULT) -o -d $(eval echo $RESULT) ]; then
            debug "File $RESULT is exist!"
            FNRET=0
        else
            warn "File $RESULT is not exist!"
            FNRET=1
        fi
    # Check -F style, for example: "-a always,exit -F path=/etc/shadow -F perm=wa" "-a always,exit -F dir=/etc/ -F perm=wa"
    elif [ $(echo $AUDITRULE | grep -c "\-F.*path=") -eq 1 -o $(echo $AUDITRULE | grep -c "\-F.*dir=") -eq 1 ]; then
        # Text after the first "-F", then the part after its "=" (trailing blank
        # removed by the unquoted eval echo below).
        RESULT=$(echo $AUDITRULE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
        if [ -f $(eval echo $RESULT) -o -d $(eval echo $RESULT) ]; then
            debug "File $RESULT is exist!"
            FNRET=0
        else
            warn "File $RESULT is not exist!"
            FNRET=1
        fi
    else
        # Syscall rules without a path (e.g. only -S/-F arch) have nothing to check.
        info "This rule is not including path or dir."
        FNRET=0
    fi
}
# For CentOS 8
# Reference: https://access.redhat.com/solutions/3906701
# Print the fixed deprecation notice for tcp_wrappers via warn().
tcp_wrappers_warn ()
{
    local notice="The package(tcp_wrappers) has been deprecated in RHEL 7 and therefore it will not be available in RHEL 8 or later RHEL release."
    warn "$notice"
}
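# Remove a package (with its now-unneeded dependencies).
# $1 - package name(s); left unquoted on purpose so a space-separated list in $1
# keeps working. OS dispatch matches install_package: OS_RELEASE 1 or >= 9 use
# apt, 2 uses yum (the ">= 9" releases were previously skipped silently).
uninstall_pkg ()
{
    PKGNAME=$1
    if [ "$OS_RELEASE" -eq 1 ] || [ "$OS_RELEASE" -ge 9 ]; then
        apt-get -y purge --autoremove $PKGNAME
    elif [ "$OS_RELEASE" -eq 2 ]; then
        yum -y autoremove $PKGNAME
    fi
}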
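# Check apparmor is active by aa-status
# Only support Debian
# FNRET mirrors aa-status' exit code (0 enabled+loaded, 1 not enabled, 2 no
# policy, 3 no control files, 4 insufficient privileges); 5 when the binary is
# missing. Any other code is passed through unchanged.
check_aa_status ()
{
    APPARMOR_STATUS='/usr/sbin/aa-status'
    if [ -f "$APPARMOR_STATUS" ]; then
        # aa-status exits non-zero for every state but "enabled and loaded". Capture
        # the status with "|| rc=$?" so a caller running under "set -e" is not
        # aborted before the case below can map it to FNRET.
        local rc=0
        "$APPARMOR_STATUS" > /dev/null 2>&1 || rc=$?
        case $rc in
            0) info "AppArmor is enabled and policy is loaded."
               FNRET=0
               ;;
            1) info "AppArmor is not enabled/loaded."
               FNRET=1
               ;;
            2) info "AppArmor enabled but no policy is loaded."
               FNRET=2
               ;;
            3) info "AppArmor control files aren't available under /sys/kernel/security/."
               FNRET=3
               ;;
            4) info "The user running the script doesn't have enough privileges to read the AppArmor control files."
               FNRET=4
               ;;
            *) info "aa-status returned unexpected status $rc."
               FNRET=$rc
               ;;
        esac
    else
        info "$APPARMOR_STATUS is not exist!"
        FNRET=5
    fi
}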
# Check sshd access limit
# If not exist key of above, it's fail because default is everyone to allow
# Example: $1='AllowUsers' $2='AllowUsers[[:space:]]*\*'
# $1 - sshd keyword, $2 - pattern that denotes "no real restriction".
# FNRET: 1 keyword absent from "sshd -T", 2 present but matching $2, 0 otherwise.
check_sshd_access_limit ()
{
    local keyword=$1
    local open_pattern=$2
    if [ "$(sshd -T | grep -ic "$keyword")" -ne 1 ]; then
        debug "Arguments $1 is not exist! By default, login is allowed for all."
        FNRET=1
        return
    fi
    if [ "$(sshd -T | grep -ic "$open_pattern")" -eq 1 ]; then
        debug "$1 is not set limit!"
        FNRET=2
        return
    fi
    debug "$1 has set limit!"
    FNRET=0
}
# Check sshd conf for one value sshd -T return 'keyword value' pairs
# If the value of keyword is equal $2, return 0
# If the keyword does not exist in the sshd runtime configuration, return 1
# If the value of keyword is not equal $2, return 2
# Example: $1='PermitRootLogin' $2='no'
# Matching is case-insensitive on the keyword prefix; COUNT and RUNTIMEVALUE are
# left set as globals.
check_sshd_conf_for_one_value_runtime ()
{
    COUNT=$(sshd -T | grep -i "^$1" | wc -l)
    if [ "$COUNT" -eq 0 ]; then
        debug "The keyword $1 does not exist in the sshd runtime configuration."
        FNRET=1
        return
    fi
    RUNTIMEVALUE=$(sshd -T | grep -i "^$1" | awk '{print $2}')
    if [ "$RUNTIMEVALUE" != "$2" ]; then
        debug "The value of keyword $1 is not set to $2, it's incorrect."
        FNRET=2
        return
    fi
    debug "The value of keyword $1 has set to $2, it's correct."
    FNRET=0
}
# Check blacklist module set of /etc/modprobe.d/*
# If set, return 0; else return 1
# Example: $1='nf_nat_sip'
check_blacklist_module_set ()
{
    MODPROBE_CONF_FILE_PATTERN="/etc/modprobe.d/*"
    local module=$1
    # Lines naming the module as a whole word anywhere under modprobe.d, with
    # leading blanks stripped, that start with the "blacklist" directive.
    COUNT=$(grep -hw "$module" -r $MODPROBE_CONF_FILE_PATTERN | sed -e 's/^[ ]*//g' | grep "^blacklist" | wc -l)
    if [ "$COUNT" -lt 1 ]; then
        debug "$1 is not set in $MODPROBE_CONF_FILE_PATTERN"
        FNRET=1
        return
    fi
    debug "$1 has set in $MODPROBE_CONF_FILE_PATTERN"
    FNRET=0
}
# Compare the live value of a sysctl parameter with the expected one.
# $1 - parameter name, $2 - expected value. FNRET=0 on match, 1 otherwise
# (an unknown parameter reads as empty and therefore mismatches).
sysctl_check() {
    local param=$1
    local exp_val=$2
    local cur_val
    cur_val=$(sysctl -n "$param" 2>/dev/null || true)
    if [ "$cur_val" != "$exp_val" ]; then
        crit "$param is not set to $exp_val"
        FNRET=1
        return
    fi
    ok "$param is correctly set to $exp_val"
    FNRET=0
}
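# Set a sysctl parameter now and persist it in /etc/sysctl.d/99-sysctl.conf.
# $1 - parameter name, $2 - value.
sysctl_apply() {
    local param=$1
    local exp_val=$2
    local conf=/etc/sysctl.d/99-sysctl.conf
    warn "Setting $param to $exp_val"
    # Runtime change is best-effort: a refused key is reported by sysctl itself.
    sysctl -w "$param=$exp_val" || true
    # Persist it only once: re-running the hardening scripts used to append the
    # identical line every time.
    if ! grep -qxF "$param = $exp_val" "$conf" 2>/dev/null; then
        echo "$param = $exp_val" >> "$conf"
    fi
}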
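# Check that a systemd unit is not enabled.
# $1 - unit name. FNRET=1 when "systemctl is-enabled" reports enabled or
# enabled-runtime, 0 for any other state (disabled, masked, static, unknown...).
service_disable_check() {
    local svc=$1
    # Match the state exactly: "systemctl is-enabled" prints "disabled" for a
    # disabled unit, which a plain "grep enabled" also matched, so every disabled
    # service was reported as enabled.
    if systemctl is-enabled "$svc" 2>/dev/null | grep -qE '^enabled(-runtime)?$'; then
        crit "$svc is enabled"
        FNRET=1
    else
        ok "$svc is disabled or not installed"
        FNRET=0
    fi
}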
# Disable and mask a systemd unit. $1 - unit name.
# Both steps are best-effort: an unknown unit must not abort the hardening run.
service_disable_apply() {
    local svc=$1
    warn "Disabling $svc"
    local action
    for action in disable mask; do
        systemctl "$action" "$svc" 2>/dev/null || true
    done
}
# Check that a limits entry is present in limits.conf or any drop-in.
# $1 - the entry, used as a regex anchored at line start. FNRET=0 when found.
file_limit_check() {
    local conf=$1
    if ! grep -q "^$conf" /etc/security/limits.conf /etc/security/limits.d/* 2>/dev/null; then
        crit "Limits not configured: $conf"
        FNRET=1
        return
    fi
    ok "Limits configured: $conf"
    FNRET=0
}
# Append a limits entry to /etc/security/limits.conf. $1 - the entry line.
file_limit_apply() {
    local conf=$1
    local target=/etc/security/limits.conf
    warn "Configuring limits: $conf"
    echo "$conf" >> "$target"
}
# Check that a Debian package is installed (dpkg status "install ok installed").
# $1 - package name. FNRET=0 when installed, 1 otherwise.
pkg_installed_check() {
    local pkg=$1
    local status
    status=$(dpkg-query -W -f='${Status}' "$pkg" 2>/dev/null || true)
    case "$status" in
        *"install ok installed"*)
            ok "$pkg is installed"
            FNRET=0
            ;;
        *)
            crit "$pkg is not installed"
            FNRET=1
            ;;
    esac
}
# Install a Debian package. $1 - package name.
# Best-effort: a failed install is reported by apt but does not abort the run.
pkg_installed_apply() {
    local pkg=$1
    warn "Installing $pkg"
    if ! apt-get install -y "$pkg"; then
        :
    fi
}
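# Check that a systemd unit is enabled.
# $1 - unit name. FNRET=0 when "systemctl is-enabled" reports enabled or
# enabled-runtime, 1 for any other state.
service_enable_check() {
    local svc=$1
    # Match the state exactly: "systemctl is-enabled" prints "disabled" for a
    # disabled unit, which a plain "grep enabled" also matched, so a disabled
    # service (e.g. a disabled audit daemon) passed this check as enabled.
    if systemctl is-enabled "$svc" 2>/dev/null | grep -qE '^enabled(-runtime)?$'; then
        ok "$svc is enabled"
        FNRET=0
    else
        crit "$svc is not enabled"
        FNRET=1
    fi
}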
# Enable and start a systemd unit. $1 - unit name.
# Both steps are best-effort: an unknown unit must not abort the hardening run.
service_enable_apply() {
    local svc=$1
    warn "Enabling $svc"
    local action
    for action in enable start; do
        systemctl "$action" "$svc" 2>/dev/null || true
    done
}
# Replace every match of an ERE in a file, or append the replacement text when
# nothing matches (creating the file if needed).
# $1 - file, $2 - extended regex, $3 - replacement.
# NOTE(review): when a match exists $3 is a sed replacement ("&", "\1" and the
# "|" delimiter are special); when nothing matches it is appended verbatim.
replace_in_file_custom() {
    local file=$1
    local regex=$2
    local replace=$3
    [ -f "$file" ] || touch "$file"
    if ! grep -qE "$regex" "$file"; then
        echo "$replace" >> "$file"
        return
    fi
    sed -i -E "s|$regex|$replace|g" "$file"
}
================================================
FILE: src/skel
================================================
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# Hardening script skeleton: replace this line with the name of the CIS control this script implements
#
set -o errexit  # One error, it's over
set -o nounset  # One variable unset, it's over
# This function will be called if the script status is on enabled / audit mode
# Placeholder: each hardening script overrides it with its own checks.
audit () {
    return 0
}
# This function will be called if the script status is on enabled mode
# Placeholder: each hardening script overrides it with its own remediation.
apply () {
    return 0
}
# This function will check config parameters required
# Placeholder: scripts that need configuration values override it.
check_config() {
    return 0
}
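# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
# Under "set -u" an unset CIS_ROOT_DIR aborts the script with a bare "unbound
# variable" error before the explanation below is printed, so expand it with an
# empty default for the test.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r "$CIS_ROOT_DIR"/lib/main.sh ] && . "$CIS_ROOT_DIR"/lib/main.sh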
================================================
FILE: src/skel.cfg
================================================
# Configuration for script of same name
status=disabled