ovh
diff --git a/‎bin/hardening/cron_allow_restrictions.sh‎
Lines changed: 126 additions & 0 deletions b/‎bin/hardening/cron_allow_restrictions.sh‎
Lines changed: 126 additions & 0 deletions
diff --git a/‎bin/hardening/gdm_disable_automount_overriden.sh‎
Lines changed: 126 additions & 0 deletions b/‎bin/hardening/gdm_disable_automount_overriden.sh‎
Lines changed: 126 additions & 0 deletions
@@ -0,0 +1,126 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure cron is restricted to authorized users (Automated)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Ensure cron is restricted to authorized users."
+
+PACKAGE='cron'
+CRON_ALLOW='/etc/cron.allow'
+CRON_DENY='/etc/cron.deny'
+PERMISSIONS='640'
+USER='root'
+GROUP='root'
+
+# Global state
+CRON_ALLOW_RESTR_INSTALLED=1
+CRON_ALLOW_RESTR_FILE_OK=1
+CRON_DENY_FILE_OK=1
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        ok "$PACKAGE is not installed, cron restrictions not applicable"
+        CRON_ALLOW_RESTR_INSTALLED=0
+        return
+    fi
+    ok "$PACKAGE is installed"
+
+    # Check /etc/cron.allow
+    if [ ! -f "$CRON_ALLOW" ]; then
+        crit "$CRON_ALLOW does not exist"
+        CRON_ALLOW_RESTR_FILE_OK=0
+    else
+        has_file_correct_ownership "$CRON_ALLOW" "$USER" "$GROUP"
+        if [ "$FNRET" != 0 ]; then
+            crit "$CRON_ALLOW ownership is not $USER:$GROUP"
+            CRON_ALLOW_RESTR_FILE_OK=0
+        else
+            ok "$CRON_ALLOW has correct ownership"
+        fi
+
+        has_file_correct_permissions "$CRON_ALLOW" "$PERMISSIONS"
+        if [ "$FNRET" != 0 ]; then
+            crit "$CRON_ALLOW permissions are not $PERMISSIONS"
+            CRON_ALLOW_RESTR_FILE_OK=0
+        else
+            ok "$CRON_ALLOW has correct permissions"
+        fi
+    fi
+
+    # Check /etc/cron.deny - should not exist or have restrictive permissions
+    if [ -f "$CRON_DENY" ]; then
+        warn "$CRON_DENY exists, it should be removed when using $CRON_ALLOW"
+        CRON_DENY_FILE_OK=0
+    else
+        ok "$CRON_DENY does not exist"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$CRON_ALLOW_RESTR_INSTALLED" -eq 0 ]; then
+        ok "$PACKAGE is not installed, nothing to apply"
+        return
+    fi
+
+    # Create/fix cron.allow
+    if [ "$CRON_ALLOW_RESTR_FILE_OK" -eq 0 ]; then
+        if [ ! -f "$CRON_ALLOW" ]; then
+            info "Creating $CRON_ALLOW"
+            touch "$CRON_ALLOW"
+        fi
+
+        info "Setting ownership and permissions on $CRON_ALLOW"
+        chown "$USER":"$GROUP" "$CRON_ALLOW"
+        chmod "$PERMISSIONS" "$CRON_ALLOW"
+    else
+        ok "$CRON_ALLOW is correctly configured"
+    fi
+
+    # Remove cron.deny if it exists
+    if [ "$CRON_DENY_FILE_OK" -eq 0 ]; then
+        if [ -f "$CRON_DENY" ]; then
+            info "Removing $CRON_DENY"
+            rm -f "$CRON_DENY"
+        fi
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "${CIS_LIB_DIR}" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is ${CIS_LIB_DIR} in /etc/default/cis-hardening"
+    exit 128
+fi
@@ -0,0 +1,126 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+#  Ensure GDM disabling automatic mounting of removable media is not overridden (Automated)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Ensure GDM disabling automatic mounting of removable media is not overridden."
+
+PACKAGES='gdm gdm3'
+DCONF_DB_DIR='/etc/dconf/db/local.d'
+
+# Global state
+GDM_DA_INSTALLED=0
+GDM_DA_AUTOMOUNT_OK=0
+GDM_DA_AUTOMOUNT_OPEN_OK=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    # Check if GNOME Desktop Manager is installed
+    local l_pkg_installed=0
+    for l_package in $PACKAGES; do
+        is_pkg_installed "$l_package"
+        if [ "$FNRET" = 0 ]; then
+            ok "Package $l_package is installed"
+            l_pkg_installed=1
+            GDM_DA_INSTALLED=1
+            break
+        fi
+    done
+
+    if [ "$l_pkg_installed" -eq 0 ]; then
+        ok "GNOME Desktop Manager package is not installed on the system - Recommendation is not applicable"
+        return
+    fi
+
+    # Search /etc/dconf/db/local.d/ for automount settings
+    local l_automount_setting
+    local l_automount_open_setting
+
+    l_automount_setting=$(grep -Psir -- '^\h*automount=false\b' "$DCONF_DB_DIR" 2>/dev/null || true)
+    l_automount_open_setting=$(grep -Psir -- '^\h*automount-open=false\b' "$DCONF_DB_DIR" 2>/dev/null || true)
+
+    # Check for automount setting
+    if [ -n "$l_automount_setting" ]; then
+        ok "automount setting found and set to false"
+        GDM_DA_AUTOMOUNT_OK=1
+    else
+        crit "automount setting not found or not set to false in $DCONF_DB_DIR"
+        GDM_DA_AUTOMOUNT_OK=0
+    fi
+
+    # Check for automount-open setting
+    if [ -n "$l_automount_open_setting" ]; then
+        ok "automount-open setting found and set to false"
+        GDM_DA_AUTOMOUNT_OPEN_OK=1
+    else
+        crit "automount-open setting not found or not set to false in $DCONF_DB_DIR"
+        GDM_DA_AUTOMOUNT_OPEN_OK=0
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$GDM_DA_INSTALLED" -eq 0 ]; then
+        ok "GNOME Desktop Manager is not installed, nothing to apply"
+        return
+    fi
+
+    # Create the directory if it doesn't exist
+    if [ ! -d "$DCONF_DB_DIR" ]; then
+        info "Creating directory $DCONF_DB_DIR"
+        mkdir -p "$DCONF_DB_DIR"
+    fi
+
+    # Apply automount settings if needed
+    if [ "$GDM_DA_AUTOMOUNT_OK" -eq 0 ] || [ "$GDM_DA_AUTOMOUNT_OPEN_OK" -eq 0 ]; then
+        info "Configuring automount settings in $DCONF_DB_DIR/00-media-automount"
+        cat >"$DCONF_DB_DIR/00-media-automount" <<EOF
+[org/gnome/desktop/media-handling]
+automount=false
+automount-open=false
+EOF
+    fi
+
+    # Update dconf database
+    if command -v dconf >/dev/null 2>&1; then
+        info "Updating dconf database"
+        dconf update
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "${CIS_LIB_DIR}" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is ${CIS_LIB_DIR} in /etc/default/cis-hardening"
+    exit 128
+fi