
Commit 45b81ee

damcav35damien cavagnini
andauthored
feat: add new debian12 scripts (#306)
- journald_log_file_access.sh -> 6.2.1.1.2 - journald_log_rotation.sh -> 6.2.1.1.3 - audit_log_perms.sh -> 6.3.4.1 - audit_log_user.sh -> 6.3.4.2 - audit_log_group.sh -> 6.3.4.3 - audit_log_directory_perms.sh -> 6.3.4.4 - audit_confs_perms.sh -> 6.3.4.5 Co-authored-by: damien cavagnini <damien.cavagnini@corp.ovh.com>
1 parent 059bd75 commit 45b81ee

14 files changed

+892
-0
lines changed

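--- a/bin/hardening/audit_confs_perms.sh
+++ b/bin/hardening/audit_confs_perms.sh
@@ -0,0 +1,74 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure audit configuration files mode is configured (Automated)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="the audit configuration files have mode 640 or more restrictive"
+
+AUDITD_CONF_DIR="/etc/audit"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+AUDIT_INVALID_PERM_FILES=""
+
+does_file_exist "$AUDITD_CONF_DIR"
+if [ "$FNRET" -eq 0 ]; then
+
+AUDIT_INVALID_PERM_FILES=$($SUDO_CMD find "$AUDITD_CONF_DIR" -type f \( -name '*.conf' -o -name '*.rules' \) -perm /0137)
+
+if [ -n "$AUDIT_INVALID_PERM_FILES" ]; then
+crit "Some files have invalid permissions"
+for file in $AUDIT_INVALID_PERM_FILES; do
+info "$file"
+done
+fi
+
+else
+info "$AUDITD_CONF_DIR does not exist"
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+for file in $AUDIT_INVALID_PERM_FILES; do
+info "Set perm 640 to $file"
+chmod 0640 "$file"
+done
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+# shellcheck source=../../debian/default
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_LIB_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+# shellcheck source=../../lib/main.sh
+. "${CIS_LIB_DIR}"/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+exit 128
+fi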
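Review bot: Both loops over `$AUDIT_INVALID_PERM_FILES` (in `audit` and in `apply`) split the `find` output on whitespace, so a path containing a space is reported and `chmod`-ed as two separate names. Iterate one line at a time instead, `while IFS= read -r file; do` … `done <<<"$AUDIT_INVALID_PERM_FILES"` (or have `find -print0` feed `read -r -d ''`); the `apply` loop in audit_log_perms.sh has the same split. `find` runs through `$SUDO_CMD` while the `chmod` in `apply` does not, so if `apply` can ever run unprivileged the first failing `chmod` aborts the script under `set -e`; a one-line comment stating that `apply` is expected to run as root would settle that. `does_file_exist` is applied to a directory here; confirm the helper accepts directories, otherwise the `FNRET -eq 0` branch is never taken and the check silently passes.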
Lines changed: 91 additions & 0 deletions
@@ -0,0 +1,91 @@
1+
#!/bin/bash
2+
3+
# run-shellcheck
4+
#
5+
# CIS Debian Hardening
6+
#
7+
8+
#
9+
# Ensure the audit log directory mode is configured (Automated)
10+
#
11+
12+
set -e # One error, it's over
13+
set -u # One variable unset, it's over
14+
15+
# shellcheck disable=2034
16+
HARDENING_LEVEL=3
17+
# shellcheck disable=2034
18+
DESCRIPTION="Ensure the audit log directory mode is configured"
19+
20+
AUDITD_CONF_FILE="/etc/audit/auditd.conf"
21+
AUDIT_LOG_DIR_EXPECTED_PERM=""
22+
23+
# This function will be called if the script status is on enabled / audit mode
24+
audit() {
25+
AUDIT_LOG_DIR_PERMS=0
26+
27+
does_file_exist "$AUDITD_CONF_FILE"
28+
if [ "$FNRET" -eq 0 ]; then
29+
30+
AUDIT_LOG_DIRECTORY="$(dirname "$($SUDO_CMD grep -E "^\s*log_file" "$AUDITD_CONF_FILE" | awk -F"=" '{print $2}')")"
31+
local log_dir_perms
32+
log_dir_perms=$(stat -Lc %a "$AUDIT_LOG_DIRECTORY")
33+
34+
# 0750 will be output as 750 by stat
35+
# we add the missing 0 ourselves for easier comparison
36+
if [ "$(echo -n "$log_dir_perms" | wc -m)" -lt 4 ]; then
37+
log_dir_perms="0$log_dir_perms"
38+
fi
39+
40+
if [ "$log_dir_perms" != "$AUDIT_LOG_DIR_EXPECTED_PERM" ]; then
41+
crit "audit log directory '$AUDIT_LOG_DIRECTORY' permissions are '$log_dir_perms' instead of '$AUDIT_LOG_DIR_EXPECTED_PERM'"
42+
AUDIT_LOG_DIR_PERMS=1
43+
fi
44+
45+
else
46+
info "$AUDITD_CONF_FILE does not exist"
47+
fi
48+
}
49+
50+
# This function will be called if the script status is on enabled mode
51+
apply() {
52+
if [ "$AUDIT_LOG_DIR_PERMS" -eq 1 ]; then
53+
info "changing permission to on '$AUDIT_LOG_DIR_EXPECTED_PERM' '$AUDIT_LOG_DIRECTORY'"
54+
chmod "$AUDIT_LOG_DIR_EXPECTED_PERM" "$AUDIT_LOG_DIRECTORY"
55+
fi
56+
}
57+
58+
# This function will check config parameters required
59+
check_config() {
60+
:
61+
}
62+
63+
create_config() {
64+
cat <<EOF
65+
# shellcheck disable=2034
66+
status=audit
67+
# the expected permission for the directory owning the "log_file" directive in /etc/audit/auditd.conf
68+
# default is 0750, but can be less permissive
69+
AUDIT_LOG_DIR_EXPECTED_PERM="0750"
70+
EOF
71+
}
72+
73+
# Source Root Dir Parameter
74+
if [ -r /etc/default/cis-hardening ]; then
75+
# shellcheck source=../../debian/default
76+
. /etc/default/cis-hardening
77+
fi
78+
if [ -z "$CIS_LIB_DIR" ]; then
79+
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
80+
echo "Cannot source CIS_LIB_DIR variable, aborting."
81+
exit 128
82+
fi
83+
84+
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
85+
if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
86+
# shellcheck source=../../lib/main.sh
87+
. "${CIS_LIB_DIR}"/main.sh
88+
else
89+
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
90+
exit 128
91+
fi
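Review bot: In `audit`, when auditd.conf has no `log_file` directive the grep/awk pipeline yields an empty string, `dirname ""` returns `.`, and the script stats, and in `apply` chmods, the current working directory instead of the audit log directory; the same `dirname "$log_file"` fallback feeds the `find` in audit_log_group.sh and audit_log_perms.sh, where `apply` would then chgrp/chmod every matching file under the cwd. If the directive is written with spaces, as in `log_file = /var/log/audit/audit.log`, `awk -F"=" '{print $2}'` also keeps the leading space, so `stat` is given ` /var/log/audit` and the script exits under `set -e` — worth confirming against the repo's test fixtures. Extract the value once, trim it and bail out when it is empty, as below; `$(echo -n "$log_dir_perms" | wc -m)` on the next lines can simply be `${#log_dir_perms}`. This section's file name is not shown on the page; from the commit message it is presumably audit_log_directory_perms.sh.
```shell
local log_file
log_file=$($SUDO_CMD grep -E "^\s*log_file\s*=" "$AUDITD_CONF_FILE" | awk -F"=" '{gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2}')
if [ -z "$log_file" ]; then
    crit "'log_file' is not set in $AUDITD_CONF_FILE"
    return
fi
AUDIT_LOG_DIRECTORY="$(dirname "$log_file")"
# … unchanged: stat, zero-padding and comparison with AUDIT_LOG_DIR_EXPECTED_PERM …
```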

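--- a/bin/hardening/audit_log_group.sh
+++ b/bin/hardening/audit_log_group.sh
@@ -0,0 +1,102 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure only authorized groups are assigned ownership of audit log files (Automated)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure 'root' or 'adm' groups are assigned ownership of audit log files"
+AUDITD_CONF_FILE="/etc/audit/auditd.conf"
+AUDIT_LOG_GROUP=""
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+AUDIT_LOG_GROUP_VALID=0
+AUDIT_INVALID_LOGS=""
+
+does_file_exist "$AUDITD_CONF_FILE"
+if [ "$FNRET" -eq 0 ]; then
+local log_file
+log_file=$($SUDO_CMD grep -E "^\s*log_file" "$AUDITD_CONF_FILE" | awk -F "=" '{print $2}')
+log_group=$($SUDO_CMD grep -E "^\s*log_group" "$AUDITD_CONF_FILE" | awk -F "=" '{print $2}')
+# look for all files in the directory
+AUDIT_INVALID_LOGS=$(find "$(dirname "$log_file")" -type f ! -group "$AUDIT_LOG_GROUP" -a ! -group root -exec stat -Lc "%n %G" {} +)
+
+if [ -n "$AUDIT_INVALID_LOGS" ]; then
+crit "Some audit logs are not owned by group $AUDIT_LOG_GROUP nor root"
+for file in $AUDIT_INVALID_LOGS; do
+info "$file"
+done
+fi
+
+if [[ "$log_group" != "$AUDIT_LOG_GROUP" ]]; then
+crit "'log_group' is '$log_group' instead of '$AUDIT_LOG_GROUP' in $AUDITD_CONF_FILE"
+AUDIT_LOG_GROUP_VALID=1
+fi
+
+else
+info "$AUDITD_CONF_FILE does not exist"
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+if [ "$AUDIT_LOG_GROUP_VALID" -eq 1 ]; then
+info "changing log_group to $AUDIT_LOG_GROUP in $AUDITD_CONF_FILE"
+sed -Ei "/\s*log_group/s/=.*$/=$AUDIT_LOG_GROUP/" "$AUDITD_CONF_FILE"
+fi
+
+if [ -n "$AUDIT_INVALID_LOGS" ]; then
+for file in $AUDIT_INVALID_LOGS; do
+file_path=$(awk '{print $1}' <<<"$file")
+info "Change group to '$AUDIT_LOG_GROUP' for '$file_path'"
+chgrp "$AUDIT_LOG_GROUP" "$file_path"
+done
+fi
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+create_config() {
+cat <<EOF
+# shellcheck disable=2034
+status=audit
+# put here the group name that maybe allowed to own audit log files
+# this is the one found under the "log_group" directive in /etc/audit/auditd.conf
+# the 'root' group is allowed in addition to this one
+AUDIT_LOG_GROUP='adm'
+EOF
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+# shellcheck source=../../debian/default
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_LIB_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+# shellcheck source=../../lib/main.sh
+. "${CIS_LIB_DIR}"/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+exit 128
+fi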
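Review bot: `apply` breaks on the `find -exec stat -Lc "%n %G"` output it consumes: `for file in $AUDIT_INVALID_LOGS` splits each `path group` pair into two words, so every second iteration runs `chgrp "$AUDIT_LOG_GROUP" <groupname>` against a path that does not exist, and under `set -e` that failure aborts the run before the remaining files are fixed (unless main.sh resets IFS to a newline, which is not visible here). Read the result line by line and strip the trailing group name instead, `while IFS= read -r line; do`, `file_path=${line% *}`, `done <<<"$AUDIT_INVALID_LOGS"`, which also drops the per-file `awk` fork. `log_group` on line 31 is assigned without `local` while `log_file` just above is, and the `sed -Ei "/\s*log_group/s/=.*$/…/"` address is unanchored, so a commented-out `# log_group = …` line would be rewritten as well; `^\s*log_group\s*=` is the safer address. The `find` here runs without `$SUDO_CMD`, unlike the equivalent call in audit_log_perms.sh.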

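--- a/bin/hardening/audit_log_perms.sh
+++ b/bin/hardening/audit_log_perms.sh
@@ -0,0 +1,86 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure audit log files mode is configured (Automated)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="audit log files have mode 0640 or less permissive"
+AUDITD_CONF_FILE="/etc/audit/auditd.conf"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+AUDIT_INVALID_LOGS=""
+
+does_file_exist "$AUDITD_CONF_FILE"
+if [ "$FNRET" -eq 0 ]; then
+local log_file
+log_file=$($SUDO_CMD grep -E "^\s*log_file" "$AUDITD_CONF_FILE" | awk -F "=" '{print $2}')
+# look for all files in the directory
+AUDIT_INVALID_LOGS=$($SUDO_CMD find "$(dirname "$log_file")" -type f -perm /0137)
+
+if [ -n "$AUDIT_INVALID_LOGS" ]; then
+crit "Some audit logs have not perms 0640 or less"
+for file in $AUDIT_INVALID_LOGS; do
+info "$file"
+done
+fi
+
+else
+info "$AUDITD_CONF_FILE does not exist"
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+for file in $AUDIT_INVALID_LOGS; do
+info "Change mode to 0640 for '$file'"
+chmod 0640 "$file"
+done
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+create_config() {
+cat <<EOF
+# shellcheck disable=2034
+status=audit
+# put here the group name that maybe allowed to own audi log files
+# this is the one found under the "log_group" directive in /etc/audit/auditd.conf
+# the 'root' group is allowed in addition to this one
+AUDIT_LOG_GROUP='adm'
+EOF
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+# shellcheck source=../../debian/default
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_LIB_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+# shellcheck source=../../lib/main.sh
+. "${CIS_LIB_DIR}"/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+exit 128
+fi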
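Review bot: `create_config` writes an `AUDIT_LOG_GROUP='adm'` setting, with three comment lines about the `log_group` directive (and "audi" for "audit"), that nothing in this script reads; it looks copied from audit_log_group.sh and will mislead anyone tuning this check's config, so the heredoc should keep only the `# shellcheck disable=2034` and `status=audit` lines. If a `check_config` guard is wanted for this script, the thing worth validating is not a group but that `log_file` resolves to a non-empty path before `find` and `chmod 0640` run over `dirname` of it.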
