ovh
diff --git a/‎bin/hardening/audit_chacl.sh‎
Lines changed: 117 additions & 0 deletions b/‎bin/hardening/audit_chacl.sh‎
Lines changed: 117 additions & 0 deletions
diff --git a/‎bin/hardening/audit_chcon.sh‎
Lines changed: 117 additions & 0 deletions b/‎bin/hardening/audit_chcon.sh‎
Lines changed: 117 additions & 0 deletions
diff --git a/‎bin/hardening/audit_file_deletion.sh‎
Lines changed: 127 additions & 0 deletions b/‎bin/hardening/audit_file_deletion.sh‎
Lines changed: 127 additions & 0 deletions
@@ -0,0 +1,117 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure use of chacl command is audited (Automated)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=4
+# shellcheck disable=2034
+DESCRIPTION="Ensure audit rules for chacl command are configured."
+
+AUDIT_RULES_FILE='/etc/audit/rules.d/50-perm_chng.rules'
+AUDIT_RULES_DIR='/etc/audit/rules.d'
+
+# Global state
+AC_RULES_OK=0
+AC_UID_MIN=""
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    AC_RULES_OK=0
+
+    # Get UID_MIN
+    AC_UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
+    if [ -z "$AC_UID_MIN" ]; then
+        crit "Unable to determine UID_MIN from /etc/login.defs"
+        return
+    fi
+
+    # Check on disk configuration
+    local l_ondisk_result
+    l_ondisk_result=$(awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${AC_UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/bin\/chacl/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" "$AUDIT_RULES_DIR"/*.rules 2>/dev/null || true)
+
+    # Check running configuration
+    local l_running_result
+    l_running_result=$(auditctl -l 2>/dev/null | awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${AC_UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/bin\/chacl/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" || true)
+
+    if [ -n "$l_ondisk_result" ] && [ -n "$l_running_result" ]; then
+        ok "chacl audit rules are correctly configured on disk and running"
+        AC_RULES_OK=1
+    else
+        if [ -z "$l_ondisk_result" ]; then
+            crit "chacl audit rule not found in on-disk configuration"
+        fi
+        if [ -z "$l_running_result" ]; then
+            crit "chacl audit rule not found in running configuration"
+        fi
+        AC_RULES_OK=0
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$AC_RULES_OK" -eq 1 ]; then
+        ok "chacl audit rules already correctly configured"
+        return
+    fi
+
+    if [ -z "$AC_UID_MIN" ]; then
+        crit "Unable to determine UID_MIN, cannot apply"
+        return
+    fi
+
+    info "Configuring chacl audit rules"
+    mkdir -p "$AUDIT_RULES_DIR"
+
+    # Remove any existing chacl rules to avoid duplicates
+    if [ -f "$AUDIT_RULES_FILE" ]; then
+        sed -i '/path=\/usr\/bin\/chacl/d' "$AUDIT_RULES_FILE"
+    fi
+
+    # Create file with header if it doesn't exist
+    if [ ! -f "$AUDIT_RULES_FILE" ]; then
+        echo "## Permission modification" >"$AUDIT_RULES_FILE"
+    fi
+
+    # Add the rule
+    echo "-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=${AC_UID_MIN} -F auid!=unset -k perm_chng" >>"$AUDIT_RULES_FILE"
+
+    # Load the rules
+    info "Loading audit rules"
+    augenrules --load
+    ok "chacl audit rules configured and loaded"
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "${CIS_LIB_DIR}" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is ${CIS_LIB_DIR} in /etc/default/cis-hardening"
+    exit 128
+fi
@@ -0,0 +1,117 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure use of chcon command is audited (Automated)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=4
+# shellcheck disable=2034
+DESCRIPTION="Ensure audit rules for chcon command are configured."
+
+AUDIT_RULES_FILE='/etc/audit/rules.d/50-perm_chng.rules'
+AUDIT_RULES_DIR='/etc/audit/rules.d'
+
+# Global state
+ACO_RULES_OK=0
+ACO_UID_MIN=""
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    ACO_RULES_OK=0
+
+    # Get UID_MIN
+    ACO_UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
+    if [ -z "$ACO_UID_MIN" ]; then
+        crit "Unable to determine UID_MIN from /etc/login.defs"
+        return
+    fi
+
+    # Check on disk configuration
+    local l_ondisk_result
+    l_ondisk_result=$(awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${ACO_UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/bin\/chcon/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" "$AUDIT_RULES_DIR"/*.rules 2>/dev/null || true)
+
+    # Check running configuration
+    local l_running_result
+    l_running_result=$(auditctl -l 2>/dev/null | awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${ACO_UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/bin\/chcon/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" || true)
+
+    if [ -n "$l_ondisk_result" ] && [ -n "$l_running_result" ]; then
+        ok "chcon audit rules are correctly configured on disk and running"
+        ACO_RULES_OK=1
+    else
+        if [ -z "$l_ondisk_result" ]; then
+            crit "chcon audit rule not found in on-disk configuration"
+        fi
+        if [ -z "$l_running_result" ]; then
+            crit "chcon audit rule not found in running configuration"
+        fi
+        ACO_RULES_OK=0
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$ACO_RULES_OK" -eq 1 ]; then
+        ok "chcon audit rules already correctly configured"
+        return
+    fi
+
+    if [ -z "$ACO_UID_MIN" ]; then
+        crit "Unable to determine UID_MIN, cannot apply"
+        return
+    fi
+
+    info "Configuring chcon audit rules"
+    mkdir -p "$AUDIT_RULES_DIR"
+
+    # Remove any existing chcon rules to avoid duplicates
+    if [ -f "$AUDIT_RULES_FILE" ]; then
+        sed -i '/path=\/usr\/bin\/chcon/d' "$AUDIT_RULES_FILE"
+    fi
+
+    # Create file with header if it doesn't exist
+    if [ ! -f "$AUDIT_RULES_FILE" ]; then
+        echo "## Permission modification" >"$AUDIT_RULES_FILE"
+    fi
+
+    # Add the rule
+    echo "-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=${ACO_UID_MIN} -F auid!=unset -k perm_chng" >>"$AUDIT_RULES_FILE"
+
+    # Load the rules
+    info "Loading audit rules"
+    augenrules --load
+    ok "chcon audit rules configured and loaded"
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "${CIS_LIB_DIR}" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is ${CIS_LIB_DIR} in /etc/default/cis-hardening"
+    exit 128
+fi
@@ -0,0 +1,127 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure file deletion events by users are collected
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=4
+# shellcheck disable=2034
+DESCRIPTION="Ensure file deletion events are audited"
+
+AUDIT_RULES_FILE="/etc/audit/rules.d/50-delete.rules"
+AUDIT_RULES_DIR='/etc/audit/rules.d'
+
+# Global state
+AFD_RULES_OK=0
+AFD_UID_MIN=""
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    AFD_RULES_OK=0
+
+    # Get UID_MIN
+    AFD_UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
+    if [ -z "$AFD_UID_MIN" ]; then
+        crit "Unable to determine UID_MIN from /etc/login.defs"
+        return
+    fi
+
+    # Check on disk configuration
+    local l_ondisk_result
+    l_ondisk_result=$(awk "/^ *-a *always,exit/ &&/ -F *arch=b(32|64)/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${AFD_UID_MIN}/ &&/ -S/ &&(/unlink/||/rename/||/unlinkat/||/renameat/) &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" "$AUDIT_RULES_DIR"/*.rules 2>/dev/null || true)
+
+    # Check running configuration
+    local l_running_result
+    l_running_result=$(auditctl -l 2>/dev/null | awk "/^ *-a *always,exit/ &&/ -F *arch=b(32|64)/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${AFD_UID_MIN}/ &&/ -S/ &&(/unlink/||/rename/||/unlinkat/||/renameat/) &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" || true)
+
+    # We need both b64 and b32 rules in both configurations
+    local l_ondisk_b64 l_ondisk_b32 l_running_b64 l_running_b32
+    l_ondisk_b64=$(echo "$l_ondisk_result" | grep -c "b64" || true)
+    l_ondisk_b32=$(echo "$l_ondisk_result" | grep -c "b32" || true)
+    l_running_b64=$(echo "$l_running_result" | grep -c "b64" || true)
+    l_running_b32=$(echo "$l_running_result" | grep -c "b32" || true)
+
+    if [ "$l_ondisk_b64" -ge 1 ] && [ "$l_ondisk_b32" -ge 1 ] && [ "$l_running_b64" -ge 1 ] && [ "$l_running_b32" -ge 1 ]; then
+        ok "File deletion events are correctly configured on disk and running"
+        AFD_RULES_OK=1
+    else
+        if [ "$l_ondisk_b64" -eq 0 ] || [ "$l_ondisk_b32" -eq 0 ]; then
+            crit "File deletion audit rules not found or incomplete in on-disk configuration"
+        fi
+        if [ "$l_running_b64" -eq 0 ] || [ "$l_running_b32" -eq 0 ]; then
+            crit "File deletion audit rules not found or incomplete in running configuration"
+        fi
+        AFD_RULES_OK=0
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$AFD_RULES_OK" -eq 1 ]; then
+        ok "File deletion audit rules already correctly configured"
+        return
+    fi
+
+    if [ -z "$AFD_UID_MIN" ]; then
+        crit "Unable to determine UID_MIN, cannot apply"
+        return
+    fi
+
+    info "Configuring file deletion audit rules"
+    mkdir -p "$AUDIT_RULES_DIR"
+
+    # Remove any existing delete rules to avoid duplicates
+    if [ -f "$AUDIT_RULES_FILE" ]; then
+        sed -i '/\-k delete/d' "$AUDIT_RULES_FILE"
+    fi
+
+    # Create file with header if it doesn't exist
+    if [ ! -f "$AUDIT_RULES_FILE" ]; then
+        echo "## File deletion events" >"$AUDIT_RULES_FILE"
+    fi
+
+    # Add the rules
+    {
+        echo "-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=${AFD_UID_MIN} -F auid!=unset -k delete"
+        echo "-a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>=${AFD_UID_MIN} -F auid!=unset -k delete"
+    } >>"$AUDIT_RULES_FILE"
+
+    # Load the rules
+    info "Loading audit rules"
+    augenrules --load
+    ok "File deletion audit rules configured and loaded"
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi