
Commit 5e25306

damcav35damien cavagnini
andauthored
add new scripts for debian12 (#319)
- grub_cfg_permissions.sh -> 1.4.2 - motd_no_os_info.sh -> 1.6.1 - issue_no_os_info.sh -> 1.6.2 - gdm_disable_user_list.sh -> 1.7.3 - gnome_screensaver_idle_lock.sh -> 1.7.4 Co-authored-by: damien cavagnini <damien.cavagnini@corp.ovh.com>
1 parent efbd5b3 commit 5e25306

10 files changed

+911
-0
lines changed
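--- /dev/null
+++ b/gdm_disable_user_list.sh
@@ -0,0 +1,106 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+set -e
+set -u
+
+# shellcheck disable=2034
+HARDENING_LEVEL=1
+# shellcheck disable=2034
+DESCRIPTION="Ensure GDM disable-user-list option is enabled"
+
+# Global variables with unique prefix
+GDM_USER_LIST_PACKAGE="gdm3"
+GDM_USER_LIST_CONFIG="/etc/gdm3/greeter.dconf-defaults"
+GDM_USER_LIST_KEY="disable-user-list"
+GDM_USER_LIST_VALUE="true"
+# Global variables to store audit state
+GDM_USER_LIST_PKG_INSTALLED=1
+GDM_USER_LIST_CONFIG_EXISTS=1
+GDM_USER_LIST_SETTING_CORRECT=1
+
+audit() {
+is_pkg_installed "$GDM_USER_LIST_PACKAGE"
+GDM_USER_LIST_PKG_INSTALLED=$FNRET
+if [ "$GDM_USER_LIST_PKG_INSTALLED" -ne 0 ]; then
+ok "$GDM_USER_LIST_PACKAGE is not installed"
+return
+fi
+
+does_file_exist "$GDM_USER_LIST_CONFIG"
+GDM_USER_LIST_CONFIG_EXISTS=$FNRET
+if [ "$GDM_USER_LIST_CONFIG_EXISTS" -ne 0 ]; then
+crit "$GDM_USER_LIST_CONFIG does not exist"
+return
+fi
+
+does_pattern_exist_in_file "$GDM_USER_LIST_CONFIG" "^[[:space:]]*${GDM_USER_LIST_KEY}[[:space:]]*=[[:space:]]*${GDM_USER_LIST_VALUE}"
+GDM_USER_LIST_SETTING_CORRECT=$FNRET
+if [ "$GDM_USER_LIST_SETTING_CORRECT" -ne 0 ]; then
+crit "$GDM_USER_LIST_KEY is not set to $GDM_USER_LIST_VALUE in $GDM_USER_LIST_CONFIG"
+else
+ok "$GDM_USER_LIST_KEY is correctly set in $GDM_USER_LIST_CONFIG"
+fi
+}
+
+apply() {
+if [ "$GDM_USER_LIST_PKG_INSTALLED" -ne 0 ]; then
+ok "$GDM_USER_LIST_PACKAGE is not installed (nothing to apply)"
+return
+fi
+
+if [ "$GDM_USER_LIST_CONFIG_EXISTS" -ne 0 ]; then
+warn "$GDM_USER_LIST_CONFIG does not exist, creating it"
+mkdir -p "$(dirname "$GDM_USER_LIST_CONFIG")"
+echo "[org/gnome/login-screen]" >"$GDM_USER_LIST_CONFIG"
+echo "${GDM_USER_LIST_KEY}=${GDM_USER_LIST_VALUE}" >>"$GDM_USER_LIST_CONFIG"
+ok "$GDM_USER_LIST_CONFIG created with correct setting"
+return
+fi
+
+if [ "$GDM_USER_LIST_SETTING_CORRECT" -ne 0 ]; then
+info "Setting $GDM_USER_LIST_KEY to $GDM_USER_LIST_VALUE in $GDM_USER_LIST_CONFIG"
+backup_file "$GDM_USER_LIST_CONFIG"
+
+# Check if [org/gnome/login-screen] section exists
+if ! grep -q "^\[org/gnome/login-screen\]" "$GDM_USER_LIST_CONFIG"; then
+echo "[org/gnome/login-screen]" >>"$GDM_USER_LIST_CONFIG"
+fi
+
+# Remove all instances of the key before adding the correct value
+sed -i "/^[[:space:]]*${GDM_USER_LIST_KEY}/d" "$GDM_USER_LIST_CONFIG"
+sed -i "/^\[org\/gnome\/login-screen\]/a ${GDM_USER_LIST_KEY}=${GDM_USER_LIST_VALUE}" "$GDM_USER_LIST_CONFIG"
+
+ok "$GDM_USER_LIST_KEY set to $GDM_USER_LIST_VALUE"
+else
+ok "$GDM_USER_LIST_KEY is already correctly configured"
+fi
+}
+
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+# shellcheck source=../../debian/default
+. /etc/default/cis-hardening
+fi
+
+if [ -z "${CIS_LIB_DIR:-}" ]; then
+echo "There is no /etc/default/cis-hardening file nor CIS_LIB_DIR in environment."
+exit 128
+fi
+
+# Main function
+if [ -r "${CIS_LIB_DIR}/main.sh" ]; then
+# shellcheck source=../../lib/main.sh
+. "${CIS_LIB_DIR}/main.sh"
+else
+echo "Cannot find main.sh in CIS_LIB_DIR=${CIS_LIB_DIR}"
+exit 128
+fi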
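Review bot: apply() never recompiles the GDM greeter database after editing /etc/gdm3/greeter.dconf-defaults — both the new-file branch (lines 56-63) and the sed branch (lines 65-78) return right after writing — whereas the screensaver script in this same commit ends with `dconf update`. As far as I recall, on Debian that file is only picked up when `dpkg-reconfigure gdm3` compiles it into the greeter's dconf database, so the user list stays visible on the login screen until someone runs that by hand; a `dpkg-reconfigure -f noninteractive gdm3` after the writes (or whatever convention the lib has for it) would close that gap. Separately, the audit pattern on line 41 only proves a `disable-user-list=true` line exists somewhere in the file, not that it sits under `[org/gnome/login-screen]`; a match under another section would be reported ok while gdm ignores it.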
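--- /dev/null
+++ b/gnome_screensaver_idle_lock.sh
@@ -0,0 +1,196 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+set -e
+set -u
+
+# shellcheck disable=2034
+HARDENING_LEVEL=1
+# shellcheck disable=2034
+DESCRIPTION="Ensure screen locks when the user is idle (lock-delay <= 5s, idle-delay <= 900s and not 0)"
+
+# Global variables with unique prefix
+GNOME_LOCK_PACKAGE="gnome-shell"
+GNOME_LOCK_DCONF_DB="local"
+GNOME_LOCK_PROFILE_DIR="/etc/dconf/profile"
+GNOME_LOCK_PROFILE_FILE="${GNOME_LOCK_PROFILE_DIR}/user"
+GNOME_LOCK_DB_DIR="/etc/dconf/db/${GNOME_LOCK_DCONF_DB}.d"
+GNOME_LOCK_SETTINGS_FILE="${GNOME_LOCK_DB_DIR}/00-screensaver"
+# shellcheck disable=2034
+GNOME_LOCK_MAX_LOCK_DELAY=5
+# shellcheck disable=2034
+GNOME_LOCK_MAX_IDLE_DELAY=900
+# Global variables to store audit state
+GNOME_LOCK_PKG_INSTALLED=1
+GNOME_LOCK_PROFILE_EXISTS=1
+GNOME_LOCK_PROFILE_HAS_USER_DB=1
+GNOME_LOCK_PROFILE_HAS_SYSTEM_DB=1
+GNOME_LOCK_SETTINGS_EXISTS=1
+GNOME_LOCK_SETTINGS_HAS_SECTION=1
+GNOME_LOCK_SETTINGS_HAS_IDLE_ENABLED=1
+GNOME_LOCK_SETTINGS_HAS_LOCK_ENABLED=1
+
+audit() {
+is_pkg_installed "$GNOME_LOCK_PACKAGE"
+GNOME_LOCK_PKG_INSTALLED=$FNRET
+if [ "$GNOME_LOCK_PKG_INSTALLED" -ne 0 ]; then
+ok "$GNOME_LOCK_PACKAGE is not installed"
+return
+fi
+
+# Check profile file
+does_file_exist "$GNOME_LOCK_PROFILE_FILE"
+GNOME_LOCK_PROFILE_EXISTS=$FNRET
+if [ "$GNOME_LOCK_PROFILE_EXISTS" -ne 0 ]; then
+crit "$GNOME_LOCK_PROFILE_FILE does not exist"
+return
+fi
+
+does_pattern_exist_in_file "$GNOME_LOCK_PROFILE_FILE" "^user-db:user$"
+GNOME_LOCK_PROFILE_HAS_USER_DB=$FNRET
+if [ "$GNOME_LOCK_PROFILE_HAS_USER_DB" -ne 0 ]; then
+crit "$GNOME_LOCK_PROFILE_FILE missing user-db:user"
+return
+fi
+
+does_pattern_exist_in_file "$GNOME_LOCK_PROFILE_FILE" "^system-db:${GNOME_LOCK_DCONF_DB}$"
+GNOME_LOCK_PROFILE_HAS_SYSTEM_DB=$FNRET
+if [ "$GNOME_LOCK_PROFILE_HAS_SYSTEM_DB" -ne 0 ]; then
+crit "$GNOME_LOCK_PROFILE_FILE missing system-db:${GNOME_LOCK_DCONF_DB}"
+return
+fi
+
+# Check settings file
+does_file_exist "$GNOME_LOCK_SETTINGS_FILE"
+GNOME_LOCK_SETTINGS_EXISTS=$FNRET
+if [ "$GNOME_LOCK_SETTINGS_EXISTS" -ne 0 ]; then
+crit "$GNOME_LOCK_SETTINGS_FILE does not exist"
+return
+fi
+
+does_pattern_exist_in_file "$GNOME_LOCK_SETTINGS_FILE" "^\[org/gnome/desktop/screensaver\]$"
+GNOME_LOCK_SETTINGS_HAS_SECTION=$FNRET
+if [ "$GNOME_LOCK_SETTINGS_HAS_SECTION" -ne 0 ]; then
+crit "$GNOME_LOCK_SETTINGS_FILE missing screensaver section"
+return
+fi
+
+does_pattern_exist_in_file "$GNOME_LOCK_SETTINGS_FILE" "^idle-activation-enabled=true$"
+GNOME_LOCK_SETTINGS_HAS_IDLE_ENABLED=$FNRET
+if [ "$GNOME_LOCK_SETTINGS_HAS_IDLE_ENABLED" -ne 0 ]; then
+crit "$GNOME_LOCK_SETTINGS_FILE missing or incorrect idle-activation-enabled"
+return
+fi
+
+does_pattern_exist_in_file "$GNOME_LOCK_SETTINGS_FILE" "^lock-enabled=true$"
+GNOME_LOCK_SETTINGS_HAS_LOCK_ENABLED=$FNRET
+if [ "$GNOME_LOCK_SETTINGS_HAS_LOCK_ENABLED" -ne 0 ]; then
+crit "$GNOME_LOCK_SETTINGS_FILE missing or incorrect lock-enabled"
+return
+fi
+
+ok "GNOME screensaver idle lock is correctly configured"
+}
+
+apply() {
+if [ "$GNOME_LOCK_PKG_INSTALLED" -ne 0 ]; then
+ok "$GNOME_LOCK_PACKAGE is not installed (nothing to apply)"
+return
+fi
+
+# Create profile directory and file
+if [ ! -d "$GNOME_LOCK_PROFILE_DIR" ]; then
+info "Creating $GNOME_LOCK_PROFILE_DIR"
+mkdir -p "$GNOME_LOCK_PROFILE_DIR"
+fi
+
+if [ "$GNOME_LOCK_PROFILE_EXISTS" -ne 0 ]; then
+info "Creating $GNOME_LOCK_PROFILE_FILE"
+cat >"$GNOME_LOCK_PROFILE_FILE" <<EOF
+user-db:user
+system-db:${GNOME_LOCK_DCONF_DB}
+EOF
+else
+if [ "$GNOME_LOCK_PROFILE_HAS_USER_DB" -ne 0 ]; then
+info "Setting user-db:user in $GNOME_LOCK_PROFILE_FILE"
+backup_file "$GNOME_LOCK_PROFILE_FILE"
+sed -i '/^user-db:/d' "$GNOME_LOCK_PROFILE_FILE"
+echo "user-db:user" >>"$GNOME_LOCK_PROFILE_FILE"
+fi
+
+if [ "$GNOME_LOCK_PROFILE_HAS_SYSTEM_DB" -ne 0 ]; then
+info "Setting system-db:${GNOME_LOCK_DCONF_DB} in $GNOME_LOCK_PROFILE_FILE"
+if [ "$GNOME_LOCK_PROFILE_HAS_USER_DB" -eq 0 ]; then
+backup_file "$GNOME_LOCK_PROFILE_FILE"
+fi
+sed -i '/^system-db:/d' "$GNOME_LOCK_PROFILE_FILE"
+echo "system-db:${GNOME_LOCK_DCONF_DB}" >>"$GNOME_LOCK_PROFILE_FILE"
+fi
+fi
+
+# Create settings directory and file
+if [ ! -d "$GNOME_LOCK_DB_DIR" ]; then
+info "Creating $GNOME_LOCK_DB_DIR"
+mkdir -p "$GNOME_LOCK_DB_DIR"
+fi
+
+if [ "$GNOME_LOCK_SETTINGS_EXISTS" -ne 0 ]; then
+info "Creating $GNOME_LOCK_SETTINGS_FILE"
+cat >"$GNOME_LOCK_SETTINGS_FILE" <<EOF
+[org/gnome/desktop/screensaver]
+idle-activation-enabled=true
+lock-enabled=true
+EOF
+else
+backup_file "$GNOME_LOCK_SETTINGS_FILE"
+
+if [ "$GNOME_LOCK_SETTINGS_HAS_SECTION" -ne 0 ]; then
+info "Adding screensaver section to $GNOME_LOCK_SETTINGS_FILE"
+echo "[org/gnome/desktop/screensaver]" >>"$GNOME_LOCK_SETTINGS_FILE"
+fi
+
+if [ "$GNOME_LOCK_SETTINGS_HAS_IDLE_ENABLED" -ne 0 ]; then
+info "Setting idle-activation-enabled=true"
+sed -i '/^\[org\/gnome\/desktop\/screensaver\]/a idle-activation-enabled=true' "$GNOME_LOCK_SETTINGS_FILE"
+fi
+
+if [ "$GNOME_LOCK_SETTINGS_HAS_LOCK_ENABLED" -ne 0 ]; then
+info "Setting lock-enabled=true"
+sed -i '/^\[org\/gnome\/desktop\/screensaver\]/a lock-enabled=true' "$GNOME_LOCK_SETTINGS_FILE"
+fi
+fi
+
+# Update dconf database
+info "Updating dconf database"
+dconf update
+
+ok "GNOME screensaver idle lock configuration applied"
+}
+
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+# shellcheck source=../../debian/default
+. /etc/default/cis-hardening
+fi
+
+if [ -z "${CIS_LIB_DIR:-}" ]; then
+echo "There is no /etc/default/cis-hardening file nor CIS_LIB_DIR in environment."
+exit 128
+fi
+
+# Main function
+if [ -r "${CIS_LIB_DIR}/main.sh" ]; then
+# shellcheck source=../../lib/main.sh
+. "${CIS_LIB_DIR}/main.sh"
+else
+echo "Cannot find main.sh in CIS_LIB_DIR=${CIS_LIB_DIR}"
+exit 128
+fi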
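Review bot: The two delay limits the DESCRIPTION promises (lock-delay <= 5s, idle-delay <= 900s and not 0) are never checked or written: GNOME_LOCK_MAX_LOCK_DELAY and GNOME_LOCK_MAX_IDLE_DELAY are declared under shellcheck disable=2034 and then unused, and the settings file (lines 143-147) only carries idle-activation-enabled and lock-enabled. A host whose idle-delay is 0 (never idle) therefore passes this audit yet never locks, so the control is not enforced. I would write `idle-delay=uint32 ${GNOME_LOCK_MAX_IDLE_DELAY}` under `[org/gnome/desktop/session]` and `lock-delay=uint32 ${GNOME_LOCK_MAX_LOCK_DELAY}` under the screensaver section, with matching audit patterns and sed inserts in the else branch. Also, that else branch (lines 156-164) inserts the correct line right after the section header but leaves a wrong existing value such as `lock-enabled=false` in place further down, so which one dconf compiles is up to the keyfile parser; the greeter.dconf-defaults script in this commit deletes existing instances first, and this one should do the same.
```shell
cat >"$GNOME_LOCK_SETTINGS_FILE" <<EOF
[org/gnome/desktop/session]
idle-delay=uint32 ${GNOME_LOCK_MAX_IDLE_DELAY}
[org/gnome/desktop/screensaver]
idle-activation-enabled=true
lock-enabled=true
lock-delay=uint32 ${GNOME_LOCK_MAX_LOCK_DELAY}
EOF
# … unchanged: else branch (needs the same two keys, deleting stale values before inserting) …
```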
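--- /dev/null
+++ b/grub_cfg_permissions.sh
@@ -0,0 +1,92 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+set -e
+set -u
+
+# shellcheck disable=2034
+HARDENING_LEVEL=1
+# shellcheck disable=2034
+DESCRIPTION="Ensure permissions on /boot/grub/grub.cfg are 0600 or more restrictive, and owned by root:root"
+
+# Global variables with unique prefix
+GRUB_CFG_PERM_FILE="/boot/grub/grub.cfg"
+GRUB_CFG_PERM_USER="root"
+GRUB_CFG_PERM_GROUP="root"
+GRUB_CFG_PERM_MODE="600"
+# Global variables to store audit state
+GRUB_CFG_PERM_FILE_EXISTS=1
+GRUB_CFG_PERM_OWNERSHIP_OK=1
+GRUB_CFG_PERM_PERMISSIONS_OK=1
+
+audit() {
+does_file_exist "$GRUB_CFG_PERM_FILE"
+GRUB_CFG_PERM_FILE_EXISTS=$FNRET
+if [ "$GRUB_CFG_PERM_FILE_EXISTS" -ne 0 ]; then
+ok "$GRUB_CFG_PERM_FILE not found (GRUB not installed)"
+return
+fi
+
+has_file_correct_ownership "$GRUB_CFG_PERM_FILE" "$GRUB_CFG_PERM_USER" "$GRUB_CFG_PERM_GROUP"
+GRUB_CFG_PERM_OWNERSHIP_OK=$FNRET
+if [ "$GRUB_CFG_PERM_OWNERSHIP_OK" -ne 0 ]; then
+crit "$GRUB_CFG_PERM_FILE ownership is incorrect (expected $GRUB_CFG_PERM_USER:$GRUB_CFG_PERM_GROUP)"
+return
+fi
+
+has_file_correct_permissions "$GRUB_CFG_PERM_FILE" "$GRUB_CFG_PERM_MODE"
+GRUB_CFG_PERM_PERMISSIONS_OK=$FNRET
+if [ "$GRUB_CFG_PERM_PERMISSIONS_OK" -ne 0 ]; then
+crit "$GRUB_CFG_PERM_FILE permissions are incorrect (expected $GRUB_CFG_PERM_MODE or more restrictive)"
+return
+fi
+
+ok "$GRUB_CFG_PERM_FILE has correct ownership and permissions"
+}
+
+apply() {
+if [ "$GRUB_CFG_PERM_FILE_EXISTS" -ne 0 ]; then
+ok "$GRUB_CFG_PERM_FILE not found (nothing to apply)"
+return
+fi
+
+if [ "$GRUB_CFG_PERM_OWNERSHIP_OK" -ne 0 ]; then
+info "Setting ownership of $GRUB_CFG_PERM_FILE to $GRUB_CFG_PERM_USER:$GRUB_CFG_PERM_GROUP"
+chown "$GRUB_CFG_PERM_USER:$GRUB_CFG_PERM_GROUP" "$GRUB_CFG_PERM_FILE"
+fi
+
+if [ "$GRUB_CFG_PERM_PERMISSIONS_OK" -ne 0 ]; then
+info "Setting permissions of $GRUB_CFG_PERM_FILE to $GRUB_CFG_PERM_MODE"
+chmod "$GRUB_CFG_PERM_MODE" "$GRUB_CFG_PERM_FILE"
+fi
+
+ok "$GRUB_CFG_PERM_FILE ownership and permissions are now correct"
+}
+
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+# shellcheck source=../../debian/default
+. /etc/default/cis-hardening
+fi
+
+if [ -z "${CIS_LIB_DIR:-}" ]; then
+echo "There is no /etc/default/cis-hardening file nor CIS_LIB_DIR in environment."
+exit 128
+fi
+
+# Main function
+if [ -r "${CIS_LIB_DIR}/main.sh" ]; then
+# shellcheck source=../../lib/main.sh
+. "${CIS_LIB_DIR}/main.sh"
+else
+echo "Cannot find main.sh in CIS_LIB_DIR=${CIS_LIB_DIR}"
+exit 128
+fi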
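Review bot: apply() on line 64 runs `chmod 600` whenever the audit flagged the mode, which would loosen a file that is already stricter than 0600 (for example 0400) even though the DESCRIPTION and the crit message on line 44 promise "0600 or more restrictive". Whether that case is reachable depends on has_file_correct_permissions in the lib, which is not visible here: if it compares the mode exactly against "600" rather than checking that no extra bits are set, a 0400 grub.cfg is reported as crit and then made more permissive by the remediation. A fix that only strips bits, `chmod u-x,go-rwx "$GRUB_CFG_PERM_FILE"`, meets the control without ever widening access; the audit would then need a mask-style check to agree with it. Note also that a failed ownership check returns before the permission check, so GRUB_CFG_PERM_PERMISSIONS_OK keeps its default of 1 and apply() chmods regardless — harmless today, but worth a comment on line 24 so the dependency on that default is deliberate.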
