Add new debian12 scripts

    bin/hardening/cron_allow_restrictions.sh                -> 2.4.1.8
    bin/hardening/gdm_disable_automount.sh                  -> 1.7.6 / 1.7.7
    bin/hardening/gdm_disable_autorun.sh                    -> 1.7.8 / 1.7.9
    bin/hardening/gdm_disable_xdmcp.sh                      -> 1.7.10
    bin/hardening/pam_pwhistory_enforce_root.sh             -> 5.3.3.3.2
    bin/hardening/pam_pwhistory_use_authtok.sh              -> 5.3.3.3.3

Author: damien cavagnini

bin/hardening/cron_allow_restrictions.sh

@@ -0,0 +1,126 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure cron is restricted to authorized users (Automated)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Ensure cron is restricted to authorized users."
+
+PACKAGE='cron'
+CRON_ALLOW='/etc/cron.allow'
+CRON_DENY='/etc/cron.deny'
+PERMISSIONS='640'
+USER='root'
+GROUP='root'
+
+# Global state
+CRON_ALLOW_RESTR_INSTALLED=1
+CRON_ALLOW_RESTR_FILE_OK=1
+CRON_DENY_FILE_OK=1
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        ok "$PACKAGE is not installed, cron restrictions not applicable"
+        CRON_ALLOW_RESTR_INSTALLED=0
+        return
+    fi
+    ok "$PACKAGE is installed"
+
+    # Check /etc/cron.allow
+    if [ ! -f "$CRON_ALLOW" ]; then
+        crit "$CRON_ALLOW does not exist"
+        CRON_ALLOW_RESTR_FILE_OK=0
+    else
+        has_file_correct_ownership "$CRON_ALLOW" "$USER" "$GROUP"
+        if [ "$FNRET" != 0 ]; then
+            crit "$CRON_ALLOW ownership is not $USER:$GROUP"
+            CRON_ALLOW_RESTR_FILE_OK=0
+        else
+            ok "$CRON_ALLOW has correct ownership"
+        fi
+
+        has_file_correct_permissions "$CRON_ALLOW" "$PERMISSIONS"
+        if [ "$FNRET" != 0 ]; then
+            crit "$CRON_ALLOW permissions are not $PERMISSIONS"
+            CRON_ALLOW_RESTR_FILE_OK=0
+        else
+            ok "$CRON_ALLOW has correct permissions"
+        fi
+    fi
+
+    # Check /etc/cron.deny - should not exist or have restrictive permissions
+    if [ -f "$CRON_DENY" ]; then
+        warn "$CRON_DENY exists, it should be removed when using $CRON_ALLOW"
+        CRON_DENY_FILE_OK=0
+    else
+        ok "$CRON_DENY does not exist"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$CRON_ALLOW_RESTR_INSTALLED" -eq 0 ]; then
+        ok "$PACKAGE is not installed, nothing to apply"
+        return
+    fi
+
+    # Create/fix cron.allow
+    if [ "$CRON_ALLOW_RESTR_FILE_OK" -eq 0 ]; then
+        if [ ! -f "$CRON_ALLOW" ]; then
+            info "Creating $CRON_ALLOW"
+            touch "$CRON_ALLOW"
+        fi
+
+        info "Setting ownership and permissions on $CRON_ALLOW"
+        chown "$USER":"$GROUP" "$CRON_ALLOW"
+        chmod "$PERMISSIONS" "$CRON_ALLOW"
+    else
+        ok "$CRON_ALLOW is correctly configured"
+    fi
+
+    # Remove cron.deny if it exists
+    if [ "$CRON_DENY_FILE_OK" -eq 0 ]; then
+        if [ -f "$CRON_DENY" ]; then
+            info "Removing $CRON_DENY"
+            rm -f "$CRON_DENY"
+        fi
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "${CIS_LIB_DIR}" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is ${CIS_LIB_DIR} in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/gdm_disable_automount.sh

@@ -0,0 +1,178 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure GDM disabling of automount is not overridden (Automated)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Ensure GDM disabling of automount is not overridden."
+
+PACKAGE='gdm3'
+DCONF_PROFILE_DIR='/etc/dconf/profile'
+DCONF_DB_DIR='/etc/dconf/db/local.d'
+DCONF_LOCK_DIR='/etc/dconf/db/local.d/locks'
+USER_PROFILE_FILE="$DCONF_PROFILE_DIR/user"
+AUTOMOUNT_CONF_FILE="$DCONF_DB_DIR/00-media-automount"
+AUTOMOUNT_LOCK_FILE="$DCONF_LOCK_DIR/media-automount"
+
+# Global state
+GDM_AUTOMOUNT_INSTALLED=1
+GDM_AUTOMOUNT_PROFILE_OK=1
+GDM_AUTOMOUNT_SETTINGS_OK=1
+GDM_AUTOMOUNT_LOCKS_OK=1
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        ok "$PACKAGE is not installed, automount settings not applicable"
+        GDM_AUTOMOUNT_INSTALLED=0
+        return
+    fi
+    ok "$PACKAGE is installed"
+
+    # Check profile file
+    if [ ! -f "$USER_PROFILE_FILE" ]; then
+        crit "DConf user profile file $USER_PROFILE_FILE does not exist"
+        GDM_AUTOMOUNT_PROFILE_OK=0
+    else
+        does_pattern_exist_in_file "$USER_PROFILE_FILE" "user-db:user"
+        if [ "$FNRET" != 0 ]; then
+            crit "DConf user profile missing 'user-db:user' directive"
+            GDM_AUTOMOUNT_PROFILE_OK=0
+        else
+            does_pattern_exist_in_file "$USER_PROFILE_FILE" "system-db:local"
+            if [ "$FNRET" != 0 ]; then
+                crit "DConf user profile missing 'system-db:local' directive"
+                GDM_AUTOMOUNT_PROFILE_OK=0
+            else
+                ok "DConf user profile correctly configured"
+            fi
+        fi
+    fi
+
+    # Check automount settings
+    if [ ! -f "$AUTOMOUNT_CONF_FILE" ]; then
+        crit "Automount configuration file $AUTOMOUNT_CONF_FILE does not exist"
+        GDM_AUTOMOUNT_SETTINGS_OK=0
+    else
+        does_pattern_exist_in_file "$AUTOMOUNT_CONF_FILE" "automount=false"
+        if [ "$FNRET" != 0 ]; then
+            crit "automount not set to false in $AUTOMOUNT_CONF_FILE"
+            GDM_AUTOMOUNT_SETTINGS_OK=0
+        else
+            ok "automount correctly set to false"
+        fi
+        does_pattern_exist_in_file "$AUTOMOUNT_CONF_FILE" "automount-open=false"
+        if [ "$FNRET" != 0 ]; then
+            crit "automount-open not set to false in $AUTOMOUNT_CONF_FILE"
+            GDM_AUTOMOUNT_SETTINGS_OK=0
+        else
+            ok "automount-open correctly set to false"
+        fi
+    fi
+
+    # Check locks
+    if [ ! -f "$AUTOMOUNT_LOCK_FILE" ]; then
+        crit "Automount lock file $AUTOMOUNT_LOCK_FILE does not exist"
+        GDM_AUTOMOUNT_LOCKS_OK=0
+    else
+        does_pattern_exist_in_file "$AUTOMOUNT_LOCK_FILE" "/org/gnome/desktop/media-handling/automount"
+        if [ "$FNRET" != 0 ]; then
+            crit "automount not locked in $AUTOMOUNT_LOCK_FILE"
+            GDM_AUTOMOUNT_LOCKS_OK=0
+        else
+            ok "automount is locked"
+        fi
+        does_pattern_exist_in_file "$AUTOMOUNT_LOCK_FILE" "/org/gnome/desktop/media-handling/automount-open"
+        if [ "$FNRET" != 0 ]; then
+            crit "automount-open not locked in $AUTOMOUNT_LOCK_FILE"
+            GDM_AUTOMOUNT_LOCKS_OK=0
+        else
+            ok "automount-open is locked"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$GDM_AUTOMOUNT_INSTALLED" -eq 0 ]; then
+        ok "$PACKAGE is not installed, nothing to apply"
+        return
+    fi
+
+    # Create profile directory and file
+    if [ "$GDM_AUTOMOUNT_PROFILE_OK" -eq 0 ]; then
+        info "Creating/updating DConf user profile"
+        mkdir -p "$DCONF_PROFILE_DIR"
+        cat >"$USER_PROFILE_FILE" <<EOF
+user-db:user
+system-db:local
+EOF
+        GDM_AUTOMOUNT_PROFILE_OK=1
+    fi
+
+    # Create automount settings
+    if [ "$GDM_AUTOMOUNT_SETTINGS_OK" -eq 0 ]; then
+        info "Creating automount configuration"
+        mkdir -p "$DCONF_DB_DIR"
+        cat >"$AUTOMOUNT_CONF_FILE" <<EOF
+[org/gnome/desktop/media-handling]
+automount=false
+automount-open=false
+EOF
+        GDM_AUTOMOUNT_SETTINGS_OK=1
+    fi
+
+    # Create locks
+    if [ "$GDM_AUTOMOUNT_LOCKS_OK" -eq 0 ]; then
+        info "Creating automount locks"
+        mkdir -p "$DCONF_LOCK_DIR"
+        cat >"$AUTOMOUNT_LOCK_FILE" <<EOF
+/org/gnome/desktop/media-handling/automount
+/org/gnome/desktop/media-handling/automount-open
+EOF
+        GDM_AUTOMOUNT_LOCKS_OK=1
+    fi
+
+    # Update dconf database
+    if command -v dconf >/dev/null 2>&1; then
+        info "Updating dconf database"
+        dconf update
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "${CIS_LIB_DIR}" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is ${CIS_LIB_DIR} in /etc/default/cis-hardening"
+    exit 128
+fi