diff --git a/remediation-kits/services/3.1-disable-http-server.sh b/remediation-kits/services/3.1-disable-http-server.sh
index 91c1117c976ae6dacbd355732fbc1e75b4d88a1f..8ef566f6bc8132d24d09f42667abf91b11bdfd84 100755
--- a/remediation-kits/services/3.1-disable-http-server.sh
+++ b/remediation-kits/services/3.1-disable-http-server.sh
@@ -1 +1,12 @@
-systemctl --now disable httpd
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa httpd)" ]; then
+ result=$(systemctl is-enabled httpd)
+ if [ $result == enabled ]; then
+ systemctl --now disable httpd
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.10-disable-rsync-server.sh b/remediation-kits/services/3.10-disable-rsync-server.sh
index 98e9e76721867e3f44f60a6a5aeeb3b5b13b0e87..6b020db5c6b96b7413acfa4c8c9d490f3ef4323d 100644
--- a/remediation-kits/services/3.10-disable-rsync-server.sh
+++ b/remediation-kits/services/3.10-disable-rsync-server.sh
@@ -1 +1,12 @@
-systemctl --now disable rsyncd
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa | grep rsync)" ]; then
+ result=$(systemctl is-enabled rsyncd)
+ if [ $result == enabled ]; then
+ systemctl --now disable rsyncd
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.11-disable-avahi-server.sh b/remediation-kits/services/3.11-disable-avahi-server.sh
index 0e1fbb47547ad770d8e0d414191cb994cc9c6f37..226877c3fececc3505d7b415c7aafa57d912cdb0 100644
--- a/remediation-kits/services/3.11-disable-avahi-server.sh
+++ b/remediation-kits/services/3.11-disable-avahi-server.sh
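Review bot: Gating `systemctl --now disable httpd` on `is-enabled` printing exactly `enabled` leaves the service running whenever the unit reports `disabled`, `static`, `indirect` or `enabled-runtime` while it is active; the one-line version this replaces disabled unconditionally, so a running-but-not-enabled httpd now ends in `exit 1` with nothing stopped. The inner test is also unquoted, so an empty `$result` (unit missing, systemctl error) turns `[ $result == enabled ]` into a "unary operator expected" error rather than a comparison, and `==` inside `[` is a bash extension in a file that has no shebang. One line covers both: `if [[ "$result" == enabled || "$(systemctl is-active httpd)" == active ]]; then`. Whether the runner should see an already-disabled service as a failure (`exit 1`) rather than a no-op is worth a comment, since that `exit 1` is indistinguishable from a failed disable. The same pattern is in 3.10, 3.12, 3.13, 3.14, 3.15, 3.16, 3.2, 3.23, 3.24, 3.3, 3.4, 3.6, 3.7, 3.8 and 3.9 in this commit.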
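Review bot: `rpm -qa | grep rsync` is a substring match over every installed package name, so any package whose name merely contains `rsync` satisfies the guard, after which the script exits 1 because `rsyncd` is not a unit on that host. The sibling scripts query the package by name; do the same here, `if [ "$(rpm -qa rsync)" ]; then`, and if the daemon unit ships in a separate `rsync-daemon` subpackage on the target distribution, name that package explicitly rather than widening the match. The same substring guard is used for `dhcp` in 3.7 (which also matches hosts that have only `dhcp-client`/`dhcp-common` and no DHCP server), for `telnet` in 3.17 (which matches the client package), and for `kexec` and `firstboot` in 3.19 and 3.20.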
@@ -1,2 +1,10 @@
-systemctl --now disable avahi-daemon.socket
-systemctl --now disable avahi-daemon.service
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa avahi)" ]; then
+ result=$(systemctl is-enabled avahi-daemon.socket)
+ result2=$(systemctl is-enabled avahi-daemon)
+ [[ $result == enabled ]] && systemctl --now disable avahi-daemon.socket
+ [[ $result2 == enabled ]] && systemctl --now disable avahi-daemon.service
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.12-disable-snmp-server.sh b/remediation-kits/services/3.12-disable-snmp-server.sh
index 295a8c7e36de456e79efe5a2984b48f9b397835f..02d5a4510fd1e840849190840e2fedbedabb13b8 100644
--- a/remediation-kits/services/3.12-disable-snmp-server.sh
+++ b/remediation-kits/services/3.12-disable-snmp-server.sh
@@ -1 +1,12 @@
-systemctl --now disable snmpd
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa net-snmp)" ]; then
+ result=$(systemctl is-enabled snmpd)
+ if [ $result == enabled ]; then
+ systemctl --now disable snmpd
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.13-disable-http-proxy-server.sh b/remediation-kits/services/3.13-disable-http-proxy-server.sh
index f0e2bb0fb216caec4a2bade47a1784ff5bf80a78..a57179715e84ba4fe7705c91e294533f8be19700 100644
--- a/remediation-kits/services/3.13-disable-http-proxy-server.sh
+++ b/remediation-kits/services/3.13-disable-http-proxy-server.sh
@@ -1 +1,12 @@
-systemctl --now disable squid
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa squid)" ]; then
+ result=$(systemctl is-enabled squid)
+ if [ $result == enabled ]; then
+ systemctl --now disable squid
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
\ No newline at end of file
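Review bot: The script's exit status is that of its last command, `[[ $result2 == enabled ]] && systemctl --now disable avahi-daemon.service`, so on a host where the socket was just disabled but the service was not reported `enabled` the script returns 1 and the runner sees a failed remediation. End the installed branch with an explicit `exit 0`, or fold the two checks into `if`/`fi` blocks so the status reflects the `systemctl` calls rather than the last test. This file also relies on `[[ ]]` with no shebang, while 3.17 in the same commit adds `#!/usr/bin/env bash`; the kit should be consistent so the bash-only syntax is never run under `/bin/sh`.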
diff --git a/remediation-kits/services/3.14-disable-samba.sh b/remediation-kits/services/3.14-disable-samba.sh
index 2e8dc44ed9a5426728967f76d5e8641725a877f7..133c850419081fe931b7181883c0122771d6edbf 100644
--- a/remediation-kits/services/3.14-disable-samba.sh
+++ b/remediation-kits/services/3.14-disable-samba.sh
@@ -1 +1,12 @@
-systemctl --now disable smb
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa samba)" ]; then
+ result=$(systemctl is-enabled smb)
+ if [ $result == enabled ]; then
+ systemctl --now disable smb
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.15-disable-imap-and-pop3-server.sh b/remediation-kits/services/3.15-disable-imap-and-pop3-server.sh
index 83aada00fb4800f6b5a9c72c35a382d06e19cb82..018fb8cd488e6870203bac0c55944f12e3331f0f 100644
--- a/remediation-kits/services/3.15-disable-imap-and-pop3-server.sh
+++ b/remediation-kits/services/3.15-disable-imap-and-pop3-server.sh
@@ -1 +1,12 @@
-systemctl --now disable dovecot
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa dovecot)" ]; then
+ result=$(systemctl is-enabled dovecot)
+ if [ $result == enabled ]; then
+ systemctl --now disable dovecot
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.16-disable-smtp-protocol.sh b/remediation-kits/services/3.16-disable-smtp-protocol.sh
index 3af11c964c7c6b804d1275c1323998e4818fe98f..718d3318a3ed7cb553ce6a645dbad3b84fd93f4d 100644
--- a/remediation-kits/services/3.16-disable-smtp-protocol.sh
+++ b/remediation-kits/services/3.16-disable-smtp-protocol.sh
@@ -1 +1,12 @@
-systemctl --now disable postfix.service
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa postfix)" ]; then
+ result=$(systemctl is-enabled postfix.service)
+ if [ $result == enabled ]; then
+ systemctl --now disable postfix.service
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
diff --git a/remediation-kits/services/3.17-disable-or-uninstall-the-telnet.sh b/remediation-kits/services/3.17-disable-or-uninstall-the-telnet.sh
index 7364559ceead8e441d50fda3904925fb1ef993c8..ee95e9e7f72bfdae5f4d83cea833f5d40bc8768b 100644
--- a/remediation-kits/services/3.17-disable-or-uninstall-the-telnet.sh
+++ b/remediation-kits/services/3.17-disable-or-uninstall-the-telnet.sh
@@ -1 +1,14 @@
-dnf remove -y telnet telnet-server || systemctl --now disable telnet.socket
\ No newline at end of file
+#!/usr/bin/env bash
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa | grep telnet)" ]; then
+ dnf remove -y telnet telnet-server
+ [[ $? != 0 ]] && result=$(systemctl is-enabled telnet.socket)
+ if [[ $result == enabled ]]; then
+ systemctl --now disable telnet.socket
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.18-uninstall-the-avahi-server.sh b/remediation-kits/services/3.18-uninstall-the-avahi-server.sh
index 26adfaf794e5fc3658a9507be2e6d753e569a9f6..14ee7bcaf5d581ad57c98f2fd321c462c9801ded 100644
--- a/remediation-kits/services/3.18-uninstall-the-avahi-server.sh
+++ b/remediation-kits/services/3.18-uninstall-the-avahi-server.sh
@@ -1 +1,7 @@
-yum remove -y --noautoremove avahi
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa avahi)" ]; then
+ yum remove -y --noautoremove avahi
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.19-uninstall-the-kexec-tools.sh b/remediation-kits/services/3.19-uninstall-the-kexec-tools.sh
index 7d5e3c5a92dd6ff658fe88d477d580f303fedfe8..d809b6ebffbdbe95b82ab24f07108b55e86d2a98 100644
--- a/remediation-kits/services/3.19-uninstall-the-kexec-tools.sh
+++ b/remediation-kits/services/3.19-uninstall-the-kexec-tools.sh
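Review bot: When `dnf remove -y telnet telnet-server` succeeds, `$?` is 0, so `result` is never assigned and the script falls through to `exit 1`, reporting the successful uninstall as a failure; only the fallback path can ever exit 0. Replace the two lines with `dnf remove -y telnet telnet-server && exit 0` and `result=$(systemctl is-enabled telnet.socket)` so the disable branch runs only when removal failed, which is what the old `||` one-liner did. 3.28 in this commit has the identical `[[ $? != 0 ]] && result=...` fall-through with `yum remove`.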
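Review bot: The uninstall scripts in this commit alternate between `yum remove -y --noautoremove` (here, and in 3.19, 3.20, 3.21, 3.28) and `dnf remove -y` (3.17, 3.22, 3.25) for the same job; `--noautoremove` is a dnf option that an older yum may not accept, and the mixed spelling reads as if the difference were intentional. Pick one form, e.g. `dnf remove -y --noautoremove avahi`, across the kit. The `exit 1` in the else branch also reports an already-absent package as a failed remediation; if the runner distinguishes "nothing to do" from "failed", a comment or `exit 0` there would make the intent explicit.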
@@ -1 +1,7 @@
-yum remove -y --noautoremove kexec-tools
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa | grep kexec)" ]; then
+ yum remove -y --noautoremove kexec-tools
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.2-disable-ftp-server.sh b/remediation-kits/services/3.2-disable-ftp-server.sh
index fd2956c7e7605d4ecbd41ab41153589505d8ceb4..ff378f5b72062ec61c870c9c36424256a978d4f6 100644
--- a/remediation-kits/services/3.2-disable-ftp-server.sh
+++ b/remediation-kits/services/3.2-disable-ftp-server.sh
@@ -1 +1,12 @@
-systemctl --now disable vsftpd
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa vsftpd)" ]; then
+ result=$(systemctl is-enabled vsftpd)
+ if [ $result == enabled ]; then
+ systemctl --now disable vsftpd
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.20-uninstall-the-firstboot.sh b/remediation-kits/services/3.20-uninstall-the-firstboot.sh
index 008ae9d62052c3440805717424732412061dc4f9..cbeea2f83f24dfa5526874d49442a2812b70564d 100644
--- a/remediation-kits/services/3.20-uninstall-the-firstboot.sh
+++ b/remediation-kits/services/3.20-uninstall-the-firstboot.sh
@@ -1 +1,7 @@
-yum remove -y --noautoremove firstboot
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa | grep firstboot)" ]; then
+ yum remove -y --noautoremove firstboot
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.21-uninstall-the-wpa_supplicant.sh b/remediation-kits/services/3.21-uninstall-the-wpa_supplicant.sh
index 084aa8668fc8d7216f74b03b5076f0dd5f7954af..1732f6d4fbc972c8c598a057d85aac76f78a9c3b 100644
--- a/remediation-kits/services/3.21-uninstall-the-wpa_supplicant.sh
+++ b/remediation-kits/services/3.21-uninstall-the-wpa_supplicant.sh
@@ -1 +1,7 @@
-yum remove -y --noautoremove wpa_supplicant
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa wpa_supplicant)" ]; then
+ yum remove -y --noautoremove wpa_supplicant
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.22-ensure-NIS-Client-is-not-installed.sh b/remediation-kits/services/3.22-ensure-NIS-Client-is-not-installed.sh
index b3c39f7e087a78b9f190b57bcedfb42ce505708a..69db79668b53c8f37aec036e6fea29b153fe40d1 100644
--- a/remediation-kits/services/3.22-ensure-NIS-Client-is-not-installed.sh
+++ b/remediation-kits/services/3.22-ensure-NIS-Client-is-not-installed.sh
@@ -1 +1,7 @@
-dnf remove -y ypbind
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa ypbind)" ]; then
+ dnf remove -y ypbind
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.23-disable-rsh.sh b/remediation-kits/services/3.23-disable-rsh.sh
index 87bda8141990ce2a4136e1e68adcd91a9a716412..231969d66042dfe34020ae48e75303ab103212d2 100644
--- a/remediation-kits/services/3.23-disable-rsh.sh
+++ b/remediation-kits/services/3.23-disable-rsh.sh
@@ -1 +1,12 @@
-systemctl --now disable rsh.socket
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa rsh)" ]; then
+ result=$(systemctl is-enabled rsh.socket)
+ if [ $result == enabled ]; then
+ systemctl --now disable rsh.socket
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.24-disable-ntalk.sh b/remediation-kits/services/3.24-disable-ntalk.sh
index f6828df5ebccf4f0da6de3a74ef3060c1fefbd58..fe4d3500120be1db70378fada9f74f623df3739d 100644
--- a/remediation-kits/services/3.24-disable-ntalk.sh
+++ b/remediation-kits/services/3.24-disable-ntalk.sh
@@ -1 +1,12 @@
-systemctl --now disable ntalk.socket
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa ntalk)" ]; then
+ result=$(systemctl is-enabled ntalk.socket)
+ if [ $result == enabled ]; then
+ systemctl --now disable ntalk.socket
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.25-ensure-xinetd-is-not-installed.sh b/remediation-kits/services/3.25-ensure-xinetd-is-not-installed.sh
index 43110c0ec7429f88005f614efc5c70d1193fb083..776621b1701756ebd42bfc634924e4826e20e4c6 100644
--- a/remediation-kits/services/3.25-ensure-xinetd-is-not-installed.sh
+++ b/remediation-kits/services/3.25-ensure-xinetd-is-not-installed.sh
@@ -1 +1,7 @@
-dnf remove -y xinetd
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa xinetd)" ]; then
+ dnf remove -y xinetd
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.28-disable-automounting.sh b/remediation-kits/services/3.28-disable-automounting.sh
index d1adc9ce45d3a4badbc3c13e40dba90925f3d8d4..1f23ec6df3a494b7e60206fec99eb8aef307ff99 100644
--- a/remediation-kits/services/3.28-disable-automounting.sh
+++ b/remediation-kits/services/3.28-disable-automounting.sh
@@ -1 +1,13 @@
-(rpm -e --test autofs && dnf remove -y autofs) || systemctl --now disable autofs
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa autofs)" ]; then
+ yum remove -y --noautoremove autofs
+ [[ $? != 0 ]] && result=$(systemctl is-enabled autofs.service)
+ if [[ $result == enabled ]]; then
+ systemctl --now disable autofs
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.3-disable-dns-server.sh b/remediation-kits/services/3.3-disable-dns-server.sh
index 262765b3dea58147674bb41b1b946336fe4e1c1b..d2dfcd12c770a77acc352059b8f7619fe46e3353 100644
--- a/remediation-kits/services/3.3-disable-dns-server.sh
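Review bot: The replaced one-liner removed `autofs` only after `rpm -e --test autofs` confirmed nothing else depends on it, and disabled the unit otherwise; the new code runs `yum remove -y --noautoremove autofs` unconditionally, and `--noautoremove` only keeps unused dependencies installed, it does not stop the transaction from removing packages that require autofs. Keep the dependency test as the gate, e.g. `if rpm -e --test autofs && yum remove -y --noautoremove autofs; then exit 0; fi`, before falling back to `systemctl --now disable autofs`. The `[[ $? != 0 ]] && result=...` fall-through that turns a successful removal into `exit 1` is the same defect as in 3.17.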
+++ b/remediation-kits/services/3.3-disable-dns-server.sh
@@ -1 +1,12 @@
-systemctl --now disable named
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa bind)" ]; then
+ result=$(systemctl is-enabled named)
+ if [ $result == enabled ]; then
+ systemctl --now disable named
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.4-disable-nfs.sh b/remediation-kits/services/3.4-disable-nfs.sh
index 24c403293dd9451534d8d5ad2f8bc9e24757c1d3..fd293907eef27f92ddc28a98c659c17c6a8a62df 100644
--- a/remediation-kits/services/3.4-disable-nfs.sh
+++ b/remediation-kits/services/3.4-disable-nfs.sh
@@ -1 +1,12 @@
-systemctl --now disable nfs-server
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa nfs-utils)" ]; then
+ result=$(systemctl is-enabled nfs-server)
+ if [ $result == enabled ]; then
+ systemctl --now disable nfs-server
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.5-disable-rpc.sh b/remediation-kits/services/3.5-disable-rpc.sh
index a775260e45bece8de083f6c38fb64fe6212e82e7..fd9f38ae6c2e924d6ef209695aa07b86ff81f338 100644
--- a/remediation-kits/services/3.5-disable-rpc.sh
+++ b/remediation-kits/services/3.5-disable-rpc.sh
@@ -1,3 +1,14 @@
-systemctl stop rpcbind.socket
-systemctl mask rpcbind
-systemctl stop rpcbind.service
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa rpcbind)" ]; then
+ result=$(systemctl is-enabled rpcbind)
+ if [ $result == enabled ]; then
+ systemctl stop rpcbind.socket
+ systemctl mask rpcbind
+ systemctl stop rpcbind.service
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.6-disable-ldap-server.sh b/remediation-kits/services/3.6-disable-ldap-server.sh
index a2f34927ba02300ed0e23e57aacc3f3bcd6a86e4..174a3e3e151f045d530836233de3c485353a7807 100644
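Review bot: The gate reads `systemctl is-enabled rpcbind`, i.e. the service, but this remediation exists to stop and mask socket activation; if `rpcbind.service` reports `disabled`, `static` or `indirect` while `rpcbind.socket` is still `enabled`, the script exits 1 and leaves the socket listening, which the unconditional version it replaces did not. Check the socket as well, `if [[ "$result" == enabled || "$(systemctl is-enabled rpcbind.socket)" == enabled ]]; then`, and consider masking `rpcbind.socket` alongside `rpcbind` so the socket cannot simply be re-enabled later.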
--- a/remediation-kits/services/3.6-disable-ldap-server.sh
+++ b/remediation-kits/services/3.6-disable-ldap-server.sh
@@ -1 +1,12 @@
-systemctl --now disable slapd
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa openldap-servers)" ]; then
+ result=$(systemctl is-enabled slapd)
+ if [ $result == enabled ]; then
+ systemctl --now disable slapd
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.7-disable-dhcp-server.sh b/remediation-kits/services/3.7-disable-dhcp-server.sh
index 122d95d030aaf19267b388a8daa3a071d5f4a8f4..8e71e895a8b99cde4420df6c2a1f8c097ffd4a49 100644
--- a/remediation-kits/services/3.7-disable-dhcp-server.sh
+++ b/remediation-kits/services/3.7-disable-dhcp-server.sh
@@ -1 +1,12 @@
-systemctl --now disable dhcpd
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa | grep dhcp)" ]; then
+ result=$(systemctl is-enabled dhcpd)
+ if [ $result == enabled ]; then
+ systemctl --now disable dhcpd
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.8-disable-cups.sh b/remediation-kits/services/3.8-disable-cups.sh
index 7ee05ccf626c5a49c32c57f98a2dca48f0214d78..42b1c693599f3c6956a09efcfd52fcc150d3a62a 100644
--- a/remediation-kits/services/3.8-disable-cups.sh
+++ b/remediation-kits/services/3.8-disable-cups.sh
@@ -1 +1,12 @@
-systemctl --now disable cups
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa cups)" ]; then
+ result=$(systemctl is-enabled cups)
+ if [ $result == enabled ]; then
+ systemctl --now disable cups
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.9-disable-nis-server.sh b/remediation-kits/services/3.9-disable-nis-server.sh
index 782bcc76c2c6e20f5390e88e24b5e55b2a1ca4c6..ac9162e3d849a125ac11cde2949f76eef630247e 100644
--- a/remediation-kits/services/3.9-disable-nis-server.sh
+++ b/remediation-kits/services/3.9-disable-nis-server.sh
@@ -1 +1,12 @@
-systemctl --now disable ypserv
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa ypserv)" ]; then
+ result=$(systemctl is-enabled ypserv)
+ if [ $result == enabled ]; then
+ systemctl --now disable ypserv
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/scanners/mandatory-access-control/5.2-ensure-selinux-policy-is-configured.sh b/scanners/mandatory-access-control/5.2-ensure-selinux-policy-is-configured.sh
index 81bfeb6da61608b16dbd9a961818271a1b4d72a2..e91fe530faed52c3d3d623885e3acdcd985abd90 100755
--- a/scanners/mandatory-access-control/5.2-ensure-selinux-policy-is-configured.sh
+++ b/scanners/mandatory-access-control/5.2-ensure-selinux-policy-is-configured.sh
@@ -1,4 +1,6 @@
 #!/bin/bash
+export LANG="en_US.UTF-8"
+
 SELINUX=`grep -E "^\s*SELINUX=disabled\b" /etc/selinux/config`
 SELINUX_R=`echo $?` # include 0
diff --git a/scanners/mandatory-access-control/5.9-ensure-setroubleshoot-is-not-installed.sh b/scanners/mandatory-access-control/5.9-ensure-setroubleshoot-is-not-installed.sh
index 44763208e61562cf4517846ed691b82e3ec84c27..e012fe2b21787e2e684194141620199fa4ebed1a 100644
--- a/scanners/mandatory-access-control/5.9-ensure-setroubleshoot-is-not-installed.sh
+++ b/scanners/mandatory-access-control/5.9-ensure-setroubleshoot-is-not-installed.sh
@@ -1,4 +1,6 @@
 #!/usr/bin/env bash
+export LANG="en_US.UTF-8"
+
 result=false
 rpm -q setroubleshoot | grep -Psiq "^package\s+setroubleshoot\s+is\s+not\s+installed$" && result=true
diff --git a/scanners/services/3.28-disable-automounting.sh b/scanners/services/3.28-disable-automounting.sh
index fc9286d7f400b59404a0ef363796bdce9ce247ef..d4619b63a6ecd4e148a0d725693330a2a86d2e84 100644
--- a/scanners/services/3.28-disable-automounting.sh
+++ b/scanners/services/3.28-disable-automounting.sh
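Review bot: `export LANG="en_US.UTF-8"` does not pin the message text this scanner parses, because `rpm` selects its message catalogue from `LC_ALL` and `LC_MESSAGES` before `LANG`; a caller that has either of those set (cron and CI wrappers commonly do) still gets a translated "is not installed" line, the `grep -Psiq "^package\s+setroubleshoot\s+is\s+not\s+installed$"` never matches, and `result` stays false, so an absent package is reported as present. Use `export LC_ALL=C` (or set it alongside `LANG`) here and in the other scanners touched by this commit (5.2, services/3.28, 4.46, 4.60, 4.61), and in the remediation kits where the same line was added. A one-line comment above the export, `# force a C locale: the grep below matches rpm's English message text`, would record why it is there.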
@@ -1,3 +1,5 @@
+export LANG="en_US.UTF-8"
+
 rpmAutofs=$(rpm -qa | grep ^autofs)
 [[ -z $rpmAutofs ]] || sysAutofs=$(systemctl is-enabled autofs)
diff --git a/scanners/services/3.3-disable-dns-server.sh b/scanners/services/3.3-disable-dns-server.sh
index bc8ac1d1ccc6208a924b5729197053950bf79d4f..665b8a327e81ad6b8857d24b16337b9a4c815cc5 100644
--- a/scanners/services/3.3-disable-dns-server.sh
+++ b/scanners/services/3.3-disable-dns-server.sh
@@ -1,4 +1,4 @@
-if [ "$(rpm -qa named)" ]; then
+if [ "$(rpm -qa bind)" ]; then
 result=$(systemctl is-enabled named)
 if [ $result != enabled ]; then
 echo "pass"
diff --git a/scanners/system-configurations/4.46-ensure-wireless-interfaces-are-disabled.sh b/scanners/system-configurations/4.46-ensure-wireless-interfaces-are-disabled.sh
index d1372ad042e4f9d3de7a67a43011fc5de27c0f71..6c3d54cad1353b6012fb53faa49ac469529f7df5 100644
--- a/scanners/system-configurations/4.46-ensure-wireless-interfaces-are-disabled.sh
+++ b/scanners/system-configurations/4.46-ensure-wireless-interfaces-are-disabled.sh
@@ -1,3 +1,5 @@
+export LANG="en_US.UTF-8"
+
 if command -v nmcli >/dev/null 2>&1 ; then
 if nmcli radio all | grep -Eq '\s*\S+\s+disabled\s+\S+\s+disabled\b'; then
 echo "pass"
diff --git a/scanners/system-configurations/4.60-ensure-iptables-is-not-enabled.sh b/scanners/system-configurations/4.60-ensure-iptables-is-not-enabled.sh
index f01945b5135d7a67d8740e06265454ab61bf63a9..d4e3483f0828bab2f4e94c49fb593c30d05c90d9 100644
--- a/scanners/system-configurations/4.60-ensure-iptables-is-not-enabled.sh
+++ b/scanners/system-configurations/4.60-ensure-iptables-is-not-enabled.sh
@@ -1,3 +1,5 @@
+export LANG="en_US.UTF-8"
+
 result=""
 rpm -q iptables-services | grep -Psq "^iptables\-services.*" || result=true
diff --git a/scanners/system-configurations/4.61-ensure-nftables-is-not-enabled.sh b/scanners/system-configurations/4.61-ensure-nftables-is-not-enabled.sh
index 341662afb2d7df018b41087ad57955ceb42371d2..f4b89a9272450a83fd980b3dce4115d979f5e41e 100644
--- a/scanners/system-configurations/4.61-ensure-nftables-is-not-enabled.sh
+++ b/scanners/system-configurations/4.61-ensure-nftables-is-not-enabled.sh
@@ -1,3 +1,5 @@
+export LANG="en_US.UTF-8"
+
 result=""
 rpm -q nftables | grep -Psq "^nftables\-.*" || result=true
diff --git a/tools/remediation-kits/config/Anolis_security_benchmark_level1.config b/tools/remediation-kits/config/Anolis_security_benchmark_level1.config
index 8466135a75a701bb8d228eb2466509a92e899781..7db57000c9544a2dd4f10e7e02ac87b212186c91 100644
--- a/tools/remediation-kits/config/Anolis_security_benchmark_level1.config
+++ b/tools/remediation-kits/config/Anolis_security_benchmark_level1.config
@@ -39,10 +39,36 @@
 2.18
 2.19
 2.26
+3.1
+3.2
+3.3
+3.4
 3.5
+3.6
+3.7
+3.8
+3.9
+3.10
+3.11
+3.12
+3.13
+3.14
+3.15
+3.16
+3.17
+3.18
+3.20
+3.21
+3.22
+3.23
+3.24
+3.25
 3.26
+3.27
+3.28
 4.2
 4.3
+4.7
 4.8
 4.9
 4.11
@@ -51,6 +77,7 @@
 4.44
 4.45
 4.46
+4.47
 4.48
 4.49
 4.50
@@ -65,4 +92,4 @@
 4.67
 4.68
 5.1
-4.1
\ No newline at end of file
+4.1
diff --git a/tools/remediation-kits/config/Anolis_security_benchmark_level3.config b/tools/remediation-kits/config/Anolis_security_benchmark_level3.config
index 5eeeb35d8951f83c3e27923fed9ca892ee8a37a6..0ec9b9cce69747f77014acd93949f66f5523c0b6 100644
--- a/tools/remediation-kits/config/Anolis_security_benchmark_level3.config
+++ b/tools/remediation-kits/config/Anolis_security_benchmark_level3.config
@@ -45,11 +45,37 @@
 2.24
 2.25
 2.26
+3.1
+3.2
+3.3
+3.4
 3.5
+3.6
+3.7
+3.8
+3.9
+3.10
+3.11
+3.12
+3.13
+3.14
+3.15
+3.16
+3.17
+3.18
 3.19
+3.20
+3.21
+3.22
+3.23
+3.24
+3.25
 3.26
+3.27
+3.28
 4.2
 4.3
+4.7
 4.8
 4.9
 4.11
@@ -58,6 +84,7 @@
 4.44
 4.45
 4.46
+4.47
 4.48
 4.49
 4.50
@@ -76,4 +103,4 @@
 5.1
 5.2
 5.3
-4.1
\ No newline at end of file
+4.1
diff --git a/tools/remediation-kits/config/README.md b/tools/remediation-kits/config/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..c9d88a22a08f83be4244ac265c85e430201ccfb8
--- /dev/null
+++ b/tools/remediation-kits/config/README.md
@@ -0,0 +1,13 @@
+# 1. 部分未通过项目说明:
+
+##### 1.34-ensure-inactive-password-lock-is-30-days-or-less
+
+[benchmark](https://gitee.com/anolis/security-benchmark/blob/master/benchmarks/access-and-control/1.34-ensure-inactive-password-lock-is-30-days-or-less.md)
+
+[修复脚本](https://gitee.com/anolis/security-benchmark/blob/master/remediation-kits/access-and-control/1.34-ensure-inactive-password-lock-is-30-days-or-less.sh)
+
+[检测脚本](https://gitee.com/anolis/security-benchmark/blob/master/scanners/access-and-control/1.34-ensure-inactive-password-lock-is-30-days-or-less.sh)
+
+- 因ISO镜像中,root用户如从未修改过密码,在shadow文件的密码修改时间会记录为空。如此时执行此项加固,将导致root用户被锁定无法正常登陆。
+- 鉴于以上原因,此项修复脚本中加入了对密码修改时间的检测,如有密码修改时间为空的账户,将会退出本次修复流程,并展示异常用户。
+- 对异常用户进行一次密码修改即可解决该问题,之后可重新执行修复脚本进行修复。
diff --git a/tools/remediation-kits/config/Reference_CIS.config b/tools/remediation-kits/config/Reference_CIS.config
index 8725e02d96f4d8f3ef7980b531e4717ed0858569..4963f7e7a25bdef47aa8bd9b63545bad52e7aa5e 100644
--- a/tools/remediation-kits/config/Reference_CIS.config
+++ b/tools/remediation-kits/config/Reference_CIS.config
@@ -33,10 +33,29 @@
 2.24
 2.25
 2.26
+3.1
+3.2
+3.3
+3.4
 3.5
+3.6
+3.7
+3.8
+3.9
+3.10
+3.11
+3.12
+3.13
+3.14
+3.15
+3.22
+3.25
 3.26
+3.27
+3.28
 4.2
 4.3
+4.7
 4.8
 4.9
 4.11
@@ -44,6 +63,7 @@
 4.44
 4.45
 4.46
+4.47
 4.48
 4.49
 4.50
@@ -56,4 +76,4 @@
 4.63
 4.64
 4.1
-4.71
\ No newline at end of file
+4.71
diff --git a/tools/remediation-kits/config/Reference_DengBaoThree.config b/tools/remediation-kits/config/Reference_DengBaoThree.config
index 1da9a40c428cd2965b840cae6964a5c2d823fccc..7903aa86bd7a64d837f3a5f810bb8b52264cd746 100644
--- a/tools/remediation-kits/config/Reference_DengBaoThree.config
+++ b/tools/remediation-kits/config/Reference_DengBaoThree.config
@@ -12,5 +12,15 @@
 2.21
 2.22
 2.23
+3.4
 3.5
-3.19
\ No newline at end of file
+3.14
+3.15
+3.17
+3.18
+3.19
+3.20
+3.21
+3.22
+3.23
+3.24
\ No newline at end of file