From e3329fe1f1ef845f22e0b2774ac24bfa82bce285 Mon Sep 17 00:00:00 2001
From: YuQing Yang
Date: Tue, 7 Nov 2023 16:37:42 +0800
Subject: [PATCH 1/4] tools/remediation-kits/config: Anolis_security_benchmark_level1.config Anolis_security_benchmark_level3.config Reference_CIS.config Reference_DengBaoThree.config Updating the config file of the remediation-kits tool to align with the latest version of anolis8.8
Signed-off-by: YuQing Yang
---
 .../Anolis_security_benchmark_level1.config | 29 ++++++++++++++++++-
 .../Anolis_security_benchmark_level3.config | 29 ++++++++++++++++++-
 .../config/Reference_CIS.config | 22 +++++++++++++-
 .../config/Reference_DengBaoThree.config | 12 +++++++-
 4 files changed, 88 insertions(+), 4 deletions(-)
diff --git a/tools/remediation-kits/config/Anolis_security_benchmark_level1.config b/tools/remediation-kits/config/Anolis_security_benchmark_level1.config
index 8466135..7db5700 100644
--- a/tools/remediation-kits/config/Anolis_security_benchmark_level1.config
+++ b/tools/remediation-kits/config/Anolis_security_benchmark_level1.config
@@ -39,10 +39,36 @@
 2.18
 2.19
 2.26
+3.1
+3.2
+3.3
+3.4
 3.5
+3.6
+3.7
+3.8
+3.9
+3.10
+3.11
+3.12
+3.13
+3.14
+3.15
+3.16
+3.17
+3.18
+3.20
+3.21
+3.22
+3.23
+3.24
+3.25
 3.26
+3.27
+3.28
 4.2
 4.3
+4.7
 4.8
 4.9
 4.11
@@ -51,6 +77,7 @@
 4.44
 4.45
 4.46
+4.47
 4.48
 4.49
 4.50
@@ -65,4 +92,4 @@
 4.67
 4.68
 5.1
-4.1
\ No newline at end of file
+4.1
diff --git a/tools/remediation-kits/config/Anolis_security_benchmark_level3.config b/tools/remediation-kits/config/Anolis_security_benchmark_level3.config
index 5eeeb35..0ec9b9c 100644
--- a/tools/remediation-kits/config/Anolis_security_benchmark_level3.config
+++ b/tools/remediation-kits/config/Anolis_security_benchmark_level3.config
@@ -45,11 +45,37 @@
 2.24
 2.25
 2.26
+3.1
+3.2
+3.3
+3.4
 3.5
+3.6
+3.7
+3.8
+3.9
+3.10
+3.11
+3.12
+3.13
+3.14
+3.15
+3.16
+3.17
+3.18
 3.19
+3.20
+3.21
+3.22
+3.23
+3.24
+3.25
 3.26
+3.27
+3.28
 4.2
 4.3
+4.7
 4.8
 4.9
 4.11
@@ -58,6 +84,7 @@
 4.44
 4.45
 4.46
+4.47
 4.48
 4.49
 4.50
@@ -76,4 +103,4 @@
 5.1
 5.2
 5.3
-4.1
\ No newline at end of file
+4.1
diff --git a/tools/remediation-kits/config/Reference_CIS.config b/tools/remediation-kits/config/Reference_CIS.config
index 8725e02..4963f7e 100644
--- a/tools/remediation-kits/config/Reference_CIS.config
+++ b/tools/remediation-kits/config/Reference_CIS.config
@@ -33,10 +33,29 @@
 2.24
 2.25
 2.26
+3.1
+3.2
+3.3
+3.4
 3.5
+3.6
+3.7
+3.8
+3.9
+3.10
+3.11
+3.12
+3.13
+3.14
+3.15
+3.22
+3.25
 3.26
+3.27
+3.28
 4.2
 4.3
+4.7
 4.8
 4.9
 4.11
@@ -44,6 +63,7 @@
 4.44
 4.45
 4.46
+4.47
 4.48
 4.49
 4.50
@@ -56,4 +76,4 @@
 4.63
 4.64
 4.1
-4.71
\ No newline at end of file
+4.71
diff --git a/tools/remediation-kits/config/Reference_DengBaoThree.config b/tools/remediation-kits/config/Reference_DengBaoThree.config
index 1da9a40..7903aa8 100644
--- a/tools/remediation-kits/config/Reference_DengBaoThree.config
+++ b/tools/remediation-kits/config/Reference_DengBaoThree.config
@@ -12,5 +12,15 @@
 2.21
 2.22
 2.23
+3.4
 3.5
-3.19
\ No newline at end of file
+3.14
+3.15
+3.17
+3.18
+3.19
+3.20
+3.21
+3.22
+3.23
+3.24
\ No newline at end of file
--
Gitee
From 1b37a1f131dc3c49052cd4dcaf53201ff15dff61 Mon Sep 17 00:00:00 2001
From: Yuqing Yang
Date: Wed, 8 Nov 2023 15:47:29 +0800
Subject: [PATCH 2/4] tools/remediation-kits/config/README.md Added readme file: Added section repair script instructions.
Signed-off-by: Yuqing Yang
---
 tools/remediation-kits/config/README.md | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 tools/remediation-kits/config/README.md
diff --git a/tools/remediation-kits/config/README.md b/tools/remediation-kits/config/README.md
new file mode 100644
index 0000000..c9d88a2
--- /dev/null
+++ b/tools/remediation-kits/config/README.md
@@ -0,0 +1,13 @@
+# 1. 部分未通过项目说明:
+
+##### 1.34-ensure-inactive-password-lock-is-30-days-or-less
+
+[benchmark](https://gitee.com/anolis/security-benchmark/blob/master/benchmarks/access-and-control/1.34-ensure-inactive-password-lock-is-30-days-or-less.md)
+
+[修复脚本](https://gitee.com/anolis/security-benchmark/blob/master/remediation-kits/access-and-control/1.34-ensure-inactive-password-lock-is-30-days-or-less.sh)
+
+[检测脚本](https://gitee.com/anolis/security-benchmark/blob/master/scanners/access-and-control/1.34-ensure-inactive-password-lock-is-30-days-or-less.sh)
+
+- 因ISO镜像中,root用户如从未修改过密码,在shadow文件的密码修改时间会记录为空。如此时执行此项加固,将导致root用户被锁定无法正常登陆。
+- 鉴于以上原因,此项修复脚本中加入了对密码修改时间的检测,如有密码修改时间为空的账户,将会退出本次修复流程,并展示异常用户。
+- 对异常用户进行一次密码修改即可解决该问题,之后可重新执行修复脚本进行修复。
--
Gitee
From f784812147019647e892ef7c2b61dbc4ff071023 Mon Sep 17 00:00:00 2001
From: Yuqing Yang
Date: Wed, 8 Nov 2023 15:53:28 +0800
Subject: [PATCH 3/4] Added support for non-English language systems.
Signed-off-by: Yuqing Yang
---
 .../5.2-ensure-selinux-policy-is-configured.sh | 2 ++
 .../5.9-ensure-setroubleshoot-is-not-installed.sh | 2 ++
 scanners/services/3.28-disable-automounting.sh | 2 ++
 .../4.46-ensure-wireless-interfaces-are-disabled.sh | 2 ++
 .../4.60-ensure-iptables-is-not-enabled.sh | 2 ++
 .../4.61-ensure-nftables-is-not-enabled.sh | 2 ++
 6 files changed, 12 insertions(+)
diff --git a/scanners/mandatory-access-control/5.2-ensure-selinux-policy-is-configured.sh b/scanners/mandatory-access-control/5.2-ensure-selinux-policy-is-configured.sh
index 81bfeb6..e91fe53 100755
--- a/scanners/mandatory-access-control/5.2-ensure-selinux-policy-is-configured.sh
+++ b/scanners/mandatory-access-control/5.2-ensure-selinux-policy-is-configured.sh
@@ -1,4 +1,6 @@
 #!/bin/bash
+export LANG="en_US.UTF-8"
+
 SELINUX=`grep -E "^\s*SELINUX=disabled\b" /etc/selinux/config`
 SELINUX_R=`echo $?` # include 0
diff --git a/scanners/mandatory-access-control/5.9-ensure-setroubleshoot-is-not-installed.sh b/scanners/mandatory-access-control/5.9-ensure-setroubleshoot-is-not-installed.sh
index 4476320..e012fe2 100644
--- a/scanners/mandatory-access-control/5.9-ensure-setroubleshoot-is-not-installed.sh
+++ b/scanners/mandatory-access-control/5.9-ensure-setroubleshoot-is-not-installed.sh
@@ -1,4 +1,6 @@
 #!/usr/bin/env bash
+export LANG="en_US.UTF-8"
+
 result=false
 rpm -q setroubleshoot | grep -Psiq "^package\s+setroubleshoot\s+is\s+not\s+installed$" && result=true
diff --git a/scanners/services/3.28-disable-automounting.sh b/scanners/services/3.28-disable-automounting.sh
index fc9286d..d4619b6 100644
--- a/scanners/services/3.28-disable-automounting.sh
+++ b/scanners/services/3.28-disable-automounting.sh
@@ -1,3 +1,5 @@
+export LANG="en_US.UTF-8"
+
 rpmAutofs=$(rpm -qa | grep ^autofs)
 [[ -z $rpmAutofs ]] || sysAutofs=$(systemctl is-enabled autofs)
diff --git a/scanners/system-configurations/4.46-ensure-wireless-interfaces-are-disabled.sh b/scanners/system-configurations/4.46-ensure-wireless-interfaces-are-disabled.sh
index d1372ad..6c3d54c 100644
--- a/scanners/system-configurations/4.46-ensure-wireless-interfaces-are-disabled.sh
+++ b/scanners/system-configurations/4.46-ensure-wireless-interfaces-are-disabled.sh
@@ -1,3 +1,5 @@
+export LANG="en_US.UTF-8"
+
 if command -v nmcli >/dev/null 2>&1 ; then
 if nmcli radio all | grep -Eq '\s*\S+\s+disabled\s+\S+\s+disabled\b'; then
 echo "pass"
diff --git a/scanners/system-configurations/4.60-ensure-iptables-is-not-enabled.sh b/scanners/system-configurations/4.60-ensure-iptables-is-not-enabled.sh
index f01945b..d4e3483 100644
--- a/scanners/system-configurations/4.60-ensure-iptables-is-not-enabled.sh
+++ b/scanners/system-configurations/4.60-ensure-iptables-is-not-enabled.sh
@@ -1,3 +1,5 @@
+export LANG="en_US.UTF-8"
+
 result=""
 rpm -q iptables-services | grep -Psq "^iptables\-services.*" || result=true
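Review bot: The added `export LANG="en_US.UTF-8"` does not guarantee English output, because `LC_ALL` (and `LC_MESSAGES`) take precedence over `LANG` when set in the caller's environment, so the `grep -Psiq "^package\s+setroubleshoot\s+is\s+not\s+installed$"` on the context line can still be fed a translated message. `LC_ALL=C` is the robust choice: it overrides everything and the C locale is always present, unlike `en_US.UTF-8` on a minimal install; the same applies to every other hunk in this commit. Since the scanner already pipes `rpm -q`, consider `rpm -q setroubleshoot >/dev/null 2>&1 || result=true`, which relies on the exit status rather than on message text. The rest of the script is outside the hunk.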
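Review bot: In 3.28-disable-automounting.sh the hunk starts at line 1 with `+export LANG=...`, so the file has no shebang, yet the context line uses the bash-only `[[ -z $rpmAutofs ]]`; if the kit runs its scanners with `sh <file>` or via a non-bash login shell, that test fails. Add `#!/usr/bin/env bash` as the first line, as the 5.9 scanner in this same commit already has; the 4.46, 4.60 and 4.61 hunks show the same missing shebang. The remainder of the script is outside the hunk.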
diff --git a/scanners/system-configurations/4.61-ensure-nftables-is-not-enabled.sh b/scanners/system-configurations/4.61-ensure-nftables-is-not-enabled.sh
index 341662a..f4b89a9 100644
--- a/scanners/system-configurations/4.61-ensure-nftables-is-not-enabled.sh
+++ b/scanners/system-configurations/4.61-ensure-nftables-is-not-enabled.sh
@@ -1,3 +1,5 @@
+export LANG="en_US.UTF-8"
+
 result=""
 rpm -q nftables | grep -Psq "^nftables\-.*" || result=true
--
Gitee
From 980970a57cf1b87939f9c3b0494a8ad0dc47c3b1 Mon Sep 17 00:00:00 2001
From: Yuqing Yang
Date: Wed, 8 Nov 2023 15:54:31 +0800
Subject: [PATCH 4/4] remediation-kits/services/: Add checks to the repair scripts in the 'services' section to increase repeatability. scanners/services/3.3-disable-dns-server.sh: Fix the rpm package name bug.
Signed-off-by: Yuqing Yang
---
 .../services/3.1-disable-http-server.sh | 13 ++++++++++++-
 .../services/3.10-disable-rsync-server.sh | 13 ++++++++++++-
 .../services/3.11-disable-avahi-server.sh | 12 ++++++++++--
 .../services/3.12-disable-snmp-server.sh | 13 ++++++++++++-
 .../services/3.13-disable-http-proxy-server.sh | 13 ++++++++++++-
 remediation-kits/services/3.14-disable-samba.sh | 13 ++++++++++++-
 .../3.15-disable-imap-and-pop3-server.sh | 13 ++++++++++++-
 .../services/3.16-disable-smtp-protocol.sh | 13 ++++++++++++-
 .../3.17-disable-or-uninstall-the-telnet.sh | 15 ++++++++++++++-
 .../services/3.18-uninstall-the-avahi-server.sh | 8 +++++++-
 .../services/3.19-uninstall-the-kexec-tools.sh | 8 +++++++-
 .../services/3.2-disable-ftp-server.sh | 13 ++++++++++++-
 .../services/3.20-uninstall-the-firstboot.sh | 8 +++++++-
 .../3.21-uninstall-the-wpa_supplicant.sh | 8 +++++++-
 .../3.22-ensure-NIS-Client-is-not-installed.sh | 8 +++++++-
 remediation-kits/services/3.23-disable-rsh.sh | 13 ++++++++++++-
 remediation-kits/services/3.24-disable-ntalk.sh | 13 ++++++++++++-
 .../3.25-ensure-xinetd-is-not-installed.sh | 8 +++++++-
 .../services/3.28-disable-automounting.sh | 14 +++++++++++++-
 .../services/3.3-disable-dns-server.sh | 13 ++++++++++++-
 remediation-kits/services/3.4-disable-nfs.sh | 13 ++++++++++++-
 remediation-kits/services/3.5-disable-rpc.sh | 17 ++++++++++++++---
 .../services/3.6-disable-ldap-server.sh | 13 ++++++++++++-
 .../services/3.7-disable-dhcp-server.sh | 13 ++++++++++++-
 remediation-kits/services/3.8-disable-cups.sh | 13 ++++++++++++-
 .../services/3.9-disable-nis-server.sh | 13 ++++++++++++-
 scanners/services/3.3-disable-dns-server.sh | 2 +-
 27 files changed, 286 insertions(+), 30 deletions(-)
diff --git a/remediation-kits/services/3.1-disable-http-server.sh b/remediation-kits/services/3.1-disable-http-server.sh
index 91c1117..8ef566f 100755
--- a/remediation-kits/services/3.1-disable-http-server.sh
+++ b/remediation-kits/services/3.1-disable-http-server.sh
@@ -1 +1,12 @@
-systemctl --now disable httpd
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa httpd)" ]; then
+ result=$(systemctl is-enabled httpd)
+ if [ $result == enabled ]; then
+ systemctl --now disable httpd
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.10-disable-rsync-server.sh b/remediation-kits/services/3.10-disable-rsync-server.sh
index 98e9e76..6b020db 100644
--- a/remediation-kits/services/3.10-disable-rsync-server.sh
+++ b/remediation-kits/services/3.10-disable-rsync-server.sh
@@ -1 +1,12 @@
-systemctl --now disable rsyncd
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa | grep rsync)" ]; then
+ result=$(systemctl is-enabled rsyncd)
+ if [ $result == enabled ]; then
+ systemctl --now disable rsyncd
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.11-disable-avahi-server.sh b/remediation-kits/services/3.11-disable-avahi-server.sh
index 0e1fbb4..226877c 100644
--- a/remediation-kits/services/3.11-disable-avahi-server.sh
+++ b/remediation-kits/services/3.11-disable-avahi-server.sh
@@ -1,2 +1,10 @@
-systemctl --now disable avahi-daemon.socket
-systemctl --now disable avahi-daemon.service
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa avahi)" ]; then
+ result=$(systemctl is-enabled avahi-daemon.socket)
+ result2=$(systemctl is-enabled avahi-daemon)
+ [[ $result == enabled ]] && systemctl --now disable avahi-daemon.socket
+ [[ $result2 == enabled ]] && systemctl --now disable avahi-daemon.service
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.12-disable-snmp-server.sh b/remediation-kits/services/3.12-disable-snmp-server.sh
index 295a8c7..02d5a45 100644
--- a/remediation-kits/services/3.12-disable-snmp-server.sh
+++ b/remediation-kits/services/3.12-disable-snmp-server.sh
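Review bot: `if [ $result == enabled ]` leaves `$result` unquoted; when httpd is installed but `systemctl is-enabled httpd` prints nothing on stdout (unit file absent or an error), the test degrades to `[ == enabled ]`, prints "unary operator expected" and falls into the `exit 1` branch. Write `if [ "$result" = enabled ]; then`, or drop the variable and use `if systemctl is-enabled --quiet httpd; then`. There is also a behavioural regression against the removed line: `systemctl --now disable httpd` stopped a running unit regardless of its enablement state, whereas the new branch only fires on `enabled`, so a unit reported as `disabled`, `static` or `indirect` that is currently active is left running and the script exits 1; `systemctl is-active --quiet httpd` should be an additional trigger. Exiting 1 on an already-compliant host also makes "nothing to do" indistinguishable from a failed remediation for whatever runner consumes the status, and this pattern is repeated in every remediation hunk of this commit. The script has no shebang line on the new side.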
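Review bot: In 3.10-disable-rsync-server.sh, `rpm -qa | grep rsync` is a substring match that succeeds for any installed package whose name contains "rsync", including the client-only `rsync` package, so the gate does not establish that an rsyncd unit exists; on such hosts `systemctl is-enabled rsyncd` prints nothing and the unquoted `[ $result == enabled ]` on the next line errors out. Gate on the unit rather than a package-name substring, e.g. `if systemctl list-unit-files rsyncd.service --no-legend 2>/dev/null | grep -q .; then`, or anchor the package query (`rpm -q rsync-daemon`, if that is the package shipping the unit on the target release — please confirm).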
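Review bot: In 3.11-disable-avahi-server.sh, `[[ $result2 == enabled ]] && systemctl --now disable avahi-daemon.service` is the last command executed inside the `if`, so whenever avahi-daemon.service is not `enabled` the script's exit status is 1 even when the socket was just disabled successfully. Append an explicit `exit 0` after the two checks, or write them as `if [[ $result == enabled ]]; then …; fi` statements so the status reflects the work done. Note this file also now exits 1 when avahi is installed but neither unit is enabled, which is the already-compliant case.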
@@ -1 +1,12 @@
-systemctl --now disable snmpd
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa net-snmp)" ]; then
+ result=$(systemctl is-enabled snmpd)
+ if [ $result == enabled ]; then
+ systemctl --now disable snmpd
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.13-disable-http-proxy-server.sh b/remediation-kits/services/3.13-disable-http-proxy-server.sh
index f0e2bb0..a571797 100644
--- a/remediation-kits/services/3.13-disable-http-proxy-server.sh
+++ b/remediation-kits/services/3.13-disable-http-proxy-server.sh
@@ -1 +1,12 @@
-systemctl --now disable squid
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa squid)" ]; then
+ result=$(systemctl is-enabled squid)
+ if [ $result == enabled ]; then
+ systemctl --now disable squid
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.14-disable-samba.sh b/remediation-kits/services/3.14-disable-samba.sh
index 2e8dc44..133c850 100644
--- a/remediation-kits/services/3.14-disable-samba.sh
+++ b/remediation-kits/services/3.14-disable-samba.sh
@@ -1 +1,12 @@
-systemctl --now disable smb
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa samba)" ]; then
+ result=$(systemctl is-enabled smb)
+ if [ $result == enabled ]; then
+ systemctl --now disable smb
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.15-disable-imap-and-pop3-server.sh b/remediation-kits/services/3.15-disable-imap-and-pop3-server.sh
index 83aada0..018fb8c 100644
--- a/remediation-kits/services/3.15-disable-imap-and-pop3-server.sh
+++ b/remediation-kits/services/3.15-disable-imap-and-pop3-server.sh
@@ -1 +1,12 @@
-systemctl --now disable dovecot
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa dovecot)" ]; then
+ result=$(systemctl is-enabled dovecot)
+ if [ $result == enabled ]; then
+ systemctl --now disable dovecot
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.16-disable-smtp-protocol.sh b/remediation-kits/services/3.16-disable-smtp-protocol.sh
index 3af11c9..718d331 100644
--- a/remediation-kits/services/3.16-disable-smtp-protocol.sh
+++ b/remediation-kits/services/3.16-disable-smtp-protocol.sh
@@ -1 +1,12 @@
-systemctl --now disable postfix.service
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa postfix)" ]; then
+ result=$(systemctl is-enabled postfix.service)
+ if [ $result == enabled ]; then
+ systemctl --now disable postfix.service
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
diff --git a/remediation-kits/services/3.17-disable-or-uninstall-the-telnet.sh b/remediation-kits/services/3.17-disable-or-uninstall-the-telnet.sh
index 7364559..ee95e9e 100644
--- a/remediation-kits/services/3.17-disable-or-uninstall-the-telnet.sh
+++ b/remediation-kits/services/3.17-disable-or-uninstall-the-telnet.sh
@@ -1 +1,14 @@
-dnf remove -y telnet telnet-server || systemctl --now disable telnet.socket
\ No newline at end of file
+#!/usr/bin/env bash
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa | grep telnet)" ]; then
+ dnf remove -y telnet telnet-server
+ [[ $? != 0 ]] && result=$(systemctl is-enabled telnet.socket)
+ if [[ $result == enabled ]]; then
+ systemctl --now disable telnet.socket
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.18-uninstall-the-avahi-server.sh b/remediation-kits/services/3.18-uninstall-the-avahi-server.sh
index 26adfaf..14ee7bc 100644
--- a/remediation-kits/services/3.18-uninstall-the-avahi-server.sh
+++ b/remediation-kits/services/3.18-uninstall-the-avahi-server.sh
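Review bot: In 3.17-disable-or-uninstall-the-telnet.sh the success path returns failure: when `dnf remove -y telnet telnet-server` succeeds, the `[[ $? != 0 ]] && result=$(...)` guard skips the assignment, `$result` stays empty, the following `if [[ $result == enabled ]]` is false and the script hits `exit 1`. Make the outcome explicit, e.g. `if dnf remove -y telnet telnet-server; then exit 0; fi` and only then fall back to querying `telnet.socket`. Separately, `rpm -qa | grep telnet` is a substring match and so does not distinguish a telnet client from telnet-server; since `dnf remove` is idempotent for absent packages, `rpm -q telnet telnet-server >/dev/null 2>&1` (any of them installed) would be a tighter and still locale-independent gate.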
@@ -1 +1,7 @@
-yum remove -y --noautoremove avahi
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa avahi)" ]; then
+ yum remove -y --noautoremove avahi
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.19-uninstall-the-kexec-tools.sh b/remediation-kits/services/3.19-uninstall-the-kexec-tools.sh
index 7d5e3c5..d809b6e 100644
--- a/remediation-kits/services/3.19-uninstall-the-kexec-tools.sh
+++ b/remediation-kits/services/3.19-uninstall-the-kexec-tools.sh
@@ -1 +1,7 @@
-yum remove -y --noautoremove kexec-tools
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa | grep kexec)" ]; then
+ yum remove -y --noautoremove kexec-tools
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.2-disable-ftp-server.sh b/remediation-kits/services/3.2-disable-ftp-server.sh
index fd2956c..ff378f5 100644
--- a/remediation-kits/services/3.2-disable-ftp-server.sh
+++ b/remediation-kits/services/3.2-disable-ftp-server.sh
@@ -1 +1,12 @@
-systemctl --now disable vsftpd
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa vsftpd)" ]; then
+ result=$(systemctl is-enabled vsftpd)
+ if [ $result == enabled ]; then
+ systemctl --now disable vsftpd
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.20-uninstall-the-firstboot.sh b/remediation-kits/services/3.20-uninstall-the-firstboot.sh
index 008ae9d..cbeea2f 100644
--- a/remediation-kits/services/3.20-uninstall-the-firstboot.sh
+++ b/remediation-kits/services/3.20-uninstall-the-firstboot.sh
@@ -1 +1,7 @@
-yum remove -y --noautoremove firstboot
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa | grep firstboot)" ]; then
+ yum remove -y --noautoremove firstboot
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.21-uninstall-the-wpa_supplicant.sh b/remediation-kits/services/3.21-uninstall-the-wpa_supplicant.sh
index 084aa86..1732f6d 100644
--- a/remediation-kits/services/3.21-uninstall-the-wpa_supplicant.sh
+++ b/remediation-kits/services/3.21-uninstall-the-wpa_supplicant.sh
@@ -1 +1,7 @@
-yum remove -y --noautoremove wpa_supplicant
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa wpa_supplicant)" ]; then
+ yum remove -y --noautoremove wpa_supplicant
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.22-ensure-NIS-Client-is-not-installed.sh b/remediation-kits/services/3.22-ensure-NIS-Client-is-not-installed.sh
index b3c39f7..69db796 100644
--- a/remediation-kits/services/3.22-ensure-NIS-Client-is-not-installed.sh
+++ b/remediation-kits/services/3.22-ensure-NIS-Client-is-not-installed.sh
@@ -1 +1,7 @@
-dnf remove -y ypbind
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa ypbind)" ]; then
+ dnf remove -y ypbind
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.23-disable-rsh.sh b/remediation-kits/services/3.23-disable-rsh.sh
index 87bda81..231969d 100644
--- a/remediation-kits/services/3.23-disable-rsh.sh
+++ b/remediation-kits/services/3.23-disable-rsh.sh
@@ -1 +1,12 @@
-systemctl --now disable rsh.socket
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa rsh)" ]; then
+ result=$(systemctl is-enabled rsh.socket)
+ if [ $result == enabled ]; then
+ systemctl --now disable rsh.socket
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.24-disable-ntalk.sh b/remediation-kits/services/3.24-disable-ntalk.sh
index f6828df..fe4d350 100644
--- a/remediation-kits/services/3.24-disable-ntalk.sh
+++ b/remediation-kits/services/3.24-disable-ntalk.sh
@@ -1 +1,12 @@
-systemctl --now disable ntalk.socket
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa ntalk)" ]; then
+ result=$(systemctl is-enabled ntalk.socket)
+ if [ $result == enabled ]; then
+ systemctl --now disable ntalk.socket
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.25-ensure-xinetd-is-not-installed.sh b/remediation-kits/services/3.25-ensure-xinetd-is-not-installed.sh
index 43110c0..776621b 100644
--- a/remediation-kits/services/3.25-ensure-xinetd-is-not-installed.sh
+++ b/remediation-kits/services/3.25-ensure-xinetd-is-not-installed.sh
@@ -1 +1,7 @@
-dnf remove -y xinetd
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa xinetd)" ]; then
+ dnf remove -y xinetd
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.28-disable-automounting.sh b/remediation-kits/services/3.28-disable-automounting.sh
index d1adc9c..1f23ec6 100644
--- a/remediation-kits/services/3.28-disable-automounting.sh
+++ b/remediation-kits/services/3.28-disable-automounting.sh
@@ -1 +1,13 @@
-(rpm -e --test autofs && dnf remove -y autofs) || systemctl --now disable autofs
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa autofs)" ]; then
+ yum remove -y --noautoremove autofs
+ [[ $? != 0 ]] && result=$(systemctl is-enabled autofs.service)
+ if [[ $result == enabled ]]; then
+ systemctl --now disable autofs
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.3-disable-dns-server.sh b/remediation-kits/services/3.3-disable-dns-server.sh
index 262765b..d2dfcd1 100644
--- a/remediation-kits/services/3.3-disable-dns-server.sh
+++ b/remediation-kits/services/3.3-disable-dns-server.sh
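Review bot: In 3.28-disable-automounting.sh a successful `yum remove -y --noautoremove autofs` leaves `$result` unset (the `[[ $? != 0 ]] &&` guard skips the assignment), so `if [[ $result == enabled ]]` is false and the script exits 1 precisely when the removal worked; use `if yum remove -y --noautoremove autofs; then exit 0; fi` before falling back to the disable path. The removed line also ran `rpm -e --test autofs` first, which refused the removal when other installed packages depend on autofs; `yum remove -y` answers yes for the whole transaction and `--noautoremove` only keeps unneeded dependencies, so packages that require autofs would now be removed along with it. Reinstate the `rpm -e --test autofs` pre-check (or pass it through as the condition for attempting removal at all) if that protection was intentional.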
@@ -1 +1,12 @@
-systemctl --now disable named
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa bind)" ]; then
+ result=$(systemctl is-enabled named)
+ if [ $result == enabled ]; then
+ systemctl --now disable named
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.4-disable-nfs.sh b/remediation-kits/services/3.4-disable-nfs.sh
index 24c4032..fd29390 100644
--- a/remediation-kits/services/3.4-disable-nfs.sh
+++ b/remediation-kits/services/3.4-disable-nfs.sh
@@ -1 +1,12 @@
-systemctl --now disable nfs-server
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa nfs-utils)" ]; then
+ result=$(systemctl is-enabled nfs-server)
+ if [ $result == enabled ]; then
+ systemctl --now disable nfs-server
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.5-disable-rpc.sh b/remediation-kits/services/3.5-disable-rpc.sh
index a775260..fd9f38a 100644
--- a/remediation-kits/services/3.5-disable-rpc.sh
+++ b/remediation-kits/services/3.5-disable-rpc.sh
@@ -1,3 +1,14 @@
-systemctl stop rpcbind.socket
-systemctl mask rpcbind
-systemctl stop rpcbind.service
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa rpcbind)" ]; then
+ result=$(systemctl is-enabled rpcbind)
+ if [ $result == enabled ]; then
+ systemctl stop rpcbind.socket
+ systemctl mask rpcbind
+ systemctl stop rpcbind.service
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.6-disable-ldap-server.sh b/remediation-kits/services/3.6-disable-ldap-server.sh
index a2f3492..174a3e3 100644
--- a/remediation-kits/services/3.6-disable-ldap-server.sh
+++ b/remediation-kits/services/3.6-disable-ldap-server.sh
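Review bot: In 3.5-disable-rpc.sh the gate `result=$(systemctl is-enabled rpcbind)` inspects only rpcbind.service, while the branch it guards stops `rpcbind.socket` and masks the service; on socket-activated installs the service is commonly reported as `indirect` or `static` while the socket is what is `enabled`, and in that state the new script exits 1 without stopping or masking anything — the removed lines did all three unconditionally. Check both units, e.g. `if systemctl is-enabled --quiet rpcbind.socket || systemctl is-enabled --quiet rpcbind.service || systemctl is-active --quiet rpcbind.socket; then`, and consider masking `rpcbind.socket` as well, since an enabled socket will re-activate a merely stopped service. The unquoted `[ $result == enabled ]` has the same empty-output failure mode as the other hunks in this commit.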
@@ -1 +1,12 @@
-systemctl --now disable slapd
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa openldap-servers)" ]; then
+ result=$(systemctl is-enabled slapd)
+ if [ $result == enabled ]; then
+ systemctl --now disable slapd
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.7-disable-dhcp-server.sh b/remediation-kits/services/3.7-disable-dhcp-server.sh
index 122d95d..8e71e89 100644
--- a/remediation-kits/services/3.7-disable-dhcp-server.sh
+++ b/remediation-kits/services/3.7-disable-dhcp-server.sh
@@ -1 +1,12 @@
-systemctl --now disable dhcpd
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa | grep dhcp)" ]; then
+ result=$(systemctl is-enabled dhcpd)
+ if [ $result == enabled ]; then
+ systemctl --now disable dhcpd
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.8-disable-cups.sh b/remediation-kits/services/3.8-disable-cups.sh
index 7ee05cc..42b1c69 100644
--- a/remediation-kits/services/3.8-disable-cups.sh
+++ b/remediation-kits/services/3.8-disable-cups.sh
@@ -1 +1,12 @@
-systemctl --now disable cups
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa cups)" ]; then
+ result=$(systemctl is-enabled cups)
+ if [ $result == enabled ]; then
+ systemctl --now disable cups
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/services/3.9-disable-nis-server.sh b/remediation-kits/services/3.9-disable-nis-server.sh
index 782bcc7..ac9162e 100644
--- a/remediation-kits/services/3.9-disable-nis-server.sh
+++ b/remediation-kits/services/3.9-disable-nis-server.sh
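Review bot: In 3.7-disable-dhcp-server.sh the gate `rpm -qa | grep dhcp` is a substring match that also hits client-side packages (on EL8-style systems typically `dhcp-client` and `dhcp-common`, which are present on most hosts), so the check passes on machines that have no DHCP server at all; `systemctl is-enabled dhcpd` then prints nothing for the missing unit and the unquoted `[ $result == enabled ]` errors with "unary operator expected" before taking the `exit 1` branch. Query the package that actually ships dhcpd — `rpm -q dhcp-server >/dev/null 2>&1` if that is its name on the target release (please confirm) — or gate on the unit itself, and quote the comparison: `if [ "$result" = enabled ]; then`.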
@@ -1 +1,12 @@
-systemctl --now disable ypserv
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa ypserv)" ]; then
+ result=$(systemctl is-enabled ypserv)
+ if [ $result == enabled ]; then
+ systemctl --now disable ypserv
+ else
+ exit 1
+ fi
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/scanners/services/3.3-disable-dns-server.sh b/scanners/services/3.3-disable-dns-server.sh
index bc8ac1d..665b8a3 100644
--- a/scanners/services/3.3-disable-dns-server.sh
+++ b/scanners/services/3.3-disable-dns-server.sh
@@ -1,4 +1,4 @@
-if [ "$(rpm -qa named)" ]; then
+if [ "$(rpm -qa bind)" ]; then
 result=$(systemctl is-enabled named)
 if [ $result != enabled ]; then
 echo "pass"
--
Gitee