diff --git a/remediation-kits/access-and-control/1.1-ensure-cron-daemon-is-enabled.sh b/remediation-kits/access-and-control/1.1-ensure-cron-daemon-is-enabled.sh
index 4957a2d8591746defe9b54a93675e348e48d9e99..7d19ce4cdb751ba3549683b8519fb115b66811bc 100644
--- a/remediation-kits/access-and-control/1.1-ensure-cron-daemon-is-enabled.sh
+++ b/remediation-kits/access-and-control/1.1-ensure-cron-daemon-is-enabled.sh
@@ -1 +1,12 @@
-systemctl --now enable crond
\ No newline at end of file
+result=$(systemctl is-enabled crond)
+
+if [[ $result == "enabled" ]] ; then
+ :
+elif [[ $result == "masked" ]] ; then
+ systemctl --now unmask crond
+ systemctl --now enable crond
+elif [[ $result == "disabled" ]] ; then
+ systemctl --now enable crond
+else
+ :
+fi
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh b/remediation-kits/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh
index c4f74762a768cf612aa45757850df70b0c03d999..6fb48c05882dc52454c7ad5e1d24a81329bbb4ba 100644
--- a/remediation-kits/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh
+++ b/remediation-kits/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh
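Review bot: The `enabled` branch is a no-op, so a crond that is enabled at boot but currently stopped is left stopped — `systemctl is-enabled` reports only the boot-time state, whereas the replaced `systemctl --now enable crond` also started the unit. Add an active-state repair after the `fi`, e.g. `systemctl is-active --quiet crond || systemctl start crond`. `--now` is documented for enable/disable/mask; whether `systemctl --now unmask` is accepted depends on the systemd version, so plain `systemctl unmask crond` is the safer form given that the following `enable --now` starts the unit anyway. The same `is-enabled` branching is reused for rsyslog and auditd later in this commit and has the same gap.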
@@ -1 +1,19 @@
-grep -Eq "^(\s*)LogLevel\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)LogLevel\s+\S+(\s*#.*)?\s*$/\1LogLevel INFO\2/" /etc/ssh/sshd_config || echo "LogLevel INFO" >> /etc/ssh/sshd_config
+sshLogLevelCount=$(grep -icP "Loglevel\s+.*" /etc/ssh/sshd_config)
+sshLogLevel=$(grep -iP "Loglevel\s+.*" /etc/ssh/sshd_config)
+sshLogLevelNum=$(grep -iPn "Loglevel\s+.*" /etc/ssh/sshd_config | cut -d: -f1)
+
+[[ $sshLogLevelCount -gt 1 ]] && exit 1
+
+if [[ -z $sshLogLevel ]] ; then
+ echo "LogLevel INFO" >> /etc/ssh/sshd_config
+elif [[ $(echo $sshLogLevel | grep -iP "^#+\s*LogLevel\s+(INFO|VERBOSE)") ]] ; then
+ #sed -ri "$sshLogLevelNum s/#//" /etc/ssh/sshd_config
+ :
+elif [[ $(echo $sshLogLevel | grep -iP "^LogLevel\s+(INFO|VERBOSE)") ]] ; then
+ :
+else
+ sed -i "$sshLogLevelNum"d /etc/ssh/sshd_config
+ echo "LogLevel INFO" >> /etc/ssh/sshd_config
+fi
+
+systemctl restart sshd.service
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh b/remediation-kits/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh
index c788cf6aa0cbf0fba0706d112ee7c94e8fa030d3..ba8ecdfe5980d5b74326cd2be51ac875668f6368 100644
--- a/remediation-kits/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh
+++ b/remediation-kits/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh
@@ -1 +1,3 @@
 grep -Eq "^(\s*)MaxAuthTries\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)MaxAuthTries\s+\S+(\s*#.*)?\s*$/\1MaxAuthTries 4\2/" /etc/ssh/sshd_config || echo "MaxAuthTries 4" >> /etc/ssh/sshd_config
+
+systemctl restart sshd.service
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh b/remediation-kits/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh
index ae6c4769471fae52e8f4426a68fd370c53c3a042..f7a79c3c3672732b0097bef48bb82bd6bcac1a65 100644
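Review bot: `sshLogLevelCount=$(grep -icP "Loglevel\s+.*" ...)` counts commented-out lines too, and the stock sshd_config ships with `#LogLevel INFO`, so a host that has both the shipped comment and a real `LogLevel` directive trips `[[ $sshLogLevelCount -gt 1 ]] && exit 1` and is never remediated; the unanchored pattern also matches the word inside any comment text. Anchor the directive the way the sibling scripts do, `grep -icP "^\s*LogLevel\s+"`, and use the same anchored pattern for `$sshLogLevel` and `$sshLogLevelNum` so all three variables describe the same line. The commented-`#LogLevel` branch is a no-op because its `sed` is commented out, so a file containing only `#LogLevel INFO` is left relying on the compiled-in default rather than an explicit directive. As with the other sshd scripts in this commit, run `sshd -t` before `systemctl restart sshd.service`.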
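Review bot: `systemctl restart sshd.service` runs unconditionally after the edit, so if the `sed`/`echo` (or an earlier kit script) leaves sshd_config unparsable the restart takes sshd down and remote access with it. Guard it with sshd's own syntax check, `sshd -t && systemctl restart sshd.service`, so a broken config is reported instead of applied; the same unguarded restart is appended to every sshd remediation script in this commit (1.13–1.25, 1.47, 1.50). Note also that `echo ... >> /etc/ssh/sshd_config` appends after any trailing `Match` block, where `MaxAuthTries` would apply only to that block's criteria; inserting before the first `Match` line, or writing a drop-in under `/etc/ssh/sshd_config.d/` where `Include` is supported, avoids that.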
--- a/remediation-kits/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh
+++ b/remediation-kits/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh
@@ -1 +1,11 @@
-grep -Eq "^(\s*)IgnoreRhosts\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)IgnoreRhosts\s+\S+(\s*#.*)?\s*$/\1IgnoreRhosts yes\2/" /etc/ssh/sshd_config || echo "IgnoreRhosts yes" >> /etc/ssh/sshd_config
+IgnoreRhosts=$(grep -E "^(\s*)IgnoreRhosts\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config | awk '{print $2}')
+
+if [[ -z $IgnoreRhosts ]] ; then
+ :
+elif [[ $IgnoreRhosts == 'no' ]] ; then
+ sed -ri "s/^(\s*)IgnoreRhosts\s+\S+(\s*#.*)?\s*$/\1IgnoreRhosts yes\2/" /etc/ssh/sshd_config
+else
+ :
+fi
+
+systemctl restart sshd.service
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh b/remediation-kits/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh
index e656d0db57529b1381b04b53b01ddb7ffe3fb3a4..619ee2a7d3b0e7d357c2ab6ea8c1fcadd0e4fd6d 100644
--- a/remediation-kits/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh
+++ b/remediation-kits/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh
@@ -1 +1,3 @@
 grep -Eq "^(\s*)HostbasedAuthentication\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)HostbasedAuthentication\s+\S+(\s*#.*)?\s*$/\1HostbasedAuthentication no\2/" /etc/ssh/sshd_config || echo "HostbasedAuthentication no" >> /etc/ssh/sshd_config
+
+systemctl restart sshd.service
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh b/remediation-kits/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh
index 2907dce7ce61c594d9380de88f328ae504dcdd36..d9028aeec4e2e287966633c15e6bf7fdb6b1e2d5 100644
--- a/remediation-kits/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh
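Review bot: The rewrite only touches an explicit `IgnoreRhosts no`, but the match is case-sensitive (`grep -E`) while sshd accepts the keyword in any case, and `awk '{print $2}'` over two matching lines yields a two-word value that equals neither branch, so `ignorerhosts no` or a duplicated directive passes through the silent `else :` untouched. Use `grep -Ei` and keep only the first match (`| head -n1`), since sshd honours the first occurrence, or simply keep the old unconditional `sed -ri`, which is idempotent and covers every spelling. Leaving an absent directive alone is acceptable because the sshd default is `yes`, but say so in a comment so the change from the old append behaviour reads as intentional. `systemctl restart sshd.service` should be preceded by `sshd -t`.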
+++ b/remediation-kits/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh
@@ -1 +1,3 @@
 grep -Eq "^(\s*)PermitRootLogin\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)PermitRootLogin\s+\S+(\s*#.*)?\s*$/\1PermitRootLogin no\2/" /etc/ssh/sshd_config || echo "PermitRootLogin no" >> /etc/ssh/sshd_config
+
+systemctl restart sshd.service
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh b/remediation-kits/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh
index b74e7ab77a3b9f2b88270900e4fd9871f50b8a3f..c6d6962a23f959c50c79cf2226b5aa9a8fc6da87 100644
--- a/remediation-kits/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh
+++ b/remediation-kits/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh
@@ -1 +1,3 @@
 grep -Eq "^(\s*)PermitEmptyPasswords\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)PermitEmptyPasswords\s+\S+(\s*#.*)?\s*$/\1PermitEmptyPasswords no\2/" /etc/ssh/sshd_config || echo "PermitEmptyPasswords no" >> /etc/ssh/sshd_config
+
+systemctl restart sshd.service
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh b/remediation-kits/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh
index 26173aef5da8fb9951f430ccb3694f8d2b4d6b7b..3c364d7395dab5e69edc8fcc943ca8bf274123e1 100644
--- a/remediation-kits/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh
+++ b/remediation-kits/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh
@@ -1 +1,3 @@
 grep -Eq "^(\s*)PermitUserEnvironment\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)PermitUserEnvironment\s+\S+(\s*#.*)?\s*$/\1PermitUserEnvironment no\2/" /etc/ssh/sshd_config || echo "PermitUserEnvironment no" >> /etc/ssh/sshd_config
+
+systemctl restart sshd.service
\ No newline at end of file
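Review bot: Restarting sshd immediately after forcing `PermitRootLogin no` can lock administrators out of a host where root is the only account that can log in over SSH; the script should confirm that a non-root user with working credentials and sudo rights exists (at minimum, refuse to run when the only SSH-capable account is root) before making the change live. As a minimum safeguard run `sshd -t` before `systemctl restart sshd.service`, so a malformed edit does not leave the daemon stopped. A one-line header comment stating this precondition would let operators sequence this script after user provisioning.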
diff --git a/remediation-kits/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh b/remediation-kits/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh
index f2515013b29f9094c568753f5ec2520db77eb7fb..017bb83894c38a7a390f2e1849d78bbc7fee6cfa 100644
--- a/remediation-kits/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh
+++ b/remediation-kits/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh
@@ -1,2 +1 @@
-chown root:root /etc/crontab
-chmod og-rwx /etc/crontab
\ No newline at end of file
+[[ -e /etc/crontab ]] && chown root:root /etc/crontab && chmod og-rwx /etc/crontab
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh b/remediation-kits/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh
index ac8940fd01aed1258a0a2da75d752bfdc0066129..7bb74ade3f194878be0eec05272e89036e11b571 100644
--- a/remediation-kits/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh
+++ b/remediation-kits/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh
@@ -1,2 +1,4 @@
 grep -Eq "^(\s*)ClientAliveInterval\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)ClientAliveInterval\s+\S+(\s*#.*)?\s*$/\1ClientAliveInterval 900\2/" /etc/ssh/sshd_config || echo "ClientAliveInterval 300" >> /etc/ssh/sshd_config
 grep -Eq "^(\s*)ClientAliveCountMax\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)ClientAliveCountMax\s+\S+(\s*#.*)?\s*$/\1ClientAliveCountMax 0\2/" /etc/ssh/sshd_config || echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config
+
+systemctl restart sshd.service
\ No newline at end of file
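Review bot: `[[ -e /etc/crontab ]] && chown ... && chmod ...` makes the script exit 1 whenever the file is absent, because a script's status is that of its last list and a failed `[[ ]]` short-circuits the `&&` chain; a runner that checks exit codes will therefore report a failed remediation on hosts without cron. If "file absent" is meant to pass, make that explicit: `[[ -e /etc/crontab ]] || exit 0` on its own line, followed by the `chown` and `chmod`. The same construction is used in this commit for the cron.hourly/daily/weekly/monthly/cron.d and sshd_config permission scripts.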
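Review bot: The two branches of the `ClientAliveInterval` line disagree: an existing directive is rewritten to `900` while a missing one is appended as `300`, so hosts end up with different idle timeouts depending on their starting config; choose one value and use it in both the `sed` replacement and the `echo`. Be aware that on OpenSSH 8.2 and later `ClientAliveCountMax 0` disables the idle disconnect altogether rather than enforcing it, so on those versions this script turns the control off — later benchmark revisions pair the interval with a non-zero count such as `ClientAliveCountMax 3`; confirm the target OpenSSH version before relying on `0`. Run `sshd -t` before `systemctl restart sshd.service`.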
diff --git a/remediation-kits/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh b/remediation-kits/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh
index 65003ec680088eb9b85ac162f0a895ac14f7f655..8c4a5813c6ca578d2888050277b30aea183e241e 100644
--- a/remediation-kits/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh
+++ b/remediation-kits/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh
@@ -1 +1,3 @@
 grep -Eq "^(\s*)LoginGraceTime\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)LoginGraceTime\s+\S+(\s*#.*)?\s*$/\1LoginGraceTime 60\2/" /etc/ssh/sshd_config || echo "LoginGraceTime 60" >> /etc/ssh/sshd_config
+
+systemctl restart sshd.service
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh b/remediation-kits/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh
index 3b6a476ccea5aa165988818f32766497d39da5a4..5f7d39833f45c2438be241e5bfef86af1bc1ebea 100644
--- a/remediation-kits/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh
+++ b/remediation-kits/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh
@@ -1 +1,3 @@
 grep -Eq "^(\s*)Banner\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)Banner\s+\S+(\s*#.*)?\s*$/\1Banner \/etc\/issue.net\2/" /etc/ssh/sshd_config || echo "Banner /etc/issue.net" >> /etc/ssh/sshd_config
+
+systemctl restart sshd.service
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh b/remediation-kits/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh
index d7662e48b481cc9a14ef2cd08897c458914752a8..5d593ab50f4460cf4852c978454695dc30f54aae 100644
--- a/remediation-kits/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh
+++ b/remediation-kits/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh
@@ -1 +1,3 @@
-grep -Eiq '^\s*UsePAM\s+yes' /etc/ssh/sshd_config || echo "UsePAM yes" >> /etc/ssh/sshd_config
\ No newline at end of file
+grep -Eiq '^\s*UsePAM\s+yes' /etc/ssh/sshd_config || echo "UsePAM yes" >> /etc/ssh/sshd_config
+
+systemctl restart sshd.service
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh b/remediation-kits/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh
index e5081a0eeee4be7aded39cf0eb958c73a8ca7737..8b79b93f206fc15de13a88c375ffa09564b47458 100644
--- a/remediation-kits/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh
+++ b/remediation-kits/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh
@@ -1 +1,3 @@
-grep -iq "MaxStartups" /etc/ssh/sshd_config && sed -i "/maxstartups/Id" /etc/ssh/sshd_config && echo "maxstartups 10:30:60" >> /etc/ssh/sshd_config || echo "maxstartups 10:30:60" >> /etc/ssh/sshd_config
\ No newline at end of file
+grep -iq "MaxStartups" /etc/ssh/sshd_config && sed -i "/maxstartups/Id" /etc/ssh/sshd_config && echo "maxstartups 10:30:60" >> /etc/ssh/sshd_config || echo "maxstartups 10:30:60" >> /etc/ssh/sshd_config
+
+systemctl restart sshd.service
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh b/remediation-kits/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh
index 9bcb24d33ab1e44bf474b3acb08c3c95c0dde92e..486b9b35acfbc2b16035b7d0e5a34738fbed986c 100644
--- a/remediation-kits/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh
+++ b/remediation-kits/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh
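Review bot: `grep -Eiq '^\s*UsePAM\s+yes' ... || echo "UsePAM yes" >>` does not remediate a file that already contains `UsePAM no`: sshd honours the first occurrence of a keyword, so the `UsePAM yes` appended at the end of the file is ignored and the restart simply reloads the non-compliant setting. Rewrite the existing directive in place the way the sibling scripts do, `grep -Eiq "^\s*UsePAM\s+" /etc/ssh/sshd_config && sed -ri "s/^(\s*)UsePAM\s+\S+(\s*#.*)?\s*$/\1UsePAM yes\2/" /etc/ssh/sshd_config || echo "UsePAM yes" >> /etc/ssh/sshd_config`, and guard the restart with `sshd -t`.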
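Review bot: `sed -i "/maxstartups/Id"` deletes every line that mentions the word, including comments such as the shipped `#MaxStartups 10:30:100`, and in the `A && B && C || D` chain a failing `sed` (read-only or missing file) still runs the fallback `echo` and then the unconditional restart. Anchoring the delete to an actual directive, `sed -i "/^\s*maxstartups\s/Id"`, keeps the comment, and `sshd -t && systemctl restart sshd.service` avoids restarting into a broken config. A short comment explaining why the old directive is deleted and re-appended rather than rewritten in place (as the other scripts do) would help the next maintainer.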
@@ -1,2 +1,14 @@
-grep -Psq "^(\s*)MaxSessions\s+[1-9][0]{0,1}$" /etc/ssh/sshd_config || sed -ri 's/^(\s*)MaxSessions\s+[1-9][0-9]{0,}$/MaxSessions 10/g' /etc/ssh/sshd_config
-grep -Psq "^(\s*)MaxSessions\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config || echo "MaxSessions 10" >> /etc/ssh/sshd_config
\ No newline at end of file
+maxSessions=$(grep -iP "^(\s*)MaxSessions\s+" /etc/ssh/sshd_config)
+maxSessionsNum=$(grep -iP "^(\s*)MaxSessions\s+" /etc/ssh/sshd_config | awk '{print $2}')
+
+if [[ -z $maxSessions && -z $maxSessionsNum ]] ; then
+ echo "MaxSessions 10" >> /etc/ssh/sshd_config
+elif [[ -n $maxSessions && $maxSessionsNum -le 10 ]] ; then
+ :
+elif [[ -n $maxSessions && $maxSessionsNum -gt 10 ]] ; then
+ sed -ri 's/^(\s*)MaxSessions\s+.*/MaxSessions 10/g' /etc/ssh/sshd_config
+else
+ :
+fi
+
+systemctl restart sshd.service
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh b/remediation-kits/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh
index ca921af5a7ebe067fe85d47ae3b86c843ae1a8ae..f0513a833e69be7f60975788d5f030302d8a51f5 100644
--- a/remediation-kits/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh
+++ b/remediation-kits/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh
@@ -1,2 +1 @@
-chown root:root /etc/cron.hourly
-chmod og-rwx /etc/cron.hourly
\ No newline at end of file
+[[ -e /etc/cron.hourly ]] && chown root:root /etc/cron.hourly && chmod og-rwx /etc/cron.hourly
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh b/remediation-kits/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh
index 745694839a0e4e123df2b1204e3e78fa53a93a2c..aaec1f4c5292e81e7058c1fa78a6a4e9b855bc34 100644
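Review bot: `$maxSessionsNum` is compared numerically with `-le`/`-gt`, but when sshd_config holds two `MaxSessions` lines `awk '{print $2}'` returns both values and bash raises a syntax error inside `[[ ]]`, so both `elif` tests fail and the script falls through to the silent `else :` with the over-limit value still in place; a non-numeric value does the same. Validate before comparing, `[[ $maxSessionsNum =~ ^[0-9]+$ ]] || maxSessionsNum=$(printf '%s\n' $maxSessionsNum | head -n1)`, or take only the first match since sshd uses the first occurrence. The detection `grep -iP` is case-insensitive but the `sed -ri 's/^(\s*)MaxSessions\s+.*/...'` replacement is not, so `maxsessions 20` is flagged as over the limit yet never rewritten; add the `I` flag to the `sed` substitution. Add `sshd -t` before the restart.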
--- a/remediation-kits/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh
+++ b/remediation-kits/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh
@@ -1,2 +1 @@
-chown root:root /etc/cron.daily
-chmod og-rwx /etc/cron.daily
\ No newline at end of file
+[[ -e /etc/cron.daily ]] && chown root:root /etc/cron.daily && chmod og-rwx /etc/cron.daily
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.41-ensure-ssh-server-use-protocol_2.sh b/remediation-kits/access-and-control/1.41-ensure-ssh-server-use-protocol_2.sh
index e6123afb6eff62946c29243872b6f75093fac7f0..5c09b89f56d76c5d52b0f730de7df5860570ac19 100755
--- a/remediation-kits/access-and-control/1.41-ensure-ssh-server-use-protocol_2.sh
+++ b/remediation-kits/access-and-control/1.41-ensure-ssh-server-use-protocol_2.sh
@@ -1,4 +1,4 @@
 #!/bin/bash
 grep -qiP '^Protocol' /etc/ssh/sshd_config && sed -i "/^Protocol/cProtocol 2" /etc/ssh/sshd_config || echo -e "Protocol 2" >> /etc/ssh/sshd_config
-systemctl restart sshd
+systemctl restart sshd.service
diff --git a/remediation-kits/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh b/remediation-kits/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh
index c788cf6aa0cbf0fba0706d112ee7c94e8fa030d3..ba8ecdfe5980d5b74326cd2be51ac875668f6368 100644
--- a/remediation-kits/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh
+++ b/remediation-kits/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh
@@ -1 +1,3 @@
 grep -Eq "^(\s*)MaxAuthTries\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)MaxAuthTries\s+\S+(\s*#.*)?\s*$/\1MaxAuthTries 4\2/" /etc/ssh/sshd_config || echo "MaxAuthTries 4" >> /etc/ssh/sshd_config
+
+systemctl restart sshd.service
\ No newline at end of file
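Review bot: This file is byte-identical to `1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh` (the `index` lines show the same blob ids before and after), so the "between 3 and 5" control is in practice enforced as "exactly 4" and every future fix has to be applied twice. Either have one script source the other, or add a header comment stating that both controls are deliberately satisfied by the same `MaxAuthTries 4` setting. The unguarded `systemctl restart sshd.service` has the same `sshd -t` concern as in 1.14.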
diff --git a/remediation-kits/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh b/remediation-kits/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh
index 8401af78c7a4d51322be8a452e618d5ad8f2e17c..1cb124a6c3d778a67403a85768b0237b63f53e9c 100644
--- a/remediation-kits/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh
+++ b/remediation-kits/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh
@@ -1,2 +1 @@
-chown root:root /etc/cron.weekly
-chmod og-rwx /etc/cron.weekly
\ No newline at end of file
+[[ -e /etc/cron.weekly ]] && chown root:root /etc/cron.weekly && chmod og-rwx /etc/cron.weekly
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh b/remediation-kits/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh
index 3b3b369e4f0620880471acaa2e28d4226e8398ef..669c26b82bc26f8ccbd00a47961668f0fc733adc 100644
--- a/remediation-kits/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh
+++ b/remediation-kits/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh
@@ -1 +1,3 @@
 grep -Eq "^(\s*)X11Forwarding\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)X11Forwarding\s+\S+(\s*#.*)?\s*$/\1X11Forwarding no\2/" /etc/ssh/sshd_config || echo "X11Forwarding no" >> /etc/ssh/sshd_config
+
+systemctl restart sshd.service
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh b/remediation-kits/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh
index 5b358b119bd175e58758820b23988b83d0e7ff33..96c90b1d2732d04ea9d779cbfe4d4f42eb64576b 100644
--- a/remediation-kits/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh
+++ b/remediation-kits/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh
@@ -1,2 +1 @@
-chown root:root /etc/cron.monthly
-chmod og-rwx /etc/cron.monthly
\ No newline at end of file
+[[ -e /etc/cron.monthly ]] && chown root:root /etc/cron.monthly && chmod og-rwx /etc/cron.monthly
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh b/remediation-kits/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh
index 28f7a797a5d561d80b7a85a17600e3aeea36314d..b043518e29677ca2d79265550bcccb5981fc3749 100644
--- a/remediation-kits/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh
+++ b/remediation-kits/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh
@@ -1,2 +1 @@
-chown root:root /etc/cron.d
-chmod og-rwx /etc/cron.d
\ No newline at end of file
+[[ -e /etc/cron.d ]] && chown root:root /etc/cron.d && chmod og-rwx /etc/cron.d
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh b/remediation-kits/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh
index 4a0d3278c59964f2e493d4afeb9824ae37fa2627..f237fcccb2b3dbee286e25bfed1ca35c4feb95a8 100644
--- a/remediation-kits/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh
+++ b/remediation-kits/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh
@@ -1,8 +1,5 @@
-rm -f /etc/cron.deny
-rm -f /etc/at.deny
-touch /etc/cron.allow
-touch /etc/at.allow
-chmod og-rwx /etc/cron.allow
-chmod og-rwx /etc/at.allow
-chown root:root /etc/cron.allow
-chown root:root /etc/at.allow
\ No newline at end of file
+[[ -e /etc/cron.deny ]] && rm -f /etc/cron.deny
+[[ -e /etc/at.deny ]] && rm -f /etc/at.deny
+[[ ! -e /etc/cron.allow ]] && touch /etc/cron.allow
+[[ ! -e /etc/at.allow ]] && touch /etc/at.allow
+[[ -e /etc/cron.allow ]] && chmod og-rwx /etc/cron.allow && chmod og-rwx /etc/at.allow && chown root:root /etc/cron.allow && chown root:root /etc/at.allow
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh b/remediation-kits/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh
index fa20c49c13841b1aead38fd9644bc223b76b5342..f44bbbff1ffdea0503d80985f39abca46c4d6e64 100644
--- a/remediation-kits/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh
+++ b/remediation-kits/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh
@@ -1,2 +1 @@
-chown root:root /etc/ssh/sshd_config
-chmod og-rwx /etc/ssh/sshd_config
\ No newline at end of file
+[[ -e /etc/ssh/sshd_config ]] && chown root:root /etc/ssh/sshd_config && chmod og-rwx /etc/ssh/sshd_config
\ No newline at end of file
diff --git a/remediation-kits/logging-and-auditing/2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.sh b/remediation-kits/logging-and-auditing/2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.sh
index 53d1c1f83fae70d15179a9d587018353e872afd1..40d9c8dc379823685d412a2276997f3e3d214a3a 100644
--- a/remediation-kits/logging-and-auditing/2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.sh
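Review bot: The last line guards the whole permission/ownership chain on `[[ -e /etc/cron.allow ]]` alone, so at.allow is only fixed when cron.allow exists and the first `chmod` succeeds, and both files are created by `touch` with umask-default (typically world-readable) mode before the `chmod` runs. Creating each file with its final mode in one step closes both gaps: `[[ -e /etc/cron.allow ]] || install -m 0600 -o root -g root /dev/null /etc/cron.allow` (and the same for `/etc/at.allow`), followed by an independent `chmod og-rwx`/`chown root:root` pair per file for the pre-existing case. An empty `cron.allow` denies `crontab` to every non-root user, which is the benchmark's intent but worth stating in a header comment so operators know to populate it.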
+++ b/remediation-kits/logging-and-auditing/2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.sh
@@ -1 +1 @@
-chmod 0600 /var/log/audit/*
\ No newline at end of file
+[[ $(ls -A /var/log/audit/) ]] && chmod 0600 /var/log/audit/*
\ No newline at end of file
diff --git a/remediation-kits/logging-and-auditing/2.12-ensure-rsyslog-is-installed.sh b/remediation-kits/logging-and-auditing/2.12-ensure-rsyslog-is-installed.sh
index 91ab25750209b9e8dbd2299199043851da0fae2f..427c6bd70029debb6bc8ba7ba27a07594b7fcb94 100644
--- a/remediation-kits/logging-and-auditing/2.12-ensure-rsyslog-is-installed.sh
+++ b/remediation-kits/logging-and-auditing/2.12-ensure-rsyslog-is-installed.sh
@@ -1 +1,7 @@
-yum install rsyslog -y
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ ! "$(rpm -qa rsyslog | grep -i "rsyslog\-")" ]; then
+ yum install rsyslog -y
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/logging-and-auditing/2.13-ensure-rsyslog-service-is-enabled.sh b/remediation-kits/logging-and-auditing/2.13-ensure-rsyslog-service-is-enabled.sh
index d942028eb693529e923bd97b5e5bab25580a47e1..f94941b06af7c9e0287544f6fde300619ee1e4b9 100644
--- a/remediation-kits/logging-and-auditing/2.13-ensure-rsyslog-service-is-enabled.sh
+++ b/remediation-kits/logging-and-auditing/2.13-ensure-rsyslog-service-is-enabled.sh
@@ -1 +1,17 @@
-systemctl --now enable rsyslog
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa rsyslog)" ]; then
+ result=$(systemctl is-enabled rsyslog.service)
+ if [[ $result == "enabled" ]] ; then
+ :
+ elif [[ $result == "masked" ]] ; then
+ systemctl --now unmask rsyslog.service
+ systemctl --now enable rsyslog.service
+ elif [[ $result == "disabled" ]] ; then
+ systemctl --now enable rsyslog.service
+ else
+ :
+ fi
+else
+ :
+fi
\ No newline at end of file
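Review bot: `[[ $(ls -A /var/log/audit/) ]]` parses `ls` to detect an empty directory, prints an error to stderr when the directory is missing, and the following `chmod 0600 /var/log/audit/*` skips the dot-files that `ls -A` counted while also applying 0600 to any subdirectory. A single `find` handles every case without the guard: `find /var/log/audit -type f -exec chmod 0600 {} +` (prefix with `[[ -d /var/log/audit ]] &&` if a missing directory should stay silent). The same `ls -A` guard is used in the 2.2 ownership script below.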
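Review bot: The `else` branch runs `exit 1` when rsyslog is already installed, so the remediation reports failure exactly when the desired state already holds and succeeds only on the one run that performs the install; the sibling 2.19 audit script uses `:` for the same case, which is the right outcome here too. The `| grep -i "rsyslog\-"` filter is redundant because `rpm -qa rsyslog` already returns only that package name; `rpm -q rsyslog >/dev/null 2>&1 || yum install rsyslog -y` expresses the intent in one line and exits 0 on an already-compliant host.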
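Review bot: As in the crond script, the `enabled` branch is a no-op, so an rsyslog that is enabled at boot but currently stopped is never started, whereas the replaced `systemctl --now enable rsyslog` did start it; add `systemctl is-active --quiet rsyslog.service || systemctl start rsyslog.service` after the inner `fi`. When the package is absent the outer `else :` makes the script exit 0, which is only correct if 2.12 is guaranteed to run first — a comment stating that ordering assumption would help. `systemctl --now unmask` may be rejected by systemd versions that accept `--now` only with enable/disable/mask; plain `systemctl unmask rsyslog.service` followed by the existing `enable --now` is safer.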
diff --git a/remediation-kits/logging-and-auditing/2.19-ensure-audit-is-installed.sh b/remediation-kits/logging-and-auditing/2.19-ensure-audit-is-installed.sh
index 91a053725474302460f3ef1a582f88a99621ac60..4166cbb68a8436ddddd1db1832de1af904eb1fa6 100644
--- a/remediation-kits/logging-and-auditing/2.19-ensure-audit-is-installed.sh
+++ b/remediation-kits/logging-and-auditing/2.19-ensure-audit-is-installed.sh
@@ -1 +1,9 @@
-dnf install audit audit-libs -y
+export LANG="en_US.UTF-8"
+
+if [ ! "$(rpm -qa audit)" ]; then
+ yum install audit -y
+elif [ ! "$(rpm -qa audit-libs)" ]; then
+ yum install audit-libs -y
+else
+ :
+fi
\ No newline at end of file
diff --git a/remediation-kits/logging-and-auditing/2.2-ensure-only-authorized-users-own-audit-log-files.sh b/remediation-kits/logging-and-auditing/2.2-ensure-only-authorized-users-own-audit-log-files.sh
index cd7d55b74555eb2ae1c72116d0c1d0fcaa9b75a1..3c762f4cd589b510dc1fd2dc6d61ed2bbd6471ec 100644
--- a/remediation-kits/logging-and-auditing/2.2-ensure-only-authorized-users-own-audit-log-files.sh
+++ b/remediation-kits/logging-and-auditing/2.2-ensure-only-authorized-users-own-audit-log-files.sh
@@ -1 +1 @@
-chown root /var/log/audit/*
\ No newline at end of file
+[[ $(ls -A /var/log/audit/) ]] && chown root /var/log/audit/*
\ No newline at end of file
diff --git a/remediation-kits/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh b/remediation-kits/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh
index 4defd206e96fa7a0a23edc8ac3401aa925dcc7fc..b33ca4aac237a60bfc5f2fe2e84cd9ec43c7199d 100644
--- a/remediation-kits/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh
+++ b/remediation-kits/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh
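Review bot: The `if`/`elif` structure only checks `audit-libs` when `audit` is already present, so on a host with neither package just `yum install audit -y` runs and the script relies on dependency resolution to pull in `audit-libs` (which it normally will), while the replaced `dnf install audit audit-libs -y` stated the requirement directly. Two independent `if` blocks, or a single `rpm -q audit audit-libs >/dev/null 2>&1 || yum install audit audit-libs -y`, installs whatever is missing in one step and keeps the exit status meaningful. A comment noting that `yum` is relied on as the dnf shim on EL8+ would document the switch from `dnf`.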
@@ -1 +1,17 @@
-systemctl --now enable auditd
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa audit)" ]; then
+ result=$(systemctl is-enabled auditd.service)
+ if [[ $result == "enabled" ]] ; then
+ :
+ elif [[ $result == "masked" ]] ; then
+ systemctl --now unmask auditd.service
+ systemctl --now enable auditd.service
+ elif [[ $result == "disabled" ]] ; then
+ systemctl --now enable auditd.service
+ else
+ :
+ fi
+else
+ :
+fi
\ No newline at end of file
diff --git a/remediation-kits/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh b/remediation-kits/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh
index ef817a2bc05fabe260078a1f3cdec38d0da163cc..d6778c2c62a73ba42379bcd1ca6eb9991298cf26 100644
--- a/remediation-kits/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh
+++ b/remediation-kits/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh
@@ -4,4 +4,6 @@ if [[ `arch` == 'aarch64' ]] && [[ `uname -m` == 'aarch64' ]] ; then
 else
 grep -Pq "\-a\salways\,exit\s\-F\sarch=b(32|64)\s\-S\sunlink.*-k\sdelete" /etc/audit/rules.d/audit.rules || echo -e "\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n" >> /etc/audit/rules.d/audit.rules
 grep -Pq "\-a\salways\,exit\s\-F\sarch=b(32|64)\s\-S\sunlink.*-k\sdelete" /etc/audit/audit.rules || echo -e "\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n" >> /etc/audit/audit.rules
-fi
\ No newline at end of file
+fi
+
+augenrules --load
\ No newline at end of file
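Review bot: Same gap as the crond and rsyslog scripts: when `systemctl is-enabled auditd.service` reports `enabled` the script does nothing, so an auditd that is enabled but stopped stays stopped, whereas the replaced `systemctl --now enable auditd` started it. Add `systemctl is-active --quiet auditd.service || systemctl start auditd.service` after the inner `fi`; `start` is accepted even on distributions whose auditd unit refuses manual `stop`/`restart` through systemctl. The `systemctl --now unmask` form carries the same version-dependence noted for crond.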
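Review bot: `augenrules --load` regenerates `/etc/audit/audit.rules` from `/etc/audit/rules.d/*.rules`, so the second `grep ... || echo ... >> /etc/audit/audit.rules` in the `else` branch is overwritten by the very command this commit adds; drop the direct audit.rules edit and keep only the rules.d write. `augenrules --load` also fails when the rule set is immutable (`-e 2`, visible in `auditctl -s`), in which case the new rules only apply after a reboot — check its exit status and report that condition rather than silently returning it as the script's status. The `if [[ ... aarch64 ... ]]` block that this hunk closes begins outside the hunk, so the aarch64 branch cannot be reviewed here.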
diff --git a/remediation-kits/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh b/remediation-kits/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh
index d10611802d08eab495cdacac5cfe8522af72b97a..ffc7842d417be3a18d46ce371d718a7fa28d65bb 100644
--- a/remediation-kits/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh
+++ b/remediation-kits/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh
@@ -1,4 +1,6 @@
 grep -q "\-w /etc/sudoers -p wa -k scope
 -w /etc/sudoers.d/ -p wa -k scope" /etc/audit/rules.d/audit.rules || echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope" >> /etc/audit/rules.d/audit.rules
 grep -q "\-w /etc/sudoers -p wa -k scope
--w /etc/sudoers.d/ -p wa -k scope" /etc/audit/audit.rules || echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope" >> /etc/audit/audit.rules
+-w /etc/sudoers.d/ -p wa -k scope" /etc/audit/audit.rules || echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope" >> /etc/audit/audit.rules
+
+augenrules --load
\ No newline at end of file
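Review bot: Both `grep -q` checks pass a pattern that contains a literal newline, which grep treats as two alternative patterns, so the check succeeds when only `-w /etc/sudoers -p wa -k scope` is present and the `/etc/sudoers.d/` watch is never added; in addition the second check writes to `/etc/audit/audit.rules`, which the newly added `augenrules --load` regenerates from `rules.d/`, discarding that edit. Check each watch separately against the rules.d file, e.g. `grep -q -- '-w /etc/sudoers.d/ -p wa -k scope' /etc/audit/rules.d/audit.rules || echo '-w /etc/sudoers.d/ -p wa -k scope' >> /etc/audit/rules.d/audit.rules`, with a matching line for `/etc/sudoers`, and drop the direct audit.rules write entirely.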
@@ -7,4 +7,6 @@ grep -q "\-w /etc/group -p wa -k identity
 -w /etc/passwd -p wa -k identity
 -w /etc/gshadow -p wa -k identity
 -w /etc/shadow -p wa -k identity
--w /etc/security/opasswd -p wa -k identity" /etc/audit/rules.d/*.rules || echo -e "\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n" >> /etc/audit/audit.rules
\ No newline at end of file
+-w /etc/security/opasswd -p wa -k identity" /etc/audit/rules.d/*.rules || echo -e "\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n" >> /etc/audit/audit.rules
+
+augenrules --load
\ No newline at end of file
diff --git a/remediation-kits/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh b/remediation-kits/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh
index f97599e54bc13d64b16f1b81d507d682bbc4bd94..08d7b60e3a745a27d80543c280e3460fa8d5a3c8 100644
--- a/remediation-kits/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh
+++ b/remediation-kits/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh
@@ -1,3 +1,5 @@
 #!/bin/bash
 
-grep -Psq "^max_log_file_action\s*=.*" /etc/audit/auditd.conf && sed -i 's/^max_log_file_action.*/max_log_file_action = keep_logs/' /etc/audit/auditd.conf || echo "max_log_file_action = keep_logs" >> /etc/audit/auditd.conf
\ No newline at end of file
+grep -Psq "^max_log_file_action\s*=.*" /etc/audit/auditd.conf && sed -i 's/^max_log_file_action.*/max_log_file_action = keep_logs/' /etc/audit/auditd.conf || echo "max_log_file_action = keep_logs" >> /etc/audit/auditd.conf
+
+augenrules --load
\ No newline at end of file
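Review bot: In the 2.25 hunk `augenrules --load` does not apply the `max_log_file_action` change: it merges /etc/audit/rules.d into /etc/audit/audit.rules and loads those rules, while auditd.conf is read by the daemon itself, so the new setting stays inert until auditd reconfigures or restarts. The added line should be `service auditd reload` (auditd re-reads its configuration on SIGHUP), or the kit's documented restart step, not a rules reload. The grep on the preceding line also only matches an uncommented directive, so a `#max_log_file_action` template line is left in place next to the appended one, which is cosmetic but confusing on later audits.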
diff --git a/remediation-kits/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh b/remediation-kits/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh
index 4785a8f908ac86e1af4ce597ad20c4cd543e5abd..eb27c28fc8d1354190ee84bec68def2232fe7c56 100644
--- a/remediation-kits/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh
+++ b/remediation-kits/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh
@@ -1 +1,3 @@
-grep -Psq "^Defaults\slogfile\=.*\.log$" /etc/sudoers || echo "Defaults logfile=/var/log/sudo.log" >> /etc/sudoers
\ No newline at end of file
+grep -Psq "^Defaults\slogfile\=.*\.log$" /etc/sudoers || echo "Defaults logfile=/var/log/sudo.log" >> /etc/sudoers
+
+auditctl -s | grep "enabled"
\ No newline at end of file
diff --git a/remediation-kits/logging-and-auditing/2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive.sh b/remediation-kits/logging-and-auditing/2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive.sh
index 7e4aa80c988cfd4380f9fd9b5a6a4f465f95b4b4..7db2548f9b07e3896a2eed97a72cac7ff2508512 100644
--- a/remediation-kits/logging-and-auditing/2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive.sh
+++ b/remediation-kits/logging-and-auditing/2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive.sh
@@ -1 +1 @@
-chmod -R g-w,o-rwx /var/log/audit
\ No newline at end of file
+[[ -d /var/log/audit ]] && chmod -R g-w,o-rwx /var/log/audit
\ No newline at end of file
diff --git a/remediation-kits/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh b/remediation-kits/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh
index b11695daecad9a0368b62ebf660a380256960794..91b937f6463206b03f040c7f27be6c68ce3de521 100644
--- a/remediation-kits/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh
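Review bot: The added `auditctl -s | grep "enabled"` changes nothing on the host and is unrelated to sudo logging; it prints the auditd status line and, as the last command, makes the script's exit status depend on that grep, which also matches `enabled 0` and so is not even a usable post-check. Either drop it or make the intent explicit, `auditctl -s | grep -q "^enabled [12]" || echo "auditd is not enabled" >&2`. Independently, the sudoers edit on the previous line should be followed by `visudo -cf /etc/sudoers` so a malformed file is reported rather than silently breaking sudo, and the `^Defaults\slogfile\=` pattern misses a directive written with more than one space or placed under /etc/sudoers.d, in which case a duplicate line is appended.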
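Review bot: `[[ -d /var/log/audit ]] && chmod ...` returns 1 when the directory is absent, and since it is the script's only line that becomes the script's exit status, so a runner that keys on non-zero (not visible here) will report a failed remediation on a host that has nothing to fix. Writing the guard as `if [[ -d /var/log/audit ]]; then chmod -R g-w,o-rwx /var/log/audit; fi` keeps the behaviour and exits 0. The same `test && command` tail is used in 4.4 (L20), 4.5 (L21), 4.6 (L22), 4.60 and 4.61 (L23) and 4.65 (L24).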
+++ b/remediation-kits/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh
@@ -1,4 +1,15 @@
-printf "
-kernel.randomize_va_space = 2
-" >> /etc/sysctl.d/50-kernel_sysctl.conf
+conFile=$(grep -Ps "^kernel\.randomize_va_space\s*=" /run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf | cut -f1 -d:)
+
+conNum=$(grep -Ps "^kernel\.randomize_va_space\s*=" /run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf | cut -f2 -d= | sed -r 's/\s//g')
+
+if [[ -z $conFile && -z $conNum ]] ; then
+ echo "kernel.randomize_va_space = 2" >> /etc/sysctl.d/50-kernel_sysctl.conf
+elif [[ -n $conFile && -n $conNum && $conNum -eq 2 ]] ; then
+ :
+elif [[ -n $conFile && -n $conNum && $conNum -ne 2 ]] ; then
+ sed -ri 's/^kernel\.randomize_va_space.*/kernel.randomize_va_space = 2/g' $conFile
+else
+ :
+fi
+
 sysctl -w kernel.randomize_va_space=2
\ No newline at end of file
diff --git a/remediation-kits/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh b/remediation-kits/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh
index 5879a6396f9ac66062b1961d2462a5136182c673..558827cb2e1bc6ac2c35a2558daa68b55952839f 100644
--- a/remediation-kits/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh
+++ b/remediation-kits/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh
@@ -1,4 +1 @@
-dnf install pip -y
-pip install toml
-update-crypto-policies --set DEFAULT
-update-crypto-policies
\ No newline at end of file
+grep -Eiq '^\s*LEGACY\s*(\s+#.*)?$' /etc/crypto-policies/config && update-crypto-policies --set DEFAULT && update-crypto-policies
\ No newline at end of file
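Review bot: When more than one of the globbed files sets `kernel.randomize_va_space`, `conNum` holds a newline-separated list and `[[ $conNum -eq 2 ]]` fails with an arithmetic error, so both `elif` branches are skipped, the `else` does nothing, and the bad persisted value survives; the unquoted `$conFile` on the `sed -ri` line only works in that multi-file case by accident of word-splitting. Which of several matches is effective under `sysctl --system` depends on directory priority and file name, so the script should at least detect the multi-match case instead of silently skipping, e.g. `[[ $(grep -c . <<<"$conNum") -gt 1 ]] && { echo "multiple kernel.randomize_va_space settings found" >&2; exit 1; }`, compare with `[[ "$conNum" == "2" ]]`, and quote `"$conFile"`. The final `sysctl -w` keeps the runtime correct either way, which hides the persisted-config failure until the next reboot.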
diff --git a/remediation-kits/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh b/remediation-kits/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh
index 47bfd851c2e554600f60a09940da58670838ce2c..50d5a4d8cd8807df546cc4ac70f74c90e2b1e462 100644
--- a/remediation-kits/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh
+++ b/remediation-kits/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh
@@ -1,4 +1,4 @@
-chown root:root /etc/motd
-chmod u-x,go-wx /etc/motd
+[[ -e /etc/motd ]] && chown root:root /etc/motd
+[[ -e /etc/motd ]] && chmod u-x,go-wx /etc/motd
 [[ -f /var/lib/update-motd/motd ]] && chown root:root /var/lib/update-motd/motd
 [[ -f /var/lib/update-motd/motd ]] && chmod u-x,go-wx /var/lib/update-motd/motd
\ No newline at end of file
diff --git a/remediation-kits/system-configurations/4.44-ensure-sctp-is-disabled.sh b/remediation-kits/system-configurations/4.44-ensure-sctp-is-disabled.sh
index fbce061912e1363328d94fab0452a9239a98707d..6d5bee2f04f756b7ed7898e307c2f9d14db32555 100644
--- a/remediation-kits/system-configurations/4.44-ensure-sctp-is-disabled.sh
+++ b/remediation-kits/system-configurations/4.44-ensure-sctp-is-disabled.sh
@@ -1,3 +1,7 @@
-printf "
-install sctp /bin/true
-" >> /etc/modprobe.d/sctp.conf
\ No newline at end of file
+modprobe -n -vq sctp
+
+if [[ $? -eq 0 ]]; then
+ :
+else
+ echo -e "\ninstall sctp /bin/true" >> /etc/modprobe.d/sctp.conf
+fi
\ No newline at end of file
diff --git a/remediation-kits/system-configurations/4.45-ensure-dccp-is-disabled.sh b/remediation-kits/system-configurations/4.45-ensure-dccp-is-disabled.sh
index fde18336252b24527607554f856fd15ce32fe11c..3a2db012f5e81187844bdf14212ef7138c2a989d 100644
--- a/remediation-kits/system-configurations/4.45-ensure-dccp-is-disabled.sh
+++ b/remediation-kits/system-configurations/4.45-ensure-dccp-is-disabled.sh
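Review bot: The condition in the 4.44 hunk is inverted: `modprobe -n -vq sctp` exits 0 whenever the module can be resolved, including when an `install sctp /bin/true` line already exists (the dry run then just prints `install /bin/true`), so on a host where sctp is loadable the script takes the `:` branch and never writes the directive, and it appends only when the module is absent and nothing is needed. Key on the dry-run output instead of its exit status: `modprobe -n -v sctp 2>/dev/null | grep -Eq '^install /bin/(true|false)' || echo "install sctp /bin/true" >> /etc/modprobe.d/sctp.conf`. Checking `$?` on a separate line after the command is also fragile; `if modprobe ...; then` reads the status directly. 4.45 (L21) has the identical inversion for dccp.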
@@ -1,3 +1,7 @@
-printf "
-install dccp /bin/true
-" >> /etc/modprobe.d/dccp.conf
\ No newline at end of file
+modprobe -n -vq dccp
+
+if [[ $? -eq 0 ]]; then
+ :
+else
+ echo -e "\ninstall dccp /bin/true" >> /etc/modprobe.d/dccp.conf
+fi
\ No newline at end of file
diff --git a/remediation-kits/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh b/remediation-kits/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh
index 050e60a04755ea2a1ecfae57a7219621108512e4..5acd8381b1814415f60aa4aa0d2eec6ed7c7b9a5 100644
--- a/remediation-kits/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh
+++ b/remediation-kits/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh
@@ -1,2 +1,2 @@
-chown root:root /etc/issue
-chmod u-x,go-wx /etc/issue
\ No newline at end of file
+[[ -e /etc/issue ]] && chown root:root /etc/issue
+[[ -e /etc/issue ]] && chmod u-x,go-wx /etc/issue
\ No newline at end of file
diff --git a/remediation-kits/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh b/remediation-kits/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh
index d8556acfff577eaeb54e5ec62fa41d8b8aa52569..375556c96e8060d3391b8b1a6430fa4ee8bf9a5a 100644
--- a/remediation-kits/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh
+++ b/remediation-kits/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh
@@ -1 +1 @@
-dnf install firewalld nftables iptables -y
\ No newline at end of file
+dnf install firewalld nftables iptables iptables-services -y
\ No newline at end of file
diff --git a/remediation-kits/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh b/remediation-kits/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh
index 8eb80a61a926fcb4ae11145498c7b2b6f5fb645a..bf6735409bec5c0ab9f1d2262a21f6913f21f876 100644
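Review bot: Adding `iptables-services` in the 4.58 hunk installs a third competing front-end for the same packet filter, and the rest of the kit then pulls in different directions: 4.59 (L22) enables firewalld, 4.62 (L23) enables nftables, 4.60 (L23) masks iptables and 4.65 (L24) masks firewalld, so the resulting firewall state depends on which scripts a host runs and in what order. The benchmark items these scripts appear to mirror expect one of the three to be chosen and the others masked; the choice should be a single kit-level setting that 4.58 through 4.65 all consult, rather than enabling both firewalld and the nftables service. If the only goal of this line is to satisfy a "some firewall package is present" check, installing one package is enough.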
--- a/remediation-kits/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh
+++ b/remediation-kits/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh
@@ -1 +1,17 @@
-systemctl --now enable firewalld
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa firewalld)" ]; then
+ result=$(systemctl is-enabled firewalld)
+ if [[ $result == "enabled" ]] ; then
+ :
+ elif [[ $result == "masked" ]] ; then
+ systemctl --now unmask firewalld
+ systemctl --now enable firewalld
+ elif [[ $result == "disabled" ]] ; then
+ systemctl --now enable firewalld
+ else
+ :
+ fi
+else
+ :
+fi
\ No newline at end of file
diff --git a/remediation-kits/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh b/remediation-kits/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh
index 62b717187106a63d5b586d434d705ca7335af3a9..f06a2bdccc87c96d0d716dc15abe5ed82ffe683b 100644
--- a/remediation-kits/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh
+++ b/remediation-kits/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh
@@ -1,2 +1,2 @@
-chown root:root /etc/issue.net
-chmod u-x,go-wx /etc/issue.net
\ No newline at end of file
+[[ -e /etc/issue.net ]] && chown chown root:root /etc/issue.net
+[[ -e /etc/issue.net ]] && chown chmod u-x,go-wx /etc/issue.net
\ No newline at end of file
diff --git a/remediation-kits/system-configurations/4.60-ensure-iptables-is-not-enabled.sh b/remediation-kits/system-configurations/4.60-ensure-iptables-is-not-enabled.sh
index d3e81ef14b72b4b064d85133cfdf9487fc20d22d..4145f02e4e1d54a9f8cf4bc1e9f949eb2e4be738 100644
--- a/remediation-kits/system-configurations/4.60-ensure-iptables-is-not-enabled.sh
+++ b/remediation-kits/system-configurations/4.60-ensure-iptables-is-not-enabled.sh
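Review bot: Both new lines of the 4.6 hunk carry a stray leading `chown`: `chown chown root:root /etc/issue.net` tries to hand the file to a user named `chown` and fails with an invalid-user error, and `chown chmod u-x,go-wx /etc/issue.net` never runs chmod at all, so the file's ownership and mode are left untouched while the script exits non-zero. The lines should read `[[ -e /etc/issue.net ]] && chown root:root /etc/issue.net` and `[[ -e /etc/issue.net ]] && chmod u-x,go-wx /etc/issue.net`, matching 4.5 (L21).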
@@ -1 +1 @@
-systemctl --now mask iptables
\ No newline at end of file
+rpm -q iptables-services | grep -Psq "^iptables\-services.*" && systemctl is-enabled iptables | grep -Psiq "^enabled" && systemctl --now mask iptables.service
\ No newline at end of file
diff --git a/remediation-kits/system-configurations/4.61-ensure-nftables-is-not-enabled.sh b/remediation-kits/system-configurations/4.61-ensure-nftables-is-not-enabled.sh
index e4bb3023d1c6cf60b706f206277bb3237bb72b9d..384e893b6193efde2cbe394c5c229c129dab1a3e 100644
--- a/remediation-kits/system-configurations/4.61-ensure-nftables-is-not-enabled.sh
+++ b/remediation-kits/system-configurations/4.61-ensure-nftables-is-not-enabled.sh
@@ -1 +1 @@
-systemctl --now mask nftables
\ No newline at end of file
+rpm -q nftables | grep -Psq "^nftables\-*" && systemctl is-enabled nftables | grep -Psiq "^enabled" && systemctl --now mask nftables
\ No newline at end of file
diff --git a/remediation-kits/system-configurations/4.62-ensure-nftables-service-is-enabled.sh b/remediation-kits/system-configurations/4.62-ensure-nftables-service-is-enabled.sh
index ac348d0d53c1d407f669fe43455f2a79333c8c2b..326e27c299bcc479c5b167c70492ed5ea3474593 100644
--- a/remediation-kits/system-configurations/4.62-ensure-nftables-service-is-enabled.sh
+++ b/remediation-kits/system-configurations/4.62-ensure-nftables-service-is-enabled.sh
@@ -1 +1,17 @@
-systemctl --now enable nftables
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa nftables)" ]; then
+ result=$(systemctl is-enabled nftables)
+ if [[ $result == "enabled" ]] ; then
+ :
+ elif [[ $result == "masked" ]] ; then
+ systemctl --now unmask nftables
+ systemctl --now enable nftables
+ elif [[ $result == "disabled" ]] ; then
+ systemctl --now enable nftables
+ else
+ :
+ fi
+else
+ :
+fi
\ No newline at end of file
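Review bot: Gating the mask on `systemctl is-enabled iptables` in the 4.60 hunk leaves a unit that is disabled but currently active running, because enablement and activity are independent states; the original unconditional `systemctl --now mask` stopped it in every case and is harmless on an already-masked unit, so the new guard gives up coverage and gains only the not-installed case. Keep just the package test: `rpm -q iptables-services >/dev/null 2>&1 && systemctl --now mask iptables.service` (`rpm -q` already exits non-zero when the package is missing, so piping it to grep is redundant). 4.61 and 4.65 (L24) use the same gate for nftables and firewalld; in 4.61 the pattern `^nftables\-*` matches any line starting with `nftables`, since `\-*` is zero or more hyphens, which is probably not what was intended.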
diff --git a/remediation-kits/system-configurations/4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh b/remediation-kits/system-configurations/4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh
index a536a55fb3128e79c9898de6493f831ac09a3c85..5be62a6381fca480d35461be055d4a6170ba341f 100644
--- a/remediation-kits/system-configurations/4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh
+++ b/remediation-kits/system-configurations/4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh
@@ -1 +1 @@
-systemctl --now mask firewalld
\ No newline at end of file
+rpm -q firewalld | grep -Psq "^firewalld\-" && systemctl is-enabled firewalld | grep -Psiq "^enabled" && systemctl --now mask firewalld
\ No newline at end of file
diff --git a/remediation-kits/system-configurations/4.8-ensure-aide-is-installed.sh b/remediation-kits/system-configurations/4.8-ensure-aide-is-installed.sh
index dae797c3345a2853a82955f4da5a5a5b8e7c87b4..d968bf54bc853895cd0b8adb7971c9af126a8fe2 100644
--- a/remediation-kits/system-configurations/4.8-ensure-aide-is-installed.sh
+++ b/remediation-kits/system-configurations/4.8-ensure-aide-is-installed.sh
@@ -1,3 +1,9 @@
-dnf install aide -y
-aide --init
-mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ ! "$(rpm -qa aide)" ]; then
+ dnf install aide -y
+ aide --init
+ mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
+else
+ :
+fi
\ No newline at end of file
diff --git a/scanners/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh b/scanners/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh
index ce6ffb4b521a2c1a03dbfd747273472aaefa61da..0863d3460d58f6932b9a0ddef78afe093f5bb29d 100644
--- a/scanners/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh
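Review bot: In the 4.8 hunk the AIDE database is initialised only on the install path: when the package is already present but /var/lib/aide/aide.db.gz has never been created or was removed, the script takes the `:` branch and leaves AIDE without a baseline, while the install path runs `aide --init` and the `mv` even if `dnf install` failed. Decouple the two conditions: `rpm -q aide >/dev/null 2>&1 || dnf install aide -y` and then `[[ -f /var/lib/aide/aide.db.gz ]] || { aide --init && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz; }`. The database paths are whatever aide.conf's `database`/`database_out` resolve to; the hard-coded ones here are assumed to match the distribution default.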
+++ b/scanners/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh @@ -1,6 +1,6 @@ result=false -sysctl kernel.randomize_va_space|grep -Psq "^kernel\.randomize\_va\_space\s+=\s+2$" && grep -Psq "^kernel\.randomize_va_space\s+=\s+2" /run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf && result=true +sysctl kernel.randomize_va_space|grep -Psq "^kernel\.randomize\_va\_space\s+=\s+2$" && grep -Psq "^kernel\.randomize_va_space\s*=\s*2" /run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf && result=true if [ "$result" = true ] ; then echo "pass" diff --git a/scanners/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh b/scanners/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh index a222e4177825accbccdd6c7cae0cbc94f3e50db5..3754a3ccbdc098ae9e75991e5a304f5222051533 100644 --- a/scanners/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh +++ b/scanners/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh @@ -1,6 +1,6 @@ result="" -rpm -qa | grep -Psq "^iptables\-.*" && result=true +rpm -qa | grep -Psq "^iptables\-.*" && rpm -qa | grep -Psq "^iptables\-services.*" && result=true [ -z "$result" ] && rpm -q nftables | grep -Psq "^nftables\-.*" && result=true [ -z "$result" ] && rpm -q firewalld | grep -Psq "^firewalld\-.*" && result=true
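Review bot: The relaxed persisted-config pattern in the scanner still has no end anchor, so `kernel.randomize_va_space = 20` or `= 2x` also passes, and because the six globs are checked together a file that sets the value to 2 satisfies the check even when a higher-precedence file sets it to 0; the runtime half of the check only catches that until the next reboot. Anchoring the pattern, `grep -Psq "^kernel\.randomize_va_space\s*=\s*2\s*$"`, closes the first gap; the second needs the last effective setting rather than any match, which is a larger change. The `grep -Psq` over the globs also silently passes over a missing directory thanks to `-s`, which is fine, but a literal unmatched glob is then handed to grep as a filename, so `shopt -s nullglob` at the top of the scanner would be cleaner.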