From e0aa9a5be80059ad6d1d41d1ab617de5c62172f7 Mon Sep 17 00:00:00 2001 
From: Yuqing Yang Date: Tue, 21 Nov 2023 14:37:38 +0800 Subject: [PATCH 1/3] Idempotent support: remediation-kits/access-and-control/1.1-ensure-cron-daemon-is-enabled.sh remediation-kits/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh remediation-kits/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh remediation-kits/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh remediation-kits/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh remediation-kits/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh remediation-kits/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh remediation-kits/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh remediation-kits/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh remediation-kits/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh remediation-kits/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh remediation-kits/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh remediation-kits/logging-and-auditing/2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.sh remediation-kits/logging-and-auditing/2.12-ensure-rsyslog-is-installed.sh remediation-kits/logging-and-auditing/2.13-ensure-rsyslog-service-is-enabled.sh remediation-kits/logging-and-auditing/2.19-ensure-audit-is-installed.sh remediation-kits/logging-and-auditing/2.2-ensure-only-authorized-users-own-audit-log-files.sh remediation-kits/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh remediation-kits/logging-and-auditing/2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive.sh remediation-kits/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh 
remediation-kits/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh remediation-kits/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh remediation-kits/system-configurations/4.44-ensure-sctp-is-disabled.sh remediation-kits/system-configurations/4.45-ensure-dccp-is-disabled.sh remediation-kits/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh remediation-kits/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh remediation-kits/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh remediation-kits/system-configurations/4.60-ensure-iptables-is-not-enabled.sh remediation-kits/system-configurations/4.61-ensure-nftables-is-not-enabled.sh remediation-kits/system-configurations/4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh remediation-kits/system-configurations/4.8-ensure-aide-is-installed.sh 
Signed-off-by: Yuqing Yang --- .../1.1-ensure-cron-daemon-is-enabled.sh | 13 +++++++++++- ...1.13-ensure-ssh-loglevel-is-appropriate.sh | 20 ++++++++++++++++++- ...1.15-ensure-ssh-ignorerhosts-is-enabled.sh | 12 ++++++++++- ...rmissions-on-etc-crontab-are-configured.sh | 3 +-- ...re-ssh-maxsessions-is-set-to-10-or-less.sh | 16 +++++++++++++-- ...sions-on-etc-cron.hourly-are-configured.sh | 3 +-- ...ssions-on-etc-cron.daily-are-configured.sh | 3 +-- ...sions-on-etc-cron.weekly-are-configured.sh | 3 +-- ...ions-on-etc-cron.monthly-are-configured.sh | 3 +-- ...ermissions-on-etc-cron.d-are-configured.sh | 3 +-- ...-cron-is-restricted-to-authorized-users.sh | 13 +++++------- ...s-on-etc-ssh-sshd_config-are-configured.sh | 3 +-- ...-write-accessible-by-unauthorized-users.sh | 2 +- .../2.12-ensure-rsyslog-is-installed.sh | 8 +++++++- .../2.13-ensure-rsyslog-service-is-enabled.sh | 18 ++++++++++++++++- .../2.19-ensure-audit-is-installed.sh | 10 +++++++++- ...ly-authorized-users-own-audit-log-files.sh | 2 +- .../2.20-ensure-audit-service-is-enabled.sh | 18 ++++++++++++++++- ...g-directory-is-0750-or-more-restrictive.sh | 2 +- ...-layout-randomization-(ASLR)-is-enabled.sh | 17 +++++++++++++--- ...system-wide-crypto-policy-is-not-legacy.sh | 5 +---- ...-permissions-on-etc-motd-are-configured.sh | 4 ++-- .../4.44-ensure-sctp-is-disabled.sh | 10 +++++++--- .../4.45-ensure-dccp-is-disabled.sh | 10 +++++++--- ...permissions-on-etc-issue-are-configured.sh | 4 ++-- ...irewalld-service-is-enabled-and-running.sh | 18 ++++++++++++++++- ...issions-on-etc-issue.net-are-configured.sh | 4 ++-- .../4.60-ensure-iptables-is-not-enabled.sh | 2 +- .../4.61-ensure-nftables-is-not-enabled.sh | 2 +- ...-is-not-installed-or-stopped-and-masked.sh | 2 +- .../4.8-ensure-aide-is-installed.sh | 12 ++++++++--- 31 files changed, 185 insertions(+), 60 deletions(-) 
diff --git a/remediation-kits/access-and-control/1.1-ensure-cron-daemon-is-enabled.sh b/remediation-kits/access-and-control/1.1-ensure-cron-daemon-is-enabled.sh
index 4957a2d..7d19ce4 100644
--- a/remediation-kits/access-and-control/1.1-ensure-cron-daemon-is-enabled.sh
+++ b/remediation-kits/access-and-control/1.1-ensure-cron-daemon-is-enabled.sh
@@ -1 +1,12 @@
-systemctl --now enable crond
\ No newline at end of file
+result=$(systemctl is-enabled crond)
+
+if [[ $result == "enabled" ]] ; then
+ :
+elif [[ $result == "masked" ]] ; then
+ systemctl --now unmask crond
+ systemctl --now enable crond
+elif [[ $result == "disabled" ]] ; then
+ systemctl --now enable crond
+else
+ :
+fi
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh b/remediation-kits/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh
index c4f7476..6fb48c0 100644
--- a/remediation-kits/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh
+++ b/remediation-kits/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh
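Review bot: The `enabled` branch is a no-op, so a crond unit that is enabled but currently stopped is never started, whereas the replaced `systemctl --now enable crond` also started it; the same pattern is repeated in the new 2.13, 2.20 and 4.59 hunks, and 4.59's title even asks for "enabled-and-running". The closing `else :` additionally swallows `static`, `indirect`, `not-found` and an empty `result` (unit missing, or systemctl failing), all of which are left silently unremediated. I would make the first branch `if [[ $result == "enabled" ]] ; then systemctl is-active --quiet crond || systemctl start crond` and print the unhandled state to stderr in the `else` branch so a run that changed nothing is distinguishable from one that could not.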
@@ -1 +1,19 @@
-grep -Eq "^(\s*)LogLevel\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)LogLevel\s+\S+(\s*#.*)?\s*$/\1LogLevel INFO\2/" /etc/ssh/sshd_config || echo "LogLevel INFO" >> /etc/ssh/sshd_config
+sshLogLevelCount=$(grep -icP "Loglevel\s+.*" /etc/ssh/sshd_config)
+sshLogLevel=$(grep -iP "Loglevel\s+.*" /etc/ssh/sshd_config)
+sshLogLevelNum=$(grep -iPn "Loglevel\s+.*" /etc/ssh/sshd_config | cut -d: -f1)
+
+[[ $sshLogLevelCount -gt 1 ]] && exit 1
+
+if [[ -z $sshLogLevel ]] ; then
+ echo "LogLevel INFO" >> /etc/ssh/sshd_config
+elif [[ $(echo $sshLogLevel | grep -iP "^#+\s*LogLevel\s+(INFO|VERBOSE)") ]] ; then
+ #sed -ri "$sshLogLevelNum s/#//" /etc/ssh/sshd_config
+ :
+elif [[ $(echo $sshLogLevel | grep -iP "^LogLevel\s+(INFO|VERBOSE)") ]] ; then
+ :
+else
+ sed -i "$sshLogLevelNum"d /etc/ssh/sshd_config
+ echo "LogLevel INFO" >> /etc/ssh/sshd_config
+fi
+
+systemctl restart sshd.service
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh b/remediation-kits/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh
index ae6c476..f7a79c3 100644
--- a/remediation-kits/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh
+++ b/remediation-kits/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh
@@ -1 +1,11 @@
-grep -Eq "^(\s*)IgnoreRhosts\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)IgnoreRhosts\s+\S+(\s*#.*)?\s*$/\1IgnoreRhosts yes\2/" /etc/ssh/sshd_config || echo "IgnoreRhosts yes" >> /etc/ssh/sshd_config
+IgnoreRhosts=$(grep -E "^(\s*)IgnoreRhosts\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config | awk '{print $2}')
+
+if [[ -z $IgnoreRhosts ]] ; then
+ :
+elif [[ $IgnoreRhosts == 'no' ]] ; then
+ sed -ri "s/^(\s*)IgnoreRhosts\s+\S+(\s*#.*)?\s*$/\1IgnoreRhosts yes\2/" /etc/ssh/sshd_config
+else
+ :
+fi
+
+systemctl restart sshd.service
\ No newline at end of file
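Review bot: The three `grep -i "Loglevel\s+.*"` patterns are unanchored and case-insensitive, so they also count the commented `#LogLevel INFO` line that a stock sshd_config ships with; a host that has that comment plus one real `LogLevel` directive gets `sshLogLevelCount=2` and the script does `exit 1` without remediating anything, and any other line that merely contains "loglevel" has the same effect. The second `elif` then treats a commented-out `#LogLevel INFO` as compliant, so nothing is enforced in that case (sshd's built-in default is INFO, so this may be intended, but a comment should say so). I would anchor the three greps to active directives, e.g. `grep -icP "^\s*LogLevel\s+" /etc/ssh/sshd_config`, so comments are neither counted nor matched, and print the reason to stderr before the `exit 1`. `$(echo $sshLogLevel | ...)` is also unquoted, and `sshLogLevelNum` can hold several line numbers, which makes `sed -i "$sshLogLevelNum"d` fail exactly in the multi-match case.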
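Review bot: `systemctl restart sshd.service` runs unconditionally and without validating the edited file first, so an sshd_config that no longer parses (from this or an earlier kit's `sed`) takes the daemon down and cuts off remote access to the host; the same unconditional restart is added in 1.13 and 1.25 of this patch and in 1.14–1.23 of patch 2/3. A restart also drops every established session, which `reload` (SIGHUP) does not, and re-running the kit restarts sshd even when nothing changed, which works against the stated idempotency goal. I would replace the last line with `sshd -t && systemctl reload sshd.service` and reach it only from the branch that actually edited the file.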
diff --git a/remediation-kits/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh b/remediation-kits/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh
index f251501..017bb83 100644
--- a/remediation-kits/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh
+++ b/remediation-kits/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh
@@ -1,2 +1 @@
-chown root:root /etc/crontab
-chmod og-rwx /etc/crontab
\ No newline at end of file
+[[ -e /etc/crontab ]] && chown root:root /etc/crontab && chmod og-rwx /etc/crontab
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh b/remediation-kits/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh
index 9bcb24d..486b9b3 100644
--- a/remediation-kits/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh
+++ b/remediation-kits/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh
@@ -1,2 +1,14 @@
-grep -Psq "^(\s*)MaxSessions\s+[1-9][0]{0,1}$" /etc/ssh/sshd_config || sed -ri 's/^(\s*)MaxSessions\s+[1-9][0-9]{0,}$/MaxSessions 10/g' /etc/ssh/sshd_config
-grep -Psq "^(\s*)MaxSessions\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config || echo "MaxSessions 10" >> /etc/ssh/sshd_config
\ No newline at end of file
+maxSessions=$(grep -iP "^(\s*)MaxSessions\s+" /etc/ssh/sshd_config)
+maxSessionsNum=$(grep -iP "^(\s*)MaxSessions\s+" /etc/ssh/sshd_config | awk '{print $2}')
+
+if [[ -z $maxSessions && -z $maxSessionsNum ]] ; then
+ echo "MaxSessions 10" >> /etc/ssh/sshd_config
+elif [[ -n $maxSessions && $maxSessionsNum -le 10 ]] ; then
+ :
+elif [[ -n $maxSessions && $maxSessionsNum -gt 10 ]] ; then
+ sed -ri 's/^(\s*)MaxSessions\s+.*/MaxSessions 10/g' /etc/ssh/sshd_config
+else
+ :
+fi
+
+systemctl restart sshd.service
\ No newline at end of file
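Review bot: When `/etc/crontab` is absent the `[[ -e ... ]] && ...` chain is the script's last command, so the script exits 1 even though there was nothing to remediate; 2.12's explicit `exit 1` suggests the harness reads exit codes, in which case this no-op is reported as a failure. The same shape is used in 1.3–1.7, 1.9, 2.4, 4.4, 4.5 and 4.6. Writing it as `if [[ -e /etc/crontab ]]; then chown root:root /etc/crontab; chmod og-rwx /etc/crontab; fi` (or ending with an explicit `exit 0`) keeps the guard and returns 0 for the absent case.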
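Review bot: `$maxSessionsNum -le 10` is an arithmetic test on whatever `awk '{print $2}'` printed, so two `MaxSessions` directives (for instance one inside a `Match` block) or a non-numeric value make `[[ ]]` raise an expression error; both `elif`s then fail and the script falls through to `else :`, leaving a value above 10 in place. The `sed` in the third branch also rewrites every matching line to `MaxSessions 10` at column 0, dropping the indentation and trailing comment that the replaced `\1...\2` capture preserved. I would keep only the first value, `maxSessionsNum=$(grep -iP "^(\s*)MaxSessions\s+" /etc/ssh/sshd_config | awk 'NR==1{print $2}')`, and guard the comparison with `[[ $maxSessionsNum =~ ^[0-9]+$ ]]`.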
diff --git a/remediation-kits/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh b/remediation-kits/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh
index ca921af..f0513a8 100644
--- a/remediation-kits/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh
+++ b/remediation-kits/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh
@@ -1,2 +1 @@
-chown root:root /etc/cron.hourly
-chmod og-rwx /etc/cron.hourly
\ No newline at end of file
+[[ -e /etc/cron.hourly ]] && chown root:root /etc/cron.hourly && chmod og-rwx /etc/cron.hourly
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh b/remediation-kits/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh
index 7456948..aaec1f4 100644
--- a/remediation-kits/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh
+++ b/remediation-kits/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh
@@ -1,2 +1 @@
-chown root:root /etc/cron.daily
-chmod og-rwx /etc/cron.daily
\ No newline at end of file
+[[ -e /etc/cron.daily ]] && chown root:root /etc/cron.daily && chmod og-rwx /etc/cron.daily
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh b/remediation-kits/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh
index 8401af7..1cb124a 100644
--- a/remediation-kits/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh
+++ b/remediation-kits/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh
@@ -1,2 +1 @@
-chown root:root /etc/cron.weekly
-chmod og-rwx /etc/cron.weekly
\ No newline at end of file
+[[ -e /etc/cron.weekly ]] && chown root:root /etc/cron.weekly && chmod og-rwx /etc/cron.weekly
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh b/remediation-kits/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh
index 5b358b1..96c90b1 100644
--- a/remediation-kits/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh
+++ b/remediation-kits/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh
@@ -1,2 +1 @@
-chown root:root /etc/cron.monthly
-chmod og-rwx /etc/cron.monthly
\ No newline at end of file
+[[ -e /etc/cron.monthly ]] && chown root:root /etc/cron.monthly && chmod og-rwx /etc/cron.monthly
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh b/remediation-kits/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh
index 28f7a79..b043518 100644
--- a/remediation-kits/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh
+++ b/remediation-kits/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh
@@ -1,2 +1 @@
-chown root:root /etc/cron.d
-chmod og-rwx /etc/cron.d
\ No newline at end of file
+[[ -e /etc/cron.d ]] && chown root:root /etc/cron.d && chmod og-rwx /etc/cron.d
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh b/remediation-kits/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh
index 4a0d327..f237fcc 100644
--- a/remediation-kits/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh
+++ b/remediation-kits/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh
@@ -1,8 +1,5 @@
-rm -f /etc/cron.deny
-rm -f /etc/at.deny
-touch /etc/cron.allow
-touch /etc/at.allow
-chmod og-rwx /etc/cron.allow
-chmod og-rwx /etc/at.allow
-chown root:root /etc/cron.allow
-chown root:root /etc/at.allow
\ No newline at end of file
+[[ -e /etc/cron.deny ]] && rm -f /etc/cron.deny
+[[ -e /etc/at.deny ]] && rm -f /etc/at.deny
+[[ ! -e /etc/cron.allow ]] && touch /etc/cron.allow
+[[ ! -e /etc/at.allow ]] && touch /etc/at.allow
+[[ -e /etc/cron.allow ]] && chmod og-rwx /etc/cron.allow && chmod og-rwx /etc/at.allow && chown root:root /etc/cron.allow && chown root:root /etc/at.allow
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh b/remediation-kits/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh
index fa20c49..f44bbbf 100644
--- a/remediation-kits/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh
+++ b/remediation-kits/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh
@@ -1,2 +1 @@
-chown root:root /etc/ssh/sshd_config
-chmod og-rwx /etc/ssh/sshd_config
\ No newline at end of file
+[[ -e /etc/ssh/sshd_config ]] && chown root:root /etc/ssh/sshd_config && chmod og-rwx /etc/ssh/sshd_config
\ No newline at end of file
diff --git a/remediation-kits/logging-and-auditing/2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.sh b/remediation-kits/logging-and-auditing/2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.sh
index 53d1c1f..40d9c8d 100644
--- a/remediation-kits/logging-and-auditing/2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.sh
+++ b/remediation-kits/logging-and-auditing/2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.sh
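Review bot: The last line guards on `/etc/cron.allow` only, yet chmods and chowns `/etc/at.allow` inside the same `&&` chain, so a failing `chmod og-rwx /etc/at.allow` stops the chain before `chown root:root /etc/cron.allow` ever runs; since the two `touch` lines just created both files, the guard adds nothing and each file should be handled on its own. I would split it into `chmod og-rwx /etc/cron.allow && chown root:root /etc/cron.allow` and `chmod og-rwx /etc/at.allow && chown root:root /etc/at.allow`, or simply keep the replaced four unconditional lines, which were already idempotent.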
@@ -1 +1 @@
-chmod 0600 /var/log/audit/*
\ No newline at end of file
+[[ $(ls -A /var/log/audit/) ]] && chmod 0600 /var/log/audit/*
\ No newline at end of file
diff --git a/remediation-kits/logging-and-auditing/2.12-ensure-rsyslog-is-installed.sh b/remediation-kits/logging-and-auditing/2.12-ensure-rsyslog-is-installed.sh
index 91ab257..427c6bd 100644
--- a/remediation-kits/logging-and-auditing/2.12-ensure-rsyslog-is-installed.sh
+++ b/remediation-kits/logging-and-auditing/2.12-ensure-rsyslog-is-installed.sh
@@ -1 +1,7 @@
-yum install rsyslog -y
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ ! "$(rpm -qa rsyslog | grep -i "rsyslog\-")" ]; then
+ yum install rsyslog -y
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/remediation-kits/logging-and-auditing/2.13-ensure-rsyslog-service-is-enabled.sh b/remediation-kits/logging-and-auditing/2.13-ensure-rsyslog-service-is-enabled.sh
index d942028..f94941b 100644
--- a/remediation-kits/logging-and-auditing/2.13-ensure-rsyslog-service-is-enabled.sh
+++ b/remediation-kits/logging-and-auditing/2.13-ensure-rsyslog-service-is-enabled.sh
@@ -1 +1,17 @@
-systemctl --now enable rsyslog
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa rsyslog)" ]; then
+ result=$(systemctl is-enabled rsyslog.service)
+ if [[ $result == "enabled" ]] ; then
+ :
+ elif [[ $result == "masked" ]] ; then
+ systemctl --now unmask rsyslog.service
+ systemctl --now enable rsyslog.service
+ elif [[ $result == "disabled" ]] ; then
+ systemctl --now enable rsyslog.service
+ else
+ :
+ fi
+else
+ :
+fi
\ No newline at end of file
diff --git a/remediation-kits/logging-and-auditing/2.19-ensure-audit-is-installed.sh b/remediation-kits/logging-and-auditing/2.19-ensure-audit-is-installed.sh
index 91a0537..4166cbb 100644
--- a/remediation-kits/logging-and-auditing/2.19-ensure-audit-is-installed.sh
+++ b/remediation-kits/logging-and-auditing/2.19-ensure-audit-is-installed.sh
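Review bot: `[[ $(ls -A /var/log/audit/) ]]` parses `ls` output only to learn whether the glob on the right would match, and the glob `/var/log/audit/*` still applies `0600` to any subdirectory, which makes it untraversable; the 2.2 hunk uses the same construct for `chown`. A glob loop with an existence check, `for f in /var/log/audit/*; do [[ -f "$f" ]] && chmod 0600 -- "$f"; done`, needs no `ls`, is a clean no-op on an empty or missing directory and restricts the mode change to regular files.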
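Review bot: The `else exit 1` branch turns the already-compliant case (rsyslog installed) into the failure path, which is the reverse of what an idempotent remediation should report and is inconsistent with the sibling 2.19 and 4.8 hunks, which use `:` there. `rpm -qa rsyslog | grep -i "rsyslog\-"` can also be replaced by the package query's own exit status. I would write the whole check as `if ! rpm -q rsyslog >/dev/null 2>&1; then yum install rsyslog -y; fi`.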
@@ -1 +1,9 @@
-dnf install audit audit-libs -y
+export LANG="en_US.UTF-8"
+
+if [ ! "$(rpm -qa audit)" ]; then
+ yum install audit -y
+elif [ ! "$(rpm -qa audit-libs)" ]; then
+ yum install audit-libs -y
+else
+ :
+fi
\ No newline at end of file
diff --git a/remediation-kits/logging-and-auditing/2.2-ensure-only-authorized-users-own-audit-log-files.sh b/remediation-kits/logging-and-auditing/2.2-ensure-only-authorized-users-own-audit-log-files.sh
index cd7d55b..3c762f4 100644
--- a/remediation-kits/logging-and-auditing/2.2-ensure-only-authorized-users-own-audit-log-files.sh
+++ b/remediation-kits/logging-and-auditing/2.2-ensure-only-authorized-users-own-audit-log-files.sh
@@ -1 +1 @@
-chown root /var/log/audit/*
\ No newline at end of file
+[[ $(ls -A /var/log/audit/) ]] && chown root /var/log/audit/*
\ No newline at end of file
diff --git a/remediation-kits/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh b/remediation-kits/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh
index 4defd20..b33ca4a 100644
--- a/remediation-kits/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh
+++ b/remediation-kits/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh
@@ -1 +1,17 @@
-systemctl --now enable auditd
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa audit)" ]; then
+ result=$(systemctl is-enabled auditd.service)
+ if [[ $result == "enabled" ]] ; then
+ :
+ elif [[ $result == "masked" ]] ; then
+ systemctl --now unmask auditd.service
+ systemctl --now enable auditd.service
+ elif [[ $result == "disabled" ]] ; then
+ systemctl --now enable auditd.service
+ else
+ :
+ fi
+else
+ :
+fi
\ No newline at end of file
diff --git a/remediation-kits/logging-and-auditing/2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive.sh b/remediation-kits/logging-and-auditing/2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive.sh
index 7e4aa80..7db2548 100644
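Review bot: The `elif` makes the `audit-libs` check unreachable whenever `audit` is missing, so a host lacking both packages only gets what `yum install audit` happens to pull in by dependency, while the replaced line installed both explicitly (and used `dnf`, whereas the new code switches to `yum`). Two independent `if` statements, one per package, keep both checks in every run.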
--- a/remediation-kits/logging-and-auditing/2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive.sh
+++ b/remediation-kits/logging-and-auditing/2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive.sh
@@ -1 +1 @@
-chmod -R g-w,o-rwx /var/log/audit
\ No newline at end of file
+[[ -d /var/log/audit ]] && chmod -R g-w,o-rwx /var/log/audit
\ No newline at end of file
diff --git a/remediation-kits/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh b/remediation-kits/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh
index b11695d..91b937f 100644
--- a/remediation-kits/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh
+++ b/remediation-kits/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh
@@ -1,4 +1,15 @@
-printf "
-kernel.randomize_va_space = 2
-" >> /etc/sysctl.d/50-kernel_sysctl.conf
+conFile=$(grep -Ps "^kernel\.randomize_va_space\s*=" /run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf | cut -f1 -d:)
+
+conNum=$(grep -Ps "^kernel\.randomize_va_space\s*=" /run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf | cut -f2 -d= | sed -r 's/\s//g')
+
+if [[ -z $conFile && -z $conNum ]] ; then
+ echo "kernel.randomize_va_space = 2" >> /etc/sysctl.d/50-kernel_sysctl.conf
+elif [[ -n $conFile && -n $conNum && $conNum -eq 2 ]] ; then
+ :
+elif [[ -n $conFile && -n $conNum && $conNum -ne 2 ]] ; then
+ sed -ri 's/^kernel\.randomize_va_space.*/kernel.randomize_va_space = 2/g' $conFile
+else
+ :
+fi
+
 sysctl -w kernel.randomize_va_space=2
\ No newline at end of file
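Review bot: `conFile` and `conNum` come from one grep over six directories, so with more than one matching file (e.g. `/etc/sysctl.conf` plus a drop-in) both hold several newline-separated values; `$conNum -eq 2` is then, as far as I can tell, a bash expression error, both `elif`s fail and the script ends in `else :` without rewriting the non-compliant file, and which file wins at boot depends on sysctl's load order rather than on the first grep hit. Since the `sed` rewrite is itself idempotent, I would drop the value comparison and apply it to every matching file, `elif [[ -n $conFile ]] ; then sed -ri 's/^kernel\.randomize_va_space.*/kernel.randomize_va_space = 2/g' $conFile`, which also removes the duplicated grep that builds `conNum`.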
diff --git a/remediation-kits/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh b/remediation-kits/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh
index 5879a63..558827c 100644
--- a/remediation-kits/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh
+++ b/remediation-kits/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh
@@ -1,4 +1 @@
-dnf install pip -y
-pip install toml
-update-crypto-policies --set DEFAULT
-update-crypto-policies
\ No newline at end of file
+grep -Eiq '^\s*LEGACY\s*(\s+#.*)?$' /etc/crypto-policies/config && update-crypto-policies --set DEFAULT && update-crypto-policies
\ No newline at end of file
diff --git a/remediation-kits/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh b/remediation-kits/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh
index 47bfd85..50d5a4d 100644
--- a/remediation-kits/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh
+++ b/remediation-kits/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh
@@ -1,4 +1,4 @@
-chown root:root /etc/motd
-chmod u-x,go-wx /etc/motd
+[[ -e /etc/motd ]] && chown root:root /etc/motd
+[[ -e /etc/motd ]] && chmod u-x,go-wx /etc/motd
 [[ -f /var/lib/update-motd/motd ]] && chown root:root /var/lib/update-motd/motd
 [[ -f /var/lib/update-motd/motd ]] && chmod u-x,go-wx /var/lib/update-motd/motd
\ No newline at end of file
diff --git a/remediation-kits/system-configurations/4.44-ensure-sctp-is-disabled.sh b/remediation-kits/system-configurations/4.44-ensure-sctp-is-disabled.sh
index fbce061..6d5bee2 100644
--- a/remediation-kits/system-configurations/4.44-ensure-sctp-is-disabled.sh
+++ b/remediation-kits/system-configurations/4.44-ensure-sctp-is-disabled.sh
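Review bot: The regex `^\s*LEGACY\s*(\s+#.*)?$` only matches a bare `LEGACY` policy, so a config written as `LEGACY:<subpolicy>` (the `POLICY:MODIFIER` form that update-crypto-policies accepts) is not detected and stays in force. Matching the policy name followed by a colon, whitespace or end of line, `grep -Eiq '^\s*LEGACY(\s|:|$)' /etc/crypto-policies/config`, covers that case; the trailing bare `update-crypto-policies` is redundant after `--set`, which already regenerates the back-end configuration.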
@@ -1,3 +1,7 @@
-printf "
-install sctp /bin/true
-" >> /etc/modprobe.d/sctp.conf
\ No newline at end of file
+modprobe -n -vq sctp
+
+if [[ $? -eq 0 ]]; then
+ :
+else
+ echo -e "\ninstall sctp /bin/true" >> /etc/modprobe.d/sctp.conf
+fi
\ No newline at end of file
diff --git a/remediation-kits/system-configurations/4.45-ensure-dccp-is-disabled.sh b/remediation-kits/system-configurations/4.45-ensure-dccp-is-disabled.sh
index fde1833..3a2db01 100644
--- a/remediation-kits/system-configurations/4.45-ensure-dccp-is-disabled.sh
+++ b/remediation-kits/system-configurations/4.45-ensure-dccp-is-disabled.sh
@@ -1,3 +1,7 @@
-printf "
-install dccp /bin/true
-" >> /etc/modprobe.d/dccp.conf
\ No newline at end of file
+modprobe -n -vq dccp
+
+if [[ $? -eq 0 ]]; then
+ :
+else
+ echo -e "\ninstall dccp /bin/true" >> /etc/modprobe.d/dccp.conf
+fi
\ No newline at end of file
diff --git a/remediation-kits/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh b/remediation-kits/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh
index 050e60a..5acd838 100644
--- a/remediation-kits/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh
+++ b/remediation-kits/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh
@@ -1,2 +1,2 @@
-chown root:root /etc/issue
-chmod u-x,go-wx /etc/issue
\ No newline at end of file
+[[ -e /etc/issue ]] && chown root:root /etc/issue
+[[ -e /etc/issue ]] && chmod u-x,go-wx /etc/issue
\ No newline at end of file
diff --git a/remediation-kits/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh b/remediation-kits/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh
index 8eb80a6..bf67354 100644
--- a/remediation-kits/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh
+++ b/remediation-kits/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh
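Review bot: The `modprobe -n -vq sctp` test appears inverted: a dry-run modprobe exits 0 whenever the module name resolves, which is the case both when it is already mapped to `/bin/true` and when it would really be loaded, so the `install` line is only appended on a kernel that has no sctp module at all and a loadable sctp is left enabled; the 4.45 (dccp) hunk has the same logic. The check should look at what modprobe reports it would do rather than at its exit code, and `echo -e` with a leading `\n` writes no trailing newline, which `printf` handles more cleanly. Something like `if ! modprobe -n -v sctp 2>/dev/null | grep -Eq '^install /bin/(true|false)'; then printf 'install sctp /bin/true\n' >> /etc/modprobe.d/sctp.conf; fi` keeps the run idempotent and fixes the direction.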
@@ -1 +1,17 @@
-systemctl --now enable firewalld
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa firewalld)" ]; then
+ result=$(systemctl is-enabled firewalld)
+ if [[ $result == "enabled" ]] ; then
+ :
+ elif [[ $result == "masked" ]] ; then
+ systemctl --now unmask firewalld
+ systemctl --now enable firewalld
+ elif [[ $result == "disabled" ]] ; then
+ systemctl --now enable firewalld
+ else
+ :
+ fi
+else
+ :
+fi
\ No newline at end of file
diff --git a/remediation-kits/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh b/remediation-kits/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh
index 62b7171..f06a2bd 100644
--- a/remediation-kits/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh
+++ b/remediation-kits/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh
@@ -1,2 +1,2 @@
-chown root:root /etc/issue.net
-chmod u-x,go-wx /etc/issue.net
\ No newline at end of file
+[[ -e /etc/issue.net ]] && chown chown root:root /etc/issue.net
+[[ -e /etc/issue.net ]] && chown chmod u-x,go-wx /etc/issue.net
\ No newline at end of file
diff --git a/remediation-kits/system-configurations/4.60-ensure-iptables-is-not-enabled.sh b/remediation-kits/system-configurations/4.60-ensure-iptables-is-not-enabled.sh
index d3e81ef..4145f02 100644
--- a/remediation-kits/system-configurations/4.60-ensure-iptables-is-not-enabled.sh
+++ b/remediation-kits/system-configurations/4.60-ensure-iptables-is-not-enabled.sh
@@ -1 +1 @@
-systemctl --now mask iptables
\ No newline at end of file
+rpm -q iptables-services | grep -Psq "^iptables\-services.*" && systemctl is-enabled iptables | grep -Psiq "^enabled" && systemctl --now mask iptables.service
\ No newline at end of file
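Review bot: Both new lines in the 4.6 hunk carry a doubled command word, `chown chown root:root /etc/issue.net` and `chown chmod u-x,go-wx /etc/issue.net`: the first passes `chown` as the owner spec and the second passes `chmod`, so both fail with an invalid-user error and `/etc/issue.net` keeps whatever owner and mode it had. They should read `[[ -e /etc/issue.net ]] && chown root:root /etc/issue.net` and `[[ -e /etc/issue.net ]] && chmod u-x,go-wx /etc/issue.net`, matching the 4.5 hunk.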
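Review bot: In the 4.60 hunk the mask is now applied only when `systemctl is-enabled iptables` reports exactly `enabled`, so a unit that is `disabled` but still active, or `static`/`indirect`, is never masked or stopped; 4.61 (nftables) and 4.65 (firewalld) follow the same shape, and 4.65's title asks for "stopped and masked", which an `enabled`-only condition cannot guarantee. Testing for the absence of the target state instead, `rpm -q iptables-services >/dev/null 2>&1 && { systemctl is-enabled iptables 2>/dev/null | grep -qx masked || systemctl --now mask iptables.service; }`, stays idempotent while covering every non-masked state, and it drops the `grep -Psq "^iptables\-services.*"` pipe, since `rpm -q` already returns non-zero when the package is absent.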
diff --git a/remediation-kits/system-configurations/4.61-ensure-nftables-is-not-enabled.sh b/remediation-kits/system-configurations/4.61-ensure-nftables-is-not-enabled.sh
index e4bb302..384e893 100644
--- a/remediation-kits/system-configurations/4.61-ensure-nftables-is-not-enabled.sh
+++ b/remediation-kits/system-configurations/4.61-ensure-nftables-is-not-enabled.sh
@@ -1 +1 @@
-systemctl --now mask nftables
\ No newline at end of file
+rpm -q nftables | grep -Psq "^nftables\-*" && systemctl is-enabled nftables | grep -Psiq "^enabled" && systemctl --now mask nftables
\ No newline at end of file
diff --git a/remediation-kits/system-configurations/4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh b/remediation-kits/system-configurations/4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh
index a536a55..5be62a6 100644
--- a/remediation-kits/system-configurations/4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh
+++ b/remediation-kits/system-configurations/4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh
@@ -1 +1 @@
-systemctl --now mask firewalld
\ No newline at end of file
+rpm -q firewalld | grep -Psq "^firewalld\-" && systemctl is-enabled firewalld | grep -Psiq "^enabled" && systemctl --now mask firewalld
\ No newline at end of file
diff --git a/remediation-kits/system-configurations/4.8-ensure-aide-is-installed.sh b/remediation-kits/system-configurations/4.8-ensure-aide-is-installed.sh
index dae797c..d968bf5 100644
--- a/remediation-kits/system-configurations/4.8-ensure-aide-is-installed.sh
+++ b/remediation-kits/system-configurations/4.8-ensure-aide-is-installed.sh
@@ -1,3 +1,9 @@
-dnf install aide -y
-aide --init
-mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ ! "$(rpm -qa aide)" ]; then
+ dnf install aide -y
+ aide --init
+ mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
+else
+ :
+fi
\ No newline at end of file
-- Gitee
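Review bot: In the 4.8 hunk `aide --init` and the database `mv` now run only inside the install branch, so a host where aide is already installed but `/var/lib/aide/aide.db.gz` was never created is left without a baseline, and a failed `aide --init` still runs the `mv`. I would guard the database separately from the package: `rpm -q aide >/dev/null 2>&1 || dnf install aide -y` followed by `[[ -e /var/lib/aide/aide.db.gz ]] || { aide --init && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz; }`.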
From a5ff32c635e2b82779263170c9ce55e6f00ff3a5 Mon Sep 17 00:00:00 2001 From: Yuqing Yang Date: Tue, 21 Nov 2023 14:46:40 +0800 Subject: [PATCH 2/3] The service restart command was added: remediation-kits/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh remediation-kits/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh remediation-kits/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh remediation-kits/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh remediation-kits/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh remediation-kits/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh remediation-kits/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh remediation-kits/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh remediation-kits/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh remediation-kits/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh remediation-kits/access-and-control/1.41-ensure-ssh-server-use-protocol_2.sh remediation-kits/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh remediation-kits/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh 
Signed-off-by: Yuqing Yang
--- .../1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh | 2 ++ .../1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh | 2 ++ .../1.17-ensure-ssh-root-login-is-disabled.sh | 2 ++ .../1.18-ensure-ssh-permitemptypasswords-is-disabled.sh | 2 ++ .../1.19-ensure-ssh-permituserenvironment-is-disabled.sh | 2 ++ .../1.20-ensure-ssh-idle-timeout-interval-is-configured.sh | 2 ++ ...-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh | 2 ++ .../1.22-ensure-ssh-warning-banner-is-configured.sh | 2 ++ .../access-and-control/1.23-ensure-ssh-pam-is-enabled.sh | 4 +++- .../1.24-ensure-ssh-maxstartups-is-configured.sh | 4 +++- .../1.41-ensure-ssh-server-use-protocol_2.sh | 2 +- .../1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh | 2 ++ .../1.50-ensure-ssh-x11-forwarding-is-disabled.sh | 2 ++ 13 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/remediation-kits/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh b/remediation-kits/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh
index c788cf6..ba8ecdf 100644
--- a/remediation-kits/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh
+++ b/remediation-kits/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh
@@ -1 +1,3 @@
 grep -Eq "^(\s*)MaxAuthTries\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)MaxAuthTries\s+\S+(\s*#.*)?\s*$/\1MaxAuthTries 4\2/" /etc/ssh/sshd_config || echo "MaxAuthTries 4" >> /etc/ssh/sshd_config
+
+systemctl restart sshd.service
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh b/remediation-kits/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh
index e656d0d..619ee2a 100644
--- a/remediation-kits/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh
+++ b/remediation-kits/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh
@@ -1 +1,3 @@
 grep -Eq "^(\s*)HostbasedAuthentication\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)HostbasedAuthentication\s+\S+(\s*#.*)?\s*$/\1HostbasedAuthentication no\2/" /etc/ssh/sshd_config || echo "HostbasedAuthentication no" >> /etc/ssh/sshd_config
+
+systemctl restart sshd.service
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh b/remediation-kits/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh
index 2907dce..d9028ae 100644
--- a/remediation-kits/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh
+++ b/remediation-kits/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh
@@ -1 +1,3 @@
 grep -Eq "^(\s*)PermitRootLogin\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)PermitRootLogin\s+\S+(\s*#.*)?\s*$/\1PermitRootLogin no\2/" /etc/ssh/sshd_config || echo "PermitRootLogin no" >> /etc/ssh/sshd_config
+
+systemctl restart sshd.service
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh b/remediation-kits/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh
index b74e7ab..c6d6962 100644
--- a/remediation-kits/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh
+++ b/remediation-kits/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh
@@ -1 +1,3 @@
 grep -Eq "^(\s*)PermitEmptyPasswords\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)PermitEmptyPasswords\s+\S+(\s*#.*)?\s*$/\1PermitEmptyPasswords no\2/" /etc/ssh/sshd_config || echo "PermitEmptyPasswords no" >> /etc/ssh/sshd_config
+
+systemctl restart sshd.service
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh b/remediation-kits/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh
index 26173ae..3c364d7 100644
--- a/remediation-kits/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh
+++ b/remediation-kits/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh
@@ -1 +1,3 @@
 grep -Eq "^(\s*)PermitUserEnvironment\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)PermitUserEnvironment\s+\S+(\s*#.*)?\s*$/\1PermitUserEnvironment no\2/" /etc/ssh/sshd_config || echo "PermitUserEnvironment no" >> /etc/ssh/sshd_config
+
+systemctl restart sshd.service
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh b/remediation-kits/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh
index ac8940f..7bb74ad 100644
--- a/remediation-kits/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh
+++ b/remediation-kits/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh
@@ -1,2 +1,4 @@
 grep -Eq "^(\s*)ClientAliveInterval\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)ClientAliveInterval\s+\S+(\s*#.*)?\s*$/\1ClientAliveInterval 900\2/" /etc/ssh/sshd_config || echo "ClientAliveInterval 300" >> /etc/ssh/sshd_config
 grep -Eq "^(\s*)ClientAliveCountMax\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)ClientAliveCountMax\s+\S+(\s*#.*)?\s*$/\1ClientAliveCountMax 0\2/" /etc/ssh/sshd_config || echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config
+
+systemctl restart sshd.service
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh b/remediation-kits/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh
index 65003ec..8c4a581 100644
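Review bot: The two fallbacks on the 1.20 hunk's first context line disagree: when a `ClientAliveInterval` line exists the sed rewrites it to `900`, but when none exists the echo appends `ClientAliveInterval 300`, so the value a host ends up with depends on its starting state and a second run on a different host can differ. Pick one value and use it in both places, e.g. `\1ClientAliveInterval 300\2` in the sed. Separately, `ClientAliveCountMax 0` on the second line is worth re-checking against the target's sshd_config(5): on OpenSSH 8.2 and later a count of 0 disables the idle disconnect entirely rather than enforcing it, and recent CIS benchmarks use a small non-zero count such as 3.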
--- a/remediation-kits/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh
+++ b/remediation-kits/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh
@@ -1 +1,3 @@
 grep -Eq "^(\s*)LoginGraceTime\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)LoginGraceTime\s+\S+(\s*#.*)?\s*$/\1LoginGraceTime 60\2/" /etc/ssh/sshd_config || echo "LoginGraceTime 60" >> /etc/ssh/sshd_config
+
+systemctl restart sshd.service
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh b/remediation-kits/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh
index 3b6a476..5f7d398 100644
--- a/remediation-kits/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh
+++ b/remediation-kits/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh
@@ -1 +1,3 @@
 grep -Eq "^(\s*)Banner\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)Banner\s+\S+(\s*#.*)?\s*$/\1Banner \/etc\/issue.net\2/" /etc/ssh/sshd_config || echo "Banner /etc/issue.net" >> /etc/ssh/sshd_config
+
+systemctl restart sshd.service
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh b/remediation-kits/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh
index d7662e4..5d593ab 100644
--- a/remediation-kits/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh
+++ b/remediation-kits/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh
@@ -1 +1,3 @@
-grep -Eiq '^\s*UsePAM\s+yes' /etc/ssh/sshd_config || echo "UsePAM yes" >> /etc/ssh/sshd_config
\ No newline at end of file
+grep -Eiq '^\s*UsePAM\s+yes' /etc/ssh/sshd_config || echo "UsePAM yes" >> /etc/ssh/sshd_config
+
+systemctl restart sshd.service
\ No newline at end of file
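Review bot: The 1.23 hunk's new first line only tests for `UsePAM yes` and otherwise appends one; if the file already carries an explicit `UsePAM no`, the appended line sits after it and sshd keeps the first value it sees for a keyword, so the remediation silently does not take effect while the restart still runs. Use the rewrite-or-append pattern the sibling kits use, so an existing directive is changed in place: `grep -Eq "^(\s*)UsePAM\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)UsePAM\s+\S+(\s*#.*)?\s*$/\1UsePAM yes\2/" /etc/ssh/sshd_config || echo "UsePAM yes" >> /etc/ssh/sshd_config`. The unchecked restart noted on 1.14 applies to 1.21, 1.22 and 1.23 here as well.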
diff --git a/remediation-kits/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh b/remediation-kits/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh
index e5081a0..8b79b93 100644
--- a/remediation-kits/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh
+++ b/remediation-kits/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh
@@ -1 +1,3 @@
-grep -iq "MaxStartups" /etc/ssh/sshd_config && sed -i "/maxstartups/Id" /etc/ssh/sshd_config && echo "maxstartups 10:30:60" >> /etc/ssh/sshd_config || echo "maxstartups 10:30:60" >> /etc/ssh/sshd_config
\ No newline at end of file
+grep -iq "MaxStartups" /etc/ssh/sshd_config && sed -i "/maxstartups/Id" /etc/ssh/sshd_config && echo "maxstartups 10:30:60" >> /etc/ssh/sshd_config || echo "maxstartups 10:30:60" >> /etc/ssh/sshd_config
+
+systemctl restart sshd.service
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.41-ensure-ssh-server-use-protocol_2.sh b/remediation-kits/access-and-control/1.41-ensure-ssh-server-use-protocol_2.sh
index e6123af..5c09b89 100755
--- a/remediation-kits/access-and-control/1.41-ensure-ssh-server-use-protocol_2.sh
+++ b/remediation-kits/access-and-control/1.41-ensure-ssh-server-use-protocol_2.sh
@@ -1,4 +1,4 @@
 #!/bin/bash
 grep -qiP '^Protocol' /etc/ssh/sshd_config && sed -i "/^Protocol/cProtocol 2" /etc/ssh/sshd_config || echo -e "Protocol 2" >> /etc/ssh/sshd_config
-systemctl restart sshd
+systemctl restart sshd.service
diff --git a/remediation-kits/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh b/remediation-kits/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh
index c788cf6..ba8ecdf 100644
--- a/remediation-kits/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh
+++ b/remediation-kits/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh
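Review bot: The 1.24 hunk's new first line uses `a && b && c || d` as if it were if/else, so when the sed or the first echo fails the fallback echo still runs and a second `maxstartups` line is appended. Since the sed already deletes every line matching `maxstartups` (commented ones included), the grep gate adds nothing and the intent is simply `sed -i "/maxstartups/Id" /etc/ssh/sshd_config` followed by `echo "maxstartups 10:30:60" >> /etc/ssh/sshd_config`, which is idempotent and has no ambiguous failure path. The `systemctl restart sshd.service` line carries the unchecked-restart issue noted on 1.14; the same holds for the 1.41 hunk on this line.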
@@ -1 +1,3 @@
 grep -Eq "^(\s*)MaxAuthTries\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)MaxAuthTries\s+\S+(\s*#.*)?\s*$/\1MaxAuthTries 4\2/" /etc/ssh/sshd_config || echo "MaxAuthTries 4" >> /etc/ssh/sshd_config
+
+systemctl restart sshd.service
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh b/remediation-kits/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh
index 3b3b369..669c26b 100644
--- a/remediation-kits/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh
+++ b/remediation-kits/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh
@@ -1 +1,3 @@
 grep -Eq "^(\s*)X11Forwarding\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)X11Forwarding\s+\S+(\s*#.*)?\s*$/\1X11Forwarding no\2/" /etc/ssh/sshd_config || echo "X11Forwarding no" >> /etc/ssh/sshd_config
+
+systemctl restart sshd.service
\ No newline at end of file
-- 
Gitee
From fbd3c67a4e13e2cf38ef789f0c9a60c095d504ca Mon Sep 17 00:00:00 2001
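Review bot: 1.47 is byte-for-byte the same script as 1.14 (both `index` lines carry the blob ids c788cf6..ba8ecdf), including the hard-coded `MaxAuthTries 4`, so the two controls will drift the moment one of them is edited alone. Keep a single implementation and have one kit invoke the other, and add a header comment stating which benchmark item each file name maps to. The unchecked restart noted on 1.14 applies to this hunk and to the 1.50 hunk on the same line.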
From: Yuqing Yang Date: Tue, 21 Nov 2023 14:48:27 +0800 Subject: [PATCH 3/3] bug fix: - remediation-kits/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh Add the installation of iptables-services. - scanners/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh Added the detection of iptables-services. - scanners/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh Update regular expressions to adapt to more situations. - remediation-kits/system-configurations/4.62-ensure-nftables-service-is-enabled.sh Fixed an issue where the service would not start again when masked. - remediation-kits/access-and-control/1.1-ensure-cron-daemon-is-enabled.sh Fixed an issue where the service would not start again when masked. - remediation-kits/logging-and-auditing/2.13-ensure-rsyslog-service-is-enabled.sh Fixed an issue where the service would not start again when masked. - remediation-kits/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh Fixed an issue where the service would not start again when masked. - remediation-kits/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh Fixed an issue where the service would not start again when masked. - remediation-kits/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh Add: augenrules --load - remediation-kits/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh Add: augenrules --load - remediation-kits/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh Add: augenrules --load - remediation-kits/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh Add: augenrules --load - remediation-kits/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh Add: augenrules --load 
Signed-off-by: Yuqing Yang
---
 ...o-collect-file-deletion-events-for-users.sh | 4 +++-
 ...m-management-scope-sudoers-are-collected.sh | 4 +++-
 ...ify-user-group-information-are-collected.sh | 4 +++-
 ...audit-logs-are-not-automatically-deleted.sh | 4 +++-
 .../2.29-ensure-sudo-log-are-collected.sh | 4 +++-
 ...8-ensure-a-firewall-package-is-installed.sh | 2 +-
 .../4.62-ensure-nftables-service-is-enabled.sh | 18 +++++++++++++++++-
 ...e-layout-randomization-(ASLR)-is-enabled.sh | 2 +-
 ...8-ensure-a-firewall-package-is-installed.sh | 2 +-
 9 files changed, 35 insertions(+), 9 deletions(-)
diff --git a/remediation-kits/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh b/remediation-kits/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh
index ef817a2..d6778c2 100644
--- a/remediation-kits/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh
+++ b/remediation-kits/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh
@@ -4,4 +4,6 @@ if [[ `arch` == 'aarch64' ]] && [[ `uname -m` == 'aarch64' ]] ; then
 else
 grep -Pq "\-a\salways\,exit\s\-F\sarch=b(32|64)\s\-S\sunlink.*-k\sdelete" /etc/audit/rules.d/audit.rules || echo -e "\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n" >> /etc/audit/rules.d/audit.rules
 grep -Pq "\-a\salways\,exit\s\-F\sarch=b(32|64)\s\-S\sunlink.*-k\sdelete" /etc/audit/audit.rules || echo -e "\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n" >> /etc/audit/audit.rules
-fi
\ No newline at end of file
+fi
+
+augenrules --load
\ No newline at end of file
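Review bot: `augenrules --load` rebuilds /etc/audit/audit.rules from /etc/audit/rules.d/*.rules before loading, so the second context line's grep/echo against /etc/audit/audit.rules is overwritten by the very next command and can be dropped (the rules.d write is the one that persists). The exit status of `augenrules --load` is also ignored: when the audit configuration is locked (`-e 2`) or a rule is rejected, the file is changed but nothing is active until reboot, and the kit still exits 0 — `augenrules --load || exit 1` would surface that. The same pair of issues applies to the 2.22 hunk. The enclosing if/else starts outside the hunk.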
diff --git a/remediation-kits/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh b/remediation-kits/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh
index d106118..ffc7842 100644
--- a/remediation-kits/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh
+++ b/remediation-kits/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh
@@ -1,4 +1,6 @@
 grep -q "\-w /etc/sudoers -p wa -k scope
 -w /etc/sudoers.d/ -p wa -k scope" /etc/audit/rules.d/audit.rules || echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope" >> /etc/audit/rules.d/audit.rules
 grep -q "\-w /etc/sudoers -p wa -k scope
--w /etc/sudoers.d/ -p wa -k scope" /etc/audit/audit.rules || echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope" >> /etc/audit/audit.rules
+-w /etc/sudoers.d/ -p wa -k scope" /etc/audit/audit.rules || echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope" >> /etc/audit/audit.rules
+
+augenrules --load
\ No newline at end of file
diff --git a/remediation-kits/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh b/remediation-kits/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh
index fcf6eb1..7d679dd 100644
--- a/remediation-kits/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh
+++ b/remediation-kits/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh
@@ -7,4 +7,6 @@ grep -q "\-w /etc/group -p wa -k identity
 -w /etc/passwd -p wa -k identity
 -w /etc/gshadow -p wa -k identity
 -w /etc/shadow -p wa -k identity
--w /etc/security/opasswd -p wa -k identity" /etc/audit/rules.d/*.rules || echo -e "\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n" >> /etc/audit/audit.rules
\ No newline at end of file
+-w /etc/security/opasswd -p wa -k identity" /etc/audit/rules.d/*.rules || echo -e "\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n" >> /etc/audit/audit.rules
+
+augenrules --load
\ No newline at end of file
diff --git a/remediation-kits/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh b/remediation-kits/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh
index f97599e..08d7b60 100644
--- a/remediation-kits/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh
+++ b/remediation-kits/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh
@@ -1,3 +1,5 @@
 #!/bin/bash
-grep -Psq "^max_log_file_action\s*=.*" /etc/audit/auditd.conf && sed -i 's/^max_log_file_action.*/max_log_file_action = keep_logs/' /etc/audit/auditd.conf || echo "max_log_file_action = keep_logs" >> /etc/audit/auditd.conf
\ No newline at end of file
+grep -Psq "^max_log_file_action\s*=.*" /etc/audit/auditd.conf && sed -i 's/^max_log_file_action.*/max_log_file_action = keep_logs/' /etc/audit/auditd.conf || echo "max_log_file_action = keep_logs" >> /etc/audit/auditd.conf
+
+augenrules --load
\ No newline at end of file
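Review bot: In the 2.23 hunk the check greps `/etc/audit/rules.d/*.rules` but the fallback on the new first line appends to `/etc/audit/audit.rules`, and the added `augenrules --load` regenerates that file from rules.d, so the five identity watches are discarded in the same run, the grep never matches afterwards, and every execution re-appends them without the control ever being persistently met. Change the write target to `/etc/audit/rules.d/audit.rules` (or a dedicated rules.d file, e.g. a constructed name like `identity.rules`) so augenrules picks the rules up. Note also that the literal newlines inside the quoted grep pattern make grep treat it as five alternative patterns, so the check passes when only one watch is present; one `grep -q` per `-w` path is more reliable, and the same weakness is in the 2.22 check. The multi-line grep starts outside the hunk, on the @@ context line.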
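Review bot: In the 2.25 hunk, `augenrules --load` merges and loads audit rules; it does not make auditd re-read /etc/audit/auditd.conf, so the `max_log_file_action = keep_logs` written on the line above is not applied to the running daemon by this change. Have auditd reload its configuration instead (on distributions whose unit refuses `systemctl restart auditd`, `service auditd restart` is the supported path) and check the result rather than exiting 0 regardless. This is inferred from augenrules' documented purpose; verify on the target release.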
diff --git a/remediation-kits/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh b/remediation-kits/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh
index 4785a8f..eb27c28 100644
--- a/remediation-kits/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh
+++ b/remediation-kits/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh
@@ -1 +1,3 @@
-grep -Psq "^Defaults\slogfile\=.*\.log$" /etc/sudoers || echo "Defaults logfile=/var/log/sudo.log" >> /etc/sudoers
\ No newline at end of file
+grep -Psq "^Defaults\slogfile\=.*\.log$" /etc/sudoers || echo "Defaults logfile=/var/log/sudo.log" >> /etc/sudoers
+
+auditctl -s | grep "enabled"
\ No newline at end of file
diff --git a/remediation-kits/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh b/remediation-kits/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh
index d8556ac..375556c 100644
--- a/remediation-kits/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh
+++ b/remediation-kits/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh
@@ -1 +1 @@
-dnf install firewalld nftables iptables -y
\ No newline at end of file
+dnf install firewalld nftables iptables iptables-services -y
\ No newline at end of file
diff --git a/remediation-kits/system-configurations/4.62-ensure-nftables-service-is-enabled.sh b/remediation-kits/system-configurations/4.62-ensure-nftables-service-is-enabled.sh
index ac348d0..326e27c 100644
--- a/remediation-kits/system-configurations/4.62-ensure-nftables-service-is-enabled.sh
+++ b/remediation-kits/system-configurations/4.62-ensure-nftables-service-is-enabled.sh
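Review bot: The added `auditctl -s | grep "enabled"` in the 2.29 hunk only prints audit status: it changes nothing, it is not the `augenrules --load` the commit message lists for this file, and grep's exit status becomes the kit's, so the script now reports pass or fail on something unrelated to the sudo log setting — drop it. The line above appends to /etc/sudoers with a plain `echo` and never validates the result; a syntax error in that file disables sudo for every user, so at minimum follow the write with `visudo -cf /etc/sudoers || exit 1`, or write the directive to a separate file that is checked with `visudo -cf` before being installed under /etc/sudoers.d with mode 0440.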
@@ -1 +1,17 @@
-systemctl --now enable nftables
\ No newline at end of file
+export LANG="en_US.UTF-8"
+
+if [ "$(rpm -qa nftables)" ]; then
+ result=$(systemctl is-enabled nftables)
+ if [[ $result == "enabled" ]] ; then
+ :
+ elif [[ $result == "masked" ]] ; then
+ systemctl --now unmask nftables
+ systemctl --now enable nftables
+ elif [[ $result == "disabled" ]] ; then
+ systemctl --now enable nftables
+ else
+ :
+ fi
+else
+ :
+fi
\ No newline at end of file
diff --git a/scanners/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh b/scanners/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh
index ce6ffb4..0863d34 100644
--- a/scanners/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh
+++ b/scanners/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh
@@ -1,6 +1,6 @@
 result=false
-sysctl kernel.randomize_va_space|grep -Psq "^kernel\.randomize\_va\_space\s+=\s+2$" && grep -Psq "^kernel\.randomize_va_space\s+=\s+2" /run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf && result=true
+sysctl kernel.randomize_va_space|grep -Psq "^kernel\.randomize\_va\_space\s+=\s+2$" && grep -Psq "^kernel\.randomize_va_space\s*=\s*2" /run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf && result=true
 if [ "$result" = true ] ; then
 echo "pass"
diff --git a/scanners/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh b/scanners/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh
index a222e41..3754a3c 100644
--- a/scanners/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh
+++ b/scanners/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh
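Review bot: In the 4.62 hunk the `enabled` branch is `:`, so an nftables unit that is enabled but not running is no longer started — the replaced `systemctl --now enable nftables` did start it — and `is-enabled` states other than the three tested (`enabled-runtime`, `indirect`, `static`, `not-found`) fall into the silent `else :`, so the kit can exit 0 with the service still down. `--now` is documented for enable, disable and mask; with unmask, recent systemctl versions reject the invocation, which would leave the unit masked and the following enable failing (verify on the target systemd). None of the rpm or systemctl exit statuses are checked. A shorter form that unmasks only when needed and always enables-and-starts covers every state and reports failure:
```shell
export LANG="en_US.UTF-8"

# nothing to do when the package is absent (rpm -q exits non-zero)
if rpm -q nftables >/dev/null 2>&1; then
  state=$(systemctl is-enabled nftables 2>/dev/null)
  # a masked unit cannot be enabled or started until it is unmasked
  [[ $state == "masked" ]] && systemctl unmask nftables
  # --now also starts the unit, so enabled-but-inactive is handled too
  systemctl --now enable nftables || exit 1
fi
```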
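Review bot: In the 4.14 scanner hunk the new file-side pattern `^kernel\.randomize_va_space\s*=\s*2` has no end anchor, so `= 20` or `= 2x` in any sysctl file also counts as a pass; `^kernel\.randomize_va_space\s*=\s*2\s*$` keeps the relaxed whitespace and closes that gap. A match in any one of the listed files is accepted regardless of a later-loaded file that sets a different value, though the runtime `sysctl` check on the same line limits the practical impact. The `if` on the last context line continues outside the hunk.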
@@ -1,6 +1,6 @@
 result=""
-rpm -qa | grep -Psq "^iptables\-.*" && result=true
+rpm -qa | grep -Psq "^iptables\-.*" && rpm -qa | grep -Psq "^iptables\-services.*" && result=true
 [ -z "$result" ] && rpm -q nftables | grep -Psq "^nftables\-.*" && result=true
 [ -z "$result" ] && rpm -q firewalld | grep -Psq "^firewalld\-.*" && result=true
-- 
Gitee