diff --git a/benchmarks/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.md b/benchmarks/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.md index ab89b9f44ec733d578e5520f68766b9037de6fda..fd558bb0f340e70d2ab1b4f87c4d485828973b59 100644 --- a/benchmarks/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.md +++ b/benchmarks/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.md @@ -42,9 +42,11 @@ LogLevel INFO 1. 执行以下命令,验证`SSH`的`LogLevel`配置是否正确: ```bash -# sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep loglevel -loglevel VERBOSE or loglevel INFO -# grep -i 'loglevel' /etc/ssh/sshd_config | grep -Evi '(VERBOSE|INFO)' +# sshd -T | grep -P "^loglevel\b" +loglevel VERBOSE +or +loglevel INFO +# grep -Pi '^\s*loglevel\b' /etc/ssh/sshd_config | grep -Pvi '(\bVERBOSE\b|\bINFO\b)' Nothing should be returned ``` diff --git a/benchmarks/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.md b/benchmarks/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.md index 4a90dae26d43d838418aee06bd6ca82edf520b15..37ca6ccfce949cf12c54cef582412633d550134a 100644 --- a/benchmarks/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.md +++ b/benchmarks/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.md @@ -31,9 +31,9 @@ IgnoreRhosts yes 1. 执行以下命令,验证`SSH`的`IgnoreRhosts`配置是否正确: ```bash -# sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep ignorerhosts +# sshd -T | grep -Pi "^ignorerhosts\b" ignorerhosts yes -# grep -Ei '^\s*ignorerhosts\s+no\b' /etc/ssh/sshd_config +# grep -Pi '^\s*ignorerhosts' /etc/ssh/sshd_config | grep -Pvi '\byes\b' Nothing is returned ``` 
diff --git a/benchmarks/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.md b/benchmarks/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.md index 7072746ba17d8051f71fa4be854301af31696306..77318b48d6b63679408fb82df8a4f6a601c5a7c8 100644 --- a/benchmarks/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.md +++ b/benchmarks/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.md @@ -29,9 +29,9 @@ HostbasedAuthentication no 1. 执行以下命令,验证`SSH`的`HostbasedAuthentication`配置是否正确: ```bash -# sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep hostbasedauthentication +# sshd -T | grep -Pi "^hostbasedauthentication\b" hostbasedauthentication no -# grep -Ei '^\s*HostbasedAuthentication\s+yes' /etc/ssh/sshd_config +# grep -Pi '^\s*hostbasedauthentication\b' /etc/ssh/sshd_config | grep -Pvi '\bno\b' Nothing is returned ``` diff --git a/benchmarks/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.md b/benchmarks/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.md index 19a92282aabbcd44d7f2a7c7e8219d6e63470353..95a11f63c1ac926b6c544eb4b2b4d8632d7a86d2 100644 --- a/benchmarks/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.md +++ b/benchmarks/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.md 
@@ -29,13 +29,12 @@ PermitEmptyPasswords no 1. 执行以下命令,验证`SSH`的`PermitEmptyPasswords`配置是否正确: ```bash -# sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep permitemptypasswords +# sshd -T | grep -Pi "^permitemptypasswords\b" permitemptypasswords no -# grep -Ei '^\s*PermitEmptyPasswords\s+yes' /etc/ssh/sshd_config +# grep -Pi '^\s*PermitEmptyPasswords\b' /etc/ssh/sshd_config | grep -Pvi '\bno\b' Nothing is returned ``` -如果第一条命令执行后返回`no`,且第二条命令执行后,没有返回任何结果,则视为通过此项检查。 +如果第一条命令执行后返回`permitemptypasswords no`,且第二条命令执行后,没有返回任何结果,则视为通过此项检查。 ## 参考 - diff --git a/benchmarks/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.md b/benchmarks/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.md index e8f16d503ba92523d455dd0bfa89be8d4e53588b..d5151908569b76fe05d16bfc8bb1977618afc3e0 100644 --- a/benchmarks/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.md +++ b/benchmarks/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.md @@ -28,13 +28,13 @@ PermitUserEnvironment no 1. 执行以下命令,验证`SSH`的`PermitUserEnvironment`配置是否正确: ```bash -# sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep permituserenvironment +# sshd -T | grep -Pi "^permituserenvironment\b" permituserenvironment no -# grep -Ei '^\s*PermitUserEnvironment\s+yes' /etc/ssh/sshd_config +# grep -Pi '^\s*PermitUserEnvironment\b' /etc/ssh/sshd_config | grep -Pvi '\bno\b' Nothing is returned ``` -如果第一条命令执行后返回`no`,且第二条命令执行后,没有返回任何结果,则视为通过此项检查。 +如果第一条命令执行后返回`permituserenvironment no`,且第二条命令执行后,没有返回任何结果,则视为通过此项检查。 ## 参考 diff --git a/benchmarks/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.md b/benchmarks/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.md index ee0e30292904f1b334d86af5174714bd5f5f0886..0dbb2785f283fe86fca0a4ac7f426373b78824ec 100644 
--- a/benchmarks/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.md +++ b/benchmarks/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.md @@ -16,7 +16,7 @@ SSH 配置文件:`/etc/ssh/sshd_config`中的`MaxStartups`参数指定了 SSH * 10:等待认证阶段的最大并发连接数。若超过此数量,后面的认证请求连接将被拒绝。即:最多有10个人可以同时向 sshd 发起登录请求。 * 30:该参数是一个概率值(百分比的形式)。若设置了该参数,超过了上限(10)的连接,将会被随机拒绝,拒绝的比率是30%。即:超过了10个连接以后,后续的认证请求连接中,每3个中会有一个被随机拒绝。 -* 60:随着并发连接数的增加,这个拒绝连接的概率(30)也会逐步线性增加,当并发连接数达到最大值(60)后,后续的连接都将会被直接拒绝。 +* 60:随着并发连接数的增加,这个拒绝连接的概率(30)也会逐步线性增加,当并发连接数达到最大值(60)后,后续的连接都将会被直接拒绝。 **参数3需大于参数1,否则应用配置时将报错:Illegal MaxStartups spec.** 已通过认证、认证失败、或连接超时等,都会减少等待认证的并发连接数。 @@ -39,13 +39,13 @@ maxstartups 10:30:60 1. 执行以下命令,验证`SSH`的`MaxStartups`参数配置是否正确: ```bash -# sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -i maxstartups +# sshd -T | grep -Pi "^maxstartups\b" maxstartups 10:30:60 -# grep -Ei '^\s*maxstartups\s+(((1[1-9]|[1-9][0-9][0-9]+):([0-9]+):([0-9]+))|(([0-9]+):(3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):([0-9]+))|(([0-9]+):([0-9]+):(6[1-9]|[7-9][0-9]|[1-9][0-9][0-9]+)))' /etc/ssh/sshd_config -Nothing is returned +# grep -Pi '^\s*maxstartups\b' /etc/ssh/sshd_config +MaxStartups 10:30:60 ``` -如果第一条命令执行后返回`10:30:60`或更加严格的规则,且第二条命令执行后,没有返回任何结果,则视为通过此项检查。 +如执行后返回`10:30:60`或更加严格的规则,则视为通过此项检查。 ## 参考 diff --git a/benchmarks/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.md b/benchmarks/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.md index 3e910c5499a73673ed886f46fcc3586f95895cb1..1da8b897a2faeaa6fb3363913ec1eac255180852 100644 --- a/benchmarks/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.md +++ b/benchmarks/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.md 
@@ -33,7 +33,7 @@ 1. 执行以下命令,验证`SSH`的`CRYPTO_POLICY`配置是否正确: ```bash -# grep -i '^\s*CRYPTO_POLICY=' /etc/sysconfig/sshd +# grep -iP '^\s*CRYPTO_POLICY\b\s*\=' /etc/sysconfig/sshd Nothing is returned ``` diff --git a/benchmarks/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.md b/benchmarks/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.md index cd22cbdbfd2cfcb9f5ca0e11cb27b64ec7587946..6d8a9dd51460d0efd726e6a99dc09502fb157c7b 100644 --- a/benchmarks/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.md +++ b/benchmarks/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.md @@ -58,7 +58,7 @@ authselect enable-feature with-faillock /etc/pam.d/system-auth:auth required pam_faillock.so authfail deny=5 unlock_time=900 ``` -输出结果中应符合:`deny<=5`、`unlock_time<=900`。 +输出结果中应符合:`deny<=5`、`unlock_time>=900`。 ## 参考 diff --git a/benchmarks/access-and-control/1.41-ensure-ssh-server-use-protocol_2.md b/benchmarks/access-and-control/1.41-ensure-ssh-server-use-protocol_2.md index 197c6d39fed53dfdedbd8785f020325941712f1e..27bc9854bd815e00bb5e8931f475be687dfcf4b9 100644 --- a/benchmarks/access-and-control/1.41-ensure-ssh-server-use-protocol_2.md +++ b/benchmarks/access-and-control/1.41-ensure-ssh-server-use-protocol_2.md @@ -15,7 +15,7 @@ ssh配置中确保 protocol 2 ,存在该选项则修改为2,没有则添加 1.执行以下命令,修改或添加ssh配置文件中的Protocol配置: ```bash -# grep -qiP '^Protocol' /etc/ssh/sshd_config && sed -i "/^Protocol/cProtocol 2" /etc/ssh/sshd_config || echo -e "Protocol 2" >> /etc/ssh/sshd_config +# grep -qiP '^\s*Protocol\b' /etc/ssh/sshd_config && sed -i "/^\s*Protocol\b/cProtocol 2" /etc/ssh/sshd_config || echo -e "Protocol 2" >> /etc/ssh/sshd_config ``` 2.执行以下命令,重启sshd服务: @@ -29,7 +29,7 @@ ssh配置中确保 protocol 2 ,存在该选项则修改为2,没有则添加 查看ssh配置文件Protocol行内容 ```bash -# grep -R "^Protocol" /etc/ssh/sshd_config +# grep -Pi "^\s*Protocol\b" /etc/ssh/sshd_config Protocol 2 ``` 
diff --git a/benchmarks/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.md b/benchmarks/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.md index d34a4c591dfd0bedd29ffb5b9736f4eea5585049..0a6d1cb5480b53a57fb293e153de570ca596be0b 100644 --- a/benchmarks/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.md +++ b/benchmarks/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.md @@ -24,6 +24,8 @@ X11Forwarding no ``` +- `/etc/ssh/sshd_config`配置文件的`X11Forwarding`参数在未配置或注释的状态下,默认为`X11Forwarding no` + ## 扫描检测 确保`SSH`的`X11Forwarding`配置正确。 @@ -31,9 +33,9 @@ X11Forwarding no 1. 执行以下命令,验证`SSH`的`X11Forwarding`配置是否正确: ```bash -# sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -i x11forwarding +# sshd -T | grep -Pi "^\s*x11forwarding\b" x11forwarding no -# grep -Ei '^\s*x11forwarding\s+yes' /etc/ssh/sshd_config +# grep -Pi '^\s*x11forwarding\b' /etc/ssh/sshd_config | grep -Pvi '\bno\b' Nothing is returned ``` diff --git a/benchmarks/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.md b/benchmarks/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.md index 92fffe341c147640cf60a65411afcfeeedc8db53..031cddbdd504a6dd05668d97d56b27c4f8fad4da 100644 --- a/benchmarks/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.md +++ b/benchmarks/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.md 
@@ -14,11 +14,17 @@ rsyslog 服务会生成新的日志文件,以下配置的作用在于控制这 目标:正确配置 rsyslog 默认文件权限。 -1. 编辑`/etc/rsyslog.conf`和`/etc/rsyslog.d/*.conf`文件,将`$FileCreateMode`的值设置为`0640`或更低: +1. 检查`/etc/rsyslog.conf`或`/etc/rsyslog.d/*.conf`(如有配置)文件中的`$FileCreateMode`参数值,将其设置为`0640`或更低。 ```bash -# echo "\$FileCreateMode 0640" >> /etc/rsyslog.conf -# echo "\$FileCreateMode 0640" >> /etc/rsyslog.d/listen.conf +# grep -Ps "^\s*\\\$FileCreateMode" /etc/rsyslog.conf /etc/rsyslog.d/*.conf +/etc/rsyslog.conf: $FileCreateMode 0640 +``` + +2. 如未配置,则在`/etc/rsyslog.conf`中添加`$FileCreateMode`参数: + +```bash +echo "\$FileCreateMode 0640" >> /etc/rsyslog.conf ``` ## 扫描检测 diff --git a/benchmarks/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.md b/benchmarks/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.md index a60dc250e4c870d7ecc864230dc0677c03690625..ce0deb91ffa62593f60199528898b3e8c599cd2a 100644 --- a/benchmarks/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.md +++ b/benchmarks/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.md 
@@ -34,12 +34,17 @@ aarch64 - X86架构: ```bash -# echo -e "\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n" >> /etc/audit/rules.d/audit.rules +# echo -e "\n-a always,exit -F arch=b32 -S unlink,rename,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete\n-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete\n" >> /etc/audit/rules.d/audit.rules ``` - ARM架构: ```bash -# echo -e "\n-a always,exit -F arch=b64 -S unlinkat -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n" >> /etc/audit/rules.d/audit.rules +# echo -e "\n-a always,exit -F arch=b32 -S unlink,rename,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete\n-a always,exit -F arch=b64 -S unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete\n" >> /etc/audit/rules.d/audit.rules +``` + +执行以下命令,加载审计规则 +```bash +# augenrules --load ``` ## 扫描检测 
@@ -50,38 +55,38 @@ aarch64 - X86架构: ```bash -# grep -P "\-a\salways\,exit\s\-F\sarch=b(32|64)\s\-S\sunlink\s\-S\sunlinkat\s\-S\srename\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/rules.d/*.rules /etc/audit/*.rules +# grep -P "^(?=^\s*-a\s+always,exit)(?=.*-F\s+arch=)(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat)(?=.*-F\s+auid>=1000)(?=.*-F\s+auid!=-1)" /etc/audit/rules.d/*.rules /etc/audit/*.rules -/etc/audit/rules.d/audit.rules:-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete -/etc/audit/rules.d/audit.rules:-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete -/etc/audit/audit.rules:-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete -/etc/audit/audit.rules:-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +/etc/audit/rules.d/audit.rules:-a always,exit -F arch=b32 -S unlink,rename,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete +/etc/audit/rules.d/audit.rules:-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete +/etc/audit/audit.rules:-a always,exit -F arch=b32 -S unlink,rename,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete +/etc/audit/audit.rules:-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete ``` - ARM架构: ```bash -# grep -P "\-a\salways\,exit\s\-F\sarch=b(32|64)\s\-S\sunlink.*-k\sdelete" /etc/audit/rules.d/*.rules /etc/audit/*.rules +# grep -P "^(?=^\s*-a\s+always,exit)(?=.*-F\s+arch=)(?=.*unlinkat)(?=.*renameat)(?=.*-F\s+auid>=1000)(?=.*-F\s+auid!=-1)" /etc/audit/rules.d/*.rules /etc/audit/*.rules -/etc/audit/rules.d/audit.rules:-a always,exit -F arch=b64 -S unlinkat -S renameat -F auid>=1000 -F auid!=4294967295 -k delete 
-/etc/audit/rules.d/audit.rules:-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete -/etc/audit/audit.rules:-a always,exit -F arch=b64 -S unlinkat -S renameat -F auid>=1000 -F auid!=4294967295 -k delete -/etc/audit/audit.rules:-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +/etc/audit/rules.d/audit.rules:-a always,exit -F arch=b32 -S unlink,rename,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete +/etc/audit/rules.d/audit.rules:-a always,exit -F arch=b64 -S unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete +/etc/audit/audit.rules:-a always,exit -F arch=b32 -S unlink,rename,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete +/etc/audit/audit.rules:-a always,exit -F arch=b64 -S unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete ``` 2. 执行以下命令,检查文件删除审计收集是否正确加载: - X86架构: ```bash -# auditctl -l | grep -P "^\-a\s+always,exit\s+\-F\s+arch=b64\s+\-S\s+rename,unlink,unlinkat,renameat\s+\-F\s+auid>=1000\s+\-F\s+auid!=-1\s+\-F\s+key=delete" && auditctl -l | grep -P "^\-a\s+always,exit\s+\-F\s+arch=b32\s+\-S\s+unlink,rename,unlinkat,renameat\s+\-F\s+auid>=1000\s+\-F\s+auid!=-1\s+\-F\s+key=delete" --a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete +# auditctl -l | grep -P "^(?=^\s*-a\s+always,exit)(?=.*-F\s+arch=)(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat)(?=.*-F\s+auid>=1000)" -a always,exit -F arch=b32 -S unlink,rename,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete +-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete ``` - ARM架构: ```bash -# auditctl -l | grep -P "^\-a\s+always,exit\s+\-F\s+arch=b64\s+\-S\s+unlinkat,renameat\s+-F\s+auid>=1000\s+-F\s+auid!=-1\s+-F\s+key=delete" && auditctl -l | grep -P 
"^\-a\s+always,exit\s+\-F\s+arch=b32\s+\-S\s+unlink,rename,unlinkat,renameat\s+\-F\s+auid>=1000\s+\-F\s+auid!=-1\s+\-F\s+key=delete" --a always,exit -F arch=b64 -S unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete +# auditctl -l | grep -P "^(?=^\s*-a\s+always,exit)(?=.*-F\s+arch=)(?=.*unlinkat)(?=.*renameat)(?=.*-F\s+auid>=1000)" -a always,exit -F arch=b32 -S unlink,rename,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete +-a always,exit -F arch=b64 -S unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete ``` 如输出结果符合预期,则视为通过此项检查。 diff --git a/benchmarks/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.md b/benchmarks/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.md index a2dde145924a24ee39977dfe8354f96931c161ca..bb6bb070d53b0a5594646a4ac190e526372ce527 100644 --- a/benchmarks/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.md +++ b/benchmarks/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.md @@ -18,6 +18,11 @@ # echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope" >> /etc/audit/rules.d/audit.rules ``` +执行以下命令,加载审计规则 +```bash +# augenrules --load +``` + ## 扫描检测 确保收集对系统管理范围(sudoers)的更改。 diff --git a/benchmarks/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.md b/benchmarks/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.md index f8288562b0881b66c041903a5205f8119e4e94ea..0406a482fa13811e40bf443a47e5d83432b8f652 100644 --- a/benchmarks/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.md +++ b/benchmarks/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.md 
@@ -18,6 +18,11 @@ # echo -e "-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n" >> /etc/audit/rules.d/audit.rules ``` +执行以下命令,加载审计规则 +```bash +# augenrules --load +``` + ## 扫描检测 确保收集修改用户/组信息的事件。 diff --git a/benchmarks/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.md b/benchmarks/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.md index 767267ed5cfcb9deace6f3f0de49f357ab1b97d7..377f5c48e1a0ea76d57afe825638512803efaa73 100644 --- a/benchmarks/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.md +++ b/benchmarks/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.md @@ -15,7 +15,7 @@ 1. 运行以下命令,在`/etc/audit/rules.d/stig.rules`文件中添加或更新审计规则: ```bash -# grep -qs "\-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd" /etc/audit/rules.d/stig.rules || echo -e "-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd" >> /etc/audit/rules.d/stig.rules +# grep -Ps "^\s*-a always,exit \-F path=/usr/bin/chsh \-F perm=x$" /etc/audit/rules.d/*.rules || echo -e "-a always,exit -S all -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F key=priv_cmd" >> /etc/audit/rules.d/stig.rules ``` 2. 执行以下命令,加载审计规则: 
@@ -30,8 +30,8 @@ ```bash # grep chsh /etc/audit/rules.d/*.rules /etc/audit/*.rules -/etc/audit/rules.d/stig.rules:-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd -/etc/audit/audit.rules:-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd +/etc/audit/rules.d/stig.rules:-a always,exit -S all -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=-1 -F key=priv_cmd +/etc/audit/audit.rules:-a always,exit -S all -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=-1 -F key=priv_cmd ``` 2. 执行以下命令,检测chsh命令的审计规则是否已正确加载: diff --git a/benchmarks/logging-and-auditing/2.27-ensure-that-the-firewall-logging-function-is-enabled.md b/benchmarks/logging-and-auditing/2.27-ensure-that-the-firewall-logging-function-is-enabled.md index c0dbbf438a8ffe2f700fc408a3ce3755e23c6462..4226e879b6a06922e4e536562475a36c6aa00eaf 100644 --- a/benchmarks/logging-and-auditing/2.27-ensure-that-the-firewall-logging-function-is-enabled.md +++ b/benchmarks/logging-and-auditing/2.27-ensure-that-the-firewall-logging-function-is-enabled.md @@ -14,6 +14,12 @@ 目标:开启防火墙日志记录功能 +**防火墙日志记录功能需开启firewalld服务,请在进行修复前检查firewalld服务是否正常运行。** +**如firewalld未启用,以下配置将无法生效。** +**可参考:** +**[4.58 确保已安装防火墙软件包](https://gitee.com/anolis/security-benchmark/blob/master/benchmarks/system-configurations/4.58-ensure-a-firewall-package-is-installed.md)** +**[4.59 确保防火墙服务已启用且运行状态正常](https://gitee.com/anolis/security-benchmark/blob/master/benchmarks/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.md)** + 1. 修改`firewalld`配置文件,添加或修改`LogDenied`参数,以开启防火墙日志功能。 ```bash @@ -32,10 +38,13 @@ systemctl restart firewalld.service 1. 使用以下命令,检查防火墙日志是否正确启用: ```bash -# firewall-cmd --get-log-denied +# firewall-cmd --get-log-denied 2>&1 | awk '{ if ($0 == "all") print; else print "fail"; }' all + +# grep -P "^\s*LogDenied=\s*" /etc/firewalld/firewalld.conf +LogDenied=all ``` -如执行结果为`all`则视为通过此项检查。 +如输出结果符合预期,则视为通过此项检查。 ## 参考 
diff --git a/benchmarks/logging-and-auditing/2.29-ensure-sudo-log-are-collected.md b/benchmarks/logging-and-auditing/2.29-ensure-sudo-log-are-collected.md index 15054a8bf41d1303b4828097f1715712360713b9..397bf5511b906a9f7ddae925a3c05c59da489539 100644 --- a/benchmarks/logging-and-auditing/2.29-ensure-sudo-log-are-collected.md +++ b/benchmarks/logging-and-auditing/2.29-ensure-sudo-log-are-collected.md @@ -25,7 +25,7 @@ Defaults logfile=/var/log/sudo.log 1. 执行以下命令,检查审计规则是否正确写入配置文件: ```bash -# grep -Ps "^Defaults\slogfile\=.*\.log$" /etc/sudoers +# grep -P "^\s*Defaults\s+logfile\s*=\s*" /etc/sudoers Defaults logfile=/var/log/sudo.log ``` diff --git a/benchmarks/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.md b/benchmarks/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.md index 4d8a62eb96085c5526225a158dbc44e0b11856d0..0a17bd208950011c8796e4d7950dbde952cf55c8 100644 --- a/benchmarks/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.md +++ b/benchmarks/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.md 
@@ -31,16 +31,7 @@ 1. 执行以下命令,添加审计规则: ```bash -UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) -[ -n "${UID_MIN}" ] && printf " --a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod --a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod --a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod -" >> /etc/audit/rules.d/50-perm_mod.rules \ -|| printf "ERROR: Variable 'UID_MIN' is unset.\n" +# echo -e "-a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F key=perm_mod\n-a always,exit -F arch=b32 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F key=perm_mod" >> /etc/audit/rules.d/50-perm_mod.rules ``` 2. 执行以下命令,加载审计规则: 
@@ -54,57 +45,29 @@ UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) 1. 执行以下命令,检查审计规则是否正确写入配置文件: ```bash -UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) -[ -n "${UID_MIN}" ] && awk "/^ *-a *always,exit/ \ -&&/ -F *arch=b[2346]{2}/ \ -&&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) \ -&&/ -S/ \ -&&/ -F *auid>=${UID_MIN}/ \ -&&(/chmod/||/fchmod/||/fchmodat/ \ - ||/chown/||/fchown/||/fchownat/||/lchown/ \ - ||/setxattr/||/lsetxattr/||/fsetxattr/ \ - ||/removexattr/||/lremovexattr/||/fremovexattr/) \ -&&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules /etc/audit/*.rules \ -|| printf "ERROR: Variable 'UID_MIN' is unset.\n" +# grep -P "^(?=^\s*-a\s+always,exit)(?=.*-F\s+arch=)(?=.*chmod)(?=.*fchmod)(?=.*chown)(?=.*fchown)(?=.*lchown)(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr)(?=.*fchownat)(?=.*fchmodat)" /etc/audit/rules.d/*.rules /etc/audit/*.rules ``` - 预期输出结果 ``` --a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod +/etc/audit/rules.d/50-perm_mod.rules:-a always,exit -F arch=b32 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod +/etc/audit/rules.d/50-perm_mod.rules:-a always,exit -F arch=b64 -S 
chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod +/etc/audit/audit.rules:-a always,exit -F arch=b32 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod +/etc/audit/audit.rules:-a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod ``` 2. 执行以下命令,审计规则是否正确加载: ```bash -UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) -[ -n "${UID_MIN}" ] && auditctl -l | awk "/^ *-a *always,exit/ \ -&&/ -F *arch=b[2346]{2}/ \ -&&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) \ -&&/ -S/ \ -&&/ -F *auid>=${UID_MIN}/ \ -&&(/chmod/||/fchmod/||/fchmodat/ \ - ||/chown/||/fchown/||/fchownat/||/lchown/ \ - ||/setxattr/||/lsetxattr/||/fsetxattr/ \ - ||/removexattr/||/lremovexattr/||/fremovexattr/) \ -&&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" \ -|| printf "ERROR: Variable 'UID_MIN' is unset.\n" +# auditctl -l | grep -P "^(?=^\s*-a\s+always,exit)(?=.*-F\s+arch=)(?=.*chmod)(?=.*fchmod)(?=.*chown)(?=.*fchown)(?=.*lchown)(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr)(?=.*fchownat)(?=.*fchmodat)" ``` - 预期输出结果 ``` --a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod --a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod --a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod --a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=-1 -F key=perm_mod --a always,exit -F arch=b32 -S 
setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=-1 -F key=perm_mod +-a always,exit -F arch=b32 -S chmod,lchown,fchmod,fchown,chown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod +-a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod ``` 如输出结果均符合预期,则视为通过此项检查。 diff --git a/benchmarks/services/3.26-disable-usb-storage.md b/benchmarks/services/3.26-disable-usb-storage.md index 5375fdd0d226a3c2760e2fb883144c813df68bba..239d821d166afce61f5210e5e32167e923e6b21f 100644 --- a/benchmarks/services/3.26-disable-usb-storage.md +++ b/benchmarks/services/3.26-disable-usb-storage.md @@ -45,7 +45,7 @@ install usb-storage /bin/true ```bash # modprobe -n -v usb-storage install /bin/true -# lsmod | grep usb-storage +# lsmod | grep -P "^usb(_|-)storage\b" ``` diff --git a/benchmarks/system-configurations/4.66-ensure-system-histsize-as-100-or-other.md b/benchmarks/system-configurations/4.66-ensure-system-histsize-as-100-or-other.md index 2ec80ce23f2043609af24abdccc513982f586d9b..920010b7467a9eff3a48aee16c4497a05a093bac 100644 --- a/benchmarks/system-configurations/4.66-ensure-system-histsize-as-100-or-other.md +++ b/benchmarks/system-configurations/4.66-ensure-system-histsize-as-100-or-other.md 
@@ -6,14 +6,22 @@ ## 描述 -建议系统限制查看历史命令的数量,建议50或100(参考三级标准) +HISTSIZE 是一个在 Unix 和类 Unix 系统(如 Linux)的 shell 环境中设置的变量,它定义了 shell 会话中命令历史记录的数量。具体来说,HISTSIZE 决定了在当前 shell 会话中可以保存和回顾的命令行的最大数量。 + +当用户在一个 shell 会话中输入命令时,这些命令会被保存在一个历史列表中,用户可以通过按上下箭头键来浏览这个列表,从而快速访问之前输入过的命令。HISTSIZE 变量的值就决定了这个历史列表的大小。 + +例如,如果 HISTSIZE 被设置为 100,那么 shell 会保存最近的 1000 条命令。当用户输入第 1001 条命令时,最早的那条命令将从历史记录中被移除,以确保历史列表的大小不会超过 100。 + +需要注意的是,HISTSIZE 只影响当前 shell 会话中的命令历史记录数量。如果想要永久保存命令历史记录,可以将它们添加到 .bash_history 文件或其他相应的历史文件中,这通常是通过设置另一个变量 HISTFILESIZE 来实现的。HISTFILESIZE 定义了保存在 .bash_history 文件中的命令的最大数量。 + +从安全性的角度来看,合理设置 HISTSIZE 的值是很重要的,以避免敏感信息(如密码、密钥等)被保存在历史记录中并被其他用户或进程访问。建议设置为100以下。(默认为1000) ## 修复建议 查看profile文件中环境变量HISTSIZE的值,运行以下命令设置历史命令记录数量为100并生效: ```bash -# grep -qiP "^HISTSIZE" /etc/profile && sed -i "/^HISTSIZE/cHISTSIZE=100" /etc/profile || echo -e "HISTSIZE=100" >> /etc/profile +# grep -qP "^HISTSIZE" /etc/profile && sed -i "/^HISTSIZE/cHISTSIZE=100" /etc/profile || echo -e "HISTSIZE=100" >> /etc/profile # source /etc/profile ``` @@ -27,10 +35,10 @@ 2.查看profile文件HISTSIZE设置的值: ```bash -# grep -iP "^HISTSIZE" /etc/profile +# grep -P "^HISTSIZE" /etc/profile HISTSIZE=100 ``` -如果检测1中输出为100,且检测2中输出为HISTSIZE=100,说明则通过检查,否则检测未通过。 +如以上输出的结果均小于等于100,则通过此项检查,否则检测未通过。 ## 参考 diff --git a/benchmarks/system-configurations/4.67-ensure-system-histfilesize-100.md b/benchmarks/system-configurations/4.67-ensure-system-histfilesize-100.md index fcd3c5cd378b16c529496e392ccdbacae4476b27..c2d8efc98cdd5858a629ee222a680611c7366734 100644 --- a/benchmarks/system-configurations/4.67-ensure-system-histfilesize-100.md +++ b/benchmarks/system-configurations/4.67-ensure-system-histfilesize-100.md 
@@ -6,31 +6,36 @@ ## 描述 -建议系统对bash_history文件保存命令条数进行限制 +`HISTFILESIZE` 是一个 shell 变量,它定义了保存在历史命令文件中的最大行数。历史命令默认保存在用户的家目录下的 `.bash_history` 文件中。当用户在 shell 中执行命令时,这些命令会被记录在这个文件中,以便用户可以在稍后的时间使用 history 命令查看它们。 +`HISTFILESIZE` 变量的值决定了 .bash_history 文件中可以保存的最大命令数量。如果 `.bash_history` 文件中的命令行数超过 `HISTFILESIZE`的值,那么最早的命令将被删除,以便为新的命令腾出空间。 + +限制命令历史的大小:较小的 `HISTFILESIZE` 值可以减少保存在 `.bash_history`文件中的敏感信息数量。例如,如果用户在命令行中输入了密码、密钥或其他敏感数据(尽管这通常是不建议的),那么这些数据可能会被记录在命令历史中。通过限制历史记录的大小,可以降低这些数据被未经授权的用户访问的风险。 + +建议将 `HISTFILESIZE` 的值配置为100以下(默认值为1000)。 ## 修复建议 -查看profile文件中环境变量HISTFILESIZE的值,运行以下命令设置历史命令保存条数为100并生效: +查看profile文件中环境变量`HISTFILESIZE`的值,运行以下命令设置历史命令保存条数为100并生效: ```bash -# grep -qiP "^HISTFILESIZE" /etc/profile && sed -i "/^HISTFILESIZE/cexport HISTFILESIZE=100" /etc/profile || echo -e "export HISTFILESIZE=100" >> /etc/profile +# grep -qP "^HISTFILESIZE" /etc/profile && sed -i "/^HISTFILESIZE/cHISTFILESIZE=100" /etc/profile || echo -e "HISTFILESIZE=100" >> /etc/profile # source /etc/profile ``` ## 扫描检测 -1.查看环境变量HISTFILESIZE设置的值: +1.查看环境变量`HISTFILESIZE`设置的值: ```bash # echo $HISTFILESIZE 100 ``` -2.查看profile文件HISTFILESIZE设置的值: +2.查看profile文件`HISTFILESIZE`设置的值: ```bash -# grep -iP "HISTFILESIZE" /etc/profile +# grep -P "^HISTFILESIZE" /etc/profile HISTFILESIZE=100 ``` -如果检测1中输出为100,且检测2中输出为HISTFILESIZE=100,说明则通过检查,否则检测未通过。 +如以上输出的结果均小于等于100,则通过此项检查,否则检测未通过。 ## 参考 diff --git a/remediation-kits/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh b/remediation-kits/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh index b687a2a6bc8bb0fe5bcceef364156e60248b450d..13eed9cfe39e6a59dbdc51a91f87158218d9a902 100644 --- a/remediation-kits/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh +++ b/remediation-kits/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh 
@@ -1,4 +1,4 @@ -grep -Eq "^(\s*)ClientAliveInterval\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)ClientAliveInterval\s+\S+(\s*#.*)?\s*$/\1ClientAliveInterval 900\2/" /etc/ssh/sshd_config || echo "ClientAliveInterval 300" >> /etc/ssh/sshd_config -grep -Eq "^(\s*)ClientAliveCountMax\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)ClientAliveCountMax\s+\S+(\s*#.*)?\s*$/\1ClientAliveCountMax 0\2/" /etc/ssh/sshd_config || echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config +grep -Pq "^(\s*)ClientAliveInterval\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)ClientAliveInterval\s+\S+(\s*#.*)?\s*$/\1ClientAliveInterval 900\2/" /etc/ssh/sshd_config || echo "ClientAliveInterval 900" >> /etc/ssh/sshd_config +grep -Pq "^(\s*)ClientAliveCountMax\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)ClientAliveCountMax\s+\S+(\s*#.*)?\s*$/\1ClientAliveCountMax 0\2/" /etc/ssh/sshd_config || echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config systemctl restart sshd \ No newline at end of file diff --git a/remediation-kits/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh b/remediation-kits/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh index 69e213ec0d229f07b2ecec6a1a3ca24a0e27da34..e4ef60aa8f12f68c76dd957937e15b2d9704d5db 100644 --- a/remediation-kits/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh +++ b/remediation-kits/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh @@ -1,2 +1 @@ -grep -Psq "^\\\$FileCreateMode 0640" /etc/rsyslog.conf || echo "\$FileCreateMode 0640" >> /etc/rsyslog.conf -grep -Psq "^\\\$FileCreateMode 0640" /etc/rsyslog.d/listen.conf || echo "\$FileCreateMode 0640" >> /etc/rsyslog.d/listen.conf +grep -Psq "^\\\$FileCreateMode 0640" /etc/rsyslog.conf || echo "\$FileCreateMode 0640" >> /etc/rsyslog.conf \ No newline at end of file 
diff --git a/remediation-kits/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh b/remediation-kits/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh index e79ad762beb5028672388d2e9623112713c1d51a..f52af7f34db59d7ec91422bc067541edc6b7a56a 100644 --- a/remediation-kits/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh +++ b/remediation-kits/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh 
@@ -1,7 +1,15 @@ -if [[ `arch` == 'aarch64' ]] && [[ `uname -m` == 'aarch64' ]] ; then - grep -Pq "\-a\salways\,exit\s\-F\sarch=b(32|64)\s\-S\sunlink.*-k\sdelete" /etc/audit/rules.d/audit.rules || echo -e "\n-a always,exit -F arch=b64 -S unlinkat -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n" >> /etc/audit/rules.d/audit.rules +Rule32="-a always,exit -F arch=b32 -S unlink,rename,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete" +x86Rule64="-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete" + +armRule64="-a always,exit -F arch=b64 -S unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete" + +checkRule="^(?=^\s*-a\s+always,exit)(?=.*-F\s+arch=b(64|32))(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat)(?=.*-F\s+auid>=1000)" +checkRuleArm="^(?=^\s*-a\s+always,exit)(?=.*-F\s+arch=b(64|32))(?=.*unlinkat)(?=.*renameat)(?=.*-F\s+auid>=1000)" + +if [[ $(arch) == 'aarch64' ]] && [[ $(uname -m) == 'aarch64' ]] ; then + grep -Psq "$checkRuleArm" /etc/audit/rules.d/audit.rules || echo -e "\n$Rule32\n$armRule64\n" >> /etc/audit/rules.d/audit.rules else - grep -Pq "\-a\salways\,exit\s\-F\sarch=b(32|64)\s\-S\sunlink.*-k\sdelete" /etc/audit/rules.d/audit.rules || echo -e "\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n" >> /etc/audit/rules.d/audit.rules + grep -Psq "$checkRule" /etc/audit/rules.d/audit.rules || echo -e "\n$Rule32\n$x86Rule64\n" >> /etc/audit/rules.d/audit.rules fi augenrules --load \ No newline at end of file 
diff --git a/remediation-kits/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.sh b/remediation-kits/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.sh index fd6c681ad067d12b5d4c5834427ed92fd45a7554..1e3a00c7fedf9bba9f30090d7abfa972bb4bfd3d 100644 --- a/remediation-kits/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.sh +++ b/remediation-kits/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.sh @@ -1,3 +1,3 @@ #!/usr/bin/env bash -grep -qs "\-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd" /etc/audit/rules.d/stig.rules || echo -e "-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd" >> /etc/audit/rules.d/stig.rules -augenrules --load \ No newline at end of file +grep -Ps "^(?=^\s*-a\s+always,exit)(?=.*-S\s+all)(?=.*-F\s+path=/usr/bin/chsh)(?=.*-F\s+perm=x)(?=.*-F\s+auid>=1000)(?=.*-F\s+auid!=-1)" /etc/audit/rules.d/*.rules || echo -e "-a always,exit -S all -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=-1 -F key=priv_cmd" >> /etc/audit/rules.d/stig.rules +augenrules --load diff --git a/remediation-kits/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh b/remediation-kits/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh index eb27c28fc8d1354190ee84bec68def2232fe7c56..61db05a1a47b1be9f7e9607aa329f4717768f246 100644 --- a/remediation-kits/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh +++ b/remediation-kits/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh 
@@ -1,3 +1 @@ -grep -Psq "^Defaults\slogfile\=.*\.log$" /etc/sudoers || echo "Defaults logfile=/var/log/sudo.log" >> /etc/sudoers - -auditctl -s | grep "enabled" \ No newline at end of file +grep -Psq "^\s*Defaults\s+logfile\s*=\s*(/?)([a-zA-Z0-9_.-]+/?)*" /etc/sudoers || echo "Defaults logfile=/var/log/sudo.log" >> /etc/sudoers diff --git a/remediation-kits/logging-and-auditing/2.31-ensure-use-of-privileged-commands-are-collected.sh b/remediation-kits/logging-and-auditing/2.31-ensure-use-of-privileged-commands-are-collected.sh index 86bd65dd770946d7c6989a3fcd5834d2095e4470..a81c7b784cb5dc33419c47b479844bca510ccf39 100644 --- a/remediation-kits/logging-and-auditing/2.31-ensure-use-of-privileged-commands-are-collected.sh +++ b/remediation-kits/logging-and-auditing/2.31-ensure-use-of-privileged-commands-are-collected.sh @@ -1,3 +1,4 @@ +#! /bin/bash build_audit_rules() ( UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) diff --git a/remediation-kits/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh b/remediation-kits/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh index 91c3d4c13cc4f49db8ee74f0fa438af39b22ed8f..d9de6a41ace3ef64f0cca3c75c9fc0156e554017 100644 --- a/remediation-kits/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh +++ b/remediation-kits/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh 
@@ -1,8 +1,6 @@ -grep -Psq "^\-a\s+always,exit\s+\-F\s+arch=b64\s+\-S\s+chmod,fchmod,fchmodat\s+\-F\s+auid>=1000\s+\-F\s+auid!=unset\s+\-F\s+key=.*$" /etc/audit/rules.d/*.rules || echo "-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod" >> /etc/audit/rules.d/50-perm_mod.rules -grep -Psq "^\-a\s+always,exit\s+\-F\s+arch=b64\s+\-S\s+chown,fchown,lchown,fchownat\s+\-F\s+auid>=1000\s+\-F\s+auid!=unset\s+\-F\s+key=.*$" /etc/audit/rules.d/*.rules || echo "-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod" >> /etc/audit/rules.d/50-perm_mod.rules -grep -Psq "^\-a\s+always,exit\s+\-F\s+arch=b32\s+\-S\s+chmod,fchmod,fchmodat\s+\-F\s+auid>=1000\s+\-F\s+auid!=unset\s+\-F\s+key=.*$" /etc/audit/rules.d/*.rules || echo "-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod" >> /etc/audit/rules.d/50-perm_mod.rules -grep -Psq "^\-a\s+always,exit\s+\-F\s+arch=b32\s+\-S\s+lchown,fchown,chown,fchownat\s+\-F\s+auid>=1000\s+\-F\s+auid!=unset\s+\-F\s+key=.*$" /etc/audit/rules.d/*.rules || echo "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod" >> /etc/audit/rules.d/50-perm_mod.rules -grep -Psq "^\-a\s+always,exit\s+\-F\s+arch=b64\s+\-S\s+setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr\s+\-F\s+auid>=1000\s+\-F\s+auid!=unset\s+\-F\s+key=.*$" /etc/audit/rules.d/*.rules || echo "-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod" >> /etc/audit/rules.d/50-perm_mod.rules -grep -Psq "^\-a\s+always,exit\s+\-F\s+arch=b32\s+\-S\s+setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr\s+\-F\s+auid>=1000\s+\-F\s+auid!=unset\s+\-F\s+key=.*$" /etc/audit/rules.d/*.rules || echo "-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 
-F auid!=unset -F key=perm_mod" >> /etc/audit/rules.d/50-perm_mod.rules +for BIT in b32 b64 ; do + checkRule="^(?=^\s*-a\s+always,exit)(?=.*-F\s+arch=$BIT)(?=.*chmod)(?=.*fchmod)(?=.*chown)(?=.*fchown)(?=.*lchown)(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr)(?=.*fchownat)(?=.*fchmodat)" + grep -Pq $checkRule /etc/audit/rules.d/*.rules /etc/audit/*.rules || echo "-a always,exit -F arch=$BIT -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod" >> /etc/audit/rules.d/50-perm_mod.rules +done augenrules --load \ No newline at end of file diff --git a/remediation-kits/services/3.26-disable-usb-storage.sh b/remediation-kits/services/3.26-disable-usb-storage.sh index 22082803e6f69871f381e12e3205a3030db5ccee..d4d32184e171b403cb63cbb1d9a23a5b3ffc923f 100644 --- a/remediation-kits/services/3.26-disable-usb-storage.sh +++ b/remediation-kits/services/3.26-disable-usb-storage.sh @@ -1,2 +1,2 @@ grep -Psq "^install\s+usb\-storage\s+\/bin\/true$" /etc/modprobe.d/*.conf || echo "install usb-storage /bin/true" >> /etc/modprobe.d/usb_storage.conf -[[ $(lsmod | grep usb-storage) ]] && rmmod usb-storage +[[ $(lsmod | grep -P "^usb(_|-)storage\b") ]] && rmmod usb-storage diff --git a/scanners/access-and-control/1.1-ensure-cron-daemon-is-enabled.sh b/scanners/access-and-control/1.1-ensure-cron-daemon-is-enabled.sh index b801c6b86d980861da992f8a8d4681a8ef2985be..708f491c834d9a7dc2db5f46c493af2ce7c0cb74 100644 --- a/scanners/access-and-control/1.1-ensure-cron-daemon-is-enabled.sh +++ b/scanners/access-and-control/1.1-ensure-cron-daemon-is-enabled.sh @@ -1,5 +1,5 @@ result=$(systemctl is-enabled crond) -if [ $result = enabled ]; then +if [[ $result == "enabled" ]]; then echo "pass" else echo "fail" 
diff --git a/scanners/access-and-control/1.10-ensure-ssh-access-is-limited.sh b/scanners/access-and-control/1.10-ensure-ssh-access-is-limited.sh index b83cf91868e3c61a603589608a8a2fd5aedd19d4..e939fc41708f03435d680423923d6d292d885df0 100644 --- a/scanners/access-and-control/1.10-ensure-ssh-access-is-limited.sh +++ b/scanners/access-and-control/1.10-ensure-ssh-access-is-limited.sh @@ -1,8 +1,8 @@ result=false -sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Piq '^\h*(allow|deny)(users|groups)\h+\H+(\h+.*)?$' && grep -Piq '^\h*(allow|deny)(users|groups)\h+\H+(\h+.*)?$' /etc/ssh/sshd_config && result=true +sshd -T | grep -Piq '^(allow|deny)(users|groups)\s+.*' && grep -Piq '^\h*(allow|deny)(users|groups)\h+.*$' /etc/ssh/sshd_config && result=true -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/access-and-control/1.11-ensure-permissions-on-ssh-private-host-key-files-are-configured.sh b/scanners/access-and-control/1.11-ensure-permissions-on-ssh-private-host-key-files-are-configured.sh index 9737c3a62e218d6fec47560dc9855042f0c1c755..ab197fd6da5005a659db173d25a3699ded2d1900 100644 --- a/scanners/access-and-control/1.11-ensure-permissions-on-ssh-private-host-key-files-are-configured.sh +++ b/scanners/access-and-control/1.11-ensure-permissions-on-ssh-private-host-key-files-are-configured.sh @@ -4,7 +4,7 @@ result_ssh_keys=false find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec stat -c %G-%U-%a {} \; | grep -Piq "root\-root\-([7][1-7][1-7]|[0-7][1-7][1-7])" || result_root=true find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec stat -c %G-%U-%a {} \; | grep -Piq "ssh_keys\-root\-([7][5-7][1-7]|[0-7][5-7][1-7])" || result_ssh_keys=true -if [[ "$result_root" == true && "$result_ssh_keys" == true ]]; then +if [[ "$result_root" == "true" && "$result_ssh_keys" == "true" ]]; then echo "pass" else echo "fail" 
diff --git a/scanners/access-and-control/1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured.sh b/scanners/access-and-control/1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured.sh index 4a24cd5de8dc1f08053dcd676cab3dd54777f4f3..545fbba2a1acd133fc8643f75107bca0a3c6ac33 100644 --- a/scanners/access-and-control/1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured.sh +++ b/scanners/access-and-control/1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured.sh @@ -1,8 +1,8 @@ result=false -find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec stat -c %G-%U-%a {} \; | grep -Pi "root\-root\-([7][5-7][5-7]|[0-7][5-7][5-7])" || result=true +find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec stat -c %G-%U-%a {} \; | grep -Piq "root\-root\-([7][5-7][5-7]|[0-7][5-7][5-7])" || result=true -if [[ "$result" == true ]]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh b/scanners/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh index 77a57d69f8db33223319c6a771c3f8e3e3e4fa64..9756b8c4d7e75e82bdf92c961f3c3bdd1fe18f6f 100644 --- a/scanners/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh +++ b/scanners/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh 
@@ -1,9 +1,5 @@ -result=false +loadedSystemConfig=$(sshd -T | grep -Pi "^loglevel\s+(INFO|VERBOSE)$") +configFileSettings=$(grep -Pi '^\s*loglevel\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*loglevel\s+(INFO|VERBOSE)\b') -sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -q loglevel && grep -Eqi 'loglevel\s+(VERBOSE|INFO)' /etc/ssh/sshd_config && result=true - -if [ "$result" = true ]; then - echo "pass" -else - echo "fail" -fi \ No newline at end of file +[[ -z $loadedSystemConfig ]] && echo 'fail' && exit 1 +[[ -z $configFileSettings && -n $loadedSystemConfig ]] && echo 'pass' || echo 'fail' diff --git a/scanners/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh b/scanners/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh index 87e95ba0965adbc10033ce702093956ebcf4611b..2b29e1136a2390912c081f6a1edf10e18defd31e 100644 --- a/scanners/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh +++ b/scanners/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh @@ -1,9 +1,5 @@ -result=false +loadedSystemConfig=$(sshd -T | grep -Pi '^\s*maxauthtries\s+[0-4]$') +configFileSettings=$(grep -Pim1 '^\s*maxauthtries\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*maxauthtries\s+[0-4]{1}\b') -sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Eiq ^maxauthtries\\s+[0-4]$ && grep -Eiq '^\s*maxauthtries\s+[0-4]$' /etc/ssh/sshd_config && result=true - -if [ "$result" = true ]; then - echo "pass" -else - echo "fail" -fi \ No newline at end of file +[[ -z $loadedSystemConfig ]] && echo 'fail' && exit 1 +[[ -z $configFileSettings && -n $loadedSystemConfig ]] && echo 'pass' || echo 'fail' 
diff --git a/scanners/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh b/scanners/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh index 4b0c99d6406ef9b3de1e19e5a6b1d10afb38b6a3..8f30d5b62e11bf77203fe36150508e7db1f6e846 100644 --- a/scanners/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh +++ b/scanners/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh @@ -1,9 +1,5 @@ -result=false +loadedSystemConfig=$(sshd -T | grep -Pi "^ignorerhosts\s+yes$") +configFileSettings=$(grep -Pim1 '^\s*ignorerhosts\b' /etc/ssh/sshd_config | grep -Pvi '^\s*ignorerhosts\s+yes\b') -sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Eiq ^ignorerhosts\\s+yes && ! (grep -Eiq '^\s*ignorerhosts\s+no\b' /etc/ssh/sshd_config) && result=true - -if [ "$result" = true ]; then - echo "pass" -else - echo "fail" -fi \ No newline at end of file +[[ -z $loadedSystemConfig ]] && echo 'fail' && exit 1 +[[ -z $configFileSettings && -n $loadedSystemConfig ]] && echo 'pass' || echo 'fail' diff --git a/scanners/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh b/scanners/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh index 859d920684d2e297e4ed2b4392eab7d039e77864..e77578e780422962c841c7e0967a4963a3ef1803 100644 --- a/scanners/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh +++ b/scanners/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh 
@@ -1,9 +1,5 @@ -result=false +loadedSystemConfig=$(sshd -T | grep -Pi "^hostbasedauthentication\s+no$") +configFileSettings=$(grep -Pim1 '^\s*hostbasedauthentication\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*hostbasedauthentication\s+no\b') -sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Eiq ^hostbasedauthentication\\s+no && grep -Eiq 'hostbasedauthentication\s+no' /etc/ssh/sshd_config && result=true - -if [ "$result" = true ]; then - echo "pass" -else - echo "fail" -fi \ No newline at end of file +[[ -z $loadedSystemConfig ]] && echo 'fail' && exit 1 +[[ -z $configFileSettings && -n $loadedSystemConfig ]] && echo 'pass' || echo 'fail' diff --git a/scanners/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh b/scanners/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh index 3f73247d637989af88810b7e97ceb3d9bf525b93..ab9dc779fcec243ccd05db748a0eae8fd35dd2c2 100644 --- a/scanners/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh +++ b/scanners/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh @@ -1,9 +1,5 @@ -result=false +loadedSystemConfig=$(sshd -T | grep -Pi "^permitrootlogin\s+no$") +configFileSettings=$(grep -Pim1 '^\s*permitrootlogin\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*permitrootlogin\s+no\b') -sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Eiq ^permitrootlogin\\s+no && grep -Eiq 'permitrootlogin\s+no' /etc/ssh/sshd_config && result=true - -if [ "$result" = true ]; then - echo "pass" -else - echo "fail" -fi \ No newline at end of file +[[ -z $loadedSystemConfig ]] && echo 'fail' && exit 1 +[[ -z $configFileSettings && -n $loadedSystemConfig ]] && echo 'pass' || echo 'fail' 
diff --git a/scanners/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh b/scanners/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh index 0edb3863f3c396ea87e8d7985745c89668b3481a..80641bb30b4c36d8f828b3c2edf0d7fb7e6166d3 100644 --- a/scanners/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh +++ b/scanners/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh @@ -1,9 +1,5 @@ -result=false +loadedSystemConfig=$(sshd -T | grep -Pi "^permitemptypasswords\s+no$") +configFileSettings=$(grep -Pim1 '^\s*permitemptypasswords\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*permitemptypasswords\s+no\b') -sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Eiq ^permitemptypasswords\\s+no && ! (grep -Eiq '^\s*PermitEmptyPasswords\s+yes' /etc/ssh/sshd_config) && result=true - -if [ "$result" = true ]; then - echo "pass" -else - echo "fail" -fi \ No newline at end of file +[[ -z $loadedSystemConfig ]] && echo 'fail' && exit 1 +[[ -z $configFileSettings && -n $loadedSystemConfig ]] && echo 'pass' || echo 'fail' diff --git a/scanners/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh b/scanners/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh index 9dd6389f80a7093d140319312d980cc3bb528125..073bd98e6780da435441765c1a6f6a46f4044d83 100644 --- a/scanners/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh +++ b/scanners/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh 
@@ -1,9 +1,5 @@ -result=false +loadedSystemConfig=$(sshd -T | grep -Pi "^permituserenvironment\s+no$") +configFileSettings=$(grep -Pim1 '^\s*permituserenvironment\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*permituserenvironment\s+no\b') -sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Eiq ^permituserenvironment\\s+no && ! (grep -Eiq '^\s*PermitUserEnvironment\s+yes\b' /etc/ssh/sshd_config) && result=true - -if [ "$result" = true ]; then - echo "pass" -else - echo "fail" -fi \ No newline at end of file +[[ -z $loadedSystemConfig ]] && echo 'fail' && exit 1 +[[ -z $configFileSettings && -n $loadedSystemConfig ]] && echo 'pass' || echo 'fail' diff --git a/scanners/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh b/scanners/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh index 3a30bfc60e2d106b8700728f35e26ab1e0491507..0debad126c81bce671b9eb76dde45cc661ffd56f 100644 --- a/scanners/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh +++ b/scanners/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh @@ -2,7 +2,7 @@ result=false stat -c "%a-%U-%G" /etc/crontab | grep -Pq '^[0-6][0][0]\-root\-root$' && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh b/scanners/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh index f2db9f0f9596b37351749915a3272bce5b7c69e2..2cd6792c31aa8f8756304770bd997509ef2a4c9e 100644 --- a/scanners/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh +++ b/scanners/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh 
@@ -1,20 +1,19 @@ -result_client_alive_interval=0 -result_client_alive_countmax=0 -result_client_alive_interval_sshd_config=false -result_client_alive_countmax_sshd_config=false +checkPoint=false +loadedSystemConfig_clientalivecountmax=$(sshd -T | grep -Pi '^clientalivecountmax\s+[0]{1}$') +configFileSettings_clientalivecountmax=$(grep -Pim1 '^\s*ClientAliveCountMax\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*ClientAliveCountMax\s+[0]{1}\b') -val_clientaliveinterval=`sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep clientaliveinterval | cut -d ' ' -f 2` -result_client_alive_interval=`echo "$val_clientaliveinterval <= 900 && $val_clientaliveinterval != 0" | bc` - -val_clientalivecountmax=`sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep clientalivecountmax | cut -d ' ' -f 2` -result_client_alive_countmax=`echo "$val_clientalivecountmax == 0" | bc` +[[ -z $loadedSystemConfig_clientalivecountmax ]] && echo 'fail' && exit 1 +if [[ -z $configFileSettings_clientalivecountmax && -n $loadedSystemConfig_clientalivecountmax ]]; then + checkPoint=true +else + echo 'fail' + exit 1 +fi -grep -Ei '^\s*ClientAliveInterval\s+(0|9[0-9][1-9]|[1-9][0-9][0-9][0-9]+|1[6-9]m|[2-9][0-9]m|[1-9][0-9][0-9]+m)\b' /etc/ssh/sshd_config || result_client_alive_interval_sshd_config=true +[[ -z $configFileSettings_clientalivecountmax && -n $loadedSystemConfig_clientalivecountmax ]] && checkPoint=true || { echo 'fail'; exit 1; } -grep -Ei '^\s*ClientAliveCountMax\s+([1-9]|[1-9][0-9]+)\b' /etc/ssh/sshd_config || result_client_alive_countmax_sshd_config=true +loadedSystemConfig_clientaliveinterval=$(sshd -T | grep -Pi "^clientaliveinterval\b" | awk '{ if ($2 > 900) print 1; else print 0 }') +configFileSettings_clientaliveinterval=$(grep -Pim1 '^\s*clientaliveinterval\s+' /etc/ssh/sshd_config | awk '{ if ($2 > 900) print 1; else print 0 }') -if [[ $result_client_alive_interval -eq 1 
&& $result_client_alive_countmax -eq 1 && $result_client_alive_interval_sshd_config == true && $result_client_alive_countmax_sshd_config == true ]]; then - echo "pass" -else - echo "fail" -fi \ No newline at end of file +[[ $loadedSystemConfig_clientaliveinterval -ne 0 ]] && echo 'fail' && exit 1 +[[ $configFileSettings_clientaliveinterval -eq 0 && $loadedSystemConfig_clientaliveinterval -eq 0 && $checkPoint == "true" ]] && echo 'pass' || echo 'fail' diff --git a/scanners/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh b/scanners/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh index 0b2b4cdb34e7fee33c32d7ff7b898b176e3208d8..e57f146f2518f456c1ab65459396ec4213c2def6 100644 --- a/scanners/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh +++ b/scanners/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh 
@@ -1,13 +1,19 @@ -result_logingracetime=0 -result_LoginGraceTime_sshd_config=false +loadedSystemConfig=$(sshd -T | grep -Pi "^logingracetime\b" | awk '{ if ($2 > 60) print 1; else print 0 }') +configFileType=$(grep -Pim1 '^\s*logingracetime\s+[0-9]+' /etc/ssh/sshd_config | awk '{print $2}' | grep -Poi '[s|m]$' | tr 'A-Z' 'a-z') +configFileSettings=$(grep -Poim1 '^\s*logingracetime\s+[0-9]+' /etc/ssh/sshd_config | awk '{print $2}') -val_logingracetime=`sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep logingracetime | cut -d ' ' -f 2` -result_logingracetime=`echo "$val_logingracetime <= 60" | bc` +[[ $loadedSystemConfig -ne 0 ]] && echo 'fail' && exit 1 -grep -Ei '^\s*LoginGraceTime\s+(0|6[1-9]|[7-9][0-9]|[1-9][0-9][0-9]+|[^1]m)' /etc/ssh/sshd_config || result_LoginGraceTime_sshd_config=true - -if [[ $result_logingracetime -eq 1 && $result_LoginGraceTime_sshd_config == true ]]; then - echo "pass" +if [[ -z $configFileType && -z $configFileSettings ]]; then + [[ $loadedSystemConfig -eq 0 ]] && echo 'pass' || echo 'fail' + exit 0 +elif [[ $configFileType == 's' && -n $configFileSettings ]] || [[ -z $configFileType && -n $configFileSettings ]]; then + [[ $configFileSettings -le 60 ]] && echo 'pass' || echo 'fail' + exit 0 +elif [[ $configFileType == 'm' && -n $configFileSettings ]]; then + [[ $configFileSettings -le 1 ]] && echo 'pass' || echo 'fail' + exit 0 else - echo "fail" -fi \ No newline at end of file + echo 'fail' + exit 0 +fi diff --git a/scanners/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh b/scanners/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh index 7d12a00c1e6d096abf31a8129b16bb251babc2c4..ce0cfbd620fd7d73e9d07c01fca6aaa45ce15a19 100644 --- a/scanners/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh +++ b/scanners/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh 
@@ -1,8 +1,8 @@ -result=false -sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Piq ^banner\\s+\/etc\/issue.net && result=true +loadedSystemConfig=$(sshd -T | grep -Pi "^banner\s+none$") +configFileSettings=$(grep -Pim1 "^\s*Banner\s+.*$" /etc/ssh/sshd_config) -if [[ $result == true ]]; then - echo "pass" +if [[ -n $loadedSystemConfig && -n $configFileSettings ]]; then + echo 'fail' && exit 1 else - echo "fail" -fi \ No newline at end of file + echo 'pass' +fi diff --git a/scanners/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh b/scanners/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh index c772433b064fdad49f2abfe98540a4483ca524f5..e0bf8585398787ccfa833a1a831940974e2be1a0 100644 --- a/scanners/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh +++ b/scanners/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh @@ -1,8 +1,5 @@ -result=false -sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Eiq ^usepam\\s+yes && grep -Eiq '^\s*UsePAM\s+yes' /etc/ssh/sshd_config && result=true +loadedSystemConfig=$(sshd -T | grep -Pi "^usepam\s+yes$") +configFileSettings=$(grep -Pi '^\s*usepam\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*usepam\s+yes\b') -if [[ $result == true ]]; then - echo "pass" -else - echo "fail" -fi \ No newline at end of file +[[ -z $loadedSystemConfig ]] && echo 'fail' && exit 1 +[[ -z $configFileSettings && -n $loadedSystemConfig ]] && echo 'pass' || echo 'fail' diff --git a/scanners/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh b/scanners/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh index 773f2e68b26ada439afc8a28203b6e99d358d04e..e2a0e29e8de8ed85f5e7aa21466fe68561c41f19 100644 --- a/scanners/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh +++ b/scanners/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh 
@@ -1,11 +1,23 @@ -result_sshd_config=false -result_sshd=false +result=false -grep -Eiq '^\s*maxstartups\s+(((1[1-9]|[2-9][0-9]|[1-9][0-9][0-9]+):([0-9]+):([0-9]+))|(([0-9]+):(3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):([0-9]+))|(([0-9]+):([0-9]+):(6[1-9]|[7-9][0-9]|[1-9][0-9][0-9]+)))' /etc/ssh/sshd_config || result_sshd_config=true +maxstartups_first=$(sshd -T | grep -Pi "^\s*maxstartups\b" | awk '{print $2}' | awk -F: '{print $1}') +maxstartups_second=$(sshd -T | grep -Pi "^\s*maxstartups\b" | awk '{print $2}' | awk -F: '{print $2}') +maxstartups_third=$(sshd -T | grep -Pi "^\s*maxstartups\b" | awk '{print $2}' | awk -F: '{print $3}') -sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Eiq '^\s*maxstartups\s+(((1[1-9]|[2-9][0-9]|[1-9][0-9][0-9]+):([0-9]+):([0-9]+))|(([0-9]+):(3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):([0-9]+))|(([0-9]+):([0-9]+):(6[1-9]|[7-9][0-9]|[1-9][0-9][0-9]+)))' || result_sshd=true +if $(grep -Piq '^\s*maxstartups\s+[0-9]+\:[0-9]+\:[0-9]+\b' /etc/ssh/sshd_config); then + config_maxstartups_first=$(grep -Pim1 '^\s*maxstartups\b\s+[0-9]+\:[0-9]+\:[0-9]+\b' /etc/ssh/sshd_config | awk '{print $2}' | awk -F: '{print $1}') + config_maxstartups_second=$(grep -Pim1 '^\s*maxstartups\b\s+[0-9]+\:[0-9]+\:[0-9]+\b' /etc/ssh/sshd_config | awk '{print $2}' | awk -F: '{print $2}') + config_maxstartups_third=$(grep -Pim1 '^\s*maxstartups\b\s+[0-9]+\:[0-9]+\:[0-9]+\b' /etc/ssh/sshd_config | awk '{print $2}' | awk -F: '{print $3}') + [[ $maxstartups_first -le 10 ]] && [[ $maxstartups_second -ge 30 ]] && [[ $maxstartups_third -ge $maxstartups_first && $maxstartups_third -le 60 ]] && \ + [[ $config_maxstartups_first -le 10 ]] && [[ $config_maxstartups_second -ge 30 ]] && [[ $config_maxstartups_third -ge $config_maxstartups_first && $config_maxstartups_third -le 60 ]] && \ + result=true +else + [[ $maxstartups_first -le 10 ]] && [[ $maxstartups_second -ge 30 ]] && \ + # 参数3需大于等于参数1 + [[ $maxstartups_third -ge 
$maxstartups_first && $maxstartups_third -le 60 ]] && result=true +fi -if [[ $result_sshd_config == true && $result_sshd == true ]]; then +if [[ "$result" = true ]]; then echo "pass" else echo "fail" diff --git a/scanners/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh b/scanners/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh index 7e827ec69a70f6fc706c7cf28b53c29536dff165..4f6d3d8fa820720f5c9969e93451dafa6ff3a466 100644 --- a/scanners/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh +++ b/scanners/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh @@ -1,12 +1,5 @@ -result_sshd_config=false -result_sshd=false +loadedSystemConfig=$(sshd -T | grep -Pi "^MaxSessions\b" | awk '{ if ($2 > 10) print 1; else print 0 }') +configFileSettings=$(grep -Pim1 '^\s*MaxSessions\s+' /etc/ssh/sshd_config | awk '{ if ($2 > 10) print 1; else print 0 }') -grep -Ei '^\s*MaxSessions\s+(1[1-9]|[2-9][0-9]|[1-9][0-9][0-9]+)' /etc/ssh/sshd_config || result_sshd_config=true - -sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Ei '^\s*MaxSessions\s+(1[1-9]|[2-9][0-9]|[1-9][0-9][0-9]+)' || result_sshd=true - -if [[ $result_sshd_config == true && $result_sshd == true ]]; then - echo "pass" -else - echo "fail" -fi \ No newline at end of file +[[ $loadedSystemConfig -ne 0 ]] && echo 'fail' && exit 1 +[[ $configFileSettings -eq 0 && $loadedSystemConfig -eq 0 ]] && echo 'pass' || echo 'fail' diff --git a/scanners/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.sh b/scanners/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.sh index ab4f22579a6bf75f0a7fea598c6066144acc231a..853874e37a6964d44451910b61b0db608be53644 100644 --- a/scanners/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.sh 
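Review bot: the 1.24 MaxStartups hunk silently changes the rule being audited: the removed regex failed when start > 10, rate > 30 or full > 60, but the new test requires `maxstartups_second -ge 30`, so a stricter `10:20:60` now fails and a looser `10:50:60` passes; the rate check should be `-le 30`. `if $(grep -Piq ...); then` only works because bash falls back to the command substitution's exit status when no command name remains; write it as `if grep -Piq '...' /etc/ssh/sshd_config; then`. The `# 参数3需大于等于参数1` comment sits between a trailing `&& \` and its continuation and parses only because bash tolerates a newline after `&&`; move the comment above the chain.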
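Review bot: in the 1.25 MaxSessions hunk an empty `sshd -T` result passes: when `sshd -T` prints nothing (run without root privileges, sshd not installed, or a config parse error), `loadedSystemConfig` is empty, `[[ '' -ne 0 ]]` is false and `[[ '' -eq 0 ]]` is true, so the script prints `pass` with nothing verified. Guard with `[[ -z $loadedSystemConfig ]] && echo 'fail' && exit 1` first, as the 1.23 and 1.50 hunks already do; the 1.47 MaxAuthTries hunk has the same gap.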
+++ b/scanners/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.sh @@ -1,6 +1,6 @@ result=false -grep -i '^\s*CRYPTO_POLICY=' /etc/sysconfig/sshd || result=true +grep -iPq '^\s*CRYPTO_POLICY\s*\=' /etc/sysconfig/sshd || result=true if [[ $result == true ]]; then echo "pass" diff --git a/scanners/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh b/scanners/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh index e93bc67578fc452bd22a5fa5d03192ea421b061e..c14f970d1b645448871e0b61275bbb660ba6b17d 100644 --- a/scanners/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh +++ b/scanners/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh @@ -15,14 +15,14 @@ PAM_SYSTEM_AUTH="/etc/pam.d/system-auth" # 检查/etc/security/pwquality.conf文件中的条件 check_pwquality_conf() { # 检查minlen=14 - check_file_contains "$PWQUALITY_CONF" '^minlen(?: |)=(?: |)14' || return 1 + check_file_contains "$PWQUALITY_CONF" '^minlen(?: |)=(?: |)14\b' || return 1 # 检查minclass=4 或者所有credit设置为-1 - (check_file_contains "$PWQUALITY_CONF" '^minclass(?: |)=(?: |)4') || \ - (check_file_contains "$PWQUALITY_CONF" '^dcredit(?: |)=(?: |)-1' && \ - check_file_contains "$PWQUALITY_CONF" '^ucredit(?: |)=(?: |)-1' && \ - check_file_contains "$PWQUALITY_CONF" '^ocredit(?: |)=(?: |)-1' && \ - check_file_contains "$PWQUALITY_CONF" '^lcredit(?: |)=(?: |)-1') || return 1 + (check_file_contains "$PWQUALITY_CONF" '^minclass(?: |)=(?: |)4\b') || \ + (check_file_contains "$PWQUALITY_CONF" '^dcredit(?: |)=(?: |)-1\b' && \ + check_file_contains "$PWQUALITY_CONF" '^ucredit(?: |)=(?: |)-1\b' && \ + check_file_contains "$PWQUALITY_CONF" '^ocredit(?: |)=(?: |)-1\b' && \ + check_file_contains "$PWQUALITY_CONF" '^lcredit(?: |)=(?: |)-1\b') || return 1 return 0 } 
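Review bot: the added `\b` in the 1.27 pwquality patterns correctly stops `minlen=14` from matching `minlen=140`, but `(?: |)` still accepts at most one space on each side of `=`, so `minlen  = 14` or a tab-separated value is rejected; `\s*` on both sides of `=` is the usual form. `^minlen` also allows no leading whitespace, unlike the sshd and PAM scanners in this patch, which use `^\s*`.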
@@ -30,7 +30,7 @@ check_pwquality_conf() { # 检查/etc/pam.d/password-auth和/etc/pam.d/system-auth文件中的条件 check_pam_files() { local files=("$PAM_PASSWORD_AUTH" "$PAM_SYSTEM_AUTH") - local patterns=("enforce-for-root" "retry=\d+") + local patterns=("\benforce-for-root\b" "\bretry=\d+\b") for file in "${files[@]}"; do for pattern in "${patterns[@]}"; do diff --git a/scanners/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh b/scanners/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh index 20d2e089bc8fda51a5b36ff4e76fe577e99f6d37..8852beb93d83b3f7d33b272ea56dfcd9b96de9ac 100644 --- a/scanners/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh +++ b/scanners/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh 
@@ -1,9 +1,36 @@ -result=false +grep -Pi "^\s*auth\s+required\s+pam_faillock.so\b\s+.*" /etc/pam.d/password-auth | grep -Pqiv ".*\bdeny=[0-9]+\b\s+.*unlock_time=[0-9]+\b.*" && echo 'fail' && exit 1 +grep -Pi "^\s*auth\s+required\s+pam_faillock.so\b\s+.*" /etc/pam.d/system-auth | grep -Pqiv ".*\bdeny=[0-9]+\b\s+.*unlock_time=[0-9]+\b.*" && echo 'fail' && exit 1 -grep -Eiq "^\s*auth\s+required\s+.*\s+deny=[1-5]\s*.*$" /etc/pam.d/password-auth && grep -Eiq "^\s*auth\s+required\s+.*\s+unlock_time=(9[0-9][0-9]|[1-9][0-9][0-9][0-9])\s*.*$" /etc/pam.d/password-auth && grep -Eiq "^\s*auth\s+required\s+.*\s+deny=[1-5]\s*.*$" /etc/pam.d/system-auth && grep -Eiq "^\s*auth\s+required\s+.*\s+unlock_time=(9[0-9][0-9]|[1-9][0-9][0-9][0-9])\s*.*$" /etc/pam.d/system-auth && result=true +denyValuePassword=$(grep -Poi "^\s*auth\s+required\s+pam_faillock.so\s+.*\bdeny=[0-9]+\b" /etc/pam.d/password-auth | grep -Pio "\bdeny=[0-9]+\b" | awk -F= '{print $2}') +denyValueSystem=$(grep -Poi "^\s*auth\s+required\s+pam_faillock.so\s+.*\bdeny=[0-9]+\b" /etc/pam.d/system-auth | grep -Pio "\bdeny=[0-9]+\b" | awk -F= '{print $2}') +unlockValuePassword=$(grep -Poi "^\s*auth\s+required\s+pam_faillock.so\s+.*\bunlock_time=[0-9]+\b" /etc/pam.d/password-auth | grep -Pio "\bunlock_time=[0-9]+\b" | awk -F= '{print $2}') +unlockValueSystem=$(grep -Poi "^\s*auth\s+required\s+pam_faillock.so\s+.*\bunlock_time=[0-9]+\b" /etc/pam.d/system-auth | grep -Pio "\bunlock_time=[0-9]+\b" | awk -F= '{print $2}') -if [[ $result == true ]]; then - echo "pass" +if [[ -n $denyValuePassword && -n $denyValueSystem ]] ; then + for i in $denyValuePassword $denyValueSystem + do + if [[ $i -gt 5 ]]; then + echo 'fail' + exit 1 + fi + done else - echo "fail" -fi \ No newline at end of file + echo 'fail' + exit 1 +fi + + +if [[ -n $unlockValuePassword && -n $unlockValueSystem ]] ; then + for i in $unlockValuePassword $unlockValueSystem + do + if [[ $i -lt 900 ]]; then + echo 'fail' + exit 1 + fi + done +else + echo 'fail' + exit 
1 +fi + +echo 'pass' diff --git a/scanners/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh b/scanners/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh index 8803947bb907e825d85be3155a86af55fd9d2e6d..ebcfa84c39ec196a5dbdd1a13c839326856b18ff 100644 --- a/scanners/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh +++ b/scanners/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh @@ -2,7 +2,7 @@ result=false stat -c "%a-%U-%G" /etc/cron.hourly | grep -Pq '^[0-7][0][0]\-root\-root$' && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh b/scanners/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh index 7d3b443e30c781ea4158d2cfbbef6b87f3ccd2fd..af6481d9c8d519a4f12d2066ab1000eb23037afb 100644 --- a/scanners/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh +++ b/scanners/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh @@ -1,8 +1,8 @@ result=false -grep -Eiq "^\s*password\s+sufficient\s+pam_unix.so\s+.*sha512\s*.*$" /etc/pam.d/password-auth && grep -Eiq "^\s*password\s+sufficient\s+pam_unix.so\s+.*sha512\s*.*$" /etc/pam.d/system-auth && result=true +grep -Eiq "^\s*\bpassword\s+\bsufficient\s+\bpam_unix.so\s+.*\bsha512\s*.*$" /etc/pam.d/password-auth && grep -Eiq "^\s*\bpassword\s+\bsufficient\s+\bpam_unix.so\s+.*\bsha512\s*.*$" /etc/pam.d/system-auth && result=true -if [[ $result == true ]]; then +if [[ $result == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/access-and-control/1.31-ensure-password-expiration-is-365-days-or-less.sh b/scanners/access-and-control/1.31-ensure-password-expiration-is-365-days-or-less.sh index 7cdce81ca3ade306518d4536f833f42fdacf59e6..b3378407e147392004bf51147674fa55bf7a0989 100644 
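Review bot: the 1.28 faillock hunk requires `deny=` to appear before `unlock_time=` on the same line (`\bdeny=[0-9]+\b\s+.*unlock_time=`), so a valid `pam_faillock.so preauth silent unlock_time=900 deny=5` line fails, and any `auth required pam_faillock.so` line that carries neither option (an `authsucc` entry, or a `preauth` line whose values live in `/etc/security/faillock.conf`) fails the whole check. Match each option independently with its own `grep -Pio`, and fall back to `faillock.conf` when the pam lines carry no `deny=`/`unlock_time=` options.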
--- a/scanners/access-and-control/1.31-ensure-password-expiration-is-365-days-or-less.sh +++ b/scanners/access-and-control/1.31-ensure-password-expiration-is-365-days-or-less.sh @@ -1,9 +1,8 @@ -result=false +loginPassMaxDaysVaule=$(grep -P "^\s*PASS_MAX_DAYS\s+[0-9]+\b" /etc/login.defs | awk '{ if ($2 <= 365) print $2;}') +userPassMaxDaysVaule=$(grep -P '^[^:]+:[^!*]' /etc/shadow | awk -F: '$5 == "" || $5 > 365 {print 1}') -grep -Eiq "^\s*PASS_MAX_DAYS\s+(36[0-5]|3[0-5][0-9]|[1-2][0-9][0-9]|[1-9][0-9]?)\s*(\s+#.*)?$" /etc/login.defs && grep -E '^[^:]+:[^!*]' /etc/shadow | cut -d: -f5 | grep -Eq "^(36[0-5]|3[0-5][0-9]|[1-2][0-9][0-9]|[1-9][0-9]?)\s*(\s+#.*)?$" && result=true - -if [[ $result == true ]]; then - echo "pass" +if [[ -n $loginPassMaxDaysVaule && -z $userPassMaxDaysVaule ]]; then + echo 'pass' else - echo "fail" -fi \ No newline at end of file + echo 'fail' +fi diff --git a/scanners/access-and-control/1.32-ensure-minimum-days-between-password-changes-is-7-or-more.sh b/scanners/access-and-control/1.32-ensure-minimum-days-between-password-changes-is-7-or-more.sh index 8daa8e1b7456c064f0f8a998fffa3757be726806..019a2355c3673c852a7f2069ab46a858ab02405d 100644 --- a/scanners/access-and-control/1.32-ensure-minimum-days-between-password-changes-is-7-or-more.sh +++ b/scanners/access-and-control/1.32-ensure-minimum-days-between-password-changes-is-7-or-more.sh 
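Review bot: `loginPassMaxDaysVaule` and `userPassMaxDaysVaule` in the 1.31 hunk misspell "Value" (the same misspelling recurs in the 1.32, 1.33 and 1.34 hunks); rename while the variables are new. Also `awk '{ if ($2 <= 365) print $2;}'` prints `0` for `PASS_MAX_DAYS 0`, which `-n` then treats as a pass, whereas the removed regex required a value of at least 1; use `$2 >= 1 && $2 <= 365`.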
@@ -1,11 +1,8 @@ -result_login_defs=false -result_shadow=false +loginPassMinDaysVaule=$(grep -P "^\s*PASS_MIN_DAYS\s+[0-9]+\b" /etc/login.defs | awk '{ if ($2 >= 7) print $2;}') +userPassMinDaysVaule=$(grep -P '^[^:]+:[^!*]' /etc/shadow | awk -F: '$4 == "" || $4 < 7 {print 1}') -grep -Piq "^\s*PASS_MIN_DAYS\s+([7-9]|[1-9][0-9]+)\s*(\s+#.*)?$" /etc/login.defs && result_login_defs=true -grep -Piq "^\S+:[^\!\*:]*:[^:]*:([0-6]|\-1):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*\s*$" /etc/shadow || result_shadow=true - -if [[ $result_login_defs == true && $result_shadow == true ]]; then - echo "pass" +if [[ -n $loginPassMinDaysVaule && -z $userPassMinDaysVaule ]]; then + echo 'pass' else - echo "fail" + echo 'fail' fi diff --git a/scanners/access-and-control/1.33-ensure-password-expiration-warning-days-is-7-or-more.sh b/scanners/access-and-control/1.33-ensure-password-expiration-warning-days-is-7-or-more.sh index 0581b9d2f8e645b43ddd801942087afc2b71f1bc..0acea60edc273b6c59da560b63c37bb17b4304de 100644 --- a/scanners/access-and-control/1.33-ensure-password-expiration-warning-days-is-7-or-more.sh +++ b/scanners/access-and-control/1.33-ensure-password-expiration-warning-days-is-7-or-more.sh @@ -1,11 +1,8 @@ -result_login_defs=false -result_shadow=false +loginPassWarnageVaule=$(grep -P "^\s*PASS_WARN_AGE\s+[0-9]+\b" /etc/login.defs | awk '{ if ($2 >= 7) print $2;}') +userPassWarnageVaule=$(grep -P '^[^:]+:[^!*]' /etc/shadow | awk -F: '$6 == "" || $6 < 7 {print 1}') -grep -Piq "^\s*PASS_WARN_AGE\s+([789]|[1-9][0-9]+)\s*(\s+#.*)?$" /etc/login.defs && result_login_defs=true -grep -Piq "^\S+:[^\!\*:]*:[^:]*:[^:]*:[^:]*:([0-6]|\-1):[^:]*:[^:]*:[^:]*\s*$" /etc/shadow || result_shadow=true - -if [[ $result_login_defs == true && $result_shadow == true ]]; then - echo "pass" +if [[ -n $loginPassWarnageVaule && -z $userPassWarnageVaule ]]; then + echo 'pass' else - echo "fail" + echo 'fail' fi 
diff --git a/scanners/access-and-control/1.34-ensure-inactive-password-lock-is-30-days-or-less.sh b/scanners/access-and-control/1.34-ensure-inactive-password-lock-is-30-days-or-less.sh index 911455e1bfe3069da5099e7831190c03eebcac59..0598ef6d19fe50ca992e048aa01f34a9bbc0bb2e 100644 --- a/scanners/access-and-control/1.34-ensure-inactive-password-lock-is-30-days-or-less.sh +++ b/scanners/access-and-control/1.34-ensure-inactive-password-lock-is-30-days-or-less.sh @@ -1,11 +1,8 @@ -result_useradd=false -result_shadow=false +inactiveVaule=$(grep -P "^\s*INACTIVE=[0-9]+\b" /etc/default/useradd | awk -F= '{ if ($2 <= 30) print $2;}') +userInactiveVaule=$(grep -P '^[^:]+:[^!*]' /etc/shadow | awk -F: '$7 == "" || $7 > 30 { print 1 }') -grep -Eiq "^\s*INACTIVE\s*=\s*(30|[1-2][0-9]|[1-9])\s*(\s+#.*)?$" /etc/default/useradd && result_useradd=true -grep -Eiq "^\S+:[^\!\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:([3-9][1-9].*):[^:]*:[^:]*\s*$" /etc/shadow || result_shadow=true - -if [[ $result_useradd == true && $result_shadow == true ]]; then - echo "pass" +if [[ -n $inactiveVaule && -z $userInactiveVaule ]]; then + echo 'pass' else - echo "fail" -fi \ No newline at end of file + echo 'fail' +fi diff --git a/scanners/access-and-control/1.37-ensure-default-user-shell-timeout-is-900-seconds-or-less.sh b/scanners/access-and-control/1.37-ensure-default-user-shell-timeout-is-900-seconds-or-less.sh index 189d2501cfe3520243e7929b55ea5bdc66298db8..f51d16af53dd866af1f7e29b4d89564f75390825 100644 --- a/scanners/access-and-control/1.37-ensure-default-user-shell-timeout-is-900-seconds-or-less.sh +++ b/scanners/access-and-control/1.37-ensure-default-user-shell-timeout-is-900-seconds-or-less.sh 
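Review bot: the 1.34 hunk's `^\s*INACTIVE=[0-9]+\b` no longer tolerates whitespace around `=` (the removed pattern used `\s*=\s*`), so `INACTIVE = 30` is read as unset and the host fails; keep `\s*=\s*` and strip the spaces before the `awk` comparison. As in 1.31, `$2 <= 30` also accepts `INACTIVE=0`, which the removed `(30|[1-2][0-9]|[1-9])` excluded.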
@@ -2,7 +2,7 @@ result=true [ -f /etc/bashrc ] && BRC="/etc/bashrc" for f in "$BRC" /etc/profile /etc/profile.d/*.sh ; do - val_TMOUT=$(grep -vP "^#.*" $f | grep -Pio "TMOUT=[0-9]+" | tail -1 | cut -d"=" -f 2) + val_TMOUT=$(grep -vP "^#.*" $f | grep -Pio "\bTMOUT=[0-9]+\b" | tail -1 | cut -d"=" -f 2) [[ -n $val_TMOUT ]] && ex_TMOUT=true if [[ -n $val_TMOUT ]] && [[ $val_TMOUT == 0 || $val_TMOUT -gt 900 ]] ; then result=false @@ -11,8 +11,8 @@ for f in "$BRC" /etc/profile /etc/profile.d/*.sh ; do fi done -if [[ $ex_TMOUT == true && $result == true ]]; then +if [[ $ex_TMOUT == "true" && $result == "true" ]]; then echo "pass" else echo "fail" -fi \ No newline at end of file +fi diff --git a/scanners/access-and-control/1.38-ensure-default-group-for-the-root-account-is-gid-0.sh b/scanners/access-and-control/1.38-ensure-default-group-for-the-root-account-is-gid-0.sh index cbfb0e354b261bd4d0bb6e729c1b941e612127ae..4f9bb38f47c24e6a7f32ca7be64cfa64888bcc63 100644 --- a/scanners/access-and-control/1.38-ensure-default-group-for-the-root-account-is-gid-0.sh +++ b/scanners/access-and-control/1.38-ensure-default-group-for-the-root-account-is-gid-0.sh @@ -2,7 +2,7 @@ result=false grep "^root:" /etc/passwd | cut -f4 -d: | grep -q 0 && result=true -if [[ $result == true ]]; then +if [[ $result == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh b/scanners/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh index 79b5731850bd635f94d23d6d996fdf089800944c..9db8477dfe709ce5fda385e95c885b8cc26fc604 100644 --- a/scanners/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh +++ b/scanners/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh 
@@ -2,7 +2,7 @@ result=false stat -c "%a-%U-%G" /etc/cron.daily | grep -Pq '^[0-7][0][0]\-root\-root$' && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/access-and-control/1.40-ensure-access-to-the-su-command-is-restricted.sh b/scanners/access-and-control/1.40-ensure-access-to-the-su-command-is-restricted.sh index 701f97a522a59a52609c1977595499541ab7eb59..7b557779bf434dc550c6321586a974b1cc0fb1b0 100644 --- a/scanners/access-and-control/1.40-ensure-access-to-the-su-command-is-restricted.sh +++ b/scanners/access-and-control/1.40-ensure-access-to-the-su-command-is-restricted.sh @@ -2,7 +2,7 @@ result=false grep -Eiq "^\s*auth\s+required\s+pam_wheel.so(\s+\S+)*\s+use_uid(\s+\S+)*\s*(\s+#.*)?$" /etc/pam.d/su && grep -Eiq "^wheel:x:10:" /etc/group && result=true -if [[ $result == true ]]; then +if [[ $result == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/access-and-control/1.41-ensure-ssh-server-use-protocol_2.sh b/scanners/access-and-control/1.41-ensure-ssh-server-use-protocol_2.sh index 8d72427d7e32c590ed5e94aca8ea092a587620ed..b10a2622a36c80f8cca6e92641eda0644915a547 100755 --- a/scanners/access-and-control/1.41-ensure-ssh-server-use-protocol_2.sh +++ b/scanners/access-and-control/1.41-ensure-ssh-server-use-protocol_2.sh @@ -1,15 +1,11 @@ -#!/bin/bash +result=false -PROTOCOL=`grep -R "^Protocol" /etc/ssh/sshd_config` +protocol_value=$(grep -Pim1 "^Protocol\s+" /etc/ssh/sshd_config | awk '{print $2}') -grep -R "^Protocol" /etc/ssh/sshd_config >/dev/null +[[ $protocol_value -eq 2 ]] && result=true -if [ $? == 0 ];then #0 have - if [[ $PROTOCOL =~ "2" ]];then - echo "pass" - else - echo "fail" - fi +if [[ "$result" == "true" ]]; then + echo "pass" else echo "fail" -fi +fi \ No newline at end of file 
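Review bot: the 1.41 Protocol hunk fails every host running a current OpenSSH: server-side SSH-1 support was removed in OpenSSH 7.4 and later releases treat the `Protocol` keyword as deprecated, so `sshd_config` normally has no `Protocol` line, `protocol_value` is empty, `[[ '' -eq 2 ]]` is false and the script prints `fail`. Treat an absent `Protocol` line as pass, and guard against `Protocol 2,1`, where `[[ "2,1" -eq 2 ]]` raises an arithmetic error instead of failing cleanly. The hunk also strips the trailing newline (`\ No newline at end of file`) that the rest of this patch is adding elsewhere.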
diff --git a/scanners/access-and-control/1.42-ensure-that-the-password-expires-between-30-and-90-days.sh b/scanners/access-and-control/1.42-ensure-that-the-password-expires-between-30-and-90-days.sh index bdee637b88b7b72dae6521a1f8d9ea1e89675e54..f174ae83c75c69a11516b2db34c07ded686f6c60 100644 --- a/scanners/access-and-control/1.42-ensure-that-the-password-expires-between-30-and-90-days.sh +++ b/scanners/access-and-control/1.42-ensure-that-the-password-expires-between-30-and-90-days.sh @@ -1,16 +1,16 @@ val_Pass_Max_Days=99999 result_Pass_Max_Days_User=true -val_Pass_Max_Days=`grep -Ei "^\s*PASS_MAX_DAYS\s" /etc/login.defs | cut -f2` +val_Pass_Max_Days=`grep -Ei "^\s*\bPASS_MAX_DAYS\b\s" /etc/login.defs | cut -f2` result_Pass_Max_Days=`echo "$val_Pass_Max_Days >=30 && $val_Pass_Max_Days <= 90" | bc` result_Pass_Max_Days_User=true for i in `grep -E '^[^:]+:[^!*]' /etc/shadow | cut -d: -f5`; do - if [[ i -lt 30 ]] || [[ i -gt 90 ]] ; then + if [[ $i -lt 30 ]] || [[ $i -gt 90 ]] ; then result_Pass_Max_Days_User=false fi done -if [[ $result_Pass_Max_Days -eq 1 && $result_Pass_Max_Days_User == true ]]; then +if [[ $result_Pass_Max_Days -eq 1 && $result_Pass_Max_Days_User == "true" ]]; then echo 'pass' else echo 'fail' diff --git a/scanners/access-and-control/1.43-ensure-that-the-minimum-password-change-between-7-and-14-days.sh b/scanners/access-and-control/1.43-ensure-that-the-minimum-password-change-between-7-and-14-days.sh index 0a9bcf0da54c3a8de3a0ec24df46825ee72d1d14..b7f93ddcf07c5e5c036d787d30a9f412b0fa0ae9 100644 --- a/scanners/access-and-control/1.43-ensure-that-the-minimum-password-change-between-7-and-14-days.sh +++ b/scanners/access-and-control/1.43-ensure-that-the-minimum-password-change-between-7-and-14-days.sh 
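Review bot: adding `$` to `$i` in the 1.42 hunk is right, but the surrounding lines still pipe an empty `val_Pass_Max_Days` into `bc` when `PASS_MAX_DAYS` is absent or separated by spaces rather than a tab (`cut -f2` splits only on tabs), which yields a `bc` syntax error and an empty `result_Pass_Max_Days`; while touching this file, read the value with `awk '{print $2}'` and default it before the `bc` expression. The 1.43 hunk has the same shape.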
@@ -1,16 +1,16 @@ val_Pass_Min_Days=0 result_Pass_Min_Days_User=true -val_Pass_Min_Days=`grep -Ei "^\s*PASS_Min_DAYS\s" /etc/login.defs | cut -f2` +val_Pass_Min_Days=`grep -Ei "^\s*\bPASS_Min_DAYS\b\s" /etc/login.defs | cut -f2` result_Pass_Min_Days=`echo "$val_Pass_Min_Days >=7 && $val_Pass_Min_Days <= 14" | bc` result_Pass_Min_Days_User=true for i in `grep -E ^[^:]+:[^\!*] /etc/shadow | cut -d: -f4`; do - if [[ i -lt 7 ]] || [[ i -gt 14 ]] ; then + if [[ $i -lt 7 ]] || [[ $i -gt 14 ]] ; then result_Pass_Min_Days_User=false fi done -if [[ $result_Pass_Min_Days -eq 1 && $result_Pass_Min_Days_User == true ]]; then +if [[ $result_Pass_Min_Days -eq 1 && $result_Pass_Min_Days_User == "true" ]]; then echo 'pass' else echo 'fail' diff --git a/scanners/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh b/scanners/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh index c4aaff338d60b50a08207b6f09a90ea07bce6988..2f69a055c6118a27a4b249286c8508179c50f947 100644 --- a/scanners/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh +++ b/scanners/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh 
@@ -4,18 +4,18 @@ result_Deny=true result_Unlock_Time=true for i in `grep -E '^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+' /etc/pam.d/password-auth /etc/pam.d/system-auth | grep -Eio "deny=[0-9]+" | cut -d"=" -f 2`; do - if [[ i -lt 3 ]] || [[ i -gt 8 ]] ; then + if [[ $i -lt 3 ]] || [[ $i -gt 8 ]] ; then result_Deny=false fi done for i in `grep -E '^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+' /etc/pam.d/password-auth /etc/pam.d/system-auth | grep -Eio "unlock_time=[0-9]+" | cut -d"=" -f 2`; do - if [[ i -lt 600 ]] || [[ i -gt 1800 ]] ; then + if [[ $i -lt 600 ]] || [[ $i -gt 1800 ]] ; then result_Unlock_Time=false fi done -if [[ -n $result_File_Password && -n $result_File_System && $result_Deny == true && $result_Unlock_Time == true ]]; then +if [[ -n $result_File_Password && -n $result_File_System && $result_Deny == "true" && $result_Unlock_Time == "true" ]]; then echo 'pass' else echo 'fail' diff --git a/scanners/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.sh b/scanners/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.sh index fce7aade7230f33130b0f4cf70d121ce15650f98..83d9899a4bef6dd10c18cd49760f7c3e9719e4e8 100644 --- a/scanners/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.sh +++ b/scanners/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.sh @@ -2,7 +2,7 @@ result=true [ -f /etc/bashrc ] && BRC="/etc/bashrc" for f in "$BRC" /etc/profile /etc/profile.d/*.sh ; do - val_TMOUT=$(grep -vP "^#.*" $f | grep -Pio "TMOUT=[0-9]+" | tail -1 | cut -d"=" -f 2) + val_TMOUT=$(grep -vP "^#.*" $f | grep -Pio "\bTMOUT=[0-9]+\b" | tail -1 | cut -d"=" -f 2) [[ -n $val_TMOUT ]] && ex_TMOUT=true if [[ -n $val_TMOUT ]] && [[ $val_TMOUT -lt 600 || $val_TMOUT -gt 1800 ]] ; then result=false 
@@ -11,7 +11,7 @@ for f in "$BRC" /etc/profile /etc/profile.d/*.sh ; do fi done -if [[ $ex_TMOUT == true && $result == true ]]; then +if [[ $ex_TMOUT == "true" && $result == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh b/scanners/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh index 6209ca7fb6cbf3cb79849c8fcc3ba66417f23c6a..ac88a2612939da42aad36f40f46ee445976d4087 100644 --- a/scanners/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh +++ b/scanners/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh @@ -1,9 +1,5 @@ -result=false +loadedSystemConfig=$(sshd -T | grep -Pi '^\s*maxauthtries\b' | awk '{ if ($2 > 5 || $2 < 3) print 1; else print 0 }') +configFileSettings=$(grep -Pim1 '^\s*maxauthtries\s+' /etc/ssh/sshd_config | awk '{ if ($2 > 5 || $2 < 3) print 1; else print 0 }') -sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Eiq ^maxauthtries\\s+[3-5]$ && grep -Eiq '^\s*maxauthtries\s+[3-5]$' /etc/ssh/sshd_config && result=true - -if [ "$result" = true ]; then - echo "pass" -else - echo "fail" -fi \ No newline at end of file +[[ $loadedSystemConfig -ne 0 ]] && echo 'fail' && exit 1 +[[ $configFileSettings -eq 0 && $loadedSystemConfig -eq 0 ]] && echo 'pass' || echo 'fail' diff --git a/scanners/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.sh b/scanners/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.sh index d5adb05986ac620b5bbc99b9dea1776a2b57e960..3b3b272973757a7b8f3bbb49c11942c2d744fefb 100644 --- a/scanners/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.sh +++ b/scanners/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.sh 
@@ -1,8 +1,23 @@ +export LANG="en_US.UTF-8" +shutdownCheck=$(grep -P "^shutdown\b" /etc/shadow) +haltCheck=$(grep -P "^halt\b" /etc/shadow) result=false -passwd -S shutdown | grep -Eq "shutdown\s+LK" && passwd -S halt | grep -Eq "halt\s+LK" && result=true +if [[ $shutdownCheck ]]; then + passwd -S shutdown | grep -Pq "^shutdown\s+LK" + result="shutdownpass" +else + result="shutdownpass" +fi + +if [[ $haltCheck ]]; then + passwd -S halt | grep -Pq "^halt\s+LK" + result="${result}haltpass" +else + result="${result}haltpass" +fi -if [ "$result" = true ]; then +if [[ "$result" == "shutdownpasshaltpass" ]]; then echo "pass" else echo "fail" diff --git a/scanners/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh b/scanners/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh index 7719f2f1509927d7150f40a7bef56defe3c1bdb1..0648967e750cd6f7241392f428eedf38641d6cc3 100644 --- a/scanners/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh +++ b/scanners/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh @@ -2,7 +2,7 @@ result=false stat -c "%a-%U-%G" /etc/cron.weekly | grep -Pq '^[0-7][0][0]\-root\-root$' && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh b/scanners/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh index a05410c77b69298cda3dce43eef02ef623a5b930..85f8e6ac5f86a7fb61166577b0c22793e96345f4 100644 --- a/scanners/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh +++ b/scanners/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh 
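Review bot: the 1.49 shutdown/halt hunk can no longer fail: `passwd -S shutdown | grep -Pq "^shutdown\s+LK"` runs but its exit status is discarded, and both branches of each `if` assign the same token, so `result` is always `shutdownpasshaltpass` and the script prints `pass` even when the accounts are unlocked. Append the token only when the grep succeeds (`passwd -S shutdown | grep -Pq "^shutdown\s+LK" && result="shutdownpass"`), or keep the original `&&` chain and add only the existence guard. Exporting `LANG` so that `passwd -S` prints `LK` in English is a sound addition.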
@@ -1,9 +1,5 @@ -result=false +loadedSystemConfig=$(sshd -T | grep -Pi "^x11forwarding\s+no$") +configFileSettings=$(grep -Pim1 '^\s*x11forwarding\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*x11forwarding\s+no\b') -sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -qi x11forwarding && grep -Eqi '^\s*x11forwarding\s+no' /etc/ssh/sshd_config && result=true - -if [ "$result" = true ]; then - echo "pass" -else - echo "fail" -fi +[[ -z $loadedSystemConfig ]] && echo 'fail' && exit 1 +[[ -z $configFileSettings && -n $loadedSystemConfig ]] && echo 'pass' || echo 'fail' diff --git a/scanners/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh b/scanners/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh index bd23f6e4a43d8d5771db9ef4cbe2b7895f0c24ad..8a98570717284678f12962594c0b8b3569539a3d 100644 --- a/scanners/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh +++ b/scanners/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh @@ -1,9 +1,9 @@ result=false -modprobe -n -v udf | grep -q "^install" && test -z "$(lsmod | grep -e udf)" && grep -E -q "^blacklist[[:blank:]]*udf" /etc/modprobe.d/* && result=true +modprobe -n -v udf | grep -Pq "^install\s+\/bin/false\b" && test -z "$(lsmod | grep -P "^udf\b")" && grep -Pq "^blacklist\s*udf\b" /etc/modprobe.d/* && result=true -if [ "$result" == true ]; then - echo "pass" +if [[ "$result" == "true" ]]; then + echo "pass" else - echo "fail" + echo "fail" fi diff --git a/scanners/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh b/scanners/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh index 0b6e13e72dd91ed7f8d652345b62baba7024ba61..02544269ec2872c464eceb02d9d97cfd00ab373c 100644 --- a/scanners/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh 
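Review bot: the 1.51 udf hunk tightens `^install` to `^install\s+\/bin/false\b`, so the equally effective `install udf /bin/true` now fails; accept `/bin/(true|false)`. `^blacklist\s*udf\b` uses `\s*`, which would also match a line reading `blacklistudf`; use `\s+`. Both points apply to the 1.52 cramfs and 1.53 squashfs hunks as well.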
+++ b/scanners/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh @@ -1,9 +1,9 @@ result=false -modprobe -n -v cramfs | grep -q "^install" && test -z "$(lsmod | grep -e cramfs)" && grep -E -q "^blacklist[[:blank:]]*cramfs" /etc/modprobe.d/* && result=true +modprobe -n -v cramfs | grep -Pq "^install\s+\/bin/false\b" && test -z "$(lsmod | grep -P "^cramfs\b")" && grep -Pq "^blacklist\b\s*cramfs\b" /etc/modprobe.d/* && result=true -if [ "$result" == true ]; then - echo "pass" +if [[ "$result" == "true" ]]; then + echo "pass" else - echo "fail" + echo "fail" fi \ No newline at end of file diff --git a/scanners/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh b/scanners/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh index 1f2d07f706508a7f325537da75d0075414e3c654..06f19b6a102393364a10962429e70173a2ad338b 100644 --- a/scanners/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh +++ b/scanners/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh @@ -1,6 +1,6 @@ result=false -echo $(modprobe -n -v squashfs) | grep -Psq "^install\s+\/bin\/false$" && test -z "$(lsmod | grep -e squashfs)" && grep -E -q "^blacklist\s+squashfs" /etc/modprobe.d/* && result=true -if [ "$result" = true ]; then +echo $(modprobe -n -v squashfs) | grep -Psq "^install\s+\/bin/false\b" && test -z "$(lsmod | grep -P "^squashfs\b")" && grep -Pq "^blacklist\s+squashfs\b" /etc/modprobe.d/* && result=true +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/access-and-control/1.54-lock-the-bin-and-adm-users.sh b/scanners/access-and-control/1.54-lock-the-bin-and-adm-users.sh index 71fc6e06c60644bcc70628d02fcd78a396a61ea1..0b37fde39765feeae5d81009b2ba43ed548efc21 100644 --- a/scanners/access-and-control/1.54-lock-the-bin-and-adm-users.sh +++ b/scanners/access-and-control/1.54-lock-the-bin-and-adm-users.sh 
@@ -1,8 +1,15 @@ +export LANG="en_US.UTF-8" +shutdownCheck=$(grep -P "^bin\b" /etc/shadow) result=false -passwd -S bin | grep -Eq "bin\s+LK" && passwd -S adm | grep -Eq "adm\s+LK" && result=true +if [[ $shutdownCheck ]]; then + passwd -S bin | grep -Pq "\bbin\b\s+LK" + result="true" +else + result="true" +fi -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh b/scanners/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh index 9015c1ddd88177b6d9932018377917aa1e3d9009..e3faeef90c43860156b581cae5931e270c021792 100644 --- a/scanners/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh +++ b/scanners/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh @@ -2,7 +2,7 @@ result=false stat -c "%a-%U-%G" /etc/cron.monthly | grep -Pq '^[0-7][0][0]\-root\-root$' && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh b/scanners/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh index e04716e4079b0ebb34e35e501969bff1521832ce..dd2a6c9f04a9fc9685ba1bccdc352cb3eb0c8150 100644 --- a/scanners/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh +++ b/scanners/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh @@ -2,7 +2,7 @@ result=false stat -c "%a-%U-%G" /etc/cron.d | grep -Pq '^[0-7][0][0]\-root\-root$' && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" 
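Review bot: the 1.54 hunk drops the `adm` check entirely (the script is named lock-the-bin-and-adm-users and the removed line checked both accounts) and, like 1.49, ignores the grep's exit status: both branches set `result="true"`, so the scanner always prints `pass`. The guard variable is also named `shutdownCheck`, copied from 1.49; call it `binCheck`, add a matching `admCheck`, and set `result` only when `passwd -S bin | grep -Pq "^bin\s+LK"` (and the `adm` equivalent) succeed for the accounts that exist.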
diff --git a/scanners/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh b/scanners/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh index da68eef966a6ced7bf00d585dfe7317e6476ae24..1b70bfc453e468efc14de96596d2e3eba4f3c931 100644 --- a/scanners/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh +++ b/scanners/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh @@ -3,18 +3,18 @@ result_at_deny=false result_cron_allow=false result_at_allow=false -[ -e /etc/cron.deny ] || result_cron_deny=true -[ -e /etc/at.deny ] || result_at_deny=true +[[ -e /etc/cron.deny ]] || result_cron_deny=true +[[ -e /etc/at.deny ]] || result_at_deny=true -if [ -e /etc/cron.allow ] ; then +if [[ -e /etc/cron.allow ]] ; then stat -c "%a-%U-%G" /etc/cron.allow | grep -Pq '^[0-6][0][0]\-root\-root$' && result_cron_allow=true fi -if [ -e /etc/at.allow ] ; then +if [[ -e /etc/at.allow ]] ; then stat -c "%a-%U-%G" /etc/at.allow | grep -Pq '^[0-6][0][0]\-root\-root$' && result_at_allow=true fi -if [[ "$result_cron_deny" == true && "$result_at_deny" == true && "$result_cron_allow" == true && "$result_at_allow" == true ]] ; then +if [[ "$result_cron_deny" == "true" && "$result_at_deny" == "true" && "$result_cron_allow" == "true" && "$result_at_allow" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh b/scanners/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh index 951aaf1aad7e13a217c9e96d3e438e87cca023cc..f36559d116e8fd40764a09d9de125a8834879666 100644 --- a/scanners/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh +++ b/scanners/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh 
@@ -2,7 +2,7 @@ result=false stat -c "%a-%U-%G" /etc/ssh/sshd_config | grep -Pq '^[0-7][0][0]\-root\-root$' && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/logging-and-auditing/2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.sh b/scanners/logging-and-auditing/2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.sh index d0d33c392c1aabd6a7bceba2bfa24c7bca1dce68..9d01c4e4f6b2ba58cddf9f93d162f1efb11584ca 100644 --- a/scanners/logging-and-auditing/2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.sh +++ b/scanners/logging-and-auditing/2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.sh @@ -3,9 +3,9 @@ result=false log_path=$(dirname "$(awk -F = '/^\s*log_file\s*=\s*\S+/ {print $2}' /etc/audit/auditd.conf)") output="$(find $log_path -maxdepth 1 -type f \( ! -perm 600 -a ! -perm 0400 -a ! -perm 0200 -a ! -perm 0000 \))" -[ -z "$output" ] && result=true +[[ -z "$output" ]] && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/logging-and-auditing/2.10-ensure-audit-tools-are-group-owned-by-root.sh b/scanners/logging-and-auditing/2.10-ensure-audit-tools-are-group-owned-by-root.sh index a4502fc2b0c6e8a32732b46d365f398a0ac0a886..685e5c782c61bdedbd9a3b2b5a51958e8d925e37 100644 --- a/scanners/logging-and-auditing/2.10-ensure-audit-tools-are-group-owned-by-root.sh +++ b/scanners/logging-and-auditing/2.10-ensure-audit-tools-are-group-owned-by-root.sh 
@@ -1,19 +1,7 @@ -result_auditctl=false -result_aureport=false -result_ausearch=false -result_autrace=false -result_auditd=false -result_augenrules=false +result=0 +for i in $(stat -c "%G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules) +do + echo $i | grep -Eq '^root$' && ((result++)) +done -stat -c "%G" /sbin/auditctl | grep -Eq 'root' && result_auditctl=true -stat -c "%G" /sbin/aureport | grep -Eq 'root' && result_aureport=true -stat -c "%G" /sbin/ausearch | grep -Eq 'root' && result_ausearch=true -stat -c "%G" /sbin/autrace | grep -Eq 'root' && result_autrace=true -stat -c "%G" /sbin/auditd | grep -Eq 'root' && result_auditd=true -stat -c "%G" /sbin/augenrules | grep -Eq 'root' && result_augenrules=true - -if [ "$result_auditctl" = true ] && [ "$result_aureport" = true ] && [ "$result_ausearch" = true ] && [ "$result_autrace" = true ] && [ "$result_auditd" = true ] && [ "$result_augenrules" = true ]; then - echo "pass" -else - echo "fail" -fi \ No newline at end of file +[[ $result -eq 6 ]] && echo 'pass' || echo 'fail' \ No newline at end of file diff --git a/scanners/logging-and-auditing/2.11-ensure-cryptographic-mechanisms-are-used-to-protect-the-integrity-of-audit-tools.sh b/scanners/logging-and-auditing/2.11-ensure-cryptographic-mechanisms-are-used-to-protect-the-integrity-of-audit-tools.sh index 533a5d15a1acf30c527a02bbc0d1e608e7b1a001..451fb7b2aa0fc5969b237c495bd0e1e887598750 100644 --- a/scanners/logging-and-auditing/2.11-ensure-cryptographic-mechanisms-are-used-to-protect-the-integrity-of-audit-tools.sh +++ b/scanners/logging-and-auditing/2.11-ensure-cryptographic-mechanisms-are-used-to-protect-the-integrity-of-audit-tools.sh 
@@ -1,13 +1,14 @@ -result=false - -if [ -a /etc/aide/aide.conf ]; then - cat /etc/aide/aide.conf | grep -Pq ^\/sbin\/auditctl\\s\+p\\+i\\+n\\+u\\+g\\+s\\+b\\+acl\\+xattrs\\+sha512 && cat /etc/aide/aide.conf | grep -Pq ^\/sbin\/auditd\\s\+p\\+i\\+n\\+u\\+g\\+s\\+b\\+acl\\+xattrs\\+sha512 && cat /etc/aide/aide.conf | grep -Pq ^\/sbin\/ausearch\\s\+p\\+i\\+n\\+u\\+g\\+s\\+b\\+acl\\+xattrs\\+sha512 && cat /etc/aide/aide.conf | grep -Pq ^\/sbin\/aureport\\s\+p\\+i\\+n\\+u\\+g\\+s\\+b\\+acl\\+xattrs\\+sha512 && cat /etc/aide/aide.conf | grep -Pq ^\/sbin\/autrace\\s\+p\\+i\\+n\\+u\\+g\\+s\\+b\\+acl\\+xattrs\\+sha512 && cat /etc/aide/aide.conf | grep -Pq ^\/sbin\/augenrules\\s\+p\\+i\\+n\\+u\\+g\\+s\\+b\\+acl\\+xattrs\\+sha512 && result=true - - if [[ $result == true ]]; then - echo "pass" - else - echo "fail" - fi +if [[ -e /etc/aide/aide.conf ]]; then + checkContent="p\+i\+n\+u\+g\+s\+b\+acl\+xattrs\+sha512\b$" + lineNumber=$(grep -Ecs -e "^/sbin/auditctl\s+$checkContent" \ + -e "^/sbin/auditd\s+$checkContent" \ + -e "^/sbin/ausearch\s+$checkContent" \ + -e "^/sbin/aureport\s+$checkContent" \ + -e "^/sbin/autrace\s+$checkContent" \ + -e "^/sbin/augenrules\s+$checkContent" \ + /etc/aide/aide.conf) + [[ -n $lineNumber && $lineNumber -eq 6 ]] && echo 'pass' || echo 'fail' else - echo "fail" -fi \ No newline at end of file + echo 'fail' + exit 1 +fi diff --git a/scanners/logging-and-auditing/2.12-ensure-rsyslog-is-installed.sh b/scanners/logging-and-auditing/2.12-ensure-rsyslog-is-installed.sh index 9af10f6bb7527bc63c1aeb5e9cf8b0bfaf3ec404..fae435ed294d336b3c45bf5472784f2f01a3fef5 100644 --- a/scanners/logging-and-auditing/2.12-ensure-rsyslog-is-installed.sh +++ b/scanners/logging-and-auditing/2.12-ensure-rsyslog-is-installed.sh @@ -1,5 +1 @@ -if [ "$(rpm -qa rsyslog)" ]; then - echo "pass" -else - echo "fail" -fi \ No newline at end of file +rpm -q rsyslog >/dev/null 2>&1 && echo 'pass' || echo 'fail' \ No newline at end of file 
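Review bot: in the 2.10 hunk, a missing tool is only caught indirectly: `stat` prints an error to stderr for each absent path and the loop simply counts fewer `root` lines, so the operator sees `stat: cannot stat` noise before the verdict and no indication of which tool failed. Redirect stderr (`2>/dev/null`) or test `-e` per path, and consider reporting the offending tool on failure. The rewritten file still ends without a trailing newline.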
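Review bot: in the 2.11 hunk, `grep -Ec` with six `-e` patterns counts matching lines, not distinct patterns, so an `aide.conf` that lists one tool twice and omits another still reaches 6 and passes. Count each pattern separately (one `grep -Ecs` per path) or deduplicate on the path field before counting, and name the variable for what it holds (`matchCount` rather than `lineNumber`). The exit codes are also asymmetric: a missing `aide.conf` exits 1, but a present file that fails the content check exits 0 after printing `fail`; pick one convention for failure.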
diff --git a/scanners/logging-and-auditing/2.13-ensure-rsyslog-service-is-enabled.sh b/scanners/logging-and-auditing/2.13-ensure-rsyslog-service-is-enabled.sh index 76398943e30e734042f8a523311a8f556d7dd339..72814464d912331fbf072a64f49fb3ba17d203c7 100644 --- a/scanners/logging-and-auditing/2.13-ensure-rsyslog-service-is-enabled.sh +++ b/scanners/logging-and-auditing/2.13-ensure-rsyslog-service-is-enabled.sh @@ -1,6 +1,6 @@ -if [ "$(rpm -qa rsyslog)" ]; then +if rpm -q rsyslog >/dev/null 2>&1 ; then result=$(systemctl is-enabled rsyslog) - if [ $result = enabled ]; then + if [[ $result == "enabled" ]]; then echo "pass" else echo "fail" diff --git a/scanners/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh b/scanners/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh index b70ed6cb33459bfa0ab129f28bb0596b928eff66..adeaa1cd48e71908582c4b1ca49bd9d20d16b424 100644 --- a/scanners/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh +++ b/scanners/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh @@ -1,18 +1,15 @@ -#!/usr/bin/env bash -result=0 +value=$(grep -P "^\s*\\\$FileCreateMode\s+[0-9]{4}\s*$" /etc/rsyslog.conf /etc/rsyslog.d/*.conf | grep -o [0-9]*) -for p in `find /etc/rsyslog.conf ; find /etc/rsyslog.d/ -name *.conf` ; do - [[ -f $p ]] && file_path=$file_path" ${p}" -done - -if [[ -n $file_path ]] && [[ -n $(sed -rn 's/^\$FileCreateMode\s*//gp' $file_path) ]]; then - for num in $(sed -rn 's/^\$FileCreateMode\s*//gp' $file_path); do - result=0 - echo $num | grep -Pq '[0][0-6][0-4][0]' && result=1 - [[ $result == 0 ]] && echo 'fail' && break +if [[ -n $value ]]; then + for i in $value ; do + if echo $i | grep -vsq [0][0-6][0-4][0] ; then + echo 'fail' + exit 1 + fi done else echo 'fail' + exit 1 fi -[[ $result == 1 ]] && echo 'pass' +echo 'pass' \ No newline at end of file 
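Review bot: in the 2.14 hunk, the rewrite breaks on the common case of more than one config file: `grep -P` with several files prefixes each match with `filename:`, so `grep -o [0-9]*` also extracts digits from a name such as `/etc/rsyslog.d/50-default.conf`, and the loop then fails on `50` even though the mode is `0640`. Add `-h` to the first grep (or extract with `grep -Po '\d{4}\s*$'`) and quote both glob-looking patterns (`'[0-9]*'`, `'[0][0-6][0-4][0]'`) so the shell cannot expand them against files in the working directory. The hunk also removes the `#!/usr/bin/env bash` shebang while keeping `[[ ]]`, which only works under bash.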
diff --git a/scanners/logging-and-auditing/2.15-ensure-rsyslog-is-configured-to-send-logs-to-a-remote-log-host.sh b/scanners/logging-and-auditing/2.15-ensure-rsyslog-is-configured-to-send-logs-to-a-remote-log-host.sh index a92de9823e550e4e165da9fb041c95c484655b12..c211841c2e8a8b1ad32f9eeeff852cc64c358c64 100644 --- a/scanners/logging-and-auditing/2.15-ensure-rsyslog-is-configured-to-send-logs-to-a-remote-log-host.sh +++ b/scanners/logging-and-auditing/2.15-ensure-rsyslog-is-configured-to-send-logs-to-a-remote-log-host.sh @@ -1,18 +1,9 @@ -result_rsyslog=false -result_rsyslog_d=false -conf_file_path=`find /etc/rsyslog.d/ -name *.conf` +result=false -if [[ -a /etc/rsyslog.conf && -a $conf_file_path ]]; then - grep -q "^*.*[^I][^I]*@" /etc/rsyslog.conf && result_rsyslog=true - grep -q "^*.*[^I][^I]*@" /etc/rsyslog.d/*.conf && result_rsyslog_d=true -elif [[ -a /etc/rsyslog.conf ]]; then - grep -q "^*.*[^I][^I]*@" /etc/rsyslog.conf && result_rsyslog=true -elif [[ -a $conf_file_path ]]; then - grep -q "^*.*[^I][^I]*@" /etc/rsyslog.d/*.conf && result_rsyslog_d=true -fi +grep -Psq "^\*\.\*\s*\@{1,2}.*" /etc/rsyslog.conf /etc/rsyslog.d/*.conf && result=true -if [[ $result_rsyslog == true || $result_rsyslog_d == true ]]; then +if [[ $result == "true" ]]; then echo "pass" else echo "fail" -fi \ No newline at end of file +fi diff --git a/scanners/logging-and-auditing/2.16-ensure-journald-is-configured-to-send-logs-to-rsyslog.sh b/scanners/logging-and-auditing/2.16-ensure-journald-is-configured-to-send-logs-to-rsyslog.sh index 220ba5510bb6167c5bbf7592039674957d8cfe15..84c7445fefa703d0cd03acc09b99e9b80b423a4f 100644 --- a/scanners/logging-and-auditing/2.16-ensure-journald-is-configured-to-send-logs-to-rsyslog.sh +++ b/scanners/logging-and-auditing/2.16-ensure-journald-is-configured-to-send-logs-to-rsyslog.sh 
@@ -1,8 +1,8 @@ result=false -if [[ -a /etc/systemd/journald.conf ]]; then - grep -qe ^\s*ForwardToSyslog /etc/systemd/journald.conf && result=true - if [[ $result == true ]]; then +if [[ -e /etc/systemd/journald.conf ]]; then + grep -Pq "^\s*ForwardToSyslog\=yes$" /etc/systemd/journald.conf && result=true + if [[ $result == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/logging-and-auditing/2.17-ensure-journald-is-configured-to-compress-large-log-files.sh b/scanners/logging-and-auditing/2.17-ensure-journald-is-configured-to-compress-large-log-files.sh index 821206e85a8fd9aa3df2b3112bace60b4a882f57..fde67760b6e44697a3a98db6653a35c1e095baf8 100644 --- a/scanners/logging-and-auditing/2.17-ensure-journald-is-configured-to-compress-large-log-files.sh +++ b/scanners/logging-and-auditing/2.17-ensure-journald-is-configured-to-compress-large-log-files.sh @@ -1,8 +1,8 @@ result=false -if [[ -a /etc/systemd/journald.conf ]]; then - grep -qe ^\s*Compress /etc/systemd/journald.conf && result=true - if [[ $result == true ]]; then +if [[ -e /etc/systemd/journald.conf ]]; then + grep -Pq "^\s*Compress\=yes$" /etc/systemd/journald.conf && result=true + if [[ $result == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/logging-and-auditing/2.18-ensure-journald-is-configured-to-write-logfiles-to-persistent-disk.sh b/scanners/logging-and-auditing/2.18-ensure-journald-is-configured-to-write-logfiles-to-persistent-disk.sh index ef080c1631f4ed3f886e848ac09445786e739a84..63f439968f50a601da131eec760b7f6742d81947 100644 --- a/scanners/logging-and-auditing/2.18-ensure-journald-is-configured-to-write-logfiles-to-persistent-disk.sh +++ b/scanners/logging-and-auditing/2.18-ensure-journald-is-configured-to-write-logfiles-to-persistent-disk.sh 
@@ -1,8 +1,8 @@ result=false -if [[ -a /etc/systemd/journald.conf ]]; then - grep -qe ^\s*Storage /etc/systemd/journald.conf && result=true - if [[ $result == true ]]; then +if [[ -e /etc/systemd/journald.conf ]]; then + grep -P "^Storage\=persistent$" /etc/systemd/journald.conf && result=true + if [[ $result == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/logging-and-auditing/2.19-ensure-audit-is-installed.sh b/scanners/logging-and-auditing/2.19-ensure-audit-is-installed.sh index 766b35c44f3e5d3bde84e1011c809fe86f91371f..dcd71daa59ad2d57cc02dc6da1b603c0e58b9e36 100644 --- a/scanners/logging-and-auditing/2.19-ensure-audit-is-installed.sh +++ b/scanners/logging-and-auditing/2.19-ensure-audit-is-installed.sh @@ -1,5 +1 @@ -if [ "$(rpm -qa audit)" ] && [ "$(rpm -qa audit-libs)" ]; then - echo "pass" -else - echo "fail" -fi +rpm -q audit >/dev/null 2>&1 && rpm -q audit-libs >/dev/null 2>&1 && echo 'pass' || echo 'fail' \ No newline at end of file diff --git a/scanners/logging-and-auditing/2.2-ensure-only-authorized-users-own-audit-log-files.sh b/scanners/logging-and-auditing/2.2-ensure-only-authorized-users-own-audit-log-files.sh index 2a405298392d31a16163a2733d68db8415d79a9c..0d051e7a7d95ed0f898e61f2b9aebd0a9e78f85c 100644 --- a/scanners/logging-and-auditing/2.2-ensure-only-authorized-users-own-audit-log-files.sh +++ b/scanners/logging-and-auditing/2.2-ensure-only-authorized-users-own-audit-log-files.sh @@ -3,9 +3,9 @@ result=false log_path=$(dirname "$(awk -F = '/^\s*log_file\s*=\s*\S+/ {print $2}' /etc/audit/auditd.conf)") output="$(find $log_path -maxdepth 1 -type f ! -user root)" -[ -z "$output" ] && result=true +[[ -z "$output" ]] && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" 
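Review bot: in the 2.15 hunk, the new pattern `^\*\.\*\s*\@{1,2}.*` is narrower than the benchmark's own audit expression it replaces (`^*.*[^I][^I]*@`): it accepts only a selector of exactly `*.*`, so `*.info @loghost`, a legacy `:omfwd:` action, or a RainerScript `action(type="omfwd" ...)` entry no longer counts as forwarding. Either keep the benchmark's pattern or widen the regex and document which forwarding syntaxes are accepted; the trailing `.*` is a no-op either way.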
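Review bot: in the 2.18 hunk, `grep -P "^Storage\=persistent$"` lost the `-q` that the 2.16 and 2.17 hunks keep, so the matching line is printed before `pass` and the script no longer emits only a verdict. Across all three journald hunks the new anchors are stricter than the file format: systemd trims whitespace around `=`, so `ForwardToSyslog = yes`, `Compress=yes ` (trailing blank) or an indented `Storage=persistent` are valid settings that fail these patterns; use `^\s*Key\s*=\s*value\s*$`. Drop-ins under `/etc/systemd/journald.conf.d/*.conf`, which override the main file, are not consulted at all.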
diff --git a/scanners/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh b/scanners/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh index e9e614d2238c48ab287e9a8c242e678d424a708e..7d1e1fe51bc4551348f09e36b9012bbd007ca48d 100644 --- a/scanners/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh +++ b/scanners/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh @@ -1,10 +1,10 @@ -if [ "$(rpm -qa audit audit-libs)" ]; then - result=$(systemctl is-enabled auditd ) - if [ $result = enabled ]; then +if rpm -q audit >/dev/null 2>&1 && rpm -q audit-libs >/dev/null 2>&1 ; then + result=$(systemctl is-enabled auditd) + if [[ $result == "enabled" ]]; then echo "pass" else echo "fail" fi else - echo "pass" + echo "fail" fi diff --git a/scanners/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh b/scanners/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh index 0e21b4f45a2c766542cebcef0c628991d69959bd..ea181cc982fd748a48688c9ae0fd46c7cfe2aeb6 100644 --- a/scanners/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh +++ b/scanners/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh 
@@ -1,22 +1,40 @@ -fileResult=false -curResult=false +#!/bin/bash -if [[ `arch` == 'aarch64' ]] && [[ `uname -m` == 'aarch64' ]] ; then -grep -Pq "\-a\salways\,exit\s\-F\sarch=b64\s\-S\sunlinkat\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/rules.d/*.rules /etc/audit/*.rules && grep -Pq "\-a\salways\,exit\s\-F\sarch=b32\s\-S\sunlink\s\-S\sunlinkat\s\-S\srename\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/rules.d/*.rules /etc/audit/*.rules && fileResult=true -else -grep -Pq "\-a\salways\,exit\s\-F\sarch=b64\s\-S\sunlink\s\-S\sunlinkat\s\-S\srename\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/rules.d/*.rules /etc/audit/*.rules && grep -Pq "\-a\salways\,exit\s\-F\sarch=b32\s\-S\sunlink\s\-S\sunlinkat\s\-S\srename\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/rules.d/*.rules /etc/audit/*.rules && fileResult=true -fi +result='true' +check_rule() { + if [[ $1 == "x86" ]]; then + checkRule="^(?=^\s*-a\s+always,exit)(?=.*-F\s+arch=$2)(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat)(?=.*-F\s+auid>=1000)(?=.*-F\s+auid!=-1)" + elif [[ $1 == "arm" ]]; then + checkRule="^(?=^\s*-a\s+always,exit)(?=.*-F\s+arch=$2)(?=.*unlinkat)(?=.*renameat)(?=.*-F\s+auid>=1000)(?=.*-F\s+auid!=-1)" + fi + check_audit $checkRule +} +check_audit() { + grep -Psq "$1" /etc/audit/rules.d/*.rules /etc/audit/*.rules && auditctl -l | grep -Pq "$1" + if [[ $? 
-ne 0 ]]; then + result='false' + fi +} -if [[ `arch` == 'aarch64' ]] && [[ `uname -m` == 'aarch64' ]] ; then -auditctl -l | grep -Pq "^\-a\s+always,exit\s+\-F\s+arch=b64\s+\-S\s+unlinkat,renameat\s+-F\s+auid>=1000\s+-F\s+auid!=-1\s+-F\s+key=delete" && auditctl -l | grep -Pq "^\-a\s+always,exit\s+\-F\s+arch=b32\s+\-S\s+unlink,rename,unlinkat,renameat\s+\-F\s+auid>=1000\s+\-F\s+auid!=-1\s+\-F\s+key=delete" && curResult=true +if [[ $(getconf LONG_BIT) -eq 64 && $(arch) =~ ^x86 ]]; then + for BIT in "b64" "b32"; do + check_rule "x86" "$BIT" + done +elif [[ $(getconf LONG_BIT) -eq 32 && $(arch) =~ ^x86 ]]; then + BIT='b32' + check_rule "x86" "$BIT" +elif [[ $(getconf LONG_BIT) -eq 64 && $(arch) =~ ^aarch ]]; then + for BIT in "b64" "b32"; do + check_rule "arm" "$BIT" + done +elif [[ $(getconf LONG_BIT) -eq 32 && $(arch) =~ ^aarch ]]; then + BIT='b32' + check_rule "arm" "$BIT" else -auditctl -l | grep -Pq "^\-a\s+always,exit\s+\-F\s+arch=b64\s+\-S\s+rename,unlink,unlinkat,renameat\s+\-F\s+auid>=1000\s+\-F\s+auid!=-1\s+\-F\s+key=delete" && auditctl -l | grep -Pq "^\-a\s+always,exit\s+\-F\s+arch=b32\s+\-S\s+unlink,rename,unlinkat,renameat\s+\-F\s+auid>=1000\s+\-F\s+auid!=-1\s+\-F\s+key=delete" && curResult=true + echo 'fail' + exit 1 fi -if [[ $fileResult = true && $curResult == true ]]; then - echo "pass" -else - echo "fail" -fi \ No newline at end of file +[[ $result == "true" ]] && echo 'pass' || echo 'fail' diff --git a/scanners/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh b/scanners/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh index b35203f85544a9dde8cab7a01f2bf32e8fcc3702..cdff2c59235800fff58094b7d112659b2c489a06 100644 --- a/scanners/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh +++ b/scanners/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh 
@@ -3,7 +3,7 @@ result=false grep -q "\-w /etc/sudoers -p wa -k scope -w /etc/sudoers.d/ -p wa -k scope" /etc/audit/rules.d/*.rules /etc/audit/*.rules && auditctl -l | grep -Pq "^\-w\s+\/etc\/sudoers\s+\-p\s+wa\s+\-k\s+scope" && auditctl -l | grep -Pq "^\-w\s+\/etc\/sudoers.d\s+\-p\s+wa\s+\-k\s+scope" && result=true -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh b/scanners/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh index 7aa077fbb6e074e8eb6101a9b4ab7a07b61d2535..fcbd3e8d99d843c4790c4baf489605173ba333ea 100644 --- a/scanners/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh +++ b/scanners/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh @@ -1,17 +1,15 @@ -result=false +result=true -grep -q "\-w /etc/group -p wa -k identity --w /etc/passwd -p wa -k identity --w /etc/gshadow -p wa -k identity --w /etc/shadow -p wa -k identity --w /etc/security/opasswd -p wa -k identity" /etc/audit/rules.d/*.rules /etc/audit/*.rules && auditctl -l | grep -q "\-w /etc/group -p wa -k identity --w /etc/passwd -p wa -k identity --w /etc/gshadow -p wa -k identity --w /etc/shadow -p wa -k identity --w /etc/security/opasswd -p wa -k identity" && result=true +checkFile=$(echo "/etc/group" "/etc/passwd" "/etc/gshadow" "/etc/shadow " "/etc/security/opasswd") -if [ "$result" = true ]; then +for f in $checkFile ; do + checkRule="^\s*-w\s+${f}\s+-p\s+wa\s+-k\s+.*$" + grep -Pq $checkRule /etc/audit/rules.d/*.rules /etc/audit/*.rules && auditctl -l | grep -Pq $checkRule + [[ $? -ne 0 ]] && result=false +done + +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" -fi \ No newline at end of file +fi 
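Review bot: in the 2.20 hunk the else branch flips from `pass` to `fail` when the audit packages are absent. That is the right call (a service that is not installed cannot be enabled, and 2.19 already fails on the same condition), but it changes the verdict on existing hosts, so it should be called out in the commit message rather than buried in a `[[` cleanup.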
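Review bot: in the 2.21 hunk, one lookahead regex is now applied both to the rules files and to `auditctl -l`, but the two sources spell the rule differently. The loaded rule shows `-F auid!=-1`, whereas rules files are normally written with `auid!=unset` or `auid!=4294967295` (the removed file-side pattern matched `4294967295`), so a compliant file fails `(?=.*-F\s+auid!=-1)`; accept all three spellings, e.g. `auid!=(-1|unset|4294967295)`. The lookaheads `(?=.*rename)` and `(?=.*unlink)` are satisfied by `renameat`/`unlinkat` alone, so an x86 rule missing the bare `unlink` or `rename` syscall still passes; use word boundaries such as `(?=.*\bunlink\b)`. `check_audit $checkRule` passes a pattern containing `*` and `?` unquoted, which the shell may glob-expand; write `check_audit "$checkRule"`. Finally, `arch` reports `i686`/`armv7l` on 32-bit x86/ARM, so the `LONG_BIT -eq 32` branches guarded by `=~ ^x86` / `=~ ^aarch` can never be reached and such hosts fall through to `fail` with no explanation.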
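Review bot: in the 2.23 hunk, `grep -Pq $checkRule` and `auditctl -l | grep -Pq $checkRule` expand the pattern unquoted; it contains `.*`, so a file in the working directory could be substituted for the regex. Quote it (`"$checkRule"`). The file list is built with `echo` and carries a stray trailing space in `"/etc/shadow "`; a bash array (`checkFile=(/etc/group /etc/passwd /etc/gshadow /etc/shadow /etc/security/opasswd)` iterated with `"${checkFile[@]}"`) is clearer and does not rely on word splitting. The `-k\s+.*$` tail also no longer requires the `identity` key that the removed lines checked for; if loosening that is intentional, say so in the commit message.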
diff --git a/scanners/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.sh b/scanners/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.sh index 2f0e2fb79e9d97092070e4ba38b6153a57b0763a..8b35c1f0a13c51e395a549c09cdd9e4f2687aade 100644 --- a/scanners/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.sh +++ b/scanners/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.sh @@ -1,10 +1,11 @@ #!/usr/bin/env bash result=false +checkRule="^(?=^\s*-a\s+always,exit)(?=.*-S\s+all)(?=.*-F\s+path=/usr/bin/chsh)(?=.*-F\s+perm=x)(?=.*-F\s+auid>=1000)(?=.*-F\s+auid!=-1)" -auditctl -l | grep -Pq "^\-a\s+always,exit\s+-S\s+all\s+-F\s+path=/usr/bin/chsh\s+-F\s+perm=x\s+-F\s+auid>=1000\s+-F\s+auid!=-1 -F\s+key=.*$" && grep -Pq "^\-a\s+always,exit\s+\-F\s+path=/usr/bin/chsh\s+\-F\s+perm=x\s+\-F\s+auid>=1000\s+\-F\s+auid!=4294967295\s+\-k\s.*$" /etc/audit/rules.d/*.rules /etc/audit/*.rules && result=true +auditctl -l | grep -Pq "$checkRule" && grep -Pq "$checkRule" /etc/audit/rules.d/*.rules /etc/audit/*.rules && result=true -if [ "$result" == true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" -fi \ No newline at end of file +fi diff --git a/scanners/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.sh b/scanners/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.sh index 95b17a9b227b61641a7cac71b3d19d3d4c11dba4..ca00b10900a75b90964a5cf2e61129a41f0a925e 100644 --- a/scanners/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.sh +++ b/scanners/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.sh 
@@ -1,3 +1,3 @@ checkResult=$(augenrules --check) -echo $checkResult | grep -Psiq "No\s+change" && echo 'pass' || echo 'fail' \ No newline at end of file +echo $checkResult | grep -Psiq "\bNo\s+change$" && echo 'pass' || echo 'fail' \ No newline at end of file diff --git a/scanners/logging-and-auditing/2.27-ensure-that-the-firewall-logging-function-is-enabled.sh b/scanners/logging-and-auditing/2.27-ensure-that-the-firewall-logging-function-is-enabled.sh index 380a233ce7b2496d0a43a568a7ba52c5265314c0..b53d3e6267ba7a4f9b3e0d89ed9ff56b24409251 100644 --- a/scanners/logging-and-auditing/2.27-ensure-that-the-firewall-logging-function-is-enabled.sh +++ b/scanners/logging-and-auditing/2.27-ensure-that-the-firewall-logging-function-is-enabled.sh @@ -1,2 +1,8 @@ -fwDenied=$(firewall-cmd --get-log-denied) -( [[ $fwDenied == 'all' ]] && echo 'pass' ) || echo 'fail' \ No newline at end of file +fwDenied=$(firewall-cmd --get-log-denied 2>&1) +fwDeniedFile=$(grep -Pm1 "^\s*LogDenied=all\s*$" /etc/firewalld/firewalld.conf | grep -Po "LogDenied=all") + +if [[ $fwDenied == "all" && $fwDeniedFile == "LogDenied=all" ]]; then + echo 'pass' +else + echo 'fail' +fi diff --git a/scanners/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh b/scanners/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh index 710450699b1e13c3126c4e2efa0a33bfcbc31f0a..5347af972818e08e1fae7b292fa7d0aa6fd01d66 100644 --- a/scanners/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh +++ b/scanners/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh @@ -1 +1 @@ -( grep -Psq "^Defaults\slogfile\=.*\.log$" /etc/sudoers && echo 'pass' ) || echo 'fail' \ No newline at end of file +( awk '/Defaults\s+logfile\s*/ {line = $0; nr = NR} END {if (nr) print line}' /etc/sudoers | grep -Psq "^\s*Defaults\s+logfile\s*=\s*(/?)([a-zA-Z0-9_.-]+/?)*" && echo 'pass' ) || echo 'fail' 
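Review bot: in the 2.24 hunk, the single `checkRule` is matched against both `auditctl -l` and the rules files, but `-S all` is what `auditctl -l` prints for a path rule that has no `-S`; the on-disk rule as the removed file-side pattern expected it has no `-S all` and carries `auid!=4294967295` (or `auid!=unset`) rather than `auid!=-1`. A compliant on-disk rule therefore fails the file-side grep and the script reports `fail` for a correctly configured host. Keep separate patterns for the two sources, or make `-S\s+all` optional and accept the three `auid!=` spellings.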
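Review bot: in the 2.29 hunk, the awk filter `/Defaults\s+logfile\s*/` is not anchored, so a commented-out `# Defaults logfile=...` that appears after the real setting becomes the "last line" and the subsequent `^\s*Defaults` grep fails on a correctly configured file; anchor it (`/^\s*Defaults\s+logfile/`). The value group `([a-zA-Z0-9_.-]+/?)*` is optional, so `Defaults logfile=` with an empty path also passes; require at least one path component (`+` instead of `*`). The check also reads only `/etc/sudoers`, while 2.30 reads `/etc/sudoers*`, so a `logfile` set in `/etc/sudoers.d/` passes 2.30 but fails here.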
diff --git a/scanners/logging-and-auditing/2.3-ensure-only-authorized-groups-ownership-of-audit-log-files.sh b/scanners/logging-and-auditing/2.3-ensure-only-authorized-groups-ownership-of-audit-log-files.sh index 03c305912c41475ac3776d575d29e187c429cc7c..a9d59db8e95888895277b2c1e174e7304bde571f 100644 --- a/scanners/logging-and-auditing/2.3-ensure-only-authorized-groups-ownership-of-audit-log-files.sh +++ b/scanners/logging-and-auditing/2.3-ensure-only-authorized-groups-ownership-of-audit-log-files.sh @@ -3,9 +3,9 @@ result=false log_path=$(dirname "$(awk -F = '/^\s*log_file\s*=\s*\S+/ {print $2}' /etc/audit/auditd.conf)") output="$(find $log_path -maxdepth 1 -type f \( ! -group root -a ! -group adm \))" -[ -z "$output" ] && result=true +[[ -z "$output" ]] && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/logging-and-auditing/2.30-ensure-events-that-modify-the-sudo-log-file-are-collected.sh b/scanners/logging-and-auditing/2.30-ensure-events-that-modify-the-sudo-log-file-are-collected.sh index fe34a7df2133a7a1e4dc519befa1fcc1d8374568..9d455f7c55af82f9a6881206e709eebdf8ee3699 100644 --- a/scanners/logging-and-auditing/2.30-ensure-events-that-modify-the-sudo-log-file-are-collected.sh +++ b/scanners/logging-and-auditing/2.30-ensure-events-that-modify-the-sudo-log-file-are-collected.sh 
@@ -2,4 +2,4 @@ sudoLogFilePath=$(grep -r logfile /etc/sudoers* | sed -e 's/.*logfile=//;s/,? .* sudoLogRunning=$(auditctl -l | awk "/^ *-w/ &&/"${sudoLogFilePath}"/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)") sudoLogdisk=$(awk "/^ *-w/ &&/"${sudoLogFilePath}"/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules /etc/audit/*.rules) -([ -n "${sudoLogFilePath}" ] && [ -n "${sudoLogRunning}" ] && [ -n "${sudoLogdisk}" ] && echo 'pass') || echo 'fail' \ No newline at end of file +([[ -n "${sudoLogFilePath}" ]] && [[ -n "${sudoLogRunning}" ]] && [[ -n "${sudoLogdisk}" ]] && echo 'pass') || echo 'fail' \ No newline at end of file diff --git a/scanners/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh b/scanners/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh index 7140ac52a74c04cad1094c1787c6709a828bc288..9409d64f75d7386b6175f90adaf1711b7b2ecb7e 100644 --- a/scanners/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh +++ b/scanners/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh 
@@ -1,17 +1,13 @@ -curResult=false -diskResult=false -# $curLine == Number of compliant audit rules that have been loaded. -curLine=$(auditctl -l | awk "/^ *-a *always,exit/ &&/ -F *arch=b[2346]{2}/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -S/ &&/ -F *auid>=${UID_MIN}/ &&(/chmod/||/fchmod/||/fchmodat/ ||/chown/||/fchown/||/fchownat/||/lchown/ ||/setxattr/||/lsetxattr/||/fsetxattr/ ||/removexattr/||/lremovexattr/||/fremovexattr/) &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" | wc -l) +result=true -# In this benchmark, the number of audit rule entries that need to be loaded is 6. -[[ $curLine == 6 ]] && curResult=true +for BIT in b32 b64 ; do + checkRule="^(?=^\s*-a\s+always,exit)(?=.*-F\s+arch=$BIT)(?=.*chmod)(?=.*fchmod)(?=.*chown)(?=.*fchown)(?=.*lchown)(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr)(?=.*fchownat)(?=.*fchmodat)" + grep -Pq $checkRule /etc/audit/rules.d/*.rules /etc/audit/*.rules && auditctl -l | grep -Pq $checkRule + [[ $? 
-ne 0 ]] && result=false +done -grep -Psq "^\-a\s+always,exit\s+\-F\s+arch=b64\s+\-S\s+chmod,fchmod,fchmodat\s+\-F\s+auid>=1000\s+\-F\s+auid!=unset\s+\-F\s+key=.*$" /etc/audit/rules.d/*.rules /etc/audit/*.rules \ -&& grep -Psq "^\-a\s+always,exit\s+\-F\s+arch=b64\s+\-S\s+chown,fchown,lchown,fchownat\s+\-F\s+auid>=1000\s+\-F\s+auid!=unset\s+\-F\s+key=.*$" /etc/audit/rules.d/*.rules /etc/audit/*.rules \ -&& grep -Psq "^\-a\s+always,exit\s+\-F\s+arch=b32\s+\-S\s+chmod,fchmod,fchmodat\s+\-F\s+auid>=1000\s+\-F\s+auid!=unset\s+\-F\s+key=.*$" /etc/audit/rules.d/*.rules /etc/audit/*.rules \ -&& grep -Psq "^\-a\s+always,exit\s+\-F\s+arch=b32\s+\-S\s+lchown,fchown,chown,fchownat\s+\-F\s+auid>=1000\s+\-F\s+auid!=unset\s+\-F\s+key=.*$" /etc/audit/rules.d/*.rules /etc/audit/*.rules \ -&& grep -Psq "^\-a\s+always,exit\s+\-F\s+arch=b64\s+\-S\s+setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr\s+\-F\s+auid>=1000\s+\-F\s+auid!=unset\s+\-F\s+key=.*$" /etc/audit/rules.d/*.rules /etc/audit/*.rules \ -&& grep -Psq "^\-a\s+always,exit\s+\-F\s+arch=b32\s+\-S\s+setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr\s+\-F\s+auid>=1000\s+\-F\s+auid!=unset\s+\-F\s+key=.*$" /etc/audit/rules.d/*.rules /etc/audit/*.rules \ -&& diskResult=true - -[[ $curResult == 'true' ]] && [[ $diskResult == 'true' ]] && echo 'pass' || echo 'fail' \ No newline at end of file +if [[ "$result" == "true" ]]; then + echo "pass" +else + echo "fail" +fi diff --git a/scanners/logging-and-auditing/2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive.sh b/scanners/logging-and-auditing/2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive.sh index 73368129255e787b1e328bdaa07c8ff18f92f511..ce499d34c5036e187705ab31828c8a64ea785820 100644 --- a/scanners/logging-and-auditing/2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive.sh +++ b/scanners/logging-and-auditing/2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive.sh 
@@ -4,7 +4,7 @@ log_path=$(dirname "$(awk -F = '/^\s*log_file\s*=\s*\S+/ {print $2}' /etc/audit/ stat -c "%a" "$log_path" | grep -Eq '^[0-7][0,1,4,5]0\s*$' && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/logging-and-auditing/2.8-ensure-audit-tools-are-mode-of-0755-or-more-restrictive.sh b/scanners/logging-and-auditing/2.8-ensure-audit-tools-are-mode-of-0755-or-more-restrictive.sh index c7e78840684e010aba79a85efb662533a86d4b71..4b2cec38074ecaf6352d57204f40681da0018fef 100644 --- a/scanners/logging-and-auditing/2.8-ensure-audit-tools-are-mode-of-0755-or-more-restrictive.sh +++ b/scanners/logging-and-auditing/2.8-ensure-audit-tools-are-mode-of-0755-or-more-restrictive.sh 
@@ -1,19 +1,7 @@ -result_auditctl=false -result_aureport=false -result_ausearch=false -result_autrace=false -result_auditd=false -result_augenrules=false +result=0 +for i in $(stat -c "%a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules) +do + echo $i | grep -Eq '^[0-7][0,1,4,5][0,1,4,5]\s*$' && ((result++)) +done -stat -c "%a" /sbin/auditctl | grep -Eq '^[0-7][0,1,4,5][0,1,4,5]\s*$' && result_auditctl=true -stat -c "%a" /sbin/aureport | grep -Eq '^[0-7][0,1,4,5][0,1,4,5]\s*$' && result_aureport=true -stat -c "%a" /sbin/ausearch | grep -Eq '^[0-7][0,1,4,5][0,1,4,5]\s*$' && result_ausearch=true -stat -c "%a" /sbin/autrace | grep -Eq '^[0-7][0,1,4,5][0,1,4,5]\s*$' && result_autrace=true -stat -c "%a" /sbin/auditd | grep -Eq '^[0-7][0,1,4,5][0,1,4,5]\s*$' && result_auditd=true -stat -c "%a" /sbin/augenrules | grep -Eq '^[0-7][0,1,4,5][0,1,4,5]\s*$' && result_augenrules=true - -if [ "$result_auditctl" = true ] && [ "$result_aureport" = true ] && [ "$result_ausearch" = true ] && [ "$result_autrace" = true ] && [ "$result_auditd" = true ] && [ "$result_augenrules" = true ]; then - echo "pass" -else - echo "fail" -fi \ No newline at end of file +[[ $result -eq 6 ]] && echo 'pass' || echo 'fail' \ No newline at end of file diff --git a/scanners/logging-and-auditing/2.9-ensure-audit-tools-are-owned-by-root.sh b/scanners/logging-and-auditing/2.9-ensure-audit-tools-are-owned-by-root.sh index 0b6555cac6042ad6f6d1836bdcfde72f9f411889..2c92a494e639dd5085645854edbb801760eb3e21 100644 --- a/scanners/logging-and-auditing/2.9-ensure-audit-tools-are-owned-by-root.sh +++ b/scanners/logging-and-auditing/2.9-ensure-audit-tools-are-owned-by-root.sh 
@@ -1,19 +1,7 @@ -result_auditctl=false -result_aureport=false -result_ausearch=false -result_autrace=false -result_auditd=false -result_augenrules=false +result=0 +for i in $(stat -c "%U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules) +do + echo $i | grep -Eq '^root$' && ((result++)) +done -stat -c "%U" /sbin/auditctl | grep -Eq 'root' && result_auditctl=true -stat -c "%U" /sbin/aureport | grep -Eq 'root' && result_aureport=true -stat -c "%U" /sbin/ausearch | grep -Eq 'root' && result_ausearch=true -stat -c "%U" /sbin/autrace | grep -Eq 'root' && result_autrace=true -stat -c "%U" /sbin/auditd | grep -Eq 'root' && result_auditd=true -stat -c "%U" /sbin/augenrules | grep -Eq 'root' && result_augenrules=true - -if [ "$result_auditctl" = true ] && [ "$result_aureport" = true ] && [ "$result_ausearch" = true ] && [ "$result_autrace" = true ] && [ "$result_auditd" = true ] && [ "$result_augenrules" = true ]; then - echo "pass" -else - echo "fail" -fi \ No newline at end of file +[[ $result -eq 6 ]] && echo 'pass' || echo 'fail' \ No newline at end of file diff --git a/scanners/mandatory-access-control/5.1-ensure-selinux-is-installed.sh b/scanners/mandatory-access-control/5.1-ensure-selinux-is-installed.sh index d489e1e508ce45fc60d6efa99873e55c907a8857..fd1d6b97920ea9b2183808bbd1f719f5b822772f 100644 --- a/scanners/mandatory-access-control/5.1-ensure-selinux-is-installed.sh +++ b/scanners/mandatory-access-control/5.1-ensure-selinux-is-installed.sh @@ -1,4 +1,4 @@ -if [ "$(rpm -qa libselinux)" ] && [ "$(rpm -qa selinux-policy-mls)" ] && [ "$(rpm -qa selinux-policy-targeted )" ]; then +if [[ "$(rpm -qa libselinux)" ]] && [[ "$(rpm -qa selinux-policy-mls)" ]] && [[ "$(rpm -qa selinux-policy-targeted )" ]]; then echo "pass" else echo "fail" 
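Review bot: in the 2.32 hunk, the lookahead regex requires all fourteen syscalls on one line, but the benchmark layout, which the removed lines encoded explicitly, splits them into three rules per architecture (`chmod,fchmod,fchmodat`, `chown,fchown,lchown,fchownat`, and the six xattr calls). `grep -Pq` matches per line, so a host with the recommended six-rule set fails this check. Either grep per syscall group, as before, or evaluate the lookaheads over the concatenated rule set. The rewrite also drops the `auid>=1000` and `auid!=` lookaheads, so rules that cover no user range at all now pass, and as elsewhere the unquoted `grep -Pq $checkRule` should be `"$checkRule"`.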
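Review bot: in the 2.8 and 2.9 hunks (same loop as 2.10), `stat -c "%a"` prints four digits when a setuid, setgid or sticky bit is set (for example `4755`), which the three-character pattern `^[0-7][0,1,4,5][0,1,4,5]\s*$` rejects, so such a file reads as non-compliant without the output saying why; either match an optional leading digit or state that special bits are deliberately disallowed. The commas inside `[0,1,4,5]` are literal characters, not separators; `[0145]` says what is meant. As in 2.10, a missing path prints `stat` noise to stderr and silently lowers the count.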
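Review bot: in the 5.1 hunk, `[[ "$(rpm -qa libselinux)" ]]` is kept while 2.12, 2.19 and 2.20 moved to `rpm -q <pkg> >/dev/null 2>&1`, the form that actually uses rpm's exit status (`rpm -qa name` exits 0 even when nothing matches). Use the same idiom here and in the 3.1 and 3.10 hunks for consistency, and drop the stray space in `selinux-policy-targeted )`.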
diff --git a/scanners/mandatory-access-control/5.2-ensure-selinux-policy-is-configured.sh b/scanners/mandatory-access-control/5.2-ensure-selinux-policy-is-configured.sh index e91fe530faed52c3d3d623885e3acdcd985abd90..fc7f43e6e96d440a1a86bee40bbb648d5dabeb14 100755 --- a/scanners/mandatory-access-control/5.2-ensure-selinux-policy-is-configured.sh +++ b/scanners/mandatory-access-control/5.2-ensure-selinux-policy-is-configured.sh @@ -4,14 +4,14 @@ export LANG="en_US.UTF-8" SELINUX=`grep -E "^\s*SELINUX=disabled\b" /etc/selinux/config` SELINUX_R=`echo $?` # include 0 -if [ $SELINUX_R != 0 ];then +if [[ $SELINUX_R -ne 0 ]];then SELINUXTYPE=`grep -E "^\s*SELINUXTYPE=mls\b" /etc/selinux/config` SELINUXTYPE_R=`echo $?` # include 0 else SELINUXTYPE_R=1 fi -if [[ `sestatus | grep Loaded` =~ "mls" ]] && [ $SELINUXTYPE_R == 0 ];then +if [[ `sestatus | grep Loaded` =~ "mls" ]] && [[ $SELINUXTYPE_R -eq 0 ]];then echo "pass"; else echo "fail"; diff --git a/scanners/mandatory-access-control/5.4-ensure-the-selinux-mode-is-enforcing.sh b/scanners/mandatory-access-control/5.4-ensure-the-selinux-mode-is-enforcing.sh index 83946e035d11940ad3e20652d77a882de0a35109..957015b6b7ac88d0df2ce2b17d853817bf41d60e 100755 --- a/scanners/mandatory-access-control/5.4-ensure-the-selinux-mode-is-enforcing.sh +++ b/scanners/mandatory-access-control/5.4-ensure-the-selinux-mode-is-enforcing.sh @@ -2,7 +2,7 @@ TYPE=`grep -Ei "^\s*SELINUX=enforcing" /etc/selinux/config` TYPE_R=`echo $?` # include 0 -if [ `getenforce` == "Enforcing" ] && [ $TYPE_R == 0 ];then +if [[ `getenforce` == "Enforcing" ]] && [[ $TYPE_R == 0 ]];then echo "pass"; else echo "fail"; diff --git a/scanners/mandatory-access-control/5.9-ensure-setroubleshoot-is-not-installed.sh b/scanners/mandatory-access-control/5.9-ensure-setroubleshoot-is-not-installed.sh index e012fe2b21787e2e684194141620199fa4ebed1a..73f19a0df542df63e428634ab5c7837724901f97 100644 --- a/scanners/mandatory-access-control/5.9-ensure-setroubleshoot-is-not-installed.sh 
+++ b/scanners/mandatory-access-control/5.9-ensure-setroubleshoot-is-not-installed.sh @@ -5,7 +5,7 @@ result=false rpm -q setroubleshoot | grep -Psiq "^package\s+setroubleshoot\s+is\s+not\s+installed$" && result=true -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.1-disable-http-server.sh b/scanners/services/3.1-disable-http-server.sh index a5318fe10402393a4b4fe7bc3d3d8af652e6bc43..c4c6f1f70a231d662eed6982c1548a21fc4e65eb 100755 --- a/scanners/services/3.1-disable-http-server.sh +++ b/scanners/services/3.1-disable-http-server.sh @@ -1,6 +1,6 @@ -if [ "$(rpm -qa httpd)" ]; then +if [[ "$(rpm -qa httpd)" ]]; then result=$(systemctl is-enabled httpd) - if [ $result != enabled ]; then + if [[ $result != enabled ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.10-disable-rsync-server.sh b/scanners/services/3.10-disable-rsync-server.sh index b1461265a3758d8319bdf5ed9ee0d7c0000ae1c6..7a7125c0ed497e01fcea75b56e9661a9b85cae9a 100644 --- a/scanners/services/3.10-disable-rsync-server.sh +++ b/scanners/services/3.10-disable-rsync-server.sh @@ -1,6 +1,6 @@ -if [ "$(rpm -qa rsync-daemon)" ]; then +if [[ "$(rpm -qa rsync-daemon)" ]]; then result=$(systemctl is-enabled rsyncd) - if [ $result != enabled ]; then + if [[ $result != enabled ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.11-disable-avahi-server.sh b/scanners/services/3.11-disable-avahi-server.sh index ecc6bdbe45fa079a19d838ebc6f0e1d344eee750..4919b1b61789a698d6b2b7e9ef180a1cd0a89f86 100644 --- a/scanners/services/3.11-disable-avahi-server.sh +++ b/scanners/services/3.11-disable-avahi-server.sh 
@@ -1,7 +1,7 @@ -if [ "$(rpm -qa avahi)" ]; then +if [[ "$(rpm -qa avahi)" ]]; then result=$(systemctl is-enabled avahi-daemon.socket) result2=$(systemctl is-enabled avahi-daemon) - if [ $result != enabled ] && [ $result2 != enabled ]; then + if [[ $result != enabled ]] && [[ $result2 != enabled ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.12-disable-snmp-server.sh b/scanners/services/3.12-disable-snmp-server.sh index 024df3d7588fe05e7e2436fbd7542e7b88a8d77b..85f1ff20c985d6399dc982510956e4d587fa3933 100644 --- a/scanners/services/3.12-disable-snmp-server.sh +++ b/scanners/services/3.12-disable-snmp-server.sh @@ -1,6 +1,6 @@ -if [ "$(rpm -qa net-snmp)" ]; then +if [[ "$(rpm -qa net-snmp)" ]]; then result=$(systemctl is-enabled snmpd) - if [ $result != enabled ]; then + if [[ $result != enabled ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.13-disable-http-proxy-server.sh b/scanners/services/3.13-disable-http-proxy-server.sh index a16aa021c34d57e305d0e8c5f4f64ed3afe9740f..13de594daecd23a527f929cf2bea1125537c7a23 100644 --- a/scanners/services/3.13-disable-http-proxy-server.sh +++ b/scanners/services/3.13-disable-http-proxy-server.sh @@ -1,6 +1,6 @@ -if [ "$(rpm -qa squid)" ]; then +if [[ "$(rpm -qa squid)" ]]; then result=$(systemctl is-enabled squid) - if [ $result != enabled ]; then + if [[ $result != enabled ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.14-disable-samba.sh b/scanners/services/3.14-disable-samba.sh index 7971cb5ca2bf92fbc5959d802083871e6bbf2ba0..e4bd3fa6570e25e258172ec4e1c291dc7ffe74b3 100644 --- a/scanners/services/3.14-disable-samba.sh +++ b/scanners/services/3.14-disable-samba.sh @@ -1,6 +1,6 @@ -if [ "$(rpm -qa samba)" ]; then +if [[ "$(rpm -qa samba)" ]]; then result=$(systemctl is-enabled smb) - if [ $result != enabled ]; then + if [[ $result != enabled ]]; then echo "pass" else echo "fail" 
diff --git a/scanners/services/3.15-disable-imap-and-pop3-server.sh b/scanners/services/3.15-disable-imap-and-pop3-server.sh index 4ab5ad8cc2dd2eded6ebefcadc82cb1220a34e41..fd49de54b1fd60153ab5206854c339efb5fc4198 100644 --- a/scanners/services/3.15-disable-imap-and-pop3-server.sh +++ b/scanners/services/3.15-disable-imap-and-pop3-server.sh @@ -1,6 +1,6 @@ -if [ "$(rpm -qa dovecot)" ]; then +if [[ "$(rpm -qa dovecot)" ]]; then result=$(systemctl is-enabled dovecot) - if [ $result != enabled ]; then + if [[ $result != enabled ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.16-disable-smtp-protocol.sh b/scanners/services/3.16-disable-smtp-protocol.sh index 9a9a4222e34a7a09d0220c27b7ced3686114143a..c77a750f2f17123713dac728645e40659dc9edcb 100644 --- a/scanners/services/3.16-disable-smtp-protocol.sh +++ b/scanners/services/3.16-disable-smtp-protocol.sh @@ -1,6 +1,6 @@ -if [ "$(rpm -qa postfix)" ]; then - result=$(systemctl is-enabled postfix.service) - if [ $result != enabled ]; then +if [[ "$(rpm -qa postfix)" ]]; then + result=$(systemctl is-enabled postfix.service) + if [[ $result != enabled ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.17-disable-or-uninstall-the-telnet.sh b/scanners/services/3.17-disable-or-uninstall-the-telnet.sh index 1ca6133337e0aa174c3aa8b760a80cfef9f8da1a..2994e00d7df81ee6c1b4c126ceb7ce88b5453cd9 100644 --- a/scanners/services/3.17-disable-or-uninstall-the-telnet.sh +++ b/scanners/services/3.17-disable-or-uninstall-the-telnet.sh @@ -1,5 +1,5 @@ #!/usr/bin/env bash -if [ "$(rpm -qa | grep telnet)" ]; then +if [[ "$(rpm -qa | grep telnet)" ]]; then result=$(systemctl is-enabled telnet.socket) if [[ $result != enabled ]]; then echo "pass" diff --git a/scanners/services/3.18-uninstall-the-avahi-server.sh b/scanners/services/3.18-uninstall-the-avahi-server.sh index ee9cddab00ca166b1043e7e98837b6cfa0aa9925..32bfe74c56896103eed87adfad236990ceeed598 100644 
--- a/scanners/services/3.18-uninstall-the-avahi-server.sh +++ b/scanners/services/3.18-uninstall-the-avahi-server.sh @@ -3,7 +3,7 @@ result=false rpm -q avahi | grep -Psiq "^package\s+avahi\s+is\s+not\s+installed$" && result=true -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.19-uninstall-the-kexec-tools.sh b/scanners/services/3.19-uninstall-the-kexec-tools.sh index 6e86439ccbf3e6be764b40a0121f824e6bf14227..6ebc164f93604aed8cfae857dc52e3826e7cfeda 100644 --- a/scanners/services/3.19-uninstall-the-kexec-tools.sh +++ b/scanners/services/3.19-uninstall-the-kexec-tools.sh @@ -3,7 +3,7 @@ result=false rpm -q kexec-tools | grep -Psiq "^package\s+kexec-tools\s+is\s+not\s+installed$" && result=true -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.2-disable-ftp-server.sh b/scanners/services/3.2-disable-ftp-server.sh index a0657685afc3bcdfc38271dad3639158697c304f..ea33f1071d43ba2134e7182abba10e0d765e9de4 100644 --- a/scanners/services/3.2-disable-ftp-server.sh +++ b/scanners/services/3.2-disable-ftp-server.sh @@ -1,6 +1,6 @@ -if [ "$(rpm -qa vsftpd)" ]; then +if [[ "$(rpm -qa vsftpd)" ]]; then result=$(systemctl is-enabled vsftpd) - if [ $result != enabled ]; then + if [[ $result != enabled ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.20-uninstall-the-firstboot.sh b/scanners/services/3.20-uninstall-the-firstboot.sh index d58166d7f1819308065ad8eff91ee636f9e70de8..a3a54b295035ae178fbaf660f830321f068d98cc 100644 --- a/scanners/services/3.20-uninstall-the-firstboot.sh +++ b/scanners/services/3.20-uninstall-the-firstboot.sh @@ -3,7 +3,7 @@ result=false rpm -q firstboot | grep -Psiq "^package\s+firstboot\s+is\s+not\s+installed$" && result=true -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" 
diff --git a/scanners/services/3.21-uninstall-the-wpa_supplicant.sh b/scanners/services/3.21-uninstall-the-wpa_supplicant.sh index 184459907a7aefa648d88e27a6249ef79674bc2d..596dd2c311095e44d789a4c834e4e3528453b3de 100644 --- a/scanners/services/3.21-uninstall-the-wpa_supplicant.sh +++ b/scanners/services/3.21-uninstall-the-wpa_supplicant.sh @@ -3,7 +3,7 @@ result=false rpm -q wpa_supplicant | grep -Psiq "^package\s+wpa_supplicant\s+is\s+not\s+installed$" && result=true -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.22-ensure-NIS-Client-is-not-installed.sh b/scanners/services/3.22-ensure-NIS-Client-is-not-installed.sh index 6d621a15c2d6eaa6062e049eaa9f4af5995587fa..34ef54080d3806f9b3b566f6bb3b6ead8040706b 100644 --- a/scanners/services/3.22-ensure-NIS-Client-is-not-installed.sh +++ b/scanners/services/3.22-ensure-NIS-Client-is-not-installed.sh @@ -4,7 +4,7 @@ result=false rpm -q ypbind | grep -Psiq "^package\s+ypbind\s+is\s+not\s+installed$" && result=true -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.23-disable-rsh.sh b/scanners/services/3.23-disable-rsh.sh index 5b720fca1c3a722d3853f97aa3e14d4818059b8e..f5410bab645184522683b60985c7b02c68321d62 100644 --- a/scanners/services/3.23-disable-rsh.sh +++ b/scanners/services/3.23-disable-rsh.sh @@ -1,6 +1,6 @@ -if [ "$(rpm -qa rsh)" ]; then +if [[ "$(rpm -qa rsh-server)" ]]; then result=$(systemctl is-enabled rsh.socket) - if [ $result != enabled ]; then + if [[ $result != enabled ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.24-disable-ntalk.sh b/scanners/services/3.24-disable-ntalk.sh index ac540854101dfcee92d39837453246e76e6cb730..2af51e84215b3b6131e2fd94d4e7d3bd6adc91f0 100644 --- a/scanners/services/3.24-disable-ntalk.sh +++ b/scanners/services/3.24-disable-ntalk.sh 
@@ -1,6 +1,6 @@ -if [ "$(rpm -qa ntalk)" ]; then +if [[ "$(rpm -qa ntalk)" ]]; then result=$(systemctl is-enabled ntalk.socket) - if [ $result != enabled ]; then + if [[ $result != enabled ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.25-ensure-xinetd-is-not-installed.sh b/scanners/services/3.25-ensure-xinetd-is-not-installed.sh index 9ff4bcb72553654f1bfae464da33bd89588ce6fe..69c8df1805a4517033bc8bdf783c44e97be4ff5e 100644 --- a/scanners/services/3.25-ensure-xinetd-is-not-installed.sh +++ b/scanners/services/3.25-ensure-xinetd-is-not-installed.sh @@ -4,7 +4,7 @@ result=false rpm -q xinetd | grep -Psiq "^package\s+xinetd\s+is\s+not\s+installed$" && result=true -if [ "$result" == true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.26-disable-usb-storage.sh b/scanners/services/3.26-disable-usb-storage.sh index 848eb82580af9c613b5f794acd76df06a6e404c5..2b00572450f4a7cdb60f738c7411f464061874ea 100644 --- a/scanners/services/3.26-disable-usb-storage.sh +++ b/scanners/services/3.26-disable-usb-storage.sh @@ -1,8 +1,8 @@ result=true echo $(modprobe -n -v usb-storage) | grep -Psq "^install\s+\/bin\/true$" || result=false -lsmod | grep -q "usb-storage" && result=false +lsmod | grep -Pq "^usb(_|-)storage\b" && result=false -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.27-ensure-time-synchronization-is-installed.sh b/scanners/services/3.27-ensure-time-synchronization-is-installed.sh index 0281f856d64fefdc8728e9f0bc92d8b785bc51e9..59e09c8cc00fb567567aedf6f2e9e7f57b81ce69 100644 --- a/scanners/services/3.27-ensure-time-synchronization-is-installed.sh +++ b/scanners/services/3.27-ensure-time-synchronization-is-installed.sh 
@@ -1,10 +1,10 @@ #!/usr/bin/env bash result=false -rpm -q chrony | grep -Psiq "chrony\-" && result=true +rpm -q chrony | grep -Psiq "^chrony\-" && result=true -if [ "$result" = true ]; then - echo "pass" +if [[ "$result" == "true" ]]; then + echo "pass" else - echo "fail" + echo "fail" fi diff --git a/scanners/services/3.3-disable-dns-server.sh b/scanners/services/3.3-disable-dns-server.sh index 665b8a327e81ad6b8857d24b16337b9a4c815cc5..9535028c5b451b420d136bd0c4d4a0fdab7d0928 100644 --- a/scanners/services/3.3-disable-dns-server.sh +++ b/scanners/services/3.3-disable-dns-server.sh @@ -1,6 +1,6 @@ -if [ "$(rpm -qa bind)" ]; then +if [[ "$(rpm -qa bind)" ]]; then result=$(systemctl is-enabled named) - if [ $result != enabled ]; then + if [[ $result != enabled ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.4-disable-nfs.sh b/scanners/services/3.4-disable-nfs.sh index 30792137ade628f45e670411e86e6e84466f7d64..d0c5fa52f0b8786a01bab8148526b3bd335be2c8 100644 --- a/scanners/services/3.4-disable-nfs.sh +++ b/scanners/services/3.4-disable-nfs.sh @@ -1,6 +1,6 @@ -if [ "$(rpm -qa nfs-utils)" ]; then +if [[ "$(rpm -qa nfs-utils)" ]]; then result=$(systemctl is-enabled nfs-server) - if [ $result != enabled ]; then + if [[ $result != enabled ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.5-disable-rpc.sh b/scanners/services/3.5-disable-rpc.sh index fb823d15fc23bb21fca99bb3e5891a8034084750..b775bc749bbb158604dfb4b9918550e389d0e705 100644 --- a/scanners/services/3.5-disable-rpc.sh +++ b/scanners/services/3.5-disable-rpc.sh @@ -1,6 +1,6 @@ -if [ "$(rpm -qa rpcbind)" ]; then +if [[ "$(rpm -qa rpcbind)" ]]; then result=$(systemctl is-enabled rpcbind) - if [ $result != enabled ]; then + if [[ $result != enabled ]]; then echo "pass" else echo "fail" 
diff --git a/scanners/services/3.6-disable-ldap-server.sh b/scanners/services/3.6-disable-ldap-server.sh index f92700536f85d716dda5304a075b736cef1e96ff..3f70aa559ce102223e512497d13d8b685c5c9eb0 100644 --- a/scanners/services/3.6-disable-ldap-server.sh +++ b/scanners/services/3.6-disable-ldap-server.sh @@ -1,6 +1,6 @@ -if [ "$(rpm -qa openldap-servers)" ]; then +if [[ "$(rpm -qa openldap-servers)" ]]; then result=$(systemctl is-enabled slapd) - if [ $result != enabled ]; then + if [[ $result != enabled ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.7-disable-dhcp-server.sh b/scanners/services/3.7-disable-dhcp-server.sh index c812c4ae591ef9089e30f39dbf2c797cd3947be7..4309c706c9c31af27a8159601f7e2b2a81fa77ea 100644 --- a/scanners/services/3.7-disable-dhcp-server.sh +++ b/scanners/services/3.7-disable-dhcp-server.sh @@ -1,6 +1,6 @@ -if [ "$(rpm -qa dhcp-server)" ]; then +if [[ "$(rpm -qa dhcp-server)" ]]; then result=$(systemctl is-enabled dhcpd) - if [ $result != enabled ]; then + if [[ $result != enabled ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.8-disable-cups.sh b/scanners/services/3.8-disable-cups.sh index 56499c001be07997182f64aaf2421658dfd0da04..89e4ce3506c7b0810d354b0273f3a0db2d91a35f 100644 --- a/scanners/services/3.8-disable-cups.sh +++ b/scanners/services/3.8-disable-cups.sh @@ -1,6 +1,6 @@ -if [ "$(rpm -qa cups)" ]; then +if [[ "$(rpm -qa cups)" ]]; then result=$(systemctl is-enabled cups) - if [ $result != enabled ]; then + if [[ $result != enabled ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.9-disable-nis-server.sh b/scanners/services/3.9-disable-nis-server.sh index 18ed619eeef9a9746c23a4940c99f6fec824a792..e3b8dd386d2323e5a31f9cb83d542506f4a5b904 100644 --- a/scanners/services/3.9-disable-nis-server.sh +++ b/scanners/services/3.9-disable-nis-server.sh 
@@ -1,6 +1,6 @@ -if [ "$(rpm -qa ypserv)" ]; then +if [[ "$(rpm -qa ypserv)" ]]; then result=$(systemctl is-enabled ypserv) - if [ $result != enabled ]; then + if [[ $result != enabled ]]; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.1-ensure-message-of-the-day-is-configured-properly.sh b/scanners/system-configurations/4.1-ensure-message-of-the-day-is-configured-properly.sh index 692aceffe51a3e74c8142105e5ac10e879c70257..689f983ee9f97999723c8ff3fb51cf90c1e1d2c9 100644 --- a/scanners/system-configurations/4.1-ensure-message-of-the-day-is-configured-properly.sh +++ b/scanners/system-configurations/4.1-ensure-message-of-the-day-is-configured-properly.sh @@ -2,7 +2,7 @@ result=false grep -Eiq "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/motd || result=true -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.10-ensure-bootloader-password-is-set.sh b/scanners/system-configurations/4.10-ensure-bootloader-password-is-set.sh index f5c1175d309737712823e1c4ef5608d38becf7a0..e46ce76dbf416dc9a9d3ff4dc39b97393edebba7 100644 --- a/scanners/system-configurations/4.10-ensure-bootloader-password-is-set.sh +++ b/scanners/system-configurations/4.10-ensure-bootloader-password-is-set.sh @@ -1,8 +1,8 @@ result=false -if [ -e /boot/grub2/user.cfg ]; then +if [[ -e /boot/grub2/user.cfg ]]; then grep -Pq '^\h*GRUB2_PASSWORD\h*=\h*.+$' /boot/grub2/user.cfg && result=true - if [ "$result" = true ] ; then + if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh b/scanners/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh index ba4424975d7c7f605b957af73ce5d8d4d334b681..892913cb75f335c6006818fe45aa0050bb0d2aba 100644 
--- a/scanners/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh +++ b/scanners/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh @@ -2,7 +2,7 @@ result=false grep -Pq "^\s*ExecStart=-/usr/lib/systemd/systemd-sulogin-shell(\s+emergency|\s*)\s*(\s+#.*)?$" /usr/lib/systemd/system/emergency.service && grep -Pq "^\s*ExecStart=-/usr/lib/systemd/systemd-sulogin-shell(\s+rescue\s*|\s*)\s*(\s+#.*)?$" /usr/lib/systemd/system/rescue.service && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.13-ensure-core-dumps-are-restricted.sh b/scanners/system-configurations/4.13-ensure-core-dumps-are-restricted.sh index 1eefaaec8c3f18efd1d99a348f8a19e41bc1b256..32bd3aa0f4af5a2f0611a337765be6ac4e591b0b 100644 --- a/scanners/system-configurations/4.13-ensure-core-dumps-are-restricted.sh +++ b/scanners/system-configurations/4.13-ensure-core-dumps-are-restricted.sh @@ -2,7 +2,7 @@ result=false grep -Pq "^\s*\*\s+hard\s+core\s+0\s*(\s+#.*)?$" /etc/security/limits.conf && grep -Pq "^\s*fs\.suid_dumpable\s*=\s*0\s*(\s+#.*)?$" /etc/sysctl.conf /etc/sysctl.d/* && sysctl fs.suid_dumpable|grep -Pq "fs\.suid\_dumpable\s+=\s+0" && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh b/scanners/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh index 0863d3460d58f6932b9a0ddef78afe093f5bb29d..4feb08ed655afde848c6d7462bafaaff6554c22b 100644 --- a/scanners/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh +++ b/scanners/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh 
@@ -1,9 +1,9 @@ result=false -sysctl kernel.randomize_va_space|grep -Psq "^kernel\.randomize\_va\_space\s+=\s+2$" && grep -Psq "^kernel\.randomize_va_space\s*=\s*2" /run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf && result=true +sysctl kernel.randomize_va_space|grep -Psq "^kernel\.randomize\_va\_space\s+=\s+2$" && [[ -z $(grep -Phs "^kernel\.randomize_va_space\s*=\s*" /run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf | grep -Psv "^kernel\.randomize_va_space\s*=\s*2\b$") ]] && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" -fi \ No newline at end of file +fi diff --git a/scanners/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh b/scanners/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh index 627169ac6469d13438b4f4ef1558e6b39de6876a..da8c820af33f86f68a5f7169b01a782bfb65e472 100644 --- a/scanners/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh +++ b/scanners/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh @@ -2,7 +2,7 @@ result=false grep -Eiq '^\s*LEGACY\s*(\s+#.*)?$' /etc/crypto-policies/config || result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.16-ensure-sticky-bit-is-set-on-all-world-writable-directories.sh b/scanners/system-configurations/4.16-ensure-sticky-bit-is-set-on-all-world-writable-directories.sh index e1e8c4663c9b48419ec0b2f50cf02ac0a1a6c944..adfc90f464359cbab967e288e227f42540977e9c 100644 --- a/scanners/system-configurations/4.16-ensure-sticky-bit-is-set-on-all-world-writable-directories.sh +++ b/scanners/system-configurations/4.16-ensure-sticky-bit-is-set-on-all-world-writable-directories.sh 
@@ -1,6 +1,6 @@ result=`df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null` -if [ -z "$result" ] ; then +if [[ -z "$result" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.17-ensure-permissions-on-etc-passwd-are-configured.sh b/scanners/system-configurations/4.17-ensure-permissions-on-etc-passwd-are-configured.sh index ebf9c80b94a8d6670c7482f623eada7edb1b11a6..07f1178f1ff7214ec4bd27d59941821ebd8082f1 100644 --- a/scanners/system-configurations/4.17-ensure-permissions-on-etc-passwd-are-configured.sh +++ b/scanners/system-configurations/4.17-ensure-permissions-on-etc-passwd-are-configured.sh @@ -2,7 +2,7 @@ result=false stat -c "%a-%U-%G" /etc/passwd | grep -Pq '^[0-6][0-4][0-4]\-root\-root$' && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.18-ensure-permissions-on-etc-shadow-are-configured.sh b/scanners/system-configurations/4.18-ensure-permissions-on-etc-shadow-are-configured.sh index 051fee189bc251c0a2741a13fc4607ea5fc52596..10a26c34196533708efae8bd0c7cd6870b6f6fb9 100644 --- a/scanners/system-configurations/4.18-ensure-permissions-on-etc-shadow-are-configured.sh +++ b/scanners/system-configurations/4.18-ensure-permissions-on-etc-shadow-are-configured.sh @@ -2,7 +2,7 @@ result=false stat -c "%a-%U-%G" /etc/shadow | grep -Pq '^[0]\-root\-root$' && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.19-ensure-permissions-on-etc-group-are-configured.sh b/scanners/system-configurations/4.19-ensure-permissions-on-etc-group-are-configured.sh index f8268795f6d5f6fca8ba3eb010e01f7fa21dd7c0..4dae52514ac8d4b5f19a7392440ba5343ed05fcc 100644 --- a/scanners/system-configurations/4.19-ensure-permissions-on-etc-group-are-configured.sh 
+++ b/scanners/system-configurations/4.19-ensure-permissions-on-etc-group-are-configured.sh @@ -2,7 +2,7 @@ result=false stat -c "%a-%U-%G" /etc/group | grep -Pq '^[0-6][0-4][0-4]\-root\-root$' && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.2-ensure-local-login-warning-banner-is-configured-properly.sh b/scanners/system-configurations/4.2-ensure-local-login-warning-banner-is-configured-properly.sh index deb8015dc2779d607a4cfc6c678e6f369f22043d..bc3ee42f0b87af7e48614381608dda04d5e0b90f 100644 --- a/scanners/system-configurations/4.2-ensure-local-login-warning-banner-is-configured-properly.sh +++ b/scanners/system-configurations/4.2-ensure-local-login-warning-banner-is-configured-properly.sh @@ -2,7 +2,7 @@ result=false grep -Eiq "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/issue || result=true -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.20-ensure-permissions-on-etc-gshadow-are-configured.sh b/scanners/system-configurations/4.20-ensure-permissions-on-etc-gshadow-are-configured.sh index 05dcadb6c7a1f37bbd84a4ecb2067f9c5579f2d6..cec1409b5312d1bbf4403ed96da8af5e92eb6352 100644 --- a/scanners/system-configurations/4.20-ensure-permissions-on-etc-gshadow-are-configured.sh +++ b/scanners/system-configurations/4.20-ensure-permissions-on-etc-gshadow-are-configured.sh @@ -2,7 +2,7 @@ result=false stat -c "%a-%U-%G" /etc/gshadow | grep -Pq '^[0]\-root\-root$' && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" 
diff --git a/scanners/system-configurations/4.21-ensure-permissions-on-etc-passwd--are-configured.sh b/scanners/system-configurations/4.21-ensure-permissions-on-etc-passwd--are-configured.sh index 8a3349897c4dd5bd42350315bc99d2d1f63f4a1c..21944a03dda6a75f023d32eb621d49d464eb05f2 100644 --- a/scanners/system-configurations/4.21-ensure-permissions-on-etc-passwd--are-configured.sh +++ b/scanners/system-configurations/4.21-ensure-permissions-on-etc-passwd--are-configured.sh @@ -2,7 +2,7 @@ result=false stat -c "%a-%U-%G" /etc/passwd- | grep -Pq '^[0-6][0-4][0-4]\-root\-root$' && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.22-ensure-permissions-on-etc-shadow--are-configured.sh b/scanners/system-configurations/4.22-ensure-permissions-on-etc-shadow--are-configured.sh index b6ffb576826c2df55ccc94815d38e6a583c7616e..57c35620eb8c18a96a884be7ff0809aae3966b1f 100644 --- a/scanners/system-configurations/4.22-ensure-permissions-on-etc-shadow--are-configured.sh +++ b/scanners/system-configurations/4.22-ensure-permissions-on-etc-shadow--are-configured.sh @@ -2,7 +2,7 @@ result=false stat -c "%a-%U-%G" /etc/shadow- | grep -Pq '^[0]\-root\-root$' && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.23-ensure-permissions-on-etc-group--are-configured.sh b/scanners/system-configurations/4.23-ensure-permissions-on-etc-group--are-configured.sh index 283c77154bf502872bfb94a4b809390e05b3f8de..ce4a660b096b6515b01482669131f9945bf52a39 100644 --- a/scanners/system-configurations/4.23-ensure-permissions-on-etc-group--are-configured.sh +++ b/scanners/system-configurations/4.23-ensure-permissions-on-etc-group--are-configured.sh 
@@ -2,7 +2,7 @@ result=false stat -c "%a-%U-%G" /etc/group- | grep -Pq '^[0-6][0-4][0-4]\-root\-root$' && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.24-ensure-permissions-on-etc-gshadow--are-configured.sh b/scanners/system-configurations/4.24-ensure-permissions-on-etc-gshadow--are-configured.sh index eced746311a636d5aed708e7fc6c707d532267f8..6935dc97dc53143e9df01f0cbe752b40a896e41e 100644 --- a/scanners/system-configurations/4.24-ensure-permissions-on-etc-gshadow--are-configured.sh +++ b/scanners/system-configurations/4.24-ensure-permissions-on-etc-gshadow--are-configured.sh @@ -2,7 +2,7 @@ result=false stat -c "%a-%U-%G" /etc/gshadow- | grep -Pq '^[0]\-root\-root$' && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.25-ensure-no-world-writable-files-exist.sh b/scanners/system-configurations/4.25-ensure-no-world-writable-files-exist.sh index ae26bfc0b002c38701283539cab8e05663588a0e..2767e90d173f7a79e6c80dde3d721cc41235d6de 100644 --- a/scanners/system-configurations/4.25-ensure-no-world-writable-files-exist.sh +++ b/scanners/system-configurations/4.25-ensure-no-world-writable-files-exist.sh @@ -1,6 +1,6 @@ result=`df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002` -if [ -z "$result" ] ; then +if [[ -z "$result" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.26-ensure-no-unowned-files-or-directories-exist.sh b/scanners/system-configurations/4.26-ensure-no-unowned-files-or-directories-exist.sh index a556bacc75d66a75317363ede23985861af32a3f..b30007f1837c9b8b99224cbc7033e5cb4620099c 100644 --- a/scanners/system-configurations/4.26-ensure-no-unowned-files-or-directories-exist.sh +++ b/scanners/system-configurations/4.26-ensure-no-unowned-files-or-directories-exist.sh 
@@ -1,6 +1,6 @@ result=`df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser` -if [ -z "$result" ] ; then +if [[ -z "$result" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.27-ensure-no-ungrouped-files-or-directories-exist.sh b/scanners/system-configurations/4.27-ensure-no-ungrouped-files-or-directories-exist.sh index b1710521a56b85f5f170ea6ebe608e2f8fd8d8a1..3367243fc4b33d27fd1f7642c8dfa17ab004f0c4 100644 --- a/scanners/system-configurations/4.27-ensure-no-ungrouped-files-or-directories-exist.sh +++ b/scanners/system-configurations/4.27-ensure-no-ungrouped-files-or-directories-exist.sh @@ -1,6 +1,6 @@ result=`df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup` -if [ -z "$result" ] ; then +if [[ -z "$result" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.28-ensure-no-password-fields-are-not-empty.sh b/scanners/system-configurations/4.28-ensure-no-password-fields-are-not-empty.sh index db65d58b34fe4c7052a4d82db910722f69f00c2c..19b6df507e1029c667702f26a52a7e50592c0afa 100644 --- a/scanners/system-configurations/4.28-ensure-no-password-fields-are-not-empty.sh +++ b/scanners/system-configurations/4.28-ensure-no-password-fields-are-not-empty.sh @@ -1,6 +1,6 @@ result=`awk -F: '($2 == "" ) { print $1 " does not have a password "}' /etc/shadow` -if [ -z "$result" ] ; then +if [[ -z "$result" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.29-ensure-root-path-integrity.sh b/scanners/system-configurations/4.29-ensure-root-path-integrity.sh index bf985ff9f10b84cdc8470269d3774e092a818b09..40ff5e5b038b6a589516f96f28d38f1fff4dc143 100644 --- a/scanners/system-configurations/4.29-ensure-root-path-integrity.sh +++ b/scanners/system-configurations/4.29-ensure-root-path-integrity.sh 
@@ -13,7 +13,7 @@ for x in $(echo "$RPCV" | tr ":" " "); do fi done` -if [ -z "$result" ] ; then +if [[ -z "$result" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.3-ensure-remote-login-warning-banner-is-configured-properly.sh b/scanners/system-configurations/4.3-ensure-remote-login-warning-banner-is-configured-properly.sh index f45ba4556d179604f1f36dadc220cec5a33ac7ff..12f68026e415a02f86fba840b6c74bd9e26dfa0f 100644 --- a/scanners/system-configurations/4.3-ensure-remote-login-warning-banner-is-configured-properly.sh +++ b/scanners/system-configurations/4.3-ensure-remote-login-warning-banner-is-configured-properly.sh @@ -2,7 +2,7 @@ result=false grep -Eiq "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/issue.net || result=true -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.30-ensure-root-is-the-only-uid-0-account.sh b/scanners/system-configurations/4.30-ensure-root-is-the-only-uid-0-account.sh index 741be6ad6ca98aac98580f943433322a4b12e93b..5164024e0951d5ed45763e11b3bedfb8dfeb9394 100644 --- a/scanners/system-configurations/4.30-ensure-root-is-the-only-uid-0-account.sh +++ b/scanners/system-configurations/4.30-ensure-root-is-the-only-uid-0-account.sh @@ -1,6 +1,6 @@ result=`awk -F: '($3 == 0) { print $1 }' /etc/passwd` -if [ "$result" == "root" ] ; then +if [[ "$result" == "root" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.31-ensure-users-home-directories-permissions-are-750-or-more-restrictive.sh b/scanners/system-configurations/4.31-ensure-users-home-directories-permissions-are-750-or-more-restrictive.sh index 882905fe526e5abe0f05a7367d2fb755cbd4fabb..328731779214db20deb98d7d92ac6d3c7d95aa05 100644 --- a/scanners/system-configurations/4.31-ensure-users-home-directories-permissions-are-750-or-more-restrictive.sh 
+++ b/scanners/system-configurations/4.31-ensure-users-home-directories-permissions-are-750-or-more-restrictive.sh @@ -5,17 +5,17 @@ dir="" for i in $(awk -F: '($1!~/(halt|sync|shutdown)/ && $7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/) {print $1":"$6}' /etc/passwd); do user=$(echo "$i" | cut -d: -f1) dir=$(echo "$i" | cut -d: -f2) - if [ ! -d "$dir" ]; then - [ -z "$result" ] && result="false" + if [[ ! -d "$dir" ]]; then + [[ -z "$result" ]] && result="false" else dirperm=$(stat -L -c "%A" "$dir") - if [ "$(echo "$dirperm" | cut -c6)" != "-" ] || [ "$(echo "$dirperm" | cut -c8)" != "-" ] || [ "$(echo "$dirperm" | cut -c9)" != "-" ] || [ "$(echo "$dirperm" | cut -c10)" != "-" ]; then - [ -z "$result" ] && result="false" + if [[ "$(echo "$dirperm" | cut -c6)" != "-" ]] || [[ "$(echo "$dirperm" | cut -c8)" != "-" ]] || [[ "$(echo "$dirperm" | cut -c9)" != "-" ]] || [[ "$(echo "$dirperm" | cut -c10)" != "-" ]]; then + [[ -z "$result" ]] && result="false" fi fi done -if [ -z "$result" ] ; then +if [[ -z "$result" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.32-ensure-users-own-their-home-directories.sh b/scanners/system-configurations/4.32-ensure-users-own-their-home-directories.sh index e6480c445c616fe8d757f14a5a29a5873684f55b..222816eeb747ed779db63a9bd001282300246d56 100644 --- a/scanners/system-configurations/4.32-ensure-users-own-their-home-directories.sh +++ b/scanners/system-configurations/4.32-ensure-users-own-their-home-directories.sh 
@@ -5,17 +5,17 @@ dir="" for i in $( awk -F: '($1!~/(halt|sync|shutdown|nfsnobody)/ && $7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/) {print $1":"$6}' /etc/passwd); do user=$(echo "$i" | cut -d: -f1) dir=$(echo "$i" | cut -d: -f2) - if [ ! -d "$dir" ]; then - [ -z "$result" ] && result="false" + if [[ ! -d "$dir" ]]; then + [[ -z "$result" ]] && result="false" else owner="$(stat -L -c "%U" "$dir")" - if [ "$owner" != "$user" ] && [ "$owner" != "root" ]; then - [ -z "$result" ] && result="false" + if [[ "$owner" != "$user" ]] && [[ "$owner" != "root" ]]; then + [[ -z "$result" ]] && result="false" fi fi done -if [ -z "$result" ] ; then +if [[ -z "$result" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.33-ensure-users-dot-files-are-not-group-or-world-writable.sh b/scanners/system-configurations/4.33-ensure-users-dot-files-are-not-group-or-world-writable.sh index 7b4152256f62e81509777290961ba234f6f4e98c..14fefaa2f2e47659f96263630d2d85ba35ec00a7 100644 --- a/scanners/system-configurations/4.33-ensure-users-dot-files-are-not-group-or-world-writable.sh +++ b/scanners/system-configurations/4.33-ensure-users-dot-files-are-not-group-or-world-writable.sh 
@@ -5,21 +5,21 @@ dir="" for i in $(awk -F: '($1!~/(halt|sync|shutdown)/ && $7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/) {print $1":"$6}' /etc/passwd); do user=$(echo "$i" | cut -d: -f1) dir=$(echo "$i" | cut -d: -f2) - if [ ! -d "$dir" ]; then - [ -z "$result" ] && result="false" + if [[ ! -d "$dir" ]]; then + [[ -z "$result" ]] && result="false" else for file in "$dir"/.*; do - if [ ! -h "$file" ] && [ -f "$file" ]; then + if [[ ! -h "$file" ]] && [[ -f "$file" ]]; then fileperm=$(stat -L -c "%A" "$file") - if [ "$(echo "$fileperm" | cut -c6)" != "-" ] || [ "$(echo "$fileperm" | cut -c9)" != "-" ]; then - [ -z "$result" ] && result="false" + if [[ "$(echo "$fileperm" | cut -c6)" != "-" ]] || [[ "$(echo "$fileperm" | cut -c9)" != "-" ]]; then + [[ -z "$result" ]] && result="false" fi fi done fi done -if [ -z "$result" ] ; then +if [[ -z "$result" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.34-ensure-no-users-have-.forward-files.sh b/scanners/system-configurations/4.34-ensure-no-users-have-.forward-files.sh index 4e5bf8b7f7c05c53dc05503f261794878cd15991..1bb8ff6728edc8dffc92f58aaf00cbc50be90a87 100644 --- a/scanners/system-configurations/4.34-ensure-no-users-have-.forward-files.sh +++ b/scanners/system-configurations/4.34-ensure-no-users-have-.forward-files.sh 
@@ -5,17 +5,17 @@ dir="" for i in $(awk -F: '($1!~/(halt|sync|shutdown)/ && $7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/) {print $1":"$6}' /etc/passwd); do user=$(echo "$i" | cut -d: -f1) dir=$(echo "$i" | cut -d: -f2) - if [ ! -d "$dir" ]; then - [ -z "$result" ] && result="false" + if [[ ! -d "$dir" ]]; then + [[ -z "$result" ]] && result="false" else file="$dir/.forward" - if [ ! -h "$file" ] && [ -f "$file" ]; then - [ -z "$result" ] && result="false" + if [[ ! -h "$file" ]] && [[ -f "$file" ]]; then + [[ -z "$result" ]] && result="false" fi fi done -if [ -z "$result" ] ; then +if [[ -z "$result" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.35-ensure-no-users-have-.netrc-files.sh b/scanners/system-configurations/4.35-ensure-no-users-have-.netrc-files.sh index e8d10dbee7bfd00311f6b3ad88934f7b5811fdd1..3758ea525f7ad263ebaf346a1052792b47e25168 100644 --- a/scanners/system-configurations/4.35-ensure-no-users-have-.netrc-files.sh +++ b/scanners/system-configurations/4.35-ensure-no-users-have-.netrc-files.sh @@ -5,17 +5,17 @@ dir="" for i in $(awk -F: '($1!~/(halt|sync|shutdown)/ && $7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/) {print $1":"$6}' /etc/passwd); do user=$(echo "$i" | cut -d: -f1) dir=$(echo "$i" | cut -d: -f2) - if [ ! -d "$dir" ]; then - [ -z "$result" ] && result="false" + if [[ ! -d "$dir" ]]; then + [[ -z "$result" ]] && result="false" else file="$dir/.netrc" - if [ ! -h "$file" ] && [ -f "$file" ]; then - [ -z "$result" ] && result="false" + if [[ ! -h "$file" ]] && [[ -f "$file" ]]; then + [[ -z "$result" ]] && result="false" fi fi done -if [ -z "$result" ] ; then +if [[ -z "$result" ]] ; then echo "pass" else echo "fail" 
diff --git a/scanners/system-configurations/4.36-ensure-users-.netrc-files-are-not-group-or-world-accessible.sh b/scanners/system-configurations/4.36-ensure-users-.netrc-files-are-not-group-or-world-accessible.sh index a71fc34b1f4648f2f1eca23dd669c5f44824d005..cd387634190632e2e0625b46afdffce87e803817 100644 --- a/scanners/system-configurations/4.36-ensure-users-.netrc-files-are-not-group-or-world-accessible.sh +++ b/scanners/system-configurations/4.36-ensure-users-.netrc-files-are-not-group-or-world-accessible.sh @@ -5,19 +5,19 @@ dir="" for i in $(awk -F: '($1!~/(halt|sync|shutdown)/ && $7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/) {print $1":"$6}' /etc/passwd); do user=$(echo "$i" | cut -d: -f1) dir=$(echo "$i" | cut -d: -f2) - if [ ! -d "$dir" ]; then - [ -z "$result" ] && result="false" + if [[ ! -d "$dir" ]]; then + [[ -z "$result" ]] && result="false" else file="$dir/.netrc" - if [ ! -h "$file" ] && [ -f "$file" ]; then + if [[ ! -h "$file" ]] && [[ -f "$file" ]]; then if stat -L -c "%A" "$file" | cut -c4-10 | grep -Eq '[^-]+'; then - [ -z "$result" ] && result="false" + [[ -z "$result" ]] && result="false" fi fi fi done -if [ -z "$result" ] ; then +if [[ -z "$result" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.37-ensure-no-users-have-.rhosts-files.sh b/scanners/system-configurations/4.37-ensure-no-users-have-.rhosts-files.sh index aa3f13ce9cb031779b8276da49a09d3c5c34a3bb..a7ea78218a1c597fc1e42ce77c955eca7a30861b 100644 --- a/scanners/system-configurations/4.37-ensure-no-users-have-.rhosts-files.sh +++ b/scanners/system-configurations/4.37-ensure-no-users-have-.rhosts-files.sh 
@@ -5,17 +5,17 @@ dir="" for i in $(awk -F: '($1!~/(halt|sync|shutdown)/ && $7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/) {print $1":"$6}' /etc/passwd); do user=$(echo "$i" | cut -d: -f1) dir=$(echo "$i" | cut -d: -f2) - if [ ! -d "$dir" ]; then - [ -z "$result" ] && result="false" + if [[ ! -d "$dir" ]]; then + [[ -z "$result" ]] && result="false" else file="$dir/.rhosts" - if [ ! -h "$file" ] && [ -f "$file" ]; then - [ -z "$result" ] && result="false" + if [[ ! -h "$file" ]] && [ -f "$file" ]; then + [[ -z "$result" ]] && result="false" fi fi done -if [ -z "$result" ] ; then +if [[ -z "$result" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.38-ensure-all-groups-in-etc-passwd-exist-in-etc-group.sh b/scanners/system-configurations/4.38-ensure-all-groups-in-etc-passwd-exist-in-etc-group.sh index 24d954cf629b34483858f7bba4411f84974e7c8b..d59409dda52d5665a456e45ecdd0d6578ef2b7e7 100644 --- a/scanners/system-configurations/4.38-ensure-all-groups-in-etc-passwd-exist-in-etc-group.sh +++ b/scanners/system-configurations/4.38-ensure-all-groups-in-etc-passwd-exist-in-etc-group.sh @@ -2,12 +2,12 @@ result="" for i in $(cut -s -d: -f4 /etc/passwd | sort -u ); do grep -q -P "^.*?:[^:]*:$i:" /etc/group - if [ $? -ne 0 ]; then - [ -z "$result" ] && result="false" + if [[ $? -ne 0 ]]; then + [[ -z "$result" ]] && result="false" fi done -if [ -z "$result" ] ; then +if [[ -z "$result" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.39-ensure-no-duplicate-uids-exist.sh b/scanners/system-configurations/4.39-ensure-no-duplicate-uids-exist.sh index e636d79deeb3785b71eb9a963113ed306ae9ff70..f73ae43b70e3367cc8bdddf02bae3fbeacf84b13 100644 --- a/scanners/system-configurations/4.39-ensure-no-duplicate-uids-exist.sh +++ b/scanners/system-configurations/4.39-ensure-no-duplicate-uids-exist.sh 
@@ -1,12 +1,12 @@ result="" for i in $(cut -f3 -d":" /etc/passwd | sort -n | uniq -d); do -if [ -n "$i" ]; then +if [[ -n "$i" ]]; then result="false" fi done -if [ -z "$result" ] ; then +if [[ -z "$result" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh b/scanners/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh index dd58a16dd1e6c79731f581e33c4f08a424ac0b75..a227acd7efe812c846e7c794610d782b04025474 100644 --- a/scanners/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh +++ b/scanners/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh @@ -8,7 +8,7 @@ elif [[ -h /etc/motd ]] && [[ -f /var/lib/update-motd/motd ]] ; then stat -c "%a-%U-%G" /var/lib/update-motd/motd | grep -Pq '^[0-6][0-4][0-4]\-root\-root$' && stat -c "%U-%G" /etc/motd | grep -Pq '^root\-root$' && result=true fi -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.40-ensure-no-duplicate-gids-exist.sh b/scanners/system-configurations/4.40-ensure-no-duplicate-gids-exist.sh index 3c57362fa10fb260d250cd5ea67eb37d9b15e6a2..2418ea0903021fdc86dc7da77ef80d82f1fa3306 100644 --- a/scanners/system-configurations/4.40-ensure-no-duplicate-gids-exist.sh +++ b/scanners/system-configurations/4.40-ensure-no-duplicate-gids-exist.sh @@ -1,12 +1,12 @@ result="" for i in $(cut -d: -f3 /etc/group | sort | uniq -d); do -if [ -n "$i" ]; then +if [[ -n "$i" ]]; then result="false" fi done -if [ -z "$result" ] ; then +if [[ -z "$result" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.41-ensure-no-duplicate-user-names-exist.sh b/scanners/system-configurations/4.41-ensure-no-duplicate-user-names-exist.sh index ffe873c416ff77d255981c44e0e1bf1c40404705..8406358aa679b77ac55e6c2b06e47f19dd6b1487 100644 
--- a/scanners/system-configurations/4.41-ensure-no-duplicate-user-names-exist.sh +++ b/scanners/system-configurations/4.41-ensure-no-duplicate-user-names-exist.sh @@ -1,12 +1,12 @@ result="" for i in $(cut -d: -f1 /etc/passwd | sort | uniq -d); do -if [ -n "$i" ]; then +if [[ -n "$i" ]]; then result="false" fi done -if [ -z "$result" ] ; then +if [[ -z "$result" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.42-ensure-no-duplicate-group-names-exist.sh b/scanners/system-configurations/4.42-ensure-no-duplicate-group-names-exist.sh index 847a69e8bbd3c4612f81ccc147bf2667a8d92bd6..f1e063a16ea6acf68c0193f6d47ee13f5b90d8b6 100644 --- a/scanners/system-configurations/4.42-ensure-no-duplicate-group-names-exist.sh +++ b/scanners/system-configurations/4.42-ensure-no-duplicate-group-names-exist.sh @@ -1,12 +1,12 @@ result="" for i in $(cut -d: -f1 /etc/group | sort | uniq -d); do -if [ -n "$i" ]; then +if [[ -n "$i" ]]; then result="false" fi done -if [ -z "$result" ] ; then +if [[ -z "$result" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.43-ensure-all-users-home-directories-exist.sh b/scanners/system-configurations/4.43-ensure-all-users-home-directories-exist.sh index e34dc1f3ca6117f21948a56dacbf2a4c819669a2..e42dd4941bd946e8957a0098007158c7eadbc8d8 100644 --- a/scanners/system-configurations/4.43-ensure-all-users-home-directories-exist.sh +++ b/scanners/system-configurations/4.43-ensure-all-users-home-directories-exist.sh @@ -5,12 +5,12 @@ dir="" for i in $( awk -F: '($1!~/(halt|sync|shutdown|nfsnobody)/ && $7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/) {print $1":"$6}' /etc/passwd); do user=$(echo "$i" | cut -d: -f1) dir=$(echo "$i" | cut -d: -f2) - if [ ! -d "$dir" ]; then - [ -z "$result" ] && result="false" + if [[ ! -d "$dir" ]]; then + [[ -z "$result" ]] && result="false" fi done -if [ -z "$result" ] ; then +if [[ -z "$result" ]] ; then echo "pass" else echo "fail" 
diff --git a/scanners/system-configurations/4.44-ensure-sctp-is-disabled.sh b/scanners/system-configurations/4.44-ensure-sctp-is-disabled.sh index c8a4e6b3dd532888e660bf00f5f554751720f558..f9cd7d651bc13bd7ea5bf793b27aae9624857833 100644 --- a/scanners/system-configurations/4.44-ensure-sctp-is-disabled.sh +++ b/scanners/system-configurations/4.44-ensure-sctp-is-disabled.sh @@ -1,9 +1,9 @@ result=false modprobe -n -vq sctp && result="" -lsmod | grep -q sctp || { [ -z "$result" ] && result=true ; } +lsmod | grep -q sctp || { [[ -z "$result" ]] && result=true ; } -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.45-ensure-dccp-is-disabled.sh b/scanners/system-configurations/4.45-ensure-dccp-is-disabled.sh index 403c4086352613e82861bbccda04eb5c961b8b0f..134d90da22ac0e8f0891317877adb1d875e85353 100644 --- a/scanners/system-configurations/4.45-ensure-dccp-is-disabled.sh +++ b/scanners/system-configurations/4.45-ensure-dccp-is-disabled.sh @@ -1,9 +1,9 @@ result=false modprobe -n -vq dccp && result="" -lsmod | grep -q dccp || { [ -z "$result" ] && result=true ; } +lsmod | grep -q dccp || { [[ -z "$result" ]] && result=true ; } -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.46-ensure-wireless-interfaces-are-disabled.sh b/scanners/system-configurations/4.46-ensure-wireless-interfaces-are-disabled.sh index 6c3d54cad1353b6012fb53faa49ac469529f7df5..aa1406b19645b80346fac2d491f456c7aedf673a 100644 --- a/scanners/system-configurations/4.46-ensure-wireless-interfaces-are-disabled.sh +++ b/scanners/system-configurations/4.46-ensure-wireless-interfaces-are-disabled.sh 
@@ -6,7 +6,7 @@ if command -v nmcli >/dev/null 2>&1 ; then else echo "fail" fi -elif [ -n "$(find /sys/class/net/*/ -type d -name wireless)" ]; then +elif [[ -n "$(find /sys/class/net/*/ -type d -name wireless)" ]]; then t=0 mname=$(for driverdir in $(find /sys/class/net/*/ -type d -name wireless | xargs -0 dirname); do basename "$(readlink -f "$driverdir"/device/driver/module)";done | sort -u) for dm in $mname; do @@ -17,8 +17,8 @@ elif [ -n "$(find /sys/class/net/*/ -type d -name wireless)" ]; then fi done -[ "$t" -eq 0 ] && echo "pass" -[ "$t" -eq 1 ] && echo "fail" +[[ "$t" -eq 0 ]] && echo "pass" +[[ "$t" -eq 1 ]] && echo "fail" else echo "pass" fi \ No newline at end of file diff --git a/scanners/system-configurations/4.47-ensure-ip-forwarding-is-disabled.sh b/scanners/system-configurations/4.47-ensure-ip-forwarding-is-disabled.sh index 9e8813c5ebb64e137865b903d63fef784d2024c8..07f1c74de5418751ffdef7d3fd6877afe033aa08 100644 --- a/scanners/system-configurations/4.47-ensure-ip-forwarding-is-disabled.sh +++ b/scanners/system-configurations/4.47-ensure-ip-forwarding-is-disabled.sh 
@@ -1,10 +1,10 @@ result=false sysctl net.ipv4.ip_forward | grep -Psq "^net\.ipv4\.ip\_forward\s+=\s+0$" && sysctl net.ipv6.conf.all.forwarding | grep -Psq "^net\.ipv6\.conf\.all\.forwarding\s+=\s+0$" && result="" -[ -z "$result" ] && result=`grep -E -s "^\s*net\.ipv4\.ip_forward\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf` -[ -z "$result" ] && result=`grep -E -s "^\s*net\.ipv6\.conf\.all\.forwarding\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf` +[[ -z "$result" ]] && result=`grep -E -s "^\s*net\.ipv4\.ip_forward\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf` +[[ -z "$result" ]] && result=`grep -E -s "^\s*net\.ipv6\.conf\.all\.forwarding\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf` -if [ -z "$result" ] ; then +if [[ -z "$result" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.48-ensure-packet-redirect-sending-is-disabled.sh b/scanners/system-configurations/4.48-ensure-packet-redirect-sending-is-disabled.sh index a442f74a3606ef358ea2449ac7a0c379f6dc1c90..48190453638a4b6a045ccba53d4930385a06e9a4 100644 --- a/scanners/system-configurations/4.48-ensure-packet-redirect-sending-is-disabled.sh +++ b/scanners/system-configurations/4.48-ensure-packet-redirect-sending-is-disabled.sh @@ -2,7 +2,7 @@ result=false sysctl net.ipv4.conf.all.send_redirects | grep -Psq "^net\.ipv4\.conf\.all\.send\_redirects\s+=\s+0$" && sysctl net.ipv4.conf.default.send_redirects | grep -Psq "^net\.ipv4\.conf\.default\.send\_redirects\s+=\s+0$" && grep -Psq "net\.ipv4\.conf\.all\.send_redirects" /etc/sysctl.conf /etc/sysctl.d/* && grep -Psq "net\.ipv4\.conf\.default\.send_redirects" /etc/sysctl.conf /etc/sysctl.d/* && result=true -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" 
diff --git a/scanners/system-configurations/4.49-ensure-source-routed-packets-are-not-accepted.sh b/scanners/system-configurations/4.49-ensure-source-routed-packets-are-not-accepted.sh index d283245c55b24f35c7f39782a8c0c6af6bbda646..5795b4fcae79db963732662bdd6c653afea91dda 100644 --- a/scanners/system-configurations/4.49-ensure-source-routed-packets-are-not-accepted.sh +++ b/scanners/system-configurations/4.49-ensure-source-routed-packets-are-not-accepted.sh @@ -2,7 +2,7 @@ result=false sysctl net.ipv4.conf.all.accept_source_route | grep -Psq "^net\.ipv4\.conf\.all\.accept_source_route\s+=\s+0$" && sysctl net.ipv4.conf.default.accept_source_route | grep -Psq "^net\.ipv4\.conf\.default\.accept_source_route\s+=\s+0$" && grep -q "net\.ipv4\.conf\.all\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/* && grep -q "net\.ipv4\.conf\.default\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/* && sysctl net.ipv6.conf.all.accept_source_route | grep -Psq "^net\.ipv6\.conf\.all\.accept_source_route\s+=\s+0$" && sysctl net.ipv6.conf.default.accept_source_route | grep -Psq "^net\.ipv6\.conf\.default\.accept_source_route\s+=\s+0$" && grep -q "net\.ipv6\.conf\.all\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/* && grep -q "net\.ipv6\.conf\.default\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/* && result=true -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh b/scanners/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh index 95edca7aa3671c5c51e8f470bcb092ff1306cb46..3f24a2aebcda4d579dd798204374c44f4f1b0991 100644 --- a/scanners/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh +++ b/scanners/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh 
@@ -2,7 +2,7 @@ result=false stat -c "%a-%U-%G" /etc/issue | grep -Pq '^[0-6][0-4][0-4]\-root\-root$' && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.50-ensure-icmp-redirects-are-not-accepted.sh b/scanners/system-configurations/4.50-ensure-icmp-redirects-are-not-accepted.sh index 05e769950c1759b6bc4171086610405a8731c28b..9853da28c85ce2e64dec3a6da9f5e246d4ea1d0d 100644 --- a/scanners/system-configurations/4.50-ensure-icmp-redirects-are-not-accepted.sh +++ b/scanners/system-configurations/4.50-ensure-icmp-redirects-are-not-accepted.sh @@ -2,7 +2,7 @@ result=false sysctl net.ipv4.conf.all.accept_redirects | grep -Psq "^net\.ipv4\.conf\.all\.accept_redirects\s+=\s+0$" && sysctl net.ipv4.conf.default.accept_redirects | grep -Psq "^net\.ipv4\.conf\.default\.accept_redirects\s+=\s+0$" && grep -q "net\.ipv4\.conf\.all\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/* && grep -q "net\.ipv4\.conf\.default\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/* && sysctl net.ipv6.conf.all.accept_redirects | grep -Psq "^net\.ipv6\.conf\.all\.accept_redirects\s+=\s+0$" && sysctl net.ipv6.conf.default.accept_redirects | grep -Psq "^net\.ipv6\.conf\.default\.accept_redirects\s+=\s+0$" && grep -q "net\.ipv6\.conf\.all\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/* && grep -q "net\.ipv6\.conf\.default\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/* && result=true -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.51-ensure-secure-icmp-redirects-are-not-accepted.sh b/scanners/system-configurations/4.51-ensure-secure-icmp-redirects-are-not-accepted.sh index 3d2cc7cd960985808a335c85a77c32f6958e0c0a..29b55a6ed8961c42affcf46080623c2f77fc38c8 100644 --- a/scanners/system-configurations/4.51-ensure-secure-icmp-redirects-are-not-accepted.sh 
+++ b/scanners/system-configurations/4.51-ensure-secure-icmp-redirects-are-not-accepted.sh @@ -2,7 +2,7 @@ result=false sysctl net.ipv4.conf.all.secure_redirects | grep -Psq "^net\.ipv4\.conf\.all\.secure_redirects\s+=\s+0$" && sysctl net.ipv4.conf.default.secure_redirects | grep -Psq "^net\.ipv4\.conf\.default\.secure_redirects\s+=\s+0$" && grep -q "net\.ipv4\.conf\.all\.secure_redirects" /etc/sysctl.conf /etc/sysctl.d/* && grep -q "net\.ipv4\.conf\.default\.secure_redirects" /etc/sysctl.conf /etc/sysctl.d/* && result=true -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.52-ensure-suspicious-packets-are-logged.sh b/scanners/system-configurations/4.52-ensure-suspicious-packets-are-logged.sh index a9e233c6d81329562deb19cc8811dbaca4191102..40ca3fefa931de290eac4f4b82785d328be562b8 100644 --- a/scanners/system-configurations/4.52-ensure-suspicious-packets-are-logged.sh +++ b/scanners/system-configurations/4.52-ensure-suspicious-packets-are-logged.sh @@ -2,7 +2,7 @@ result=false sysctl net.ipv4.conf.all.log_martians | grep -Psq "^net\.ipv4\.conf\.all\.log_martians\s+=\s+1$" && sysctl net.ipv4.conf.default.log_martians | grep -Psq "^net\.ipv4\.conf\.default\.log_martians\s+=\s+1$" && grep -q "net\.ipv4\.conf\.all\.log_martians" /etc/sysctl.conf /etc/sysctl.d/* && grep -q "net\.ipv4\.conf\.default\.log_martians" /etc/sysctl.conf /etc/sysctl.d/* && result=true -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.sh b/scanners/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.sh index 1b00d61d5fc4134d49cd7d99f1c354255986e9e3..fb1cace282f3c503087d52a708c93b6aeba7f568 100644 --- a/scanners/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.sh 
+++ b/scanners/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.sh @@ -1,9 +1,9 @@ result=false result=`grep -E -s "^\s*net\.ipv4\.icmp_echo_ignore_broadcasts\s*=\s*0" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf` -[ -z "$result" ] && sysctl net.ipv4.icmp_echo_ignore_broadcasts | grep -Psq "^net\.ipv4\.icmp_echo_ignore_broadcasts\s+=\s+1$" && result=true +[[ -z "$result" ]] && sysctl net.ipv4.icmp_echo_ignore_broadcasts | grep -Psq "^net\.ipv4\.icmp_echo_ignore_broadcasts\s+=\s+1$" && result=true -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.sh b/scanners/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.sh index d2b6bfd97b9057c846e164999a15b82345bef20d..63c314a44e764f6531fcf7670f1886e0ffc666a5 100644 --- a/scanners/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.sh +++ b/scanners/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.sh @@ -1,9 +1,9 @@ result=false result=`grep -E -s "^\s*net\.ipv4\.icmp_ignore_bogus_error_responses\s*=\s*0" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf` -[ -z "$result" ] && sysctl net.ipv4.icmp_ignore_bogus_error_responses | grep -Psq "^net\.ipv4\.icmp_ignore_bogus_error_responses\s+=\s+1$" && result=true +[[ -z "$result" ]] && sysctl net.ipv4.icmp_ignore_bogus_error_responses | grep -Psq "^net\.ipv4\.icmp_ignore_bogus_error_responses\s+=\s+1$" && result=true -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.55-ensure-reverse-path-filtering-is-enabled.sh b/scanners/system-configurations/4.55-ensure-reverse-path-filtering-is-enabled.sh index 904b893426a8ceb7b0df4f52571a7cd4f74c9e68..7deb0cf0979169ae9e92d255ea351f61540c79d8 100644 
--- a/scanners/system-configurations/4.55-ensure-reverse-path-filtering-is-enabled.sh +++ b/scanners/system-configurations/4.55-ensure-reverse-path-filtering-is-enabled.sh @@ -1,9 +1,9 @@ result=false result=`grep -E -s "^\s*net\.ipv4\.conf\.all\.rp_filter\s*=\s*0" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf` -[ -z "$result" ] && sysctl net.ipv4.conf.all.rp_filter | grep -Psq "^net\.ipv4\.conf\.all\.rp_filter\s+=\s+1$" && sysctl net.ipv4.conf.default.rp_filter | grep -Psq "^net\.ipv4\.conf\.default\.rp_filter\s+=\s+1$" && grep -E -sq "^\s*net\.ipv4\.conf\.default\.rp_filter\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf && result=true +[[ -z "$result" ]] && sysctl net.ipv4.conf.all.rp_filter | grep -Psq "^net\.ipv4\.conf\.all\.rp_filter\s+=\s+1$" && sysctl net.ipv4.conf.default.rp_filter | grep -Psq "^net\.ipv4\.conf\.default\.rp_filter\s+=\s+1$" && grep -E -sq "^\s*net\.ipv4\.conf\.default\.rp_filter\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf && result=true -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.56-ensure-tcp-syn-cookies-is-enabled.sh b/scanners/system-configurations/4.56-ensure-tcp-syn-cookies-is-enabled.sh index 4e53ba18436dba79d9d75b361bfcdc53580c380f..56013846bb857fbfb57df96681d5317cab12ab2a 100644 --- a/scanners/system-configurations/4.56-ensure-tcp-syn-cookies-is-enabled.sh +++ b/scanners/system-configurations/4.56-ensure-tcp-syn-cookies-is-enabled.sh 
@@ -1,9 +1,9 @@ result=false result=`grep -E -r "^\s*net\.ipv4\.tcp_syncookies\s*=\s*[02]" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf` -[ -z "$result" ] && sysctl net.ipv4.tcp_syncookies | grep -Psq "^net\.ipv4\.tcp_syncookies\s+=\s+1$" && result=true +[[ -z "$result" ]] && sysctl net.ipv4.tcp_syncookies | grep -Psq "^net\.ipv4\.tcp_syncookies\s+=\s+1$" && result=true -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.57-ensure-ipv6-router-advertisements-are-not-accepted.sh b/scanners/system-configurations/4.57-ensure-ipv6-router-advertisements-are-not-accepted.sh index 7aed531c7a6559488bd67bf0412298cc6e3b9d89..6eb63572aec66300c8bbdf317fc5aa2a14498fcf 100644 --- a/scanners/system-configurations/4.57-ensure-ipv6-router-advertisements-are-not-accepted.sh +++ b/scanners/system-configurations/4.57-ensure-ipv6-router-advertisements-are-not-accepted.sh @@ -2,7 +2,7 @@ result=false sysctl net.ipv6.conf.all.accept_ra | grep -Psq "^net\.ipv6\.conf\.all.accept_ra\s+=\s+0$" && sysctl net.ipv6.conf.default.accept_ra | grep -Psq "^net\.ipv6\.conf\.default\.accept_ra\s+=\s+0$" && grep -q "net\.ipv6\.conf\.all\.accept_ra" /etc/sysctl.conf /etc/sysctl.d/* && grep -q "net\.ipv6\.conf\.default\.accept_ra" /etc/sysctl.conf /etc/sysctl.d/* && result=true -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh b/scanners/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh index 3754a3ccbdc098ae9e75991e5a304f5222051533..783c1a23a29005a7d4d05bb8bef75699772f1451 100644 --- a/scanners/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh +++ b/scanners/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh 
@@ -1,10 +1,10 @@ result="" rpm -qa | grep -Psq "^iptables\-.*" && rpm -qa | grep -Psq "^iptables\-services.*" && result=true -[ -z "$result" ] && rpm -q nftables | grep -Psq "^nftables\-.*" && result=true -[ -z "$result" ] && rpm -q firewalld | grep -Psq "^firewalld\-.*" && result=true +[[ -z "$result" ]] && rpm -q nftables | grep -Psq "^nftables\-.*" && result=true +[[ -z "$result" ]] && rpm -q firewalld | grep -Psq "^firewalld\-.*" && result=true -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh b/scanners/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh index ba60bf34df155db7d70dd027e7f7abdc1376ae03..088b0948ed7ae4bd6688deabdfbfc7105e6d25fd 100644 --- a/scanners/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh +++ b/scanners/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh @@ -2,7 +2,7 @@ result=false [[ $(systemctl list-unit-files | grep firewalld) ]] && systemctl is-enabled firewalld | grep -Psq "^enabled$" && firewall-cmd --state -q && result=true -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh b/scanners/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh index ee5dfd4812c94bc2a7e6b4683a665a4254a66b0c..2b18f4789aa10c9404f613ed5ceb77e456e4b05e 100644 --- a/scanners/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh +++ b/scanners/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh @@ -2,7 +2,7 @@ result=false stat -c "%a-%U-%G" /etc/issue.net | grep -Pq '^[0-6][0-4][0-4]\-root\-root$' && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" 
diff --git a/scanners/system-configurations/4.60-ensure-iptables-is-not-enabled.sh b/scanners/system-configurations/4.60-ensure-iptables-is-not-enabled.sh index d4e3483f0828bab2f4e94c49fb593c30d05c90d9..df2ec0465c81958b65d7fc950f6a11de10b61a09 100644 --- a/scanners/system-configurations/4.60-ensure-iptables-is-not-enabled.sh +++ b/scanners/system-configurations/4.60-ensure-iptables-is-not-enabled.sh @@ -5,7 +5,7 @@ result="" rpm -q iptables-services | grep -Psq "^iptables\-services.*" || result=true [[ -z "$result" ]] && systemctl is-enabled iptables | grep -Psiq "(disabled|masked)" && result=true -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.61-ensure-nftables-is-not-enabled.sh b/scanners/system-configurations/4.61-ensure-nftables-is-not-enabled.sh index f4b89a9272450a83fd980b3dce4115d979f5e41e..c100d5ed0ab7ea943325baf5dea8d3539d1f1e67 100644 --- a/scanners/system-configurations/4.61-ensure-nftables-is-not-enabled.sh +++ b/scanners/system-configurations/4.61-ensure-nftables-is-not-enabled.sh @@ -5,7 +5,7 @@ result="" rpm -q nftables | grep -Psq "^nftables\-.*" || result=true [[ -z "$result" ]] && systemctl is-enabled nftables | grep -Psiq "(disabled|masked)" && result=true -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.62-ensure-nftables-service-is-enabled.sh b/scanners/system-configurations/4.62-ensure-nftables-service-is-enabled.sh index 047efba87110d9c2d922dafe4eeab4e193a6849e..766737e333791d43051f18001765312465ebb043 100644 --- a/scanners/system-configurations/4.62-ensure-nftables-service-is-enabled.sh +++ b/scanners/system-configurations/4.62-ensure-nftables-service-is-enabled.sh 
@@ -2,7 +2,7 @@ result=false rpm -q nftables | grep -Psq "^nftables\-.*" && systemctl is-enabled nftables | grep -Psiq "^enabled$" && result=true -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.63-ensure-iptables-packages-are-installed.sh b/scanners/system-configurations/4.63-ensure-iptables-packages-are-installed.sh index d9039ebf53494749ae7e97210a5c0409c6ac06ae..50f695245c8ac509474926d7e0a4832b6e7b34ba 100644 --- a/scanners/system-configurations/4.63-ensure-iptables-packages-are-installed.sh +++ b/scanners/system-configurations/4.63-ensure-iptables-packages-are-installed.sh @@ -2,7 +2,7 @@ result=false rpm -qa | grep -Psq "^iptables\-.*" && rpm -q iptables-services | grep -Psq "^iptables\-services\-.*" && result=true -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.64-ensure-nftables-is-not-installed.sh b/scanners/system-configurations/4.64-ensure-nftables-is-not-installed.sh index fda3fa813a9ef155ddc0fcbaaf28283245e0f45b..7bc4cd05550e4ca2fdd0632955ad2ac66649ab4e 100644 --- a/scanners/system-configurations/4.64-ensure-nftables-is-not-installed.sh +++ b/scanners/system-configurations/4.64-ensure-nftables-is-not-installed.sh @@ -3,7 +3,7 @@ result=false rpm -q nftables | grep -Psiq "^package\s+nftables\s+is\s+not\s+installed$" && result=true -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh b/scanners/system-configurations/4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh index b119582babc9bc2b8ddc4c8f18c10fe9f8911820..de4d417fd18035dffa72ba3e105844a1e8c5038e 100644 --- a/scanners/system-configurations/4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh 
+++ b/scanners/system-configurations/4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh @@ -2,9 +2,9 @@ export LANG="en_US.UTF-8" result="" rpm -q firewalld | grep -Psiq "^package\s+firewalld\s+is\s+not\s+installed$" && result=true -[ -z "$result" ] && systemctl is-enabled firewalld | grep -Psiq "(disabled|masked)" && result=true +[[ -z "$result" ]] && systemctl is-enabled firewalld | grep -Psiq "(disabled|masked)" && result=true -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.66-ensure-system-histsize-as-100-or-other.sh b/scanners/system-configurations/4.66-ensure-system-histsize-as-100-or-other.sh index e05da358cd164d979994a934ed7320c9a6da29af..6e64dec127f3d9b41745b15c0d36a86ca3fbfbc9 100755 --- a/scanners/system-configurations/4.66-ensure-system-histsize-as-100-or-other.sh +++ b/scanners/system-configurations/4.66-ensure-system-histsize-as-100-or-other.sh @@ -1,10 +1,6 @@ #!/bin/bash source /etc/profile -HIST=`echo $HISTSIZE` -HIST_FILE=`grep -iP "^HISTSIZE" /etc/profile` +HIST=$(echo $HISTSIZE | awk '($1 > 100 || $1 == "" ) {print 1}') +HIST_FILE=$(grep -P "^HISTSIZE\b\=[0-9]+\b" /etc/profile | grep -Po "\b[0-9]+\b" | awk '($1 > 100 || $1 == "" ) {print 1}') -if [[ $HIST == "100" ]] && [[ $HIST_FILE == "HISTSIZE=100" ]];then - echo "pass" -else - echo "fail" -fi +[[ -z $HIST && -z $HIST_FILE ]] && echo 'pass' || echo 'fail' \ No newline at end of file diff --git a/scanners/system-configurations/4.67-ensure-system-histfilesize-100.sh b/scanners/system-configurations/4.67-ensure-system-histfilesize-100.sh index d8c3b930be9b361fcf20d91f7192690540a32514..d425e99eabb86ba2db417d86cc33b22ad4900a4e 100755 --- a/scanners/system-configurations/4.67-ensure-system-histfilesize-100.sh +++ b/scanners/system-configurations/4.67-ensure-system-histfilesize-100.sh 
@@ -1,10 +1,6 @@ #!/bin/bash source /etc/profile -HIST=`echo $HISTFILESIZE` -HIST_FILE=`grep -iP "^HISTFILESIZE" /etc/profile` +HIST=$(echo $HISTFILESIZE | awk '($1 > 100 || $1 == "" ) {print 1}') +HIST_FILE=$(grep -P "^HISTFILESIZE\b\=[0-9]+\b" /etc/profile | grep -Po "\b[0-9]+\b" | awk '($1 > 100 || $1 == "" ) {print 1}') -if [[ $HIST == "100" ]] && [[ $HIST_FILE == "HISTFILESIZE=100" ]];then - echo "pass" -else - echo "fail" -fi +[[ -z $HIST && -z $HIST_FILE ]] && echo 'pass' || echo 'fail' \ No newline at end of file diff --git a/scanners/system-configurations/4.68-ensure-permissions-TMP-is-correct.sh b/scanners/system-configurations/4.68-ensure-permissions-TMP-is-correct.sh index 34ab3ca92a9c6f02571a6fa93fe9033828746246..7cfb93d85db8968119946805823fbc53dc78d716 100644 --- a/scanners/system-configurations/4.68-ensure-permissions-TMP-is-correct.sh +++ b/scanners/system-configurations/4.68-ensure-permissions-TMP-is-correct.sh @@ -2,7 +2,7 @@ ls -l / | grep tmp | grep rwt >> /dev/null -if [ $? == 0 ];then +if [[ $? == 0 ]];then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh b/scanners/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh index 9f9867416d29e6fa951e6f6e72cd88aea66bd100..14d7931e018f31f921d177fc71c185eb8e1907f7 100644 --- a/scanners/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh +++ b/scanners/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh @@ -4,7 +4,7 @@ result=true grep -Eisq '^\s*Enable\s*=\s*true' /etc/gdm/custom.conf && result=false -if [ "$result" == true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.8-ensure-aide-is-installed.sh b/scanners/system-configurations/4.8-ensure-aide-is-installed.sh index 4457216baf4dff6ac3a46c2b533e5834d26c0248..6e0624b668f72b7c5f975d3bbb9c2caa7c6ed8a9 100644 --- a/scanners/system-configurations/4.8-ensure-aide-is-installed.sh 
+++ b/scanners/system-configurations/4.8-ensure-aide-is-installed.sh @@ -2,7 +2,7 @@ result=false rpm -q aide | grep -Piq aide-.* && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh b/scanners/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh index 5b5bf0a6782b70d23c86972339d8cc68c18eba2f..9f6097f6dc8de4c357b8f380612c446428d9ebf9 100644 --- a/scanners/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh +++ b/scanners/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh @@ -1,8 +1,8 @@ result=false -if [ -e /var/spool/cron/root ]; then +if [[ -e /var/spool/cron/root ]]; then grep -Piq "^([-0-9*\/,A-Za-z]+\s+){5}([^#\n\r]+\h+)?\/usr\/sbin\/aide\h+([^#\n\r]+\h+)?--(check|update)\b.*$" /var/spool/cron/root && result=true - if [ "$result" = true ] ; then + if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail"
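Review bot: the `[ ... ]` to `[[ ... ]]` conversion makes these scanners bash-only, yet the tcp_syncookies hunk, the 4.58 firewall-package hunk and the 4.9 aide-cron hunk all start at line 1 (`result=false` / `result=""`) with no `#!/bin/bash` shebang in sight, so invoking them as `sh scanner.sh` on a host where `sh` is dash will die with a syntax error on `[[`. Either add the shebang that 4.66 and 4.67 already carry, or keep the POSIX `[ "$result" = true ]` form for files that have none.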
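Review bot: in the 4.57 accept_ra hunk the persistence checks `grep -q "net\.ipv6\.conf\.all\.accept_ra" /etc/sysctl.conf /etc/sysctl.d/*` (and the `default` twin) match a commented-out line or a line setting the value to 1, so a host whose config file says `# net.ipv6.conf.all.accept_ra = 1` passes as long as the running kernel happens to be 0. Anchor and check the value the way the tcp_syncookies scanner in the same patch does, e.g. `grep -Eq '^\s*net\.ipv6\.conf\.all\.accept_ra\s*=\s*0' /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf`, and escape the dot in `all.accept_ra` in the `sysctl` grep for consistency with the other patterns.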
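Review bot: the mode regex in the 4.6 `/etc/issue.net` hunk, `'^[0-6][0-4][0-4]\-root\-root$'`, is looser than "644 or more restrictive": it accepts owner digits 1, 3 and 5 (execute bit) and group/other digits 1, 2 and 3 (execute and write bits), so a 622 or 133 file passes. Restrict each digit to the values that contain no bit outside 0644, `'^[0246][04][04]-root-root$'`, and consider `stat -Lc` so a symlinked file is resolved rather than the link itself being checked.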
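Review bot: the 4.65 firewalld hunk checks only `systemctl is-enabled firewalld | grep -Psiq "(disabled|masked)"`, although the file name promises "stopped and masked"; a unit that is `disabled` but currently running, or `masked` yet still active until reboot, both pass. Require the masked state explicitly and add a runtime check, e.g. `systemctl is-enabled firewalld | grep -q '^masked' && ! systemctl is-active --quiet firewalld && result=true`.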
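Review bot: the rewritten 4.66 HISTSIZE check passes when /etc/profile contains no HISTSIZE line at all. `HIST_FILE=$(grep -P "^HISTSIZE\b\=[0-9]+\b" /etc/profile | ... | awk '($1 > 100 || $1 == "") {print 1}')` feeds awk zero records on a miss, so the `$1 == ""` branch never fires and `HIST_FILE` stays empty, which the final `[[ -z $HIST && -z $HIST_FILE ]]` treats as compliant; the old version at least demanded `HISTSIZE=100` in the file. Test for the empty grep result before the awk (or compare the captured number in bash), and decide whether `HISTSIZE=0`, which disables history entirely and satisfies `$1 > 100` being false, should really count as a pass. The `^HISTSIZE` anchor also misses `export HISTSIZE=...` and leading whitespace, and the file now lacks a trailing newline.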
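Review bot: the 4.67 HISTFILESIZE hunk has the identical defect as 4.66: an absent `HISTFILESIZE` line yields no awk records, leaves `HIST_FILE` empty and therefore passes, and a value of 0 is accepted; apply the same fix to both scripts in one go and restore the trailing newline.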
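Review bot: the 4.68 /tmp hunk keeps `ls -l / | grep tmp | grep rwt >> /dev/null` and only modernises the `$?` test; that pipeline matches any top-level entry whose name contains `tmp` and depends on the `ls` column layout. Bash can test the sticky bit directly, `[[ -d /tmp && -k /tmp ]]`, and `stat -c '%a' /tmp | grep -q '^1777$'` verifies the full mode; either is also a plain `>` redirect rather than an append to /dev/null.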
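Review bot: the 4.70 XDMCP hunk's `grep -Eisq '^\s*Enable\s*=\s*true' /etc/gdm/custom.conf` is not scoped to the `[xdmcp]` section, so an `Enable=true` under any other section of custom.conf flips `result=false`. A section-aware match avoids the false positive, e.g. `awk '/^\[xdmcp\]/{s=1;next} /^\[/{s=0} s && /^[[:space:]]*Enable[[:space:]]*=[[:space:]]*true/{f=1} END{exit !f}' /etc/gdm/custom.conf && result=false`.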
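Review bot: in the 4.8 aide hunk the pattern in `rpm -q aide | grep -Piq aide-.*` is unquoted, so the shell may glob-expand `aide-.*` against the working directory before grep sees it; quote and anchor it, `grep -Pq '^aide-'`, which also mirrors the `^nftables\-` style used by the neighbouring scanners.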
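Review bot: the 4.9 integrity-check hunk still inspects only `/var/spool/cron/root`; an aide job scheduled in `/etc/crontab`, `/etc/cron.d/*` or via a systemd timer is not seen and reports `fail`. Extend the grep to `/etc/crontab /etc/cron.d/*` and add a `systemctl list-timers` (or `is-enabled` on the aide timer unit) branch before concluding that no regular check exists.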