From 3ecbf8dac6c9c58c132385480e62b5eade9e5f77 Mon Sep 17 00:00:00 2001 
From: YuQing Yang Date: Thu, 29 Feb 2024 17:40:27 +0800 Subject: [PATCH 1/2] sshd_config related rule script optimization and bug fixes Fixes: #I94I8C Benchmarks 1.13 Modified the regular expression of the detection script, added \b anchor to fix the issue where parameters followed by non-compliant characters can still pass, making the check more rigorous. 1.15 Modified the regular expression of the detection script, added \b anchor to fix the issue where parameters followed by non-compliant characters can still pass, making the check more rigorous. 1.16 Modified the regular expression of the detection script, added \b anchor to fix the issue where parameters followed by non-compliant characters can still pass, making the check more rigorous. 1.18 Fixed the description error in detection output; modified the regular expression of the detection script, added \b anchor to fix the issue where parameters followed by non-compliant characters can still pass, making the check more rigorous. 1.19 Fixed the description error in detection output; modified the regular expression of the detection script, added \b anchor to fix the issue where parameters followed by non-compliant characters can still pass, making the check more rigorous. 1.24 Added parameter descriptions; modified the detection script to make the check more rigorous. 1.41 Modified the detection script to make the check more rigorous. 1.50 Modified the regular expression of the detection script, added \b anchor to fix the issue where parameters followed by non-compliant characters can still pass, making the check more rigorous. Remediation Kits 1.20 Fixed a numerical bug. Scanners 1.13 Rewrote the detection script to accommodate various scenarios such as default, empty configuration, and error configuration. 1.14 Rewrote the detection script to optimize numerical comparison code and accommodate various scenarios such as default, empty configuration, and error configuration. 
1.15 Rewrote the detection script to accommodate various scenarios such as default, empty configuration, and error configuration. 1.16 Rewrote the detection script to accommodate various scenarios such as default, empty configuration, and error configuration. 1.17 Rewrote the detection script to accommodate various scenarios such as default, empty configuration, and error configuration. 1.18 Rewrote the detection script to accommodate various scenarios such as default, empty configuration, and error configuration. 1.19 Rewrote the detection script to accommodate various scenarios such as default, empty configuration, and error configuration. 1.20 Rewrote the detection script to accommodate various scenarios such as default, empty configuration, and error configuration. 1.21 Rewrote the detection script to support the configuration format of parameter minutes "xm"; optimized numerical comparison code; accommodated various scenarios such as default, empty configuration, and error configuration. 1.22 Rewrote the detection script to accommodate various scenarios such as default, empty configuration, and error configuration. 1.23 Rewrote the detection script to accommodate various scenarios such as default, empty configuration, and error configuration. 1.24 Rewrote the detection script to add judgments for illegal parameters (parameter 3 cannot be less than parameter 1); optimized numerical comparison code; accommodated various scenarios such as default, empty configuration, and error configuration. 1.25 Rewrote the detection script to optimize numerical comparison code and accommodate various scenarios such as default, empty configuration, and error configuration. 1.41 Rewrote the detection script to optimize numerical comparison code. 1.47 Rewrote the detection script to optimize numerical comparison code and accommodate various scenarios such as default, empty configuration, and error configuration. 
1.50 Rewrote the detection script to accommodate various scenarios such as default, empty configuration, and error configuration. Signed-off-by: YuQing Yang --- ...1.13-ensure-ssh-loglevel-is-appropriate.md | 8 +++-- ...1.15-ensure-ssh-ignorerhosts-is-enabled.md | 4 +-- ...ssh-hostbasedauthentication-is-disabled.md | 4 +-- ...re-ssh-permitemptypasswords-is-disabled.md | 7 ++--- ...e-ssh-permituserenvironment-is-disabled.md | 6 ++-- ...24-ensure-ssh-maxstartups-is-configured.md | 10 +++--- .../1.41-ensure-ssh-server-use-protocol_2.md | 4 +-- ...0-ensure-ssh-x11-forwarding-is-disabled.md | 6 ++-- ...ssh-idle-timeout-interval-is-configured.sh | 4 +-- ...1.13-ensure-ssh-loglevel-is-appropriate.sh | 12 +++---- ...re-ssh-maxauthtries-is-set-to-4-or-less.sh | 12 +++---- ...1.15-ensure-ssh-ignorerhosts-is-enabled.sh | 12 +++---- ...ssh-hostbasedauthentication-is-disabled.sh | 12 +++---- .../1.17-ensure-ssh-root-login-is-disabled.sh | 12 +++---- ...re-ssh-permitemptypasswords-is-disabled.sh | 12 +++---- ...e-ssh-permituserenvironment-is-disabled.sh | 12 +++---- ...ssh-idle-timeout-interval-is-configured.sh | 31 +++++++++---------- ...ngracetime-is-set-to-one-minute-or-less.sh | 26 ++++++++++------ ...ensure-ssh-warning-banner-is-configured.sh | 11 +++---- .../1.23-ensure-ssh-pam-is-enabled.sh | 11 +++---- ...24-ensure-ssh-maxstartups-is-configured.sh | 22 ++++++++++--- ...re-ssh-maxsessions-is-set-to-10-or-less.sh | 15 +++------ .../1.41-ensure-ssh-server-use-protocol_2.sh | 16 ++++------ ...-maxauthtries-is-set-to-between-3-and-5.sh | 12 +++---- ...0-ensure-ssh-x11-forwarding-is-disabled.sh | 12 +++---- 25 files changed, 131 insertions(+), 162 deletions(-) diff --git a/benchmarks/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.md b/benchmarks/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.md index ab89b9f..fd558bb 100644 --- a/benchmarks/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.md 
+++ b/benchmarks/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.md @@ -42,9 +42,11 @@ LogLevel INFO 1. 执行以下命令,验证`SSH`的`LogLevel`配置是否正确: ```bash -# sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep loglevel -loglevel VERBOSE or loglevel INFO -# grep -i 'loglevel' /etc/ssh/sshd_config | grep -Evi '(VERBOSE|INFO)' +# sshd -T | grep -P "^loglevel\b" +loglevel VERBOSE +or +loglevel INFO +# grep -Pi '^\s*loglevel\b' /etc/ssh/sshd_config | grep -Pvi '(\bVERBOSE\b|\bINFO\b)' Nothing should be returned ``` diff --git a/benchmarks/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.md b/benchmarks/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.md index 4a90dae..37ca6cc 100644 --- a/benchmarks/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.md +++ b/benchmarks/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.md @@ -31,9 +31,9 @@ IgnoreRhosts yes 1. 执行以下命令,验证`SSH`的`IgnoreRhosts`配置是否正确: ```bash -# sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep ignorerhosts +# sshd -T | grep -Pi "^ignorerhosts\b" ignorerhosts yes -# grep -Ei '^\s*ignorerhosts\s+no\b' /etc/ssh/sshd_config +# grep -Pi '^\s*ignorerhosts' /etc/ssh/sshd_config | grep -Pvi '\byes\b' Nothing is returned ``` diff --git a/benchmarks/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.md b/benchmarks/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.md index 7072746..77318b4 100644 --- a/benchmarks/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.md +++ b/benchmarks/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.md 
@@ -29,9 +29,9 @@ HostbasedAuthentication no 1. 执行以下命令,验证`SSH`的`HostbasedAuthentication`配置是否正确: ```bash -# sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep hostbasedauthentication +# sshd -T | grep -Pi "^hostbasedauthentication\b" hostbasedauthentication no -# grep -Ei '^\s*HostbasedAuthentication\s+yes' /etc/ssh/sshd_config +# grep -Pi '^\s*hostbasedauthentication\b' /etc/ssh/sshd_config | grep -Pvi '\bno\b' Nothing is returned ``` diff --git a/benchmarks/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.md b/benchmarks/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.md index 19a9228..95a11f6 100644 --- a/benchmarks/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.md +++ b/benchmarks/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.md @@ -29,13 +29,12 @@ PermitEmptyPasswords no 1. 执行以下命令,验证`SSH`的`PermitEmptyPasswords`配置是否正确: ```bash -# sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep permitemptypasswords +# sshd -T | grep -Pi "^permitemptypasswords\b" permitemptypasswords no -# grep -Ei '^\s*PermitEmptyPasswords\s+yes' /etc/ssh/sshd_config +# grep -Pi '^\s*PermitEmptyPasswords\b' /etc/ssh/sshd_config | grep -Pvi '\bno\b' Nothing is returned ``` -如果第一条命令执行后返回`no`,且第二条命令执行后,没有返回任何结果,则视为通过此项检查。 +如果第一条命令执行后返回`permitemptypasswords no`,且第二条命令执行后,没有返回任何结果,则视为通过此项检查。 ## 参考 - diff --git a/benchmarks/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.md b/benchmarks/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.md index e8f16d5..d515190 100644 --- a/benchmarks/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.md +++ b/benchmarks/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.md 
@@ -28,13 +28,13 @@ PermitUserEnvironment no 1. 执行以下命令,验证`SSH`的`PermitUserEnvironment`配置是否正确: ```bash -# sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep permituserenvironment +# sshd -T | grep -Pi "^permituserenvironment\b" permituserenvironment no -# grep -Ei '^\s*PermitUserEnvironment\s+yes' /etc/ssh/sshd_config +# grep -Pi '^\s*PermitUserEnvironment\b' /etc/ssh/sshd_config | grep -Pvi '\bno\b' Nothing is returned ``` -如果第一条命令执行后返回`no`,且第二条命令执行后,没有返回任何结果,则视为通过此项检查。 +如果第一条命令执行后返回`permituserenvironment no`,且第二条命令执行后,没有返回任何结果,则视为通过此项检查。 ## 参考 diff --git a/benchmarks/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.md b/benchmarks/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.md index ee0e302..0dbb278 100644 --- a/benchmarks/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.md +++ b/benchmarks/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.md @@ -16,7 +16,7 @@ SSH 配置文件:`/etc/ssh/sshd_config`中的`MaxStartups`参数指定了 SSH * 10:等待认证阶段的最大并发连接数。若超过此数量,后面的认证请求连接将被拒绝。即:最多有10个人可以同时向 sshd 发起登录请求。 * 30:该参数是一个概率值(百分比的形式)。若设置了该参数,超过了上限(10)的连接,将会被随机拒绝,拒绝的比率是30%。即:超过了10个连接以后,后续的认证请求连接中,每3个中会有一个被随机拒绝。 -* 60:随着并发连接数的增加,这个拒绝连接的概率(30)也会逐步线性增加,当并发连接数达到最大值(60)后,后续的连接都将会被直接拒绝。 +* 60:随着并发连接数的增加,这个拒绝连接的概率(30)也会逐步线性增加,当并发连接数达到最大值(60)后,后续的连接都将会被直接拒绝。 **参数3需大于参数1,否则应用配置时将报错:Illegal MaxStartups spec.** 已通过认证、认证失败、或连接超时等,都会减少等待认证的并发连接数。 
@@ -39,13 +39,13 @@ maxstartups 10:30:60 1. 执行以下命令,验证`SSH`的`MaxStartups`参数配置是否正确: ```bash -# sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -i maxstartups +# sshd -T | grep -Pi "^maxstartups\b" maxstartups 10:30:60 -# grep -Ei '^\s*maxstartups\s+(((1[1-9]|[1-9][0-9][0-9]+):([0-9]+):([0-9]+))|(([0-9]+):(3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):([0-9]+))|(([0-9]+):([0-9]+):(6[1-9]|[7-9][0-9]|[1-9][0-9][0-9]+)))' /etc/ssh/sshd_config -Nothing is returned +# grep -Pi '^\s*maxstartups\b' /etc/ssh/sshd_config +MaxStartups 10:30:60 ``` -如果第一条命令执行后返回`10:30:60`或更加严格的规则,且第二条命令执行后,没有返回任何结果,则视为通过此项检查。 +如执行后返回`10:30:60`或更加严格的规则,则视为通过此项检查。 ## 参考 diff --git a/benchmarks/access-and-control/1.41-ensure-ssh-server-use-protocol_2.md b/benchmarks/access-and-control/1.41-ensure-ssh-server-use-protocol_2.md index 197c6d3..27bc985 100644 --- a/benchmarks/access-and-control/1.41-ensure-ssh-server-use-protocol_2.md +++ b/benchmarks/access-and-control/1.41-ensure-ssh-server-use-protocol_2.md @@ -15,7 +15,7 @@ ssh配置中确保 protocol 2 ,存在该选项则修改为2,没有则添加 1.执行以下命令,修改或添加ssh配置文件中的Protocol配置: ```bash -# grep -qiP '^Protocol' /etc/ssh/sshd_config && sed -i "/^Protocol/cProtocol 2" /etc/ssh/sshd_config || echo -e "Protocol 2" >> /etc/ssh/sshd_config +# grep -qiP '^\s*Protocol\b' /etc/ssh/sshd_config && sed -i "/^\s*Protocol\b/cProtocol 2" /etc/ssh/sshd_config || echo -e "Protocol 2" >> /etc/ssh/sshd_config ``` 2.执行以下命令,重启sshd服务: @@ -29,7 +29,7 @@ ssh配置中确保 protocol 2 ,存在该选项则修改为2,没有则添加 查看ssh配置文件Protocol行内容 ```bash -# grep -R "^Protocol" /etc/ssh/sshd_config +# grep -Pi "^\s*Protocol\b" /etc/ssh/sshd_config Protocol 2 ``` diff --git a/benchmarks/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.md b/benchmarks/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.md index d34a4c5..0a6d1cb 100644 --- a/benchmarks/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.md 
+++ b/benchmarks/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.md @@ -24,6 +24,8 @@ X11Forwarding no ``` +- `/etc/ssh/sshd_config`配置文件的`X11Forwarding`参数在未配置或注释的状态下,默认为`X11Forwarding no` + ## 扫描检测 确保`SSH`的`X11Forwarding`配置正确。 @@ -31,9 +33,9 @@ X11Forwarding no 1. 执行以下命令,验证`SSH`的`X11Forwarding`配置是否正确: ```bash -# sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -i x11forwarding +# sshd -T | grep -Pi "^\s*x11forwarding\b" x11forwarding no -# grep -Ei '^\s*x11forwarding\s+yes' /etc/ssh/sshd_config +# grep -Pi '^\s*x11forwarding\b' /etc/ssh/sshd_config | grep -Pvi '\bno\b' Nothing is returned ``` diff --git a/remediation-kits/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh b/remediation-kits/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh index b687a2a..13eed9c 100644 --- a/remediation-kits/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh +++ b/remediation-kits/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh 
@@ -1,4 +1,4 @@ -grep -Eq "^(\s*)ClientAliveInterval\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)ClientAliveInterval\s+\S+(\s*#.*)?\s*$/\1ClientAliveInterval 900\2/" /etc/ssh/sshd_config || echo "ClientAliveInterval 300" >> /etc/ssh/sshd_config -grep -Eq "^(\s*)ClientAliveCountMax\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)ClientAliveCountMax\s+\S+(\s*#.*)?\s*$/\1ClientAliveCountMax 0\2/" /etc/ssh/sshd_config || echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config +grep -Pq "^(\s*)ClientAliveInterval\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)ClientAliveInterval\s+\S+(\s*#.*)?\s*$/\1ClientAliveInterval 900\2/" /etc/ssh/sshd_config || echo "ClientAliveInterval 900" >> /etc/ssh/sshd_config +grep -Pq "^(\s*)ClientAliveCountMax\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)ClientAliveCountMax\s+\S+(\s*#.*)?\s*$/\1ClientAliveCountMax 0\2/" /etc/ssh/sshd_config || echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config systemctl restart sshd \ No newline at end of file diff --git a/scanners/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh b/scanners/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh index 77a57d6..910f665 100644 --- a/scanners/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh +++ b/scanners/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh 
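Review bot: Both `echo "ClientAlive… " >> /etc/ssh/sshd_config` fallbacks append at the end of the file, so on a config that already contains a `Match` block the appended `ClientAliveInterval 900` / `ClientAliveCountMax 0` lands inside that block and, per sshd_config(5), applies only to connections matching it rather than globally; the `sed -ri` branch has the mirror-image problem of rewriting a directive that sits inside a `Match` block as if it were the global one. Inserting the directive before the first `Match` line, or at the top of the file when there is none (e.g. `sed -i '1i ClientAliveInterval 900' /etc/ssh/sshd_config`), avoids both. It would also help to hold the `^(\s*)ClientAliveInterval\s+\S+(\s*#.*)?\s*$` pattern in one variable so the `grep -Pq` and `sed -ri` expressions cannot drift apart.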
@@ -1,9 +1,5 @@ -result=false +loadedSystemConfig=$(sshd -T | grep -Pi "^loglevel\b\s+(INFO|VERBOSE)$") +configFileSettings=$(grep -Pi '^\s*loglevel\b\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*loglevel\b\s+(INFO|VERBOSE)\b') -sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -q loglevel && grep -Eqi 'loglevel\s+(VERBOSE|INFO)' /etc/ssh/sshd_config && result=true - -if [ "$result" = true ]; then - echo "pass" -else - echo "fail" -fi \ No newline at end of file +[[ -z $loadedSystemConfig ]] && echo 'fail' && exit 1 +[[ -z $configFileSettings && -n $loadedSystemConfig ]] && echo 'pass' || echo 'fail' diff --git a/scanners/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh b/scanners/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh index 87e95ba..9d16330 100644 --- a/scanners/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh +++ b/scanners/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh @@ -1,9 +1,5 @@ -result=false +loadedSystemConfig=$(sshd -T | grep -Pi '^\s*maxauthtries\b\s+[0-4]$') +configFileSettings=$(grep -Pi '^\s*maxauthtries\b\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*maxauthtries\b\s+[0-4]{1}\b') -sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Eiq ^maxauthtries\\s+[0-4]$ && grep -Eiq '^\s*maxauthtries\s+[0-4]$' /etc/ssh/sshd_config && result=true - -if [ "$result" = true ]; then - echo "pass" -else - echo "fail" -fi \ No newline at end of file +[[ -z $loadedSystemConfig ]] && echo 'fail' && exit 1 +[[ -z $configFileSettings && -n $loadedSystemConfig ]] && echo 'pass' || echo 'fail' diff --git a/scanners/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh b/scanners/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh index 4b0c99d..632bee7 100644 --- a/scanners/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh 
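Review bot: Dropping the `-C user=… -C host=… -C addr=…` spec from `sshd -T` changes what `loadedSystemConfig` measures: per sshd(8), `Match` rules are applied only when connection parameters are supplied with `-C`, so a `Match` block that overrides a directive (LogLevel is one of the keywords allowed there) is no longer visible to the scanner, and the companion grep on `/etc/ssh/sshd_config` does not see `Include`d drop-ins either. The same applies to every other scanner in this patch that now calls bare `sshd -T` (1.14–1.19, 1.22–1.25, 1.47 and 1.50). Keeping a full spec without the fragile `/etc/hosts` lookup, e.g. `sshd -T -C user=root -C host="$(hostname)" -C addr=127.0.0.1`, preserves the old coverage; if checking only the global section is intentional, a one-line comment saying so would spare the next reader the question.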
+++ b/scanners/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh @@ -1,9 +1,5 @@ -result=false +loadedSystemConfig=$(sshd -T | grep -Pi "^ignorerhosts\b\s+yes$") +configFileSettings=$(grep -Pi '^\s*ignorerhosts\b' /etc/ssh/sshd_config | grep -Pvi '^\s*ignorerhosts\b\s+yes\b') -sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Eiq ^ignorerhosts\\s+yes && ! (grep -Eiq '^\s*ignorerhosts\s+no\b' /etc/ssh/sshd_config) && result=true - -if [ "$result" = true ]; then - echo "pass" -else - echo "fail" -fi \ No newline at end of file +[[ -z $loadedSystemConfig ]] && echo 'fail' && exit 1 +[[ -z $configFileSettings && -n $loadedSystemConfig ]] && echo 'pass' || echo 'fail' diff --git a/scanners/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh b/scanners/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh index 859d920..970daf4 100644 --- a/scanners/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh +++ b/scanners/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh @@ -1,9 +1,5 @@ -result=false +loadedSystemConfig=$(sshd -T | grep -Pi "^hostbasedauthentication\b\s+no$") +configFileSettings=$(grep -Pi '^\s*hostbasedauthentication\b\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*hostbasedauthentication\b\s+no\b') -sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Eiq ^hostbasedauthentication\\s+no && grep -Eiq 'hostbasedauthentication\s+no' /etc/ssh/sshd_config && result=true - -if [ "$result" = true ]; then - echo "pass" -else - echo "fail" -fi \ No newline at end of file +[[ -z $loadedSystemConfig ]] && echo 'fail' && exit 1 +[[ -z $configFileSettings && -n $loadedSystemConfig ]] && echo 'pass' || echo 'fail' 
diff --git a/scanners/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh b/scanners/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh index 3f73247..108c4b8 100644 --- a/scanners/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh +++ b/scanners/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh @@ -1,9 +1,5 @@ -result=false +loadedSystemConfig=$(sshd -T | grep -Pi "^permitrootlogin\b\s+no$") +configFileSettings=$(grep -Pi '^\s*permitrootlogin\b\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*permitrootlogin\b\s+no\b') -sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Eiq ^permitrootlogin\\s+no && grep -Eiq 'permitrootlogin\s+no' /etc/ssh/sshd_config && result=true - -if [ "$result" = true ]; then - echo "pass" -else - echo "fail" -fi \ No newline at end of file +[[ -z $loadedSystemConfig ]] && echo 'fail' && exit 1 +[[ -z $configFileSettings && -n $loadedSystemConfig ]] && echo 'pass' || echo 'fail' diff --git a/scanners/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh b/scanners/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh index 0edb386..6e1d550 100644 --- a/scanners/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh +++ b/scanners/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh 
@@ -1,9 +1,5 @@ -result=false +loadedSystemConfig=$(sshd -T | grep -Pi "^permitemptypasswords\b\s+no$") +configFileSettings=$(grep -Pi '^\s*permitemptypasswords\b\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*permitemptypasswords\b\s+no\b') -sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Eiq ^permitemptypasswords\\s+no && ! (grep -Eiq '^\s*PermitEmptyPasswords\s+yes' /etc/ssh/sshd_config) && result=true - -if [ "$result" = true ]; then - echo "pass" -else - echo "fail" -fi \ No newline at end of file +[[ -z $loadedSystemConfig ]] && echo 'fail' && exit 1 +[[ -z $configFileSettings && -n $loadedSystemConfig ]] && echo 'pass' || echo 'fail' diff --git a/scanners/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh b/scanners/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh index 9dd6389..6f093c7 100644 --- a/scanners/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh +++ b/scanners/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh @@ -1,9 +1,5 @@ -result=false +loadedSystemConfig=$(sshd -T | grep -Pi "^permituserenvironment\b\s+no$") +configFileSettings=$(grep -Pi '^\s*permituserenvironment\b\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*permituserenvironment\b\s+no\b') -sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Eiq ^permituserenvironment\\s+no && ! (grep -Eiq '^\s*PermitUserEnvironment\s+yes\b' /etc/ssh/sshd_config) && result=true - -if [ "$result" = true ]; then - echo "pass" -else - echo "fail" -fi \ No newline at end of file +[[ -z $loadedSystemConfig ]] && echo 'fail' && exit 1 +[[ -z $configFileSettings && -n $loadedSystemConfig ]] && echo 'pass' || echo 'fail' 
diff --git a/scanners/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh b/scanners/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh index f2db9f0..56d9d50 100644 --- a/scanners/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh +++ b/scanners/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh 
@@ -1,20 +1,19 @@ -result_client_alive_interval=0 -result_client_alive_countmax=0 -result_client_alive_interval_sshd_config=false -result_client_alive_countmax_sshd_config=false +checkPoint=false +loadedSystemConfig_clientalivecountmax=$(sshd -T | grep -Pi '^clientalivecountmax\b\s+[0]{1}$') +configFileSettings_clientalivecountmax=$(grep -Pi '^\s*ClientAliveCountMax\b\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*ClientAliveCountMax\b\s+[0]{1}\b') -val_clientaliveinterval=`sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep clientaliveinterval | cut -d ' ' -f 2` -result_client_alive_interval=`echo "$val_clientaliveinterval <= 900 && $val_clientaliveinterval != 0" | bc` - -val_clientalivecountmax=`sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep clientalivecountmax | cut -d ' ' -f 2` -result_client_alive_countmax=`echo "$val_clientalivecountmax == 0" | bc` +[[ -z $loadedSystemConfig_clientalivecountmax ]] && echo 'fail' && exit 1 +if [[ -z $configFileSettings_clientalivecountmax && -n $loadedSystemConfig_clientalivecountmax ]]; then + checkPoint=true +else + echo 'fail' + exit 1 +fi -grep -Ei '^\s*ClientAliveInterval\s+(0|9[0-9][1-9]|[1-9][0-9][0-9][0-9]+|1[6-9]m|[2-9][0-9]m|[1-9][0-9][0-9]+m)\b' /etc/ssh/sshd_config || result_client_alive_interval_sshd_config=true +[[ -z $configFileSettings_clientalivecountmax && -n $loadedSystemConfig_clientalivecountmax ]] && checkPoint=true || { echo 'fail'; exit 1; } -grep -Ei '^\s*ClientAliveCountMax\s+([1-9]|[1-9][0-9]+)\b' /etc/ssh/sshd_config || result_client_alive_countmax_sshd_config=true +loadedSystemConfig_clientaliveinterval=$(sshd -T | grep -Pi "^clientaliveinterval\b" | awk '{ if ($2 > 900) print 1; else print 0 }') +configFileSettings_clientaliveinterval=$(grep -Pi '^\s*clientaliveinterval\b\s+' /etc/ssh/sshd_config | awk '{ if ($2 > 900) print 1; else print 0 }') -if [[ $result_client_alive_interval 
-eq 1 && $result_client_alive_countmax -eq 1 && $result_client_alive_interval_sshd_config == true && $result_client_alive_countmax_sshd_config == true ]]; then - echo "pass" -else - echo "fail" -fi \ No newline at end of file +[[ $loadedSystemConfig_clientaliveinterval -ne 0 ]] && echo 'fail' && exit 1 +[[ $configFileSettings_clientaliveinterval -eq 0 && $loadedSystemConfig_clientaliveinterval -eq 0 && $checkPoint == "true" ]] && echo 'pass' || echo 'fail' diff --git a/scanners/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh b/scanners/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh index 0b2b4cd..b7ab969 100644 --- a/scanners/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh +++ b/scanners/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh 
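Review bot: The new interval check accepts `ClientAliveInterval 0`, which the old regex and the old `!= 0` test rejected: the awk on the `loadedSystemConfig_clientaliveinterval` and `configFileSettings_clientaliveinterval` lines prints 1 only for values above 900, so 0 — which disables the idle timeout entirely — now yields `pass`. Those two variables also fail open when `sshd -T` prints nothing (e.g. not run as root), because `[[ '' -ne 0 ]]` is false in bash; 1.21, 1.25 and 1.47 use the same `-ne 0` / `-eq 0` gate and share this. Changing the awk to `{ if ($2 > 900 || $2 == 0) print 1; else print 0 }` and the gate to `[[ -z $loadedSystemConfig_clientaliveinterval || $loadedSystemConfig_clientaliveinterval -ne 0 ]] && echo 'fail' && exit 1` closes both, and the line `[[ -z $configFileSettings_clientalivecountmax && … ]] && checkPoint=true || { echo 'fail'; exit 1; }` repeats the `if` block just above it and can go. Separately, since OpenSSH 8.2 `ClientAliveCountMax 0` disables connection termination rather than forcing it, so the `[0]{1}$` match may enforce the opposite of the intent on current releases — worth confirming against the OpenSSH version this benchmark targets.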
@@ -1,13 +1,19 @@ -result_logingracetime=0 -result_LoginGraceTime_sshd_config=false +loadedSystemConfig=$(sshd -T | grep -Pi "^logingracetime\b" | awk '{ if ($2 > 60) print 1; else print 0 }') +configFileType=$(grep -Pi '^\s*logingracetime\b\s+[0-9]+' /etc/ssh/sshd_config | awk '{print $2}' | grep -Poi '[s|m]$' | tr 'A-Z' 'a-z') +configFileSettings=$(grep -Poi '^\s*logingracetime\b\s+[0-9]+' /etc/ssh/sshd_config | awk '{print $2}') -val_logingracetime=`sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep logingracetime | cut -d ' ' -f 2` -result_logingracetime=`echo "$val_logingracetime <= 60" | bc` +[[ $loadedSystemConfig -ne 0 ]] && echo 'fail' && exit 1 -grep -Ei '^\s*LoginGraceTime\s+(0|6[1-9]|[7-9][0-9]|[1-9][0-9][0-9]+|[^1]m)' /etc/ssh/sshd_config || result_LoginGraceTime_sshd_config=true - -if [[ $result_logingracetime -eq 1 && $result_LoginGraceTime_sshd_config == true ]]; then - echo "pass" +if [[ -z $configFileType && -z configFileSettings ]]; then + [[ $loadedSystemConfig -eq 0 ]] && echo 'pass' || echo 'fail' + exit 0 +elif [[ $configFileType == 's' && -n $configFileSettings ]] || [[ -z $configFileType && -n $configFileSettings ]]; then + [[ $configFileSettings -le 60 ]] && echo 'pass' || echo 'fail' + exit 0 +elif [[ $configFileType == 'm' && -n $configFileSettings ]]; then + [[ $configFileSettings -le 1 ]] && echo 'pass' || echo 'fail' + exit 0 else - echo "fail" -fi \ No newline at end of file + echo 'fail' + exit 0 +fi diff --git a/scanners/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh b/scanners/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh index 7d12a00..3037198 100644 --- a/scanners/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh +++ b/scanners/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh 
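Review bot: `[[ -z $configFileType && -z configFileSettings ]]` tests the literal string `configFileSettings` (missing `$`), which is never empty, so the first branch can never be taken; a host whose `LoginGraceTime` is set only in an `Include`d drop-in reaches the final `else` and fails even though `loadedSystemConfig` is 0. It should read `if [[ -z $configFileType && -z $configFileSettings ]]; then`. The suffix detection recognises only `s` and `m`, so a value such as `1h` (a valid sshd_config(5) time format) gets an empty `configFileType` and is compared as seconds in the second branch — only reachable when the `sshd -T` gate yields nothing, but that gate is the empty-output fail-open noted at 1.20; `grep -Poi '[s|m]$'` is also a character class, so a stray trailing `|` would match. If several `LoginGraceTime` lines exist, `configFileSettings` becomes multi-line and `-le` errors out, which is worth a `head -n1` or an explicit fail.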
@@ -1,8 +1,7 @@ -result=false -sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Piq ^banner\\s+\/etc\/issue.net && result=true +loadedSystemConfig=$(sshd -T | grep -Pi "^banner\b\s+none$") -if [[ $result == true ]]; then - echo "pass" +if [[ -n $loadedSystemConfig ]]; then + echo 'fail' && exit 1 else - echo "fail" -fi \ No newline at end of file + echo 'pass' +fi diff --git a/scanners/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh b/scanners/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh index c772433..27a98b6 100644 --- a/scanners/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh +++ b/scanners/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh @@ -1,8 +1,5 @@ -result=false -sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Eiq ^usepam\\s+yes && grep -Eiq '^\s*UsePAM\s+yes' /etc/ssh/sshd_config && result=true +loadedSystemConfig=$(sshd -T | grep -Pi "^usepam\b\s+yes$") +configFileSettings=$(grep -Pi '^\s*usepam\b\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*usepam\b\s+yes\b') -if [[ $result == true ]]; then - echo "pass" -else - echo "fail" -fi \ No newline at end of file +[[ -z $loadedSystemConfig ]] && echo 'fail' && exit 1 +[[ -z $configFileSettings && -n $loadedSystemConfig ]] && echo 'pass' || echo 'fail' diff --git a/scanners/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh b/scanners/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh index 773f2e6..03f4a68 100644 --- a/scanners/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh +++ b/scanners/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh 
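Review bot: The banner check now fails open: `loadedSystemConfig` is non-empty only when `sshd -T` reports `banner none`, so when `sshd -T` prints nothing at all (not run as root, or the config fails to parse) the `else` branch prints `pass`, whereas the old version required a positive match on `/etc/issue.net`. Inverting the test keeps it fail-closed, e.g. `loadedSystemConfig=$(sshd -T | grep -Pi '^banner\b' | grep -Pvi '\bnone$')` followed by `[[ -n $loadedSystemConfig ]] && echo 'pass' || { echo 'fail'; exit 1; }`. Whether any non-`none` path should pass, or only `/etc/issue.net` as before, is a policy choice that deserves a comment either way.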
@@ -1,11 +1,23 @@ -result_sshd_config=false -result_sshd=false +result=false -grep -Eiq '^\s*maxstartups\s+(((1[1-9]|[2-9][0-9]|[1-9][0-9][0-9]+):([0-9]+):([0-9]+))|(([0-9]+):(3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):([0-9]+))|(([0-9]+):([0-9]+):(6[1-9]|[7-9][0-9]|[1-9][0-9][0-9]+)))' /etc/ssh/sshd_config || result_sshd_config=true +maxstartups_first=$(sshd -T | grep -Pi "^\s*maxstartups\b" | awk '{print $2}' | awk -F: '{print $1}') +maxstartups_second=$(sshd -T | grep -Pi "^\s*maxstartups\b" | awk '{print $2}' | awk -F: '{print $2}') +maxstartups_third=$(sshd -T | grep -Pi "^\s*maxstartups\b" | awk '{print $2}' | awk -F: '{print $3}') -sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Eiq '^\s*maxstartups\s+(((1[1-9]|[2-9][0-9]|[1-9][0-9][0-9]+):([0-9]+):([0-9]+))|(([0-9]+):(3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):([0-9]+))|(([0-9]+):([0-9]+):(6[1-9]|[7-9][0-9]|[1-9][0-9][0-9]+)))' || result_sshd=true +if $(grep -Piq '^\s*maxstartups\b\s+[0-9]+\:[0-9]+\:[0-9]+\b' /etc/ssh/sshd_config); then + config_maxstartups_first=$(grep -Pi '^\s*maxstartups\b\s+[0-9]+\:[0-9]+\:[0-9]+\b' /etc/ssh/sshd_config | awk '{print $2}' | awk -F: '{print $1}') + config_maxstartups_second=$(grep -Pi '^\s*maxstartups\b\s+[0-9]+\:[0-9]+\:[0-9]+\b' /etc/ssh/sshd_config | awk '{print $2}' | awk -F: '{print $2}') + config_maxstartups_third=$(grep -Pi '^\s*maxstartups\b\s+[0-9]+\:[0-9]+\:[0-9]+\b' /etc/ssh/sshd_config | awk '{print $2}' | awk -F: '{print $3}') + [[ $maxstartups_first -le 10 ]] && [[ $maxstartups_second -ge 30 ]] && [[ $maxstartups_third -ge $maxstartups_first && $maxstartups_third -le 60 ]] && \ + [[ $config_maxstartups_first -le 10 ]] && [[ $config_maxstartups_second -ge 30 ]] && [[ $config_maxstartups_third -ge $config_maxstartups_first && $config_maxstartups_third -le 60 ]] && \ + result=true +else + [[ $maxstartups_first -le 10 ]] && [[ $maxstartups_second -ge 30 ]] && \ + # 参数3需大于等于参数1 + [[ $maxstartups_third -ge 
$maxstartups_first && $maxstartups_third -le 60 ]] && result=true +fi -if [[ $result_sshd_config == true && $result_sshd == true ]]; then +if [[ "$result" = true ]]; then echo "pass" else echo "fail" diff --git a/scanners/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh b/scanners/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh index 7e827ec..bf8643b 100644 --- a/scanners/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh +++ b/scanners/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh @@ -1,12 +1,5 @@ -result_sshd_config=false -result_sshd=false +loadedSystemConfig=$(sshd -T | grep -Pi "^MaxSessions\b" | awk '{ if ($2 > 10) print 1; else print 0 }') +configFileSettings=$(grep -Pi '^\s*MaxSessions\b\s+' /etc/ssh/sshd_config | awk '{ if ($2 > 10) print 1; else print 0 }') -grep -Ei '^\s*MaxSessions\s+(1[1-9]|[2-9][0-9]|[1-9][0-9][0-9]+)' /etc/ssh/sshd_config || result_sshd_config=true - -sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Ei '^\s*MaxSessions\s+(1[1-9]|[2-9][0-9]|[1-9][0-9][0-9]+)' || result_sshd=true - -if [[ $result_sshd_config == true && $result_sshd == true ]]; then - echo "pass" -else - echo "fail" -fi \ No newline at end of file +[[ $loadedSystemConfig -ne 0 ]] && echo 'fail' && exit 1 +[[ $configFileSettings -eq 0 && $loadedSystemConfig -eq 0 ]] && echo 'pass' || echo 'fail' diff --git a/scanners/access-and-control/1.41-ensure-ssh-server-use-protocol_2.sh b/scanners/access-and-control/1.41-ensure-ssh-server-use-protocol_2.sh index 8d72427..3ddf5e4 100755 --- a/scanners/access-and-control/1.41-ensure-ssh-server-use-protocol_2.sh +++ b/scanners/access-and-control/1.41-ensure-ssh-server-use-protocol_2.sh 
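Review bot: `if $(grep -Piq '^\s*maxstartups\b…' /etc/ssh/sshd_config); then` runs the substitution and then executes its empty output, relying on bash's rule that a command with no name takes the status of the last substitution; the intended form is `if grep -Piq '^\s*maxstartups\b\s+[0-9]+\:[0-9]+\:[0-9]+\b' /etc/ssh/sshd_config; then`, which is also what ShellCheck expects. `sshd -T` is invoked three times (and the config grep three more) to split one `a:b:c` value; a single `IFS=: read -r maxstartups_first maxstartups_second maxstartups_third <<<"$(sshd -T | awk 'tolower($1)=="maxstartups"{print $2}')"` does the same with one call and removes the chance of the three reads disagreeing. The `\` continuation followed by the `# 参数3需大于等于参数1` comment line appears to work only because bash tolerates a newline after `&&`; placing the comment above the `[[` chain makes it robust. The closing `fi` of the final `if` lies outside the hunk.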
@@ -1,15 +1,11 @@
-#!/bin/bash
+result=false
-PROTOCOL=`grep -R "^Protocol" /etc/ssh/sshd_config`
+protocol_value=$(grep -Pi "^Protocol\b\s+" /etc/ssh/sshd_config | awk '{print $2}')
-grep -R "^Protocol" /etc/ssh/sshd_config >/dev/null
+[[ $protocol_value -eq 2 ]] && result=true
-if [ $? == 0 ];then #0 have
- if [[ $PROTOCOL =~ "2" ]];then
- echo "pass"
- else
- echo "fail"
- fi
+if [[ "$result" = true ]]; then
+ echo "pass"
 else
 echo "fail"
-fi
+fi
\ No newline at end of file
diff --git a/scanners/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh b/scanners/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh
index 6209ca7..88629d7 100644
--- a/scanners/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh
+++ b/scanners/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh
@@ -1,9 +1,5 @@
-result=false
+loadedSystemConfig=$(sshd -T | grep -Pi '^\s*maxauthtries\b' | awk '{ if ($2 > 5 || $2 < 3) print 1; else print 0 }')
+configFileSettings=$(grep -Pi '^\s*maxauthtries\b\s+' /etc/ssh/sshd_config | awk '{ if ($2 > 5 || $2 < 3) print 1; else print 0 }')
-sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Eiq ^maxauthtries\\s+[3-5]$ && grep -Eiq '^\s*maxauthtries\s+[3-5]$' /etc/ssh/sshd_config && result=true
-
-if [ "$result" = true ]; then
- echo "pass"
-else
- echo "fail"
-fi
\ No newline at end of file
+[[ $loadedSystemConfig -ne 0 ]] && echo 'fail' && exit 1
+[[ $configFileSettings -eq 0 && $loadedSystemConfig -eq 0 ]] && echo 'pass' || echo 'fail'
diff --git a/scanners/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh b/scanners/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh
index a05410c..f30414b 100644
--- a/scanners/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh
+++ b/scanners/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh
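Review bot: `[[ $protocol_value -eq 2 ]]` evaluates the value arithmetically, so a line `Protocol 1,2` (comma operator, value 2) appears to satisfy the test and the script prints pass although protocol 1 stays permitted, and an empty value is silently compared as 0; a string comparison `[[ $protocol_value == 2 ]]` is the intended check. The grep is anchored at `^Protocol` without the `\s*` the sibling scripts use, so an indented directive is missed. The hunk also drops the shebang; because the script relies on `[[ ]]`, that is safe only if the harness runs scanners with bash, which the other scripts in this series (no shebang on their old line 1) seem to assume.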
@@ -1,9 +1,5 @@
-result=false
+loadedSystemConfig=$(sshd -T | grep -Pi "^x11forwarding\b\s+no$")
+configFileSettings=$(grep -Pi '^\s*x11forwarding\b\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*x11forwarding\b\s+no\b')
-sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -qi x11forwarding && grep -Eqi '^\s*x11forwarding\s+no' /etc/ssh/sshd_config && result=true
-
-if [ "$result" = true ]; then
- echo "pass"
-else
- echo "fail"
-fi
+[[ -z $loadedSystemConfig ]] && echo 'fail' && exit 1
+[[ -z $configFileSettings && -n $loadedSystemConfig ]] && echo 'pass' || echo 'fail'
-- Gitee
From f2cc13b8204e0726a80668a640dafc7678dd5329 Mon Sep 17 00:00:00 2001
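Review bot: The `-n $loadedSystemConfig` term on the last line is always true when that line is reached, because the preceding line already exits on the empty case, so it only obscures the intent; `[[ -z $configFileSettings ]] && echo 'pass' || echo 'fail'` says the same thing. A one-line comment above the second assignment would help the next reader, e.g. `# configFileSettings: X11Forwarding lines in sshd_config whose value is not "no"; empty means compliant or unset`. `sshd -T` diagnostics are left on stderr here; if the harness reads only stdout that is harmless, otherwise `2>/dev/null` keeps the output to the pass/fail token.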
From: YuQing Yang Date: Fri, 15 Mar 2024 14:58:06 +0800 Subject: [PATCH 2/2] Bug fix for scanning script: optimized some query statements and judgment logic of the script to make the inspection more rigorous. Code format fix Benchmark description update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: #I94I8C - benchmarks/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.md Modified the regular expression in the detection script, added \b anchor to make the check more rigorous. - benchmarks/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.md Fix description errors - benchmarks/system-configurations/4.66-ensure-system-histsize-as-100-or-other.md 1. Add description information to explain the meaning of the rule 2. Update the query script to make the query more rigorous 3. Update the rule requirements from the original equal to 100 to less than 100, so that the rule is more reasonable - benchmarks/system-configurations/4.67-ensure-system-histfilesize-100.md 1. Add description information to explain the meaning of the rule 2. Update the query script to make the query more rigorous 3. Update the rule requirements from the original equal to 100 to less than 100, so that the rule is more reasonable 4. 
fix bug:`echo -e "export HISTFILESIZE=100" >> /etc/profile` --> `echo -e "HISTFILESIZE=100" >> /etc/profile` - scanners/access-and-control/1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured.sh - scanners/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.sh - scanners/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh - scanners/access-and-control/1.37-ensure-default-user-shell-timeout-is-900-seconds-or-less.sh - scanners/access-and-control/1.42-ensure-that-the-password-expires-between-30-and-90-days.sh - scanners/access-and-control/1.43-ensure-that-the-minimum-password-change-between-7-and-14-days.sh - scanners/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.sh - scanners/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh - scanners/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh - scanners/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh - scanners/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.sh - scanners/services/3.27-ensure-time-synchronization-is-installed.sh - scanners/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh - scanners/access-and-control/1.31-ensure-password-expiration-is-365-days-or-less.sh - scanners/access-and-control/1.32-ensure-minimum-days-between-password-changes-is-7-or-more.sh - scanners/access-and-control/1.33-ensure-password-expiration-warning-days-is-7-or-more.sh - scanners/access-and-control/1.34-ensure-inactive-password-lock-is-30-days-or-less.sh - scanners/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.sh - scanners/access-and-control/1.54-lock-the-bin-and-adm-users.sh - scanners/system-configurations/4.66-ensure-system-histsize-as-100-or-other.sh - scanners/system-configurations/4.67-ensure-system-histfilesize-100.sh - 
scanners/logging-and-auditing/2.11-ensure-cryptographic-mechanisms-are-used-to-protect-the-integrity-of-audit-tools.sh - scanners/logging-and-auditing/2.15-ensure-rsyslog-is-configured-to-send-logs-to-a-remote-log-host.sh - scanners/logging-and-auditing/2.16-ensure-journald-is-configured-to-send-logs-to-rsyslog.sh - scanners/logging-and-auditing/2.17-ensure-journald-is-configured-to-compress-large-log-files.sh - scanners/logging-and-auditing/2.18-ensure-journald-is-configured-to-write-logfiles-to-persistent-disk.sh - scanners/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh - scanners/mandatory-access-control/5.1-ensure-selinux-is-installed.sh - scanners/mandatory-access-control/5.2-ensure-selinux-policy-is-configured.sh - scanners/mandatory-access-control/5.4-ensure-the-selinux-mode-is-enforcing.sh - scanners/mandatory-access-control/5.9-ensure-setroubleshoot-is-not-installed.sh - scanners/services/3.1-disable-http-server.sh - scanners/services/3.10-disable-rsync-server.sh - scanners/services/3.11-disable-avahi-server.sh - scanners/services/3.12-disable-snmp-server.sh - scanners/services/3.13-disable-http-proxy-server.sh - scanners/services/3.14-disable-samba.sh - scanners/services/3.15-disable-imap-and-pop3-server.sh - scanners/services/3.16-disable-smtp-protocol.sh - scanners/services/3.17-disable-or-uninstall-the-telnet.sh - scanners/services/3.18-uninstall-the-avahi-server.sh - scanners/services/3.19-uninstall-the-kexec-tools.sh - scanners/services/3.2-disable-ftp-server.sh - scanners/services/3.20-uninstall-the-firstboot.sh - scanners/services/3.21-uninstall-the-wpa_supplicant.sh - scanners/services/3.22-ensure-NIS-Client-is-not-installed.sh - scanners/services/3.23-disable-rsh.sh - scanners/services/3.24-disable-ntalk.sh - scanners/services/3.25-ensure-xinetd-is-not-installed.sh - scanners/services/3.26-disable-usb-storage.sh - scanners/services/3.3-disable-dns-server.sh - scanners/services/3.4-disable-nfs.sh - 
scanners/services/3.5-disable-rpc.sh - scanners/services/3.6-disable-ldap-server.sh - scanners/services/3.7-disable-dhcp-server.sh - scanners/services/3.8-disable-cups.sh - scanners/services/3.9-disable-nis-server.sh - scanners/system-configurations/4.1-ensure-message-of-the-day-is-configured-properly.sh - scanners/system-configurations/4.10-ensure-bootloader-password-is-set.sh - scanners/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh - scanners/system-configurations/4.13-ensure-core-dumps-are-restricted.sh - scanners/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh - scanners/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh - scanners/system-configurations/4.16-ensure-sticky-bit-is-set-on-all-world-writable-directories.sh - scanners/system-configurations/4.17-ensure-permissions-on-etc-passwd-are-configured.sh - scanners/system-configurations/4.18-ensure-permissions-on-etc-shadow-are-configured.sh - scanners/system-configurations/4.19-ensure-permissions-on-etc-group-are-configured.sh - scanners/system-configurations/4.2-ensure-local-login-warning-banner-is-configured-properly.sh - scanners/system-configurations/4.20-ensure-permissions-on-etc-gshadow-are-configured.sh - scanners/system-configurations/4.21-ensure-permissions-on-etc-passwd--are-configured.sh - scanners/system-configurations/4.22-ensure-permissions-on-etc-shadow--are-configured.sh - scanners/system-configurations/4.23-ensure-permissions-on-etc-group--are-configured.sh - scanners/system-configurations/4.24-ensure-permissions-on-etc-gshadow--are-configured.sh - scanners/system-configurations/4.25-ensure-no-world-writable-files-exist.sh - scanners/system-configurations/4.26-ensure-no-unowned-files-or-directories-exist.sh - scanners/system-configurations/4.27-ensure-no-ungrouped-files-or-directories-exist.sh - scanners/system-configurations/4.28-ensure-no-password-fields-are-not-empty.sh - 
scanners/system-configurations/4.29-ensure-root-path-integrity.sh - scanners/system-configurations/4.3-ensure-remote-login-warning-banner-is-configured-properly.sh - scanners/system-configurations/4.30-ensure-root-is-the-only-uid-0-account.sh - scanners/system-configurations/4.31-ensure-users-home-directories-permissions-are-750-or-more-restrictive.sh - scanners/system-configurations/4.32-ensure-users-own-their-home-directories.sh - scanners/system-configurations/4.33-ensure-users-dot-files-are-not-group-or-world-writable.sh - scanners/system-configurations/4.34-ensure-no-users-have-.forward-files.sh - scanners/system-configurations/4.35-ensure-no-users-have-.netrc-files.sh - scanners/system-configurations/4.36-ensure-users-.netrc-files-are-not-group-or-world-accessible.sh - scanners/system-configurations/4.37-ensure-no-users-have-.rhosts-files.sh - scanners/system-configurations/4.38-ensure-all-groups-in-etc-passwd-exist-in-etc-group.sh - scanners/system-configurations/4.39-ensure-no-duplicate-uids-exist.sh - scanners/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh - scanners/system-configurations/4.40-ensure-no-duplicate-gids-exist.sh - scanners/system-configurations/4.41-ensure-no-duplicate-user-names-exist.sh - scanners/system-configurations/4.42-ensure-no-duplicate-group-names-exist.sh - scanners/system-configurations/4.43-ensure-all-users-home-directories-exist.sh - scanners/system-configurations/4.44-ensure-sctp-is-disabled.sh - scanners/system-configurations/4.45-ensure-dccp-is-disabled.sh - scanners/system-configurations/4.46-ensure-wireless-interfaces-are-disabled.sh - scanners/system-configurations/4.47-ensure-ip-forwarding-is-disabled.sh - scanners/system-configurations/4.48-ensure-packet-redirect-sending-is-disabled.sh - scanners/system-configurations/4.49-ensure-source-routed-packets-are-not-accepted.sh - scanners/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh - 
scanners/system-configurations/4.50-ensure-icmp-redirects-are-not-accepted.sh - scanners/system-configurations/4.51-ensure-secure-icmp-redirects-are-not-accepted.sh - scanners/system-configurations/4.52-ensure-suspicious-packets-are-logged.sh - scanners/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.sh - scanners/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.sh - scanners/system-configurations/4.55-ensure-reverse-path-filtering-is-enabled.sh - scanners/system-configurations/4.56-ensure-tcp-syn-cookies-is-enabled.sh - scanners/system-configurations/4.57-ensure-ipv6-router-advertisements-are-not-accepted.sh - scanners/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh - scanners/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh - scanners/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh - scanners/system-configurations/4.60-ensure-iptables-is-not-enabled.sh - scanners/system-configurations/4.61-ensure-nftables-is-not-enabled.sh - scanners/system-configurations/4.62-ensure-nftables-service-is-enabled.sh - scanners/system-configurations/4.63-ensure-iptables-packages-are-installed.sh - scanners/system-configurations/4.64-ensure-nftables-is-not-installed.sh - scanners/system-configurations/4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh - scanners/system-configurations/4.68-ensure-permissions-TMP-is-correct.sh - scanners/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh - scanners/system-configurations/4.8-ensure-aide-is-installed.sh - scanners/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh 
Signed-off-by: YuQing Yang --- ...m-wide-crypto-policy-is-not-over-ridden.md | 2 +- ...-failed-password-attempts-is-configured.md | 2 +- ...log-default-file-permissions-configured.md | 12 +++- ...-collect-file-deletion-events-for-users.md | 37 +++++++------ ...-management-scope-sudoers-are-collected.md | 5 ++ ...fy-user-group-information-are-collected.md | 5 ++ ...ts-to-use-the-chsh-command-are-recorded.md | 6 +- ...he-firewall-logging-function-is-enabled.md | 13 ++++- .../2.29-ensure-sudo-log-are-collected.md | 2 +- ...ssion-modification-events-are-collected.md | 55 +++---------------- .../services/3.26-disable-usb-storage.md | 2 +- ...-ensure-system-histsize-as-100-or-other.md | 16 ++++-- .../4.67-ensure-system-histfilesize-100.md | 19 ++++--- ...log-default-file-permissions-configured.sh | 3 +- ...-collect-file-deletion-events-for-users.sh | 14 ++++- ...ts-to-use-the-chsh-command-are-recorded.sh | 4 +- .../2.29-ensure-sudo-log-are-collected.sh | 4 +- ...se-of-privileged-commands-are-collected.sh | 1 + ...ssion-modification-events-are-collected.sh | 10 ++-- .../services/3.26-disable-usb-storage.sh | 2 +- .../1.1-ensure-cron-daemon-is-enabled.sh | 2 +- .../1.10-ensure-ssh-access-is-limited.sh | 4 +- ...h-private-host-key-files-are-configured.sh | 2 +- ...sh-public-host-key-files-are-configured.sh | 4 +- ...1.13-ensure-ssh-loglevel-is-appropriate.sh | 4 +- ...re-ssh-maxauthtries-is-set-to-4-or-less.sh | 4 +- ...1.15-ensure-ssh-ignorerhosts-is-enabled.sh | 4 +- ...ssh-hostbasedauthentication-is-disabled.sh | 4 +- .../1.17-ensure-ssh-root-login-is-disabled.sh | 4 +- ...re-ssh-permitemptypasswords-is-disabled.sh | 4 +- ...e-ssh-permituserenvironment-is-disabled.sh | 4 +- ...rmissions-on-etc-crontab-are-configured.sh | 2 +- ...ssh-idle-timeout-interval-is-configured.sh | 6 +- ...ngracetime-is-set-to-one-minute-or-less.sh | 6 +- ...ensure-ssh-warning-banner-is-configured.sh | 5 +- .../1.23-ensure-ssh-pam-is-enabled.sh | 4 +- ...24-ensure-ssh-maxstartups-is-configured.sh 
| 8 +-- ...re-ssh-maxsessions-is-set-to-10-or-less.sh | 2 +- ...m-wide-crypto-policy-is-not-over-ridden.sh | 2 +- ...rd-creation-requirements-are-configured.sh | 14 ++--- ...-failed-password-attempts-is-configured.sh | 39 +++++++++++-- ...sions-on-etc-cron.hourly-are-configured.sh | 2 +- ...e-password-hashing-algorithm-is-sha-512.sh | 4 +- ...password-expiration-is-365-days-or-less.sh | 13 ++--- ...s-between-password-changes-is-7-or-more.sh | 13 ++--- ...rd-expiration-warning-days-is-7-or-more.sh | 13 ++--- ...active-password-lock-is-30-days-or-less.sh | 15 ++--- ...er-shell-timeout-is-900-seconds-or-less.sh | 6 +- ...ult-group-for-the-root-account-is-gid-0.sh | 2 +- ...ssions-on-etc-cron.daily-are-configured.sh | 2 +- ...-access-to-the-su-command-is-restricted.sh | 2 +- .../1.41-ensure-ssh-server-use-protocol_2.sh | 4 +- ...password-expires-between-30-and-90-days.sh | 6 +- ...m-password-change-between-7-and-14-days.sh | 6 +- ...-failed-password-attempts-is-configured.sh | 6 +- ...timeout-is-between-600-and-1800-seconds.sh | 4 +- ...-maxauthtries-is-set-to-between-3-and-5.sh | 2 +- ...k-or-delete-the-shutdown-and-halt-users.sh | 19 ++++++- ...sions-on-etc-cron.weekly-are-configured.sh | 2 +- ...0-ensure-ssh-x11-forwarding-is-disabled.sh | 4 +- ...mounting-of-udf-filesystems-is-disabled.sh | 8 +-- ...nting-of-cramfs-filesystems-is-disabled.sh | 8 +-- ...ing-of-squashfs-filesystems-is-disabled.sh | 4 +- .../1.54-lock-the-bin-and-adm-users.sh | 11 +++- ...ions-on-etc-cron.monthly-are-configured.sh | 2 +- ...ermissions-on-etc-cron.d-are-configured.sh | 2 +- ...-cron-is-restricted-to-authorized-users.sh | 10 ++-- ...s-on-etc-ssh-sshd_config-are-configured.sh | 2 +- ...-write-accessible-by-unauthorized-users.sh | 4 +- ...ure-audit-tools-are-group-owned-by-root.sh | 24 ++------ ...to-protect-the-integrity-of-audit-tools.sh | 25 +++++---- .../2.12-ensure-rsyslog-is-installed.sh | 6 +- .../2.13-ensure-rsyslog-service-is-enabled.sh | 4 +- 
...log-default-file-permissions-configured.sh | 21 +++---- ...gured-to-send-logs-to-a-remote-log-host.sh | 17 ++---- ...d-is-configured-to-send-logs-to-rsyslog.sh | 6 +- ...-configured-to-compress-large-log-files.sh | 6 +- ...ed-to-write-logfiles-to-persistent-disk.sh | 6 +- .../2.19-ensure-audit-is-installed.sh | 6 +- ...ly-authorized-users-own-audit-log-files.sh | 4 +- .../2.20-ensure-audit-service-is-enabled.sh | 8 +-- ...-collect-file-deletion-events-for-users.sh | 48 +++++++++++----- ...-management-scope-sudoers-are-collected.sh | 2 +- ...fy-user-group-information-are-collected.sh | 22 ++++---- ...ts-to-use-the-chsh-command-are-recorded.sh | 7 ++- ...g-and-on-disk-configuration-is-the-same.sh | 2 +- ...he-firewall-logging-function-is-enabled.sh | 10 +++- .../2.29-ensure-sudo-log-are-collected.sh | 2 +- ...zed-groups-ownership-of-audit-log-files.sh | 4 +- ...-modify-the-sudo-log-file-are-collected.sh | 2 +- ...ssion-modification-events-are-collected.sh | 26 ++++----- ...g-directory-is-0750-or-more-restrictive.sh | 2 +- ...ls-are-mode-of-0755-or-more-restrictive.sh | 24 ++------ ....9-ensure-audit-tools-are-owned-by-root.sh | 24 ++------ .../5.1-ensure-selinux-is-installed.sh | 2 +- ...5.2-ensure-selinux-policy-is-configured.sh | 4 +- ....4-ensure-the-selinux-mode-is-enforcing.sh | 2 +- ...-ensure-setroubleshoot-is-not-installed.sh | 2 +- scanners/services/3.1-disable-http-server.sh | 4 +- .../services/3.10-disable-rsync-server.sh | 4 +- .../services/3.11-disable-avahi-server.sh | 4 +- scanners/services/3.12-disable-snmp-server.sh | 4 +- .../3.13-disable-http-proxy-server.sh | 4 +- scanners/services/3.14-disable-samba.sh | 4 +- .../3.15-disable-imap-and-pop3-server.sh | 4 +- .../services/3.16-disable-smtp-protocol.sh | 6 +- .../3.17-disable-or-uninstall-the-telnet.sh | 2 +- .../3.18-uninstall-the-avahi-server.sh | 2 +- .../3.19-uninstall-the-kexec-tools.sh | 2 +- scanners/services/3.2-disable-ftp-server.sh | 4 +- .../services/3.20-uninstall-the-firstboot.sh | 2 
+- .../3.21-uninstall-the-wpa_supplicant.sh | 2 +- ...3.22-ensure-NIS-Client-is-not-installed.sh | 2 +- scanners/services/3.23-disable-rsh.sh | 4 +- scanners/services/3.24-disable-ntalk.sh | 4 +- .../3.25-ensure-xinetd-is-not-installed.sh | 2 +- scanners/services/3.26-disable-usb-storage.sh | 4 +- ...nsure-time-synchronization-is-installed.sh | 8 +-- scanners/services/3.3-disable-dns-server.sh | 4 +- scanners/services/3.4-disable-nfs.sh | 4 +- scanners/services/3.5-disable-rpc.sh | 4 +- scanners/services/3.6-disable-ldap-server.sh | 4 +- scanners/services/3.7-disable-dhcp-server.sh | 4 +- scanners/services/3.8-disable-cups.sh | 4 +- scanners/services/3.9-disable-nis-server.sh | 4 +- ...ssage-of-the-day-is-configured-properly.sh | 2 +- .../4.10-ensure-bootloader-password-is-set.sh | 4 +- ...ntication-required-for-single-user-mode.sh | 2 +- .../4.13-ensure-core-dumps-are-restricted.sh | 2 +- ...-layout-randomization-(ASLR)-is-enabled.sh | 6 +- ...system-wide-crypto-policy-is-not-legacy.sh | 2 +- ...s-set-on-all-world-writable-directories.sh | 2 +- ...ermissions-on-etc-passwd-are-configured.sh | 2 +- ...ermissions-on-etc-shadow-are-configured.sh | 2 +- ...permissions-on-etc-group-are-configured.sh | 2 +- ...n-warning-banner-is-configured-properly.sh | 2 +- ...rmissions-on-etc-gshadow-are-configured.sh | 2 +- ...rmissions-on-etc-passwd--are-configured.sh | 2 +- ...rmissions-on-etc-shadow--are-configured.sh | 2 +- ...ermissions-on-etc-group--are-configured.sh | 2 +- ...missions-on-etc-gshadow--are-configured.sh | 2 +- ...25-ensure-no-world-writable-files-exist.sh | 2 +- ...e-no-unowned-files-or-directories-exist.sh | 2 +- ...no-ungrouped-files-or-directories-exist.sh | 2 +- ...ensure-no-password-fields-are-not-empty.sh | 2 +- .../4.29-ensure-root-path-integrity.sh | 2 +- ...n-warning-banner-is-configured-properly.sh | 2 +- ...0-ensure-root-is-the-only-uid-0-account.sh | 2 +- ...permissions-are-750-or-more-restrictive.sh | 10 ++-- 
...ensure-users-own-their-home-directories.sh | 10 ++-- ...t-files-are-not-group-or-world-writable.sh | 12 ++-- ....34-ensure-no-users-have-.forward-files.sh | 10 ++-- .../4.35-ensure-no-users-have-.netrc-files.sh | 10 ++-- ...files-are-not-group-or-world-accessible.sh | 10 ++-- ...4.37-ensure-no-users-have-.rhosts-files.sh | 10 ++-- ...groups-in-etc-passwd-exist-in-etc-group.sh | 6 +- .../4.39-ensure-no-duplicate-uids-exist.sh | 4 +- ...-permissions-on-etc-motd-are-configured.sh | 2 +- .../4.40-ensure-no-duplicate-gids-exist.sh | 4 +- ...41-ensure-no-duplicate-user-names-exist.sh | 4 +- ...2-ensure-no-duplicate-group-names-exist.sh | 4 +- ...ensure-all-users-home-directories-exist.sh | 6 +- .../4.44-ensure-sctp-is-disabled.sh | 4 +- .../4.45-ensure-dccp-is-disabled.sh | 4 +- ...ensure-wireless-interfaces-are-disabled.sh | 6 +- .../4.47-ensure-ip-forwarding-is-disabled.sh | 6 +- ...ure-packet-redirect-sending-is-disabled.sh | 2 +- ...-source-routed-packets-are-not-accepted.sh | 2 +- ...permissions-on-etc-issue-are-configured.sh | 2 +- ...-ensure-icmp-redirects-are-not-accepted.sh | 2 +- ...-secure-icmp-redirects-are-not-accepted.sh | 2 +- ...52-ensure-suspicious-packets-are-logged.sh | 2 +- ...ure-broadcast-icmp-requests-are-ignored.sh | 4 +- ...ensure-bogus-icmp-responses-are-ignored.sh | 4 +- ...nsure-reverse-path-filtering-is-enabled.sh | 4 +- .../4.56-ensure-tcp-syn-cookies-is-enabled.sh | 4 +- ...-router-advertisements-are-not-accepted.sh | 2 +- ...-ensure-a-firewall-package-is-installed.sh | 6 +- ...irewalld-service-is-enabled-and-running.sh | 2 +- ...issions-on-etc-issue.net-are-configured.sh | 2 +- .../4.60-ensure-iptables-is-not-enabled.sh | 2 +- .../4.61-ensure-nftables-is-not-enabled.sh | 2 +- ...4.62-ensure-nftables-service-is-enabled.sh | 2 +- ...-ensure-iptables-packages-are-installed.sh | 2 +- .../4.64-ensure-nftables-is-not-installed.sh | 2 +- ...-is-not-installed-or-stopped-and-masked.sh | 4 +- ...-ensure-system-histsize-as-100-or-other.sh | 10 
+--- .../4.67-ensure-system-histfilesize-100.sh | 10 +--- .../4.68-ensure-permissions-TMP-is-correct.sh | 2 +- .../4.70-ensure-xdmcp-is-not-enabled.sh | 2 +- .../4.8-ensure-aide-is-installed.sh | 2 +- ...lesystem-integrity-is-regularly-checked.sh | 4 +- 192 files changed, 600 insertions(+), 594 deletions(-) diff --git a/benchmarks/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.md b/benchmarks/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.md index 3e910c5..1da8b89 100644 --- a/benchmarks/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.md +++ b/benchmarks/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.md @@ -33,7 +33,7 @@ 1. 执行以下命令,验证`SSH`的`CRYPTO_POLICY`配置是否正确: ```bash -# grep -i '^\s*CRYPTO_POLICY=' /etc/sysconfig/sshd +# grep -iP '^\s*CRYPTO_POLICY\b\s*\=' /etc/sysconfig/sshd Nothing is returned ``` diff --git a/benchmarks/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.md b/benchmarks/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.md index cd22cbd..6d8a9dd 100644 --- a/benchmarks/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.md +++ b/benchmarks/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.md @@ -58,7 +58,7 @@ authselect enable-feature with-faillock /etc/pam.d/system-auth:auth required pam_faillock.so authfail deny=5 unlock_time=900 ``` -输出结果中应符合:`deny<=5`、`unlock_time<=900`。 +输出结果中应符合:`deny<=5`、`unlock_time>=900`。 ## 参考 diff --git a/benchmarks/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.md b/benchmarks/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.md index 92fffe3..031cddb 100644 --- a/benchmarks/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.md 
+++ b/benchmarks/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.md @@ -14,11 +14,17 @@ rsyslog 服务会生成新的日志文件,以下配置的作用在于控制这 目标:正确配置 rsyslog 默认文件权限。 -1. 编辑`/etc/rsyslog.conf`和`/etc/rsyslog.d/*.conf`文件,将`$FileCreateMode`的值设置为`0640`或更低: +1. 检查`/etc/rsyslog.conf`或`/etc/rsyslog.d/*.conf`(如有配置)文件中的`$FileCreateMode`参数值,将其设置为`0640`或更低。 ```bash -# echo "\$FileCreateMode 0640" >> /etc/rsyslog.conf -# echo "\$FileCreateMode 0640" >> /etc/rsyslog.d/listen.conf +# grep -Ps "^\s*\\\$FileCreateMode" /etc/rsyslog.conf /etc/rsyslog.d/*.conf +/etc/rsyslog.conf: $FileCreateMode 0640 +``` + +2. 如未配置,则在`/etc/rsyslog.conf`中添加`$FileCreateMode`参数: + +```bash +echo "\$FileCreateMode 0640" >> /etc/rsyslog.conf ``` ## 扫描检测 diff --git a/benchmarks/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.md b/benchmarks/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.md index a60dc25..ce0deb9 100644 --- a/benchmarks/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.md +++ b/benchmarks/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.md 
@@ -34,12 +34,17 @@ aarch64 - X86架构: ```bash -# echo -e "\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n" >> /etc/audit/rules.d/audit.rules +# echo -e "\n-a always,exit -F arch=b32 -S unlink,rename,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete\n-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete\n" >> /etc/audit/rules.d/audit.rules ``` - ARM架构: ```bash -# echo -e "\n-a always,exit -F arch=b64 -S unlinkat -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n" >> /etc/audit/rules.d/audit.rules +# echo -e "\n-a always,exit -F arch=b32 -S unlink,rename,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete\n-a always,exit -F arch=b64 -S unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete\n" >> /etc/audit/rules.d/audit.rules +``` + +执行以下命令,加载审计规则 +```bash +# augenrules --load ``` ## 扫描检测 
@@ -50,38 +55,38 @@ aarch64 - X86架构: ```bash -# grep -P "\-a\salways\,exit\s\-F\sarch=b(32|64)\s\-S\sunlink\s\-S\sunlinkat\s\-S\srename\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/rules.d/*.rules /etc/audit/*.rules +# grep -P "^(?=^\s*-a\s+always,exit)(?=.*-F\s+arch=)(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat)(?=.*-F\s+auid>=1000)(?=.*-F\s+auid!=-1)" /etc/audit/rules.d/*.rules /etc/audit/*.rules -/etc/audit/rules.d/audit.rules:-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete -/etc/audit/rules.d/audit.rules:-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete -/etc/audit/audit.rules:-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete -/etc/audit/audit.rules:-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +/etc/audit/rules.d/audit.rules:-a always,exit -F arch=b32 -S unlink,rename,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete +/etc/audit/rules.d/audit.rules:-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete +/etc/audit/audit.rules:-a always,exit -F arch=b32 -S unlink,rename,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete +/etc/audit/audit.rules:-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete ``` - ARM架构: ```bash -# grep -P "\-a\salways\,exit\s\-F\sarch=b(32|64)\s\-S\sunlink.*-k\sdelete" /etc/audit/rules.d/*.rules /etc/audit/*.rules +# grep -P "^(?=^\s*-a\s+always,exit)(?=.*-F\s+arch=)(?=.*unlinkat)(?=.*renameat)(?=.*-F\s+auid>=1000)(?=.*-F\s+auid!=-1)" /etc/audit/rules.d/*.rules /etc/audit/*.rules -/etc/audit/rules.d/audit.rules:-a always,exit -F arch=b64 -S unlinkat -S renameat -F auid>=1000 -F auid!=4294967295 -k delete 
-/etc/audit/rules.d/audit.rules:-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete -/etc/audit/audit.rules:-a always,exit -F arch=b64 -S unlinkat -S renameat -F auid>=1000 -F auid!=4294967295 -k delete -/etc/audit/audit.rules:-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +/etc/audit/rules.d/audit.rules:-a always,exit -F arch=b32 -S unlink,rename,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete +/etc/audit/rules.d/audit.rules:-a always,exit -F arch=b64 -S unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete +/etc/audit/audit.rules:-a always,exit -F arch=b32 -S unlink,rename,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete +/etc/audit/audit.rules:-a always,exit -F arch=b64 -S unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete ``` 2. 执行以下命令,检查文件删除审计收集是否正确加载: - X86架构: ```bash -# auditctl -l | grep -P "^\-a\s+always,exit\s+\-F\s+arch=b64\s+\-S\s+rename,unlink,unlinkat,renameat\s+\-F\s+auid>=1000\s+\-F\s+auid!=-1\s+\-F\s+key=delete" && auditctl -l | grep -P "^\-a\s+always,exit\s+\-F\s+arch=b32\s+\-S\s+unlink,rename,unlinkat,renameat\s+\-F\s+auid>=1000\s+\-F\s+auid!=-1\s+\-F\s+key=delete" --a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete +# auditctl -l | grep -P "^(?=^\s*-a\s+always,exit)(?=.*-F\s+arch=)(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat)(?=.*-F\s+auid>=1000)" -a always,exit -F arch=b32 -S unlink,rename,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete +-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete ``` - ARM架构: ```bash -# auditctl -l | grep -P "^\-a\s+always,exit\s+\-F\s+arch=b64\s+\-S\s+unlinkat,renameat\s+-F\s+auid>=1000\s+-F\s+auid!=-1\s+-F\s+key=delete" && auditctl -l | grep -P 
"^\-a\s+always,exit\s+\-F\s+arch=b32\s+\-S\s+unlink,rename,unlinkat,renameat\s+\-F\s+auid>=1000\s+\-F\s+auid!=-1\s+\-F\s+key=delete" --a always,exit -F arch=b64 -S unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete +# auditctl -l | grep -P "^(?=^\s*-a\s+always,exit)(?=.*-F\s+arch=)(?=.*unlinkat)(?=.*renameat)(?=.*-F\s+auid>=1000)" -a always,exit -F arch=b32 -S unlink,rename,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete +-a always,exit -F arch=b64 -S unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete ``` 如输出结果符合预期,则视为通过此项检查。 diff --git a/benchmarks/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.md b/benchmarks/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.md index a2dde14..bb6bb07 100644 --- a/benchmarks/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.md +++ b/benchmarks/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.md @@ -18,6 +18,11 @@ # echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope" >> /etc/audit/rules.d/audit.rules ``` +执行以下命令,加载审计规则 +```bash +# augenrules --load +``` + ## 扫描检测 确保收集对系统管理范围(sudoers)的更改。 diff --git a/benchmarks/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.md b/benchmarks/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.md index f828856..0406a48 100644 --- a/benchmarks/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.md +++ b/benchmarks/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.md 
@@ -18,6 +18,11 @@ # echo -e "-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n" >> /etc/audit/rules.d/audit.rules ``` +执行以下命令,加载审计规则 +```bash +# augenrules --load +``` + ## 扫描检测 确保收集修改用户/组信息的事件。 diff --git a/benchmarks/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.md b/benchmarks/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.md index 767267e..377f5c4 100644 --- a/benchmarks/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.md +++ b/benchmarks/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.md @@ -15,7 +15,7 @@ 1. 运行以下命令,在`/etc/audit/rules.d/stig.rules`文件中添加或更新审计规则: ```bash -# grep -qs "\-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd" /etc/audit/rules.d/stig.rules || echo -e "-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd" >> /etc/audit/rules.d/stig.rules +# grep -Ps "^\s*-a always,exit \-F path=/usr/bin/chsh \-F perm=x$" /etc/audit/rules.d/*.rules || echo -e "-a always,exit -S all -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F key=priv_cmd" >> /etc/audit/rules.d/stig.rules ``` 2. 执行以下命令,加载审计规则: 
@@ -30,8 +30,8 @@ ```bash # grep chsh /etc/audit/rules.d/*.rules /etc/audit/*.rules -/etc/audit/rules.d/stig.rules:-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd -/etc/audit/audit.rules:-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd +/etc/audit/rules.d/stig.rules:-a always,exit -S all -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=-1 -F key=priv_cmd +/etc/audit/audit.rules:-a always,exit -S all -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=-1 -F key=priv_cmd ``` 2. 执行以下命令,检测chsh命令的审计规则是否已正确加载: diff --git a/benchmarks/logging-and-auditing/2.27-ensure-that-the-firewall-logging-function-is-enabled.md b/benchmarks/logging-and-auditing/2.27-ensure-that-the-firewall-logging-function-is-enabled.md index c0dbbf4..4226e87 100644 --- a/benchmarks/logging-and-auditing/2.27-ensure-that-the-firewall-logging-function-is-enabled.md +++ b/benchmarks/logging-and-auditing/2.27-ensure-that-the-firewall-logging-function-is-enabled.md @@ -14,6 +14,12 @@ 目标:开启防火墙日志记录功能 +**防火墙日志记录功能需开启firewalld服务,请在进行修复前检查firewalld服务是否正常运行。** +**如firewalld未启用,以下配置将无法生效。** +**可参考:** +**[4.58 确保已安装防火墙软件包](https://gitee.com/anolis/security-benchmark/blob/master/benchmarks/system-configurations/4.58-ensure-a-firewall-package-is-installed.md)** +**[4.59 确保防火墙服务已启用且运行状态正常](https://gitee.com/anolis/security-benchmark/blob/master/benchmarks/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.md)** + 1. 修改`firewalld`配置文件,添加或修改`LogDenied`参数,以开启防火墙日志功能。 ```bash @@ -32,10 +38,13 @@ systemctl restart firewalld.service 1. 使用以下命令,检查防火墙日志是否正确启用: ```bash -# firewall-cmd --get-log-denied +# firewall-cmd --get-log-denied 2>&1 | awk '{ if ($0 == "all") print; else print "fail"; }' all + +# grep -P "^\s*LogDenied=\s*" /etc/firewalld/firewalld.conf +LogDenied=all ``` -如执行结果为`all`则视为通过此项检查。 +如输出结果符合预期,则视为通过此项检查。 ## 参考 
diff --git a/benchmarks/logging-and-auditing/2.29-ensure-sudo-log-are-collected.md b/benchmarks/logging-and-auditing/2.29-ensure-sudo-log-are-collected.md index 15054a8..397bf55 100644 --- a/benchmarks/logging-and-auditing/2.29-ensure-sudo-log-are-collected.md +++ b/benchmarks/logging-and-auditing/2.29-ensure-sudo-log-are-collected.md @@ -25,7 +25,7 @@ Defaults logfile=/var/log/sudo.log 1. 执行以下命令,检查审计规则是否正确写入配置文件: ```bash -# grep -Ps "^Defaults\slogfile\=.*\.log$" /etc/sudoers +# grep -P "^\s*Defaults\s+logfile\s*=\s*" /etc/sudoers Defaults logfile=/var/log/sudo.log ``` diff --git a/benchmarks/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.md b/benchmarks/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.md index 4d8a62e..0a17bd2 100644 --- a/benchmarks/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.md +++ b/benchmarks/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.md 
@@ -31,16 +31,7 @@ 1. 执行以下命令,添加审计规则: ```bash -UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) -[ -n "${UID_MIN}" ] && printf " --a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod --a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod --a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod -" >> /etc/audit/rules.d/50-perm_mod.rules \ -|| printf "ERROR: Variable 'UID_MIN' is unset.\n" +# echo -e "-a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F key=perm_mod\n-a always,exit -F arch=b32 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F key=perm_mod" >> /etc/audit/rules.d/50-perm_mod.rules ``` 2. 执行以下命令,加载审计规则: 
@@ -54,57 +45,29 @@ UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) 1. 执行以下命令,检查审计规则是否正确写入配置文件: ```bash -UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) -[ -n "${UID_MIN}" ] && awk "/^ *-a *always,exit/ \ -&&/ -F *arch=b[2346]{2}/ \ -&&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) \ -&&/ -S/ \ -&&/ -F *auid>=${UID_MIN}/ \ -&&(/chmod/||/fchmod/||/fchmodat/ \ - ||/chown/||/fchown/||/fchownat/||/lchown/ \ - ||/setxattr/||/lsetxattr/||/fsetxattr/ \ - ||/removexattr/||/lremovexattr/||/fremovexattr/) \ -&&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules /etc/audit/*.rules \ -|| printf "ERROR: Variable 'UID_MIN' is unset.\n" +# grep -P "^(?=^\s*-a\s+always,exit)(?=.*-F\s+arch=)(?=.*chmod)(?=.*fchmod)(?=.*chown)(?=.*fchown)(?=.*lchown)(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr)(?=.*fchownat)(?=.*fchmodat)" /etc/audit/rules.d/*.rules /etc/audit/*.rules ``` - 预期输出结果 ``` --a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod +/etc/audit/rules.d/50-perm_mod.rules:-a always,exit -F arch=b32 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod +/etc/audit/rules.d/50-perm_mod.rules:-a always,exit -F arch=b64 -S 
chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod +/etc/audit/audit.rules:-a always,exit -F arch=b32 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod +/etc/audit/audit.rules:-a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod ``` 2. 执行以下命令,审计规则是否正确加载: ```bash -UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) -[ -n "${UID_MIN}" ] && auditctl -l | awk "/^ *-a *always,exit/ \ -&&/ -F *arch=b[2346]{2}/ \ -&&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) \ -&&/ -S/ \ -&&/ -F *auid>=${UID_MIN}/ \ -&&(/chmod/||/fchmod/||/fchmodat/ \ - ||/chown/||/fchown/||/fchownat/||/lchown/ \ - ||/setxattr/||/lsetxattr/||/fsetxattr/ \ - ||/removexattr/||/lremovexattr/||/fremovexattr/) \ -&&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" \ -|| printf "ERROR: Variable 'UID_MIN' is unset.\n" +# auditctl -l | grep -P "^(?=^\s*-a\s+always,exit)(?=.*-F\s+arch=)(?=.*chmod)(?=.*fchmod)(?=.*chown)(?=.*fchown)(?=.*lchown)(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr)(?=.*fchownat)(?=.*fchmodat)" ``` - 预期输出结果 ``` --a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod --a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod --a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod --a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=-1 -F key=perm_mod --a always,exit -F arch=b32 -S 
setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=-1 -F key=perm_mod +-a always,exit -F arch=b32 -S chmod,lchown,fchmod,fchown,chown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod +-a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod ``` 如输出结果均符合预期,则视为通过此项检查。 diff --git a/benchmarks/services/3.26-disable-usb-storage.md b/benchmarks/services/3.26-disable-usb-storage.md index 5375fdd..239d821 100644 --- a/benchmarks/services/3.26-disable-usb-storage.md +++ b/benchmarks/services/3.26-disable-usb-storage.md @@ -45,7 +45,7 @@ install usb-storage /bin/true ```bash # modprobe -n -v usb-storage install /bin/true -# lsmod | grep usb-storage +# lsmod | grep -P "^usb(_|-)storage\b" ``` diff --git a/benchmarks/system-configurations/4.66-ensure-system-histsize-as-100-or-other.md b/benchmarks/system-configurations/4.66-ensure-system-histsize-as-100-or-other.md index 2ec80ce..920010b 100644 --- a/benchmarks/system-configurations/4.66-ensure-system-histsize-as-100-or-other.md +++ b/benchmarks/system-configurations/4.66-ensure-system-histsize-as-100-or-other.md 
@@ -6,14 +6,22 @@ ## 描述 -建议系统限制查看历史命令的数量,建议50或100(参考三级标准) +HISTSIZE 是一个在 Unix 和类 Unix 系统(如 Linux)的 shell 环境中设置的变量,它定义了 shell 会话中命令历史记录的数量。具体来说,HISTSIZE 决定了在当前 shell 会话中可以保存和回顾的命令行的最大数量。 + +当用户在一个 shell 会话中输入命令时,这些命令会被保存在一个历史列表中,用户可以通过按上下箭头键来浏览这个列表,从而快速访问之前输入过的命令。HISTSIZE 变量的值就决定了这个历史列表的大小。 + +例如,如果 HISTSIZE 被设置为 100,那么 shell 会保存最近的 1000 条命令。当用户输入第 1001 条命令时,最早的那条命令将从历史记录中被移除,以确保历史列表的大小不会超过 100。 + +需要注意的是,HISTSIZE 只影响当前 shell 会话中的命令历史记录数量。如果想要永久保存命令历史记录,可以将它们添加到 .bash_history 文件或其他相应的历史文件中,这通常是通过设置另一个变量 HISTFILESIZE 来实现的。HISTFILESIZE 定义了保存在 .bash_history 文件中的命令的最大数量。 + +从安全性的角度来看,合理设置 HISTSIZE 的值是很重要的,以避免敏感信息(如密码、密钥等)被保存在历史记录中并被其他用户或进程访问。建议设置为100以下。(默认为1000) ## 修复建议 查看profile文件中环境变量HISTSIZE的值,运行以下命令设置历史命令记录数量为100并生效: ```bash -# grep -qiP "^HISTSIZE" /etc/profile && sed -i "/^HISTSIZE/cHISTSIZE=100" /etc/profile || echo -e "HISTSIZE=100" >> /etc/profile +# grep -qP "^HISTSIZE" /etc/profile && sed -i "/^HISTSIZE/cHISTSIZE=100" /etc/profile || echo -e "HISTSIZE=100" >> /etc/profile # source /etc/profile ``` @@ -27,10 +35,10 @@ 2.查看profile文件HISTSIZE设置的值: ```bash -# grep -iP "^HISTSIZE" /etc/profile +# grep -P "^HISTSIZE" /etc/profile HISTSIZE=100 ``` -如果检测1中输出为100,且检测2中输出为HISTSIZE=100,说明则通过检查,否则检测未通过。 +如以上输出的结果均小于等于100,则通过此项检查,否则检测未通过。 ## 参考 diff --git a/benchmarks/system-configurations/4.67-ensure-system-histfilesize-100.md b/benchmarks/system-configurations/4.67-ensure-system-histfilesize-100.md index fcd3c5c..c2d8efc 100644 --- a/benchmarks/system-configurations/4.67-ensure-system-histfilesize-100.md +++ b/benchmarks/system-configurations/4.67-ensure-system-histfilesize-100.md 
@@ -6,31 +6,36 @@ ## 描述 -建议系统对bash_history文件保存命令条数进行限制 +`HISTFILESIZE` 是一个 shell 变量,它定义了保存在历史命令文件中的最大行数。历史命令默认保存在用户的家目录下的 `.bash_history` 文件中。当用户在 shell 中执行命令时,这些命令会被记录在这个文件中,以便用户可以在稍后的时间使用 history 命令查看它们。 +`HISTFILESIZE` 变量的值决定了 .bash_history 文件中可以保存的最大命令数量。如果 `.bash_history` 文件中的命令行数超过 `HISTFILESIZE`的值,那么最早的命令将被删除,以便为新的命令腾出空间。 + +限制命令历史的大小:较小的 `HISTFILESIZE` 值可以减少保存在 `.bash_history`文件中的敏感信息数量。例如,如果用户在命令行中输入了密码、密钥或其他敏感数据(尽管这通常是不建议的),那么这些数据可能会被记录在命令历史中。通过限制历史记录的大小,可以降低这些数据被未经授权的用户访问的风险。 + +建议将 `HISTFILESIZE` 的值配置为100以下(默认值为1000)。 ## 修复建议 -查看profile文件中环境变量HISTFILESIZE的值,运行以下命令设置历史命令保存条数为100并生效: +查看profile文件中环境变量`HISTFILESIZE`的值,运行以下命令设置历史命令保存条数为100并生效: ```bash -# grep -qiP "^HISTFILESIZE" /etc/profile && sed -i "/^HISTFILESIZE/cexport HISTFILESIZE=100" /etc/profile || echo -e "export HISTFILESIZE=100" >> /etc/profile +# grep -qP "^HISTFILESIZE" /etc/profile && sed -i "/^HISTFILESIZE/cHISTFILESIZE=100" /etc/profile || echo -e "HISTFILESIZE=100" >> /etc/profile # source /etc/profile ``` ## 扫描检测 -1.查看环境变量HISTFILESIZE设置的值: +1.查看环境变量`HISTFILESIZE`设置的值: ```bash # echo $HISTFILESIZE 100 ``` -2.查看profile文件HISTFILESIZE设置的值: +2.查看profile文件`HISTFILESIZE`设置的值: ```bash -# grep -iP "HISTFILESIZE" /etc/profile +# grep -P "^HISTFILESIZE" /etc/profile HISTFILESIZE=100 ``` -如果检测1中输出为100,且检测2中输出为HISTFILESIZE=100,说明则通过检查,否则检测未通过。 +如以上输出的结果均小于等于100,则通过此项检查,否则检测未通过。 ## 参考 diff --git a/remediation-kits/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh b/remediation-kits/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh index 69e213e..e4ef60a 100644 --- a/remediation-kits/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh +++ b/remediation-kits/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh 
@@ -1,2 +1 @@
-grep -Psq "^\\\$FileCreateMode 0640" /etc/rsyslog.conf || echo "\$FileCreateMode 0640" >> /etc/rsyslog.conf
-grep -Psq "^\\\$FileCreateMode 0640" /etc/rsyslog.d/listen.conf || echo "\$FileCreateMode 0640" >> /etc/rsyslog.d/listen.conf
+grep -Psq "^\\\$FileCreateMode 0640" /etc/rsyslog.conf || echo "\$FileCreateMode 0640" >> /etc/rsyslog.conf
\ No newline at end of file
diff --git a/remediation-kits/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh b/remediation-kits/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh
index e79ad76..f52af7f 100644
--- a/remediation-kits/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh
+++ b/remediation-kits/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh
@@ -1,7 +1,15 @@
-if [[ `arch` == 'aarch64' ]] && [[ `uname -m` == 'aarch64' ]] ; then
- grep -Pq "\-a\salways\,exit\s\-F\sarch=b(32|64)\s\-S\sunlink.*-k\sdelete" /etc/audit/rules.d/audit.rules || echo -e "\n-a always,exit -F arch=b64 -S unlinkat -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n" >> /etc/audit/rules.d/audit.rules
+Rule32="-a always,exit -F arch=b32 -S unlink,rename,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete"
+x86Rule64="-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete"
+
+armRule64="-a always,exit -F arch=b64 -S unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete"
+
+checkRule="^(?=^\s*-a\s+always,exit)(?=.*-F\s+arch=b(64|32))(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat)(?=.*-F\s+auid>=1000)"
+checkRuleArm="^(?=^\s*-a\s+always,exit)(?=.*-F\s+arch=b(64|32))(?=.*unlinkat)(?=.*renameat)(?=.*-F\s+auid>=1000)"
+
+if [[ $(arch) == 'aarch64' ]] && [[ $(uname -m) == 'aarch64' ]] ; then
+ grep -Psq "$checkRuleArm" /etc/audit/rules.d/audit.rules || echo -e "\n$Rule32\n$armRule64\n" >> /etc/audit/rules.d/audit.rules
 else
- grep -Pq "\-a\salways\,exit\s\-F\sarch=b(32|64)\s\-S\sunlink.*-k\sdelete" /etc/audit/rules.d/audit.rules || echo -e "\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n" >> /etc/audit/rules.d/audit.rules
+ grep -Psq "$checkRule" /etc/audit/rules.d/audit.rules || echo -e "\n$Rule32\n$x86Rule64\n" >> /etc/audit/rules.d/audit.rules
 fi
 augenrules --load
\ No newline at end of file
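Review bot: `checkRule` and `checkRuleArm` accept `arch=b(64|32)` on a single line, so a file that already holds only one architecture's delete rule (say a b32 line left by an earlier run) satisfies the grep and the other rule is never appended; the `(?=.*rename)` and `(?=.*unlink)` lookaheads add nothing because `renameat` and `unlinkat` already contain them, so the x86 branch is also satisfied by the ARM-style `unlinkat,renameat` rule. A per-arch probe, as the 2.32 kit in this same commit does with its `for BIT in b32 b64` loop, closes both gaps, and word-bounded names (`\bunlink\b`) can be added to the x86 b64 call if the fuller syscall list must be enforced. `$(arch)` and `$(uname -m)` report the same value, so one of the two tests is redundant.
```shell
# … unchanged: Rule32 / x86Rule64 / armRule64 definitions …
rules_file=/etc/audit/rules.d/audit.rules
# $1 = b32|b64, $2 = rule to append when no delete rule for that arch exists
ensure_delete_rule() {
  grep -Psq "^\s*-a\s+always,exit(?=.*-F\s+arch=$1\b)(?=.*\bunlinkat\b)(?=.*\brenameat\b)(?=.*-F\s+auid>=1000)" "$rules_file" \
    || echo "$2" >> "$rules_file"
}
ensure_delete_rule b32 "$Rule32"
if [[ $(uname -m) == 'aarch64' ]]; then
  ensure_delete_rule b64 "$armRule64"
else
  ensure_delete_rule b64 "$x86Rule64"
fi
# … unchanged: augenrules --load …
```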
diff --git a/remediation-kits/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.sh b/remediation-kits/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.sh
index fd6c681..1e3a00c 100644
--- a/remediation-kits/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.sh
+++ b/remediation-kits/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.sh
@@ -1,3 +1,3 @@
 #!/usr/bin/env bash
-grep -qs "\-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd" /etc/audit/rules.d/stig.rules || echo -e "-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd" >> /etc/audit/rules.d/stig.rules
-augenrules --load
\ No newline at end of file
+grep -Ps "^(?=^\s*-a\s+always,exit)(?=.*-S\s+all)(?=.*-F\s+path=/usr/bin/chsh)(?=.*-F\s+perm=x)(?=.*-F\s+auid>=1000)(?=.*-F\s+auid!=-1)" /etc/audit/rules.d/*.rules || echo -e "-a always,exit -S all -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=-1 -F key=priv_cmd" >> /etc/audit/rules.d/stig.rules
+augenrules --load
diff --git a/remediation-kits/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh b/remediation-kits/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh
index eb27c28..61db05a 100644
--- a/remediation-kits/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh
+++ b/remediation-kits/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh
@@ -1,3 +1 @@
-grep -Psq "^Defaults\slogfile\=.*\.log$" /etc/sudoers || echo "Defaults logfile=/var/log/sudo.log" >> /etc/sudoers
-
-auditctl -s | grep "enabled"
\ No newline at end of file
+grep -Psq "^\s*Defaults\s+logfile\s*=\s*(/?)([a-zA-Z0-9_.-]+/?)*" /etc/sudoers || echo "Defaults logfile=/var/log/sudo.log" >> /etc/sudoers
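Review bot: The new `grep -Ps` drops the `-q` the old line had, so every run now prints any matching rule to stdout before `augenrules --load`; `grep -Psq ...` restores the silent test. The probe also requires `-S all` and `auid!=-1`, which the rule written by the previous version of this kit (`... -F auid>=1000 -F auid!=4294967295 -k priv_cmd`, no `-S all`) does not carry, so a host remediated earlier fails the check and gets a second, near-duplicate chsh rule appended to `stig.rules` instead of an in-place update; either relax those two lookaheads or rewrite the legacy line with `sed`. `echo -e` has nothing to expand here, and plain `echo` (or `printf '%s\n'`) avoids surprises should a later rule string contain a backslash.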
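Review bot: The value part of the new regex, `(/?)([a-zA-Z0-9_.-]+/?)*`, can match the empty string, so `Defaults logfile=` with no path satisfies the check and nothing is written; `^\s*Defaults\s+logfile\s*=\s*\S+` is enough to demand a non-empty path. Appending to `/etc/sudoers` with `echo >>` also skips the syntax check `visudo` performs, and one malformed line locks every user out of sudo, so a `visudo -cf /etc/sudoers` after the write (or writing the line to a file under `/etc/sudoers.d/` through `visudo -f`) is worth adding. Dropping the stray `auditctl -s | grep "enabled"` is fine; it only printed a status line.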
diff --git a/remediation-kits/logging-and-auditing/2.31-ensure-use-of-privileged-commands-are-collected.sh b/remediation-kits/logging-and-auditing/2.31-ensure-use-of-privileged-commands-are-collected.sh
index 86bd65d..a81c7b7 100644
--- a/remediation-kits/logging-and-auditing/2.31-ensure-use-of-privileged-commands-are-collected.sh
+++ b/remediation-kits/logging-and-auditing/2.31-ensure-use-of-privileged-commands-are-collected.sh
@@ -1,3 +1,4 @@
+#! /bin/bash
 build_audit_rules() (
 UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
diff --git a/remediation-kits/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh b/remediation-kits/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh
index 91c3d4c..d9de6a4 100644
--- a/remediation-kits/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh
+++ b/remediation-kits/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh
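Review bot: The shebang added here, `#! /bin/bash`, differs from the `#!/usr/bin/env bash` form the 2.24 kit in this same commit already carries; both work, but the kits should settle on one spelling. The body of `build_audit_rules` continues outside the hunk.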
@@ -1,8 +1,6 @@
-grep -Psq "^\-a\s+always,exit\s+\-F\s+arch=b64\s+\-S\s+chmod,fchmod,fchmodat\s+\-F\s+auid>=1000\s+\-F\s+auid!=unset\s+\-F\s+key=.*$" /etc/audit/rules.d/*.rules || echo "-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod" >> /etc/audit/rules.d/50-perm_mod.rules
-grep -Psq "^\-a\s+always,exit\s+\-F\s+arch=b64\s+\-S\s+chown,fchown,lchown,fchownat\s+\-F\s+auid>=1000\s+\-F\s+auid!=unset\s+\-F\s+key=.*$" /etc/audit/rules.d/*.rules || echo "-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod" >> /etc/audit/rules.d/50-perm_mod.rules
-grep -Psq "^\-a\s+always,exit\s+\-F\s+arch=b32\s+\-S\s+chmod,fchmod,fchmodat\s+\-F\s+auid>=1000\s+\-F\s+auid!=unset\s+\-F\s+key=.*$" /etc/audit/rules.d/*.rules || echo "-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod" >> /etc/audit/rules.d/50-perm_mod.rules
-grep -Psq "^\-a\s+always,exit\s+\-F\s+arch=b32\s+\-S\s+lchown,fchown,chown,fchownat\s+\-F\s+auid>=1000\s+\-F\s+auid!=unset\s+\-F\s+key=.*$" /etc/audit/rules.d/*.rules || echo "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod" >> /etc/audit/rules.d/50-perm_mod.rules
-grep -Psq "^\-a\s+always,exit\s+\-F\s+arch=b64\s+\-S\s+setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr\s+\-F\s+auid>=1000\s+\-F\s+auid!=unset\s+\-F\s+key=.*$" /etc/audit/rules.d/*.rules || echo "-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod" >> /etc/audit/rules.d/50-perm_mod.rules
-grep -Psq "^\-a\s+always,exit\s+\-F\s+arch=b32\s+\-S\s+setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr\s+\-F\s+auid>=1000\s+\-F\s+auid!=unset\s+\-F\s+key=.*$" /etc/audit/rules.d/*.rules || echo "-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod" >> /etc/audit/rules.d/50-perm_mod.rules
+for BIT in b32 b64 ; do
+ checkRule="^(?=^\s*-a\s+always,exit)(?=.*-F\s+arch=$BIT)(?=.*chmod)(?=.*fchmod)(?=.*chown)(?=.*fchown)(?=.*lchown)(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr)(?=.*fchownat)(?=.*fchmodat)"
+ grep -Pq $checkRule /etc/audit/rules.d/*.rules /etc/audit/*.rules || echo "-a always,exit -F arch=$BIT -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod" >> /etc/audit/rules.d/50-perm_mod.rules
+done
 augenrules --load
\ No newline at end of file
diff --git a/remediation-kits/services/3.26-disable-usb-storage.sh b/remediation-kits/services/3.26-disable-usb-storage.sh
index 2208280..d4d3218 100644
--- a/remediation-kits/services/3.26-disable-usb-storage.sh
+++ b/remediation-kits/services/3.26-disable-usb-storage.sh
@@ -1,2 +1,2 @@
 grep -Psq "^install\s+usb\-storage\s+\/bin\/true$" /etc/modprobe.d/*.conf || echo "install usb-storage /bin/true" >> /etc/modprobe.d/usb_storage.conf
-[[ $(lsmod | grep usb-storage) ]] && rmmod usb-storage
+[[ $(lsmod | grep -P "^usb(_|-)storage\b") ]] && rmmod usb-storage
diff --git a/scanners/access-and-control/1.1-ensure-cron-daemon-is-enabled.sh b/scanners/access-and-control/1.1-ensure-cron-daemon-is-enabled.sh
index b801c6b..708f491 100644
--- a/scanners/access-and-control/1.1-ensure-cron-daemon-is-enabled.sh
+++ b/scanners/access-and-control/1.1-ensure-cron-daemon-is-enabled.sh
@@ -1,5 +1,5 @@
 result=$(systemctl is-enabled crond)
-if [ $result = enabled ]; then
+if [[ $result == "enabled" ]]; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/access-and-control/1.10-ensure-ssh-access-is-limited.sh b/scanners/access-and-control/1.10-ensure-ssh-access-is-limited.sh
index b83cf91..e939fc4 100644
--- a/scanners/access-and-control/1.10-ensure-ssh-access-is-limited.sh
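Review bot: `grep -Pq $checkRule ...` expands the pattern unquoted; it survives only because the regex happens to contain no whitespace, and its `*` and `?` characters are still exposed to pathname expansion, so write `grep -Psq "$checkRule" ...` as the 2.21 kit does. The probe also searches `/etc/audit/*.rules`, but `/etc/audit/audit.rules` is the file `augenrules --load` regenerates from `rules.d/`, so a rule present only in the generated file satisfies the check, is never copied into `50-perm_mod.rules`, and then disappears at the reload that follows; search `/etc/audit/rules.d/*.rules` alone. Word-bounding the syscall lookaheads (`(?=.*\bchmod\b)`) would also stop `chmod` being satisfied by `fchmod`, though with the full list required that is cosmetic.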
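Review bot: `[[ $(lsmod | grep -P "^usb(_|-)storage\b") ]]` tests captured output as a non-empty string, which `[[ ]]` tolerates but ShellCheck flags (SC2070); the idiomatic form is `lsmod | grep -Pq '^usb[_-]storage\b' && rmmod usb-storage`, which also drops the subshell and the unquoted expansion. lsmod prints module names with underscores, so the `_|-` alternation is sound, and the `\b` correctly keeps longer names starting with `usb_storage` from matching.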
+++ b/scanners/access-and-control/1.10-ensure-ssh-access-is-limited.sh
@@ -1,8 +1,8 @@
 result=false
-sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Piq '^\h*(allow|deny)(users|groups)\h+\H+(\h+.*)?$' && grep -Piq '^\h*(allow|deny)(users|groups)\h+\H+(\h+.*)?$' /etc/ssh/sshd_config && result=true
+sshd -T | grep -Piq '^(allow|deny)(users|groups)\s+.*' && grep -Piq '^\h*(allow|deny)(users|groups)\h+.*$' /etc/ssh/sshd_config && result=true
-if [ "$result" = true ]; then
+if [[ "$result" == "true" ]]; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/access-and-control/1.11-ensure-permissions-on-ssh-private-host-key-files-are-configured.sh b/scanners/access-and-control/1.11-ensure-permissions-on-ssh-private-host-key-files-are-configured.sh
index 9737c3a..ab197fd 100644
--- a/scanners/access-and-control/1.11-ensure-permissions-on-ssh-private-host-key-files-are-configured.sh
+++ b/scanners/access-and-control/1.11-ensure-permissions-on-ssh-private-host-key-files-are-configured.sh
@@ -4,7 +4,7 @@ result_ssh_keys=false
 find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec stat -c %G-%U-%a {} \; | grep -Piq "root\-root\-([7][1-7][1-7]|[0-7][1-7][1-7])" || result_root=true
 find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec stat -c %G-%U-%a {} \; | grep -Piq "ssh_keys\-root\-([7][5-7][1-7]|[0-7][5-7][1-7])" || result_ssh_keys=true
-if [[ "$result_root" == true && "$result_ssh_keys" == true ]]; then
+if [[ "$result_root" == "true" && "$result_ssh_keys" == "true" ]]; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/access-and-control/1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured.sh b/scanners/access-and-control/1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured.sh
index 4a24cd5..545fbba 100644
--- a/scanners/access-and-control/1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured.sh
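Review bot: The rewritten patterns drop the `\H+` the old regexes required after the directive name, so `AllowUsers` followed only by whitespace now satisfies both greps; `'^(allow|deny)(users|groups)\s+\S+'` for the `sshd -T` side and `'^\h*(allow|deny)(users|groups)\h+\H+'` for the file keep the check demanding at least one name. Removing the `-C user=... host=... addr=...` triple fixes the fragile `/etc/hosts` lookup, but `sshd -T` without `-C` does not evaluate `Match` blocks, so a restriction living only inside one is no longer seen; that is acceptable if the benchmark expects a global directive, and a comment saying so would help. Likewise the file grep reads only `/etc/ssh/sshd_config`, so a directive kept in an `Include`d drop-in makes the check fail even though `sshd -T` reports it.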
+++ b/scanners/access-and-control/1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured.sh
@@ -1,8 +1,8 @@
 result=false
-find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec stat -c %G-%U-%a {} \; | grep -Pi "root\-root\-([7][5-7][5-7]|[0-7][5-7][5-7])" || result=true
+find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec stat -c %G-%U-%a {} \; | grep -Piq "root\-root\-([7][5-7][5-7]|[0-7][5-7][5-7])" || result=true
-if [[ "$result" == true ]]; then
+if [[ "$result" == "true" ]]; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh b/scanners/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh
index 910f665..9756b8c 100644
--- a/scanners/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh
+++ b/scanners/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh
@@ -1,5 +1,5 @@
-loadedSystemConfig=$(sshd -T | grep -Pi "^loglevel\b\s+(INFO|VERBOSE)$")
-configFileSettings=$(grep -Pi '^\s*loglevel\b\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*loglevel\b\s+(INFO|VERBOSE)\b')
+loadedSystemConfig=$(sshd -T | grep -Pi "^loglevel\s+(INFO|VERBOSE)$")
+configFileSettings=$(grep -Pi '^\s*loglevel\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*loglevel\s+(INFO|VERBOSE)\b')
 [[ -z $loadedSystemConfig ]] && echo 'fail' && exit 1
 [[ -z $configFileSettings && -n $loadedSystemConfig ]] && echo 'pass' || echo 'fail'
diff --git a/scanners/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh b/scanners/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh
index 9d16330..2b29e11 100644
--- a/scanners/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh
+++ b/scanners/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh
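Review bot: This scanner is the only sshd_config check in this commit whose file grep lacks `-m1`; 1.14 through 1.20 switch to `grep -Pim1`, and since sshd uses the first occurrence of a keyword, the first match is the effective one, so `grep -Pim1 '^\s*loglevel\s+' /etc/ssh/sshd_config` here would make the set consistent. For all of these scanners (1.13–1.20) the file half ignores any `Include`d drop-in, so a compliant value set there with a stale non-compliant line left in `sshd_config` reports `fail` although `sshd -T` shows the compliant value; that fails closed, but a one-line comment noting it would spare the next reader the puzzle.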
@@ -1,5 +1,5 @@
-loadedSystemConfig=$(sshd -T | grep -Pi '^\s*maxauthtries\b\s+[0-4]$')
-configFileSettings=$(grep -Pi '^\s*maxauthtries\b\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*maxauthtries\b\s+[0-4]{1}\b')
+loadedSystemConfig=$(sshd -T | grep -Pi '^\s*maxauthtries\s+[0-4]$')
+configFileSettings=$(grep -Pim1 '^\s*maxauthtries\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*maxauthtries\s+[0-4]{1}\b')
 [[ -z $loadedSystemConfig ]] && echo 'fail' && exit 1
 [[ -z $configFileSettings && -n $loadedSystemConfig ]] && echo 'pass' || echo 'fail'
diff --git a/scanners/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh b/scanners/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh
index 632bee7..8f30d5b 100644
--- a/scanners/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh
+++ b/scanners/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh
@@ -1,5 +1,5 @@
-loadedSystemConfig=$(sshd -T | grep -Pi "^ignorerhosts\b\s+yes$")
-configFileSettings=$(grep -Pi '^\s*ignorerhosts\b' /etc/ssh/sshd_config | grep -Pvi '^\s*ignorerhosts\b\s+yes\b')
+loadedSystemConfig=$(sshd -T | grep -Pi "^ignorerhosts\s+yes$")
+configFileSettings=$(grep -Pim1 '^\s*ignorerhosts\b' /etc/ssh/sshd_config | grep -Pvi '^\s*ignorerhosts\s+yes\b')
 [[ -z $loadedSystemConfig ]] && echo 'fail' && exit 1
 [[ -z $configFileSettings && -n $loadedSystemConfig ]] && echo 'pass' || echo 'fail'
diff --git a/scanners/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh b/scanners/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh
index 970daf4..e77578e 100644
--- a/scanners/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh
+++ b/scanners/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh
@@ -1,5 +1,5 @@
-loadedSystemConfig=$(sshd -T | grep -Pi "^hostbasedauthentication\b\s+no$")
-configFileSettings=$(grep -Pi '^\s*hostbasedauthentication\b\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*hostbasedauthentication\b\s+no\b')
+loadedSystemConfig=$(sshd -T | grep -Pi "^hostbasedauthentication\s+no$")
+configFileSettings=$(grep -Pim1 '^\s*hostbasedauthentication\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*hostbasedauthentication\s+no\b')
 [[ -z $loadedSystemConfig ]] && echo 'fail' && exit 1
 [[ -z $configFileSettings && -n $loadedSystemConfig ]] && echo 'pass' || echo 'fail'
diff --git a/scanners/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh b/scanners/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh
index 108c4b8..ab9dc77 100644
--- a/scanners/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh
+++ b/scanners/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh
@@ -1,5 +1,5 @@
-loadedSystemConfig=$(sshd -T | grep -Pi "^permitrootlogin\b\s+no$")
-configFileSettings=$(grep -Pi '^\s*permitrootlogin\b\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*permitrootlogin\b\s+no\b')
+loadedSystemConfig=$(sshd -T | grep -Pi "^permitrootlogin\s+no$")
+configFileSettings=$(grep -Pim1 '^\s*permitrootlogin\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*permitrootlogin\s+no\b')
 [[ -z $loadedSystemConfig ]] && echo 'fail' && exit 1
 [[ -z $configFileSettings && -n $loadedSystemConfig ]] && echo 'pass' || echo 'fail'
diff --git a/scanners/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh b/scanners/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh
index 6e1d550..80641bb 100644
--- a/scanners/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh
+++ b/scanners/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh
@@ -1,5 +1,5 @@
-loadedSystemConfig=$(sshd -T | grep -Pi "^permitemptypasswords\b\s+no$")
-configFileSettings=$(grep -Pi '^\s*permitemptypasswords\b\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*permitemptypasswords\b\s+no\b')
+loadedSystemConfig=$(sshd -T | grep -Pi "^permitemptypasswords\s+no$")
+configFileSettings=$(grep -Pim1 '^\s*permitemptypasswords\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*permitemptypasswords\s+no\b')
 [[ -z $loadedSystemConfig ]] && echo 'fail' && exit 1
 [[ -z $configFileSettings && -n $loadedSystemConfig ]] && echo 'pass' || echo 'fail'
diff --git a/scanners/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh b/scanners/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh
index 6f093c7..073bd98 100644
--- a/scanners/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh
+++ b/scanners/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh
@@ -1,5 +1,5 @@
-loadedSystemConfig=$(sshd -T | grep -Pi "^permituserenvironment\b\s+no$")
-configFileSettings=$(grep -Pi '^\s*permituserenvironment\b\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*permituserenvironment\b\s+no\b')
+loadedSystemConfig=$(sshd -T | grep -Pi "^permituserenvironment\s+no$")
+configFileSettings=$(grep -Pim1 '^\s*permituserenvironment\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*permituserenvironment\s+no\b')
 [[ -z $loadedSystemConfig ]] && echo 'fail' && exit 1
 [[ -z $configFileSettings && -n $loadedSystemConfig ]] && echo 'pass' || echo 'fail'
diff --git a/scanners/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh b/scanners/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh
index 3a30bfc..0debad1 100644
--- a/scanners/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh
+++ b/scanners/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh
@@ -2,7 +2,7 @@ result=false stat -c "%a-%U-%G" /etc/crontab | grep -Pq '^[0-6][0][0]\-root\-root$' && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh b/scanners/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh index 56d9d50..2cd6792 100644 --- a/scanners/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh +++ b/scanners/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh @@ -1,6 +1,6 @@ checkPoint=false -loadedSystemConfig_clientalivecountmax=$(sshd -T | grep -Pi '^clientalivecountmax\b\s+[0]{1}$') -configFileSettings_clientalivecountmax=$(grep -Pi '^\s*ClientAliveCountMax\b\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*ClientAliveCountMax\b\s+[0]{1}\b') +loadedSystemConfig_clientalivecountmax=$(sshd -T | grep -Pi '^clientalivecountmax\s+[0]{1}$') +configFileSettings_clientalivecountmax=$(grep -Pim1 '^\s*ClientAliveCountMax\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*ClientAliveCountMax\s+[0]{1}\b') [[ -z $loadedSystemConfig_clientalivecountmax ]] && echo 'fail' && exit 1 if [[ -z $configFileSettings_clientalivecountmax && -n $loadedSystemConfig_clientalivecountmax ]]; then 
@@ -13,7 +13,7 @@ fi [[ -z $configFileSettings_clientalivecountmax && -n $loadedSystemConfig_clientalivecountmax ]] && checkPoint=true || { echo 'fail'; exit 1; } loadedSystemConfig_clientaliveinterval=$(sshd -T | grep -Pi "^clientaliveinterval\b" | awk '{ if ($2 > 900) print 1; else print 0 }') -configFileSettings_clientaliveinterval=$(grep -Pi '^\s*clientaliveinterval\b\s+' /etc/ssh/sshd_config | awk '{ if ($2 > 900) print 1; else print 0 }') +configFileSettings_clientaliveinterval=$(grep -Pim1 '^\s*clientaliveinterval\s+' /etc/ssh/sshd_config | awk '{ if ($2 > 900) print 1; else print 0 }') [[ $loadedSystemConfig_clientaliveinterval -ne 0 ]] && echo 'fail' && exit 1 [[ $configFileSettings_clientaliveinterval -eq 0 && $loadedSystemConfig_clientaliveinterval -eq 0 && $checkPoint == "true" ]] && echo 'pass' || echo 'fail' diff --git a/scanners/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh b/scanners/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh index b7ab969..e57f146 100644 --- a/scanners/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh +++ b/scanners/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh 
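Review bot: The new `configFileSettings_clientaliveinterval=` line, like the `sshd -T` line just above it, only flags values above 900 (`if ($2 > 900)`), so `ClientAliveInterval 0`, which per sshd_config(5) disables the keep-alive probes entirely and is the compiled-in default, passes as if it were a valid idle timeout. If the rule means a timeout between 1 and 900 seconds, both awk programs should also reject 0: `awk '{ if ($2 > 900 || $2 < 1) print 1; else print 0 }'`. A sshd_config without the keyword still produces an empty string on the file side, which the `-eq 0` test on the next line already treats as acceptable, so only the `sshd -T` side changes its verdict for an unset interval. The script begins before this hunk (`checkPoint` is set in the first hunk of the file).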
@@ -1,10 +1,10 @@ loadedSystemConfig=$(sshd -T | grep -Pi "^logingracetime\b" | awk '{ if ($2 > 60) print 1; else print 0 }') -configFileType=$(grep -Pi '^\s*logingracetime\b\s+[0-9]+' /etc/ssh/sshd_config | awk '{print $2}' | grep -Poi '[s|m]$' | tr 'A-Z' 'a-z') -configFileSettings=$(grep -Poi '^\s*logingracetime\b\s+[0-9]+' /etc/ssh/sshd_config | awk '{print $2}') +configFileType=$(grep -Pim1 '^\s*logingracetime\s+[0-9]+' /etc/ssh/sshd_config | awk '{print $2}' | grep -Poi '[s|m]$' | tr 'A-Z' 'a-z') +configFileSettings=$(grep -Poim1 '^\s*logingracetime\s+[0-9]+' /etc/ssh/sshd_config | awk '{print $2}') [[ $loadedSystemConfig -ne 0 ]] && echo 'fail' && exit 1 -if [[ -z $configFileType && -z configFileSettings ]]; then +if [[ -z $configFileType && -z $configFileSettings ]]; then [[ $loadedSystemConfig -eq 0 ]] && echo 'pass' || echo 'fail' exit 0 elif [[ $configFileType == 's' && -n $configFileSettings ]] || [[ -z $configFileType && -n $configFileSettings ]]; then diff --git a/scanners/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh b/scanners/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh index 3037198..ce0cfbd 100644 --- a/scanners/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh +++ b/scanners/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh @@ -1,6 +1,7 @@ -loadedSystemConfig=$(sshd -T | grep -Pi "^banner\b\s+none$") +loadedSystemConfig=$(sshd -T | grep -Pi "^banner\s+none$") +configFileSettings=$(grep -Pim1 "^\s*Banner\s+.*$" /etc/ssh/sshd_config) -if [[ -n $loadedSystemConfig ]]; then +if [[ -n $loadedSystemConfig && -n $configFileSettings ]]; then echo 'fail' && exit 1 else echo 'pass' diff --git a/scanners/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh b/scanners/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh index 27a98b6..e0bf858 100644 --- a/scanners/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh +++ b/scanners/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh 
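Review bot: The new condition in 1.22, `[[ -n $loadedSystemConfig && -n $configFileSettings ]]`, inverts the rule's intent: when no `Banner` line exists at all, `configFileSettings` is empty, so a server whose `sshd -T` output reports `banner none` (the default, i.e. no banner configured) now prints `pass`, whereas before this commit the same server printed `fail`. The `sshd -T` result alone should be sufficient to fail, and a missing directive in the file must not rescue it: `if [[ -n $loadedSystemConfig || -z $configFileSettings ]]; then`. If banners set through `Include`d drop-ins are expected to pass, drop the `-z $configFileSettings` clause rather than weakening the `sshd -T` test.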
@@ -1,5 +1,5 @@ -loadedSystemConfig=$(sshd -T | grep -Pi "^usepam\b\s+yes$") -configFileSettings=$(grep -Pi '^\s*usepam\b\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*usepam\b\s+yes\b') +loadedSystemConfig=$(sshd -T | grep -Pi "^usepam\s+yes$") +configFileSettings=$(grep -Pi '^\s*usepam\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*usepam\s+yes\b') [[ -z $loadedSystemConfig ]] && echo 'fail' && exit 1 [[ -z $configFileSettings && -n $loadedSystemConfig ]] && echo 'pass' || echo 'fail' diff --git a/scanners/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh b/scanners/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh index 03f4a68..e2a0e29 100644 --- a/scanners/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh +++ b/scanners/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh 
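Review bot: 1.23 is the one sshd_config scanner in this commit whose file-side grep keeps `grep -Pi` instead of the `grep -Pim1` adopted in 1.16 through 1.50, so with `UsePAM yes` followed later by a stray `UsePAM no` this check prints `fail` while sshd honours the first line and `sshd -T` reports `usepam yes`. For consistency with the first-match rule used elsewhere, the second line should read `configFileSettings=$(grep -Pim1 '^\s*usepam\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*usepam\s+yes\b')`. If the omission is deliberate, a one-line comment saying why would save the next reader the comparison.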
@@ -4,10 +4,10 @@ maxstartups_first=$(sshd -T | grep -Pi "^\s*maxstartups\b" | awk '{print $2}' | maxstartups_second=$(sshd -T | grep -Pi "^\s*maxstartups\b" | awk '{print $2}' | awk -F: '{print $2}') maxstartups_third=$(sshd -T | grep -Pi "^\s*maxstartups\b" | awk '{print $2}' | awk -F: '{print $3}') -if $(grep -Piq '^\s*maxstartups\b\s+[0-9]+\:[0-9]+\:[0-9]+\b' /etc/ssh/sshd_config); then - config_maxstartups_first=$(grep -Pi '^\s*maxstartups\b\s+[0-9]+\:[0-9]+\:[0-9]+\b' /etc/ssh/sshd_config | awk '{print $2}' | awk -F: '{print $1}') - config_maxstartups_second=$(grep -Pi '^\s*maxstartups\b\s+[0-9]+\:[0-9]+\:[0-9]+\b' /etc/ssh/sshd_config | awk '{print $2}' | awk -F: '{print $2}') - config_maxstartups_third=$(grep -Pi '^\s*maxstartups\b\s+[0-9]+\:[0-9]+\:[0-9]+\b' /etc/ssh/sshd_config | awk '{print $2}' | awk -F: '{print $3}') +if $(grep -Piq '^\s*maxstartups\s+[0-9]+\:[0-9]+\:[0-9]+\b' /etc/ssh/sshd_config); then + config_maxstartups_first=$(grep -Pim1 '^\s*maxstartups\b\s+[0-9]+\:[0-9]+\:[0-9]+\b' /etc/ssh/sshd_config | awk '{print $2}' | awk -F: '{print $1}') + config_maxstartups_second=$(grep -Pim1 '^\s*maxstartups\b\s+[0-9]+\:[0-9]+\:[0-9]+\b' /etc/ssh/sshd_config | awk '{print $2}' | awk -F: '{print $2}') + config_maxstartups_third=$(grep -Pim1 '^\s*maxstartups\b\s+[0-9]+\:[0-9]+\:[0-9]+\b' /etc/ssh/sshd_config | awk '{print $2}' | awk -F: '{print $3}') [[ $maxstartups_first -le 10 ]] && [[ $maxstartups_second -ge 30 ]] && [[ $maxstartups_third -ge $maxstartups_first && $maxstartups_third -le 60 ]] && \ [[ $config_maxstartups_first -le 10 ]] && [[ $config_maxstartups_second -ge 30 ]] && [[ $config_maxstartups_third -ge $config_maxstartups_first && $config_maxstartups_third -le 60 ]] && \ result=true diff --git a/scanners/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh b/scanners/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh index bf8643b..4f6d3d8 100644 
--- a/scanners/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh +++ b/scanners/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh @@ -1,5 +1,5 @@ loadedSystemConfig=$(sshd -T | grep -Pi "^MaxSessions\b" | awk '{ if ($2 > 10) print 1; else print 0 }') -configFileSettings=$(grep -Pi '^\s*MaxSessions\b\s+' /etc/ssh/sshd_config | awk '{ if ($2 > 10) print 1; else print 0 }') +configFileSettings=$(grep -Pim1 '^\s*MaxSessions\s+' /etc/ssh/sshd_config | awk '{ if ($2 > 10) print 1; else print 0 }') [[ $loadedSystemConfig -ne 0 ]] && echo 'fail' && exit 1 [[ $configFileSettings -eq 0 && $loadedSystemConfig -eq 0 ]] && echo 'pass' || echo 'fail' diff --git a/scanners/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.sh b/scanners/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.sh index ab4f225..853874e 100644 --- a/scanners/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.sh +++ b/scanners/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.sh @@ -1,6 +1,6 @@ result=false -grep -i '^\s*CRYPTO_POLICY=' /etc/sysconfig/sshd || result=true +grep -iPq '^\s*CRYPTO_POLICY\s*\=' /etc/sysconfig/sshd || result=true if [[ $result == true ]]; then echo "pass" diff --git a/scanners/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh b/scanners/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh index e93bc67..c14f970 100644 --- a/scanners/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh +++ b/scanners/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh 
@@ -15,14 +15,14 @@ PAM_SYSTEM_AUTH="/etc/pam.d/system-auth" # 检查/etc/security/pwquality.conf文件中的条件 check_pwquality_conf() { # 检查minlen=14 - check_file_contains "$PWQUALITY_CONF" '^minlen(?: |)=(?: |)14' || return 1 + check_file_contains "$PWQUALITY_CONF" '^minlen(?: |)=(?: |)14\b' || return 1 # 检查minclass=4 或者所有credit设置为-1 - (check_file_contains "$PWQUALITY_CONF" '^minclass(?: |)=(?: |)4') || \ - (check_file_contains "$PWQUALITY_CONF" '^dcredit(?: |)=(?: |)-1' && \ - check_file_contains "$PWQUALITY_CONF" '^ucredit(?: |)=(?: |)-1' && \ - check_file_contains "$PWQUALITY_CONF" '^ocredit(?: |)=(?: |)-1' && \ - check_file_contains "$PWQUALITY_CONF" '^lcredit(?: |)=(?: |)-1') || return 1 + (check_file_contains "$PWQUALITY_CONF" '^minclass(?: |)=(?: |)4\b') || \ + (check_file_contains "$PWQUALITY_CONF" '^dcredit(?: |)=(?: |)-1\b' && \ + check_file_contains "$PWQUALITY_CONF" '^ucredit(?: |)=(?: |)-1\b' && \ + check_file_contains "$PWQUALITY_CONF" '^ocredit(?: |)=(?: |)-1\b' && \ + check_file_contains "$PWQUALITY_CONF" '^lcredit(?: |)=(?: |)-1\b') || return 1 return 0 } @@ -30,7 +30,7 @@ check_pwquality_conf() { # 检查/etc/pam.d/password-auth和/etc/pam.d/system-auth文件中的条件 check_pam_files() { local files=("$PAM_PASSWORD_AUTH" "$PAM_SYSTEM_AUTH") - local patterns=("enforce-for-root" "retry=\d+") + local patterns=("\benforce-for-root\b" "\bretry=\d+\b") for file in "${files[@]}"; do for pattern in "${patterns[@]}"; do diff --git a/scanners/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh b/scanners/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh index 20d2e08..8852beb 100644 --- a/scanners/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh +++ b/scanners/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh 
@@ -1,9 +1,36 @@ -result=false +grep -Pi "^\s*auth\s+required\s+pam_faillock.so\b\s+.*" /etc/pam.d/password-auth | grep -Pqiv ".*\bdeny=[0-9]+\b\s+.*unlock_time=[0-9]+\b.*" && echo 'fail' && exit 1 +grep -Pi "^\s*auth\s+required\s+pam_faillock.so\b\s+.*" /etc/pam.d/system-auth | grep -Pqiv ".*\bdeny=[0-9]+\b\s+.*unlock_time=[0-9]+\b.*" && echo 'fail' && exit 1 -grep -Eiq "^\s*auth\s+required\s+.*\s+deny=[1-5]\s*.*$" /etc/pam.d/password-auth && grep -Eiq "^\s*auth\s+required\s+.*\s+unlock_time=(9[0-9][0-9]|[1-9][0-9][0-9][0-9])\s*.*$" /etc/pam.d/password-auth && grep -Eiq "^\s*auth\s+required\s+.*\s+deny=[1-5]\s*.*$" /etc/pam.d/system-auth && grep -Eiq "^\s*auth\s+required\s+.*\s+unlock_time=(9[0-9][0-9]|[1-9][0-9][0-9][0-9])\s*.*$" /etc/pam.d/system-auth && result=true +denyValuePassword=$(grep -Poi "^\s*auth\s+required\s+pam_faillock.so\s+.*\bdeny=[0-9]+\b" /etc/pam.d/password-auth | grep -Pio "\bdeny=[0-9]+\b" | awk -F= '{print $2}') +denyValueSystem=$(grep -Poi "^\s*auth\s+required\s+pam_faillock.so\s+.*\bdeny=[0-9]+\b" /etc/pam.d/system-auth | grep -Pio "\bdeny=[0-9]+\b" | awk -F= '{print $2}') +unlockValuePassword=$(grep -Poi "^\s*auth\s+required\s+pam_faillock.so\s+.*\bunlock_time=[0-9]+\b" /etc/pam.d/password-auth | grep -Pio "\bunlock_time=[0-9]+\b" | awk -F= '{print $2}') +unlockValueSystem=$(grep -Poi "^\s*auth\s+required\s+pam_faillock.so\s+.*\bunlock_time=[0-9]+\b" /etc/pam.d/system-auth | grep -Pio "\bunlock_time=[0-9]+\b" | awk -F= '{print $2}') -if [[ $result == true ]]; then - echo "pass" +if [[ -n $denyValuePassword && -n $denyValueSystem ]] ; then + for i in $denyValuePassword $denyValueSystem + do + if [[ $i -gt 5 ]]; then + echo 'fail' + exit 1 + fi + done else - echo "fail" -fi \ No newline at end of file + echo 'fail' + exit 1 +fi + + +if [[ -n $unlockValuePassword && -n $unlockValueSystem ]] ; then + for i in $unlockValuePassword $unlockValueSystem + do + if [[ $i -lt 900 ]]; then + echo 'fail' + exit 1 + fi + done +else + echo 'fail' + exit 
1 +fi + +echo 'pass' diff --git a/scanners/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh b/scanners/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh index 8803947..ebcfa84 100644 --- a/scanners/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh +++ b/scanners/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh @@ -2,7 +2,7 @@ result=false stat -c "%a-%U-%G" /etc/cron.hourly | grep -Pq '^[0-7][0][0]\-root\-root$' && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh b/scanners/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh index 7d3b443..af6481d 100644 --- a/scanners/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh +++ b/scanners/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh @@ -1,8 +1,8 @@ result=false -grep -Eiq "^\s*password\s+sufficient\s+pam_unix.so\s+.*sha512\s*.*$" /etc/pam.d/password-auth && grep -Eiq "^\s*password\s+sufficient\s+pam_unix.so\s+.*sha512\s*.*$" /etc/pam.d/system-auth && result=true +grep -Eiq "^\s*\bpassword\s+\bsufficient\s+\bpam_unix.so\s+.*\bsha512\s*.*$" /etc/pam.d/password-auth && grep -Eiq "^\s*\bpassword\s+\bsufficient\s+\bpam_unix.so\s+.*\bsha512\s*.*$" /etc/pam.d/system-auth && result=true -if [[ $result == true ]]; then +if [[ $result == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/access-and-control/1.31-ensure-password-expiration-is-365-days-or-less.sh b/scanners/access-and-control/1.31-ensure-password-expiration-is-365-days-or-less.sh index 7cdce81..b337840 100644 --- a/scanners/access-and-control/1.31-ensure-password-expiration-is-365-days-or-less.sh +++ b/scanners/access-and-control/1.31-ensure-password-expiration-is-365-days-or-less.sh 
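Review bot: The two filter lines at the top of the 1.28 hunk require `deny=` to precede `unlock_time=` on the same `pam_faillock.so` line (`\bdeny=[0-9]+\b\s+.*unlock_time=[0-9]+\b`), so a valid `auth required pam_faillock.so preauth silent unlock_time=900 deny=5` is reported as `fail` even though the value extraction below is order-independent and accepts it. Test the two arguments separately per file, e.g. `grep -Pi "^\s*auth\s+required\s+pam_faillock\.so\b" /etc/pam.d/password-auth | grep -Pqiv '\bdeny=[0-9]+\b' && echo 'fail' && exit 1` followed by the same line with `\bunlock_time=[0-9]+\b`, and likewise for `/etc/pam.d/system-auth`. The check also reads values only from the pam.d lines, so deployments that configure `deny` and `unlock_time` in `/etc/security/faillock.conf` (as authselect-generated profiles commonly do) will fail here; if that is intended, a comment such as `# values set in /etc/security/faillock.conf are not consulted` on the first line would make it explicit. The unescaped dot in `pam_faillock.so` is harmless but `pam_faillock\.so` is what is meant.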
@@ -1,9 +1,8 @@ -result=false +loginPassMaxDaysVaule=$(grep -P "^\s*PASS_MAX_DAYS\s+[0-9]+\b" /etc/login.defs | awk '{ if ($2 <= 365) print $2;}') +userPassMaxDaysVaule=$(grep -P '^[^:]+:[^!*]' /etc/shadow | awk -F: '$5 == "" || $5 > 365 {print 1}') -grep -Eiq "^\s*PASS_MAX_DAYS\s+(36[0-5]|3[0-5][0-9]|[1-2][0-9][0-9]|[1-9][0-9]?)\s*(\s+#.*)?$" /etc/login.defs && grep -E '^[^:]+:[^!*]' /etc/shadow | cut -d: -f5 | grep -Eq "^(36[0-5]|3[0-5][0-9]|[1-2][0-9][0-9]|[1-9][0-9]?)\s*(\s+#.*)?$" && result=true - -if [[ $result == true ]]; then - echo "pass" +if [[ -n $loginPassMaxDaysVaule && -z $userPassMaxDaysVaule ]]; then + echo 'pass' else - echo "fail" -fi \ No newline at end of file + echo 'fail' +fi diff --git a/scanners/access-and-control/1.32-ensure-minimum-days-between-password-changes-is-7-or-more.sh b/scanners/access-and-control/1.32-ensure-minimum-days-between-password-changes-is-7-or-more.sh index 8daa8e1..019a235 100644 --- a/scanners/access-and-control/1.32-ensure-minimum-days-between-password-changes-is-7-or-more.sh +++ b/scanners/access-and-control/1.32-ensure-minimum-days-between-password-changes-is-7-or-more.sh @@ -1,11 +1,8 @@ -result_login_defs=false -result_shadow=false +loginPassMinDaysVaule=$(grep -P "^\s*PASS_MIN_DAYS\s+[0-9]+\b" /etc/login.defs | awk '{ if ($2 >= 7) print $2;}') +userPassMinDaysVaule=$(grep -P '^[^:]+:[^!*]' /etc/shadow | awk -F: '$4 == "" || $4 < 7 {print 1}') -grep -Piq "^\s*PASS_MIN_DAYS\s+([7-9]|[1-9][0-9]+)\s*(\s+#.*)?$" /etc/login.defs && result_login_defs=true -grep -Piq "^\S+:[^\!\*:]*:[^:]*:([0-6]|\-1):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*\s*$" /etc/shadow || result_shadow=true - -if [[ $result_login_defs == true && $result_shadow == true ]]; then - echo "pass" +if [[ -n $loginPassMinDaysVaule && -z $userPassMinDaysVaule ]]; then + echo 'pass' else - echo "fail" + echo 'fail' fi 
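Review bot: `awk '{ if ($2 <= 365) print $2;}'` on the new `loginPassMaxDaysVaule=` line accepts `PASS_MAX_DAYS 0`, and the shadow filter `$5 == "" || $5 > 365` likewise lets a max-age field of 0 through, whereas the regex being removed admitted only 1–365; the same widening appears in 1.34, where `$2 <= 30` and `$7 > 30` accept `INACTIVE=0` and a zero inactivity field that the old pattern rejected. If the lower bound of 1 the old code enforced is still wanted, use `awk '{ if ($2 >= 1 && $2 <= 365) print $2;}'` and `awk -F: '$5 == "" || $5 < 1 || $5 > 365 {print 1}'` here, and the analogous bounds in 1.34. Minor: the new variable names spell `Vaule` for `Value` in 1.31, 1.32, 1.33 and 1.34.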
diff --git a/scanners/access-and-control/1.33-ensure-password-expiration-warning-days-is-7-or-more.sh b/scanners/access-and-control/1.33-ensure-password-expiration-warning-days-is-7-or-more.sh index 0581b9d..0acea60 100644 --- a/scanners/access-and-control/1.33-ensure-password-expiration-warning-days-is-7-or-more.sh +++ b/scanners/access-and-control/1.33-ensure-password-expiration-warning-days-is-7-or-more.sh @@ -1,11 +1,8 @@ -result_login_defs=false -result_shadow=false +loginPassWarnageVaule=$(grep -P "^\s*PASS_WARN_AGE\s+[0-9]+\b" /etc/login.defs | awk '{ if ($2 >= 7) print $2;}') +userPassWarnageVaule=$(grep -P '^[^:]+:[^!*]' /etc/shadow | awk -F: '$6 == "" || $6 < 7 {print 1}') -grep -Piq "^\s*PASS_WARN_AGE\s+([789]|[1-9][0-9]+)\s*(\s+#.*)?$" /etc/login.defs && result_login_defs=true -grep -Piq "^\S+:[^\!\*:]*:[^:]*:[^:]*:[^:]*:([0-6]|\-1):[^:]*:[^:]*:[^:]*\s*$" /etc/shadow || result_shadow=true - -if [[ $result_login_defs == true && $result_shadow == true ]]; then - echo "pass" +if [[ -n $loginPassWarnageVaule && -z $userPassWarnageVaule ]]; then + echo 'pass' else - echo "fail" + echo 'fail' fi diff --git a/scanners/access-and-control/1.34-ensure-inactive-password-lock-is-30-days-or-less.sh b/scanners/access-and-control/1.34-ensure-inactive-password-lock-is-30-days-or-less.sh index 911455e..0598ef6 100644 --- a/scanners/access-and-control/1.34-ensure-inactive-password-lock-is-30-days-or-less.sh +++ b/scanners/access-and-control/1.34-ensure-inactive-password-lock-is-30-days-or-less.sh 
@@ -1,11 +1,8 @@ -result_useradd=false -result_shadow=false +inactiveVaule=$(grep -P "^\s*INACTIVE=[0-9]+\b" /etc/default/useradd | awk -F= '{ if ($2 <= 30) print $2;}') +userInactiveVaule=$(grep -P '^[^:]+:[^!*]' /etc/shadow | awk -F: '$7 == "" || $7 > 30 { print 1 }') -grep -Eiq "^\s*INACTIVE\s*=\s*(30|[1-2][0-9]|[1-9])\s*(\s+#.*)?$" /etc/default/useradd && result_useradd=true -grep -Eiq "^\S+:[^\!\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:([3-9][1-9].*):[^:]*:[^:]*\s*$" /etc/shadow || result_shadow=true - -if [[ $result_useradd == true && $result_shadow == true ]]; then - echo "pass" +if [[ -n $inactiveVaule && -z $userInactiveVaule ]]; then + echo 'pass' else - echo "fail" -fi \ No newline at end of file + echo 'fail' +fi diff --git a/scanners/access-and-control/1.37-ensure-default-user-shell-timeout-is-900-seconds-or-less.sh b/scanners/access-and-control/1.37-ensure-default-user-shell-timeout-is-900-seconds-or-less.sh index 189d250..f51d16a 100644 --- a/scanners/access-and-control/1.37-ensure-default-user-shell-timeout-is-900-seconds-or-less.sh +++ b/scanners/access-and-control/1.37-ensure-default-user-shell-timeout-is-900-seconds-or-less.sh @@ -2,7 +2,7 @@ result=true [ -f /etc/bashrc ] && BRC="/etc/bashrc" for f in "$BRC" /etc/profile /etc/profile.d/*.sh ; do - val_TMOUT=$(grep -vP "^#.*" $f | grep -Pio "TMOUT=[0-9]+" | tail -1 | cut -d"=" -f 2) + val_TMOUT=$(grep -vP "^#.*" $f | grep -Pio "\bTMOUT=[0-9]+\b" | tail -1 | cut -d"=" -f 2) [[ -n $val_TMOUT ]] && ex_TMOUT=true if [[ -n $val_TMOUT ]] && [[ $val_TMOUT == 0 || $val_TMOUT -gt 900 ]] ; then result=false @@ -11,8 +11,8 @@ for f in "$BRC" /etc/profile /etc/profile.d/*.sh ; do fi done -if [[ $ex_TMOUT == true && $result == true ]]; then +if [[ $ex_TMOUT == "true" && $result == "true" ]]; then echo "pass" else echo "fail" -fi \ No newline at end of file +fi 
diff --git a/scanners/access-and-control/1.38-ensure-default-group-for-the-root-account-is-gid-0.sh b/scanners/access-and-control/1.38-ensure-default-group-for-the-root-account-is-gid-0.sh index cbfb0e3..4f9bb38 100644 --- a/scanners/access-and-control/1.38-ensure-default-group-for-the-root-account-is-gid-0.sh +++ b/scanners/access-and-control/1.38-ensure-default-group-for-the-root-account-is-gid-0.sh @@ -2,7 +2,7 @@ result=false grep "^root:" /etc/passwd | cut -f4 -d: | grep -q 0 && result=true -if [[ $result == true ]]; then +if [[ $result == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh b/scanners/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh index 79b5731..9db8477 100644 --- a/scanners/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh +++ b/scanners/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh @@ -2,7 +2,7 @@ result=false stat -c "%a-%U-%G" /etc/cron.daily | grep -Pq '^[0-7][0][0]\-root\-root$' && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/access-and-control/1.40-ensure-access-to-the-su-command-is-restricted.sh b/scanners/access-and-control/1.40-ensure-access-to-the-su-command-is-restricted.sh index 701f97a..7b55777 100644 --- a/scanners/access-and-control/1.40-ensure-access-to-the-su-command-is-restricted.sh +++ b/scanners/access-and-control/1.40-ensure-access-to-the-su-command-is-restricted.sh @@ -2,7 +2,7 @@ result=false grep -Eiq "^\s*auth\s+required\s+pam_wheel.so(\s+\S+)*\s+use_uid(\s+\S+)*\s*(\s+#.*)?$" /etc/pam.d/su && grep -Eiq "^wheel:x:10:" /etc/group && result=true -if [[ $result == true ]]; then +if [[ $result == "true" ]]; then echo "pass" else echo "fail" 
diff --git a/scanners/access-and-control/1.41-ensure-ssh-server-use-protocol_2.sh b/scanners/access-and-control/1.41-ensure-ssh-server-use-protocol_2.sh index 3ddf5e4..b10a262 100755 --- a/scanners/access-and-control/1.41-ensure-ssh-server-use-protocol_2.sh +++ b/scanners/access-and-control/1.41-ensure-ssh-server-use-protocol_2.sh @@ -1,10 +1,10 @@ result=false -protocol_value=$(grep -Pi "^Protocol\b\s+" /etc/ssh/sshd_config | awk '{print $2}') +protocol_value=$(grep -Pim1 "^Protocol\s+" /etc/ssh/sshd_config | awk '{print $2}') [[ $protocol_value -eq 2 ]] && result=true -if [[ "$result" = true ]]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/access-and-control/1.42-ensure-that-the-password-expires-between-30-and-90-days.sh b/scanners/access-and-control/1.42-ensure-that-the-password-expires-between-30-and-90-days.sh index bdee637..f174ae8 100644 --- a/scanners/access-and-control/1.42-ensure-that-the-password-expires-between-30-and-90-days.sh +++ b/scanners/access-and-control/1.42-ensure-that-the-password-expires-between-30-and-90-days.sh @@ -1,16 +1,16 @@ val_Pass_Max_Days=99999 result_Pass_Max_Days_User=true -val_Pass_Max_Days=`grep -Ei "^\s*PASS_MAX_DAYS\s" /etc/login.defs | cut -f2` +val_Pass_Max_Days=`grep -Ei "^\s*\bPASS_MAX_DAYS\b\s" /etc/login.defs | cut -f2` result_Pass_Max_Days=`echo "$val_Pass_Max_Days >=30 && $val_Pass_Max_Days <= 90" | bc` result_Pass_Max_Days_User=true for i in `grep -E '^[^:]+:[^!*]' /etc/shadow | cut -d: -f5`; do - if [[ i -lt 30 ]] || [[ i -gt 90 ]] ; then + if [[ $i -lt 30 ]] || [[ $i -gt 90 ]] ; then result_Pass_Max_Days_User=false fi done -if [[ $result_Pass_Max_Days -eq 1 && $result_Pass_Max_Days_User == true ]]; then +if [[ $result_Pass_Max_Days -eq 1 && $result_Pass_Max_Days_User == "true" ]]; then echo 'pass' else echo 'fail' 
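Review bot: The 1.41 verdict still rests solely on a `Protocol` line in `/etc/ssh/sshd_config`; OpenSSH 7.4 and later removed protocol 1 entirely and ignore the `Protocol` keyword, so on a current server without that line `protocol_value` is empty, `[[ "" -eq 2 ]]` is false and the scanner prints `fail` although only protocol 2 can be spoken. Consider treating an absent directive as compliant when the installed OpenSSH is 7.4 or newer (the version is printed by `ssh -V`), or at least noting on the `protocol_value=` line `# absent on OpenSSH >= 7.4, where Protocol is ignored and only v2 exists`. The closing `fi` of the final `if` lies outside this hunk.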
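Review bot: The new `val_Pass_Max_Days=` line in 1.42 (and the matching line in 1.43) pipes the `login.defs` match through `cut -f2`, which splits on tabs only; with a space-separated `PASS_MAX_DAYS 90` the whole line is handed to `bc`, which errors out and leaves `result_Pass_Max_Days` empty, so the check reports `fail` regardless of the configured value. `awk '{print $2}'`, which the other scanners in this commit already use, handles both separators: `val_Pass_Max_Days=$(grep -Ei "^\s*PASS_MAX_DAYS\s" /etc/login.defs | awk '{print $2}')`. The added `\b` anchors are redundant next to `^\s*` and `\s`; the `$i` fix in the loop is correct. The closing `fi` of the final `if` lies outside this hunk.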
diff --git a/scanners/access-and-control/1.43-ensure-that-the-minimum-password-change-between-7-and-14-days.sh b/scanners/access-and-control/1.43-ensure-that-the-minimum-password-change-between-7-and-14-days.sh index 0a9bcf0..b7f93dd 100644 --- a/scanners/access-and-control/1.43-ensure-that-the-minimum-password-change-between-7-and-14-days.sh +++ b/scanners/access-and-control/1.43-ensure-that-the-minimum-password-change-between-7-and-14-days.sh @@ -1,16 +1,16 @@ val_Pass_Min_Days=0 result_Pass_Min_Days_User=true -val_Pass_Min_Days=`grep -Ei "^\s*PASS_Min_DAYS\s" /etc/login.defs | cut -f2` +val_Pass_Min_Days=`grep -Ei "^\s*\bPASS_Min_DAYS\b\s" /etc/login.defs | cut -f2` result_Pass_Min_Days=`echo "$val_Pass_Min_Days >=7 && $val_Pass_Min_Days <= 14" | bc` result_Pass_Min_Days_User=true for i in `grep -E ^[^:]+:[^\!*] /etc/shadow | cut -d: -f4`; do - if [[ i -lt 7 ]] || [[ i -gt 14 ]] ; then + if [[ $i -lt 7 ]] || [[ $i -gt 14 ]] ; then result_Pass_Min_Days_User=false fi done -if [[ $result_Pass_Min_Days -eq 1 && $result_Pass_Min_Days_User == true ]]; then +if [[ $result_Pass_Min_Days -eq 1 && $result_Pass_Min_Days_User == "true" ]]; then echo 'pass' else echo 'fail' diff --git a/scanners/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh b/scanners/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh index c4aaff3..2f69a05 100644 --- a/scanners/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh +++ b/scanners/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh 
@@ -4,18 +4,18 @@ result_Deny=true result_Unlock_Time=true for i in `grep -E '^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+' /etc/pam.d/password-auth /etc/pam.d/system-auth | grep -Eio "deny=[0-9]+" | cut -d"=" -f 2`; do - if [[ i -lt 3 ]] || [[ i -gt 8 ]] ; then + if [[ $i -lt 3 ]] || [[ $i -gt 8 ]] ; then result_Deny=false fi done for i in `grep -E '^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+' /etc/pam.d/password-auth /etc/pam.d/system-auth | grep -Eio "unlock_time=[0-9]+" | cut -d"=" -f 2`; do - if [[ i -lt 600 ]] || [[ i -gt 1800 ]] ; then + if [[ $i -lt 600 ]] || [[ $i -gt 1800 ]] ; then result_Unlock_Time=false fi done -if [[ -n $result_File_Password && -n $result_File_System && $result_Deny == true && $result_Unlock_Time == true ]]; then +if [[ -n $result_File_Password && -n $result_File_System && $result_Deny == "true" && $result_Unlock_Time == "true" ]]; then echo 'pass' else echo 'fail' diff --git a/scanners/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.sh b/scanners/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.sh index fce7aad..83d9899 100644 --- a/scanners/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.sh +++ b/scanners/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.sh @@ -2,7 +2,7 @@ result=true [ -f /etc/bashrc ] && BRC="/etc/bashrc" for f in "$BRC" /etc/profile /etc/profile.d/*.sh ; do - val_TMOUT=$(grep -vP "^#.*" $f | grep -Pio "TMOUT=[0-9]+" | tail -1 | cut -d"=" -f 2) + val_TMOUT=$(grep -vP "^#.*" $f | grep -Pio "\bTMOUT=[0-9]+\b" | tail -1 | cut -d"=" -f 2) [[ -n $val_TMOUT ]] && ex_TMOUT=true if [[ -n $val_TMOUT ]] && [[ $val_TMOUT -lt 600 || $val_TMOUT -gt 1800 ]] ; then result=false 
@@ -11,7 +11,7 @@ for f in "$BRC" /etc/profile /etc/profile.d/*.sh ; do fi done -if [[ $ex_TMOUT == true && $result == true ]]; then +if [[ $ex_TMOUT == "true" && $result == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh b/scanners/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh index 88629d7..ac88a26 100644 --- a/scanners/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh +++ b/scanners/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh @@ -1,5 +1,5 @@ loadedSystemConfig=$(sshd -T | grep -Pi '^\s*maxauthtries\b' | awk '{ if ($2 > 5 || $2 < 3) print 1; else print 0 }') -configFileSettings=$(grep -Pi '^\s*maxauthtries\b\s+' /etc/ssh/sshd_config | awk '{ if ($2 > 5 || $2 < 3) print 1; else print 0 }') +configFileSettings=$(grep -Pim1 '^\s*maxauthtries\s+' /etc/ssh/sshd_config | awk '{ if ($2 > 5 || $2 < 3) print 1; else print 0 }') [[ $loadedSystemConfig -ne 0 ]] && echo 'fail' && exit 1 [[ $configFileSettings -eq 0 && $loadedSystemConfig -eq 0 ]] && echo 'pass' || echo 'fail' diff --git a/scanners/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.sh b/scanners/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.sh index d5adb05..3b3b272 100644 --- a/scanners/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.sh +++ b/scanners/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.sh 
@@ -1,8 +1,23 @@ +export LANG="en_US.UTF-8" +shutdownCheck=$(grep -P "^shutdown\b" /etc/shadow) +haltCheck=$(grep -P "^halt\b" /etc/shadow) result=false -passwd -S shutdown | grep -Eq "shutdown\s+LK" && passwd -S halt | grep -Eq "halt\s+LK" && result=true +if [[ $shutdownCheck ]]; then + passwd -S shutdown | grep -Pq "^shutdown\s+LK" + result="shutdownpass" +else + result="shutdownpass" +fi + +if [[ $haltCheck ]]; then + passwd -S halt | grep -Pq "^halt\s+LK" + result="${result}haltpass" +else + result="${result}haltpass" +fi -if [ "$result" = true ]; then +if [[ "$result" == "shutdownpasshaltpass" ]]; then echo "pass" else echo "fail" diff --git a/scanners/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh b/scanners/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh index 7719f2f..0648967 100644 --- a/scanners/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh +++ b/scanners/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh @@ -2,7 +2,7 @@ result=false stat -c "%a-%U-%G" /etc/cron.weekly | grep -Pq '^[0-7][0][0]\-root\-root$' && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh b/scanners/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh index f30414b..85f8e6a 100644 --- a/scanners/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh +++ b/scanners/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh 
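Review bot: In the 1.49 hunk the exit status of `passwd -S shutdown | grep -Pq "^shutdown\s+LK"` is never consulted: `result="shutdownpass"` is assigned unconditionally on the following line, the `halt` branch does the same, so every path ends in `shutdownpasshaltpass` and the scanner prints `pass` even when both accounts have usable passwords. The grep has to gate the assignment: `passwd -S shutdown | grep -Pq "^shutdown\s+LK" && result="shutdownpass"` in the first branch and `passwd -S halt | grep -Pq "^halt\s+LK" && result="${result}haltpass"` in the second, with the two unconditional assignments that follow them removed; the `else` branches (account absent from `/etc/shadow`) may keep assigning, since a deleted account satisfies the rule. 1.54 has the identical defect for `bin`.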
@@ -1,5 +1,5 @@ -loadedSystemConfig=$(sshd -T | grep -Pi "^x11forwarding\b\s+no$") -configFileSettings=$(grep -Pi '^\s*x11forwarding\b\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*x11forwarding\b\s+no\b') +loadedSystemConfig=$(sshd -T | grep -Pi "^x11forwarding\s+no$") +configFileSettings=$(grep -Pim1 '^\s*x11forwarding\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*x11forwarding\s+no\b') [[ -z $loadedSystemConfig ]] && echo 'fail' && exit 1 [[ -z $configFileSettings && -n $loadedSystemConfig ]] && echo 'pass' || echo 'fail' diff --git a/scanners/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh b/scanners/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh index bd23f6e..8a98570 100644 --- a/scanners/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh +++ b/scanners/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh @@ -1,9 +1,9 @@ result=false -modprobe -n -v udf | grep -q "^install" && test -z "$(lsmod | grep -e udf)" && grep -E -q "^blacklist[[:blank:]]*udf" /etc/modprobe.d/* && result=true +modprobe -n -v udf | grep -Pq "^install\s+\/bin/false\b" && test -z "$(lsmod | grep -P "^udf\b")" && grep -Pq "^blacklist\s*udf\b" /etc/modprobe.d/* && result=true -if [ "$result" == true ]; then - echo "pass" +if [[ "$result" == "true" ]]; then + echo "pass" else - echo "fail" + echo "fail" fi diff --git a/scanners/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh b/scanners/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh index 0b6e13e..0254426 100644 --- a/scanners/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh +++ b/scanners/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh 
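Review bot: The tightened `grep -Pq "^install\s+\/bin/false\b"` in 1.51 (and the same change in 1.52 and 1.53) now reports `fail` for `install udf /bin/true`, which the previous `^install` accepted and which prevents loading the module just as effectively, since modprobe runs the install command instead of inserting the module; if the rule intends to mandate `/bin/false` specifically, say so in the rule text, otherwise `^install\s+/bin/(false|true)\b` keeps both forms. Separately, the 1.51 blacklist pattern `^blacklist\s*udf\b` uses `\s*`, so `blacklistudf` would match; 1.53 uses `\s+` and 1.52 `\b\s*`, and `^blacklist\s+udf\b` is the consistent form. A module that is not installed at all, where `modprobe -n -v` prints nothing, still fails all three scanners; that is unchanged by this commit.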
@@ -1,9 +1,9 @@
 result=false
-modprobe -n -v cramfs | grep -q "^install" && test -z "$(lsmod | grep -e cramfs)" && grep -E -q "^blacklist[[:blank:]]*cramfs" /etc/modprobe.d/* && result=true
+modprobe -n -v cramfs | grep -Pq "^install\s+\/bin/false\b" && test -z "$(lsmod | grep -P "^cramfs\b")" && grep -Pq "^blacklist\b\s*cramfs\b" /etc/modprobe.d/* && result=true
-if [ "$result" == true ]; then
- echo "pass"
+if [[ "$result" == "true" ]]; then
+ echo "pass"
 else
- echo "fail"
+ echo "fail"
 fi
\ No newline at end of file
diff --git a/scanners/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh b/scanners/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh
index 1f2d07f..06f19b6 100644
--- a/scanners/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh
+++ b/scanners/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh
@@ -1,6 +1,6 @@
 result=false
-echo $(modprobe -n -v squashfs) | grep -Psq "^install\s+\/bin\/false$" && test -z "$(lsmod | grep -e squashfs)" && grep -E -q "^blacklist\s+squashfs" /etc/modprobe.d/* && result=true
-if [ "$result" = true ]; then
+echo $(modprobe -n -v squashfs) | grep -Psq "^install\s+\/bin/false\b" && test -z "$(lsmod | grep -P "^squashfs\b")" && grep -Pq "^blacklist\s+squashfs\b" /etc/modprobe.d/* && result=true
+if [[ "$result" == "true" ]]; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/access-and-control/1.54-lock-the-bin-and-adm-users.sh b/scanners/access-and-control/1.54-lock-the-bin-and-adm-users.sh
index 71fc6e0..0b37fde 100644
--- a/scanners/access-and-control/1.54-lock-the-bin-and-adm-users.sh
+++ b/scanners/access-and-control/1.54-lock-the-bin-and-adm-users.sh
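Review bot: In the 1.53 hunk, `echo $(modprobe -n -v squashfs) | grep -Psq "^install\s+\/bin/false\b"` joins every line modprobe prints into one, so if modprobe ever emits another line (for instance a dependency `insmod`) before the `install` line, the `^install` anchor cannot match and a correctly disabled module is reported as fail. Piping modprobe straight into grep, as the 1.51 and 1.52 hunks do, avoids the collapse: `modprobe -n -v squashfs | grep -Pq "^install\s+/bin/false\b"`. The `-s` flag only silences grep's own error messages and is not needed on this pipeline.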
@@ -1,8 +1,15 @@
+export LANG="en_US.UTF-8"
+shutdownCheck=$(grep -P "^bin\b" /etc/shadow)
 result=false
-passwd -S bin | grep -Eq "bin\s+LK" && passwd -S adm | grep -Eq "adm\s+LK" && result=true
+if [[ $shutdownCheck ]]; then
+ passwd -S bin | grep -Pq "\bbin\b\s+LK"
+ result="true"
+else
+ result="true"
+fi
-if [ "$result" = true ]; then
+if [[ "$result" == "true" ]]; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh b/scanners/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh
index 9015c1d..e3faeef 100644
--- a/scanners/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh
+++ b/scanners/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh
@@ -2,7 +2,7 @@
 result=false
 stat -c "%a-%U-%G" /etc/cron.monthly | grep -Pq '^[0-7][0][0]\-root\-root$' && result=true
-if [ "$result" = true ] ; then
+if [[ "$result" == "true" ]] ; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh b/scanners/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh
index e04716e..dd2a6c9 100644
--- a/scanners/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh
+++ b/scanners/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh
@@ -2,7 +2,7 @@
 result=false
 stat -c "%a-%U-%G" /etc/cron.d | grep -Pq '^[0-7][0][0]\-root\-root$' && result=true
-if [ "$result" = true ] ; then
+if [[ "$result" == "true" ]] ; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh b/scanners/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh
index da68eef..1b70bfc 100644
--- a/scanners/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh
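Review bot: The rewritten 1.54 script checks only the `bin` account: the `passwd -S adm | grep -Eq "adm\s+LK"` half of the removed line has no counterpart in the new code, so a host with an unlocked `adm` user passes a scanner named lock-the-bin-and-adm-users. The variable holding the `bin` lookup is also called `shutdownCheck`, which reads as a copy from the shutdown/halt scanner; `binCheck` says what it holds. A second block mirroring the first, with the grep result actually gating `result`, restores the adm check:
```bash
export LANG="en_US.UTF-8"
binCheck=$(grep -P "^bin\b" /etc/shadow)
admCheck=$(grep -P "^adm\b" /etc/sh4adow)
result=true
# an account absent from /etc/shadow has nothing to lock; a present one must show LK
if [[ $binCheck ]]; then
  passwd -S bin | grep -Pq "\bbin\b\s+LK" || result=false
fi
if [[ $admCheck ]]; then
  passwd -S adm | grep -Pq "\badm\b\s+LK" || result=false
fi
# … unchanged: if [[ "$result" == "true" ]] … pass/fail …
```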
+++ b/scanners/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh
@@ -3,18 +3,18 @@ result_at_deny=false
 result_cron_allow=false
 result_at_allow=false
-[ -e /etc/cron.deny ] || result_cron_deny=true
-[ -e /etc/at.deny ] || result_at_deny=true
+[[ -e /etc/cron.deny ]] || result_cron_deny=true
+[[ -e /etc/at.deny ]] || result_at_deny=true
-if [ -e /etc/cron.allow ] ; then
+if [[ -e /etc/cron.allow ]] ; then
 stat -c "%a-%U-%G" /etc/cron.allow | grep -Pq '^[0-6][0][0]\-root\-root$' && result_cron_allow=true
 fi
-if [ -e /etc/at.allow ] ; then
+if [[ -e /etc/at.allow ]] ; then
 stat -c "%a-%U-%G" /etc/at.allow | grep -Pq '^[0-6][0][0]\-root\-root$' && result_at_allow=true
 fi
-if [[ "$result_cron_deny" == true && "$result_at_deny" == true && "$result_cron_allow" == true && "$result_at_allow" == true ]] ; then
+if [[ "$result_cron_deny" == "true" && "$result_at_deny" == "true" && "$result_cron_allow" == "true" && "$result_at_allow" == "true" ]] ; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh b/scanners/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh
index 951aaf1..f36559d 100644
--- a/scanners/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh
+++ b/scanners/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh
@@ -2,7 +2,7 @@
 result=false
 stat -c "%a-%U-%G" /etc/ssh/sshd_config | grep -Pq '^[0-7][0][0]\-root\-root$' && result=true
-if [ "$result" = true ] ; then
+if [[ "$result" == "true" ]] ; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/logging-and-auditing/2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.sh b/scanners/logging-and-auditing/2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.sh
index d0d33c3..9d01c4e 100644
--- a/scanners/logging-and-auditing/2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.sh
+++ b/scanners/logging-and-auditing/2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.sh
@@ -3,9 +3,9 @@
 result=false
 log_path=$(dirname "$(awk -F = '/^\s*log_file\s*=\s*\S+/ {print $2}' /etc/audit/auditd.conf)")
 output="$(find $log_path -maxdepth 1 -type f \( ! -perm 600 -a ! -perm 0400 -a ! -perm 0200 -a ! -perm 0000 \))"
-[ -z "$output" ] && result=true
+[[ -z "$output" ]] && result=true
-if [ "$result" = true ] ; then
+if [[ "$result" == "true" ]] ; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/logging-and-auditing/2.10-ensure-audit-tools-are-group-owned-by-root.sh b/scanners/logging-and-auditing/2.10-ensure-audit-tools-are-group-owned-by-root.sh
index a4502fc..685e5c7 100644
--- a/scanners/logging-and-auditing/2.10-ensure-audit-tools-are-group-owned-by-root.sh
+++ b/scanners/logging-and-auditing/2.10-ensure-audit-tools-are-group-owned-by-root.sh
@@ -1,19 +1,7 @@
-result_auditctl=false
-result_aureport=false
-result_ausearch=false
-result_autrace=false
-result_auditd=false
-result_augenrules=false
+result=0
+for i in $(stat -c "%G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules)
+do
+ echo $i | grep -Eq '^root$' && ((result++))
+done
-stat -c "%G" /sbin/auditctl | grep -Eq 'root' && result_auditctl=true
-stat -c "%G" /sbin/aureport | grep -Eq 'root' && result_aureport=true
-stat -c "%G" /sbin/ausearch | grep -Eq 'root' && result_ausearch=true
-stat -c "%G" /sbin/autrace | grep -Eq 'root' && result_autrace=true
-stat -c "%G" /sbin/auditd | grep -Eq 'root' && result_auditd=true
-stat -c "%G" /sbin/augenrules | grep -Eq 'root' && result_augenrules=true
-
-if [ "$result_auditctl" = true ] && [ "$result_aureport" = true ] && [ "$result_ausearch" = true ] && [ "$result_autrace" = true ] && [ "$result_auditd" = true ] && [ "$result_augenrules" = true ]; then
- echo "pass"
-else
- echo "fail"
-fi
\ No newline at end of file
+[[ $result -eq 6 ]] && echo 'pass' || echo 'fail'
\ No newline at end of file
diff --git a/scanners/logging-and-auditing/2.11-ensure-cryptographic-mechanisms-are-used-to-protect-the-integrity-of-audit-tools.sh b/scanners/logging-and-auditing/2.11-ensure-cryptographic-mechanisms-are-used-to-protect-the-integrity-of-audit-tools.sh
index 533a5d1..451fb7b 100644
--- a/scanners/logging-and-auditing/2.11-ensure-cryptographic-mechanisms-are-used-to-protect-the-integrity-of-audit-tools.sh
+++ b/scanners/logging-and-auditing/2.11-ensure-cryptographic-mechanisms-are-used-to-protect-the-integrity-of-audit-tools.sh
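Review bot: The pass condition `[[ $result -eq 6 ]]` hard-codes the number of tools named on the `stat` line, so the two must be kept in step by hand, and `for i in $(stat ...)` depends on word-splitting unquoted command output. Keeping the tool list in an array and comparing against its length ties the count to the list; the 2.8 and 2.9 hunks have the same shape (`%a` and `%U` respectively) and would take the same change. If a tool is missing, `stat` still reports it on stderr and the count falls short, so the fail-closed behaviour is unchanged.
```bash
tools=(/sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules)
result=0
while IFS= read -r group; do
  [[ $group == "root" ]] && ((result++))
done < <(stat -c "%G" -- "${tools[@]}")
[[ $result -eq ${#tools[@]} ]] && echo 'pass' || echo 'fail'
```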
@@ -1,13 +1,14 @@
-result=false
-
-if [ -a /etc/aide/aide.conf ]; then
- cat /etc/aide/aide.conf | grep -Pq ^\/sbin\/auditctl\\s\+p\\+i\\+n\\+u\\+g\\+s\\+b\\+acl\\+xattrs\\+sha512 && cat /etc/aide/aide.conf | grep -Pq ^\/sbin\/auditd\\s\+p\\+i\\+n\\+u\\+g\\+s\\+b\\+acl\\+xattrs\\+sha512 && cat /etc/aide/aide.conf | grep -Pq ^\/sbin\/ausearch\\s\+p\\+i\\+n\\+u\\+g\\+s\\+b\\+acl\\+xattrs\\+sha512 && cat /etc/aide/aide.conf | grep -Pq ^\/sbin\/aureport\\s\+p\\+i\\+n\\+u\\+g\\+s\\+b\\+acl\\+xattrs\\+sha512 && cat /etc/aide/aide.conf | grep -Pq ^\/sbin\/autrace\\s\+p\\+i\\+n\\+u\\+g\\+s\\+b\\+acl\\+xattrs\\+sha512 && cat /etc/aide/aide.conf | grep -Pq ^\/sbin\/augenrules\\s\+p\\+i\\+n\\+u\\+g\\+s\\+b\\+acl\\+xattrs\\+sha512 && result=true
-
- if [[ $result == true ]]; then
- echo "pass"
- else
- echo "fail"
- fi
+if [[ -e /etc/aide/aide.conf ]]; then
+ checkContent="p\+i\+n\+u\+g\+s\+b\+acl\+xattrs\+sha512\b$"
+ lineNumber=$(grep -Ecs -e "^/sbin/auditctl\s+$checkContent" \
+ -e "^/sbin/auditd\s+$checkContent" \
+ -e "^/sbin/ausearch\s+$checkContent" \
+ -e "^/sbin/aureport\s+$checkContent" \
+ -e "^/sbin/autrace\s+$checkContent" \
+ -e "^/sbin/augenrules\s+$checkContent" \
+ /etc/aide/aide.conf)
+ [[ -n $lineNumber && $lineNumber -eq 6 ]] && echo 'pass' || echo 'fail'
 else
- echo "fail"
-fi
\ No newline at end of file
+ echo 'fail'
+ exit 1
+fi
diff --git a/scanners/logging-and-auditing/2.12-ensure-rsyslog-is-installed.sh b/scanners/logging-and-auditing/2.12-ensure-rsyslog-is-installed.sh
index 9af10f6..fae435e 100644
--- a/scanners/logging-and-auditing/2.12-ensure-rsyslog-is-installed.sh
+++ b/scanners/logging-and-auditing/2.12-ensure-rsyslog-is-installed.sh
@@ -1,5 +1 @@
-if [ "$(rpm -qa rsyslog)" ]; then
- echo "pass"
-else
- echo "fail"
-fi
\ No newline at end of file
+rpm -q rsyslog >/dev/null 2>&1 && echo 'pass' || echo 'fail'
\ No newline at end of file
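Review bot: `grep -Ecs` with six `-e` patterns returns the total number of matching lines, so `$lineNumber -eq 6` is satisfied by any six matches, not by one match per tool: an aide.conf that lists `/sbin/auditd` twice and omits `/sbin/autrace` still passes. Checking each tool separately closes that gap and also removes the `-n $lineNumber` test, which only guards against grep producing no output. The proposed loop keeps `checkContent` and the else branch as they are:
```bash
if [[ -e /etc/aide/aide.conf ]]; then
  checkContent="p\+i\+n\+u\+g\+s\+b\+acl\+xattrs\+sha512\b$"
  result=true
  # every tool needs its own matching line; a total line count can be met by duplicates
  for tool in auditctl auditd ausearch aureport autrace augenrules; do
    grep -Eqs "^/sbin/${tool}\s+${checkContent}" /etc/aide/aide.conf || result=false
  done
  [[ $result == "true" ]] && echo 'pass' || echo 'fail'
# … unchanged: else branch (fail, exit 1) …
```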
diff --git a/scanners/logging-and-auditing/2.13-ensure-rsyslog-service-is-enabled.sh b/scanners/logging-and-auditing/2.13-ensure-rsyslog-service-is-enabled.sh
index 7639894..7281446 100644
--- a/scanners/logging-and-auditing/2.13-ensure-rsyslog-service-is-enabled.sh
+++ b/scanners/logging-and-auditing/2.13-ensure-rsyslog-service-is-enabled.sh
@@ -1,6 +1,6 @@
-if [ "$(rpm -qa rsyslog)" ]; then
+if rpm -q rsyslog >/dev/null 2>&1 ; then
 result=$(systemctl is-enabled rsyslog)
- if [ $result = enabled ]; then
+ if [[ $result == "enabled" ]]; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh b/scanners/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh
index b70ed6c..adeaa1c 100644
--- a/scanners/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh
+++ b/scanners/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh
@@ -1,18 +1,15 @@
-#!/usr/bin/env bash
-result=0
+value=$(grep -P "^\s*\\\$FileCreateMode\s+[0-9]{4}\s*$" /etc/rsyslog.conf /etc/rsyslog.d/*.conf | grep -o [0-9]*)
-for p in `find /etc/rsyslog.conf ; find /etc/rsyslog.d/ -name *.conf` ; do
- [[ -f $p ]] && file_path=$file_path" ${p}"
-done
-
-if [[ -n $file_path ]] && [[ -n $(sed -rn 's/^\$FileCreateMode\s*//gp' $file_path) ]]; then
- for num in $(sed -rn 's/^\$FileCreateMode\s*//gp' $file_path); do
- result=0
- echo $num | grep -Pq '[0][0-6][0-4][0]' && result=1
- [[ $result == 0 ]] && echo 'fail' && break
+if [[ -n $value ]]; then
+ for i in $value ; do
+ if echo $i | grep -vsq [0][0-6][0-4][0] ; then
+ echo 'fail'
+ exit 1
+ fi
 done
 else
 echo 'fail'
+ exit 1
 fi
-[[ $result == 1 ]] && echo 'pass'
+echo 'pass'
\ No newline at end of file
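Review bot: In the 2.14 hunk, `grep -o [0-9]*` runs on the output of a multi-file grep, which prefixes each hit with `filename:`, so digits in a drop-in name such as `/etc/rsyslog.d/50-default.conf` are extracted into `$value` alongside the mode and the loop then prints fail for a compliant host. Suppressing the filename and extracting exactly four digits fixes it: `value=$(grep -Ph "^\s*\\\$FileCreateMode\s+[0-9]{4}\s*$" /etc/rsyslog.conf /etc/rsyslog.d/*.conf | grep -Po '[0-9]{4}')`. The unquoted `[0-9]*` and `[0][0-6][0-4][0]` are also glob patterns the shell may expand against the working directory, so they belong in single quotes. The hunk removes the `#!/usr/bin/env bash` line while the script still relies on `[[ ]]`.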
diff --git a/scanners/logging-and-auditing/2.15-ensure-rsyslog-is-configured-to-send-logs-to-a-remote-log-host.sh b/scanners/logging-and-auditing/2.15-ensure-rsyslog-is-configured-to-send-logs-to-a-remote-log-host.sh
index a92de98..c211841 100644
--- a/scanners/logging-and-auditing/2.15-ensure-rsyslog-is-configured-to-send-logs-to-a-remote-log-host.sh
+++ b/scanners/logging-and-auditing/2.15-ensure-rsyslog-is-configured-to-send-logs-to-a-remote-log-host.sh
@@ -1,18 +1,9 @@
-result_rsyslog=false
-result_rsyslog_d=false
-conf_file_path=`find /etc/rsyslog.d/ -name *.conf`
+result=false
-if [[ -a /etc/rsyslog.conf && -a $conf_file_path ]]; then
- grep -q "^*.*[^I][^I]*@" /etc/rsyslog.conf && result_rsyslog=true
- grep -q "^*.*[^I][^I]*@" /etc/rsyslog.d/*.conf && result_rsyslog_d=true
-elif [[ -a /etc/rsyslog.conf ]]; then
- grep -q "^*.*[^I][^I]*@" /etc/rsyslog.conf && result_rsyslog=true
-elif [[ -a $conf_file_path ]]; then
- grep -q "^*.*[^I][^I]*@" /etc/rsyslog.d/*.conf && result_rsyslog_d=true
-fi
+grep -Psq "^\*\.\*\s*\@{1,2}.*" /etc/rsyslog.conf /etc/rsyslog.d/*.conf && result=true
-if [[ $result_rsyslog == true || $result_rsyslog_d == true ]]; then
+if [[ $result == "true" ]]; then
 echo "pass"
 else
 echo "fail"
-fi
\ No newline at end of file
+fi
diff --git a/scanners/logging-and-auditing/2.16-ensure-journald-is-configured-to-send-logs-to-rsyslog.sh b/scanners/logging-and-auditing/2.16-ensure-journald-is-configured-to-send-logs-to-rsyslog.sh
index 220ba55..84c7445 100644
--- a/scanners/logging-and-auditing/2.16-ensure-journald-is-configured-to-send-logs-to-rsyslog.sh
+++ b/scanners/logging-and-auditing/2.16-ensure-journald-is-configured-to-send-logs-to-rsyslog.sh
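Review bot: The new pattern `^\*\.\*\s*\@{1,2}.*` recognises only the legacy `*.* @host` / `*.* @@host` action; forwarding written in RainerScript form (`*.* action(type="omfwd" ...)`) is not matched, so a host forwarding that way is reported as fail, and the removed pattern tolerated arbitrary text between the selector and the `@`. If only the legacy syntax is meant to count, a comment saying so would avoid the question coming back; otherwise extend the check, e.g. `grep -Psq '^\s*\*\.\*\s+(@{1,2}\S+|action\(type="omfwd")' /etc/rsyslog.conf /etc/rsyslog.d/*.conf && result=true`. Note that `-s` also hides the error when `/etc/rsyslog.d/*.conf` matches nothing and the literal glob is passed, which is acceptable here but worth a comment.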
@@ -1,8 +1,8 @@
 result=false
-if [[ -a /etc/systemd/journald.conf ]]; then
- grep -qe ^\s*ForwardToSyslog /etc/systemd/journald.conf && result=true
- if [[ $result == true ]]; then
+if [[ -e /etc/systemd/journald.conf ]]; then
+ grep -Pq "^\s*ForwardToSyslog\=yes$" /etc/systemd/journald.conf && result=true
+ if [[ $result == "true" ]]; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/logging-and-auditing/2.17-ensure-journald-is-configured-to-compress-large-log-files.sh b/scanners/logging-and-auditing/2.17-ensure-journald-is-configured-to-compress-large-log-files.sh
index 821206e..fde6776 100644
--- a/scanners/logging-and-auditing/2.17-ensure-journald-is-configured-to-compress-large-log-files.sh
+++ b/scanners/logging-and-auditing/2.17-ensure-journald-is-configured-to-compress-large-log-files.sh
@@ -1,8 +1,8 @@
 result=false
-if [[ -a /etc/systemd/journald.conf ]]; then
- grep -qe ^\s*Compress /etc/systemd/journald.conf && result=true
- if [[ $result == true ]]; then
+if [[ -e /etc/systemd/journald.conf ]]; then
+ grep -Pq "^\s*Compress\=yes$" /etc/systemd/journald.conf && result=true
+ if [[ $result == "true" ]]; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/logging-and-auditing/2.18-ensure-journald-is-configured-to-write-logfiles-to-persistent-disk.sh b/scanners/logging-and-auditing/2.18-ensure-journald-is-configured-to-write-logfiles-to-persistent-disk.sh
index ef080c1..63f4399 100644
--- a/scanners/logging-and-auditing/2.18-ensure-journald-is-configured-to-write-logfiles-to-persistent-disk.sh
+++ b/scanners/logging-and-auditing/2.18-ensure-journald-is-configured-to-write-logfiles-to-persistent-disk.sh
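Review bot: `^\s*ForwardToSyslog\=yes$` accepts exactly one spelling: whitespace around the `=` or after `yes`, which systemd's config parser accepts, makes a compliant line fail, and drop-ins under `/etc/systemd/journald.conf.d/*.conf`, which override the main file, are not read at all. `grep -Pq '^\s*ForwardToSyslog\s*=\s*yes\s*$' /etc/systemd/journald.conf /etc/systemd/journald.conf.d/*.conf 2>/dev/null && result=true` covers both. The 2.17 hunk (`Compress\=yes$`) and the 2.18 hunk (`^Storage\=persistent$`) have the same shape and would take the same change.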
@@ -1,8 +1,8 @@
 result=false
-if [[ -a /etc/systemd/journald.conf ]]; then
- grep -qe ^\s*Storage /etc/systemd/journald.conf && result=true
- if [[ $result == true ]]; then
+if [[ -e /etc/systemd/journald.conf ]]; then
+ grep -P "^Storage\=persistent$" /etc/systemd/journald.conf && result=true
+ if [[ $result == "true" ]]; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/logging-and-auditing/2.19-ensure-audit-is-installed.sh b/scanners/logging-and-auditing/2.19-ensure-audit-is-installed.sh
index 766b35c..dcd71da 100644
--- a/scanners/logging-and-auditing/2.19-ensure-audit-is-installed.sh
+++ b/scanners/logging-and-auditing/2.19-ensure-audit-is-installed.sh
@@ -1,5 +1 @@
-if [ "$(rpm -qa audit)" ] && [ "$(rpm -qa audit-libs)" ]; then
- echo "pass"
-else
- echo "fail"
-fi
+rpm -q audit >/dev/null 2>&1 && rpm -q audit-libs >/dev/null 2>&1 && echo 'pass' || echo 'fail'
\ No newline at end of file
diff --git a/scanners/logging-and-auditing/2.2-ensure-only-authorized-users-own-audit-log-files.sh b/scanners/logging-and-auditing/2.2-ensure-only-authorized-users-own-audit-log-files.sh
index 2a40529..0d051e7 100644
--- a/scanners/logging-and-auditing/2.2-ensure-only-authorized-users-own-audit-log-files.sh
+++ b/scanners/logging-and-auditing/2.2-ensure-only-authorized-users-own-audit-log-files.sh
@@ -3,9 +3,9 @@
 result=false
 log_path=$(dirname "$(awk -F = '/^\s*log_file\s*=\s*\S+/ {print $2}' /etc/audit/auditd.conf)")
 output="$(find $log_path -maxdepth 1 -type f ! -user root)"
-[ -z "$output" ] && result=true
+[[ -z "$output" ]] && result=true
-if [ "$result" = true ] ; then
+if [[ "$result" == "true" ]] ; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh b/scanners/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh
index e9e614d..7d1e1fe 100644
--- a/scanners/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh
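Review bot: `grep -P "^Storage\=persistent$" /etc/systemd/journald.conf` in the 2.18 hunk has no `-q`, so the matched line is written to stdout ahead of "pass" and whatever consumes the scanner's output sees two lines. Add `-q` as the sibling scanners do: `grep -Pq "^Storage\=persistent$" /etc/systemd/journald.conf && result=true`. The pattern also lacks the `^\s*` prefix that the 2.16 and 2.17 hunks use, so an indented `Storage=persistent` line is rejected here but accepted there.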
+++ b/scanners/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh
@@ -1,10 +1,10 @@
-if [ "$(rpm -qa audit audit-libs)" ]; then
- result=$(systemctl is-enabled auditd )
- if [ $result = enabled ]; then
+if rpm -q audit >/dev/null 2>&1 && rpm -q audit-libs >/dev/null 2>&1 ; then
+ result=$(systemctl is-enabled auditd)
+ if [[ $result == "enabled" ]]; then
 echo "pass"
 else
 echo "fail"
 fi
 else
- echo "pass"
+ echo "fail"
 fi
diff --git a/scanners/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh b/scanners/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh
index 0e21b4f..ea181cc 100644
--- a/scanners/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh
+++ b/scanners/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh
@@ -1,22 +1,40 @@
-fileResult=false
-curResult=false
+#!/bin/bash
-if [[ `arch` == 'aarch64' ]] && [[ `uname -m` == 'aarch64' ]] ; then
-grep -Pq "\-a\salways\,exit\s\-F\sarch=b64\s\-S\sunlinkat\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/rules.d/*.rules /etc/audit/*.rules && grep -Pq "\-a\salways\,exit\s\-F\sarch=b32\s\-S\sunlink\s\-S\sunlinkat\s\-S\srename\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/rules.d/*.rules /etc/audit/*.rules && fileResult=true
-else
-grep -Pq "\-a\salways\,exit\s\-F\sarch=b64\s\-S\sunlink\s\-S\sunlinkat\s\-S\srename\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/rules.d/*.rules /etc/audit/*.rules && grep -Pq "\-a\salways\,exit\s\-F\sarch=b32\s\-S\sunlink\s\-S\sunlinkat\s\-S\srename\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/rules.d/*.rules /etc/audit/*.rules && fileResult=true
-fi
+result='true'
+check_rule() {
+ if [[ $1 == "x86" ]]; then
+ checkRule="^(?=^\s*-a\s+always,exit)(?=.*-F\s+arch=$2)(?=.*rename)(?=.*unlink)(?=.*unlinkat)(?=.*renameat)(?=.*-F\s+auid>=1000)(?=.*-F\s+auid!=-1)"
+ elif [[ $1 == "arm" ]]; then
+ checkRule="^(?=^\s*-a\s+always,exit)(?=.*-F\s+arch=$2)(?=.*unlinkat)(?=.*renameat)(?=.*-F\s+auid>=1000)(?=.*-F\s+auid!=-1)"
+ fi
+ check_audit $checkRule
+}
+check_audit() {
+ grep -Psq "$1" /etc/audit/rules.d/*.rules /etc/audit/*.rules && auditctl -l | grep -Pq "$1"
+ if [[ $? -ne 0 ]]; then
+ result='false'
+ fi
+}
-if [[ `arch` == 'aarch64' ]] && [[ `uname -m` == 'aarch64' ]] ; then
-auditctl -l | grep -Pq "^\-a\s+always,exit\s+\-F\s+arch=b64\s+\-S\s+unlinkat,renameat\s+-F\s+auid>=1000\s+-F\s+auid!=-1\s+-F\s+key=delete" && auditctl -l | grep -Pq "^\-a\s+always,exit\s+\-F\s+arch=b32\s+\-S\s+unlink,rename,unlinkat,renameat\s+\-F\s+auid>=1000\s+\-F\s+auid!=-1\s+\-F\s+key=delete" && curResult=true
+if [[ $(getconf LONG_BIT) -eq 64 && $(arch) =~ ^x86 ]]; then
+ for BIT in "b64" "b32"; do
+ check_rule "x86" "$BIT"
+ done
+elif [[ $(getconf LONG_BIT) -eq 32 && $(arch) =~ ^x86 ]]; then
+ BIT='b32'
+ check_rule "x86" "$BIT"
+elif [[ $(getconf LONG_BIT) -eq 64 && $(arch) =~ ^aarch ]]; then
+ for BIT in "b64" "b32"; do
+ check_rule "arm" "$BIT"
+ done
+elif [[ $(getconf LONG_BIT) -eq 32 && $(arch) =~ ^aarch ]]; then
+ BIT='b32'
+ check_rule "arm" "$BIT"
 else
-auditctl -l | grep -Pq "^\-a\s+always,exit\s+\-F\s+arch=b64\s+\-S\s+rename,unlink,unlinkat,renameat\s+\-F\s+auid>=1000\s+\-F\s+auid!=-1\s+\-F\s+key=delete" && auditctl -l | grep -Pq "^\-a\s+always,exit\s+\-F\s+arch=b32\s+\-S\s+unlink,rename,unlinkat,renameat\s+\-F\s+auid>=1000\s+\-F\s+auid!=-1\s+\-F\s+key=delete" && curResult=true
+ echo 'fail'
+ exit 1
 fi
-if [[ $fileResult = true && $curResult == true ]]; then
- echo "pass"
-else
- echo "fail"
-fi
\ No newline at end of file
+[[ $result == "true" ]] && echo 'pass' || echo 'fail'
diff --git a/scanners/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh b/scanners/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh
index b35203f..cdff2c5 100644
--- a/scanners/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh
+++ b/scanners/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh
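Review bot: Both `check_rule` patterns require `(?=.*-F\s+auid!=-1)`, yet `-1` is the spelling `auditctl -l` prints (newer versions print `unset`); the rule files that the first grep in `check_audit` reads commonly carry `auid!=4294967295` (which the removed file pattern matched) or `auid!=unset`, so a compliant `/etc/audit/rules.d/*.rules` now fails the on-disk half of the check. An alternation covers every spelling: `(?=.*-F\s+auid!=(-1|unset|4294967295))`. In the x86 pattern `(?=.*rename)` and `(?=.*unlink)` are already satisfied by `renameat`/`unlinkat`, so they do not require the two extra syscalls; `(?=.*\brename\b)(?=.*\bunlink\b)` does. `check_audit $checkRule` hands the regex to the shell unquoted, exposing its `*` to pathname expansion, whereas `check_audit "$checkRule"` is safe; the same unquoted `grep -Pq $checkRule` appears in the 2.23 and 2.32 hunks. The 2.24 hunk shares the `auid!=-1` assumption.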
@@ -3,7 +3,7 @@
 result=false
 grep -q "\-w /etc/sudoers -p wa -k scope -w /etc/sudoers.d/ -p wa -k scope" /etc/audit/rules.d/*.rules /etc/audit/*.rules && auditctl -l | grep -Pq "^\-w\s+\/etc\/sudoers\s+\-p\s+wa\s+\-k\s+scope" && auditctl -l | grep -Pq "^\-w\s+\/etc\/sudoers.d\s+\-p\s+wa\s+\-k\s+scope" && result=true
-if [ "$result" = true ]; then
+if [[ "$result" == "true" ]]; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh b/scanners/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh
index 7aa077f..fcbd3e8 100644
--- a/scanners/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh
+++ b/scanners/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh
@@ -1,17 +1,15 @@
-result=false
+result=true
-grep -q "\-w /etc/group -p wa -k identity
--w /etc/passwd -p wa -k identity
--w /etc/gshadow -p wa -k identity
--w /etc/shadow -p wa -k identity
--w /etc/security/opasswd -p wa -k identity" /etc/audit/rules.d/*.rules /etc/audit/*.rules && auditctl -l | grep -q "\-w /etc/group -p wa -k identity
--w /etc/passwd -p wa -k identity
--w /etc/gshadow -p wa -k identity
--w /etc/shadow -p wa -k identity
--w /etc/security/opasswd -p wa -k identity" && result=true
+checkFile=$(echo "/etc/group" "/etc/passwd" "/etc/gshadow" "/etc/shadow " "/etc/security/opasswd")
-if [ "$result" = true ]; then
+for f in $checkFile ; do
+ checkRule="^\s*-w\s+${f}\s+-p\s+wa\s+-k\s+.*$"
+ grep -Pq $checkRule /etc/audit/rules.d/*.rules /etc/audit/*.rules && auditctl -l | grep -Pq $checkRule
+ [[ $? -ne 0 ]] && result=false
+done
+
+if [[ "$result" == "true" ]]; then
 echo "pass"
 else
 echo "fail"
-fi
\ No newline at end of file
+fi
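Review bot: In the 2.23 hunk `grep -Pq $checkRule ...` expands the pattern unquoted, so its `*` is offered to pathname expansion before grep sees it; quote it in both places: `grep -Pq "$checkRule" /etc/audit/rules.d/*.rules /etc/audit/*.rules && auditctl -l | grep -Pq "$checkRule"`. Building the file list with `checkFile=$(echo ... "/etc/shadow " ...)` and word-splitting it only works because the paths contain no spaces (note the stray trailing space inside `"/etc/shadow "`); an array says the same thing without that fragility: `checkFile=(/etc/group /etc/passwd /etc/gshadow /etc/shadow /etc/security/opasswd)` with `for f in "${checkFile[@]}"; do`. The `-k\s+.*$` tail admits only the `-k` key form; if rules written with `-F key=` are meant to count, `(-k\s+|-F\s+key=)\S+` accepts both.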
diff --git a/scanners/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.sh b/scanners/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.sh
index 2f0e2fb..8b35c1f 100644
--- a/scanners/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.sh
+++ b/scanners/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.sh
@@ -1,10 +1,11 @@
 #!/usr/bin/env bash
 result=false
+checkRule="^(?=^\s*-a\s+always,exit)(?=.*-S\s+all)(?=.*-F\s+path=/usr/bin/chsh)(?=.*-F\s+perm=x)(?=.*-F\s+auid>=1000)(?=.*-F\s+auid!=-1)"
-auditctl -l | grep -Pq "^\-a\s+always,exit\s+-S\s+all\s+-F\s+path=/usr/bin/chsh\s+-F\s+perm=x\s+-F\s+auid>=1000\s+-F\s+auid!=-1 -F\s+key=.*$" && grep -Pq "^\-a\s+always,exit\s+\-F\s+path=/usr/bin/chsh\s+\-F\s+perm=x\s+\-F\s+auid>=1000\s+\-F\s+auid!=4294967295\s+\-k\s.*$" /etc/audit/rules.d/*.rules /etc/audit/*.rules && result=true
+auditctl -l | grep -Pq "$checkRule" && grep -Pq "$checkRule" /etc/audit/rules.d/*.rules /etc/audit/*.rules && result=true
-if [ "$result" == true ]; then
+if [[ "$result" == "true" ]]; then
 echo "pass"
 else
 echo "fail"
-fi
\ No newline at end of file
+fi
diff --git a/scanners/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.sh b/scanners/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.sh
index 95b17a9..ca00b10 100644
--- a/scanners/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.sh
+++ b/scanners/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.sh
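Review bot: `checkRule` is applied to both `auditctl -l` and the rule files, but its `(?=.*-S\s+all)` lookahead describes the normalised form `auditctl -l` prints: the removed on-disk pattern had no `-S all`, and a file rule of the shape `-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k ...` now fails the second grep. Dropping `(?=.*-S\s+all)` loses nothing that the `path=` and `perm=x` lookaheads do not already pin down, and the auid test needs the on-disk spellings as well: `(?=.*-F\s+auid!=(-1|unset|4294967295))`. A comment above the assignment, `# one regex must match both the live listing and the file syntax`, would stop the next edit from re-tightening it.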
@@ -1,3 +1,3 @@
 checkResult=$(augenrules --check)
-echo $checkResult | grep -Psiq "No\s+change" && echo 'pass' || echo 'fail'
\ No newline at end of file
+echo $checkResult | grep -Psiq "\bNo\s+change$" && echo 'pass' || echo 'fail'
\ No newline at end of file
diff --git a/scanners/logging-and-auditing/2.27-ensure-that-the-firewall-logging-function-is-enabled.sh b/scanners/logging-and-auditing/2.27-ensure-that-the-firewall-logging-function-is-enabled.sh
index 380a233..b53d3e6 100644
--- a/scanners/logging-and-auditing/2.27-ensure-that-the-firewall-logging-function-is-enabled.sh
+++ b/scanners/logging-and-auditing/2.27-ensure-that-the-firewall-logging-function-is-enabled.sh
@@ -1,2 +1,8 @@
-fwDenied=$(firewall-cmd --get-log-denied)
-( [[ $fwDenied == 'all' ]] && echo 'pass' ) || echo 'fail'
\ No newline at end of file
+fwDenied=$(firewall-cmd --get-log-denied 2>&1)
+fwDeniedFile=$(grep -Pm1 "^\s*LogDenied=all\s*$" /etc/firewalld/firewalld.conf | grep -Po "LogDenied=all")
+
+if [[ $fwDenied == "all" && $fwDeniedFile == "LogDenied=all" ]]; then
+ echo 'pass'
+else
+ echo 'fail'
+fi
diff --git a/scanners/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh b/scanners/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh
index 7104506..5347af9 100644
--- a/scanners/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh
+++ b/scanners/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh
@@ -1 +1 @@
-( grep -Psq "^Defaults\slogfile\=.*\.log$" /etc/sudoers && echo 'pass' ) || echo 'fail'
\ No newline at end of file
+( awk '/Defaults\s+logfile\s*/ {line = $0; nr = NR} END {if (nr) print line}' /etc/sudoers | grep -Psq "^\s*Defaults\s+logfile\s*=\s*(/?)([a-zA-Z0-9_.-]+/?)*" && echo 'pass' ) || echo 'fail'
diff --git a/scanners/logging-and-auditing/2.3-ensure-only-authorized-groups-ownership-of-audit-log-files.sh b/scanners/logging-and-auditing/2.3-ensure-only-authorized-groups-ownership-of-audit-log-files.sh
index 03c3059..a9d59db 100644
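Review bot: In the 2.27 hunk `fwDeniedFile` is produced by grepping the first `LogDenied=all` line out of `/etc/firewalld/firewalld.conf`, which re-implements firewalld's own parsing (a later duplicate key, if firewalld honours it, is hidden by `-m1`) and then compares literal text. `firewall-cmd --permanent --get-log-denied` reports the persistent setting directly, so both halves can be read the same way: `fwDeniedFile=$(firewall-cmd --permanent --get-log-denied 2>&1)` and `if [[ $fwDenied == "all" && $fwDeniedFile == "all" ]]; then`. If reading the file is deliberate, for example so the scanner works while firewalld is stopped, a comment saying so would help the next reader.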
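Review bot: In the 2.29 hunk the path group `(/?)([a-zA-Z0-9_.-]+/?)*` of the final grep can match zero characters, so `Defaults logfile=` with an empty value passes where the removed pattern demanded a `.log` path; `+` in place of the trailing `*` requires at least one path component: `grep -Psq "^\s*Defaults\s+logfile\s*=\s*(/?)([a-zA-Z0-9_.-]+/?)+"`. The awk selector `/Defaults\s+logfile\s*/` is unanchored, so a commented-out `# Defaults logfile=...` that appears last wins and is then rejected by the anchored grep, and `\s` inside an awk regex is a gawk extension that mawk or busybox awk may not accept; `/^[[:space:]]*Defaults[[:space:]]+logfile/` avoids both. Files under `/etc/sudoers.d/` are not consulted, which is worth a comment if intentional.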
--- a/scanners/logging-and-auditing/2.3-ensure-only-authorized-groups-ownership-of-audit-log-files.sh
+++ b/scanners/logging-and-auditing/2.3-ensure-only-authorized-groups-ownership-of-audit-log-files.sh
@@ -3,9 +3,9 @@
 result=false
 log_path=$(dirname "$(awk -F = '/^\s*log_file\s*=\s*\S+/ {print $2}' /etc/audit/auditd.conf)")
 output="$(find $log_path -maxdepth 1 -type f \( ! -group root -a ! -group adm \))"
-[ -z "$output" ] && result=true
+[[ -z "$output" ]] && result=true
-if [ "$result" = true ] ; then
+if [[ "$result" == "true" ]] ; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/logging-and-auditing/2.30-ensure-events-that-modify-the-sudo-log-file-are-collected.sh b/scanners/logging-and-auditing/2.30-ensure-events-that-modify-the-sudo-log-file-are-collected.sh
index fe34a7d..9d455f7 100644
--- a/scanners/logging-and-auditing/2.30-ensure-events-that-modify-the-sudo-log-file-are-collected.sh
+++ b/scanners/logging-and-auditing/2.30-ensure-events-that-modify-the-sudo-log-file-are-collected.sh
@@ -2,4 +2,4 @@ sudoLogFilePath=$(grep -r logfile /etc/sudoers* | sed -e 's/.*logfile=//;s/,? .*
 sudoLogRunning=$(auditctl -l | awk "/^ *-w/ &&/"${sudoLogFilePath}"/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)")
 sudoLogdisk=$(awk "/^ *-w/ &&/"${sudoLogFilePath}"/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules /etc/audit/*.rules)
-([ -n "${sudoLogFilePath}" ] && [ -n "${sudoLogRunning}" ] && [ -n "${sudoLogdisk}" ] && echo 'pass') || echo 'fail'
\ No newline at end of file
+([[ -n "${sudoLogFilePath}" ]] && [[ -n "${sudoLogRunning}" ]] && [[ -n "${sudoLogdisk}" ]] && echo 'pass') || echo 'fail'
\ No newline at end of file
diff --git a/scanners/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh b/scanners/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh
index 7140ac5..9409d64 100644
--- a/scanners/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh
+++ b/scanners/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh
@@ -1,17 +1,13 @@
-curResult=false
-diskResult=false
-# $curLine == Number of compliant audit rules that have been loaded.
-curLine=$(auditctl -l | awk "/^ *-a *always,exit/ &&/ -F *arch=b[2346]{2}/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -S/ &&/ -F *auid>=${UID_MIN}/ &&(/chmod/||/fchmod/||/fchmodat/ ||/chown/||/fchown/||/fchownat/||/lchown/ ||/setxattr/||/lsetxattr/||/fsetxattr/ ||/removexattr/||/lremovexattr/||/fremovexattr/) &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" | wc -l)
+result=true
-# In this benchmark, the number of audit rule entries that need to be loaded is 6.
-[[ $curLine == 6 ]] && curResult=true
+for BIT in b32 b64 ; do
+ checkRule="^(?=^\s*-a\s+always,exit)(?=.*-F\s+arch=$BIT)(?=.*chmod)(?=.*fchmod)(?=.*chown)(?=.*fchown)(?=.*lchown)(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr)(?=.*fchownat)(?=.*fchmodat)"
+ grep -Pq $checkRule /etc/audit/rules.d/*.rules /etc/audit/*.rules && auditctl -l | grep -Pq $checkRule
+ [[ $? -ne 0 ]] && result=false
+done
-grep -Psq "^\-a\s+always,exit\s+\-F\s+arch=b64\s+\-S\s+chmod,fchmod,fchmodat\s+\-F\s+auid>=1000\s+\-F\s+auid!=unset\s+\-F\s+key=.*$" /etc/audit/rules.d/*.rules /etc/audit/*.rules \
-&& grep -Psq "^\-a\s+always,exit\s+\-F\s+arch=b64\s+\-S\s+chown,fchown,lchown,fchownat\s+\-F\s+auid>=1000\s+\-F\s+auid!=unset\s+\-F\s+key=.*$" /etc/audit/rules.d/*.rules /etc/audit/*.rules \
-&& grep -Psq "^\-a\s+always,exit\s+\-F\s+arch=b32\s+\-S\s+chmod,fchmod,fchmodat\s+\-F\s+auid>=1000\s+\-F\s+auid!=unset\s+\-F\s+key=.*$" /etc/audit/rules.d/*.rules /etc/audit/*.rules \
-&& grep -Psq "^\-a\s+always,exit\s+\-F\s+arch=b32\s+\-S\s+lchown,fchown,chown,fchownat\s+\-F\s+auid>=1000\s+\-F\s+auid!=unset\s+\-F\s+key=.*$" /etc/audit/rules.d/*.rules /etc/audit/*.rules \
-&& grep -Psq "^\-a\s+always,exit\s+\-F\s+arch=b64\s+\-S\s+setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr\s+\-F\s+auid>=1000\s+\-F\s+auid!=unset\s+\-F\s+key=.*$" /etc/audit/rules.d/*.rules /etc/audit/*.rules \
-&& grep -Psq "^\-a\s+always,exit\s+\-F\s+arch=b32\s+\-S\s+setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr\s+\-F\s+auid>=1000\s+\-F\s+auid!=unset\s+\-F\s+key=.*$" /etc/audit/rules.d/*.rules /etc/audit/*.rules \
-&& diskResult=true
-
-[[ $curResult == 'true' ]] && [[ $diskResult == 'true' ]] && echo 'pass' || echo 'fail'
\ No newline at end of file
+if [[ "$result" == "true" ]]; then
+ echo "pass"
+else
+ echo "fail"
+fi
diff --git a/scanners/logging-and-auditing/2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive.sh b/scanners/logging-and-auditing/2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive.sh
index 7336812..ce499d3 100644
--- a/scanners/logging-and-auditing/2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive.sh
+++ b/scanners/logging-and-auditing/2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive.sh
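Review bot: The new `checkRule` matches only when all fourteen syscalls appear on one rule line, whereas the removed greps accepted the three-rules-per-arch layout (chmod/fchmod/fchmodat, chown/fchown/lchown/fchownat, the six xattr calls), so a host configured that way now fails both greps; and the lookaheads `(?=.*chmod)`, `(?=.*fchmod)`, `(?=.*chown)`, `(?=.*fchown)` and `(?=.*setxattr)` are already satisfied by the longer names (`fchmodat`, `fchownat`, `lsetxattr`), so on their own they enforce nothing. The `auid>=1000`, `auid!=` and key requirements the removed patterns carried are gone as well, and `$checkRule` reaches grep unquoted. A per-group loop with `\b`-delimited names keeps the lookahead style while restoring that coverage:
```bash
result=true
syscallGroups=(
  '(?=.*\bchmod\b)(?=.*\bfchmod\b)(?=.*\bfchmodat\b)'
  '(?=.*\bchown\b)(?=.*\bfchown\b)(?=.*\blchown\b)(?=.*\bfchownat\b)'
  '(?=.*\bsetxattr\b)(?=.*\blsetxattr\b)(?=.*\bfsetxattr\b)(?=.*\bremovexattr\b)(?=.*\blremovexattr\b)(?=.*\bfremovexattr\b)'
)
for BIT in b32 b64 ; do
  for group in "${syscallGroups[@]}"; do
    # one rule per group and arch, on disk and in the live ruleset; auid spellings differ between the two
    checkRule="^(?=^\s*-a\s+always,exit)(?=.*-F\s+arch=$BIT)${group}(?=.*-F\s+auid>=1000)(?=.*-F\s+auid!=(-1|unset|4294967295))(?=.*(-k\s+|-F\s+key=)\S+)"
    grep -Pq "$checkRule" /etc/audit/rules.d/*.rules /etc/audit/*.rules && auditctl -l | grep -Pq "$checkRule"
    [[ $? -ne 0 ]] && result=false
  done
done
# … unchanged: pass/fail output …
```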
@@ -4,7 +4,7 @@ log_path=$(dirname "$(awk -F = '/^\s*log_file\s*=\s*\S+/ {print $2}' /etc/audit/ stat -c "%a" "$log_path" | grep -Eq '^[0-7][0,1,4,5]0\s*$' && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/logging-and-auditing/2.8-ensure-audit-tools-are-mode-of-0755-or-more-restrictive.sh b/scanners/logging-and-auditing/2.8-ensure-audit-tools-are-mode-of-0755-or-more-restrictive.sh index c7e7884..4b2cec3 100644 --- a/scanners/logging-and-auditing/2.8-ensure-audit-tools-are-mode-of-0755-or-more-restrictive.sh +++ b/scanners/logging-and-auditing/2.8-ensure-audit-tools-are-mode-of-0755-or-more-restrictive.sh @@ -1,19 +1,7 @@ -result_auditctl=false -result_aureport=false -result_ausearch=false -result_autrace=false -result_auditd=false -result_augenrules=false +result=0 +for i in $(stat -c "%a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules) +do + echo $i | grep -Eq '^[0-7][0,1,4,5][0,1,4,5]\s*$' && ((result++)) +done -stat -c "%a" /sbin/auditctl | grep -Eq '^[0-7][0,1,4,5][0,1,4,5]\s*$' && result_auditctl=true -stat -c "%a" /sbin/aureport | grep -Eq '^[0-7][0,1,4,5][0,1,4,5]\s*$' && result_aureport=true -stat -c "%a" /sbin/ausearch | grep -Eq '^[0-7][0,1,4,5][0,1,4,5]\s*$' && result_ausearch=true -stat -c "%a" /sbin/autrace | grep -Eq '^[0-7][0,1,4,5][0,1,4,5]\s*$' && result_autrace=true -stat -c "%a" /sbin/auditd | grep -Eq '^[0-7][0,1,4,5][0,1,4,5]\s*$' && result_auditd=true -stat -c "%a" /sbin/augenrules | grep -Eq '^[0-7][0,1,4,5][0,1,4,5]\s*$' && result_augenrules=true - -if [ "$result_auditctl" = true ] && [ "$result_aureport" = true ] && [ "$result_ausearch" = true ] && [ "$result_autrace" = true ] && [ "$result_auditd" = true ] && [ "$result_augenrules" = true ]; then - echo "pass" -else - echo "fail" -fi \ No newline at end of file +[[ $result -eq 6 ]] && echo 'pass' || echo 'fail' \ No newline at end of file 
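Review bot: The pass condition `[[ $result -eq 6 ]]` in the 2.8 hunk hard-codes the length of the tool list passed to stat, so adding or removing a path on the `for i in $(stat …)` line without updating the count silently breaks the check; the 2.9 hunk has the same structure. Keep the list in an array and compare against its size, e.g. `tools=(/sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules)` with `[[ $result -eq ${#tools[@]} ]]`. The mode test can stay in the shell as `[[ $i =~ ^[0-7][0145][0145]$ ]] && ((result++))`, avoiding an `echo | grep` per tool; note that `((result++))` returns non-zero on the first increment, which would abort the script if `set -e` is ever added.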
diff --git a/scanners/logging-and-auditing/2.9-ensure-audit-tools-are-owned-by-root.sh b/scanners/logging-and-auditing/2.9-ensure-audit-tools-are-owned-by-root.sh index 0b6555c..2c92a49 100644 --- a/scanners/logging-and-auditing/2.9-ensure-audit-tools-are-owned-by-root.sh +++ b/scanners/logging-and-auditing/2.9-ensure-audit-tools-are-owned-by-root.sh @@ -1,19 +1,7 @@ -result_auditctl=false -result_aureport=false -result_ausearch=false -result_autrace=false -result_auditd=false -result_augenrules=false +result=0 +for i in $(stat -c "%U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules) +do + echo $i | grep -Eq '^root$' && ((result++)) +done -stat -c "%U" /sbin/auditctl | grep -Eq 'root' && result_auditctl=true -stat -c "%U" /sbin/aureport | grep -Eq 'root' && result_aureport=true -stat -c "%U" /sbin/ausearch | grep -Eq 'root' && result_ausearch=true -stat -c "%U" /sbin/autrace | grep -Eq 'root' && result_autrace=true -stat -c "%U" /sbin/auditd | grep -Eq 'root' && result_auditd=true -stat -c "%U" /sbin/augenrules | grep -Eq 'root' && result_augenrules=true - -if [ "$result_auditctl" = true ] && [ "$result_aureport" = true ] && [ "$result_ausearch" = true ] && [ "$result_autrace" = true ] && [ "$result_auditd" = true ] && [ "$result_augenrules" = true ]; then - echo "pass" -else - echo "fail" -fi \ No newline at end of file +[[ $result -eq 6 ]] && echo 'pass' || echo 'fail' \ No newline at end of file diff --git a/scanners/mandatory-access-control/5.1-ensure-selinux-is-installed.sh b/scanners/mandatory-access-control/5.1-ensure-selinux-is-installed.sh index d489e1e..fd1d6b9 100644 --- a/scanners/mandatory-access-control/5.1-ensure-selinux-is-installed.sh +++ b/scanners/mandatory-access-control/5.1-ensure-selinux-is-installed.sh 
@@ -1,4 +1,4 @@ -if [ "$(rpm -qa libselinux)" ] && [ "$(rpm -qa selinux-policy-mls)" ] && [ "$(rpm -qa selinux-policy-targeted )" ]; then +if [[ "$(rpm -qa libselinux)" ]] && [[ "$(rpm -qa selinux-policy-mls)" ]] && [[ "$(rpm -qa selinux-policy-targeted )" ]]; then echo "pass" else echo "fail" diff --git a/scanners/mandatory-access-control/5.2-ensure-selinux-policy-is-configured.sh b/scanners/mandatory-access-control/5.2-ensure-selinux-policy-is-configured.sh index e91fe53..fc7f43e 100755 --- a/scanners/mandatory-access-control/5.2-ensure-selinux-policy-is-configured.sh +++ b/scanners/mandatory-access-control/5.2-ensure-selinux-policy-is-configured.sh @@ -4,14 +4,14 @@ export LANG="en_US.UTF-8" SELINUX=`grep -E "^\s*SELINUX=disabled\b" /etc/selinux/config` SELINUX_R=`echo $?` # include 0 -if [ $SELINUX_R != 0 ];then +if [[ $SELINUX_R -ne 0 ]];then SELINUXTYPE=`grep -E "^\s*SELINUXTYPE=mls\b" /etc/selinux/config` SELINUXTYPE_R=`echo $?` # include 0 else SELINUXTYPE_R=1 fi -if [[ `sestatus | grep Loaded` =~ "mls" ]] && [ $SELINUXTYPE_R == 0 ];then +if [[ `sestatus | grep Loaded` =~ "mls" ]] && [[ $SELINUXTYPE_R -eq 0 ]];then echo "pass"; else echo "fail"; diff --git a/scanners/mandatory-access-control/5.4-ensure-the-selinux-mode-is-enforcing.sh b/scanners/mandatory-access-control/5.4-ensure-the-selinux-mode-is-enforcing.sh index 83946e0..957015b 100755 --- a/scanners/mandatory-access-control/5.4-ensure-the-selinux-mode-is-enforcing.sh +++ b/scanners/mandatory-access-control/5.4-ensure-the-selinux-mode-is-enforcing.sh @@ -2,7 +2,7 @@ TYPE=`grep -Ei "^\s*SELINUX=enforcing" /etc/selinux/config` TYPE_R=`echo $?` # include 0 -if [ `getenforce` == "Enforcing" ] && [ $TYPE_R == 0 ];then +if [[ `getenforce` == "Enforcing" ]] && [[ $TYPE_R == 0 ]];then echo "pass"; else echo "fail"; 
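Review bot: `[[ $TYPE_R == 0 ]]` in the 5.4 hunk compares the grep exit status as a string, while the 5.2 hunk in this same commit switched the equivalent tests to `-ne`/`-eq`; use `[[ $TYPE_R -eq 0 ]]` for consistency. The `getenforce` command substitution still uses backticks; `$(getenforce)` matches the `$(…)` form used in the other scanners.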
diff --git a/scanners/mandatory-access-control/5.9-ensure-setroubleshoot-is-not-installed.sh b/scanners/mandatory-access-control/5.9-ensure-setroubleshoot-is-not-installed.sh index e012fe2..73f19a0 100644 --- a/scanners/mandatory-access-control/5.9-ensure-setroubleshoot-is-not-installed.sh +++ b/scanners/mandatory-access-control/5.9-ensure-setroubleshoot-is-not-installed.sh @@ -5,7 +5,7 @@ result=false rpm -q setroubleshoot | grep -Psiq "^package\s+setroubleshoot\s+is\s+not\s+installed$" && result=true -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.1-disable-http-server.sh b/scanners/services/3.1-disable-http-server.sh index a5318fe..c4c6f1f 100755 --- a/scanners/services/3.1-disable-http-server.sh +++ b/scanners/services/3.1-disable-http-server.sh @@ -1,6 +1,6 @@ -if [ "$(rpm -qa httpd)" ]; then +if [[ "$(rpm -qa httpd)" ]]; then result=$(systemctl is-enabled httpd) - if [ $result != enabled ]; then + if [[ $result != enabled ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.10-disable-rsync-server.sh b/scanners/services/3.10-disable-rsync-server.sh index b146126..7a7125c 100644 --- a/scanners/services/3.10-disable-rsync-server.sh +++ b/scanners/services/3.10-disable-rsync-server.sh @@ -1,6 +1,6 @@ -if [ "$(rpm -qa rsync-daemon)" ]; then +if [[ "$(rpm -qa rsync-daemon)" ]]; then result=$(systemctl is-enabled rsyncd) - if [ $result != enabled ]; then + if [[ $result != enabled ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.11-disable-avahi-server.sh b/scanners/services/3.11-disable-avahi-server.sh index ecc6bdb..4919b1b 100644 --- a/scanners/services/3.11-disable-avahi-server.sh +++ b/scanners/services/3.11-disable-avahi-server.sh 
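Review bot: `if [[ $result != enabled ]]` in the 3.1 hunk treats every other `systemctl is-enabled` answer — `enabled-runtime`, `indirect`, `alias`, `static`, or an empty string when the unit is unknown — as pass, so a unit enabled only for the current boot or pulled in through an alias is reported compliant; the same test appears in the 3.10, 3.11, 3.12–3.16, 3.2–3.9, 3.23 and 3.24 hunks. Accept only the known-good states instead, `if [[ $result == disabled || $result == masked ]]; then`, and consider also requiring `systemctl is-active` to report inactive, since the control is about the service not running. The closing `fi` lines of both `if` blocks lie outside the hunk.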
@@ -1,7 +1,7 @@ -if [ "$(rpm -qa avahi)" ]; then +if [[ "$(rpm -qa avahi)" ]]; then result=$(systemctl is-enabled avahi-daemon.socket) result2=$(systemctl is-enabled avahi-daemon) - if [ $result != enabled ] && [ $result2 != enabled ]; then + if [[ $result != enabled ]] && [[ $result2 != enabled ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.12-disable-snmp-server.sh b/scanners/services/3.12-disable-snmp-server.sh index 024df3d..85f1ff2 100644 --- a/scanners/services/3.12-disable-snmp-server.sh +++ b/scanners/services/3.12-disable-snmp-server.sh @@ -1,6 +1,6 @@ -if [ "$(rpm -qa net-snmp)" ]; then +if [[ "$(rpm -qa net-snmp)" ]]; then result=$(systemctl is-enabled snmpd) - if [ $result != enabled ]; then + if [[ $result != enabled ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.13-disable-http-proxy-server.sh b/scanners/services/3.13-disable-http-proxy-server.sh index a16aa02..13de594 100644 --- a/scanners/services/3.13-disable-http-proxy-server.sh +++ b/scanners/services/3.13-disable-http-proxy-server.sh @@ -1,6 +1,6 @@ -if [ "$(rpm -qa squid)" ]; then +if [[ "$(rpm -qa squid)" ]]; then result=$(systemctl is-enabled squid) - if [ $result != enabled ]; then + if [[ $result != enabled ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.14-disable-samba.sh b/scanners/services/3.14-disable-samba.sh index 7971cb5..e4bd3fa 100644 --- a/scanners/services/3.14-disable-samba.sh +++ b/scanners/services/3.14-disable-samba.sh @@ -1,6 +1,6 @@ -if [ "$(rpm -qa samba)" ]; then +if [[ "$(rpm -qa samba)" ]]; then result=$(systemctl is-enabled smb) - if [ $result != enabled ]; then + if [[ $result != enabled ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.15-disable-imap-and-pop3-server.sh b/scanners/services/3.15-disable-imap-and-pop3-server.sh index 4ab5ad8..fd49de5 100644 --- a/scanners/services/3.15-disable-imap-and-pop3-server.sh +++ b/scanners/services/3.15-disable-imap-and-pop3-server.sh 
@@ -1,6 +1,6 @@ -if [ "$(rpm -qa dovecot)" ]; then +if [[ "$(rpm -qa dovecot)" ]]; then result=$(systemctl is-enabled dovecot) - if [ $result != enabled ]; then + if [[ $result != enabled ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.16-disable-smtp-protocol.sh b/scanners/services/3.16-disable-smtp-protocol.sh index 9a9a422..c77a750 100644 --- a/scanners/services/3.16-disable-smtp-protocol.sh +++ b/scanners/services/3.16-disable-smtp-protocol.sh @@ -1,6 +1,6 @@ -if [ "$(rpm -qa postfix)" ]; then - result=$(systemctl is-enabled postfix.service) - if [ $result != enabled ]; then +if [[ "$(rpm -qa postfix)" ]]; then + result=$(systemctl is-enabled postfix.service) + if [[ $result != enabled ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.17-disable-or-uninstall-the-telnet.sh b/scanners/services/3.17-disable-or-uninstall-the-telnet.sh index 1ca6133..2994e00 100644 --- a/scanners/services/3.17-disable-or-uninstall-the-telnet.sh +++ b/scanners/services/3.17-disable-or-uninstall-the-telnet.sh @@ -1,5 +1,5 @@ #!/usr/bin/env bash -if [ "$(rpm -qa | grep telnet)" ]; then +if [[ "$(rpm -qa | grep telnet)" ]]; then result=$(systemctl is-enabled telnet.socket) if [[ $result != enabled ]]; then echo "pass" diff --git a/scanners/services/3.18-uninstall-the-avahi-server.sh b/scanners/services/3.18-uninstall-the-avahi-server.sh index ee9cdda..32bfe74 100644 --- a/scanners/services/3.18-uninstall-the-avahi-server.sh +++ b/scanners/services/3.18-uninstall-the-avahi-server.sh @@ -3,7 +3,7 @@ result=false rpm -q avahi | grep -Psiq "^package\s+avahi\s+is\s+not\s+installed$" && result=true -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.19-uninstall-the-kexec-tools.sh b/scanners/services/3.19-uninstall-the-kexec-tools.sh index 6e86439..6ebc164 100644 --- a/scanners/services/3.19-uninstall-the-kexec-tools.sh 
+++ b/scanners/services/3.19-uninstall-the-kexec-tools.sh @@ -3,7 +3,7 @@ result=false rpm -q kexec-tools | grep -Psiq "^package\s+kexec-tools\s+is\s+not\s+installed$" && result=true -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.2-disable-ftp-server.sh b/scanners/services/3.2-disable-ftp-server.sh index a065768..ea33f10 100644 --- a/scanners/services/3.2-disable-ftp-server.sh +++ b/scanners/services/3.2-disable-ftp-server.sh @@ -1,6 +1,6 @@ -if [ "$(rpm -qa vsftpd)" ]; then +if [[ "$(rpm -qa vsftpd)" ]]; then result=$(systemctl is-enabled vsftpd) - if [ $result != enabled ]; then + if [[ $result != enabled ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.20-uninstall-the-firstboot.sh b/scanners/services/3.20-uninstall-the-firstboot.sh index d58166d..a3a54b2 100644 --- a/scanners/services/3.20-uninstall-the-firstboot.sh +++ b/scanners/services/3.20-uninstall-the-firstboot.sh @@ -3,7 +3,7 @@ result=false rpm -q firstboot | grep -Psiq "^package\s+firstboot\s+is\s+not\s+installed$" && result=true -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.21-uninstall-the-wpa_supplicant.sh b/scanners/services/3.21-uninstall-the-wpa_supplicant.sh index 1844599..596dd2c 100644 --- a/scanners/services/3.21-uninstall-the-wpa_supplicant.sh +++ b/scanners/services/3.21-uninstall-the-wpa_supplicant.sh @@ -3,7 +3,7 @@ result=false rpm -q wpa_supplicant | grep -Psiq "^package\s+wpa_supplicant\s+is\s+not\s+installed$" && result=true -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.22-ensure-NIS-Client-is-not-installed.sh b/scanners/services/3.22-ensure-NIS-Client-is-not-installed.sh index 6d621a1..34ef540 100644 --- a/scanners/services/3.22-ensure-NIS-Client-is-not-installed.sh 
+++ b/scanners/services/3.22-ensure-NIS-Client-is-not-installed.sh @@ -4,7 +4,7 @@ result=false rpm -q ypbind | grep -Psiq "^package\s+ypbind\s+is\s+not\s+installed$" && result=true -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.23-disable-rsh.sh b/scanners/services/3.23-disable-rsh.sh index 5b720fc..f5410ba 100644 --- a/scanners/services/3.23-disable-rsh.sh +++ b/scanners/services/3.23-disable-rsh.sh @@ -1,6 +1,6 @@ -if [ "$(rpm -qa rsh)" ]; then +if [[ "$(rpm -qa rsh-server)" ]]; then result=$(systemctl is-enabled rsh.socket) - if [ $result != enabled ]; then + if [[ $result != enabled ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.24-disable-ntalk.sh b/scanners/services/3.24-disable-ntalk.sh index ac54085..2af51e8 100644 --- a/scanners/services/3.24-disable-ntalk.sh +++ b/scanners/services/3.24-disable-ntalk.sh @@ -1,6 +1,6 @@ -if [ "$(rpm -qa ntalk)" ]; then +if [[ "$(rpm -qa ntalk)" ]]; then result=$(systemctl is-enabled ntalk.socket) - if [ $result != enabled ]; then + if [[ $result != enabled ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.25-ensure-xinetd-is-not-installed.sh b/scanners/services/3.25-ensure-xinetd-is-not-installed.sh index 9ff4bcb..69c8df1 100644 --- a/scanners/services/3.25-ensure-xinetd-is-not-installed.sh +++ b/scanners/services/3.25-ensure-xinetd-is-not-installed.sh @@ -4,7 +4,7 @@ result=false rpm -q xinetd | grep -Psiq "^package\s+xinetd\s+is\s+not\s+installed$" && result=true -if [ "$result" == true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.26-disable-usb-storage.sh b/scanners/services/3.26-disable-usb-storage.sh index 848eb82..2b00572 100644 --- a/scanners/services/3.26-disable-usb-storage.sh +++ b/scanners/services/3.26-disable-usb-storage.sh 
@@ -1,8 +1,8 @@ result=true echo $(modprobe -n -v usb-storage) | grep -Psq "^install\s+\/bin\/true$" || result=false -lsmod | grep -q "usb-storage" && result=false +lsmod | grep -Pq "^usb(_|-)storage\b" && result=false -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.27-ensure-time-synchronization-is-installed.sh b/scanners/services/3.27-ensure-time-synchronization-is-installed.sh index 0281f85..59e09c8 100644 --- a/scanners/services/3.27-ensure-time-synchronization-is-installed.sh +++ b/scanners/services/3.27-ensure-time-synchronization-is-installed.sh @@ -1,10 +1,10 @@ #!/usr/bin/env bash result=false -rpm -q chrony | grep -Psiq "chrony\-" && result=true +rpm -q chrony | grep -Psiq "^chrony\-" && result=true -if [ "$result" = true ]; then - echo "pass" +if [[ "$result" == "true" ]]; then + echo "pass" else - echo "fail" + echo "fail" fi diff --git a/scanners/services/3.3-disable-dns-server.sh b/scanners/services/3.3-disable-dns-server.sh index 665b8a3..9535028 100644 --- a/scanners/services/3.3-disable-dns-server.sh +++ b/scanners/services/3.3-disable-dns-server.sh @@ -1,6 +1,6 @@ -if [ "$(rpm -qa bind)" ]; then +if [[ "$(rpm -qa bind)" ]]; then result=$(systemctl is-enabled named) - if [ $result != enabled ]; then + if [[ $result != enabled ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.4-disable-nfs.sh b/scanners/services/3.4-disable-nfs.sh index 3079213..d0c5fa5 100644 --- a/scanners/services/3.4-disable-nfs.sh +++ b/scanners/services/3.4-disable-nfs.sh @@ -1,6 +1,6 @@ -if [ "$(rpm -qa nfs-utils)" ]; then +if [[ "$(rpm -qa nfs-utils)" ]]; then result=$(systemctl is-enabled nfs-server) - if [ $result != enabled ]; then + if [[ $result != enabled ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.5-disable-rpc.sh b/scanners/services/3.5-disable-rpc.sh index fb823d1..b775bc7 100644 --- a/scanners/services/3.5-disable-rpc.sh 
+++ b/scanners/services/3.5-disable-rpc.sh @@ -1,6 +1,6 @@ -if [ "$(rpm -qa rpcbind)" ]; then +if [[ "$(rpm -qa rpcbind)" ]]; then result=$(systemctl is-enabled rpcbind) - if [ $result != enabled ]; then + if [[ $result != enabled ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.6-disable-ldap-server.sh b/scanners/services/3.6-disable-ldap-server.sh index f927005..3f70aa5 100644 --- a/scanners/services/3.6-disable-ldap-server.sh +++ b/scanners/services/3.6-disable-ldap-server.sh @@ -1,6 +1,6 @@ -if [ "$(rpm -qa openldap-servers)" ]; then +if [[ "$(rpm -qa openldap-servers)" ]]; then result=$(systemctl is-enabled slapd) - if [ $result != enabled ]; then + if [[ $result != enabled ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.7-disable-dhcp-server.sh b/scanners/services/3.7-disable-dhcp-server.sh index c812c4a..4309c70 100644 --- a/scanners/services/3.7-disable-dhcp-server.sh +++ b/scanners/services/3.7-disable-dhcp-server.sh @@ -1,6 +1,6 @@ -if [ "$(rpm -qa dhcp-server)" ]; then +if [[ "$(rpm -qa dhcp-server)" ]]; then result=$(systemctl is-enabled dhcpd) - if [ $result != enabled ]; then + if [[ $result != enabled ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.8-disable-cups.sh b/scanners/services/3.8-disable-cups.sh index 56499c0..89e4ce3 100644 --- a/scanners/services/3.8-disable-cups.sh +++ b/scanners/services/3.8-disable-cups.sh @@ -1,6 +1,6 @@ -if [ "$(rpm -qa cups)" ]; then +if [[ "$(rpm -qa cups)" ]]; then result=$(systemctl is-enabled cups) - if [ $result != enabled ]; then + if [[ $result != enabled ]]; then echo "pass" else echo "fail" diff --git a/scanners/services/3.9-disable-nis-server.sh b/scanners/services/3.9-disable-nis-server.sh index 18ed619..e3b8dd3 100644 --- a/scanners/services/3.9-disable-nis-server.sh +++ b/scanners/services/3.9-disable-nis-server.sh 
@@ -1,6 +1,6 @@ -if [ "$(rpm -qa ypserv)" ]; then +if [[ "$(rpm -qa ypserv)" ]]; then result=$(systemctl is-enabled ypserv) - if [ $result != enabled ]; then + if [[ $result != enabled ]]; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.1-ensure-message-of-the-day-is-configured-properly.sh b/scanners/system-configurations/4.1-ensure-message-of-the-day-is-configured-properly.sh index 692acef..689f983 100644 --- a/scanners/system-configurations/4.1-ensure-message-of-the-day-is-configured-properly.sh +++ b/scanners/system-configurations/4.1-ensure-message-of-the-day-is-configured-properly.sh @@ -2,7 +2,7 @@ result=false grep -Eiq "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/motd || result=true -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.10-ensure-bootloader-password-is-set.sh b/scanners/system-configurations/4.10-ensure-bootloader-password-is-set.sh index f5c1175..e46ce76 100644 --- a/scanners/system-configurations/4.10-ensure-bootloader-password-is-set.sh +++ b/scanners/system-configurations/4.10-ensure-bootloader-password-is-set.sh @@ -1,8 +1,8 @@ result=false -if [ -e /boot/grub2/user.cfg ]; then +if [[ -e /boot/grub2/user.cfg ]]; then grep -Pq '^\h*GRUB2_PASSWORD\h*=\h*.+$' /boot/grub2/user.cfg && result=true - if [ "$result" = true ] ; then + if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh b/scanners/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh index ba44249..892913c 100644 --- a/scanners/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh +++ b/scanners/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh 
@@ -2,7 +2,7 @@ result=false grep -Pq "^\s*ExecStart=-/usr/lib/systemd/systemd-sulogin-shell(\s+emergency|\s*)\s*(\s+#.*)?$" /usr/lib/systemd/system/emergency.service && grep -Pq "^\s*ExecStart=-/usr/lib/systemd/systemd-sulogin-shell(\s+rescue\s*|\s*)\s*(\s+#.*)?$" /usr/lib/systemd/system/rescue.service && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.13-ensure-core-dumps-are-restricted.sh b/scanners/system-configurations/4.13-ensure-core-dumps-are-restricted.sh index 1eefaae..32bd3aa 100644 --- a/scanners/system-configurations/4.13-ensure-core-dumps-are-restricted.sh +++ b/scanners/system-configurations/4.13-ensure-core-dumps-are-restricted.sh @@ -2,7 +2,7 @@ result=false grep -Pq "^\s*\*\s+hard\s+core\s+0\s*(\s+#.*)?$" /etc/security/limits.conf && grep -Pq "^\s*fs\.suid_dumpable\s*=\s*0\s*(\s+#.*)?$" /etc/sysctl.conf /etc/sysctl.d/* && sysctl fs.suid_dumpable|grep -Pq "fs\.suid\_dumpable\s+=\s+0" && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh b/scanners/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh index 0863d34..4feb08e 100644 --- a/scanners/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh +++ b/scanners/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh 
@@ -1,9 +1,9 @@ result=false -sysctl kernel.randomize_va_space|grep -Psq "^kernel\.randomize\_va\_space\s+=\s+2$" && grep -Psq "^kernel\.randomize_va_space\s*=\s*2" /run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf && result=true +sysctl kernel.randomize_va_space|grep -Psq "^kernel\.randomize\_va\_space\s+=\s+2$" && [[ -z $(grep -Phs "^kernel\.randomize_va_space\s*=\s*" /run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf | grep -Psv "^kernel\.randomize_va_space\s*=\s*2\b$") ]] && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" -fi \ No newline at end of file +fi diff --git a/scanners/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh b/scanners/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh index 627169a..da8c820 100644 --- a/scanners/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh +++ b/scanners/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh @@ -2,7 +2,7 @@ result=false grep -Eiq '^\s*LEGACY\s*(\s+#.*)?$' /etc/crypto-policies/config || result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.16-ensure-sticky-bit-is-set-on-all-world-writable-directories.sh b/scanners/system-configurations/4.16-ensure-sticky-bit-is-set-on-all-world-writable-directories.sh index e1e8c46..adfc90f 100644 --- a/scanners/system-configurations/4.16-ensure-sticky-bit-is-set-on-all-world-writable-directories.sh +++ b/scanners/system-configurations/4.16-ensure-sticky-bit-is-set-on-all-world-writable-directories.sh 
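Review bot: The new 4.14 test passes when no sysctl file sets `kernel.randomize_va_space` at all, because `[[ -z $(… | grep -Psv …) ]]` is true on empty input; the removed line required a persisted `= 2` entry, so a host whose value is 2 only at runtime now reports pass even though it reverts on reboot. Add a term such as `grep -Psq "^kernel\.randomize_va_space\s*=\s*2\b" /run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf` to the chain so at least one persisted setting is still required. The `-v` filter `"^kernel\.randomize_va_space\s*=\s*2\b$"` also rejects a compliant line that carries trailing whitespace or a comment, and the `\b` before `$` is redundant; `"^kernel\.randomize_va_space\s*=\s*2\s*(#.*)?$"` would accept those.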
@@ -1,6 +1,6 @@ result=`df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null` -if [ -z "$result" ] ; then +if [[ -z "$result" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.17-ensure-permissions-on-etc-passwd-are-configured.sh b/scanners/system-configurations/4.17-ensure-permissions-on-etc-passwd-are-configured.sh index ebf9c80..07f1178 100644 --- a/scanners/system-configurations/4.17-ensure-permissions-on-etc-passwd-are-configured.sh +++ b/scanners/system-configurations/4.17-ensure-permissions-on-etc-passwd-are-configured.sh @@ -2,7 +2,7 @@ result=false stat -c "%a-%U-%G" /etc/passwd | grep -Pq '^[0-6][0-4][0-4]\-root\-root$' && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.18-ensure-permissions-on-etc-shadow-are-configured.sh b/scanners/system-configurations/4.18-ensure-permissions-on-etc-shadow-are-configured.sh index 051fee1..10a26c3 100644 --- a/scanners/system-configurations/4.18-ensure-permissions-on-etc-shadow-are-configured.sh +++ b/scanners/system-configurations/4.18-ensure-permissions-on-etc-shadow-are-configured.sh @@ -2,7 +2,7 @@ result=false stat -c "%a-%U-%G" /etc/shadow | grep -Pq '^[0]\-root\-root$' && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.19-ensure-permissions-on-etc-group-are-configured.sh b/scanners/system-configurations/4.19-ensure-permissions-on-etc-group-are-configured.sh index f826879..4dae525 100644 --- a/scanners/system-configurations/4.19-ensure-permissions-on-etc-group-are-configured.sh +++ b/scanners/system-configurations/4.19-ensure-permissions-on-etc-group-are-configured.sh 
@@ -2,7 +2,7 @@ result=false stat -c "%a-%U-%G" /etc/group | grep -Pq '^[0-6][0-4][0-4]\-root\-root$' && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.2-ensure-local-login-warning-banner-is-configured-properly.sh b/scanners/system-configurations/4.2-ensure-local-login-warning-banner-is-configured-properly.sh index deb8015..bc3ee42 100644 --- a/scanners/system-configurations/4.2-ensure-local-login-warning-banner-is-configured-properly.sh +++ b/scanners/system-configurations/4.2-ensure-local-login-warning-banner-is-configured-properly.sh @@ -2,7 +2,7 @@ result=false grep -Eiq "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/issue || result=true -if [ "$result" = true ]; then +if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.20-ensure-permissions-on-etc-gshadow-are-configured.sh b/scanners/system-configurations/4.20-ensure-permissions-on-etc-gshadow-are-configured.sh index 05dcadb..cec1409 100644 --- a/scanners/system-configurations/4.20-ensure-permissions-on-etc-gshadow-are-configured.sh +++ b/scanners/system-configurations/4.20-ensure-permissions-on-etc-gshadow-are-configured.sh @@ -2,7 +2,7 @@ result=false stat -c "%a-%U-%G" /etc/gshadow | grep -Pq '^[0]\-root\-root$' && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.21-ensure-permissions-on-etc-passwd--are-configured.sh b/scanners/system-configurations/4.21-ensure-permissions-on-etc-passwd--are-configured.sh index 8a33498..21944a0 100644 --- a/scanners/system-configurations/4.21-ensure-permissions-on-etc-passwd--are-configured.sh +++ b/scanners/system-configurations/4.21-ensure-permissions-on-etc-passwd--are-configured.sh 
@@ -2,7 +2,7 @@ result=false stat -c "%a-%U-%G" /etc/passwd- | grep -Pq '^[0-6][0-4][0-4]\-root\-root$' && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.22-ensure-permissions-on-etc-shadow--are-configured.sh b/scanners/system-configurations/4.22-ensure-permissions-on-etc-shadow--are-configured.sh index b6ffb57..57c3562 100644 --- a/scanners/system-configurations/4.22-ensure-permissions-on-etc-shadow--are-configured.sh +++ b/scanners/system-configurations/4.22-ensure-permissions-on-etc-shadow--are-configured.sh @@ -2,7 +2,7 @@ result=false stat -c "%a-%U-%G" /etc/shadow- | grep -Pq '^[0]\-root\-root$' && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.23-ensure-permissions-on-etc-group--are-configured.sh b/scanners/system-configurations/4.23-ensure-permissions-on-etc-group--are-configured.sh index 283c771..ce4a660 100644 --- a/scanners/system-configurations/4.23-ensure-permissions-on-etc-group--are-configured.sh +++ b/scanners/system-configurations/4.23-ensure-permissions-on-etc-group--are-configured.sh @@ -2,7 +2,7 @@ result=false stat -c "%a-%U-%G" /etc/group- | grep -Pq '^[0-6][0-4][0-4]\-root\-root$' && result=true -if [ "$result" = true ] ; then +if [[ "$result" == "true" ]] ; then echo "pass" else echo "fail" diff --git a/scanners/system-configurations/4.24-ensure-permissions-on-etc-gshadow--are-configured.sh b/scanners/system-configurations/4.24-ensure-permissions-on-etc-gshadow--are-configured.sh index eced746..6935dc9 100644 --- a/scanners/system-configurations/4.24-ensure-permissions-on-etc-gshadow--are-configured.sh +++ b/scanners/system-configurations/4.24-ensure-permissions-on-etc-gshadow--are-configured.sh 
@@ -2,7 +2,7 @@ result=false
 stat -c "%a-%U-%G" /etc/gshadow- | grep -Pq '^[0]\-root\-root$' && result=true
-if [ "$result" = true ] ; then
+if [[ "$result" == "true" ]] ; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.25-ensure-no-world-writable-files-exist.sh b/scanners/system-configurations/4.25-ensure-no-world-writable-files-exist.sh
index ae26bfc..2767e90 100644
--- a/scanners/system-configurations/4.25-ensure-no-world-writable-files-exist.sh
+++ b/scanners/system-configurations/4.25-ensure-no-world-writable-files-exist.sh
@@ -1,6 +1,6 @@
 result=`df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002`
-if [ -z "$result" ] ; then
+if [[ -z "$result" ]] ; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.26-ensure-no-unowned-files-or-directories-exist.sh b/scanners/system-configurations/4.26-ensure-no-unowned-files-or-directories-exist.sh
index a556bac..b30007f 100644
--- a/scanners/system-configurations/4.26-ensure-no-unowned-files-or-directories-exist.sh
+++ b/scanners/system-configurations/4.26-ensure-no-unowned-files-or-directories-exist.sh
@@ -1,6 +1,6 @@
 result=`df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser`
-if [ -z "$result" ] ; then
+if [[ -z "$result" ]] ; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.27-ensure-no-ungrouped-files-or-directories-exist.sh b/scanners/system-configurations/4.27-ensure-no-ungrouped-files-or-directories-exist.sh
index b171052..3367243 100644
--- a/scanners/system-configurations/4.27-ensure-no-ungrouped-files-or-directories-exist.sh
+++ b/scanners/system-configurations/4.27-ensure-no-ungrouped-files-or-directories-exist.sh
@@ -1,6 +1,6 @@
 result=`df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup`
-if [ -z "$result" ] ; then
+if [[ -z "$result" ]] ; then
 echo "pass"
 else
 echo "fail"
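Review bot: Every hunk in this commit swaps `[` for the bash-only `[[`, yet the scripts carry no interpreter line — the `@@ -1,6` hunks for 4.25/4.26/4.27 show `result=...` as line 1. If the harness ever runs them as `sh` on a host whose /bin/sh is dash or busybox, `[[` is "not found", the `if` falls through to its else branch and a compliant host is reported as "fail". Add `#!/usr/bin/env bash` as line 1 of each script, or document in the runner that they are always invoked through bash; the runner is not visible from this diff. While touching these lines, the `` `...` `` substitutions could become `$(...)`, matching 4.31–4.37.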
diff --git a/scanners/system-configurations/4.28-ensure-no-password-fields-are-not-empty.sh b/scanners/system-configurations/4.28-ensure-no-password-fields-are-not-empty.sh
index db65d58..19b6df5 100644
--- a/scanners/system-configurations/4.28-ensure-no-password-fields-are-not-empty.sh
+++ b/scanners/system-configurations/4.28-ensure-no-password-fields-are-not-empty.sh
@@ -1,6 +1,6 @@
 result=`awk -F: '($2 == "" ) { print $1 " does not have a password "}' /etc/shadow`
-if [ -z "$result" ] ; then
+if [[ -z "$result" ]] ; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.29-ensure-root-path-integrity.sh b/scanners/system-configurations/4.29-ensure-root-path-integrity.sh
index bf985ff..40ff5e5 100644
--- a/scanners/system-configurations/4.29-ensure-root-path-integrity.sh
+++ b/scanners/system-configurations/4.29-ensure-root-path-integrity.sh
@@ -13,7 +13,7 @@ for x in $(echo "$RPCV" | tr ":" " "); do
 fi
 done`
-if [ -z "$result" ] ; then
+if [[ -z "$result" ]] ; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.3-ensure-remote-login-warning-banner-is-configured-properly.sh b/scanners/system-configurations/4.3-ensure-remote-login-warning-banner-is-configured-properly.sh
index f45ba45..12f6802 100644
--- a/scanners/system-configurations/4.3-ensure-remote-login-warning-banner-is-configured-properly.sh
+++ b/scanners/system-configurations/4.3-ensure-remote-login-warning-banner-is-configured-properly.sh
@@ -2,7 +2,7 @@ result=false
 grep -Eiq "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/issue.net || result=true
-if [ "$result" = true ]; then
+if [[ "$result" == "true" ]]; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.30-ensure-root-is-the-only-uid-0-account.sh b/scanners/system-configurations/4.30-ensure-root-is-the-only-uid-0-account.sh
index 741be6a..5164024 100644
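Review bot: In 4.28 an unreadable /etc/shadow is reported as "pass": awk's open error goes to stderr, `result` stays empty and the new `[[ -z "$result" ]]` takes the pass branch, so a scanner run without root privileges silently passes the empty-password check. Capture the error into the result so the check fails closed, `result=$(awk -F: '($2 == "" ) { print $1 " does not have a password "}' /etc/shadow 2>&1)`, or test `[[ -r /etc/shadow ]]` up front. Whether the runner guarantees root is not visible from this diff. The 4.29 script on this line is larger and its loop body starts above the hunk.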
--- a/scanners/system-configurations/4.30-ensure-root-is-the-only-uid-0-account.sh
+++ b/scanners/system-configurations/4.30-ensure-root-is-the-only-uid-0-account.sh
@@ -1,6 +1,6 @@
 result=`awk -F: '($3 == 0) { print $1 }' /etc/passwd`
-if [ "$result" == "root" ] ; then
+if [[ "$result" == "root" ]] ; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.31-ensure-users-home-directories-permissions-are-750-or-more-restrictive.sh b/scanners/system-configurations/4.31-ensure-users-home-directories-permissions-are-750-or-more-restrictive.sh
index 882905f..3287317 100644
--- a/scanners/system-configurations/4.31-ensure-users-home-directories-permissions-are-750-or-more-restrictive.sh
+++ b/scanners/system-configurations/4.31-ensure-users-home-directories-permissions-are-750-or-more-restrictive.sh
@@ -5,17 +5,17 @@ dir=""
 for i in $(awk -F: '($1!~/(halt|sync|shutdown)/ && $7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/) {print $1":"$6}' /etc/passwd); do
 user=$(echo "$i" | cut -d: -f1)
 dir=$(echo "$i" | cut -d: -f2)
- if [ ! -d "$dir" ]; then
- [ -z "$result" ] && result="false"
+ if [[ ! -d "$dir" ]]; then
+ [[ -z "$result" ]] && result="false"
 else
 dirperm=$(stat -L -c "%A" "$dir")
- if [ "$(echo "$dirperm" | cut -c6)" != "-" ] || [ "$(echo "$dirperm" | cut -c8)" != "-" ] || [ "$(echo "$dirperm" | cut -c9)" != "-" ] || [ "$(echo "$dirperm" | cut -c10)" != "-" ]; then
- [ -z "$result" ] && result="false"
+ if [[ "$(echo "$dirperm" | cut -c6)" != "-" ]] || [[ "$(echo "$dirperm" | cut -c8)" != "-" ]] || [[ "$(echo "$dirperm" | cut -c9)" != "-" ]] || [[ "$(echo "$dirperm" | cut -c10)" != "-" ]]; then
+ [[ -z "$result" ]] && result="false"
 fi
 fi
 done
-if [ -z "$result" ] ; then
+if [[ -z "$result" ]] ; then
 echo "pass"
 else
 echo "fail"
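Review bot: In 4.31 the converted `if [[ ... ]] || [[ ... ]]` line still spawns four `echo | cut` pipelines per user just to inspect single characters of `$dirperm`; now that it is `[[`, one pattern comparison does the same job: `if [[ "$dirperm" != ?????-?---* ]]; then` (character 6 is group-write and 8–10 are other rwx, exactly the positions the four `cut -c` tests read). `user=$(echo "$i" | cut -d: -f1)` is assigned and never read in this script and could be dropped.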
diff --git a/scanners/system-configurations/4.32-ensure-users-own-their-home-directories.sh b/scanners/system-configurations/4.32-ensure-users-own-their-home-directories.sh
index e6480c4..222816e 100644
--- a/scanners/system-configurations/4.32-ensure-users-own-their-home-directories.sh
+++ b/scanners/system-configurations/4.32-ensure-users-own-their-home-directories.sh
@@ -5,17 +5,17 @@ dir=""
 for i in $( awk -F: '($1!~/(halt|sync|shutdown|nfsnobody)/ && $7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/) {print $1":"$6}' /etc/passwd); do
 user=$(echo "$i" | cut -d: -f1)
 dir=$(echo "$i" | cut -d: -f2)
- if [ ! -d "$dir" ]; then
- [ -z "$result" ] && result="false"
+ if [[ ! -d "$dir" ]]; then
+ [[ -z "$result" ]] && result="false"
 else
 owner="$(stat -L -c "%U" "$dir")"
- if [ "$owner" != "$user" ] && [ "$owner" != "root" ]; then
- [ -z "$result" ] && result="false"
+ if [[ "$owner" != "$user" ]] && [[ "$owner" != "root" ]]; then
+ [[ -z "$result" ]] && result="false"
 fi
 fi
 done
-if [ -z "$result" ] ; then
+if [[ -z "$result" ]] ; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.33-ensure-users-dot-files-are-not-group-or-world-writable.sh b/scanners/system-configurations/4.33-ensure-users-dot-files-are-not-group-or-world-writable.sh
index 7b41522..14fefaa 100644
--- a/scanners/system-configurations/4.33-ensure-users-dot-files-are-not-group-or-world-writable.sh
+++ b/scanners/system-configurations/4.33-ensure-users-dot-files-are-not-group-or-world-writable.sh
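Review bot: The new condition in 4.32, `if [[ "$owner" != "$user" ]] && [[ "$owner" != "root" ]]`, accepts a home directory owned by root for any user, so a home that was created by root and never chowned passes even though the check is titled "users own their home directories" and the CIS audit for this item flags any owner other than the user. If the root exception is deliberate (for example system accounts that keep a login shell) it deserves a comment saying so; otherwise drop the second test: `if [[ "$owner" != "$user" ]]; then`.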
@@ -5,21 +5,21 @@ dir=""
 for i in $(awk -F: '($1!~/(halt|sync|shutdown)/ && $7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/) {print $1":"$6}' /etc/passwd); do
 user=$(echo "$i" | cut -d: -f1)
 dir=$(echo "$i" | cut -d: -f2)
- if [ ! -d "$dir" ]; then
- [ -z "$result" ] && result="false"
+ if [[ ! -d "$dir" ]]; then
+ [[ -z "$result" ]] && result="false"
 else
 for file in "$dir"/.*; do
- if [ ! -h "$file" ] && [ -f "$file" ]; then
+ if [[ ! -h "$file" ]] && [[ -f "$file" ]]; then
 fileperm=$(stat -L -c "%A" "$file")
- if [ "$(echo "$fileperm" | cut -c6)" != "-" ] || [ "$(echo "$fileperm" | cut -c9)" != "-" ]; then
- [ -z "$result" ] && result="false"
+ if [[ "$(echo "$fileperm" | cut -c6)" != "-" ]] || [[ "$(echo "$fileperm" | cut -c9)" != "-" ]]; then
+ [[ -z "$result" ]] && result="false"
 fi
 fi
 done
 fi
 done
-if [ -z "$result" ] ; then
+if [[ -z "$result" ]] ; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.34-ensure-no-users-have-.forward-files.sh b/scanners/system-configurations/4.34-ensure-no-users-have-.forward-files.sh
index 4e5bf8b..1bb8ff6 100644
--- a/scanners/system-configurations/4.34-ensure-no-users-have-.forward-files.sh
+++ b/scanners/system-configurations/4.34-ensure-no-users-have-.forward-files.sh
@@ -5,17 +5,17 @@ dir=""
 for i in $(awk -F: '($1!~/(halt|sync|shutdown)/ && $7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/) {print $1":"$6}' /etc/passwd); do
 user=$(echo "$i" | cut -d: -f1)
 dir=$(echo "$i" | cut -d: -f2)
- if [ ! -d "$dir" ]; then
- [ -z "$result" ] && result="false"
+ if [[ ! -d "$dir" ]]; then
+ [[ -z "$result" ]] && result="false"
 else
 file="$dir/.forward"
- if [ ! -h "$file" ] && [ -f "$file" ]; then
- [ -z "$result" ] && result="false"
+ if [[ ! -h "$file" ]] && [[ -f "$file" ]]; then
+ [[ -z "$result" ]] && result="false"
 fi
 fi
 done
-if [ -z "$result" ] ; then
+if [[ -z "$result" ]] ; then
 echo "pass"
 else
 echo "fail"
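Review bot: In 4.33 and 4.34 `user=$(echo "$i" | cut -d: -f1)` is assigned but never read (only 4.32 uses it), costing two forks per account for nothing; drop the line, or split once with `IFS=: read -r user dir <<<"$i"`. Note also that `[[ ! -h "$file" ]] && [[ -f "$file" ]]` deliberately skips a `.forward` that is a symlink — that mirrors the CIS audit, but an MTA may still honour such a file, so a one-line comment stating the choice would help the next reader.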
diff --git a/scanners/system-configurations/4.35-ensure-no-users-have-.netrc-files.sh b/scanners/system-configurations/4.35-ensure-no-users-have-.netrc-files.sh
index e8d10db..3758ea5 100644
--- a/scanners/system-configurations/4.35-ensure-no-users-have-.netrc-files.sh
+++ b/scanners/system-configurations/4.35-ensure-no-users-have-.netrc-files.sh
@@ -5,17 +5,17 @@ dir=""
 for i in $(awk -F: '($1!~/(halt|sync|shutdown)/ && $7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/) {print $1":"$6}' /etc/passwd); do
 user=$(echo "$i" | cut -d: -f1)
 dir=$(echo "$i" | cut -d: -f2)
- if [ ! -d "$dir" ]; then
- [ -z "$result" ] && result="false"
+ if [[ ! -d "$dir" ]]; then
+ [[ -z "$result" ]] && result="false"
 else
 file="$dir/.netrc"
- if [ ! -h "$file" ] && [ -f "$file" ]; then
- [ -z "$result" ] && result="false"
+ if [[ ! -h "$file" ]] && [[ -f "$file" ]]; then
+ [[ -z "$result" ]] && result="false"
 fi
 fi
 done
-if [ -z "$result" ] ; then
+if [[ -z "$result" ]] ; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.36-ensure-users-.netrc-files-are-not-group-or-world-accessible.sh b/scanners/system-configurations/4.36-ensure-users-.netrc-files-are-not-group-or-world-accessible.sh
index a71fc34..cd38763 100644
--- a/scanners/system-configurations/4.36-ensure-users-.netrc-files-are-not-group-or-world-accessible.sh
+++ b/scanners/system-configurations/4.36-ensure-users-.netrc-files-are-not-group-or-world-accessible.sh
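Review bot: The loop header in 4.35, `for i in $(awk ... /etc/passwd); do`, word-splits the awk output on whitespace, so a home path containing a space is broken into two items, `dir` points at a truncated path and the account is reported as failing through `! -d "$dir"` while its real directory is never inspected; the same header is used by 4.31–4.37 and 4.43. Read the fields directly instead: `while IFS=: read -r user dir; do` … `done < <(awk -F: '...' /etc/passwd)`, which also removes the two `cut` forks per user.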
@@ -5,19 +5,19 @@ dir=""
 for i in $(awk -F: '($1!~/(halt|sync|shutdown)/ && $7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/) {print $1":"$6}' /etc/passwd); do
 user=$(echo "$i" | cut -d: -f1)
 dir=$(echo "$i" | cut -d: -f2)
- if [ ! -d "$dir" ]; then
- [ -z "$result" ] && result="false"
+ if [[ ! -d "$dir" ]]; then
+ [[ -z "$result" ]] && result="false"
 else
 file="$dir/.netrc"
- if [ ! -h "$file" ] && [ -f "$file" ]; then
+ if [[ ! -h "$file" ]] && [[ -f "$file" ]]; then
 if stat -L -c "%A" "$file" | cut -c4-10 | grep -Eq '[^-]+'; then
- [ -z "$result" ] && result="false"
+ [[ -z "$result" ]] && result="false"
 fi
 fi
 fi
 done
-if [ -z "$result" ] ; then
+if [[ -z "$result" ]] ; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.37-ensure-no-users-have-.rhosts-files.sh b/scanners/system-configurations/4.37-ensure-no-users-have-.rhosts-files.sh
index aa3f13c..a7ea782 100644
--- a/scanners/system-configurations/4.37-ensure-no-users-have-.rhosts-files.sh
+++ b/scanners/system-configurations/4.37-ensure-no-users-have-.rhosts-files.sh
@@ -5,17 +5,17 @@ dir=""
 for i in $(awk -F: '($1!~/(halt|sync|shutdown)/ && $7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/) {print $1":"$6}' /etc/passwd); do
 user=$(echo "$i" | cut -d: -f1)
 dir=$(echo "$i" | cut -d: -f2)
- if [ ! -d "$dir" ]; then
- [ -z "$result" ] && result="false"
+ if [[ ! -d "$dir" ]]; then
+ [[ -z "$result" ]] && result="false"
 else
 file="$dir/.rhosts"
- if [ ! -h "$file" ] && [ -f "$file" ]; then
- [ -z "$result" ] && result="false"
+ if [[ ! -h "$file" ]] && [ -f "$file" ]; then
+ [[ -z "$result" ]] && result="false"
 fi
 fi
 done
-if [ -z "$result" ] ; then
+if [[ -z "$result" ]] ; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.38-ensure-all-groups-in-etc-passwd-exist-in-etc-group.sh b/scanners/system-configurations/4.38-ensure-all-groups-in-etc-passwd-exist-in-etc-group.sh
index 24d954c..d59409d 100644
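Review bot: In 4.37 the converted line is only half converted — `if [[ ! -h "$file" ]] && [ -f "$file" ]; then` mixes the new `[[` with a leftover `[`, unlike the identical line in 4.34, 4.35 and 4.36. It behaves the same, but for consistency with the rest of the commit make it `if [[ ! -h "$file" ]] && [[ -f "$file" ]]; then`.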
--- a/scanners/system-configurations/4.38-ensure-all-groups-in-etc-passwd-exist-in-etc-group.sh
+++ b/scanners/system-configurations/4.38-ensure-all-groups-in-etc-passwd-exist-in-etc-group.sh
@@ -2,12 +2,12 @@ result=""
 for i in $(cut -s -d: -f4 /etc/passwd | sort -u ); do
 grep -q -P "^.*?:[^:]*:$i:" /etc/group
- if [ $? -ne 0 ]; then
- [ -z "$result" ] && result="false"
+ if [[ $? -ne 0 ]]; then
+ [[ -z "$result" ]] && result="false"
 fi
 done
-if [ -z "$result" ] ; then
+if [[ -z "$result" ]] ; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.39-ensure-no-duplicate-uids-exist.sh b/scanners/system-configurations/4.39-ensure-no-duplicate-uids-exist.sh
index e636d79..f73ae43 100644
--- a/scanners/system-configurations/4.39-ensure-no-duplicate-uids-exist.sh
+++ b/scanners/system-configurations/4.39-ensure-no-duplicate-uids-exist.sh
@@ -1,12 +1,12 @@
 result=""
 for i in $(cut -f3 -d":" /etc/passwd | sort -n | uniq -d); do
-if [ -n "$i" ]; then
+if [[ -n "$i" ]]; then
 result="false"
 fi
 done
-if [ -z "$result" ] ; then
+if [[ -z "$result" ]] ; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh b/scanners/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh
index dd58a16..a227acd 100644
--- a/scanners/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh
+++ b/scanners/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh
@@ -8,7 +8,7 @@ elif [[ -h /etc/motd ]] && [[ -f /var/lib/update-motd/motd ]] ; then
 stat -c "%a-%U-%G" /var/lib/update-motd/motd | grep -Pq '^[0-6][0-4][0-4]\-root\-root$' && stat -c "%U-%G" /etc/motd | grep -Pq '^root\-root$' && result=true
 fi
-if [ "$result" = true ] ; then
+if [[ "$result" == "true" ]] ; then
 echo "pass"
 else
 echo "fail"
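Review bot: In 4.38 the grep result is carried through `$?` into a separate `if [[ $? -ne 0 ]]`, which breaks as soon as anything is inserted between the two lines; test the command directly: `if ! grep -q -P "^[^:]*:[^:]*:$i:" /etc/group; then`. `$i` comes from `cut -f4` of /etc/passwd so it is numeric and safe inside the pattern, but anchoring the first field as `[^:]*` rather than the lazy `^.*?:` states the intent. In the 4.4 hunk on this line the `if` branch above `elif` is outside this view.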
diff --git a/scanners/system-configurations/4.40-ensure-no-duplicate-gids-exist.sh b/scanners/system-configurations/4.40-ensure-no-duplicate-gids-exist.sh
index 3c57362..2418ea0 100644
--- a/scanners/system-configurations/4.40-ensure-no-duplicate-gids-exist.sh
+++ b/scanners/system-configurations/4.40-ensure-no-duplicate-gids-exist.sh
@@ -1,12 +1,12 @@
 result=""
 for i in $(cut -d: -f3 /etc/group | sort | uniq -d); do
-if [ -n "$i" ]; then
+if [[ -n "$i" ]]; then
 result="false"
 fi
 done
-if [ -z "$result" ] ; then
+if [[ -z "$result" ]] ; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.41-ensure-no-duplicate-user-names-exist.sh b/scanners/system-configurations/4.41-ensure-no-duplicate-user-names-exist.sh
index ffe873c..8406358 100644
--- a/scanners/system-configurations/4.41-ensure-no-duplicate-user-names-exist.sh
+++ b/scanners/system-configurations/4.41-ensure-no-duplicate-user-names-exist.sh
@@ -1,12 +1,12 @@
 result=""
 for i in $(cut -d: -f1 /etc/passwd | sort | uniq -d); do
-if [ -n "$i" ]; then
+if [[ -n "$i" ]]; then
 result="false"
 fi
 done
-if [ -z "$result" ] ; then
+if [[ -z "$result" ]] ; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.42-ensure-no-duplicate-group-names-exist.sh b/scanners/system-configurations/4.42-ensure-no-duplicate-group-names-exist.sh
index 847a69e..f1e063a 100644
--- a/scanners/system-configurations/4.42-ensure-no-duplicate-group-names-exist.sh
+++ b/scanners/system-configurations/4.42-ensure-no-duplicate-group-names-exist.sh
@@ -1,12 +1,12 @@
 result=""
 for i in $(cut -d: -f1 /etc/group | sort | uniq -d); do
-if [ -n "$i" ]; then
+if [[ -n "$i" ]]; then
 result="false"
 fi
 done
-if [ -z "$result" ] ; then
+if [[ -z "$result" ]] ; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.43-ensure-all-users-home-directories-exist.sh b/scanners/system-configurations/4.43-ensure-all-users-home-directories-exist.sh
index e34dc1f..e42dd49 100644
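Review bot: In 4.40–4.42 `if [[ -n "$i" ]]` can never be false — a `for` over unquoted `$(...)` output never produces an empty word — so the loop body is unconditional and the whole loop is a roundabout way of asking whether `uniq -d` printed anything. The clearer equivalent is `result=$(cut -d: -f3 /etc/group | sort | uniq -d)` followed by the existing `[[ -z "$result" ]]` test, and likewise for the user-name and group-name scripts.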
--- a/scanners/system-configurations/4.43-ensure-all-users-home-directories-exist.sh
+++ b/scanners/system-configurations/4.43-ensure-all-users-home-directories-exist.sh
@@ -5,12 +5,12 @@ dir=""
 for i in $( awk -F: '($1!~/(halt|sync|shutdown|nfsnobody)/ && $7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/) {print $1":"$6}' /etc/passwd); do
 user=$(echo "$i" | cut -d: -f1)
 dir=$(echo "$i" | cut -d: -f2)
- if [ ! -d "$dir" ]; then
- [ -z "$result" ] && result="false"
+ if [[ ! -d "$dir" ]]; then
+ [[ -z "$result" ]] && result="false"
 fi
 done
-if [ -z "$result" ] ; then
+if [[ -z "$result" ]] ; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.44-ensure-sctp-is-disabled.sh b/scanners/system-configurations/4.44-ensure-sctp-is-disabled.sh
index c8a4e6b..f9cd7d6 100644
--- a/scanners/system-configurations/4.44-ensure-sctp-is-disabled.sh
+++ b/scanners/system-configurations/4.44-ensure-sctp-is-disabled.sh
@@ -1,9 +1,9 @@
 result=false
 modprobe -n -vq sctp && result=""
-lsmod | grep -q sctp || { [ -z "$result" ] && result=true ; }
+lsmod | grep -q sctp || { [[ -z "$result" ]] && result=true ; }
-if [ "$result" = true ]; then
+if [[ "$result" == "true" ]]; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.45-ensure-dccp-is-disabled.sh b/scanners/system-configurations/4.45-ensure-dccp-is-disabled.sh
index 403c408..134d90d 100644
--- a/scanners/system-configurations/4.45-ensure-dccp-is-disabled.sh
+++ b/scanners/system-configurations/4.45-ensure-dccp-is-disabled.sh
@@ -1,9 +1,9 @@
 result=false
 modprobe -n -vq dccp && result=""
-lsmod | grep -q dccp || { [ -z "$result" ] && result=true ; }
+lsmod | grep -q dccp || { [[ -z "$result" ]] && result=true ; }
-if [ "$result" = true ]; then
+if [[ "$result" == "true" ]]; then
 echo "pass"
 else
 echo "fail"
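Review bot: In 4.44/4.45 the pass condition on the converted `lsmod` line is too weak: `modprobe -n -vq dccp` returns 0 for any loadable module, so `result` is cleared even when no `install dccp /bin/true` or blacklist entry exists, and `lsmod | grep -q dccp || { [[ -z "$result" ]] && result=true ; }` then passes a host where the module merely is not loaded yet. Conversely a kernel that ships no dccp module makes `modprobe -n` fail and the script reports "fail". `grep -q dccp` is also a substring match, so any loaded module whose name contains the string trips it. Check for the install override and the exact module name instead: `modprobe -n -v dccp 2>/dev/null | grep -Eq '^install /bin/(true|false)' && result=""` and `lsmod | grep -qw '^dccp' || { [[ -z "$result" ]] && result=true ; }`; whether an absent module should count as compliant is a policy choice worth a comment.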
diff --git a/scanners/system-configurations/4.46-ensure-wireless-interfaces-are-disabled.sh b/scanners/system-configurations/4.46-ensure-wireless-interfaces-are-disabled.sh
index 6c3d54c..aa1406b 100644
--- a/scanners/system-configurations/4.46-ensure-wireless-interfaces-are-disabled.sh
+++ b/scanners/system-configurations/4.46-ensure-wireless-interfaces-are-disabled.sh
@@ -6,7 +6,7 @@ if command -v nmcli >/dev/null 2>&1 ; then
 else
 echo "fail"
 fi
-elif [ -n "$(find /sys/class/net/*/ -type d -name wireless)" ]; then
+elif [[ -n "$(find /sys/class/net/*/ -type d -name wireless)" ]]; then
 t=0
 mname=$(for driverdir in $(find /sys/class/net/*/ -type d -name wireless | xargs -0 dirname); do basename "$(readlink -f "$driverdir"/device/driver/module)";done | sort -u)
 for dm in $mname; do
@@ -17,8 +17,8 @@ elif [ -n "$(find /sys/class/net/*/ -type d -name wireless)" ]; then
 fi
 done
-[ "$t" -eq 0 ] && echo "pass"
-[ "$t" -eq 1 ] && echo "fail"
+[[ "$t" -eq 0 ]] && echo "pass"
+[[ "$t" -eq 1 ]] && echo "fail"
 else
 echo "pass"
 fi
\ No newline at end of file
diff --git a/scanners/system-configurations/4.47-ensure-ip-forwarding-is-disabled.sh b/scanners/system-configurations/4.47-ensure-ip-forwarding-is-disabled.sh
index 9e8813c..07f1c74 100644
--- a/scanners/system-configurations/4.47-ensure-ip-forwarding-is-disabled.sh
+++ b/scanners/system-configurations/4.47-ensure-ip-forwarding-is-disabled.sh
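Review bot: On the `mname=` context line of the first 4.46 hunk, `find ... -name wireless | xargs -0 dirname` feeds newline-separated find output to `xargs -0`, which expects NUL separators; with one wireless interface it works by accident (the whole output, trailing newline included, becomes a single argument and dirname strips the last component), but with two or more the newline-joined string is handed to dirname as one path and the driver lookup silently goes wrong. Use `find /sys/class/net/*/ -type d -name wireless -print0 | xargs -0 dirname`. The enclosing `elif` block spans both hunks and the nmcli branch above the first hunk is outside this view; the converted `[[ "$t" -eq 1 ]] && echo "fail"` prints nothing if `t` ever takes a value other than 0 or 1.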
@@ -1,10 +1,10 @@
 result=false
 sysctl net.ipv4.ip_forward | grep -Psq "^net\.ipv4\.ip\_forward\s+=\s+0$" && sysctl net.ipv6.conf.all.forwarding | grep -Psq "^net\.ipv6\.conf\.all\.forwarding\s+=\s+0$" && result=""
-[ -z "$result" ] && result=`grep -E -s "^\s*net\.ipv4\.ip_forward\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf`
-[ -z "$result" ] && result=`grep -E -s "^\s*net\.ipv6\.conf\.all\.forwarding\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf`
+[[ -z "$result" ]] && result=`grep -E -s "^\s*net\.ipv4\.ip_forward\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf`
+[[ -z "$result" ]] && result=`grep -E -s "^\s*net\.ipv6\.conf\.all\.forwarding\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf`
-if [ -z "$result" ] ; then
+if [[ -z "$result" ]] ; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.48-ensure-packet-redirect-sending-is-disabled.sh b/scanners/system-configurations/4.48-ensure-packet-redirect-sending-is-disabled.sh
index a442f74..4819045 100644
--- a/scanners/system-configurations/4.48-ensure-packet-redirect-sending-is-disabled.sh
+++ b/scanners/system-configurations/4.48-ensure-packet-redirect-sending-is-disabled.sh
@@ -2,7 +2,7 @@ result=false
 sysctl net.ipv4.conf.all.send_redirects | grep -Psq "^net\.ipv4\.conf\.all\.send\_redirects\s+=\s+0$" && sysctl net.ipv4.conf.default.send_redirects | grep -Psq "^net\.ipv4\.conf\.default\.send\_redirects\s+=\s+0$" && grep -Psq "net\.ipv4\.conf\.all\.send_redirects" /etc/sysctl.conf /etc/sysctl.d/* && grep -Psq "net\.ipv4\.conf\.default\.send_redirects" /etc/sysctl.conf /etc/sysctl.d/* && result=true
-if [ "$result" = true ]; then
+if [[ "$result" == "true" ]]; then
 echo "pass"
 else
 echo "fail"
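Review bot: The persistence half of 4.48, `grep -Psq "net\.ipv4\.conf\.all\.send_redirects" /etc/sysctl.conf /etc/sysctl.d/*`, only checks that the key string appears somewhere: a commented-out example (`# net.ipv4.conf.all.send_redirects = 1`) or an explicit `= 1` both satisfy it, and the unanchored pattern also matches inside other keys. The runtime `sysctl` checks on the same line are sound, but a reboot would revert them. Match an active `= 0` line instead, `grep -Eqs '^\s*net\.ipv4\.conf\.all\.send_redirects\s*=\s*0' /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf`, which also aligns the search paths with 4.47 on this page. The same presence-only grep is used by 4.49–4.52 and 4.57.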
diff --git a/scanners/system-configurations/4.49-ensure-source-routed-packets-are-not-accepted.sh b/scanners/system-configurations/4.49-ensure-source-routed-packets-are-not-accepted.sh
index d283245..5795b4f 100644
--- a/scanners/system-configurations/4.49-ensure-source-routed-packets-are-not-accepted.sh
+++ b/scanners/system-configurations/4.49-ensure-source-routed-packets-are-not-accepted.sh
@@ -2,7 +2,7 @@ result=false
 sysctl net.ipv4.conf.all.accept_source_route | grep -Psq "^net\.ipv4\.conf\.all\.accept_source_route\s+=\s+0$" && sysctl net.ipv4.conf.default.accept_source_route | grep -Psq "^net\.ipv4\.conf\.default\.accept_source_route\s+=\s+0$" && grep -q "net\.ipv4\.conf\.all\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/* && grep -q "net\.ipv4\.conf\.default\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/* && sysctl net.ipv6.conf.all.accept_source_route | grep -Psq "^net\.ipv6\.conf\.all\.accept_source_route\s+=\s+0$" && sysctl net.ipv6.conf.default.accept_source_route | grep -Psq "^net\.ipv6\.conf\.default\.accept_source_route\s+=\s+0$" && grep -q "net\.ipv6\.conf\.all\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/* && grep -q "net\.ipv6\.conf\.default\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/* && result=true
-if [ "$result" = true ]; then
+if [[ "$result" == "true" ]]; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh b/scanners/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh
index 95edca7..3f24a2a 100644
--- a/scanners/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh
+++ b/scanners/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh
@@ -2,7 +2,7 @@ result=false
 stat -c "%a-%U-%G" /etc/issue | grep -Pq '^[0-6][0-4][0-4]\-root\-root$' && result=true
-if [ "$result" = true ] ; then
+if [[ "$result" == "true" ]] ; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.50-ensure-icmp-redirects-are-not-accepted.sh b/scanners/system-configurations/4.50-ensure-icmp-redirects-are-not-accepted.sh
index 05e7699..9853da2 100644
--- a/scanners/system-configurations/4.50-ensure-icmp-redirects-are-not-accepted.sh
+++ b/scanners/system-configurations/4.50-ensure-icmp-redirects-are-not-accepted.sh
@@ -2,7 +2,7 @@ result=false
 sysctl net.ipv4.conf.all.accept_redirects | grep -Psq "^net\.ipv4\.conf\.all\.accept_redirects\s+=\s+0$" && sysctl net.ipv4.conf.default.accept_redirects | grep -Psq "^net\.ipv4\.conf\.default\.accept_redirects\s+=\s+0$" && grep -q "net\.ipv4\.conf\.all\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/* && grep -q "net\.ipv4\.conf\.default\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/* && sysctl net.ipv6.conf.all.accept_redirects | grep -Psq "^net\.ipv6\.conf\.all\.accept_redirects\s+=\s+0$" && sysctl net.ipv6.conf.default.accept_redirects | grep -Psq "^net\.ipv6\.conf\.default\.accept_redirects\s+=\s+0$" && grep -q "net\.ipv6\.conf\.all\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/* && grep -q "net\.ipv6\.conf\.default\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/* && result=true
-if [ "$result" = true ]; then
+if [[ "$result" == "true" ]]; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.51-ensure-secure-icmp-redirects-are-not-accepted.sh b/scanners/system-configurations/4.51-ensure-secure-icmp-redirects-are-not-accepted.sh
index 3d2cc7c..29b55a6 100644
--- a/scanners/system-configurations/4.51-ensure-secure-icmp-redirects-are-not-accepted.sh
+++ b/scanners/system-configurations/4.51-ensure-secure-icmp-redirects-are-not-accepted.sh
@@ -2,7 +2,7 @@ result=false
 sysctl net.ipv4.conf.all.secure_redirects | grep -Psq "^net\.ipv4\.conf\.all\.secure_redirects\s+=\s+0$" && sysctl net.ipv4.conf.default.secure_redirects | grep -Psq "^net\.ipv4\.conf\.default\.secure_redirects\s+=\s+0$" && grep -q "net\.ipv4\.conf\.all\.secure_redirects" /etc/sysctl.conf /etc/sysctl.d/* && grep -q "net\.ipv4\.conf\.default\.secure_redirects" /etc/sysctl.conf /etc/sysctl.d/* && result=true
-if [ "$result" = true ]; then
+if [[ "$result" == "true" ]]; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.52-ensure-suspicious-packets-are-logged.sh b/scanners/system-configurations/4.52-ensure-suspicious-packets-are-logged.sh
index a9e233c..40ca3fe 100644
--- a/scanners/system-configurations/4.52-ensure-suspicious-packets-are-logged.sh
+++ b/scanners/system-configurations/4.52-ensure-suspicious-packets-are-logged.sh
@@ -2,7 +2,7 @@ result=false
 sysctl net.ipv4.conf.all.log_martians | grep -Psq "^net\.ipv4\.conf\.all\.log_martians\s+=\s+1$" && sysctl net.ipv4.conf.default.log_martians | grep -Psq "^net\.ipv4\.conf\.default\.log_martians\s+=\s+1$" && grep -q "net\.ipv4\.conf\.all\.log_martians" /etc/sysctl.conf /etc/sysctl.d/* && grep -q "net\.ipv4\.conf\.default\.log_martians" /etc/sysctl.conf /etc/sysctl.d/* && result=true
-if [ "$result" = true ]; then
+if [[ "$result" == "true" ]]; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.sh b/scanners/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.sh
index 1b00d61..fb1cace 100644
--- a/scanners/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.sh
+++ b/scanners/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.sh
@@ -1,9 +1,9 @@
 result=false
 result=`grep -E -s "^\s*net\.ipv4\.icmp_echo_ignore_broadcasts\s*=\s*0" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf`
-[ -z "$result" ] && sysctl net.ipv4.icmp_echo_ignore_broadcasts | grep -Psq "^net\.ipv4\.icmp_echo_ignore_broadcasts\s+=\s+1$" && result=true
+[[ -z "$result" ]] && sysctl net.ipv4.icmp_echo_ignore_broadcasts | grep -Psq "^net\.ipv4\.icmp_echo_ignore_broadcasts\s+=\s+1$" && result=true
-if [ "$result" = true ]; then
+if [[ "$result" == "true" ]]; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.sh b/scanners/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.sh
index d2b6bfd..63c314a 100644
--- a/scanners/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.sh
+++ b/scanners/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.sh
@@ -1,9 +1,9 @@
 result=false
 result=`grep -E -s "^\s*net\.ipv4\.icmp_ignore_bogus_error_responses\s*=\s*0" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf`
-[ -z "$result" ] && sysctl net.ipv4.icmp_ignore_bogus_error_responses | grep -Psq "^net\.ipv4\.icmp_ignore_bogus_error_responses\s+=\s+1$" && result=true
+[[ -z "$result" ]] && sysctl net.ipv4.icmp_ignore_bogus_error_responses | grep -Psq "^net\.ipv4\.icmp_ignore_bogus_error_responses\s+=\s+1$" && result=true
-if [ "$result" = true ]; then
+if [[ "$result" == "true" ]]; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.55-ensure-reverse-path-filtering-is-enabled.sh b/scanners/system-configurations/4.55-ensure-reverse-path-filtering-is-enabled.sh
index 904b893..7deb0cf 100644
--- a/scanners/system-configurations/4.55-ensure-reverse-path-filtering-is-enabled.sh
+++ b/scanners/system-configurations/4.55-ensure-reverse-path-filtering-is-enabled.sh
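Review bot: In 4.53 and 4.54 the opening `result=false` is dead — the next line unconditionally reassigns `result` from the grep — so it only suggests a fail-closed default that the code does not rely on; drop it. Also worth a one-line comment: when the grep matches, `result` holds the matched config text, and the final `[[ "$result" == "true" ]]` depends on that text never being the literal `true`, which holds today but is non-obvious.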
@@ -1,9 +1,9 @@
 result=false
 result=`grep -E -s "^\s*net\.ipv4\.conf\.all\.rp_filter\s*=\s*0" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf`
-[ -z "$result" ] && sysctl net.ipv4.conf.all.rp_filter | grep -Psq "^net\.ipv4\.conf\.all\.rp_filter\s+=\s+1$" && sysctl net.ipv4.conf.default.rp_filter | grep -Psq "^net\.ipv4\.conf\.default\.rp_filter\s+=\s+1$" && grep -E -sq "^\s*net\.ipv4\.conf\.default\.rp_filter\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf && result=true
+[[ -z "$result" ]] && sysctl net.ipv4.conf.all.rp_filter | grep -Psq "^net\.ipv4\.conf\.all\.rp_filter\s+=\s+1$" && sysctl net.ipv4.conf.default.rp_filter | grep -Psq "^net\.ipv4\.conf\.default\.rp_filter\s+=\s+1$" && grep -E -sq "^\s*net\.ipv4\.conf\.default\.rp_filter\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf && result=true
-if [ "$result" = true ]; then
+if [[ "$result" == "true" ]]; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.56-ensure-tcp-syn-cookies-is-enabled.sh b/scanners/system-configurations/4.56-ensure-tcp-syn-cookies-is-enabled.sh
index 4e53ba1..5601384 100644
--- a/scanners/system-configurations/4.56-ensure-tcp-syn-cookies-is-enabled.sh
+++ b/scanners/system-configurations/4.56-ensure-tcp-syn-cookies-is-enabled.sh
@@ -1,9 +1,9 @@
 result=false
 result=`grep -E -r "^\s*net\.ipv4\.tcp_syncookies\s*=\s*[02]" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf`
-[ -z "$result" ] && sysctl net.ipv4.tcp_syncookies | grep -Psq "^net\.ipv4\.tcp_syncookies\s+=\s+1$" && result=true
+[[ -z "$result" ]] && sysctl net.ipv4.tcp_syncookies | grep -Psq "^net\.ipv4\.tcp_syncookies\s+=\s+1$" && result=true
-if [ "$result" = true ]; then
+if [[ "$result" == "true" ]]; then
 echo "pass"
 else
 echo "fail"
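Review bot: The 4.56 file scan, `grep -E -r "^\s*net\.ipv4\.tcp_syncookies\s*=\s*[02]" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf`, differs from its siblings 4.53 to 4.55 in two ways: it lacks `-s`, so a glob that matches nothing makes grep print a "No such file" diagnostic on stderr, and it omits `/run/sysctl.d/*.conf`, so a persisted `tcp_syncookies = 0` in that directory is not seen. Aligning it with the others, `result=$(grep -E -s "^\s*net\.ipv4\.tcp_syncookies\s*=\s*[02]" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf)`, closes both gaps; `-r` adds nothing when every argument is a plain file.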
diff --git a/scanners/system-configurations/4.57-ensure-ipv6-router-advertisements-are-not-accepted.sh b/scanners/system-configurations/4.57-ensure-ipv6-router-advertisements-are-not-accepted.sh
index 7aed531..6eb6357 100644
--- a/scanners/system-configurations/4.57-ensure-ipv6-router-advertisements-are-not-accepted.sh
+++ b/scanners/system-configurations/4.57-ensure-ipv6-router-advertisements-are-not-accepted.sh
@@ -2,7 +2,7 @@
 result=false
 sysctl net.ipv6.conf.all.accept_ra | grep -Psq "^net\.ipv6\.conf\.all.accept_ra\s+=\s+0$" && sysctl net.ipv6.conf.default.accept_ra | grep -Psq "^net\.ipv6\.conf\.default\.accept_ra\s+=\s+0$" && grep -q "net\.ipv6\.conf\.all\.accept_ra" /etc/sysctl.conf /etc/sysctl.d/* && grep -q "net\.ipv6\.conf\.default\.accept_ra" /etc/sysctl.conf /etc/sysctl.d/* && result=true
-if [ "$result" = true ]; then
+if [[ "$result" == "true" ]]; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh b/scanners/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh
index 3754a3c..783c1a2 100644
--- a/scanners/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh
+++ b/scanners/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh
@@ -1,10 +1,10 @@
 result=""
 rpm -qa | grep -Psq "^iptables\-.*" && rpm -qa | grep -Psq "^iptables\-services.*" && result=true
-[ -z "$result" ] && rpm -q nftables | grep -Psq "^nftables\-.*" && result=true
-[ -z "$result" ] && rpm -q firewalld | grep -Psq "^firewalld\-.*" && result=true
+[[ -z "$result" ]] && rpm -q nftables | grep -Psq "^nftables\-.*" && result=true
+[[ -z "$result" ]] && rpm -q firewalld | grep -Psq "^firewalld\-.*" && result=true
-if [ "$result" = true ]; then
+if [[ "$result" == "true" ]]; then
 echo "pass"
 else
 echo "fail"
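Review bot: The 4.57 runtime pattern `"^net\.ipv6\.conf\.all.accept_ra\s+=\s+0$"` escapes every dot except the one before `accept_ra`; with `-P` an unescaped `.` still matches the literal dot in sysctl's output, so the check behaves, but it is inconsistent with the `default` pattern on the same line and reads like an oversight. Writing it as `all\.accept_ra` keeps the two patterns parallel.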
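Review bot: In 4.58, `rpm -qa | grep -Psq "^iptables\-.*"` matches any package whose name starts with `iptables-` (iptables-libs, for instance), not the `iptables` package itself, and the full `rpm -qa` listing is produced twice on one line; 4.63 repeats the same pattern. Querying by name, `rpm -q iptables iptables-services >/dev/null 2>&1 && result=true`, asks rpm directly and exits non-zero when either package is missing. The nftables and firewalld fallbacks below can take the same shape, `rpm -q nftables >/dev/null 2>&1`, instead of grepping the printed name for a `-` suffix.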
diff --git a/scanners/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh b/scanners/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh
index ba60bf3..088b094 100644
--- a/scanners/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh
+++ b/scanners/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh
@@ -2,7 +2,7 @@
 result=false
 [[ $(systemctl list-unit-files | grep firewalld) ]] && systemctl is-enabled firewalld | grep -Psq "^enabled$" && firewall-cmd --state -q && result=true
-if [ "$result" = true ]; then
+if [[ "$result" == "true" ]]; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh b/scanners/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh
index ee5dfd4..2b18f47 100644
--- a/scanners/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh
+++ b/scanners/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh
@@ -2,7 +2,7 @@
 result=false
 stat -c "%a-%U-%G" /etc/issue.net | grep -Pq '^[0-6][0-4][0-4]\-root\-root$' && result=true
-if [ "$result" = true ] ; then
+if [[ "$result" == "true" ]] ; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.60-ensure-iptables-is-not-enabled.sh b/scanners/system-configurations/4.60-ensure-iptables-is-not-enabled.sh
index d4e3483..df2ec04 100644
--- a/scanners/system-configurations/4.60-ensure-iptables-is-not-enabled.sh
+++ b/scanners/system-configurations/4.60-ensure-iptables-is-not-enabled.sh
@@ -5,7 +5,7 @@
 result=""
 rpm -q iptables-services | grep -Psq "^iptables\-services.*" || result=true
 [[ -z "$result" ]] && systemctl is-enabled iptables | grep -Psiq "(disabled|masked)" && result=true
-if [ "$result" = true ]; then
+if [[ "$result" == "true" ]]; then
 echo "pass"
 else
 echo "fail"
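Review bot: In 4.59, `[[ $(systemctl list-unit-files | grep firewalld) ]]` relies on the one-argument form of `[[ ]]` being a non-empty-string test on unquoted substitution output, which is easy to misread, and `grep firewalld` matches any unit whose name merely contains that word. `systemctl list-unit-files | grep -q '^firewalld\.service'` states the intent directly, and the enabled test can drop the grep too: `[[ "$(systemctl is-enabled firewalld 2>/dev/null)" == "enabled" ]]`.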
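Review bot: The mode classes in the 4.6 pattern `'^[0-6][0-4][0-4]\-root\-root$'` admit modes that are less restrictive than 644: `[0-4]` for group and other includes 1, 2 and 3, so `/etc/issue.net` at 622 (world-writable) or 611 passes, and `[0-6]` for owner lets the execute-bit digits 1, 3 and 5 through. "644 or more restrictive" is the set of digits whose bits are a subset of 6, 4, 4, which is `grep -Pq '^[0246][04][04]-root-root$'` (the hyphen needs no escaping outside a bracket). A four-digit mode from `%a` when a setuid or sticky bit is set still fails closed against the `^` anchor, which looks right for this file.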
diff --git a/scanners/system-configurations/4.61-ensure-nftables-is-not-enabled.sh b/scanners/system-configurations/4.61-ensure-nftables-is-not-enabled.sh
index f4b89a9..c100d5e 100644
--- a/scanners/system-configurations/4.61-ensure-nftables-is-not-enabled.sh
+++ b/scanners/system-configurations/4.61-ensure-nftables-is-not-enabled.sh
@@ -5,7 +5,7 @@
 result=""
 rpm -q nftables | grep -Psq "^nftables\-.*" || result=true
 [[ -z "$result" ]] && systemctl is-enabled nftables | grep -Psiq "(disabled|masked)" && result=true
-if [ "$result" = true ]; then
+if [[ "$result" == "true" ]]; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.62-ensure-nftables-service-is-enabled.sh b/scanners/system-configurations/4.62-ensure-nftables-service-is-enabled.sh
index 047efba..766737e 100644
--- a/scanners/system-configurations/4.62-ensure-nftables-service-is-enabled.sh
+++ b/scanners/system-configurations/4.62-ensure-nftables-service-is-enabled.sh
@@ -2,7 +2,7 @@
 result=false
 rpm -q nftables | grep -Psq "^nftables\-.*" && systemctl is-enabled nftables | grep -Psiq "^enabled$" && result=true
-if [ "$result" = true ]; then
+if [[ "$result" == "true" ]]; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.63-ensure-iptables-packages-are-installed.sh b/scanners/system-configurations/4.63-ensure-iptables-packages-are-installed.sh
index d9039eb..50f6952 100644
--- a/scanners/system-configurations/4.63-ensure-iptables-packages-are-installed.sh
+++ b/scanners/system-configurations/4.63-ensure-iptables-packages-are-installed.sh
@@ -2,7 +2,7 @@
 result=false
 rpm -qa | grep -Psq "^iptables\-.*" && rpm -q iptables-services | grep -Psq "^iptables\-services\-.*" && result=true
-if [ "$result" = true ]; then
+if [[ "$result" == "true" ]]; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.64-ensure-nftables-is-not-installed.sh b/scanners/system-configurations/4.64-ensure-nftables-is-not-installed.sh
index fda3fa8..7bc4cd0 100644
--- a/scanners/system-configurations/4.64-ensure-nftables-is-not-installed.sh
+++ b/scanners/system-configurations/4.64-ensure-nftables-is-not-installed.sh
@@ -3,7 +3,7 @@
 result=false
 rpm -q nftables | grep -Psiq "^package\s+nftables\s+is\s+not\s+installed$" && result=true
-if [ "$result" = true ]; then
+if [[ "$result" == "true" ]]; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh b/scanners/system-configurations/4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh
index b119582..de4d417 100644
--- a/scanners/system-configurations/4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh
+++ b/scanners/system-configurations/4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh
@@ -2,9 +2,9 @@
 export LANG="en_US.UTF-8"
 result=""
 rpm -q firewalld | grep -Psiq "^package\s+firewalld\s+is\s+not\s+installed$" && result=true
-[ -z "$result" ] && systemctl is-enabled firewalld | grep -Psiq "(disabled|masked)" && result=true
+[[ -z "$result" ]] && systemctl is-enabled firewalld | grep -Psiq "(disabled|masked)" && result=true
-if [ "$result" = true ]; then
+if [[ "$result" == "true" ]]; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.66-ensure-system-histsize-as-100-or-other.sh b/scanners/system-configurations/4.66-ensure-system-histsize-as-100-or-other.sh
index e05da35..6e64dec 100755
--- a/scanners/system-configurations/4.66-ensure-system-histsize-as-100-or-other.sh
+++ b/scanners/system-configurations/4.66-ensure-system-histsize-as-100-or-other.sh
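Review bot: The 4.64 test `rpm -q nftables | grep -Psiq "^package\s+nftables\s+is\s+not\s+installed$"` depends on the exact, locale-dependent wording of rpm's not-installed message; 4.65 exports LANG inside its hunk, whereas the two lines above this hunk are not visible here, so whether 4.64 does the same cannot be judged. rpm's exit status carries the same information without any text parsing: `! rpm -q nftables >/dev/null 2>&1 && result=true`. The firewalld line in 4.65 can use the identical form.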
@@ -1,10 +1,6 @@
 #!/bin/bash
 source /etc/profile
-HIST=`echo $HISTSIZE`
-HIST_FILE=`grep -iP "^HISTSIZE" /etc/profile`
+HIST=$(echo $HISTSIZE | awk '($1 > 100 || $1 == "" ) {print 1}')
+HIST_FILE=$(grep -P "^HISTSIZE\b\=[0-9]+\b" /etc/profile | grep -Po "\b[0-9]+\b" | awk '($1 > 100 || $1 == "" ) {print 1}')
-if [[ $HIST == "100" ]] && [[ $HIST_FILE == "HISTSIZE=100" ]];then
- echo "pass"
-else
- echo "fail"
-fi
+[[ -z $HIST && -z $HIST_FILE ]] && echo 'pass' || echo 'fail'
\ No newline at end of file
diff --git a/scanners/system-configurations/4.67-ensure-system-histfilesize-100.sh b/scanners/system-configurations/4.67-ensure-system-histfilesize-100.sh
index d8c3b93..d425e99 100755
--- a/scanners/system-configurations/4.67-ensure-system-histfilesize-100.sh
+++ b/scanners/system-configurations/4.67-ensure-system-histfilesize-100.sh
@@ -1,10 +1,6 @@
 #!/bin/bash
 source /etc/profile
-HIST=`echo $HISTFILESIZE`
-HIST_FILE=`grep -iP "^HISTFILESIZE" /etc/profile`
+HIST=$(echo $HISTFILESIZE | awk '($1 > 100 || $1 == "" ) {print 1}')
+HIST_FILE=$(grep -P "^HISTFILESIZE\b\=[0-9]+\b" /etc/profile | grep -Po "\b[0-9]+\b" | awk '($1 > 100 || $1 == "" ) {print 1}')
-if [[ $HIST == "100" ]] && [[ $HIST_FILE == "HISTFILESIZE=100" ]];then
- echo "pass"
-else
- echo "fail"
-fi
+[[ -z $HIST && -z $HIST_FILE ]] && echo 'pass' || echo 'fail'
\ No newline at end of file
diff --git a/scanners/system-configurations/4.68-ensure-permissions-TMP-is-correct.sh b/scanners/system-configurations/4.68-ensure-permissions-TMP-is-correct.sh
index 34ab3ca..7cfb93d 100644
--- a/scanners/system-configurations/4.68-ensure-permissions-TMP-is-correct.sh
+++ b/scanners/system-configurations/4.68-ensure-permissions-TMP-is-correct.sh
@@ -2,7 +2,7 @@
 ls -l / | grep tmp | grep rwt >> /dev/null
-if [ $? == 0 ];then
+if [[ $? == 0 ]];then
 echo "pass"
 else
 echo "fail"
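Review bot: On the new HIST_FILE line in 4.66, `grep -Po "\b[0-9]+\b"` extracts every number on the matching `/etc/profile` line rather than the assigned value, so a line such as `HISTSIZE=100 # since 2019` feeds 2019 to awk and the script prints fail; 4.67 has the identical pipeline for HISTFILESIZE. Extracting only the value with `\K`, `HIST_FILE=$(grep -Po '^HISTSIZE=\K[0-9]+' /etc/profile | awk '$1 > 100 {print 1}')`, keeps the comparison on the assigned number, and the `$1 == ""` clause is not needed there because `[0-9]+` never yields an empty field. The `^HISTSIZE` anchor does not see `export HISTSIZE=…` or an indented assignment, but since the script sources /etc/profile first, the `$HISTSIZE` half already reflects the effective value in those cases, so this only affects the file half. Finally, `[[ … ]] && echo 'pass' || echo 'fail'` runs the fail branch whenever the first echo fails; an `if … then … else … fi` avoids that coupling and matches the other scanners.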
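Review bot: In 4.68, `ls -l / | grep tmp | grep rwt >> /dev/null` parses ls output and matches any top-level entry whose name contains `tmp`, so an unrelated sticky directory such as `/tmpdata` would make the check pass regardless of how `/tmp` itself is set. Testing the path directly, `if [[ "$(stat -c '%a' /tmp)" == "1777" ]]; then`, checks exactly the sticky, world-writable mode that the `rwt` string stands for, and bash's `[[ -k /tmp ]]` is available if only the sticky bit matters. The `>> /dev/null` redirection and the separate `$?` test then disappear.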
diff --git a/scanners/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh b/scanners/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh
index 9f98674..14d7931 100644
--- a/scanners/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh
+++ b/scanners/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh
@@ -4,7 +4,7 @@
 result=true
 grep -Eisq '^\s*Enable\s*=\s*true' /etc/gdm/custom.conf && result=false
-if [ "$result" == true ]; then
+if [[ "$result" == "true" ]]; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.8-ensure-aide-is-installed.sh b/scanners/system-configurations/4.8-ensure-aide-is-installed.sh
index 4457216..6e0624b 100644
--- a/scanners/system-configurations/4.8-ensure-aide-is-installed.sh
+++ b/scanners/system-configurations/4.8-ensure-aide-is-installed.sh
@@ -2,7 +2,7 @@
 result=false
 rpm -q aide | grep -Piq aide-.* && result=true
-if [ "$result" = true ] ; then
+if [[ "$result" == "true" ]] ; then
 echo "pass"
 else
 echo "fail"
diff --git a/scanners/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh b/scanners/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh
index 5b5bf0a..9f6097f 100644
--- a/scanners/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh
+++ b/scanners/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh
@@ -1,8 +1,8 @@
 result=false
-if [ -e /var/spool/cron/root ]; then
+if [[ -e /var/spool/cron/root ]]; then
 grep -Piq "^([-0-9*\/,A-Za-z]+\s+){5}([^#\n\r]+\h+)?\/usr\/sbin\/aide\h+([^#\n\r]+\h+)?--(check|update)\b.*$" /var/spool/cron/root && result=true
- if [ "$result" = true ] ; then
+ if [[ "$result" == "true" ]] ; then
 echo "pass"
 else
 echo "fail"
-- Gitee
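Review bot: The 4.70 test `grep -Eisq '^\s*Enable\s*=\s*true' /etc/gdm/custom.conf` is not scoped to the `[xdmcp]` section, so an `Enable=true` under any other section of custom.conf marks the host as fail, while `-s` keeps a missing file as pass. A section-aware scan preserves both behaviours: `awk '/^\[/{s=tolower($0)} s=="[xdmcp]" && tolower($0) ~ /^[[:space:]]*enable[[:space:]]*=[[:space:]]*true/{f=1} END{exit !f}' /etc/gdm/custom.conf 2>/dev/null && result=false`, where a missing file makes awk exit non-zero and `result` stays true.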
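Review bot: In 4.8, `rpm -q aide | grep -Piq aide-.*` passes an unquoted, unanchored pattern in which `.*` adds nothing and `-i` is unnecessary for a package name. `rpm -q aide >/dev/null 2>&1 && result=true` uses rpm's exit status instead of matching the printed name, so the not-installed message can never be mistaken for a match.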
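Review bot: In 4.9 only root's crontab is routed into the aide regex by `if [[ -e /var/spool/cron/root ]]`; the outer if's else branch and `fi` lie outside this hunk, so it cannot be judged here whether `/etc/crontab`, `/etc/cron.d/*` or an aide systemd timer unit are consulted when that file is absent. If they are not, a host that schedules aide from /etc/cron.d reports fail for a configuration the control accepts. A comment above the outer if stating which locations are inspected, e.g. `# only root's crontab is checked here; see the else branch for other schedulers`, would make the scope explicit either way.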