From 5aa2fdae251d8faf13f94afa6da99cbac4d43473 Mon Sep 17 00:00:00 2001 From: YuQing Yang Date: Fri, 21 Jun 2024 13:51:33 +0800 Subject: [PATCH] Fixes execution errors and increases the robustness of the remediation-kit and scanner scripts. benchmarks: - 2.22,2.32: Modify the rule format to be consistent with auditctl. - 4.14,4.47,4.53,4.54: Modify regular expressions remediation-kits: - 2.22,2.32: Modify the rule format to be consistent with auditctl. - 4.14,4.44: Modify code logic - 4.47,4.53,4.54: Modify regular expressions scanners: - 2.22: Modify the rule format to be consistent with auditctl. - 4.14,4.44: Modify code logic - 4.47,4.53,4.54: Modify regular expressions tools/remediation-kits: - run_Anolis_remediation_kit.sh - tools/scanners/run_Anolis_scanners.sh Change the executing command to 'bash' Fixed the 2.31 script execution error by supporting the bash features it uses. Fixes: #IA77FE 
Signed-off-by: YuQing Yang --- ...stem-management-scope-sudoers-are-collected.md | 4 ++-- ...ermission-modification-events-are-collected.md | 2 +- ...pace-layout-randomization-(ASLR)-is-enabled.md | 2 +- .../4.47-ensure-ip-forwarding-is-disabled.md | 8 ++++---- ...-ensure-broadcast-icmp-requests-are-ignored.md | 4 ++-- ....54-ensure-bogus-icmp-responses-are-ignored.md | 4 ++-- ...stem-management-scope-sudoers-are-collected.sh | 2 +- ...ermission-modification-events-are-collected.sh | 2 +- ...pace-layout-randomization-(ASLR)-is-enabled.sh | 15 +++++++-------- .../4.44-ensure-sctp-is-disabled.sh | 5 +++-- .../4.47-ensure-ip-forwarding-is-disabled.sh | 4 ++-- ...-ensure-broadcast-icmp-requests-are-ignored.sh | 2 +- ....54-ensure-bogus-icmp-responses-are-ignored.sh | 2 +- ...stem-management-scope-sudoers-are-collected.sh | 2 +- ...pace-layout-randomization-(ASLR)-is-enabled.sh | 2 +- .../4.44-ensure-sctp-is-disabled.sh | 5 ++--- .../4.47-ensure-ip-forwarding-is-disabled.sh | 4 ++-- ...-ensure-broadcast-icmp-requests-are-ignored.sh | 4 ++-- ....54-ensure-bogus-icmp-responses-are-ignored.sh | 6 +++--- .../run_Anolis_remediation_kit.sh | 4 ++-- tools/scanners/run_Anolis_scanners.sh | 4 ++-- 21 files changed, 43 insertions(+), 44 deletions(-) diff --git a/benchmarks/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.md b/benchmarks/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.md index bb6bb07..c08d6d5 100644 --- a/benchmarks/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.md +++ b/benchmarks/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.md 
@@ -15,7 +15,7 @@ 运行以下命令,配置审计服务,确保收集对系统管理范围(sudoers)的更改: ```bash -# echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope" >> /etc/audit/rules.d/audit.rules +# echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d -p wa -k scope" >> /etc/audit/rules.d/audit.rules ``` 执行以下命令,加载审计规则 @@ -31,7 +31,7 @@ ```bash # grep -E "\-w\s/etc/sudoers\s\-p\swa\s\-k\sscope -\-w\s/etc/sudoers.d/\s\-p\swa\s\-k\sscope" /etc/audit/rules.d/*.rules /etc/audit/*.rules +\-w\s/etc/sudoers.d\s\-p\swa\s\-k\sscope" /etc/audit/rules.d/*.rules /etc/audit/*.rules /etc/audit/rules.d/audit.rules:-w /etc/sudoers -p wa -k scope /etc/audit/rules.d/audit.rules:-w /etc/sudoers.d/ -p wa -k scope diff --git a/benchmarks/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.md b/benchmarks/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.md index 0a17bd2..1ab7455 100644 --- a/benchmarks/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.md +++ b/benchmarks/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.md 
@@ -31,7 +31,7 @@ 1. 执行以下命令,添加审计规则: ```bash -# echo -e "-a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F key=perm_mod\n-a always,exit -F arch=b32 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F key=perm_mod" >> /etc/audit/rules.d/50-perm_mod.rules +# echo -e "-a always,exit -F arch=b64 -S chmod,lchown,fchmod,fchown,chown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod\n-a always,exit -F arch=b32 -S chmod,lchown,fchmod,fchown,chown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod" >> /etc/audit/rules.d/50-perm_mod.rules ``` 2. 执行以下命令,加载审计规则: diff --git a/benchmarks/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.md b/benchmarks/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.md index 2b236ff..2f04745 100644 --- a/benchmarks/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.md +++ b/benchmarks/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.md @@ -35,7 +35,7 @@ kernel.randomize_va_space = 2 ```bash # sysctl kernel.randomize_va_space kernel.randomize_va_space = 2 -# grep -s -- "kernel\.randomize_va_space" /run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf +# grep -s "kernel\.randomize_va_space" /run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/99-sysctl.conf:kernel.randomize_va_space = 2 /etc/sysctl.conf:kernel.randomize_va_space = 2 ``` 
diff --git a/benchmarks/system-configurations/4.47-ensure-ip-forwarding-is-disabled.md b/benchmarks/system-configurations/4.47-ensure-ip-forwarding-is-disabled.md index e3de21c..ff7d325 100644 --- a/benchmarks/system-configurations/4.47-ensure-ip-forwarding-is-disabled.md +++ b/benchmarks/system-configurations/4.47-ensure-ip-forwarding-is-disabled.md @@ -17,9 +17,9 @@ 1. 执行以下代码,禁用 IP 转发功能: ```bash -# grep -Els "^\s*net\.ipv4\.ip_forward\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | while read filename; do sed -ri "s/^\s*(net\.ipv4\.ip_forward\s*)(=)(\s*\S+\b).*$/# *REMOVED* \1/" $filename; done; sysctl -w net.ipv4.ip_forward=0; sysctl -w net.ipv4.route.flush=1 +# grep -Ps "^\s*net\.ipv4\.ip_forward\s*=.*" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | grep -Pvs "net.ipv4.ip_forward\s*=\s*0\s*$" | cut -f1 -d: | while read filename; do sed -ri "s/^\s*(net\.ipv4\.ip_forward\s*)(=)(\s*\S+\b).*$/# *REMOVED* \1/" $filename; done; sysctl -w net.ipv4.ip_forward=0; sysctl -w net.ipv4.route.flush=1 -# grep -Els "^\s*net\.ipv6\.conf\.all\.forwarding\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | while read filename; do sed -ri "s/^\s*(net\.ipv6\.conf\.all\.forwarding\s*)(=)(\s*\S+\b).*$/# *REMOVED* \1/" $filename; done; sysctl -w net.ipv6.conf.all.forwarding=0; sysctl -w net.ipv6.route.flush=1 +# grep -Ps "^\s*net\.ipv6\.conf\.all\.forwarding\s*=.*" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | grep -Pvs "net.ipv6.conf.all.forwarding\s*=\s*0\s*$" | cut -f1 -d: | while read filename; do sed -ri "s/^\s*(net\.ipv6\.conf\.all\.forwarding\s*)(=)(\s*\S+\b).*$/# *REMOVED* \1/" $filename; done; sysctl -w net.ipv6.conf.all.forwarding=0; sysctl -w net.ipv6.route.flush=1 ``` ## 扫描检测 
@@ -31,11 +31,11 @@ ```bash # sysctl net.ipv4.ip_forward net.ipv4.ip_forward = 0 -# grep -E -s "^\s*net\.ipv4\.ip_forward\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf +# grep -Ps "^\s*net\.ipv4\.ip_forward\s*=.*" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | grep -Pvs "net.ipv4.ip_forward\s*=\s*0\s*$" No value should be returned # sysctl net.ipv6.conf.all.forwarding net.ipv6.conf.all.forwarding = 0 -# grep -E -s "^\s*net\.ipv6\.conf\.all\.forwarding\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf +# grep -Ps "^\s*net\.ipv6\.conf\.all\.forwarding\s*=.*" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | grep -Pvs "net.ipv6.conf.all.forwarding\s*=\s*0\s*$" No value should be returned ``` diff --git a/benchmarks/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.md b/benchmarks/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.md index cb5839e..3438ba5 100644 --- a/benchmarks/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.md +++ b/benchmarks/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.md 
@@ -17,7 +17,7 @@ 1. 执行以下命令,修改配置文件,并设置活动内核参数。 ```bash -# grep -Els "^\s*net\.ipv4\.icmp_echo_ignore_broadcasts\s*=\s*0" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | while read filename; do sed -ri "s/^\s*(net\.ipv4\.icmp_echo_ignore_broadcasts\s*)(=)(\s*\S+\b).*$/# *REMOVED* \1/" $filename; done; sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1; sysctl -w net.ipv4.route.flush=1 +# grep -Ps "^\s*net\.ipv4\.icmp_echo_ignore_broadcasts\s*=.*" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | grep -Pvs "net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1\s*$" | cut -f1 -d: | while read filename; do sed -ri "s/^\s*(net\.ipv4\.icmp_echo_ignore_broadcasts\s*)(=)(\s*\S+\b).*$/# *REMOVED* \1/" $filename; done; sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1; sysctl -w net.ipv4.route.flush=1 ``` ## 扫描检测 @@ -29,7 +29,7 @@ ```bash # sysctl net.ipv4.icmp_echo_ignore_broadcasts net.ipv4.icmp_echo_ignore_broadcasts = 1 -# grep -E -s "^\s*net\.ipv4\.icmp_echo_ignore_broadcasts\s*=\s*0" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf +# grep -Ps "^\s*net\.ipv4\.icmp_echo_ignore_broadcasts\s*=.*" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | grep -Pvs "net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1\s*$" Nothing should be returned ``` diff --git a/benchmarks/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.md b/benchmarks/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.md index 7b0f1b3..8e59016 100644 --- a/benchmarks/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.md +++ b/benchmarks/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.md 
@@ -17,7 +17,7 @@ 1. 执行以下命令,修改配置文件,并设置活动内核参数: ```bash -# grep -Els "^\s*net\.ipv4\.icmp_ignore_bogus_error_responses\s*=\s*0" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | while read filename; do sed -ri "s/^\s*(net\.ipv4\.icmp_ignore_bogus_error_responses\s*)(=)(\s*\S+\b).*$/# *REMOVED* \1/" $filename; done; sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1; sysctl -w net.ipv4.route.flush=1 +# grep -Ps "^\s*net\.ipv4\.icmp_ignore_bogus_error_responses\s*=.*" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | grep -Pvs "net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1\s*$" | cut -f1 -d: | while read filename; do sed -ri "s/^\s*(net\.ipv4\.icmp_ignore_bogus_error_responses\s*)(=)(\s*\S+\b).*$/# *REMOVED* \1/" $filename; done; sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1; sysctl -w net.ipv4.route.flush=1 ``` ## 扫描检测 @@ -29,7 +29,7 @@ ```bash # sysctl net.ipv4.icmp_ignore_bogus_error_responses net.ipv4.icmp_ignore_bogus_error_responses = 1 -# grep -E -s "^\s*net\.ipv4\.icmp_ignore_bogus_error_responses\s*=\s*0" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf +# grep -Ps "^\s*net\.ipv4\.icmp_ignore_bogus_error_responses\s*=.*" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | grep -Pvs "net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1\s*$" Nothing should be returned ``` diff --git a/remediation-kits/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh b/remediation-kits/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh index 127bccb..4631678 100644 --- a/remediation-kits/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh +++ b/remediation-kits/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh 
@@ -1,4 +1,4 @@ grep -q "\-w /etc/sudoers -p wa -k scope --w /etc/sudoers.d/ -p wa -k scope" /etc/audit/rules.d/audit.rules || echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope" >> /etc/audit/rules.d/audit.rules +-w /etc/sudoers.d -p wa -k scope" /etc/audit/rules.d/audit.rules || echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d -p wa -k scope" >> /etc/audit/rules.d/audit.rules augenrules --load \ No newline at end of file diff --git a/remediation-kits/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh b/remediation-kits/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh index d9de6a4..7c7692b 100644 --- a/remediation-kits/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh +++ b/remediation-kits/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh @@ -1,6 +1,6 @@ for BIT in b32 b64 ; do checkRule="^(?=^\s*-a\s+always,exit)(?=.*-F\s+arch=$BIT)(?=.*chmod)(?=.*fchmod)(?=.*chown)(?=.*fchown)(?=.*lchown)(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr)(?=.*fchownat)(?=.*fchmodat)" - grep -Pq $checkRule /etc/audit/rules.d/*.rules /etc/audit/*.rules || echo "-a always,exit -F arch=$BIT -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod" >> /etc/audit/rules.d/50-perm_mod.rules + grep -Pq $checkRule /etc/audit/rules.d/*.rules /etc/audit/*.rules || echo "-a always,exit -F arch=$BIT -S chmod,lchown,fchmod,fchown,chown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod" >> /etc/audit/rules.d/50-perm_mod.rules done augenrules --load \ No newline at end of file 
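Review bot: The `grep -q` on the first two lines of the hunk passes the two watch rules as one pattern containing a newline, and grep treats each line of a pattern as a separate alternative, so a file that already has the `/etc/sudoers` watch but not the `/etc/sudoers.d` one is taken as compliant and nothing is appended. Checking each rule on its own avoids that: `grep -qF -- "-w /etc/sudoers -p wa -k scope" /etc/audit/rules.d/audit.rules || echo "-w /etc/sudoers -p wa -k scope" >> /etc/audit/rules.d/audit.rules` followed by the same line for `-w /etc/sudoers.d -p wa -k scope`. With `-F` the leading `\-` escape in the pattern is no longer needed.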
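Review bot: `grep -Pq $checkRule` on the new line expands the regex unquoted; the pattern contains `*` and is therefore subject to pathname expansion, so it should be passed as `grep -Pq -- "$checkRule"`. The lookaheads are plain substring checks, so `(?=.*chmod)` is satisfied by `fchmod` and `(?=.*chown)` by `fchown` or `lchown`, meaning a rule that omits `chmod` or `chown` is accepted and the corrected rule is never appended; word-bounded forms such as `(?=.*\bchmod\b)` make each syscall check exact. The check also does not verify the `-F auid>=1000` and `-F auid!=-1` filters that the appended rule carries, so a rule without them passes as well.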
diff --git a/remediation-kits/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh b/remediation-kits/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh index 9f5d3d6..9b78d09 100644 --- a/remediation-kits/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh +++ b/remediation-kits/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh 
@@ -1,11 +1,10 @@ -conFile=$(grep -Ps "^kernel\.randomize_va_space\s*=" /run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf | cut -f1 -d:) +configExistenceFlag="false" +[[ -n $(grep -Ps "^kernel\.randomize_va_space\s*=.*" /run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf) ]] && configExistenceFlag="true" -conNum=$(grep -Ps "^kernel\.randomize_va_space\s*=" /run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf | cut -f2 -d= | sed -r 's/\s//g') - -if [[ -z $conFile && -z $conNum ]] ; then +if [[ $configExistenceFlag == "false" ]] ; then echo "kernel.randomize_va_space = 2" >> /etc/sysctl.d/50-kernel_sysctl.conf -elif [[ -n $conFile && -n $conNum && $conNum -ne 2 ]] ; then - sed -ri 's/^kernel\.randomize_va_space.*/kernel.randomize_va_space = 2/g' $conFile + sysctl -w kernel.randomize_va_space=2 +else + grep -Ps "^kernel\.randomize_va_space\s*=.*" /run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf | grep -Pvs "kernel.randomize_va_space\s*=\s*2\s*$" | cut -f1 -d: | while read filename; do sed -ri 's/^kernel\.randomize_va_space.*/kernel.randomize_va_space = 2/g' $filename; done; + sysctl -w kernel.randomize_va_space=2 fi - -sysctl -w kernel.randomize_va_space=2 \ No newline at end of file diff --git a/remediation-kits/system-configurations/4.44-ensure-sctp-is-disabled.sh b/remediation-kits/system-configurations/4.44-ensure-sctp-is-disabled.sh index 57a7366..91ec526 100644 --- a/remediation-kits/system-configurations/4.44-ensure-sctp-is-disabled.sh +++ b/remediation-kits/system-configurations/4.44-ensure-sctp-is-disabled.sh 
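Review bot: In the new `else` branch the loop `while read filename; do sed -ri ... $filename; done` reads without `-r` and expands `$filename` unquoted, so it should read `while IFS= read -r filename; do sed -ri 's/^kernel\.randomize_va_space.*/kernel.randomize_va_space = 2/g' "$filename"; done`. The same six-path `grep -Ps` is executed once to set `configExistenceFlag` and again to find the files to rewrite, and `sysctl -w kernel.randomize_va_space=2` is now duplicated in both branches; capturing the grep output once and keeping a single `sysctl -w` after `fi`, as the removed last line had it, would be simpler. The loop also edits files under `/usr/lib/sysctl.d` and `/lib/sysctl.d` in place; those are typically package-owned and can be restored on update, so a drop-in under `/etc/sysctl.d` is the more durable place to set the value.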
@@ -1,5 +1,6 @@ -modprobe -n -vq sctp +modprobe -n -q sctp && modprobe -n -v sctp | grep -Pq "^install\s*\/bin\/true\s*$" if [[ $? -ne 0 ]]; then + lsmod | grep -Pq "^sctp\b" && rmmod sctp echo -e "\ninstall sctp /bin/true" >> /etc/modprobe.d/sctp.conf -fi \ No newline at end of file +fi diff --git a/remediation-kits/system-configurations/4.47-ensure-ip-forwarding-is-disabled.sh b/remediation-kits/system-configurations/4.47-ensure-ip-forwarding-is-disabled.sh index 1e237de..0657082 100644 --- a/remediation-kits/system-configurations/4.47-ensure-ip-forwarding-is-disabled.sh +++ b/remediation-kits/system-configurations/4.47-ensure-ip-forwarding-is-disabled.sh 
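Review bot: When the sctp module is not available, `modprobe -n -q sctp` fails, the `&&` short-circuits before the grep, `$?` is non-zero and `install sctp /bin/true` is appended to `/etc/modprobe.d/sctp.conf` on every run, together with the blank line that `echo -e "\n..."` adds. Guarding the append with the target file prevents the duplicates: `grep -Pqs "^\s*install\s+sctp\s+/bin/true\b" /etc/modprobe.d/sctp.conf || echo "install sctp /bin/true" >> /etc/modprobe.d/sctp.conf`. Note that `$?` on the `if` line is the status of the pipeline's last command (the grep), which appears to be the intent; the added `rmmod sctp` can fail when the module is in use and that failure is silently ignored, so a diagnostic on stderr in that case would help operators.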
@@ -1,2 +1,2 @@ -grep -Els "^\s*net\.ipv4\.ip_forward\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | while read filename; do sed -ri "s/^\s*(net\.ipv4\.ip_forward\s*)(=)(\s*\S+\b).*$/# *REMOVED* \1/" $filename; done; sysctl -w net.ipv4.ip_forward=0; sysctl -w net.ipv4.route.flush=1 -grep -Els "^\s*net\.ipv6\.conf\.all\.forwarding\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | while read filename; do sed -ri "s/^\s*(net\.ipv6\.conf\.all\.forwarding\s*)(=)(\s*\S+\b).*$/# *REMOVED* \1/" $filename; done; sysctl -w net.ipv6.conf.all.forwarding=0; sysctl -w net.ipv6.route.flush=1 \ No newline at end of file +grep -Ps "^\s*net\.ipv4\.ip_forward\s*=.*" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | grep -Pvs "net.ipv4.ip_forward\s*=\s*0\s*$" | cut -f1 -d: | while read filename; do sed -ri "s/^\s*(net\.ipv4\.ip_forward\s*)(=)(\s*\S+\b).*$/# *REMOVED* \1/" $filename; done; sysctl -w net.ipv4.ip_forward=0; sysctl -w net.ipv4.route.flush=1 +grep -Ps "^\s*net\.ipv6\.conf\.all\.forwarding\s*=.*" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | grep -Pvs "net.ipv6.conf.all.forwarding\s*=\s*0\s*$" | cut -f1 -d: | while read filename; do sed -ri "s/^\s*(net\.ipv6\.conf\.all\.forwarding\s*)(=)(\s*\S+\b).*$/# *REMOVED* \1/" $filename; done; sysctl -w net.ipv6.conf.all.forwarding=0; sysctl -w net.ipv6.route.flush=1 diff --git a/remediation-kits/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.sh b/remediation-kits/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.sh index a685206..11b71ba 100644 --- a/remediation-kits/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.sh +++ b/remediation-kits/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.sh 
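Review bot: The `while read filename; do sed -ri "..." $filename; done` in both new lines reads without `-r` and expands `$filename` unquoted into `sed -ri`; use `while IFS= read -r filename; do sed -ri "..." "$filename"; done`. The 4.53 and 4.54 remediation hunks below have the same loop. The filter `grep -Pvs "net.ipv4.ip_forward\s*=\s*0\s*$"` leaves the dots unescaped while the first pattern escapes them, and `-s` has no effect on a grep that reads stdin; a line such as `net.ipv4.ip_forward = 0 # comment` would also fail the `0\s*$` filter and be commented out, which is worth testing if such lines are expected.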
@@ -1 +1 @@ -grep -Els "^\s*net\.ipv4\.icmp_echo_ignore_broadcasts\s*=\s*0" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | while read filename; do sed -ri "s/^\s*(net\.ipv4\.icmp_echo_ignore_broadcasts\s*)(=)(\s*\S+\b).*$/# *REMOVED* \1/" $filename; done; sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1; sysctl -w net.ipv4.route.flush=1 \ No newline at end of file +grep -Ps "^\s*net\.ipv4\.icmp_echo_ignore_broadcasts\s*=.*" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | grep -Pvs "net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1\s*$" | cut -f1 -d: | while read filename; do sed -ri "s/^\s*(net\.ipv4\.icmp_echo_ignore_broadcasts\s*)(=)(\s*\S+\b).*$/# *REMOVED* \1/" $filename; done; sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1; sysctl -w net.ipv4.route.flush=1 diff --git a/remediation-kits/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.sh b/remediation-kits/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.sh index 6811457..30f4f62 100644 --- a/remediation-kits/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.sh +++ b/remediation-kits/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.sh 
@@ -1 +1 @@ -grep -Els "^\s*net\.ipv4\.icmp_ignore_bogus_error_responses\s*=\s*0" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | while read filename; do sed -ri "s/^\s*(net\.ipv4\.icmp_ignore_bogus_error_responses\s*)(=)(\s*\S+\b).*$/# *REMOVED* \1/" $filename; done; sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1; sysctl -w net.ipv4.route.flush=1 \ No newline at end of file +grep -Ps "^\s*net\.ipv4\.icmp_ignore_bogus_error_responses\s*=.*" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | grep -Pvs "net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1\s*$" | cut -f1 -d: | while read filename; do sed -ri "s/^\s*(net\.ipv4\.icmp_ignore_bogus_error_responses\s*)(=)(\s*\S+\b).*$/# *REMOVED* \1/" $filename; done; sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1; sysctl -w net.ipv4.route.flush=1 \ No newline at end of file diff --git a/scanners/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh b/scanners/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh index cdff2c5..78da0fb 100644 --- a/scanners/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh +++ b/scanners/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh 
@@ -1,7 +1,7 @@ result=false grep -q "\-w /etc/sudoers -p wa -k scope --w /etc/sudoers.d/ -p wa -k scope" /etc/audit/rules.d/*.rules /etc/audit/*.rules && auditctl -l | grep -Pq "^\-w\s+\/etc\/sudoers\s+\-p\s+wa\s+\-k\s+scope" && auditctl -l | grep -Pq "^\-w\s+\/etc\/sudoers.d\s+\-p\s+wa\s+\-k\s+scope" && result=true +-w /etc/sudoers.d -p wa -k scope" /etc/audit/rules.d/*.rules /etc/audit/*.rules && auditctl -l | grep -Pq "^\-w\s+\/etc\/sudoers\s+\-p\s+wa\s+\-k\s+scope" && auditctl -l | grep -Pq "^\-w\s+\/etc\/sudoers.d\s+\-p\s+wa\s+\-k\s+scope" && result=true if [[ "$result" == "true" ]]; then echo "pass" diff --git a/scanners/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh b/scanners/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh index 4feb08e..dc5b1b9 100644 --- a/scanners/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh +++ b/scanners/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh 
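Review bot: The `grep -q` on the first two new lines passes both rules as one newline-separated pattern, which grep treats as two alternatives, so the on-disk check succeeds when only one of the two watches is present in the rules files and the two `auditctl -l` checks then decide the result on the loaded rules alone. Check each rule separately with `grep -qsF -- "-w /etc/sudoers -p wa -k scope"` and `grep -qsF -- "-w /etc/sudoers.d -p wa -k scope"` against `/etc/audit/rules.d/*.rules /etc/audit/*.rules`; `-s` keeps a missing `/etc/audit/*.rules` from printing an error. In the second `auditctl -l` pattern the dot in `sudoers.d` is unescaped and should be `sudoers\.d`.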
@@ -1,6 +1,6 @@ result=false -sysctl kernel.randomize_va_space|grep -Psq "^kernel\.randomize\_va\_space\s+=\s+2$" && [[ -z $(grep -Phs "^kernel\.randomize_va_space\s*=\s*" /run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf | grep -Psv "^kernel\.randomize_va_space\s*=\s*2\b$") ]] && result=true +sysctl kernel.randomize_va_space|grep -Psq "^kernel\.randomize\_va\_space\s+=\s+2$" && [[ -z $(grep -Phs "^kernel\.randomize_va_space\s*=\s*" /run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf | grep -Psv "^kernel\.randomize_va_space\s*=\s*2\b$") ]] && [[ -n $(grep -Phs "^kernel\.randomize_va_space\s*=\s*" /run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf | grep -Ps "^kernel\.randomize_va_space\s*=\s*2\b$") ]] && result=true if [[ "$result" == "true" ]] ; then echo "pass" diff --git a/scanners/system-configurations/4.44-ensure-sctp-is-disabled.sh b/scanners/system-configurations/4.44-ensure-sctp-is-disabled.sh index f9cd7d6..691eaa2 100644 --- a/scanners/system-configurations/4.44-ensure-sctp-is-disabled.sh +++ b/scanners/system-configurations/4.44-ensure-sctp-is-disabled.sh @@ -1,10 +1,9 @@ result=false -modprobe -n -vq sctp && result="" -lsmod | grep -q sctp || { [[ -z "$result" ]] && result=true ; } +lsmod | grep -Pq "^sctp\b" || { modprobe -n -q sctp && modprobe -n -v sctp | grep -Pq "^install\s*\/bin\/true\s*$" && result=true; } if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" -fi \ No newline at end of file +fi diff --git a/scanners/system-configurations/4.47-ensure-ip-forwarding-is-disabled.sh b/scanners/system-configurations/4.47-ensure-ip-forwarding-is-disabled.sh index 07f1c74..56d7533 100644 --- a/scanners/system-configurations/4.47-ensure-ip-forwarding-is-disabled.sh 
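Review bot: The added `[[ -n $(... | grep -Ps "^kernel\.randomize_va_space\s*=\s*2\b$") ]]` requires the persistent value to be exactly `2` at end of line, so a line with trailing whitespace is rejected (and also reported by the `-v` filter as a non-2 line), while the remediation script in this commit accepts `2\s*$`; aligning both on `\s*2\s*$` keeps scanner and remediation consistent. The six-path `grep -Phs` is now executed twice on one line; capturing it once, `lines=$(grep -Phs "^kernel\.randomize_va_space\s*=\s*" ...)`, and running the `grep -Psv` and `grep -Ps` tests on `$lines` would shorten the line considerably. The `if` block at the end of the hunk continues past it.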
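Review bot: On a kernel where the sctp module is not available, `modprobe -n -q sctp` returns non-zero, the group never reaches `result=true`, and the scanner prints fail even though the module cannot be loaded; if an absent module should count as compliant, the check needs a distinct branch for that case, e.g. `modinfo -n sctp >/dev/null 2>&1 || result=true` before the new line. It may also be worth confirming that `modprobe -n -q sctp` succeeds once the `install sctp /bin/true` directive from the remediation kit is in place, since that is what the pass path relies on. The `if`/`else` that prints pass/fail ends on the hunk's last line.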
+++ b/scanners/system-configurations/4.47-ensure-ip-forwarding-is-disabled.sh @@ -1,8 +1,8 @@ result=false sysctl net.ipv4.ip_forward | grep -Psq "^net\.ipv4\.ip\_forward\s+=\s+0$" && sysctl net.ipv6.conf.all.forwarding | grep -Psq "^net\.ipv6\.conf\.all\.forwarding\s+=\s+0$" && result="" -[[ -z "$result" ]] && result=`grep -E -s "^\s*net\.ipv4\.ip_forward\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf` -[[ -z "$result" ]] && result=`grep -E -s "^\s*net\.ipv6\.conf\.all\.forwarding\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf` +[[ -z "$result" ]] && result=$(grep -Ps "^\s*net\.ipv4\.ip_forward\s*=.*" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | grep -Pvs "net.ipv4.ip_forward\s*=\s*0\s*$") +[[ -z "$result" ]] && result=$(grep -Ps "^\s*net\.ipv6\.conf\.all\.forwarding\s*=.*" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | grep -Pvs "net.ipv6.conf.all.forwarding\s*=\s*0\s*$") if [[ -z "$result" ]] ; then echo "pass" diff --git a/scanners/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.sh b/scanners/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.sh index fb1cace..7986661 100644 --- a/scanners/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.sh +++ b/scanners/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.sh 
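Review bot: The filter `grep -Pvs "net.ipv4.ip_forward\s*=\s*0\s*$"` on the two new lines leaves the dots unescaped while the producing grep escapes them, and `-s` has no effect on a grep that reads stdin; `grep -Pv "net\.ipv4\.ip_forward\s*=\s*0\s*$"` (and the ipv6 equivalent) would be consistent. Because the filter anchors on `0\s*$`, a line such as `net.ipv4.ip_forward = 0 # comment` is reported as non-compliant; if trailing comments are expected in sysctl files the filter needs to allow them. The `if` that reads `result` at the end of the hunk continues outside it.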
@@ -1,7 +1,7 @@ result=false -result=`grep -E -s "^\s*net\.ipv4\.icmp_echo_ignore_broadcasts\s*=\s*0" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf` -[[ -z "$result" ]] && sysctl net.ipv4.icmp_echo_ignore_broadcasts | grep -Psq "^net\.ipv4\.icmp_echo_ignore_broadcasts\s+=\s+1$" && result=true +result=$(grep -E -s "^\s*net\.ipv4\.icmp_echo_ignore_broadcasts\s*=\s*[^1]+" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf) +[[ -z "$result" ]] && grep -Ps "^\s*net\.ipv4\.icmp_echo_ignore_broadcasts\s*=.*" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | grep -Pvsq "net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1\s*$" || result=true if [[ "$result" == "true" ]]; then echo "pass" diff --git a/scanners/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.sh b/scanners/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.sh index 63c314a..7447b78 100644 --- a/scanners/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.sh +++ b/scanners/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.sh 
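Review bot: The new check in this scanner reports pass on a non-compliant file, and dropping the `sysctl` line means the running value is no longer checked at all. In `^\s*net\.ipv4\.icmp_echo_ignore_broadcasts\s*=\s*[^1]+` the `\s*` can match nothing and `[^1]+` then consumes the space, so `net.ipv4.icmp_echo_ignore_broadcasts = 1` matches and `result` becomes non-empty; and because the second line is `[[ -z "$result" ]] && … || result=true`, a non-empty `result` (whether from `= 0` or `= 1`) falls through to `result=true` and prints pass. The 4.54 scanner hunk below has the same two problems. Keep the runtime check and use the `-v` filter as the only file check, replacing the two new lines with `sysctl net.ipv4.icmp_echo_ignore_broadcasts | grep -Psq "^net\.ipv4\.icmp_echo_ignore_broadcasts\s+=\s+1$" && ! grep -Ps "^\s*net\.ipv4\.icmp_echo_ignore_broadcasts\s*=" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | grep -Pvq "icmp_echo_ignore_broadcasts\s*=\s*1\s*$" && result=true`.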
@@ -1,10 +1,10 @@ result=false -result=`grep -E -s "^\s*net\.ipv4\.icmp_ignore_bogus_error_responses\s*=\s*0" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf` -[[ -z "$result" ]] && sysctl net.ipv4.icmp_ignore_bogus_error_responses | grep -Psq "^net\.ipv4\.icmp_ignore_bogus_error_responses\s+=\s+1$" && result=true +result=$(grep -E -s "^\s*net\.ipv4\.icmp_ignore_bogus_error_responses\s*=\s*[^1]+" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf) +[[ -z "$result" ]] && grep -Ps "^\s*net\.ipv4\.icmp_ignore_bogus_error_responses\s*=.*" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | grep -Pvsq "net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1\s*$" || result=true if [[ "$result" == "true" ]]; then echo "pass" else echo "fail" -fi \ No newline at end of file +fi diff --git a/tools/remediation-kits/run_Anolis_remediation_kit.sh b/tools/remediation-kits/run_Anolis_remediation_kit.sh index b6bf1fd..93cdf0b 100755 --- a/tools/remediation-kits/run_Anolis_remediation_kit.sh +++ b/tools/remediation-kits/run_Anolis_remediation_kit.sh @@ -44,9 +44,9 @@ function executeScripts() echo "---Executing the script: $filename---" grep -Pq "systemctl\s+restart" $filename if [[ $? -eq 0 ]] ; then - sh $filename && sleep 3 + bash $filename && sleep 3 else - sh $filename + bash $filename fi echo "$filename Script executed `date +%Y_%m_%d-%T`" >> $current_path/log/$logfile # 记录脚本执行日志,增加时间戳 elif [[ ! -a $filename ]] ; then diff --git a/tools/scanners/run_Anolis_scanners.sh b/tools/scanners/run_Anolis_scanners.sh index 8931675..8cec3df 100755 --- a/tools/scanners/run_Anolis_scanners.sh +++ b/tools/scanners/run_Anolis_scanners.sh 
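Review bot: `bash $filename` on the two new lines, and `grep -Pq "systemctl\s+restart" $filename` above them, expand the script path unquoted; the script names in this commit contain parentheses, e.g. the `(ASLR)` file, and while those survive word splitting any space would not, so write `bash "$filename"`. The `grep ...` followed by `if [[ $? -eq 0 ]]` can be folded into `if grep -Pq "systemctl\s+restart" "$filename"; then`, and the log line still uses backticks for `date` while the scanner runner in this commit was moved to `$(...)`. The enclosing `executeScripts` function starts and ends outside the hunk.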
@@ -55,9 +55,9 @@ function executeScripts() assignPath if [[ ! -z "$Dir" ]] ; then cd $Dir - filename=`ls | grep -P "^$line\-.*.sh$"` # 获取扫描脚本完整名称 + filename=$(ls | grep -P "^$line\-.*.sh$") # 获取扫描脚本完整名称 if [[ -a $filename ]] ; then - res1=`sh $filename | grep -P "^(pass|fail)$"` # 获取扫描脚本执行结果(pass or fail) + res1=$(bash $filename | grep -P "^(pass|fail)$") # 获取扫描脚本执行结果(pass or fail) ((total++)) # 总检查量 if [[ $res1 == "pass" ]]; then ((sum_pass++)) # pass量 -- Gitee
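Review bot: `filename=$(ls | grep -P "^$line\-.*.sh$")` parses `ls` output and interpolates `$line` into a regex in which its `.` matches any character; when more than one file matches, `$filename` holds several newline-separated names, `[[ -a $filename ]]` is false and the script is skipped without being counted in `total`. Replacing the `ls` pipeline with a glob, `filename=$(printf '%s\n' "$line"-*.sh)`, removes the regex issue; if several scripts can share an ID the value needs to be iterated rather than tested with `-a`. `res1=$(bash "$filename" | grep -P "^(pass|fail)$")` should quote the path as well. The enclosing `executeScripts` function starts and ends outside the hunk.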